This two-part article will introduce and provide an overview of the SpiderLabs team at Trustwave dedicated to finding and analyzing new threats, helping clients detect, fight, and recover from security compromises, and helping the cybersecurity field with original research and intelligence. To get a deeper understanding of what Trustwave SpiderLabs does and how it works, we spoke to Mark Whitehead, Global Vice President, SpiderLabs Consulting, Ziv Mador, VP of Security Research, and Brian Hussey, VP of Cyber Threat Detection and Response.
Trustwave SpiderLabs has security researchers, ethical hackers, forensic security investigators, and incident responders across the world who look for the new threats, attack methods, nation-state actors and criminal hackers to know what kinds of current risk organizations face on a daily basis. “Trustwave SpiderLabs grew organically with only five people, starting in 2005”, recalls Ziv, “and now we’re 200+ experts with the most hands-on experience in cybersecurity.”
Aiding Trustwave clients with managed threat detection and response and proactive testing and response engagements, Trustwave SpiderLabs helps companies prevent, detect and recover from security compromises while also helping the security intelligence community at large. Trustwave SpiderLabs maintains a huge database of threat intelligence that's constantly evolving as the team takes in tens of millions of data points a week.
Threat intelligence - the research
On any given day, the Trustwave SpiderLabs team collects millions of security events, such as client events, antivirus events, events from intrusion detection and prevention systems, networks endpoints, database scanners, domain controllers, honeypots, and several other security products. These events are brought into the global network of Trustwave Security Operation Centers (SOCs), where they’re processed, parsed, identified, monitored and acted upon.
Effective monitoring of events from so many geographies and environments is possible due to the vast threat intelligence that Trustwave SpiderLabs maintains. The data ranges from malware samples, email threats, phishing attacks, business email compromise attacks (BEC), malicious codes, network threats, and web-based threats. But the team isn’t looking for only threats—they can also identify security issues within an organization like patch gaps, outdated or vulnerable software, access to databases and requests that don’t follow established policies, and other signs of poor security hygiene.
Trustwave SpiderLabs ethical hackers are also doing their own active research and testing new methods of attacks on different environments and software so they can pre-empt hackers, notify manufacturers, and get them patched before the vulnerability gets into the hands of any bad actors.
A specialized team also monitors the dark web, criminal forums, and hacker forums to learn about what kind of hacker tools are being developed, exploits that are being shared, how criminal hackers and hacker groups are advertising their services, how they’re using malware, and what companies they’re looking to target.
Taking it all together, the team is able to find new kinds of threats, behaviors, and trends that they can share with their clients and the cybersecurity intelligence community at large. Moreover, Trustwave SpiderLabs researchers use this knowledge for creating and updating detection rules for the different product lines, like our range of services for Managed Security, our Secure Email Gateway, Trustwave DbProtect, and various scanners.
Active defense – Penetration Testing, Purple teams and tabletop exercises
Trustwave SpiderLabs also has an extensive global team of expert penetration testers, also known as ethical hackers, that will conduct mock phishing and hacking attacks on a client’s environment. This helps ensure their defenses, processes and protocols are up to snuff and will also flag anything that might be out of compliance. For organizations that leverage applications, mobile, cloud resources or bring your own devices (BYOD) policies, Trustwave SpiderLabs knows how to test those with the mindset of an adversary looking to gain access to the most sensitive data. However, their pentesting goes further than just remote attacks.
The team will conduct advanced testing that simulates advanced persistent threats (APTs), attacks, continuously looking for weakness in digital footprints, and they’ll even fly out to a company’s headquarters to see if they can sniff out the building’s wi-fi, find their way in, and even conduct social engineering attacks .They also do those simulations working hand and hand with an organizations defenders to focus on weaknesses before the adversaries do in purple team exercises. Through all these engagements, Trustwave SpiderLabs’ goal is to improve digital resilience to a cyberattack.
To help clients prepare for a potential breach, they can also run what is called tabletop exercises - which simulates an organization’s behavior in the event of a breach leveraging some of the top expertise in digital forensics and investigations. Mark lists some of the questions that are asked:
- Who will be on call if a breach happens?
- What are the communication branches?
- How will the breach be contained? Can it be fixed, patched, or isolated?
- How quickly can an organization and security department mobilize?
This hands-on approach helps an organization go through the hypothetical motions of a security compromise and highlight any potential response gaps that a company wasn’t even aware of.
How Trustwave SpiderLabs uses threat intelligence
With all the research and information that’s gathered by Trustwave SpiderLabs, they’re able to use that to develop new tools, alert any manufacturers of potential vulnerabilities, share threat intelligence with the community, and also feed the info into the managed work that’s done with Trustwave clients.
Some of the research and real world tests conducted by Trustwave SpiderLabs is published on their blog, where they go over new kinds of attack methods, active attacks they’ve observed in the wild, and even information found in the dark web. The team is also responsible for the annual Trustwave Global Security Report, a data-driven research report that goes over the recent threats, behaviors, and trends organizations should be aware of.
In Part 2 of this article series, we’ll go over how the Trustwave SpiderLabs team works with Trustwave clients and works with the intelligence community.
Ready to see how Trustwave SpiderLabs can help protect your organization? Learn more about this elite group of researchers, penetration testers and incident responders today.
Evan Sharenow is content marketing manager at Trustwave.