Spotlight on Trustwave SpiderLabs, Part 2: Incident Response and Threat Hunting

This two-part article will introduce and provide an overview of the SpiderLabs team at Trustwave dedicated to finding and analyzing new threats, helping clients detect, fight, and recover from security compromises, and helping the cybersecurity field with original research and intelligence. Read Part 1 here.

Client-Side Cybersecurity

Trustwave SpiderLabs is responsible for the client-side work done with Trustwave Managed Security Services (MSS) clients, including Trustwave Managed Detection and Response (MDR) clients, where the team carries out threat hunting and incident response as part of its Digital Forensics and Incident Response (DFIR) service.

Threat Hunting

Trustwave SpiderLabs has developed a hybrid framework of threat hunting that feeds them events, alerts, and data points via thousands and thousands of queries from automated tools and non-automated tools (as in, security researchers). According to Brian, “we’ve basically created a framework of tools that let us do a real deep dive on threat hunting. For example, if a client has 100 endpoints, we can attach a binary executable of our EDR tool on each endpoint that allows us to query for any kind of info we want.”

This framework lets the team learn about a client's endpoints: environmental threats, open ports, outdated software, flawed or vulnerable infrastructure, anything that can be executed on the system, file hashes graded against a custom hash database, system administration tools, known-good files, and other data points that can then be analyzed to determine whether a threat is present.
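The hash-grading step described above can be illustrated with a small triage script. This is an added example, not SpiderLabs' framework or tooling: it hashes every file collected from an endpoint, looks each SHA-256 up in a constructed grading database (hypothetical grades `known_good`, `known_bad`, `admin_tool`), marks anything unseen as `unknown`, and orders the analyst's review queue so that known-bad and unknown binaries come before dual-use administration tools. All sample file contents and hashes are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Grades are hypothetical labels for this example, not a real vendor scheme.
# Review priority: a known-bad hash is an incident, an unknown hash needs a
# human look, and an admin tool (dual-use) is reviewed if it is unexpected.
REVIEW_PRIORITY = ["known_bad", "unknown", "admin_tool"]


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory blob (used to build the sample database)."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries collected from an endpoint.
SAMPLE_FILES: Dict[str, bytes] = {
    "svchost.exe": b"CONSTRUCTED-KNOWN-GOOD-BINARY",
    "psexec.exe": b"CONSTRUCTED-ADMIN-TOOL-BINARY",
    "update.exe": b"CONSTRUCTED-MALWARE-BINARY",
    "helper.exe": b"CONSTRUCTED-UNSEEN-BINARY",  # deliberately absent from the DB
}

# Constructed grading database keyed by SHA-256 (hypothetical entries).
HASH_DB: Dict[str, str] = {
    sha256_bytes(SAMPLE_FILES["svchost.exe"]): "known_good",
    sha256_bytes(SAMPLE_FILES["psexec.exe"]): "admin_tool",
    sha256_bytes(SAMPLE_FILES["update.exe"]): "known_bad",
}


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def grade_file(path: Path, db: Dict[str, str]) -> Dict[str, str]:
    """Look a file's hash up in the database; unseen hashes are 'unknown'."""
    digest = sha256_file(path)
    return {"name": path.name, "sha256": digest, "grade": db.get(digest, "unknown")}


def grade_directory(root: Path, db: Dict[str, str]) -> List[Dict[str, str]]:
    """Grade every regular file under root, in a stable (sorted) order."""
    return [grade_file(p, db) for p in sorted(root.rglob("*")) if p.is_file()]


def summarize(results: List[Dict[str, str]]) -> Tuple[Dict[str, int], List[str]]:
    """Return per-grade counts and a review queue ordered by REVIEW_PRIORITY."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r["grade"]] = counts.get(r["grade"], 0) + 1
    review = [
        r["name"]
        for grade in REVIEW_PRIORITY
        for r in results
        if r["grade"] == grade
    ]
    return counts, review


def write_sample_endpoint(root: Path) -> Path:
    """Materialise the constructed sample files as if collected from a host."""
    for name, data in SAMPLE_FILES.items():
        (root / name).write_bytes(data)
    return root


def demo() -> Tuple[Dict[str, int], List[str]]:
    """Run the triage end to end on the constructed sample endpoint."""
    with tempfile.TemporaryDirectory() as tmp:
        root = write_sample_endpoint(Path(tmp))
        return summarize(grade_directory(root, HASH_DB))


if __name__ == "__main__":
    counts, review = demo()
    print("grade counts:", counts)
    print("review queue:", review)
```

Known-good entries are the point of the exercise as much as known-bad ones: every file that can be cleared by hash is one fewer file an analyst has to open, which is what makes the approach scale to the hundreds of endpoints the article describes.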

However, while traditional threat hunting is usually thought of as a process that looks for malicious actors within a network, the hybrid framework Trustwave SpiderLabs employs lets the team look deeper to identify existing weaknesses, poor behaviors within an environment, and other indicators of security hygiene. “Our threat hunting starts with malicious actors,” says Brian, “and ends with security hygiene.”

This approach also helps assess whether existing tools are effectively blocking, detecting, and preventing threats, while letting the team proactively examine a client’s environment for vulnerabilities, outdated software, and website flaws, in the hope that an issue is fixed before it ever reaches the breach phase.

DFIR - The First Responders

The Trustwave SpiderLabs Digital Forensics and Incident Response team are the first responders in the event of a breach, or when threat hunting, penetration testing, or tabletop exercises uncover something that requires a much deeper investigation.

Mark likens Trustwave SpiderLabs’ DFIR team to “smoke jumpers—they jump into an organization and take charge, calm an organization, and use best practices to identify attacks that took place.” The team leverages Trustwave SpiderLabs research, resources, and tools to provide forensic analysis and to attribute the actor, method, and tools used in an attack. DFIR is essentially responsible for establishing how a breach happened, when, and who might be behind it, piecing together the attack, and reverse engineering any offending malware. One of the other benefits is that they have hundreds of ethical hackers a keystroke or phone call away to collaborate with.

The investigation often starts using the threat hunting tools and feeds to contain the breach and do an initial analysis. Depending on how significant the breach is or how large the company is, it may end up being a much larger investigation.

Speed is key when it comes to breach investigations and analysis. “If you’re an enterprise with over 10,000 computers,” says Mark, “you need a lot of people to churn through the investigation. The whole goal is to investigate quickly.”

The faster the investigation happens, the quicker the data can come through. However, the most efficient way of working is to have one person handle the first 24 hours: look at logs, get the breach under control, and serve as the single point of contact the affected organization can rely on. That person can then find out “how big the blaze is” and delegate the resources required for containment and full analysis.

Having the human element present in the investigation as soon as possible is extremely important, as it can uncover details an automated tool can’t. “Automated tools only see the surface,” says Mark, “but people know to look under that and potentially find new techniques automated tools don’t even know about. It requires really good training and skillsets.” When it comes to threats or techniques that have never been observed before, an automated tool isn’t equipped to detect or analyze them.

When that’s the case, the information is passed to the research team so they can determine whether any other company or organization has come across it before, or attribute it as a new threat variant, actor, or technique.

How Trustwave SpiderLabs Contributes to Cybersecurity

Trustwave SpiderLabs’ continuous research has resulted in real-world improvements to the cybersecurity intelligence community. If they come across a new vulnerability, they follow a responsible disclosure process to alert the manufacturer so it can be fixed before the vulnerability is made public. For example, Trustwave SpiderLabs will normally allow the vendor up to 90 days to fully investigate the issue and develop a patch, and will even help test it to make sure it is complete. However, in scenarios of elevated risk, for example if the vulnerability details are discussed publicly or if the issue is exploited in the wild, the team will consider a much faster release, sometimes disclosing the details in a matter of days. All in all, they are responsible for around 10-12 public advisories a year, and their blog also covers new threats, trends, and behaviors.

Trustwave SpiderLabs also works with several cyber intelligence organizations and other cybersecurity companies, and is part of various intelligence partnerships dedicated to exchanging intelligence and learning from each other’s efforts.

When given permission, the information and work produced for clients can also be used for future reference, and the new data and knowledge is embedded in the team's future work and in Trustwave tool development. As a result, Trustwave SpiderLabs is responsible for a wealth of new cybersecurity intelligence that improves not only Trustwave services and offerings but also the wider community’s intelligence resources and capabilities.

Ready to see how Trustwave SpiderLabs can help protect your organization? Learn more about this elite group of researchers, penetration testers and incident responders today.
