What does CYREBRO monitor and detect?

CYREBRO monitors all your business systems and security tools, collects, and analyses the data, and interprets suspicious events with an attacker’s mindset. Strategic monitoring and detection are achieved through a combination of proprietary detection and response algorithms, plus our team’s extensive knowledge of various monitoring methodologies.

CYREBRO creates its own custom, proprietary rules, instead of using generic, out-of-the-box rules. Detection and response algorithms are created based on specific attributes, not specific systems, so CYREBRO is able to detect a wide range of threats, covering the attack landscape. Detection attributes are based on the MITRE framework, CYREBRO incident response cases, and our threat research.

  • The threat research is based on tests we run in our lab environment using tools used by adversaries in the wild. These tests are used to characterise adversary behaviour, which then inform our rule creation process.
  • For every CYREBRO incident response case, we take the steps that the adversary took, mimic them in our lab environment, then create related rules.
  • CYREBRO clients benefit from the “wisdom of the crowd,” meaning that the rules created for a single client incident will be applied proactively to the entire client base.

CYREBRO detection

Rule logic

Rules are created to ingest two different data streams. The first are raw events coming from non-security tools and critical assets, and the second are alerts sent by security tools.

The types of rules created fall into these categories:

  • Traditional detection engine rules
  • Single event rule (based on an alert/event from one system)
  • Aggregation rule (multiple alerts/events from one system) Correlation rule (multiple alerts/events from multiple systems)

Machine learning and AI engine rules

CYREBRO monitoring

CYRBERO has three categories of alerts:

  • Hunting leads- alerts created for the threat hunting team to proactively detect threats
  • High-fidelity alerts- high risk, high severity alerts that trigger CYREBRO investigation
  • Attack stories- a chain of behaviour aggregated by hunting leads and high-fidelity alerts

CYREBRO monitors and responds to all alert types, but the alerts that are visible in the SOC Platform consist of high-fidelity alerts and attack stories. Instead of escalating every benign alert, CYREBRO shows you what needs to be dealt with, and how our security analysts are investigating, instead of overwhelming you with and endless stream of harmless alerts.

System and network activity can occur as part of normal network or as adversarial activity. Therefore, events and alerts should not be viewed in isolation, but as part of a chain of behaviour that can lead to other activities, based on the information obtained.

CYREBRO detection and MITRE attack matrix

For each event in your environment, we identify how many MITRE techniques can be implemented and how many rules can be created for this data source type. We perform this analysis for every client, across each of their data sources.