Cyber security threat hunting and detection engineering

Do you understand your cyber security posture?

Amid evolving and growing cyber security threats, organisations need to take a more proactive stance towards understanding their cyber security posture so they can identify threats in their IT estate, and respond quickly and effectively to mitigate potential impact.

Yet our 2022 Global Digital Trust Insights survey revealed that CEOs in particular are very concerned that their organisations have become too complex to secure, with advanced attackers able to obtain and maintain access to compromised environments for years without being detected.

Get greater visibility and understanding of your cyber security posture

The most sophisticated threat actors dedicate their time to finding ways of exploiting cyber risks in your IT environment and evading detection from traditional defence mechanisms, such as antivirus. We are focused on identifying the cyber risks affecting your IT systems, the cyber security attacks that first lines of defence may have missed, and on improving your detection capabilities.

Our discovery and detection services enable you to gain visibility into a range of security risks, health and hygiene indicators that may be placing your environment at an elevated risk, as well as identifying evidence of malicious activity within your IT estate. We do this by:

  • Analysing data pulled from distinct sources such as your endpoints and external threat sources;
  • Augmenting these datasets with our proprietary threat intelligence to gain unique insights into signs of historic or active compromises in your environment; and
  • Providing clear, actionable advice for remediation.

What do you need to protect?

Organisations are complex, combining on-premises and cloud infrastructure and spanning multiple technologies, developed in-house and provided by third parties. To help you better understand your cyber security posture and improve your detection capabilities, our detection and discovery services focus on the following data sources:

Endpoint

  • Real-time behavioural detection using PwC’s industry-leading ruleset, mapped to the MITRE ATT&CK® framework.
  • Analysis of persistence mechanisms that may be employed by attackers to maintain a foothold into your environment.
  • Automated scanning for indicators of compromise developed from PwC’s threat intelligence research into over 200 advanced threat actors.
  • En masse analysis of forensic artefacts and system logs to identify evidence of a historic compromise.

Network

  • Constantly evolving real-time detection developed from PwC's research and engineering, covering hundreds of advanced threat actors and a wide range of other activity.
  • Our Network Threat Hunting platform is automatically updated as new detection logic becomes available.
  • Offline heuristic detection and machine learning powered by rich metadata.
  • We record a wide range of hygiene points to help inform your risk management programme.

Cloud

  • En masse analysis of cloud logs to identify evidence of a historic compromise.
  • Review of cloud data points such as applications and admin accounts to identify persistence mechanisms.
  • We record a wide range of cloud hygiene points to help inform your risk management programme.

Internet of Things (IoT)

  • Analysis of your IoT infrastructure to identify vulnerable devices.

External

  • Analysis of your externally visible infrastructure, to identify compromises of vulnerable and exposed services/endpoints.
  • We search our database of leaked credentials, accumulated from hundreds of third-party breaches and threat actor credential dumps, for corporate email accounts to identify corporate email exposure.
  • Malware repository analysis, to seek out malware and phishing documents that appear to be targeting your organisation.
  • Monitoring of 'paste' and 'dump' sites for any references to your brand that could indicate malicious activity or a data leak.

For situations that require a sustained period of response activities, you will have rapid on-demand access to our global Cyber Incident Response team to help you contain and investigate the incident. Our procedures are grounded in industry best practice, and years of practical experience.

Our services also provide visibility into a range of security risks, health and hygiene indicators that may be placing your environment at an elevated risk. The insights gained from this exercise include the identification of:

  • Misconfigured user accounts and groups that would present a path for an attacker to access your most valuable assets
  • Operating system (OS) and application vulnerabilities that attackers can abuse to infiltrate your systems and maintain a foothold in the environment
  • Compliance configuration drift that may be undermining the protections in place designed to prevent a successful cyber attack

Alliance Partners

Our fundamental approach to discovery services is solution agnostic and we will work with all your technologies, subject to their capabilities.

We maintain our technical knowledge in solution agnostic formats (including a proprietary detection and threat hunting library), and will be able to use these resources to provide insight to your team.

In the case a solution is required for any of the discovery services we offer, we are partnering with leading vendors in the cyber security space including Tanium, Microsoft, Palo Alto and Claroty.

Our service offerings

Detection content

Our specialist teams track and monitor cyber threat actors, helping clients respond to some of the most challenging incidents from espionage to ransomware. The knowledge and insights from this work power our detection content – a bespoke collection of behavioural indicators that let you get even more value from your security tooling. The detection content is currently available for Tanium and Defender for Endpoint.

The detection patterns developed are categorised using the tactics and techniques documented in the widely accepted MITRE ATT&CK® framework. Our detection rule subscription helps companies that are already using Tanium or Defender for Endpoint to better detect and control cyber attacks in their IT environment. Every detection rule includes a detailed description providing an explanation of the attacker technique, real-world context and actionable triage recommendations.

Benefits:

  • Instant uplift of your detection capabilities and security posture.
  • Expert support with testing, configuring and implementing the detection rules in your environment.
  • Updates to existing detection rules and release of new detection rules based on the latest tactics, techniques and procedures used by threat actors.

Compromise assessment

The most sophisticated threat actors dedicate their time to finding ways of evading detection from traditional defence mechanisms, such as antivirus. Our threat detection experts focus on identifying the cyber attacks that your first lines of defence may have missed.

Our compromise assessment is a rapid, proactive discovery exercise to identify threats and unwanted activity within your IT estate – everything from high-severity targeted intrusions through to hygiene issues such as unwanted software. You will have on-demand access to our global team of cyber security experts to help you contain and investigate the incident. Our service also provides visibility into a range of security risks, health and hygiene indicators that may be placing your environment at an elevated risk of sustained compromise or reputational damage.

The insights gained from this exercise include the identification of:

  • Misconfigured user accounts and groups that could facilitate an attacker’s activity and place your most valuable assets at risk. For example, the identification of all domain users being part of a local admin group on a number of servers, which would facilitate privilege escalation.
  • Artefacts indicating a historic or ongoing compromise in your environment, such as persistent malware.
  • Wider configuration issues degrading your cyber protections. For example, administrators using plaintext passwords when executing command-line tools.
  • Potentially unwanted software, which can facilitate supply chain attacks or lead to legal and reputational issues.

Health assessment

By using a rigorous data-based approach, our cyber health assessment gives you valuable insights into cyber risks affecting your IT system. It also identifies potential issues from unknown systems in your network, including shadow IT. With the help of partner security software, we analyse data from your systems and can use it to answer crucial questions such as:

  • Which devices and software versions are active in your network?
  • Are there any unmanaged systems (e.g. shadow IT) on your company network?
  • Are all of your systems compliant with patching policies?
  • What vulnerabilities might exist due to outdated software?
  • How easily can an attacker gain administrative user rights?

After analysis and modelling, results are processed via a series of evaluations with key figures, diagrams and other key performance indicators (KPIs). The evaluated KPIs, based on the collected data, give you the opportunity to easily identify threats to your system landscape.

Our approach gives you valuable insight into your IT system landscape, identifies any gaps in your IT asset inventory, shows associated cyber risks and identifies potential attack vectors in your network.

Case Study

The client issue

A global entertainment organisation had recently suffered from a cyber security breach, which they were only able to detect after the threat actor had achieved their objectives. They wanted to understand whether the threat actor was still present in their environment, or whether there was any evidence to suggest there were signs of another compromise.

The solution

We delivered our compromise assessment and our health assessment to address the client’s requirements. As part of the services, we delivered our proprietary threat detection methodology combined with a market-leading endpoint detection solution, which sat on top of their existing security infrastructure, to provide an extensive view of any historical and current malicious activity. Using the same endpoint solution, we retrieved wider data points to identify additional security risks.  

The benefits

During the compromise assessment, we found live evidence of the early stages of a WastedLocker ransomware attack. We were able to rapidly analyse the malicious activity for additional indicators of compromise, and sweep the entire environment for any signs that the threat actor had moved laterally across the network. We then transitioned the investigation to our incident response team, who performed additional forensic analysis and initiated remediation steps with the client to ensure that the threat was removed from the environment.

As part of the health assessment, we identified unmanaged assets that the client was not tracking in their asset register. We also uncovered hygiene issues such as plaintext passwords in user directories, plaintext passwords used in command line tools, and exposed file shares. We provided to the client actionable recommendations on how to improve their cyber posture and solve identified hygiene issues.


Contact us

David Cannings

Cyber Threat Operations, PwC United Kingdom

Tel: +44 (0)7483 434287

Alex Blinda

Cyber Threat Detection and Response, PwC United Kingdom