CERT / CSIRT
REDTEAM.PL CERT (RFC 2350) is a member of the international organization Trusted Introducer associating recognized incident response teams. In addition, REDTEAM.PL is also listed on the official website of the European Network and Information Security Agency (ENISA) as the Polish incident response team (CERT / CSIRT).
We have competences in the field of digital forensics and incident response, the result of which is a recognized scientific publication entitled “Practical computer forensics analysis” (2017) published by Polish Scientific Publishers PWN. The leader of the third SOC line, Adam Ziaja is co-authored of several documents of the European Network and Information Security Agency (ENISA) for CERT / CSIRT teams published in 2013-2014, regarding computer forensics, threat hunting and threat intelligence among other topics.
We know how cybercriminals exploit vulnerabilities because for over a decade we have been conducting authorized whitehat attack simulations in the form of penetration tests and red teaming, aimed at finding the weakest points in the organization – just like real attackers do.
Thanks to the combination of offensive and defensive competence, we are able to offer the high quality cybersecurity services.
Threat hunting & threat intelligence
Threat hunting and threat intelligence are subjects that we have been dealing with for over a decade. We have technical competences and achievements related to proactive threat hunting as well as advanced incident response, including world-class APT (Advanced Persistent Threat).
In 2019, the REDTEAM.PL research team revealed a global badWPAD attack, which affected millions of computers around the world. Our study was observed by SANS institute and we received thanks from national incident response teams, incl. Poland (CERT Polska), Estonia (CERT-EE) and Latvia (CERT-LV). In 2020, we described TTPs (ang. Tactics, Techniques, and Procedures) and IOC of advanced APT attacks, which we identified and analyzed – incl. cybercriminal groups Sodinokibi / REvil and Black Kingdom. Our actions resulted in the extensive cooperation with international law enforcement agencies (also in the role of IT Expert Witness).
We are able not only to analyze 0-day vulnerabilities (software weakness for which there are no security patches yet) but also to identify them. Only at the turn of 2019/2020 we received numerous thanks from Google and a total award of $68,000 for identified and responsibly reported vulnerabilities in the Chrome browser. In addition, as a result of the vulnerability found by our researcher in Apple Safari for macOS/iOS, the world's media, including Forbes magazine, wrote about it and again we were observed by SANS institute – this time for offensive research. We also have a number of acknowledgments available on the official websites of entities to which we have responsibly reported security vulnerabilities over the course of many years, incl. Adobe (2014), Apple (2012), BlackBerry (2012), Deutsche Telekom, Google (2013), Harvard University, Netflix (2013), Nokia (2013), Reddit, SoundCloud, Yandex (2013). We are a team of IT security experts who have been successfully dealing with the technical aspects of cybersecurity for many years.
Network threats detection
Typical products for detecting network attacks monitor communication and use hundreds of predefined rules for detection. The main disadvantage of this approach is the lack of understanding of most of the alerts reported. Numerous alerts appear regardless of whether an attack is taking place or not. In this way, despite having security systems in place, an attack often goes unnoticed because it is not identified in the maze of hundreds of warnings that appear constantly in the production environment.
During attacks, hackers use native mechanisms of Windows enviroment to obtain credentials. Antivirus software does not detect the presence of an attacker who logs in as a legitimate user. Antivirus detection is an analysis of how the software, not the user, works. Cybercriminals take advantage of this and carry out attacks not only against vulnerable software, which could very likely be detected by EDR (Endpoint Detection and Response) or SOAR (Security Orchestration, Automation, and Response) systems, but against standard mechanisms of Windows enviroment. Such attacks are not detected by the software installed on the client stations because they are performed on the level of the internal network between stations located in the Windows domain. In this way, APT (Advanced Persistent Threat) groups are able to gain access to data despite the fact that the organization has various types of security mechanisms deployed on workstations.
REDTEAM.PL approach to threat hunting implemented in RedEye solution is based on the knowledge of attack techniques (TTPs) and tools used by advanced adversaries. It is the only solution that can detect advanced attacks against the Windows environment and Active Directory (AD) without the need for an agent. Thanks to the understanding of both the offensive and defensive aspects, RedEye software implements rules that allow detecting attacks that are not identified by EDR software. Therefore, RedEye complements antivirus and related solutions.
Cybersecurity research
The team of REDTEAM.PL experts has published numerous articles on the techblog on the technical aspects of cybersecurity:
we combine expertise both in the field of attack and defense, and our cybersecurity research is widely recognized in the world.