
Empower Your Blue Team with Real-Time Training and Comprehensive Threat Detection
When your organization invests in a new Endpoint Detection & Response (EDR) solution or collaborates with a managed security provider, it’s a significant step forward in your cybersecurity strategy. However, this is just the beginning of a robust security posture. While detection, monitoring, and response tools provide the foundation, the true strength of your security lies in how well your team can operate these tools. Effective training, real-time threat hunting, and a deep understanding of attacker techniques are essential to maximizing the value of your security investments. That’s where CYPFER’s Detection Capability Assessment (DCA) Workshop comes in—helping your blue team enhance detection and response capabilities through hands-on, collaborative exercises.
Scenario 1: Your company has just implemented a new Endpoint Detection & Response (EDR) solution. Whether this decision was driven by a need to modernize, a newly approved budget, or a recent security incident, it has undoubtedly required significant time and financial investment.
Scenario 2: You are collaborating with a provider who monitors your technological environment, either fully or partially.
If you find yourself in one of these scenarios, you’re not alone. However, it’s crucial to understand that the journey doesn’t end here. Ensuring that your detection, monitoring, and response tools are functioning optimally is just the beginning. Equally important is the training of your employees who operate these tools. They need to be adept at recognizing signs of potential intrusions or malicious activities.
While most monitoring tools offer similar alerting capabilities, the real differentiator lies in the training of your analysts (blue team). Real-time training in event correlation and threat hunting for attacker techniques can significantly enhance your team’s effectiveness and your overall security posture. The better trained your team is, and the more refined your security tools are, the greater your confidence in your security measures will be.
It’s essential to verify the effectiveness of your various tools, as each has its own focus: some monitor employee workstations, others oversee network activities, and still others watch over your cloud environment. You might be surprised by the blind spots you discover.
To address these concerns comprehensively, CYPFER has designed an exercise called the Detection Capability Assessment (DCA). This assessment ensures that detection and response controls are evaluated and optimized, providing you with a robust and reliable security posture.
By continuously monitoring and training, you can stay ahead of potential threats and maintain a secure environment for your organization.
Elevate Your Security with a Detection Capability Assessment Workshop
In the form of an interactive workshop, CYPFER will collaborate with your blue team, assuming the role of attackers while your team hunts for traces of our attack techniques. During these live sessions, CYPFER will execute Tactics, Techniques & Procedures (TTPs) commonly used by threat actors. Typically, about 20 to 25 of these TTPs are executed within your environment, providing your blue team with the opportunity to identify and respond to these activities.
Unlike a traditional red team exercise, this workshop is conducted in a fully transparent and collaborative manner with the blue team. This approach allows for real-time learning and improvement. As a result of a Detection Capability Assessment (DCA), you will be able to identify detection and response strengths and gaps across various areas, including cloud, network, malicious execution, lateral movement, and vulnerability exploitation. We adapt our test cases to your environment.
A common misconception we often encounter is the belief that “we applied a patch, so this shouldn’t be vulnerable.” However, not all patches mitigate all attack vectors. For example, with the EFSRPC coercion vulnerability, also known as PetitPotam, applying the patch only serves as a mitigation: the patch addresses certain aspects of the vulnerability, but the system can still be exploited through other vectors. Can you block or detect the attack? It’s possible that outbound SMB (TCP 445) is allowed in your firewalls, which could enable an attacker to remotely capture the NetNTLMv2 hash of the exploited domain controller’s computer account. Additionally, do you have SMBv1 permitted or signing disabled? These configurations could allow for a relaying attack. The DCA exercise can help answer all of these questions.
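The configuration questions in the paragraph above (outbound SMB on TCP 445, SMBv1, SMB signing) can be checked per Windows host. The following PowerShell is an added example, not CYPFER's tooling or part of the original article; the function name `Get-SmbExposure` is hypothetical, and it reports local Windows settings only, not perimeter firewall policy.

```powershell
# Added example (not from the original article): report the host settings the
# paragraph above asks about. Run elevated; uses built-in SmbShare/NetSecurity cmdlets.
function Get-SmbExposure {   # hypothetical helper name
    $server = Get-SmbServerConfiguration
    $client = Get-SmbClientConfiguration

    # Effective (local + GPO) enabled outbound Block rules covering TCP 445.
    # Port ranges such as "400-500" are not parsed, and a rule may be scoped
    # to specific addresses or programs, so review any match by hand.
    $block445 = @(Get-NetFirewallRule -PolicyStore ActiveStore -Direction Outbound `
            -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $f = $_ | Get-NetFirewallPortFilter
            ($f.Protocol -in 'TCP', 'Any') -and
            (@($f.RemotePort) -contains '445' -or @($f.RemotePort) -contains 'Any')
        })

    # Profiles whose default outbound action is not Block (Windows default is Allow).
    $openProfiles = @(Get-NetFirewallProfile -PolicyStore ActiveStore |
        Where-Object { $_.DefaultOutboundAction -ne 'Block' } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Smb1ServerEnabled      = [bool]$server.EnableSMB1Protocol
        ServerSigningRequired  = [bool]$server.RequireSecuritySignature
        ClientSigningRequired  = [bool]$client.RequireSecuritySignature
        Outbound445BlockRules  = $block445.DisplayName -join '; '
        ProfilesAllowingEgress = $openProfiles -join ', '
        # Flag the combinations the paragraph warns about.
        Outbound445LikelyOpen  = ($block445.Count -eq 0 -and $openProfiles.Count -gt 0)
        RelayRiskSettings      = ([bool]$server.EnableSMB1Protocol -or
                                  -not $server.RequireSecuritySignature)
    }
}

Get-SmbExposure | Format-List
```

A host that reports `Outbound445LikelyOpen` as false may still reach TCP 445 through allow rules under a default-block profile, so confirm the result against the network firewall as well.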
The comprehensive report you receive will document each test case and its outcome, based on evidence shared by your blue team during the exercise. Each test case is linked to the TTPs and categorized according to the MITRE ATT&CK framework, an industry standard.
If you are interested in implementing this approach at your company, feel free to reach out to us. We would be delighted to discuss your needs and assess how we can help enhance your security posture.
A strong security posture is not a one-time achievement but an ongoing commitment. CYPFER’s Detection Capability Assessment (DCA) Workshop offers your organization the opportunity to elevate your security measures by combining cutting-edge techniques with real-world training. If you’re ready to transform your blue team into a proactive defense force, contact us today. Together, we’ll ensure that your organization’s security strategy is not only reactive but resilient, providing you with true Cyber Certainty™.
For more information please reach out to Marie Eve Bergeron-Tourangeau