
The Devo SciSec Team (Devo's Threat Research Team) has released our fourth alert pack in all Devo domains! This alert pack brings our SecOps-related content to our non-SecOps customers and can help jumpstart your threat coverage.

Alert Pack - Impact

We have another alert pack, this one focused on the MITRE ATT&CK tactic Impact. Impact is the tactic attackers use to disrupt a company's operations and cause it damage. Worst of all, these attacks can cause reputational damage that can take years to recover from. That's why we knew we had to create an alert pack to protect our customers from these issues. Here's more information from the MITRE organization.

Complete information on this threat vector.

"Impact consists of techniques that adversaries use to disrupt availability or compromise integrity by manipulating business and operational processes. Techniques used for impact can include destroying or tampering with data. In some cases, business processes can look fine, but may have been altered to benefit the adversaries’ goals. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach."

Download now directly from Devo Exchange by clicking here.

Full release notes and details of every alert in this Alert Pack.

Here is a sample of a few of the alerts included:

SecOpsAzureNWDeviceModified - This alert identifies when a user has modified a network device such as a network virtual appliance, virtual hub or virtual router. Although this is a common operation, it should be checked, since it could be undermining the security posture of the Azure account.
SecOpsAzureAutomationRunbookDeleted - This alert identifies when a user has deleted an Azure Automation runbook. This could indicate that an attacker is trying to disrupt the normal behavior of the automated processes within an Azure account, or is deleting a runbook that had been used to gain persistence.
SecOpsGCPSQLDatabaseModification - An attacker could intend to modify, or gain, privileges on a Cloud SQL database.
SecOpsGCPPrivateCloudNetworkDeletion - An attacker could delete a Virtual Private Cloud (VPC) network to interrupt the availability of systems and network resources.
SecOpsGCPIAMServiceAccountDisabled - An adversary could disable an IAM service account to manipulate the service account and maintain access to the systems.
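As an added illustration of what the five alerts above look for (this is example code written for this post, not the alert pack's own rule logic or anything from Devo's platform), here is a small Python detector that applies those conditions to constructed Azure Activity Log and GCP Cloud Audit Log records. The Azure operationName and GCP methodName values it keys on are assumed operation names chosen for the example, the record layouts are simplified, and the sample events are made up.

```python
import json
from typing import Optional

# Alert names are the five listed in the post. The operation names they key on
# are ASSUMED Azure Activity Log operationName / GCP audit-log methodName values
# chosen for this example; the alert pack's real rule logic is not reproduced here.
AZURE_RULES = {
    "Microsoft.Network/networkVirtualAppliances/write": "SecOpsAzureNWDeviceModified",
    "Microsoft.Network/virtualHubs/write": "SecOpsAzureNWDeviceModified",
    "Microsoft.Network/virtualRouters/write": "SecOpsAzureNWDeviceModified",
    "Microsoft.Automation/automationAccounts/runbooks/delete": "SecOpsAzureAutomationRunbookDeleted",
}
GCP_RULES = {
    "cloudsql.instances.update": "SecOpsGCPSQLDatabaseModification",
    "v1.compute.networks.delete": "SecOpsGCPPrivateCloudNetworkDeletion",
    "google.iam.admin.v1.DisableServiceAccount": "SecOpsGCPIAMServiceAccountDisabled",
}


def normalize(raw: dict) -> Optional[dict]:
    """Reduce a (simplified) Azure Activity Log or GCP Cloud Audit Log record to
    the handful of fields the rules need. Returns None for unrecognised shapes."""
    if "operationName" in raw:  # Azure Activity Log (flattened shape assumed)
        return {
            "cloud": "azure",
            "operation": raw["operationName"],
            "actor": raw.get("caller", "unknown"),
            "resource": raw.get("resourceId", ""),
            # Only a completed change actually affects the environment.
            "succeeded": raw.get("status") == "Succeeded",
        }
    payload = raw.get("protoPayload")
    if isinstance(payload, dict):  # GCP Cloud Audit Log
        return {
            "cloud": "gcp",
            "operation": payload.get("methodName", ""),
            "actor": payload.get("authenticationInfo", {}).get("principalEmail", "unknown"),
            "resource": payload.get("resourceName", ""),
            # GCP reports failures in protoPayload.status.code (gRPC code, 0 = OK).
            "succeeded": payload.get("status", {}).get("code", 0) == 0,
        }
    return None


def evaluate(raw: dict) -> Optional[dict]:
    """Return an alert dict if the record matches one of the Impact rules, else None."""
    ev = normalize(raw)
    if ev is None or not ev["succeeded"]:
        return None
    rules = AZURE_RULES if ev["cloud"] == "azure" else GCP_RULES
    alert = rules.get(ev["operation"])
    if alert is None:
        return None
    return {
        "alert": alert,
        "tactic": "Impact",
        "cloud": ev["cloud"],
        "actor": ev["actor"],
        "resource": ev["resource"],
        "operation": ev["operation"],
    }


def run(lines: list) -> list:
    """Evaluate newline-delimited JSON records and collect the alerts that fire."""
    alerts = []
    for line in lines:
        hit = evaluate(json.loads(line))
        if hit is not None:
            alerts.append(hit)
    return alerts


# Constructed sample records (not real telemetry); "<sub>" is a placeholder subscription id.
SAMPLE_LOG = [
    '{"operationName": "Microsoft.Automation/automationAccounts/runbooks/delete", "status": "Succeeded", "caller": "ops@example.com", "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa1/runbooks/PatchTuesday"}',
    '{"operationName": "Microsoft.Automation/automationAccounts/runbooks/delete", "status": "Failed", "caller": "contractor@example.com", "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Automation/automationAccounts/aa1/runbooks/Backup"}',
    '{"operationName": "Microsoft.Network/virtualHubs/write", "status": "Succeeded", "caller": "neteng@example.com", "resourceId": "/subscriptions/<sub>/resourceGroups/rg-net/providers/Microsoft.Network/virtualHubs/hub-east"}',
    '{"operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded", "caller": "ops@example.com", "resourceId": "/subscriptions/<sub>/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/web01"}',
    '{"protoPayload": {"methodName": "v1.compute.networks.delete", "resourceName": "projects/demo-proj/global/networks/prod-vpc", "authenticationInfo": {"principalEmail": "admin@example.com"}}}',
    '{"protoPayload": {"methodName": "google.iam.admin.v1.DisableServiceAccount", "resourceName": "projects/demo-proj/serviceAccounts/ci-runner@demo-proj.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "admin@example.com"}}}',
    '{"protoPayload": {"methodName": "cloudsql.instances.update", "resourceName": "projects/demo-proj/instances/orders-db", "authenticationInfo": {"principalEmail": "intern@example.com"}, "status": {"code": 7, "message": "PERMISSION_DENIED"}}}',
]

if __name__ == "__main__":
    for hit in run(SAMPLE_LOG):
        print(f'{hit["alert"]:40} {hit["actor"]:22} {hit["resource"]}')
```

Two design points carry over to tuning the real alerts: the detector only fires on operations that actually succeeded (a denied runbook deletion or SQL change is worth a separate, lower-severity signal, not an Impact alert), and because network-device and runbook changes are routine, the actor and resource are kept in every alert so an allow-list of change-management principals or maintenance windows can be applied on top.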

Full list of alerts available here in our docs!