Cyber security threat hunting and detection engineering

Do you understand your cyber security posture?

Amid evolving and growing cyber security threats, organisations need to take a more proactive stance towards understanding their cyber security posture so they can identify threats in their IT estate, and respond quickly and effectively to mitigate potential impact.

Yet our 2022 Global Digital Trust Insights survey revealed that CEOs in particular are very concerned that their organisations have become too complex to secure, with advanced attackers able to obtain and maintain access to compromised environments for years without being detected.

Get greater visibility and understanding of your cyber security posture

The most sophisticated threat actors dedicate their time to finding ways of exploiting cyber risks in your IT environment and evading detection by traditional defence mechanisms, such as antivirus. We are focused on identifying the cyber risks affecting your IT systems, the cyber security attacks that first lines of defence may have missed, and on improving your detection capabilities.

Our discovery and detection services enable you to gain visibility into a range of security risks, health and hygiene indicators that may be placing your environment at an elevated risk, as well as identifying evidence of malicious activity within your IT estate. We do this by:

  • Analysing data pulled from distinct sources such as your endpoints and external threat sources;
  • Augmenting these datasets with our proprietary threat intelligence to gain unique insights into signs of historic or active compromises in your environment; and,
  • Providing clear, actionable advice for remediation.

What do you need to protect?

Organisations are complex, combining on-premises and cloud infrastructure and spanning multiple technologies, some developed in-house and some provided by third parties. To help you better understand your cyber security posture and improve your detection capabilities, our detection and discovery services focus on the following data sources:

Endpoint

  • Real-time behavioural detection using PwC’s industry leading ruleset, mapped to the MITRE ATT&CK® framework.
  • Analysis of persistence mechanisms that may be employed by attackers to maintain a foothold in your environment.
  • Automated scanning for indicators of compromise developed from PwC’s threat intelligence research into over 200 advanced threat actors.
  • En masse analysis of forensic artefacts and system logs to identify evidence of a historic compromise.

For situations that require a sustained period of response activities, you will have rapid on-demand access to our global Cyber Incident Response team to help you contain and investigate the incident. Our procedures are grounded in industry best practice and years of practical experience.

Our services also provide visibility into a range of security risks, health and hygiene indicators that may be placing your environment at an elevated risk. The insights gained from this exercise include the identification of:

  • Misconfigured user accounts and groups that would present a path for an attacker to access your most valuable assets
  • Operating system (OS) and application vulnerabilities that attackers can abuse to infiltrate your systems and maintain a foothold in the environment
  • Compliance configuration drift that may be undermining the protections in place designed to prevent a successful cyber attack

Alliance Partners

Our fundamental approach to discovery services is solution agnostic and we will work with all your technologies, subject to their capabilities.

We maintain our technical knowledge in solution agnostic formats (including a proprietary detection and threat hunting library), and will be able to use these resources to provide insight to your team.

Where a solution is required for any of the discovery services we offer, we partner with leading vendors in the cyber security space, including Tanium, Microsoft, Palo Alto and Claroty.

Our service offerings

Detection content

Our specialist teams track and monitor cyber threat actors, helping clients respond to some of the most challenging incidents, from espionage to ransomware. The knowledge and insights from this work power our detection content – a bespoke collection of behavioural indicators that lets you get even more value from your security tooling. The detection content is currently available for Tanium and Defender for Endpoint.

The detection patterns developed are categorised using the tactics and techniques documented in the widely accepted MITRE ATT&CK® framework. Our detection rule subscription helps companies that are already using Tanium or Defender for Endpoint to better detect and control cyber attacks in their IT environment. Every detection rule includes a detailed description providing an explanation of the attacker technique, real-world context and actionable triage recommendations.

Benefits:

  • Instant uplift of your detection capabilities and security posture.
  • Expert support with testing, configuring and implementing the detection rules in your environment.
  • Updates to existing detection rules and release of new detection rules based on the latest tactics, techniques and procedures used by threat actors.

Case Study

The client issue

A global entertainment organisation had recently suffered a cyber security breach, which they were only able to detect after the threat actor had achieved their objectives. They wanted to understand whether the threat actor was still present in their environment, and whether there was any evidence of another compromise.

The solution

We delivered our compromise assessment and our health assessment to address the client’s requirements. As part of these services, we applied our proprietary threat detection methodology combined with a market-leading endpoint detection solution, deployed on top of their existing security infrastructure, to provide an extensive view of any historical and current malicious activity. Using the same endpoint solution, we retrieved wider data points to identify additional security risks.

The benefits

During the compromise assessment, we found live evidence of the early stages of a WastedLocker ransomware attack. We were able to rapidly analyse the malicious activity for additional indicators of compromise, and sweep the entire environment for any signs that the threat actor had moved laterally across the network. We then transitioned the investigation to our incident response team, who performed additional forensic analysis and initiated remediation steps with the client to ensure that the threat was removed from the environment.

As part of the health assessment, we identified unmanaged assets that the client was not tracking in their asset register. We also uncovered hygiene issues such as plaintext passwords in user directories, plaintext passwords used in command line tools, and exposed file shares. We provided the client with actionable recommendations on how to improve their cyber posture and resolve the identified hygiene issues.

Contact us

David Cannings

Cyber Threat Operations, PwC United Kingdom

Tel: +44 (0)7483 434287

Alex Blinda

Cyber Threat Detection and Response, PwC United Kingdom