Author: Theos

Benefits of Managed Detection & Response

Managed Detection and Response (MDR) is a relatively new approach to cybersecurity that aims to provide organizations with an enhanced level of protection against advanced and persistent threats. MDR combines advanced threat detection technologies with expert analysis and response services to help organizations quickly identify, investigate, and remediate potential cyber threats.

Challenging traditional approaches

Traditional approaches to cybersecurity have relied on a combination of preventative measures, such as firewalls and antivirus software, and incident response procedures to address cyber threats. However, as cyber threats become increasingly sophisticated and persistent, many organizations have recognized the need for more proactive and holistic approaches to cybersecurity.

MDR services typically involve the deployment of advanced threat detection technologies, such as machine learning algorithms and behavioral analytics, that are designed to identify potential cyber threats based on patterns of activity that may be indicative of malicious behavior. These technologies are often deployed across an organization’s entire IT infrastructure, including endpoints, servers, and cloud-based services, in order to provide comprehensive coverage.

How does it Work?

Once a potential threat has been identified, the MDR service provider will typically undertake a series of investigation and analysis activities to determine the nature and severity of the threat. This may involve gathering additional information about the source of the threat, the techniques and tactics being employed, and any potential vulnerabilities that may have been exploited.

Once the threat has been fully understood, the MDR service provider will work with the organization to develop a response plan that is tailored to the specific circumstances of the threat. This may involve a range of activities, such as blocking or quarantining malicious files or processes, patching vulnerabilities, and conducting forensic analysis to determine the extent of any damage that may have been caused.

Benefits of MDR

One of the key benefits of MDR services is that they are typically provided on a 24/7 basis, which means that organizations can benefit from continuous monitoring and rapid response capabilities. This can be particularly important for organizations that have a high risk profile or that operate in industries that are particularly susceptible to cyber threats, such as finance or healthcare.

Another key advantage of MDR services is that they can help organizations to minimize the impact of cyber threats by identifying and remediating potential issues before they can cause significant damage. This can be particularly important for organizations that handle sensitive data, such as personally identifiable information (PII) or financial data, as a single breach can have significant financial and reputational consequences.

Conclusion

In summary, Managed Detection and Response is a proactive and holistic approach to cybersecurity that combines advanced threat detection technologies with expert analysis and response services to help organizations quickly identify, investigate, and remediate potential cyber threats. By providing continuous monitoring and rapid response capabilities, MDR services can help organizations to minimize the impact of cyber threats and protect sensitive data from malicious actors.

Purple Teaming: Enhancing Cybersecurity Posture through Collaborative Testing

As a Chief Information Security Officer (CISO), you are tasked with protecting your organization from cyber threats. With the constantly evolving threat landscape, traditional cybersecurity measures may not be enough to keep your organization safe. This is where purple teaming comes in. In this blog post, we will explore what purple teaming is, how often it should be conducted, and how the findings can be used to improve your organization’s security posture.

What is Purple Teaming?

Purple teaming is a collaborative approach to cybersecurity testing that involves both the offensive and defensive teams working together. The red team, responsible for attacking the organization’s security defenses, works in collaboration with the blue team, responsible for defending against attacks. The goal is to identify vulnerabilities in the organization’s security posture and improve its ability to prevent, detect, and respond to cyber threats.

Benefits of Purple Teaming

  • Collaboration: One of the most significant benefits of purple teaming is collaboration between the red and blue teams. Both teams work together to achieve a common goal, which leads to improved communication and understanding of each other’s roles and responsibilities.
  • Identify Vulnerabilities: Purple teaming can help identify vulnerabilities and gaps in an organization’s defenses that may not be apparent through traditional security assessments. The collaborative approach ensures that all possible attack vectors are explored and tested, allowing for a more comprehensive security assessment.
  • Enhanced Threat Detection and Response: By continuously testing and refining the security posture, purple teaming enables organizations to detect and respond to threats more effectively. This proactive approach ensures that security defenses are continually updated and strengthened.

How Often Should Purple Teaming be Conducted?

The frequency of purple teaming depends on several factors, including the organization’s risk profile, the industry it operates in, and its cybersecurity maturity level. Generally, it is recommended to conduct purple teaming at least once a year, but more frequent testing may be necessary for organizations with a high risk of cyber threats or those that handle sensitive data.

Regular testing ensures that the organization’s security posture is up to date and able to withstand the latest threats. It also provides an opportunity to identify areas that need improvement and make necessary adjustments before a real cyber attack occurs.

How Can the Findings Be Used to Improve an Organization’s Security Posture?

The findings from purple teaming can be used to improve an organization’s security posture in several ways. These include:

  1. Identifying Gaps: Purple teaming can help identify gaps in the organization’s security posture that may have been overlooked by traditional security measures. These gaps can be used to prioritize areas for improvement and allocate resources accordingly.
  2. Enhancing Communication: Purple teaming promotes collaboration and communication between the red and blue teams, enhancing their understanding of each other’s roles and responsibilities. This can help improve the overall effectiveness of the organization’s security measures.
  3. Improving Response: The findings from purple teaming can be used to develop more effective incident response plans. By identifying weaknesses in the organization’s response capabilities, the organization can take steps to improve its ability to detect and respond to cyber threats.
  4. Optimizing Security Investments: Purple teaming can help optimize the organization’s security investments by identifying areas where additional investment may be required, and areas where investments can be scaled back.

Two Practical Examples of Purple Teaming

Example 1: Improving Incident Response

An insurance company conducted a purple team exercise to test its incident response plan. During the exercise, the red team was able to compromise several critical systems and exfiltrate sensitive data. The exercise highlighted weaknesses in the organization’s incident response plan, such as slow response times and inadequate communication between teams. The organization used the findings to revise its incident response plan, increasing its ability to detect and respond to real-world cyber threats.

Example 2: Enhancing Threat Intelligence

A financial institution conducted a purple team exercise to test its threat intelligence capabilities. The exercise revealed that the organization’s threat intelligence was not comprehensive enough to detect advanced persistent threats (APTs). The organization used the findings to improve its threat intelligence capabilities, including increasing the scope of its threat intelligence feeds, developing a more comprehensive threat model, and investing in additional threat intelligence tools.

Conclusion

Purple teaming is a proactive and collaborative approach to cybersecurity testing that can help organizations identify and address vulnerabilities in their security posture. By conducting regular purple team exercises, organizations can improve their incident response plans, enhance their threat intelligence capabilities, optimize their security investments, and ultimately strengthen their overall cybersecurity posture. As a CISO, it’s essential to prioritize purple teaming as part of your organization’s cybersecurity strategy to stay ahead of constantly evolving threats and protect your organization’s critical assets and data.

Penetration Testing vs Red Teaming

Given the rise of cybercrime and the advancement of tools and techniques in cybersecurity, organizations must continuously test and improve their security programs. There are different security assessments that an organization can employ for this. However, with limited budget and resources, it is essential to understand them and choose the one that best suits the organization’s needs.

At the forefront of security testing methods are Penetration Testing and Red Teaming. Both methods simulate an attack from an adversary, using real-world strategies and techniques to discover vulnerabilities in the organization. However, there are key differences between the two, and it is best to understand them and know when one is more appropriate than the other:

Goals

Penetration tests have different goals than Red Team engagements. 

The goal of a pentest is to find as many vulnerabilities as possible and exploit them through any means available: to find as many ways as possible to compromise the target and assess the risk to the business.

Red teams, however, do not try to compile a long list of all your company’s vulnerabilities. A Red Team’s goal is to find a way, even just one way, into your organization and (depending on the agreement) access whatever critical data or asset there is to access without getting caught.

A Penetration test helps the organization discover holes in their systems that an attacker can use. A Red Team exercise helps the organization find gaps in their process, people and technology and test how effectively they can respond to a successful attack. 

Scope

Penetration tests have a limited scope, while a Red Team engagement essentially has no such limitations.

Penetration tests are usually limited to a specific application, server, environment or to a specific network or range, etc. Limitations may also include testing hours or testing durations. 

For a Red Team engagement, however, other than a few business-critical systems (or people), there are generally no limitations on the applications or networks that can be leveraged. The team is free to compromise a UAT or production server, and attacks can be sent during and outside working hours.

Attack Vectors

There are different types of Penetration tests such as Internal, External Network, Application, Wireless, Social Engineering, etc. In each of these, the testers are limited to attacks for that specific context or type of test. For instance, for an application pentest, a test is usually only limited to using web related attack vectors. 

For a Red Team exercise, however, it is a free-for-all: anything goes. Red Teams usually have complete freedom to use whatever attack or technique will get them in. Red Teamers can send in USB sticks, send phishing emails, or physically break into your office to get the necessary access.

The only exception for Red Teams is attack vectors that have been agreed to be denied or excluded from the engagement. Red Team exercises may be designed around a scenario, and the Tactics, Tools and Techniques may therefore be limited by agreement to fit that scenario.

Time

There is a major difference in the duration of a Penetration test vs a Red Team exercise. 

Penetration tests are usually done between 1-3 weeks depending on the scope and type of test.  

However, a Red team can run between 4-8 weeks, sometimes even longer depending on the size of the company and the scenario agreed upon. 

Cost

Lastly, there is a significant cost difference between a pentest and a Red Team engagement.

Because a Red Team engagement requires more time, more effort and more expertise, it is understandably more expensive than a regular penetration test.

Overall, penetration testing and Red Teaming are both essential parts of an organization’s security program. They have different goals and bring different value to an organization. However, one is never better than the other; both are equally important for improving an organization’s security. They just need to be aligned with the organization’s needs and current level of maturity.

Penetration Testing Methodology

What is Penetration Testing? 

Penetration testing, also known as Pentest or Ethical Hacking, is an authorized security exercise designed to find and exploit vulnerabilities on a system, network or application. It is a simulated attack performed by cyber-security experts, mimicking real world strategies and techniques, aimed to identify weaknesses on the system and evaluate how an attacker can take advantage of them. 

Vulnerability Assessment VS Penetration Testing

While a Vulnerability Assessment also tries to identify vulnerabilities or weaknesses in a system (usually using an automated scanner), Penetration testing goes beyond that and tries to also exploit these vulnerabilities manually. A pentest not only reports these vulnerabilities but also demonstrates how these can be used, leveraged or even chained to compromise the target system. Escalation will also be attempted to demonstrate how deep an attacker can access due to the compromise and therefore better evaluate the overall exposure and security posture of the organization. 

Penetration Testing Approaches

Penetration testing can be conducted in one of three ways: Black, White or Grey Box testing.

The Black Box testing approach is done from the perspective of an outsider or external adversary with limited knowledge or information about the target system. This approach can be seen as the most authentic, demonstrating how an attacker with no inside knowledge would target and compromise the system. While this approach most closely mimics real-world attackers, the process of discovering vulnerabilities takes significantly longer than with the other approaches because of the lack of internal knowledge. As a result, the tester’s time is not used to the fullest and some components may not get tested.

The White Box testing approach is done with full knowledge of the target. This knowledge includes technical and functional specifications, architecture/network diagrams, access matrix, source code and other relevant information. This approach allows the tester to discover all possible attack vectors and perform a more comprehensive analysis of the system. However, it requires much more effort to conduct and may even require more sophisticated tools.

The Grey Box testing approach is a combination of, or a compromise between, Black Box and White Box. In this approach the tester has some knowledge of, and some level of access to, the target system. This eliminates much of the time spent on reconnaissance and allows more time for security testing.

Penetration Testing Process 

In general, a penetration test can be structured in six phases:

  1. Planning 
  2. Reconnaissance 
  3. Vulnerability Analysis 
  4. Exploitation 
  5. Post-Exploitation 
  6. Reporting 

In the Planning phase, the details of the pentest exercise are discussed and agreed upon. These include agreement on the scope and limitations of the test, the testing approach, timelines and rules of engagement. Logistical requirements such as test accounts, VPN access and IP whitelisting are also detailed in this phase. The goal of this phase is to ensure the exercise runs smoothly and that its objectives are fully achieved.

In the Reconnaissance phase, the tester gathers as much information about the target as possible and maps out its full attack surface. This is done through a combination of passive and active methods.

Passive methods do not involve direct interaction with the target; they include gathering information from Open-Source Intelligence sources (e.g. DNS records, Google search). Active methods involve direct interaction with the target to obtain relevant information; they include port scanning, application mapping/spidering and internal DNS queries.

All the information gathered is then analyzed and used to identify attack vectors for the next phases.

In the Vulnerability Analysis phase, the tester uses different techniques to discover flaws in the target system or infrastructure. Discovery can be done through manual testing or by automated means (using a vulnerability scanner). These flaws are then evaluated to determine their accuracy and potential exploitability based on the scope and objectives of the engagement.

In the Exploitation phase, the evaluated vulnerabilities are exploited to validate their potential risk. The aim of exploitation is to establish some level of access on the system for post-exploitation and to demonstrate the compromise. This can be demonstrated through a Proof-of-Concept or through an actual compromise of the system.

The Post-Exploitation phase covers activities that can be carried out after a successful exploitation of the target. This includes privilege escalation, lateral movement, data exfiltration and others. The aim of this phase is to determine the extent of the compromise that can be achieved and its value, based on the sensitivity of the data, the purpose of the asset, the effect on overall operations, etc.

Lastly, the Reporting phase involves documenting and presenting the results of the pentest engagement. The report details the scope and objectives of the pentest, the vulnerabilities found, the risk they pose to the organization and recommendations the organization can act on to fix these vulnerabilities and mitigate the risks.

The report is arguably the most important part of the engagement. It should be communicated in a way that can be easily understood and acted upon by both executive and technical stakeholders.

What is CSPM?

Cloud Security Posture Management, commonly referred to as CSPM, is a key security control for organizations that follow a cloud-first strategy and are focused on migrating their data and applications to the cloud. Most successful attacks on cloud environments are due to misconfiguration and mismanagement.

By 2021, 50% of enterprises will unknowingly and mistakenly have some IaaS storage services, network segments, applications or APIs directly exposed to the public internet. [1]

[1] Gartner Research – Innovation Insight for Cloud Security Posture Management, 25 January 2019

Why do you need CSPM?

While a cloud-first strategy provides speed, agility, increased productivity and flexibility, it also brings the challenge of exposure to heightened cyber security threats, because cloud environments are reachable from the internet; the most serious of these threats is a data breach.

There are many options for configuring the components of a cloud environment to support business acceleration, but these also create opportunities for misconfiguration. Some common ones are:

  • Security policies that govern the configurations are overly permissive
  • Access to data storage is neither restricted nor encrypted
  • Access paths from networks are not secured
  • The APIs that drive cloud operations are easily misconfigured and mismanaged, because of the many multi-cloud resources often needed to operate an application

Traditional on-premises security technologies such as firewalls and intrusion detection and prevention systems work well where a perimeter is clearly defined, which does not translate to a cloud environment, where the notion of a perimeter does not exist. Other challenges for traditional on-premises solutions are:

  • Cloud configuration changes happen at a speed and scale that the manual processes built around on-premises tools cannot keep up with
  • In a multi-cloud environment, there is no centralized view of the constant change against a baseline of secure practice
  • Finally, and most poignantly, the perimeter as we knew it has all but dissolved, since cloud resources can be accessed from anywhere

What does CSPM do for you?

CSPM provides non-stop visibility, monitoring, reporting and remediation of cloud infrastructure and application security posture.

Key must-have features of a CSPM:

VISIBILITY
  • Centralized view of all your cloud environments
  • API driven for speed and accuracy
  • Coverage of cloud models (SaaS, PaaS, IaaS)

GOVERNANCE
  • Security policies based on industry best practices (NIST, CIS, CSA) coupled with regulatory and business operations compliance
  • Continuous monitoring for misconfiguration and non-compliance

REPORTING
  • Real-time reporting on configuration deviation and control failures

REMEDIATION
  • Step-by-step guided remediation to speed up response time
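What one monitoring pass of a CSPM does in practice, as an added example in Python that is not Theos’ product code: a constructed inventory snapshot is evaluated against rules for the common misconfigurations listed earlier (world-open admin ports, public or unencrypted storage, wildcard IAM policies), and each finding carries a severity and a guided remediation step. The inventory schema, rule ids, severities and remediation text are assumptions made for illustration.

```python
"""Minimal CSPM-style policy evaluation over a constructed cloud inventory.

Added example, not Theos' code. The inventory schema, rule ids, severities and
remediation text are assumptions; a real CSPM collects this data through the
provider APIs and maps each rule to a CIS/NIST benchmark control.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

ADMIN_PORTS = {22, 3389}  # SSH / RDP: the classic "access path not secured"


@dataclass(frozen=True)
class Finding:
    rule_id: str
    resource: str
    severity: str
    detail: str
    remediation: str


def _is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (a prefix length of 0 matches every address)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_network_rules(res: dict) -> list:
    """Flag ingress rules that expose admin ports to the whole internet."""
    findings = []
    for rule in res.get("ingress", []):
        if not _is_world_open(rule["source"]):
            continue
        lo, hi = rule["port_range"]
        exposed = sorted(p for p in ADMIN_PORTS if lo <= p <= hi)
        if exposed:
            findings.append(Finding(
                "NET-001", res["id"], "critical",
                f"admin port(s) {exposed} reachable from {rule['source']}",
                "Limit the source to trusted ranges or route admin access via VPN/bastion."))
    return findings


def check_storage(res: dict) -> list:
    """Flag storage that is publicly readable or not encrypted at rest."""
    findings = []
    if res.get("public_access"):
        findings.append(Finding(
            "STO-001", res["id"], "critical", "storage is publicly accessible",
            "Enable the provider's block-public-access setting and review ACLs."))
    if not res.get("encrypted_at_rest"):
        findings.append(Finding(
            "STO-002", res["id"], "high", "storage is not encrypted at rest",
            "Enable default encryption with a managed or customer key."))
    return findings


def check_iam_policy(res: dict) -> list:
    """Flag policies that allow every action on every resource."""
    findings = []
    for stmt in res.get("statements", []):
        if (stmt.get("effect") == "allow" and "*" in stmt.get("actions", [])
                and "*" in stmt.get("resources", [])):
            findings.append(Finding(
                "IAM-001", res["id"], "high",
                "policy allows '*' actions on '*' resources",
                "Scope actions and resources to what the workload actually needs."))
    return findings


CHECKS = {"network_rule": check_network_rules,
          "storage": check_storage,
          "iam_policy": check_iam_policy}


def evaluate(inventory: list) -> list:
    """Run every applicable rule over one inventory snapshot (one monitoring pass)."""
    findings = []
    for res in inventory:
        findings.extend(CHECKS.get(res["type"], lambda _r: [])(res))
    return findings


def summarize(findings: list) -> dict:
    """Severity counts for the reporting view."""
    return dict(Counter(f.severity for f in findings))


# Constructed sample snapshot: three misconfigured resources and one compliant bucket.
SAMPLE_INVENTORY = [
    {"type": "network_rule", "id": "sg-web", "ingress": [
        {"source": "0.0.0.0/0", "port_range": (443, 443)},
        {"source": "0.0.0.0/0", "port_range": (22, 22)}]},
    {"type": "storage", "id": "bucket-exports", "public_access": True,
     "encrypted_at_rest": False},
    {"type": "storage", "id": "bucket-backups", "public_access": False,
     "encrypted_at_rest": True},
    {"type": "iam_policy", "id": "ci-runner", "statements": [
        {"effect": "allow", "actions": ["*"], "resources": ["*"]}]},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.rule_id} {f.resource}: {f.detail} -> {f.remediation}")
    print(summarize(evaluate(SAMPLE_INVENTORY)))
```

Re-running `evaluate` on each fresh snapshot and diffing the findings against the previous pass gives the "configuration deviation" view the feature list calls for.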

How do you consume CSPM?

With each of the above requirements for CSPM, understanding your current baseline will drive the selection of the right technology and security partner for the deployment of CSPM. Data to establish include:

  • Breakdown of your current subscriptions across IaaS/PaaS (AWS, Azure, GCP) and SaaS (M365, Google Workspace, Box) cloud environments
  • Application interactions between the cloud environments, both user-to-system and system-to-system (typically API calls)
  • Regulatory and business compliance requirements
  • Training and support needed for your security operations team
  • Technology provider integration with your cloud environments
  • Choice of a CSPM solution that is SaaS delivered
  • A business case for involving an implementation partner who can help accelerate the effort

In closing, CSPM is a crucial step toward securing your organization’s cloud presence as business workloads migrate to the cloud. CSPM supports security teams in giving developers the feedback that embeds a security-by-design mantra into their development process. Operating in cloud environments makes security everyone’s responsibility, and CSPM helps make this easier.

What is CASB?

Migration to the cloud began around the turn of the millennium. Now, however, organizations are beginning to move their business-critical and sensitive systems, including Human Resources and Customer Relationship Management (CRM) data, to the cloud. It is time to gain total visibility on how this sensitive data is accessed, updated and moved.

Cloud Access Security Brokers, commonly referred to as CASB, provide organizations with the capabilities to effectively secure and monitor their cloud-based data. CASB began by addressing the cloud problem of Shadow IT, but it has since matured to network traffic inspection, which gives visibility on how data is being accessed and transmitted and makes it possible to apply security policies.

Why do you need CASB?

Some of the major challenges organizations have are: 

  • Pushing their on-premises DLP capabilities to cloud 
  • Identification of cloud account compromises 
  • Shadow IT threats 
  • Continuous monitoring of cloud applications and the ever-increasing use of APIs
  • Protection for a workforce who continue to be highly mobile 
  • Separation of duties between the cloud consumer and cloud provider is not clearly defined and owned

What does CASB do for you?

Key must-have features of a CASB:

AUDIT
  • User and Entity Behavior Analytics (UEBA) to determine deviation from baseline
  • Ability to profile patterns based on application, data and cloud usage
  • Provide actionable items to security operations to maintain posture

DATA SECURITY
  • Single tool to provide a view of where the data resides
  • Close tracking of data movement
  • Integration with cloud systems
  • Integration with current security toolset
  • DLP enforcement
  • Deep network traffic visibility
  • Encryption/tokenization techniques to provide data protection controls

CONFIGURATION COMPLIANCE
  • Alignment to industry best practices and benchmarks from NIST, CIS, CSA
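How the AUDIT and DATA SECURITY features above fit together, as an added example in Python that is not Theos’ code: a per-user baseline (mean daily download volume, countries seen at login) is learned from constructed SaaS audit events, and later events are scored for UEBA deviation (new login country, download volume far above baseline) and for a DLP violation (a confidential object shared externally). The event schema, thresholds and alert names are assumptions; a real CASB would receive such events through the SaaS provider’s API or from proxied traffic.

```python
"""CASB-style UEBA and DLP analytics over constructed SaaS audit events.

Added example, not Theos' code. The event schema, thresholds and alert names
are assumptions; a real CASB receives such events through the SaaS provider's
API (API integration) or by inspecting proxied traffic (forward/reverse proxy).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    kind: str
    user: str
    ts: str
    detail: str


def _daily_download_bytes(events: list) -> dict:
    """Sum downloaded bytes per (user, day)."""
    totals = defaultdict(int)
    for e in events:
        if e["action"] == "download":
            totals[(e["user"], e["ts"])] += e["bytes"]
    return totals


def build_baseline(events: list, baseline_until: str) -> dict:
    """Per-user profile from events dated before baseline_until (ISO dates, so
    string comparison orders them): mean daily download bytes and login countries."""
    past = [e for e in events if e["ts"] < baseline_until]
    per_day = defaultdict(list)
    for (user, _day), total in _daily_download_bytes(past).items():
        per_day[user].append(total)
    countries = defaultdict(set)
    for e in past:
        if e["action"] == "login":
            countries[e["user"]].add(e["country"])
    profiles = {}
    for user in {e["user"] for e in past}:
        days = per_day[user]
        profiles[user] = {"mean_bytes": sum(days) / len(days) if days else 0.0,
                          "countries": countries[user]}
    return profiles


def detect(events: list, baseline_until: str, factor: float = 3.0,
           min_bytes: int = 20_000_000) -> list:
    """UEBA alerts for activity on/after baseline_until that deviates from the
    learned profile, plus DLP alerts for external shares of confidential data."""
    baseline = build_baseline(events, baseline_until)
    recent = [e for e in events if e["ts"] >= baseline_until]
    alerts = []
    for e in recent:
        profile = baseline.get(e["user"])
        if e["action"] == "login" and profile and e["country"] not in profile["countries"]:
            alerts.append(Alert("UEBA-GEO", e["user"], e["ts"],
                                f"login from {e['country']}, baseline {sorted(profile['countries'])}"))
        if e["action"] == "share_external" and e.get("label") == "confidential":
            alerts.append(Alert("DLP-SHARE", e["user"], e["ts"],
                                f"confidential object shared externally with {e['target']}"))
    for (user, day), total in _daily_download_bytes(recent).items():
        mean = baseline.get(user, {}).get("mean_bytes", 0.0)
        threshold = max(min_bytes, factor * mean)  # floor avoids alerts on tiny baselines
        if total > threshold:
            alerts.append(Alert("UEBA-VOLUME", user, day,
                                f"downloaded {total} bytes vs threshold {threshold:.0f}"))
    return sorted(alerts, key=lambda a: (a.ts, a.user, a.kind))


def _constructed_events() -> list:
    """Five ordinary days for alice and bob, then one day on which bob logs in
    from a new country, bulk-downloads, and shares a confidential object externally."""
    events = []
    for day in range(1, 6):
        ts = f"2024-03-0{day}"
        for user, size in (("alice", 10_000_000), ("bob", 5_000_000)):
            events.append({"ts": ts, "user": user, "action": "login", "country": "HK"})
            events.append({"ts": ts, "user": user, "action": "download",
                           "bytes": size, "label": "confidential"})
    events += [
        {"ts": "2024-03-06", "user": "alice", "action": "login", "country": "HK"},
        {"ts": "2024-03-06", "user": "alice", "action": "download",
         "bytes": 12_000_000, "label": "confidential"},
        {"ts": "2024-03-06", "user": "bob", "action": "login", "country": "DE"},
        {"ts": "2024-03-06", "user": "bob", "action": "download",
         "bytes": 200_000_000, "label": "confidential"},
        {"ts": "2024-03-06", "user": "bob", "action": "share_external",
         "label": "confidential", "target": "partner@example.net"},
    ]
    return events


SAMPLE_EVENTS = _constructed_events()

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, "2024-03-06"):
        print(f"{a.ts} {a.kind:12} {a.user}: {a.detail}")
```

Alice’s slightly larger day stays under the volume threshold, so only bob’s three deviations surface, which is the "actionable items" shortlist the AUDIT feature refers to.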

How do you consume CASB?

There are numerous methods for deploying CASB. Each of them should be evaluated in line with the business requirements and with technology as the enabler. Some of the methods available are:

  • API Integration: out-of-band implementation with integration between the CASB tool and the cloud environments
  • Agent/Forward Proxy: in-line implementation with visibility on activities by managed assets for both managed and unmanaged applications and data
  • Agentless/Reverse Proxy: agentless implementation with visibility on activities by managed and unmanaged assets for managed applications and data

Business considerations when choosing a suitable CASB technology:

  • Prioritize your applications to determine the critical ones to include in the CASB pilot
  • Identify current technologies in production that can integrate with the CASB solution
  • Investigate the suitability of the methods described above, especially when using more than one to achieve the target objectives

As organizations move business-critical and sensitive systems and data to the cloud, the number of application use cases also increases, which further strains the security of data at rest and in motion.

Delivering an end-to-end Vulnerability Management programme to reduce attack surface

Customer’s profile:

A cosmetics manufacturing company, headquartered in the US, with 500 employees across seven offices globally. The company designs and manufactures exclusive brands and private labels for mass, drug and specialty retailers and provides outsourcing solutions to leading beauty companies operating worldwide.

Customer’s challenge:

  • The business was recently acquired by a Private Equity firm with a mandate to uplift the entire security posture of the company. The requirements covered all aspects of information security with a global footprint and a need to provide ongoing security management over several years.
  • The customer was seeking a security partner who could implement and run a breadth of security services globally, at a price point commensurate with a mid-size enterprise.

Solution delivered:

Theos delivered an end-to-end VM programme, which included the following:

  • Implemented a vulnerability scanning platform and configured scan templates and schedules.
  • Performed Vulnerability Discovery & Penetration Testing: an initial vulnerability discovery on all Internet-facing systems, and penetration testing on up to 3 external-facing applications or systems.
  • Delivered Vulnerability Management: scanning the entire estate for vulnerabilities, which are then validated and remediated by Theos. Theos validates findings and dismisses false positives to facilitate the remediation process and ensure a quicker time to fix issues.

Security values delivered to the customer:

  • Both external and internal network risk brought down from critical to medium during the first quarter of implementation.
  • External network: low risk maintained for 7 months straight since the completion of the implementation.
  • Internal network: continuous VM practice enables system owners to remediate vulnerabilities as they are discovered.

Delivering GRC Consulting Services for a global crypto market leader

Customer’s profile:

A blockchain company with 200+ employees across 3 offices globally and a crypto market capitalization of USD 2.2B as of June 2021. The company provides end-to-end solutions to take blockchain businesses from strategic planning to product deployment. The company’s software introduces a new blockchain architecture designed to enable vertical and horizontal scaling of decentralized applications.

Customer’s challenge:

  • As a blockchain company with operations in the US and Asia, the customer had an urgent need for GRC consulting services to meet compliance requirements from various regulators and investors across the globe.
  • They needed a security partner to strengthen their security policies by aligning them with the latest regulatory requirements and internationally recognised standards in order to secure trading licenses.

Solution delivered:

Theos provided the following services to the customer:

  • Mapped regulatory requirements to internal security controls to fulfil their regulatory requirements and strengthen their internal security policies
  • Completed vendor security assessments for 40 technology vendors (including SaaS, plugins and on-premise solutions) to lower third-party risk
  • Designed and implemented security policies based on the regulatory and standard requirements
  • Designed a Security Awareness Programme to help the customer better handle their critical systems and/or exchange

Why Theos?

  • Our experience in delivering GRC for Financial Services customers in APAC: our security consultants are qualified to perform consulting services on a global scale for customers and have 10+ years of experience in delivering security and compliance engagements in APAC for customers in the fintech and financial services sector. 

Adversary Emulation for a technology business in Asia

Customer’s profile:

A technology company headquartered in Hong Kong providing IT services to enterprises globally.

Customer’s challenge:

Recent incidents involving third-party compromise.

Solution delivered:

Theos delivers two Red Team Cyber Assessments each year to the customer by emulating a real attack scenario, with the goal of improving the security defences as well as the security response to actual real-world attacks.

  • As part of the assessment, Theos performed an Advanced Persistent Threat (APT) attack aimed at gaining access to and exfiltrating sensitive information within the customer’s HR and Finance departments.
  • The assessment follows a Black Box approach, which mimics how an attacker typically approaches an APT attack. This means the client does not share any specific knowledge of the internal workings of the organisation; Theos has no pre-existing access to any asset, nor information about the internal architecture and security controls.

Value delivered to the customer:

  • Actionable insights into the successful attack vectors leveraged during the exercise, with recommendations around policies, systems and processes
  • Re-run of the successful TTPs once the remediation had been implemented
  • Successfully met regulatory requirements

Adversary Emulation with APT Scenario for one of the largest insurers in Asia

Customer’s profile:

One of the largest insurance companies in Asia, with 6,000 employees and agents across 10 countries in Asia. The company offers life and medical insurance, general insurance and employee benefits.

Customer’s challenge:

  • Annual exercise to assess the cyber resilience of a specific business unit
  • Regulatory requirement to conduct at least one red team exercise per year
  • Strategy of continuous security improvement based on rotating assessments

Solution delivered:

  • Theos conducted an end-to-end Advanced Persistent Threat scenario with no initial knowledge of the target users, assets and infrastructure
  • The objective of the exercise was the identification and exfiltration of sensitive information, with a focus on customer data
  • The exercise was successful in that the objective was met within the timeline and boundaries set under the agreed rules of engagement

Values delivered to the customer:

  • Actionable insights into the successful attack vectors leveraged during the exercise, with recommendations around policies, systems and processes
  • Re-run of the successful TTPs once the remediation had been implemented
  • Successfully met regulatory requirements