The Cyber Threat Analysis and Detection Service (CTADS) is a
threat detection service designed to help you combat Advanced
Persistent Threats (APTs) that steal information from compromised
computers. Those who carry out these attacks are determined and
resourceful in their attempts to capture information and maximise
In light of a marked rise in APTs, Portcullis has devised CTADS as a
leading-edge solution, providing consolidated threat intelligence, gathered
from a number of reliable and trusted sources. These sources include
Portcullis’ own research and development work as well as public and
privately disclosed threat feeds.
Portcullis has further extended CTADS beyond the remit of other threat
analysis services by including the efforts of real people to analyse traffic
in depth for suspicious activity such as IP tunnelling, binary files,
payloads, exploitation attempts, malware, shellcode, command and
control traffic and beacon packets.
Portcullis’ analysts are experts with backgrounds in defence, intelligence,
finance and other industries. They are able to interpret vast amounts of
information for the suspicious activity and threats contained within. They
take the technical information and produce a story of events, discuss
probable threats and recommend mitigations appropriate and suitable for
you. As well as the technical output that describes what has happened and
when, the combination of technical discovery with threat modeling and
risk-centric analysis will look at answering who, where, why and how.
CTADS not only analyses traffic entering your network but also leaving it.
In today’s world Data Exfiltration is a huge concern. This work is often like
finding a needle in a haystack and requires skills and understanding far
beyond the normal abilities of most security professionals. However, no
automated systems can achieve anything like the accuracy and insight
achievable by individuals with such a depth of knowledge and
understanding. The manual phase of this service allows us to move beyond
reactively identifying a set of known problems and to be proactive,
using the latest intelligence combined with the experience of the team.
CTADS Incident Response is a time-based service that proceeds through
up to five stages:
Consultation: Portcullis analysts will liaise with you to gain a detailed
understanding of your network architecture and your organisation’s
exposure to APTs, before planning an effective strategy for the
deployment of CTADS Collection Agents.
Details of the Collection Agents to be deployed will be provided to you in
an equipment register so the data collected can be accounted for
throughout your assignment.
Data Collection: Portcullis investigators will then deploy the Collection
Agents, a selection of best-of-breed, appropriate and specialised tools, to
obtain a recording of network level traffic during a fixed period for later,
Analysis: Upon return to the Portcullis labs, your traffic will be subjected
to stringent analysis for evidential data. The Collection Agents are first
indexed and all data cross-referenced, then threats are trended and
identified; suspicious files, malware and other files containing payloads
are reconstituted, analysed and - where required - reverse engineered to
understand how they function and provide details to identify further
occurrences of them. Where discovered, malicious code will be
investigated by Portcullis’ dedicated and experienced network and
Throughout the Data Collection and Analysis processes you will receive
regular progress reports.
Reporting: The results of the Consultation, Data Collection and Analysis
will be collated into a comprehensive technical report of our actions,
discoveries, conclusions and recommendations. Executive reports may
also be commissioned for a specific audience.
The report will include a summary of positively identified issues, a general
traffic analysis, a list of any potentially compromised hosts and, wherever
possible, a list of types and levels of data egress with detailed information
on the data itself and the egress destination. Attack attribution and threat
modeling will also take place at this stage, building on the risk analysis
performed during the initial consultation.
Integrity: Upon completion of the CTADS assignment, data collected will
either be securely erased or the media physically destroyed and
certificates of destruction provided to you. Alternatively you can request
the return of the devices containing your traffic for destruction by you.