XDR – Advantages From a Wider View

Avatar photo
Art Ocain

Endpoint Protection Isn’t Enough

There are hundreds of great security products on the market, each filling specific needs and having pros and cons. Endpoint detection and response (EDR) is no exception. EDR finds and kills the threat on the endpoint, your computer or server, but it is looking at a very narrow picture of the attack surface. It misses the network, identity, Cloud data, and email threats that face your organization. This lack of complete visibility has is where extended detection and response (XDR) comes to into play.

EDR is very effective in stopping threats that reach the endpoint, so why do we need more? Isn’t the endpoint what we are trying to protect? Yes, but threats that bypass EDR, affect manufacturing operational technology (OT), affect IoT, containers, or attack legacy systems unprotected by EDR are at risk. Lastly: Wouldn’t it be nice to stop the threat before it reaches your endpoint?

What does XDR do?

Good XDR will correlate data from:

  • Endpoints (event logs, EDR telemetry)
  • Identity (Active Directory, Okta, Duo, Azure AD, Thycotic, PingFederate, etc.)
  • Network (firewalls, core switches, wireless controllers, network IDS systems, netflow)
  • Email Security (Microsoft Defender for 365, Armorblox, Mimecast, Proofpoint)
  • Email Platform (Microsoft 365, Google Workspace, Exchange Server)
  • Cloud (cloud firewalls, AWS/Azure/GCP logs)
  • Infrastructure (VMware logs, IIS logs, FTP/SFTP logs, access logs, audit logs)

Good XDR will correlate all of these events and build associations between them. It will enrich data from threat feeds and map events to frameworks MITRE ATT&CK and/or MITRE D3FEND.

Good XDR will integrate with endpoints and firewalls in order to execute playbooks, stop threats, clean infections, and isolate hosts.

Scenario

Reconnaissance:

  • Bob, your CFO, is in the news as your company celebrates a stellar quarter. The screen transitions to the CEO announcing a new innovation, a product that is sure to reduce energy consumption for the entire world. The threat actor, watching the news, just identified their new target: you.

Weaponization:

  • The threat actor compiles a malware payload using code that they have used with ransomware clients in the past. The payload allows them to move through your network, execute commands, exfiltrate data, collect credentials, and deliver more malware.

Delivery:

  • The threat actor sends phishing emails to your finance team and sends fake invoices with the malware payload to the accounts payable address on your company’s website. Let’s say Bob, your CFO, falls for a phishing email. The threat actor now has Bob’s credentials. Next, Jane in Accounts Payable opens a fake invoice that contains a malicious payload on the old, unpatched finance system.

Exploitation:

  • The malware payload elevates its privileges and acts as an administrator rather than as Jane.

Installation:

  • It next compiles and installs a backdoor for the attacker. It also installs a service on the system so that it will execute again even if the system is rebooted.

Command & Control:

  • The malware does a DNS lookup to live.super****hairbydesign.com and receives a command to start uploading the finance database to the attacker’s cloud server. The DNS lookup tells the threat actor sees that your company is infected.

Actions on Objectives:

  • Next, the threat actor uses Bob’s credentials to access the VPN, which does not have MFA enabled. Upon connecting, the threat actor explores your network discretely, and finds a server called ENGINEERING-SRV. Using Bob’s credentials, the threat actor opens the shared drive on ENGINEERING-SRV and starts downloading all of the data over the VPN, including all of the intellectual property behind the new energy innovation.
  • The threat actor sees a server on the network called BACKUP-NAS and deletes all of the files on the file share.
  • Once the finance databases and the engineering data is uploaded, the threat actor instructs the malware to deploy a kill script, which disables volume shadow copies (VSS) and deploys a custom-compiled ransomware variant across the network.

Detection:

  • Endpoint detection and response (EDR) software on your network identifies and stops the ransomware from executing on 300 of your 389 computers. Alerts reach your IT helpdesk and your team launches its incident response plan. The IT team finds that many of your server file shares, including ENGINEERING-SRV, are fully encrypted.

Note that EDR was effective in catching the ransomware based on its behavior, even though it was custom-compiled and did not match any known virus signature. It was not effective in preventing the attack, nor preventing the exfiltration of your data.

 

The XDR Improvement

Recommended Solution
AirCISO logo
Air
CISO

Use AirCISO XDR for free and get useful data on your cybersecurity threats and vulnerabilities in your environment immediately. Get all the data a CISO needs to know where they stand.

>>Learn More
XDR would have prevented increased visibility on the attack. By talking to your email security solution, XDR would have noticed the phishing attempts aimed at Bob and the finance team and correlated it with VPN access from the outside. XDR would have noticed Bob accessing the Engineering server, which is probably not common. It would have noticed the payload coming to Jane and its execution on the finance system. On the privilege escalation to administrator, XDR would have fired a critical alert. Integrating with the firewall, XDR would have recognized the calls to the threat actor’s cloud server, as well as the exfiltration of data, correlating that information with the attack. XDR would have killed the connection to the cloud server by integrating with the firewall, cutting off the exfiltration.

Using the telemetry from all of these sources, XDR maps the attacker’s actions to the MITRE ATT&CK framework and identifies the threat actor as an 87% match to a hacker named PwnMeDude.

Integrating with the telemetry from your EDR, XDR could correlate the data and clean or isolate hosts as the kill script and propagation are recognized.

 

Take a Look at XDR

Understanding that these attacks are opportunistic, and the attackers look for gaps in security and unpatched systems, it is important to have more visibility and more correlated data. While important, EDR is only a piece of the puzzle. More data with strong correlations can create fewer, more informed alerts for IT and security staff.

New Resources In Your Inbox

Get our latest cybersecurity resources, content, tips and trends.

Other resources that might be of interest to you.

Airiam and Cybereason Partnership

Airiam and Cybereason Partner to Offer Stronger Incident Response and Enhanced Cybersecurity Airiam, a managed IT and Digital Transformation company with a strong focus on cybersecurity, today announced a partnership with Cybereason that will enhance p
Avatar photo
Bill Bowman
>>Read More

Price Vs Good IT

How Much Does Bad IT Cost? You are the decision maker. Whether deploying a new server, upgrading your switches, migrating to Office 365, or virtualizing your datacenter with VMware and Veeam, you may see the price tag and instantly balk. $10,000? $75,0
Avatar photo
Anthony Lewis
>>Read More

Office 365 Working with OpenDNS

Office 365 Working with OPENDNS We ran into some issues the other day with our client running Office365. Activation and a few other issues due to OpenDNS Enterprise running on their network. We worked with support and got the full list of domains to wh
Avatar photo
Anthony Lewis
>>Read More