Endpoint Protection Isn’t Enough
There are hundreds of great security products on the market, each filling specific needs and having pros and cons. Endpoint detection and response (EDR) is no exception. EDR finds and kills the threat on the endpoint, your computer or server, but it is looking at a very narrow picture of the attack surface. It misses the network, identity, cloud data, and email threats that face your organization. This lack of complete visibility is where extended detection and response (XDR) comes into play.
EDR is very effective in stopping threats that reach the endpoint, so why do we need more? Isn’t the endpoint what we are trying to protect? Yes, but some threats bypass EDR, and the systems EDR does not cover, such as manufacturing operational technology (OT), IoT devices, containers, and legacy systems, remain at risk. Lastly: Wouldn’t it be nice to stop the threat before it reaches your endpoint?
What does XDR do?
Good XDR will correlate data from:
- Endpoints (event logs, EDR telemetry)
- Identity (Active Directory, Okta, Duo, Azure AD, Thycotic, PingFederate, etc.)
- Network (firewalls, core switches, wireless controllers, network IDS systems, netflow)
- Email Security (Microsoft Defender for 365, Armorblox, Mimecast, Proofpoint)
- Email Platform (Microsoft 365, Google Workspace, Exchange Server)
- Cloud (cloud firewalls, AWS/Azure/GCP logs)
- Infrastructure (VMware logs, IIS logs, FTP/SFTP logs, access logs, audit logs)
Good XDR will correlate all of these events and build associations between them. It will enrich the data from threat feeds and map events to frameworks such as MITRE ATT&CK and/or MITRE D3FEND.
Good XDR will integrate with endpoints and firewalls in order to execute playbooks, stop threats, clean infections, and isolate hosts.
Scenario
Reconnaissance:
- Bob, your CFO, is in the news as your company celebrates a stellar quarter. The screen transitions to the CEO announcing a new innovation, a product that is sure to reduce energy consumption for the entire world. The threat actor, watching the news, just identified their new target: you.
Weaponization:
- The threat actor compiles a malware payload using code that they have used with ransomware clients in the past. The payload allows them to move through your network, execute commands, exfiltrate data, collect credentials, and deliver more malware.
Delivery:
- The threat actor sends phishing emails to your finance team and fake invoices carrying the malware payload to the accounts payable address listed on your company’s website. Let’s say Bob, your CFO, falls for a phishing email. The threat actor now has Bob’s credentials. Next, Jane in Accounts Payable opens a fake invoice that contains a malicious payload on the old, unpatched finance system.
Exploitation:
- The malware payload elevates its privileges and acts as an administrator rather than as Jane.
Installation:
- It next compiles and installs a backdoor for the attacker. It also installs a service on the system so that it will execute again even if the system is rebooted.
Command & Control:
- The malware does a DNS lookup to live.super****hairbydesign.com and receives a command to start uploading the finance database to the attacker’s cloud server. The DNS lookup tells the threat actor that your company is infected.
Actions on Objectives:
- Next, the threat actor uses Bob’s credentials to access the VPN, which does not have MFA enabled. Upon connecting, the threat actor explores your network discreetly and finds a server called ENGINEERING-SRV. Using Bob’s credentials, the threat actor opens the shared drive on ENGINEERING-SRV and starts downloading all of the data over the VPN, including all of the intellectual property behind the new energy innovation.
- The threat actor sees a server on the network called BACKUP-NAS and deletes all of the files on the file share.
- Once the finance databases and the engineering data are uploaded, the threat actor instructs the malware to deploy a kill script, which disables volume shadow copies (VSS) and deploys a custom-compiled ransomware variant across the network.
Detection:
- Endpoint detection and response (EDR) software on your network identifies and stops the ransomware from executing on 300 of your 389 computers. Alerts reach your IT helpdesk and your team launches its incident response plan. The IT team finds that many of your server file shares, including ENGINEERING-SRV, are fully encrypted.
Note that EDR was effective in catching the ransomware based on its behavior, even though it was custom-compiled and did not match any known virus signature. It was not effective in preventing the attack, nor in preventing the exfiltration of your data.
The XDR Improvement
Use AirCISO XDR for free and get useful data on your cybersecurity threats and vulnerabilities in your environment immediately. Get all the data a CISO needs to know where they stand.
Using the telemetry from all of these sources, XDR maps the attacker’s actions to the MITRE ATT&CK framework and identifies the threat actor as an 87% match to a hacker named PwnMeDude.
Integrating with the telemetry from your EDR, XDR could correlate the data and clean or isolate hosts as the kill script and propagation are recognized.
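The cross-source correlation this article describes, both the association-building and ATT&CK mapping in the "What does XDR do?" section and the correlation-driven containment here, as an added Python example that is not part of the original post or of any XDR product: it takes constructed events shaped like the scenario (the email, DNS, identity, file server and EDR sources), pivots them on user and host, scores each group against ATT&CK technique IDs and emits the containment actions. The host name FINANCE-01, the event types, weights and threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed telemetry shaped like the scenario's sources (not real logs). Each
# event carries the entities XDR pivots on: a user and/or a host.
EVENTS = [
    {"ts": "09:02", "source": "email_security", "type": "phish_click", "user": "bob"},
    {"ts": "09:05", "source": "dns", "type": "threat_feed_hit", "host": "FINANCE-01"},
    {"ts": "09:30", "source": "identity", "type": "vpn_login", "user": "bob", "mfa": False},
    {"ts": "09:35", "source": "file_server", "type": "share_bulk_read", "user": "bob", "host": "ENGINEERING-SRV"},
    {"ts": "09:40", "source": "edr", "type": "vss_disabled", "host": "FINANCE-01"},
    {"ts": "08:00", "source": "identity", "type": "vpn_login", "user": "alice", "mfa": True},
]

# ATT&CK technique each event type maps to, and an assumed weight for the incident score.
TECHNIQUES = {"phish_click": ("T1566", 2), "vpn_login": ("T1078", 1),
              "threat_feed_hit": ("T1071.004", 3), "share_bulk_read": ("T1039", 3),
              "vss_disabled": ("T1490", 4)}

def cluster(events):
    """Pivot on the user; a host-only event joins the user last seen on that host."""
    host_user = {e["host"]: e["user"] for e in events if "user" in e and "host" in e}
    groups = defaultdict(list)
    for e in events:
        groups[e.get("user") or host_user.get(e["host"], e["host"])].append(e)
    return list(groups.values())

def build_incidents(events, threshold=6):
    """One scored incident per group over the threshold, with the ATT&CK sequence in
    time order and the containment actions XDR would push to EDR, firewall or IdP."""
    incidents = []
    for group in cluster(events):
        score, techniques = 0, []
        for e in sorted(group, key=lambda e: e["ts"]):
            if e["type"] == "vpn_login" and e.get("mfa"):
                continue  # an MFA-backed login is expected behaviour, not a signal
            tid, weight = TECHNIQUES[e["type"]]
            score += weight
            techniques.append(tid)
        if score < threshold:
            continue  # below threshold: stays a low-priority event, not an alert
        entities = sorted({f"{k}:{e[k]}" for e in group for k in ("user", "host") if k in e})
        actions = [f"isolate host {n}" for k, n in (x.split(":", 1) for x in entities)
                   if k == "host" and {"T1490", "T1071.004"} & set(techniques)]
        actions += [f"disable account {n}" for k, n in (x.split(":", 1) for x in entities)
                    if k == "user" and "T1078" in techniques]
        incidents.append({"entities": entities, "score": score,
                          "techniques": techniques, "actions": actions})
    return sorted(incidents, key=lambda i: -i["score"])
```

Six raw events from five sources collapse into two incidents, one for the infected finance host and one for the compromised CFO account, while alice's MFA-backed VPN login never becomes an alert.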
Take a Look at XDR
Understanding that these attacks are opportunistic, and the attackers look for gaps in security and unpatched systems, it is important to have more visibility and more correlated data. While important, EDR is only a piece of the puzzle. More data with strong correlations can create fewer, more informed alerts for IT and security staff.