SecPro #07: XDR Platforms, Threat Intelligence, and MITRE D3FEND!
As we move forward, I’d love to hear from you! What resources are you looking for? What information about security does it seem like you’re struggling to find? Please do write to me and let me know your thoughts.
If you find this newsletter useful and interesting and know other people who would too, I’d really appreciate it if you’d forward it to them.
XDR Platforms: AI-Powered Threat Detection and Response
An Extended Detection and Response (XDR) platform can centralize and automate the analysis and remediation of security threats across your organization. XDR specializes in improved visibility and analytics across endpoints, cloud infrastructure, and on-premise networks. This makes XDR highly useful for simplifying management and enforcing consistent policies across hybrid environments.
With XDR solutions, you can aggregate data from across the enterprise, utilizing the work that SIEMs have historically done. XDRs then leverage threat intelligence and AI-driven data analytics to automate responses to given threats across disparate systems. The greater focus on analytics lets XDR more proactively and automatically identify and respond to new and known threats.
In a nutshell, a great XDR solution can help you:
- Identify threats that are highly sophisticated or hidden
- Track threats across multiple system components
- Improve detection and response speed
- Perform proactive threat hunting
Acting On Signals That Matter
If you work in SecOps, it’s likely you have no shortage of alerts to investigate, so adopting solutions that prioritize real incidents for triage and containment could be a blessing. You can use an XDR solution that exposes incidents that would otherwise get easily missed by cross-correlating low fidelity signals.
Aim for a solution that curates a list of real incidents enriched with context to help your analysts understand the attack and its impact, resulting in confident response actions and reduced attackers’ dwell time. We examine three XDR solutions:
Sophos Endpoint Protection with Intercept X provides an antivirus/antimalware solution that when upgraded with Intercept X or Intercept X Advanced provides advanced threat detection and EDR capabilities.
Scope and Features:
- Offers fully synchronized, cloud-native data security. Its malware detection is based on AI-powered deep learning.
- The combination of on-device and data lake forensics provides better-contextualized insights.
- A feature called “Query Pivot” makes it easier and faster for security analysts to investigate and respond to threats by suggesting “subqueries” off of the original investigation.
Trend Micro Vision One claims advanced XDR capabilities that collect and correlate deep activity data across multiple vectors – email, endpoints, servers, cloud workloads, and networks.
Scope and Features:
- AI security analytics with in-built threat expertise and global threat intelligence.
- Uses predictive analytics and machine learning to monitor for emerging threats.
- Increased risk visibility that ties back to the MITRE ATT&CK Framework.
- Easy integration with Apex One.
Hunters created a lot of buzz last year when they raised their Series A funding with Snowflake Ventures. Hunters.ai is the only solution on the list that’s exclusively built for open XDR purposes, unlike most products which are either a SIEM/SOAR or CASB.
Scope and Features:
- Hunters XDR ingests both raw data as well as alerts and signals from any telemetry source and supports integrations from multiple vendors.
- Uses ML models to correlate signals and alerts and dynamically score them, allowing for easy prioritization and triage of threats.
- Detection capabilities mapped to the MITRE ATT&CK Framework.
- Security teams can build a security data lake using Hunters and leverage its built-in ETL capabilities to normalize and organize all the security data.
XDR vs. EDR vs. MDR
XDR can in many ways be considered an evolution of endpoint detection and response (EDR). Both are designed to change an organization’s security posture from legacy reactive stances to proactive activities like threat hunting.
The key distinction between the two is the difference in scope. EDR excels at centralizing data and determining next step actions related to endpoints specifically. XDR is broader than just endpoints. XDR also covers network security and cloud-based systems.
Finally, Managed Detection and Response (MDR) is the outsourcing of threat hunting and responding to threats service. An MDR provider will offer round-the-clock network monitoring and incident investigation and response in the form of managed security service offerings.
Raisin Bran: Useful, Everyday “How-tos”
Retrieving AWS security credentials from the AWS console
How to retrieve AWS security credentials (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN) when authenticated in the AWS Console.
How Netflix uses eBPF flow logs at scale for network insight
Netflix has developed a network observability sidecar called Flow Exporter that uses eBPF tracepoints to capture TCP flows in near real-time.
At much less than 1% of CPU and memory on the instance, this highly performant sidecar provides flow data at scale for network insight.
A great way to protect Kubernetes config files against accidental or malicious change or reading.
Tutorial: Leveraging Threat Intelligence into Ops
The term “threat intelligence”covers a wide range of information, data points, and techniques that allow analysts to identify attack types in their network, adequately respond to them, and prepare for future attacks. In order to properly leverage this capability, security analysts should have a solid foundation of the various terminologies, methodologies, and tools that can be utilized in conjunction with threat intelligence.
Through this tutorial, we’ll offer a starting point for responders to integrate threat intelligence into their operations. So let’s get started!
What’s Threat Intelligence and What’s Not
Like some terms in infosec, threat intelligence is a bit nebulous and can mean different things to different people (and organizations). For simplicity, let’s consider the following key elements that need to be present for data or information to be considered threat intelligence:
- Evidence-based: For any intelligence product to be useful, it must first be obtained through proper evidence collection methods. In this way, analysts that rely on it can be sure of its validity.
- Utility: The intelligence must provide clarity, in terms of context and data, about specific behaviors or methods to determine whether an analyst is evaluating an incident against other incidents of a similar nature.
- Actionable: Intelligence should be action-driven, whether that is a specific sequence of events or a specific focus area of an incident.
Before we proceed further, please make a note of the following threat intelligence types for reference:
- Indicators of Compromise (IOCs): An IOC is an artifact observed on a system that is indicative of a compromise of some sort.
- Indicators of Attacks (IOAs): An IOA is an artifact observed on a system that is indicative of an attack or an attempted attack.
- Tactics, Techniques, and Procedures (TTPs): A group or attacker’s habit, unique methodology, and how they execute a certain attack can be considered as their TTP.
A useful construct describing the various types of IOCs and IOAs that an adversary can leverage and their ability to modify them during an attack is the “pyramid of pain” developed by David Bianco. The following diagram shows the relationship to the various indicators and the work effort necessary to modify them in order to bypass security controls:
Threat Intelligence Sources
There are three primary sources of threat intelligence that an organization can leverage:
- Internally Developed Sources: The most complex threat intelligence sources are those that an organization internally develops. To obtain IOCs, the organization can make use of honeypots or other deliberately vulnerable systems to acquire unique malware samples.
- Commercial Sourcing: An alternative to internal sourcing is to contract a threat intelligence vendor. These organizations utilize their own personnel and infrastructure to acquire malware, analyze attacks, and conduct research on various threat groups.
- Open Source: OSINT providers have become quite popular. Groups such as SANS and US-CERT provide specific information about threats and vulnerabilities. Commercial providers such as AlienVault provide an Open Threat Exchange (OTX) to share threat intelligence such as IOCs and TTPs. Other formats of the OSINT include OpenIOC, STIX, TAXII, VERIS.
Note: Parts of this story were curated using Chapter 13 of Digital Forensics and Incident Response, Second Edition published by Packt.
Threat Intelligence Platform: MISP Threat Sharing
As organizations begin to aggregate threat intelligence, whether it is created internally or externally sourced, they will need a platform in which to aggregate it. There are several commercial platforms available as well as freeware versions that provide analysts with this capability.
One freeware platform that is available is the Malware Information Sharing Platform (MISP). This community project has produced a software platform that can be used by analysts to store data about malware and other exploits. Installing MISP is dependent on the type of operating system platform in use. Complete directions are available at https://github.com/MISP/MISP/tree/2.4/INSTALL. Once logged in, the following window will appear:
There is a good deal of data on this page, including tags that identify the classifications of events, the date that they were added, and basic information that allows analysts to quickly sort through the various entries.
Clicking on an Event ID or the View icon to the far right of an event brings up another window:
Analysts will be provided with a good deal of intelligence regarding the specific event. First is the event data, which is an overview of the attributes of the IOCs contained within the event:
Further down, the window reveals the specific elements of the event:
Here, the specific Trojan indicated in the background information has been evaluated by VirusTotal and following the link indicates that 46 out of 61 antivirus providers have detected that this event is linked with a Trojan virus:
The real value of the MISP platform is the IOCs that are associated with events. Navigating down the window, the analyst can then view the individual IOCs associated with the malware addressed in the event:
The analyst can also identify specific URLs that are associated with either C2 communications or if the malware is part of a multistaged attack. The analyst can then either correlate those URLs with logs on the firewall or block those URLs through a web proxy to contain a possible malware outbreak.
If you’re looking to leverage the advantages that threat intelligence provides, then you must first understand the threat. From there, you can define their requirements and begin the intelligence process. Finally, by integrating your organization’s toolset to utilize threat intelligence, you can position to have more effective proactive controls and the ability to respond efficiently. While threat intelligence may not remove the fear of an adversary entirely, it can offer you a good deal of ammunition to combat today’s threats.
Frameworks and Tools
Complementary to the threat-based ATT&CK model, D3FEND provides a model of ways to counter common offensive techniques, enumerating how defensive techniques impact an actor’s ability to succeed. By framing computer network defender complexity as granularly as ATT&CK frames computer network attacker techniques, D3FEND enables cybersecurity professionals to tailor defenses against specific cyber threats. Read the full NSA press release here.
A reverse engineering course with over 90 challenges covering assembly, stack buffer overflows, format strings, array indexing, return-oriented programming, heap exploitation, symbolic execution, and more.
SLSA: An End-to-End Framework for Supply Chain Integrity
Inspired by Google’s internal Binary Authorization for Borg that has been in use for the past 8+ years, Supply-chain Levels for Software Artifacts (SLSA) is an end-to-end framework for ensuring the integrity of software artifacts throughout the software supply chain.
Policy as Code Tools: OPA vs. Semgrep
This article looks at two popular PaC tools to check a Terraform resource for compliance from the lens of usability, simplicity, tooling, and performance.
Google’s Open Source Insights Project
Open Source Insights provides a visualization of a project’s dependencies and their properties. It provides interactive tools to visualize and analyze full, transitive dependency graphs. It also has a comparison tool to highlight how different versions of a package might affect your dependencies and offers insights to fix related security problems.
The SecPro is a weekly security newsletter to help you stay sharp and upgrade your skills with trending threat insights, practical tutorials, hands-on labs, and useful resources. Build skills in as little as 10 minutes.