
XDR and MITRE ATT&CK: anticipate the attacker's movements to better apprehend him

Year after year, cybercriminals demonstrate their ability to develop ever more sophisticated attack scenarios. Fileless malware, sandbox-environment detection and zero-day exploitation are among the techniques that have proven able to circumvent all or part of a business's existing cybersecurity solutions. To detect and stop an attack, professionals increasingly look to knowledge bases such as MITRE ATT&CK, a repository that allows the attacker's movements to be understood, explained and ultimately anticipated.

EPPs and EDRs provide a necessary first level of security

Workstations, mobile phones and tablets are prime targets for cybercriminals. To protect these IT assets, antivirus software has given way to so-called EPP technology, an acronym for Endpoint Protection Platform. An EPP is a software agent whose purpose is to prevent cyber threats such as attacks by ransomware, malware and other malicious programs. Even if this technology provides a first level of security, it has a limitation: it does not collect telemetry data and consequently cannot be used for behavioral detection, hunting or forensic purposes.

It is to meet this need that EDR (Endpoint Detection and Response) technology was developed. A solution complementary to the EPP, the EDR observes and detects suspicious behavior, making it possible to stem the threat. Simply put, EPP detects threats upstream while EDR handles the compromise downstream. To do this, EDR relies on cybersecurity knowledge bases like MITRE ATT&CK. Thanks to the modeling of tactics, techniques and procedures (TTPs), and based on the traces left by the attacker, detection scenarios make it possible to identify how far the attack has advanced and thus react.

As of this writing, the MITRE ATT&CK repository breaks down cybercriminals' modus operandi into 14 tactics:

  1. Reconnaissance
  2. Resource Development
  3. Initial Access
  4. Execution
  5. Persistence
  6. Privilege Escalation
  7. Defense Evasion
  8. Credential Access
  9. Discovery
  10. Lateral Movement
  11. Collection
  12. Command and Control
  13. Exfiltration
  14. Impact

Added to this are 193 techniques and 401 sub-techniques, such as infrastructure compromise, DHCP spoofing, browser extension hijacking or brute-force attacks. A gold mine that allows companies to strengthen their detection and response arsenal.

XDR technology brings a holistic view of enterprise security

While EPP and EDR technologies are a first defense against cyber threats, they only allow monitoring of the machine on which the software agent is installed. To prevent cyber attackers from exploiting equipment that would not be secured by these technologies, XDR technology for eXtended Detection and Response was developed.

By collecting event logs from all types of equipment, XDR makes it possible to analyze the activity of all the assets of the information system. Agnostic to protocols and brands, the XDR platform can integrate equipment from the edge of the network (firewalls), through internal network equipment (routers, switches), to servers and endpoints not equipped with EPP/EDR agents.

If on paper the marketing concept of XDR seems clear, in practice each cybersecurity vendor defines it differently. For some, XDR is the combination of log collection from EDRs with events from user access management (IAM), while for others it is the association of EDR events with network traffic analysis (NTA) through log collection from the firewall.

By correlating the data reported as indicators of compromise (IoC) or indicators of attack (IoA), and thanks to the MITRE ATT&CK repository, XDR technology has the ability to recognize a lateral movement, a privilege escalation attempt or a data exfiltration. XDR makes it possible to decide holistically on the perimeter to be secured while defining detection scenarios based on identified tactics, techniques and procedures. These scenarios most often require the development of automation scripts through an orchestration component called SOAR (Security Orchestration, Automation and Response), a component that is not integrated by default in all XDR offers on the market.

Some key use cases to consider

MITRE ATT&CK is an extensive library of TTPs, as we have already alluded to. But what are some of the key use cases that XDR platforms can help bring to life and turn the catalogue of possibilities into a real-world, active defense?

Proactively modify a firewall’s filtering rules

Knowledge of the operating mode of an attack, accompanied by the identification of an IP belonging to a cybercriminal infrastructure, makes it possible to detect an intrusion attempt. By integrating a firewall with an XDR platform, a response action (ban IP) can be triggered automatically to stop the intrusion attempt. One has to be careful of course, and we cannot entirely rely on artificial intelligence. There still needs to be a human intervention in the vast majority of cases, because any grey area means a possibility of false positives and therefore wrongful blocking activities. Making it easier for an analyst however, is a sound use case for efficiency and speed – two key elements of handling cybersecurity intrusions.
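The decision logic behind this use case, written here as an added example (not code from the article or from Orange Cyberdefense): firewall log lines are matched against an IoC list, high-confidence indicators are blocked automatically, and everything in the grey area is only queued for an analyst. The log format, the IoC feed, the confidence threshold and the iptables rendering are all assumptions chosen for the example.

```python
"""Match firewall connection logs against an IoC list and decide whether
a block is applied automatically or queued for analyst review."""
import ipaddress
from dataclasses import dataclass

# Constructed threat-intelligence list: source IP -> confidence and ATT&CK tag.
# Addresses come from documentation ranges; confidence values are illustrative.
IOC_FEED = {
    "203.0.113.45": {"confidence": 95, "technique": "T1071", "note": "known C2 infrastructure"},
    "198.51.100.7": {"confidence": 55, "technique": "T1595", "note": "scanner seen once"},
}

# Only indicators at or above this confidence are blocked without a human in the loop.
AUTO_BLOCK_THRESHOLD = 90

# Constructed firewall log lines in a key=value style; not from any real device.
FIREWALL_LOGS = [
    "2024-05-01T10:00:01Z src=203.0.113.45 dst=10.0.0.5 dport=443 action=allow",
    "2024-05-01T10:00:02Z src=198.51.100.7 dst=10.0.0.5 dport=22 action=allow",
    "2024-05-01T10:00:03Z src=192.0.2.10 dst=10.0.0.8 dport=80 action=allow",
    "2024-05-01T10:00:04Z src=203.0.113.45 dst=10.0.0.9 dport=8080 action=allow",
    "2024-05-01T10:00:05Z src=not-an-ip dst=10.0.0.9 dport=8080 action=allow",
]


@dataclass(frozen=True)
class Decision:
    src: str
    technique: str
    confidence: int
    action: str        # "block" (automatic) or "review" (analyst queue)
    hits: int          # number of log lines involving this source


def parse_line(line):
    """Return the key=value fields of one log line as a dict (timestamp under 'ts')."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    fields["ts"] = parts[0]
    return fields


def triage(lines, feed=IOC_FEED, threshold=AUTO_BLOCK_THRESHOLD):
    """Return {src_ip: Decision} for every source that matches the IoC feed.

    High-confidence indicators produce an automatic block; anything else is a
    grey area and is only queued for review, so a false positive in the feed
    does not turn into a wrongful block.
    """
    hits = {}
    for line in lines:
        src = parse_line(line).get("src", "")
        try:
            ipaddress.ip_address(src)       # drop malformed fields early
        except ValueError:
            continue
        if src in feed:
            hits[src] = hits.get(src, 0) + 1
    decisions = {}
    for src, count in hits.items():
        ioc = feed[src]
        action = "block" if ioc["confidence"] >= threshold else "review"
        decisions[src] = Decision(src, ioc["technique"], ioc["confidence"], action, count)
    return decisions


def block_rule(decision):
    """Render a host-firewall rule for an automatic block (iptables syntax is
    used only as an illustration; the article does not name a firewall product)."""
    if decision.action != "block":
        raise ValueError("only high-confidence decisions are rendered as rules")
    return f"iptables -I INPUT -s {decision.src} -j DROP"


if __name__ == "__main__":
    for d in triage(FIREWALL_LOGS).values():
        print(d, block_rule(d) if d.action == "block" else "-> analyst queue")
```

The threshold is the knob that encodes the "human in the loop" point of the paragraph: lowering it widens what gets blocked automatically, and every indicator below it still reaches the analyst with its hit count and technique tag attached.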

Detect suspicious user behavior

By analyzing user processes, the XDR platform can detect a privilege escalation attempt such as running a process with administrator rights by a user who does not usually have this level of rights. To contain this threat, a remediation action can be launched from the XDR platform by killing the process PID, disabling the affected user and then isolating the infected machine.
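An added example of this detection and the containment sequence, not code from the article or from any XDR product: a per-user baseline is built from historical process events, an elevated process run by a user outside that baseline raises an alert, and the alert is turned into the kill / disable / isolate actions the paragraph lists. The event fields, the history and the minimum-run threshold are assumptions made for the example.

```python
"""Flag an elevated process started by a user who has no history of elevation,
and build the containment sequence for the resulting alert."""
from collections import Counter

# Constructed historical process events: (user, process, ran_elevated).
HISTORY = [
    ("alice", "outlook.exe", False),
    ("alice", "excel.exe", False),
    ("alice", "teams.exe", False),
    ("bob", "mmc.exe", True),
    ("bob", "powershell.exe", True),
    ("bob", "regedit.exe", True),
    ("carol", "notepad.exe", False),
    ("carol", "cmd.exe", True),   # a single elevated run is not enough for a baseline
]

# Constructed live events as an endpoint agent might report them.
NEW_EVENTS = [
    {"host": "WS-017", "user": "alice", "pid": 4412, "process": "cmd.exe", "elevated": True},
    {"host": "WS-022", "user": "bob", "pid": 990, "process": "powershell.exe", "elevated": True},
    {"host": "WS-017", "user": "alice", "pid": 4413, "process": "excel.exe", "elevated": False},
    {"host": "WS-031", "user": "carol", "pid": 2201, "process": "cmd.exe", "elevated": True},
]

MIN_ELEVATED_RUNS = 2   # past elevated runs needed before elevation counts as normal for a user


def build_baseline(history, min_runs=MIN_ELEVATED_RUNS):
    """Return the set of users for whom running elevated is established behavior."""
    elevated_runs = Counter(user for user, _, elevated in history if elevated)
    return {user for user, n in elevated_runs.items() if n >= min_runs}


def detect_escalation(events, baseline):
    """Return an alert for each elevated process started by a user outside the baseline."""
    alerts = []
    for ev in events:
        if ev["elevated"] and ev["user"] not in baseline:
            alerts.append({**ev, "tactic": "TA0004",      # ATT&CK Privilege Escalation
                           "reason": "elevated run by user without elevation history"})
    return alerts


def containment_plan(alert):
    """Ordered response actions: stop the process, disable the account, isolate the host."""
    return [
        ("kill_process", alert["host"], alert["pid"]),
        ("disable_user", alert["user"]),
        ("isolate_host", alert["host"]),
    ]


if __name__ == "__main__":
    for alert in detect_escalation(NEW_EVENTS, build_baseline(HISTORY)):
        print(alert["user"], alert["process"], containment_plan(alert))
```

The order of the plan matters: the process is stopped first so that disabling the account and isolating the host cannot be raced by whatever the elevated process was about to do.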

Disable phishing URLs before the user lands on the page

94% of threats use email as their primary attack vector. By analyzing the links contained in the emails in the corporate messaging inbox, the XDR platform has the ability to visit the URLs and analyze whether the pages are legitimate or not. In the case of a phishing page, a response action can be launched with the web proxy in order to stop the resolution of the offending domain. This remediation is transparent to the user and can be done in seconds (but again, with care and with expert knowledge to make the decision).

Detect steganography attacks

To circumvent detection mechanisms, cybercriminals conceal information such as configuration settings in altered image files (JPG, PNG). By analyzing the life cycle of files from creation to modification to deletion, XDR technology has the ability to correlate this information and provide contextualized information to the SOC analyst. Data de-obfuscation functionality is now present in most of the XDR solutions on the market.
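One concrete check an analyst can run on such files, as an added example that is not part of the article and does not describe any vendor's de-obfuscation feature: parse the container structure of a PNG or JPEG and report any bytes that sit after the image's end marker, which is the simplest place to hide a configuration blob. The sample images and the hidden blob are constructed inline; the parser is single-scan only (a progressive JPEG with several SOS segments is reported as unexpected rather than parsed).

```python
"""Detect data appended after the end of a PNG or JPEG image, one concrete
check for configuration hidden in image files."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing(data):
    """Walk the chunk list and return whatever follows IEND (b'' if nothing)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 12 + length            # length + type + data + CRC
        if chunk_end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        if ctype == b"IEND":
            return data[chunk_end:]
        pos = chunk_end
    raise ValueError("no IEND chunk")


def jpeg_trailing(data):
    """Parse marker segments up to SOS, skip the entropy-coded data, return bytes after EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while True:                                   # marker segments carry a 2-byte length
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("bad marker segment")
        marker = data[pos + 1]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            break
    while pos + 1 < len(data):
        # In scan data, FF00 is byte stuffing and FFD0..FFD7 are restart markers;
        # any other FFxx is a real marker, and the only one expected is EOI.
        if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
            if data[pos + 1] == 0xD9:
                return data[pos + 2:]
            raise ValueError("unexpected marker in scan data")
        pos += 1
    raise ValueError("no EOI marker")


def scan_image(data):
    """Return a small verdict dict for the SOC analyst."""
    if data.startswith(PNG_SIG):
        fmt, trailing = "png", png_trailing(data)
    elif data[:2] == b"\xff\xd8":
        fmt, trailing = "jpeg", jpeg_trailing(data)
    else:
        raise ValueError("unsupported format")
    return {"format": fmt, "trailing_bytes": len(trailing),
            "suspicious": len(trailing) > 0, "preview": trailing[:16]}


# --- constructed samples (not real files) ---
def _png_chunk(ctype, payload):
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
HIDDEN = b'{"beacon_interval": 300}'        # constructed hidden configuration blob
STEGO_PNG = CLEAN_PNG + HIDDEN
# Minimal JPEG: SOI, an empty SOS segment, scan bytes with one FF00 stuffing, EOI.
CLEAN_JPEG = b"\xff\xd8\xff\xda\x00\x02\x12\x34\xff\x00\x56\xff\xd9"
STEGO_JPEG = CLEAN_JPEG + HIDDEN

if __name__ == "__main__":
    for name, img in [("clean png", CLEAN_PNG), ("stego png", STEGO_PNG),
                      ("clean jpeg", CLEAN_JPEG), ("stego jpeg", STEGO_JPEG)]:
        print(name, scan_image(img))
```

Appended data is only the most obvious hiding place; payloads tucked into ancillary PNG chunks or into pixel values need a different check, which is why the paragraph's file-lifecycle correlation (who wrote the file, what read it afterwards) remains the stronger signal.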

Detect failed network connections

When a machine is compromised by malware, the latter most often tries to move laterally on the victim's internal network. To do this, it launches a reconnaissance phase by trying to connect to adjacent machines. The detection of failed network connections allows the XDR solution to detect a reconnaissance or lateral movement attempt.
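An added example of that detection, not code from the article or from any XDR product: failed connections are kept per source in a sliding time window, and an alert fires when one source fails to reach several distinct neighbors inside the window. The event tuples, the 60-second window and the five-target threshold are assumptions; the second host in the sample shows why the window matters.

```python
"""Detect a burst of failed connections from one host to many distinct
neighbors, the reconnaissance / lateral movement pattern described above."""
from collections import defaultdict, deque

# Constructed connection events: (seconds, src, dst, dport, status).
EVENTS = [
    (0,   "10.0.0.5", "10.0.0.2",  445,  "ok"),
    (0,   "10.0.0.5", "10.0.0.10", 445,  "failed"),
    (5,   "10.0.0.5", "10.0.0.11", 445,  "failed"),
    (10,  "10.0.0.5", "10.0.0.12", 445,  "failed"),
    (15,  "10.0.0.5", "10.0.0.13", 3389, "failed"),
    (20,  "10.0.0.5", "10.0.0.14", 445,  "failed"),
    (25,  "10.0.0.5", "10.0.0.15", 445,  "failed"),
    # a second host whose scattered failures never fall inside one window
    (0,   "10.0.0.7", "10.0.0.20", 445,  "failed"),
    (100, "10.0.0.7", "10.0.0.21", 445,  "failed"),
    (200, "10.0.0.7", "10.0.0.22", 445,  "failed"),
    (300, "10.0.0.7", "10.0.0.23", 445,  "failed"),
    (400, "10.0.0.7", "10.0.0.24", 445,  "failed"),
]


def detect_fanout(events, window=60, min_targets=5):
    """Alert once per source that fails to reach >= min_targets distinct hosts
    within `window` seconds. Successful connections are ignored on purpose:
    normal file-server traffic succeeds, probing of absent services does not."""
    recent = defaultdict(deque)     # src -> deque of (ts, dst, dport) failed attempts
    fired = set()
    alerts = []
    for ts, src, dst, dport, status in sorted(events):
        if status != "failed":
            continue
        q = recent[src]
        q.append((ts, dst, dport))
        while q and ts - q[0][0] > window:      # expire attempts older than the window
            q.popleft()
        targets = {d for _, d, _ in q}
        if len(targets) >= min_targets and src not in fired:
            fired.add(src)
            alerts.append({
                "src": src,
                "targets": sorted(targets),
                "ports": sorted({p for _, _, p in q}),
                "window_start": q[0][0],
                "window_end": ts,
                "tactics": ["TA0007", "TA0008"],   # Discovery, Lateral Movement
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(EVENTS):
        print(alert)
```

Counting distinct destinations rather than raw failures keeps a single flaky server from tripping the rule, and expiring old attempts keeps slow background noise below the threshold.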

Detect a file exfiltration attempt

Whether voluntary or not, access to a sensitive file is important information for the SOC analyst. Thanks to the recording of data-read streams (file-read), XDR technology generates an alert while making it possible to assess the exposure caused by the incident, by analyzing all the files that have been read by the same process (PID). An essential feature for data exfiltration detection.
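An added example of the exposure assessment, not code from the article or from any XDR product: file-read telemetry is grouped per process, a read of a sensitive path raises the alert, and the alert carries every other file that process read and the total volume, so the analyst can size the incident. The telemetry fields, the sensitive paths and the sample events are assumptions; note that the grouping key is host plus PID, because a PID alone is only unique on one machine.

```python
"""After a read of a sensitive file, gather every file the same process read
so the analyst can size the exposure."""
from collections import defaultdict

# Constructed sensitive locations: exact paths or directory prefixes.
SENSITIVE_PATHS = {"/srv/finance/payroll.xlsx"}
SENSITIVE_PREFIXES = ("/srv/hr/",)

# Constructed file-read telemetry as an endpoint agent might report it.
READ_EVENTS = [
    {"ts": 1, "host": "SRV-01", "pid": 3120, "process": "python3", "user": "dave",
     "path": "/srv/finance/payroll.xlsx", "bytes": 48000},
    {"ts": 2, "host": "SRV-01", "pid": 3120, "process": "python3", "user": "dave",
     "path": "/srv/hr/employees.csv", "bytes": 12000},
    {"ts": 3, "host": "SRV-01", "pid": 3120, "process": "python3", "user": "dave",
     "path": "/srv/finance/budget.xlsx", "bytes": 9000},
    {"ts": 4, "host": "SRV-01", "pid": 3120, "process": "python3", "user": "dave",
     "path": "/srv/finance/payroll.xlsx", "bytes": 48000},
    {"ts": 5, "host": "SRV-01", "pid": 77, "process": "rsyslogd", "user": "root",
     "path": "/var/log/syslog", "bytes": 2000},
    # same PID number on another host: unrelated, must not be merged
    {"ts": 6, "host": "SRV-02", "pid": 3120, "process": "bash", "user": "erin",
     "path": "/home/erin/notes.txt", "bytes": 100},
]


def is_sensitive(path):
    return path in SENSITIVE_PATHS or path.startswith(SENSITIVE_PREFIXES)


def assess_exposure(events):
    """Return one alert per (host, pid) that read a sensitive file, listing
    everything that process read and how much data it pulled in total."""
    by_process = defaultdict(list)
    for ev in events:
        by_process[(ev["host"], ev["pid"])].append(ev)
    alerts = []
    for (host, pid), evs in sorted(by_process.items()):
        triggers = [e for e in evs if is_sensitive(e["path"])]
        if not triggers:
            continue
        first = min(triggers, key=lambda e: e["ts"])
        alerts.append({
            "host": host, "pid": pid,
            "process": first["process"], "user": first["user"],
            "trigger": first["path"], "first_seen": first["ts"],
            "files_read": sorted({e["path"] for e in evs}),
            "sensitive_files": sorted({e["path"] for e in triggers}),
            "bytes_read": sum(e["bytes"] for e in evs),
            "tactics": ["TA0009", "TA0010"],   # Collection, Exfiltration
        })
    return alerts


if __name__ == "__main__":
    for alert in assess_exposure(READ_EVENTS):
        print(alert)
```

The byte total is what turns "a sensitive file was opened" into an exposure estimate: a process that read 117 kB across three files is a different incident from one that read a few hundred bytes of a single document.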

Analyze RPC calls and System calls

XDR provides Threat Hunting teams with a simplified investigation capability. By recording RPC calls and system calls, analysts can access all actions performed by a particular process or by a remote machine. This is particularly useful when one wishes to understand how the reconnaissance or persistence phases were carried out.

MITRE ATT&CK improves cybersecurity maturity of companies

Beyond its usefulness in detecting threats and in helping to understand the operating mode used by cybercriminals, their behavior and the path of the attack, the MITRE ATT&CK repository is intended to be an asset in the evaluation of a company's cybersecurity maturity level.

By analyzing the modus operandi used by cybercriminals, companies can identify the security flaws present in their detection arsenal as well as in the blind spots in the daily functioning of their organization. Associated with current and future compliance obligations (GDPR, NIS 2, DORA), decision-makers can take corrective actions and increase their level of security.

Conclusion

Detection and response technologies must be progressively integrated through identified tactics, techniques and procedures. The choice of XDR technology is made through a process of understanding the attack scenarios to be covered as a priority for the company. To do this, decision makers can rely on knowledge bases such as MITRE ATT&CK. However, this approach must be complemented by experts who have evaluated the actual capabilities of the XDR platform. If you would like to know more and receive integration advice, do not hesitate to contact the experts at Orange Cyberdefense. We do extensive real-world testing working with our SensePost team to separate the marketing claims from the actual reality. In addition, we also manage these platforms and unleash the power of our own Security Analysts and Threat Intelligence to recognize their raw potential and turn it into a set of Managed Detection and Response outcomes that can rapidly improve your cyber resilience.
