XDR Needs Network Data and Here’s Why

As we’ve discussed in previous blogs, XDR is a better way to detect attacks within a network since it is able to coordinate and collaborate threat intelligence and data across multiple threat vectors, including endpoint (including mobile and IIoT), server, network, messaging, web, and cloud. In this blog I want to discuss an area of the attack sequence that can help organizations identify an attack, and that is the lateral movement.

Malicious actors, once in an organization’s network, will need to move beyond their initial infection location to other parts of the network, seeking out areas that hold the data or critical systems they wish to utilize. Whether that is the data center, an OT network, or finding critical business systems to support their criminal or destructive intent. There are a number of ways lateral movement is performed, but the key is to hide and remove evidence of their presence.

Initially they will look to scan the internal network using similar scanning tools used by admins to identify what systems are available to them. Hacking tools and keyloggers will be used to steal user accounts and passwords to obtain legitimate user credentials within systems. More tools will typically be downloaded using the command & control infrastructure to help with their attack. After obtaining more powerful user accounts, the attacker can laterally move to other systems and use “normal” tools to perform other activities. These activities may be difficult to identify for defenders due to the use of these things like:

  1. PSEXEC to execute a program from remote system
  2. Schedule a remote task to execute back door or malicious code
  3. RDP or net use to connect to other hosts
  4. Leverage WMI for fileless intrusion
  5. Execute Powershell script for fileless intrusion
  6. Utilize exploits targeting unpatched systems for known vulnerabilities
  7. Execute normal tool like Bitlocker, to encrypt customer data like ransomware did. But normal tools will not detect by antivirus system.

This is where adding network intelligence to an XDR and correlating with other intelligence from different areas of the network can be most beneficial. An XDR that supports advanced detection capabilities can identify correlate data across areas to identify events that would otherwise go unnoticed.

Additionally, in many attacks the malicious actors are removing their tracks once finished with that area, so having the ability to capture and keep intelligence can help with root cause analysis and correlate the different disparate components of an attack. This correlation allows an organization to put the pieces of the attack puzzle together to see the full picture.

Some recent RYUK ransomware attacks are a good example. In these attacks, attackers utilized the Eternal Blue exploit and harvested credentials as they moved across the environment, and then used existing system tools to kill security services within machines to hide their presence. In both cases the intelligence coming from endpoints, servers, and the network allowed researchers to identify the attack chain and all the components used within the attack.

Most attacks today, including ransomware, are utilizing lateral movement. Including detection of this as part of an overall XDR platform will improve the prevention, detection, and remediation of sophisticated attacks on an organization.

Stay tuned for more upcoming blogs on how XDR will help improve our overall security strategy moving forward.

Read More HERE