A extreme cyberattack leveraging TrickBot malware compromises an organization’s defenses, resulting in vital monetary losses. This was not as a consequence of a mere oversight, however somewhat a consequence of insufficient endpoint visibility. With efficient monitoring and real-time insights into endpoint exercise, the menace might have been detected and neutralized earlier than inflicting intensive injury. This underscores the crucial significance of complete endpoint telemetry.
What’s endpoint telemetry?
In cybersecurity, endpoint telemetry refers to information collected by monitoring actions on endpoint gadgets, corresponding to computer systems and servers. This information is essential for menace detection, incident response, and enhancing the general cybersecurity posture by providing enhanced visibility.
Essential position of endpoint telemetry
Visibility is essential to stopping complicated cyberattacks early within the kill chain. In case you can’t see it, you may’t cease it. On the subject of stopping an assault, it’s at all times higher to take action within the early levels of the assault chain.
In accordance with the MITRE ATT&CK framework, which is usually utilized by cybersecurity professionals, most enterprise-level assaults — corresponding to Turla, ToddyCat, and WizardSpider (TrickBot) — contain varied levels, generally known as ways, which attackers can use in numerous sequences to attain their targets.
The MITRE framework catalogs an inventory of strategies and sub-techniques that attackers use to hold out every of those ways on an endpoint. To detect malicious habits early within the assault chain, it’s important to observe the endpoint and report actions that resemble these generally used strategies. Capturing telemetry is subsequently important for figuring out these strategies and intercepting assaults at an early stage. Endpoint telemetry additionally serves as a vital information supply for XDR, enhancing its means to detect, analyze and reply to safety threats throughout a number of environments.
Minimizing false positives
One of many most important challenges in utilizing telemetry to detect threats is managing false positives. Attackers usually exploit Residing Off-the-Land (LOL) binaries — official instruments and utilities that include working techniques — to execute varied strategies or sub-techniques. For instance, the Lazarus Group, a extremely subtle and infamous state-sponsored hacking group, is understood to make use of Scheduled Duties or PowerShell through the Persistence or Execution levels of an assault. Lazarus steadily employs these strategies as a part of their broader Residing Off the Land (LOL) technique, which permits them to use official system instruments and binaries to mix in with common community exercise and keep away from detection by conventional safety options.
Since these actions mimic benign actions generally carried out in enterprises, detecting them incorrectly can result in a excessive fee of false positives. We might handle this problem is by correlating the occasions and telemetry triggered round that exercise or by utilizing an XDR (Prolonged Detection and Response) device, corresponding to Cisco XDR. Cisco XDR correlates telemetry from varied detection sources to generate high-fidelity incidents, enhancing the power to establish and cease complicated assaults whereas decreasing the chance of false positives.
Capturing telemetry utilizing Cisco Safe Endpoint
Cisco Safe Endpoint is an Endpoint Detection and Response (EDR) device that collects and information a variety of endpoint telemetry. It employs varied detection engines to research this telemetry, establish malicious habits and set off detection occasions. We repeatedly fine-tune the product to seize extra telemetry and detect occasions of various criticality throughout completely different levels of the MITRE ATT&CK framework. Moreover, occasions from Cisco Safe Endpoint are ingested into the Cisco XDR analytics engine and correlated with different information sources to generate high-fidelity incidents inside Cisco XDR.
Let’s discover the detection occasions captured by Cisco Safe Endpoint within the Occasions view, together with the telemetry recorded within the Gadget Trajectory view. We’ll concentrate on how Safe Endpoint supplies visibility into the early levels of an assault and its functionality to cease complicated threats earlier than they escalate.
Exploring detection occasions
All of the occasions used on this instance could be considered from Administration->Occasions web page of the Cisco Safe Endpoint console.
Execution Tactic and Detection
Execution ways characterize the strategies used to run attacker’s payload on a compromised endpoint to carry out some malicious actions.
Instance strategies embody:
- Encoded PowerShell — Utilizing obfuscated PowerShell instructions to execute code.
- Home windows Administration Instrumentation (WMI) — Leveraging WMI for executing instructions and scripts.
- Native APIs — Using built-in system APIs for code execution.
The screenshot under shows an occasion generated by the Behavioral Safety engine of Safe Endpoint, which detected a PowerShell command utilizing “Invoke-Expression” and triggered by “sdiagnhost.exe”.
Persistence Tactic and Detection
Persistence refers to ways that enable malicious payloads to stay on a compromised system and proceed their operations even after reboots or different system adjustments. These strategies allow the malware to keep up communication with a command-and-control server and obtain additional directions.
Instance strategies embody:
- Create or Modify System Course of — This system includes creating new companies or modifying present companies to execute malicious code at startup or at particular intervals.
- Registry Modifications — Altering registry entries to make sure malicious applications execute on system startup.
- Creating Scheduled Duties — Organising duties that run at specified occasions or intervals.
The screenshot under illustrates an occasion generated when a brand new service was created to run malware at startup.
Protection Evasion Tactic and Detection
Protection Evasion includes strategies utilized by attackers to cover their malicious payloads and keep away from detection by safety techniques. The purpose is to make it tough for safety instruments and analysts to establish and cease the assault.
Instance strategies embody:
- Course of Hollowing — It’s a approach the place a suspended course of is created, and a malicious code is injected into the handle house of that suspended course of.
- Impair Defenses — Modify sufferer’s setting and disable defenses, like turning off anti-virus, firewall or occasion logging mechanisms.
- Masquerading — Making malicious recordsdata or actions seem official to evade detection.
The screenshot under exhibits the Course of Hollowing approach captured by the Exploit Prevention engine through the Protection Evasion stage of the assault.
Discovery Tactic and Detection
Discovery refers back to the completely different strategies adversaries use to assemble details about the sufferer’s setting.
Instance strategies embody:
- Course of Discovery — Enumerating working processes to seek out worthwhile or susceptible targets.
- System Info Discovery — Amassing particulars concerning the working system, {hardware} and put in software program.
- System Community Configuration Discovery — Figuring out the community settings, interfaces and linked gadgets.
The screenshot under depicts the occasion Safe Endpoint generated on observing “tasklist.exe” utilization within the endpoint in a suspicious method, run by “rundll32.exe”, and mapping the habits to Course of Discovery approach.
Gadget trajectory telemetry
Cisco Safe Endpoint (CSE) captures two sorts of telemetry beneath Gadget Trajectory view: Exercise Telemetry and Behavioral Telemetry.
Exercise Telemetry
By filtering out undesirable information, this telemetry reduces noise and gives clear visibility into endpoint actions, together with processes, parent-child course of relationships, triggered occasions, recordsdata and community exercise, whether or not malicious or benign.
The screenshot under exhibits the Gadget Trajectory view within the Safe Endpoint console, with the Exercise Telemetry captured.
Behavioral Telemetry
This particular sort of telemetry is displayed within the Gadget Trajectory view after evaluation by the detection engine. It’s triggered when a malicious exercise is linked to an in any other case benign exercise, offering further context to assist distinguish between benign and malicious actions.
The screenshot under exhibits the Gadget Trajectory view within the Safe Endpoint console, highlighting Behavioral Telemetry recognized by the detection engine. On this instance, the rundll32.exe course of is related to suspicious community exercise.
The telemetry particulars captured by Safe Endpoint on this view present essential context across the noticed exercise, permitting safety groups to rapidly assess the scenario. This enriched data not solely aids in figuring out the character and intent of the exercise but additionally empowers groups to conduct extra thorough and efficient investigations. By providing a deeper understanding of potential threats, Safe Endpoint helps to streamline the menace detection course of, decreasing response occasions and enhancing general safety posture.
Conclusion
The exploration of Cisco Safe Endpoint’s detection occasions and telemetry highlights the ability of visibility in early assault detection. By monitoring and analyzing endpoint habits, organizations acquire worthwhile insights into potential threats, permitting them to detect and reply to assaults at their earliest levels. This enhanced visibility is essential to safeguarding crucial techniques and fortifying defenses towards evolving cyber threats.
References
We’d love to listen to what you assume. Ask a Query, Remark Beneath, and Keep Linked with Cisco Safety on social!
Cisco Safety Social Channels
Share: