XDR – The Magic Word for Efficient Defence against Modern Cyber Attacks [Part 2]

Author
Estelle Ouhassi
Published
07. October 2024

In the dynamic environment of increasing cyber threats, extended detection and response (XDR) technology has proven to be indispensable. In the first part of this blog series, we reported on how XDR works as an AI-supported technology, provides 24/7 protection against attack vectors and actively supports your Security Operation Centre (SOC) from “detection” to “response”. In the second part, we examine how a modern security architecture makes a decisive difference. The real-life case study illustrates the benefits of a structured cyber defence journey with an XDR stack and points the way to a robust security strategy.

The rapid pace of technological change not only boosts economic development, but also offers new opportunities for cyber criminals. The number and complexity of cyber attacks are alarming. A security operations centre (SOC) finds itself faced with significant challenges, while companies are forced to keep pace with rapid developments. The behaviour-based XDR technology is the key to effective cyber defence – from prevention to recovery.

MDR/SOC dispositive: integrated solution approach for efficient cyber defence

In the context of cyber defence, the use of a comprehensive NIST Cybersecurity Framework 2.0 (MDR/SOC dispositive) is essential for the safeguarding of all essential security aspects. In other words, a balanced combination of identification, protection, detection, response and recovery forms the basis for effective cyber defence and protects against potential damage and business-relevant effects.

Figure 1: The NIST Cyber Security Framework 2.0, an MDR/SOC dispositive

Let’s take a detailed look at how the five components in this security framework are optimally interlinked.

1. Identify

The first step in any security framework is identification. This process includes:

  • Recognising the risks: identification of potentially at-risk assets such as systems and data. This requires an understanding of the existing IT infrastructure, business-critical applications and potential threats.
  • Mapping and prioritisation: identification of the most important vulnerabilities and prioritisation of protective measures based on the potential impact and probability of occurrence of threats.

2. Protect

After identifying the risks, we turn to the protective measures:

  • Implementation of security measures: development of a protection system through the introduction of security solutions such as firewalls, antivirus software and encryption.
  • Preventive measures: ensuring that all security precautions are taken to prevent attacks. This also includes the continuous updating and maintenance of security measures.

3. Detect

Detecting security incidents is crucial for early warning and rapid response:

  • Monitoring and surveillance: use of technologies such as XDR, which collect and analyse comprehensive network telemetry data and detect suspicious activity.
  • Alerting and reporting: implementation of systems that automatically raise the alarm as soon as a threat is detected. This enables an immediate forensic investigation and validation of potential security incidents.

4. Respond

Once suspicious activity has been detected, it is important to respond correctly:

  • Incident response: activation of an “incident response” team or CSIRT (computer security incident response team), which responds competently and efficiently to security incidents. This includes analysing, containing and eliminating the threat.
  • Coordination and communication: communication within the company and with other stakeholders to ensure that all necessary measures are implemented in a coordinated, swift and compliant manner.

5. Recover

Recovery is the final step after a security incident:

  • Recovery of the systems: once the incident has been contained, affected systems and data must be recovered. This often involves resetting to clean backups and removing all compromises.
  • Checking and initiating optimisation measures: after recovery, the incidents should be analysed and lessons learned in order to successfully fend off future attacks. This can include updating security protocols, optimising protective measures and training staff.

This integrated approach ensures that organisations are not only proactively protected against threats, but can also respond and recover quickly and effectively in the event of an attack.

A real attack on a service provider: analysis and response measures

Let’s now examine a concrete attack attempt on a service provider. This case illustrates the challenges and response strategies involved in complex cyber attacks. To this end, we take a detailed look at the architectural issues, the course of the attack and the response measures.

Initial situation and architectural issues

The incident analysed concerned a service provider whose infrastructure was monitored and protected with an XDR stack in our SOC 24/7. This company provides its customers with infrastructure-as-a-service, but without adequate monitoring. The architectural issue lay in the shared use of the Active Directory by the company and its customers. The shared responsibility thus led to increased risk exposure. After the report was received by the SOC, it quickly became clear that an intervention by the CSIRT would be necessary.

Initial attack and detection

Reconnaissance tour to prepare for the attack – day 1

On the first day, the attacker established access via a “Cobalt Strike”-based “command and control” infrastructure. This took place in an area of the infrastructure that was not monitored by the XDR system. The attacker reconnoitred the system to determine whether the company would be a worthwhile target and left the system empty handed – albeit only temporarily.

Figure 2: Preparatory activities and reconnaissance

Continuation and extension of the attack – day 9

Nine days after the initial access, the attacker returned to the compromised server to carry out further activities.

Before launching several attack attempts, the attacker first expanded their visibility into the network:

  • DC sync attack: the attacker attempted to impersonate an identity provider in order to gain access to user passwords. This was the one and only attempt.
  • Installation of vulnerable drivers: these drivers were intended to increase the attacker’s privileges and extend access – unsuccessfully thanks to XDR.
  • Attempt to install Cobalt Strike on the domain controller: this attempt was also detected and blocked by the XDR solution.

Figure 3: DC sync attack, attempts to install vulnerable drivers and Cobalt Strike

Response measures and recovery

Alerting and activation of incident response measures

The first alarm was triggered at 5:27 a.m. UTC and signalled the start of the response measures at the same time.

These measures included:

  • Triaging and validation: the alarm was validated by the SOC team, forwarded and passed on to the CSIRT.
  • Initiation of incident response: the incident response team investigated the incident and took measures to contain the threat.

Neutralisation and clean-up using artificial and human intelligence

The attacker was neutralised both automatically by the XDR stack and manually by the incident response team. The infrastructure was cleaned up to prevent further attacks. Even though the XDR technology had considerably slowed down the attack, complete neutralisation was only possible thanks to coordinated measures by the security team.

Figure 4: Triaging and validation

Overall, this incident shows that modern security architectures combined with well thought-out response processes are crucial for protecting against and dealing with cyber attacks.

Cyber defence journey: systematic cyber defence with XDR setting

The cyber defence journey describes the systematic process for building a robust and efficient cyber defence. 
Let’s take a closer look at the journey based on our four-stage “managed detect and response (MDR)” setting:

Figure 5: Cyber defence journey with an XDR stack

1. Initialisation

Initialisation opens the cyber defence journey and lays the foundation for the entire security architecture.

  • Prioritisation and planning: the first step is to define a clear set of priorities to identify the company’s most important security objectives and needs. This includes defining the key protective measures and the resources required for implementation.
  • Establishment of the SOC: as part of the “managed detect and response” setting, a security operations centre (SOC) is set up to ensure continuous monitoring and response to security incidents.

2. Realisation

During the realisation phase, the fundamental security components are implemented.

  • Agent rollout: in an initial step, agents are rolled out on the company’s systems. This step is crucial for the prevention- and detection-focused security architecture.
  • Transition to modern security solutions: companies that previously operated with classic antivirus systems are being converted to a modern EPP-EDR construct. This construct offers improved prevention and detection capabilities compared to traditional solutions.

3. Baselining

Baselining is important for creating a basis for continuous monitoring and improvement.

  • Integration of identity providers: the integration of all identity providers is essential in order to maintain visibility and control over privileged identities. These identities are often targeted by attackers as they are used for lateral movements within the network.
  • Creation of a baseline: the system and network activities are monitored and documented in order to create a normal operating picture. This baseline helps to identify unusual or suspicious activity.

4. Operations

In the operations phase, operational capability is ensured so that threats can be responded to 24/7.

  • Establishing operational capability: processes and tools are set up to respond to security incidents. This includes the implementation of continuous monitoring and a response strategy.
  • Expansion of visibility: network and system visibility is continuously expanded to create a comprehensive picture of the situation. Additional log sources such as firewalls are integrated if necessary. XDR agents collect comprehensive network telemetry data, including Layer 4 information (IP addresses, ports, protocols) and the context of who initiated the network communication.
  • Continuous improvement: new data sources and technologies are continuously integrated during operation in order to optimise the defence mechanisms. This may include the integration of additional firewalls or other security solutions, depending on the agent population and the organisation’s specific requirements.
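The baselining step and the Layer-4 telemetry with initiator context described above, as an added example that is not code from the original post or from the SOC it describes: a learning window of constructed telemetry records (host, initiating user and process, destination, port, protocol) is turned into a per-host baseline, and later records are flagged when they introduce a process/port combination or an initiating user that the baseline never saw. The record format, field names and sample values are all assumptions made for illustration.

```python
"""Baseline of XDR-style Layer-4 telemetry with initiator context.

Added example, not code from the original post or its SOC. The record
format, field names and all sample records are constructed for illustration.
"""
from collections import defaultdict

# Constructed telemetry records: host|user|process|dst_ip|dst_port|proto
# (the Layer-4 view plus the "who initiated it" context the text mentions).
BASELINE_WINDOW = [
    "ws01|alice|outlook.exe|10.0.0.5|443|tcp",
    "ws01|alice|chrome.exe|10.0.0.9|443|tcp",
    "ws01|alice|svchost.exe|10.0.0.10|389|tcp",
    "srv01|svc_backup|backup.exe|10.0.0.20|445|tcp",
]
OPERATIONS = [
    "ws01|alice|chrome.exe|10.0.0.9|443|tcp",         # seen in baseline: normal
    "ws01|alice|powershell.exe|10.0.0.10|389|tcp",    # new process talking LDAP
    "srv01|svc_backup|backup.exe|10.0.0.20|445|tcp",  # seen in baseline: normal
    "srv01|bob|rundll32.exe|10.0.0.10|135|tcp",       # new user and new process
]

def parse(record):
    host, user, proc, dst_ip, dst_port, proto = record.split("|")
    return {"host": host, "user": user, "proc": proc,
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}

def build_baseline(records):
    """Learn, per host, the (process, dst_port, proto) tuples and the users seen."""
    base = defaultdict(lambda: {"flows": set(), "users": set()})
    for r in map(parse, records):
        base[r["host"]]["flows"].add((r["proc"], r["dst_port"], r["proto"]))
        base[r["host"]]["users"].add(r["user"])
    return base

def find_deviations(baseline, records):
    """Return records whose flow tuple or initiating user is absent from the baseline."""
    hits = []
    for r in map(parse, records):
        known = baseline.get(r["host"], {"flows": set(), "users": set()})
        reasons = []
        if (r["proc"], r["dst_port"], r["proto"]) not in known["flows"]:
            reasons.append("new process/port combination")
        if r["user"] not in known["users"]:
            reasons.append("new initiating user on host")
        if reasons:
            hits.append((r["host"], r["user"], r["proc"], r["dst_port"], reasons))
    return hits

if __name__ == "__main__":
    for hit in find_deviations(build_baseline(BASELINE_WINDOW), OPERATIONS):
        print(hit)
```

A real deployment would age the baseline and weight deviations by asset criticality rather than treating every new tuple as an alert; the point here is that the initiator context is what makes a Layer-4 flow judgeable at all.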

By taking this structured approach to the cyber defence journey, a company can ensure that it has the necessary technologies and processes in place to effectively detect, prevent and respond to attacks.

We can advise you on setting up a highly efficient SOC compliant with ISO 27001:2022

The cyber defence journey shows clearly that a well thought-out and structured security strategy with effective solutions is essential for protection against increasingly complex cyber threats. But even the most sophisticated technology can only achieve its full effect in conjunction with the right expertise.

Our ISO 27001:2022-certified security experts not only support you in choosing the right XDR stack, but also work with you to develop a holistic security architecture that optimally strengthens your security operation centre (SOC) in the areas of detection, response and recovery.

Together we’ll ensure that your cyber defence meets the highest standards not only today, but also in the future.

Deepen your insight into the benefits of XDR systems

Our two-part blog series on “The Magic Word for Efficient Defence against Modern Cyber Attacks” gives you a complete 360-degree perspective:


Also for streaming: Ernesto Hartmann, Chief Cyber Defence Officer, and Sandro Bachmann, Senior Incident Responder, discussed how XDR can be used to effectively defend against cyber threats during an InfoGuard Security webcast. 

The recording of this webcast is available as a YouTube video. It's well worth listening to!


Caption: image generated with Midjourney
