Extended Detection and Response (XDR) for 2022 and beyond
It is easy enough to imagine that within a hundred years nation-states will no longer rely on traditional defense forces, an army, navy, and air force, in the way they do today. Instead, every state will equip and train its own standing force of cyber attackers, whose skills and aggression can be brought to bear against the state’s enemies entirely online.
The same technologies, skills, and experience will also serve the state for defense: against its enemies, but also against any party hoping to steal from or compromise an organization operating inside the nation’s borders.
This image of the future may seem far removed from today’s reality, but at the time of writing the Russian state is using cyber forces against opposition in Ukraine. Its attacks are directed at infrastructure, transport, and communications networks inside the territory.
There is a great deal of overlap between Russian state actors and the wider criminal hacking community, and a significant share of malware and ransomware attacks is allegedly carried out by individuals identifiable as Russian. Tactics, techniques, and procedures associated with state activity from that country are commonly found during forensic follow-ups to successful attacks.
A sprawl of poorly integrated security tools can, in itself, generate false positives and leave gaps through which attackers slip past otherwise well-maintained defenses. The recent merger of FireEye and McAfee Enterprise into the newly named Trellix means organizations can now draw on the experience, threat intelligence, and remediation techniques of one of the world’s largest cybersecurity platforms.
With multiple toolsets at hand, and with centralized control and oversight, extended detection and response (XDR) is the new approach to protecting a company and the individuals in it from the types of attack causing such havoc in Ukraine right now.
Part of any security function’s job is to gather intelligence on attackers’ techniques and use that knowledge to help the business address each common attack vector. Doing so extends detection coverage and removes the organization from the easy-pickings category so beloved of attackers.
Transportation, supply chain, and telecommunications companies are particularly exposed, and it is in these sectors that extended detection and response can be highly effective. Automated, intelligent systems that reach into the furthest corners of a large multinational’s extended network are essential: localized audits of potentially endangered systems are not sufficient, because modern malware moves laterally across networks. This is where extended detection is particularly valuable.
Companies of all sizes can learn exactly which techniques and methods bad actors use, whatever their provenance, whether merely criminal or state-sanctioned. That is the point expounded in detail by the Trellix Threat Labs Research Report [PDF] released in 2022. The tactics, techniques, and procedures (TTPs) in common use can be countered in the first instance by taking some critical steps, which the Report details as:
– being wary of shortened URLs (web links) arriving in emails (phishing attacks),
– monitoring for brute-force attacks targeting common usernames and passwords of Microsoft 365 accounts,
– enforcing multi-factor authentication,
– hardening public-facing systems,
– disabling unused ports, especially those for remote-access services such as Remote Desktop (RDP, TCP 3389) and VNC (Virtual Network Computing, TCP 5900),
– blocking tools such as wget and UltraVNC that have been seen in previous attacks.
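Two of the steps above, spotting shortened links in inbound mail and monitoring for brute-force and password-spray activity against Microsoft 365 sign-ins, are simple enough to show as detection logic. The example below is added here for illustration and is not code from the Trellix report or the Trellix XDR product. The sign-in records are constructed for the example; their field names (userPrincipalName, ipAddress, createdDateTime, status.errorCode) mirror the Azure AD sign-in log schema, and error code 50126 is Azure AD’s code for an invalid username or password. The thresholds, window size, and shortener domain list are assumptions to tune for your own environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Azure AD sign-in error code for "invalid username or password".
FAILED_PASSWORD = 50126

# Assumed list of link shorteners; extend with whatever your mail gateway sees.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def shortened_urls(text):
    """Return every URL in an email body whose host is a known link shortener."""
    hits = []
    for url in URL_RE.findall(text):
        host = (urlparse(url).hostname or "").lower()
        if host in SHORTENER_DOMAINS or any(host.endswith("." + d) for d in SHORTENER_DOMAINS):
            hits.append(url)
    return hits


def _rec(upn, ip, ts, code):
    # Constructed sign-in record in the shape of an Azure AD sign-in log entry.
    return {"userPrincipalName": upn, "ipAddress": ip,
            "createdDateTime": ts, "status": {"errorCode": code}}


# Constructed sample: one IP hammering a single admin account, one IP spraying
# one guess across many accounts, and one user who mistyped a password once.
SAMPLE_SIGNINS = (
    [_rec("admin@example.com", "203.0.113.10", f"2022-03-01T10:0{i}:00Z", FAILED_PASSWORD)
     for i in range(6)]
    + [_rec(f"user{i}@example.com", "198.51.100.7", f"2022-03-01T11:00:{i:02d}Z", FAILED_PASSWORD)
       for i in range(5)]
    + [_rec("alice@example.com", "192.0.2.5", "2022-03-01T12:00:00Z", FAILED_PASSWORD),
       _rec("alice@example.com", "192.0.2.5", "2022-03-01T12:00:30Z", 0)]
)


def detect_auth_attacks(records, window=timedelta(minutes=10), per_account=5, spray_accounts=4):
    """Flag source IPs whose failed sign-ins inside a sliding window look like
    brute force (many failures on one account) or password spraying (one or two
    failures each across many accounts). Thresholds are assumed, not from the report."""
    failures = defaultdict(list)  # ip -> [(timestamp, upn), ...]
    for r in records:
        if r["status"]["errorCode"] != FAILED_PASSWORD:
            continue
        t = datetime.strptime(r["createdDateTime"], "%Y-%m-%dT%H:%M:%SZ")
        failures[r["ipAddress"]].append((t, r["userPrincipalName"]))

    findings = {}  # (ip, kind, target) -> count, so repeated hits collapse into one finding
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until all events fit inside it.
            while events[end][0] - events[start][0] > window:
                start += 1
            counts = Counter(upn for _, upn in events[start:end + 1])
            for upn, n in counts.items():
                if n >= per_account:
                    findings[(ip, "brute_force", upn)] = n
            if len(counts) >= spray_accounts:
                findings[(ip, "password_spray", "*")] = len(counts)

    return [{"ip": ip, "kind": kind, "target": target, "count": n}
            for (ip, kind, target), n in sorted(findings.items())]


if __name__ == "__main__":
    for f in detect_auth_attacks(SAMPLE_SIGNINS):
        print(f)
    print(shortened_urls("Invoice: https://bit.ly/3abc and https://portal.example.com/login"))
```

The spray detector keys on the source IP because a single guess per account never trips a per-account lockout; in practice you would also group by user agent or ASN, since sprays are often spread across many addresses.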
At the recent Trellix Xpand 2022 virtual event, Sean Morton, VP of Strategy at the company, showed attendees the extended detection capabilities that the new company’s clients benefited from. He stated: “You’ll find that your most critical threats have been automatically correlated and prioritized across both your native trunk solutions and open third-party integrations. With the threats automatically prioritized, you can review and act on [those] top threat[s] immediately.”
Part of the USP (unique selling point) of XDR is that an accessible overview and deep forensic data analysis are not mutually exclusive. A simple top-down view need not obscure detail; it lets cybersecurity professionals drill down as needed to surface even the weakest signals that may be red-flagging malicious activity. Morton said: “The Trellix XDR platform, leveraging intelligence from a third-party partner such as Mandiant and the enrichment capabilities [of XDR] insights marks […] behavior as suspicious.”
With the challenges facing cybersecurity functions rising, and finding and training appropriately skilled staff becoming much harder, access to smart, well-informed tools of this kind is critical. The combination of machine learning and algorithmically derived flags adds to human intelligence and experience drawn from all over the world. Extended detection and response is a new approach to a new set of challenges for the cybersecurity team leader.