Use Cases for XDR - Part 1: Phishing
By Trellix · February 17, 2022
This story was written by Deepak Seth.
The modern SOC continues to face unprecedented challenges, heightened by the COVID-19 pandemic. With many employees now able to work from anywhere and from any device, there is more pressure to deploy reliable technology that preserves efficiency, and to find the cybersecurity professionals needed to safeguard the organization. The ever-evolving threat landscape brings new threats almost every day, making management that much harder. With businesses processing hundreds or even thousands of alerts a day, every alert (at least every critical one) adds to the stress on the SOC team.
Many organizations believe they have chosen best-of-breed solutions. However, many also find, once these solutions are deployed, that operating them requires experts and a great deal of manual, time-consuming, repetitive work, because the solutions are disconnected or only loosely integrated.
Based on practical experience with several mid-to-large organizations, we designed several XDR use cases around complex SOC operations so that when a threat is detected, organizations can respond and remediate as quickly as possible. As your partner, we are sharing some of these use cases in case you face similar challenges. They are built around very common (yet often missed) practical scenarios that every organization, big or small, may encounter in its security journey.
Email phishing is one of the most common and easiest methods threat actors use to target victims. Most organizations instruct customers and employees to forward emails they are wary of to a dedicated mailbox, for example firstname.lastname@example.org, so that security analysts and the tools in the security stack can process them. Each message takes roughly 30-45 minutes of analyst time to process. Assuming an organization receives about 100 potential phishing emails per week, at 30 minutes each that is about 50 hours of analyst time per week, the equivalent of about 1.25 full-time employees.
To mitigate the above challenge and to ensure security analysts focus on more difficult, or the right tasks, this use case is designed to automatically perform repetitive tasks that would otherwise require a manual and time-consuming effort. Using automation where possible shifts analyst resources so they can manage more skilled and difficult tasks.
Trellix XDR can continuously monitor a specific mailbox for submitted phishing emails. It parses each email and looks for indicators of compromise (IOCs) such as URLs, domains, IP addresses, MD5 hashes and more, and submits these IOCs to the local or third-party threat intelligence used by the organization. If the email contains a binary attachment, it also computes the MD5 and SHA256 hashes of that file and submits it for static and dynamic analysis, while querying the organization's directory for the user who submitted the email. (In practice, SHA256 should be the hash used for matching; MD5 is not collision resistant and is only worth keeping for lookups against legacy feeds.)
Let us assume the email being parsed in this example has a malicious attachment. At this point, proactively and without any human intervention, Trellix XDR has established 1) that there is a malicious attachment and 2) who received it. The solution then searches all mailboxes for emails carrying the same attachment and automatically deletes those emails. Because a mailbox purge is disruptive and hard to undo, this step should be gated on a confirmed malicious verdict from the analysis stage rather than on reputation data alone.
Having acted proactively, Trellix XDR's response capabilities then run an on-demand scan of all victim endpoints (discovered in the previous step by querying directory services): it first contains those endpoints (isolating them from the network) and then runs a separate scan in case a user has already opened the attachment. Trellix XDR can also request a triage package or memory image from infected endpoints for analyst review and learning. If it finds any malicious C&C IPs or URLs, it automatically creates an access control policy in the firewall so the malicious IOCs are blocked at the network level (the network response portion of XDR). In this instance, Trellix XDR would present the following actionable findings to the analyst:
- Username that reported the phishing email
- Who was the email sender - email address?
- IOCs such as URL, IP, MD5, SHA Hash, domain name
- Action taken like firewall policy created, endpoints scanned, triage/memory image captured
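The parse-and-hunt part of the workflow described above (pulling the reported message out of the submission, extracting URL/domain/IP IOCs, hashing the attachment, and finding every other mailbox that holds the same attachment) as an added Python example. This is not Trellix code and does not use any Trellix API; it assumes reports arrive with the original message attached as message/rfc822, and the addresses, payload and mailbox contents are constructed for the example. The threat-intel lookup, sandbox submission and response actions (purge, isolation, firewall rule) are product integrations and are left out.

```python
"""Added example (not Trellix code): triage a user-reported phishing email.
Extracts the forwarded message, pulls IOCs, hashes attachments and hunts other
mailboxes for the same attachment; intel, sandbox and response steps are omitted."""
import hashlib
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def original_message(report: EmailMessage) -> EmailMessage:
    """Assumption: the reporter forwards the phish as a message/rfc822 attachment."""
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    raise ValueError("report carries no message/rfc822 attachment")

def hash_attachments(msg: EmailMessage) -> list:
    """MD5 and SHA-256 of each non-message attachment (MD5 only for legacy lookups)."""
    digests = []
    for part in msg.iter_attachments():
        if part.get_content_maintype() == "message":
            continue
        data = part.get_content()
        if isinstance(data, str):  # text/* attachments decode to str
            data = data.encode("utf-8")
        digests.append({"filename": part.get_filename(),
                        "md5": hashlib.md5(data).hexdigest(),
                        "sha256": hashlib.sha256(data).hexdigest()})
    return digests

def extract_iocs(msg: EmailMessage) -> dict:
    """URLs, domains and IPv4 addresses from the body, plus the sender's domain."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    hosts = {urlparse(u).hostname for u in urls} - {None}
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2]
    if sender_domain:
        hosts.add(sender_domain)
    ips = {h for h in hosts if IPV4_RE.fullmatch(h)} | set(IPV4_RE.findall(text))
    return {"urls": urls, "domains": sorted(hosts - ips), "ips": sorted(ips),
            "attachments": hash_attachments(msg)}

def find_recipients(mailboxes: dict, sha256: str) -> list:
    """Hunt step: owners of every mailbox holding a message with this attachment."""
    hits = []
    for owner, messages in mailboxes.items():
        for raw in messages:
            msg = message_from_bytes(raw, policy=policy.default)
            if any(a["sha256"] == sha256 for a in hash_attachments(msg)):
                hits.append(owner)
                break
    return sorted(hits)

def triage_report(raw_report: bytes, mailboxes: dict) -> dict:
    """Actionable findings for the analyst: reporter, sender, IOCs, affected users."""
    report = message_from_bytes(raw_report, policy=policy.default)
    phish = original_message(report)
    iocs = extract_iocs(phish)
    recipients = {r for a in iocs["attachments"]
                  for r in find_recipients(mailboxes, a["sha256"])}
    return {"reporter": parseaddr(str(report.get("From", "")))[1],
            "sender": parseaddr(str(phish.get("From", "")))[1],
            "iocs": iocs, "recipients": sorted(recipients)}

# Constructed sample data: addresses, payload and mailboxes are made up.
PAYLOAD = b"MZ\x90\x00 constructed stand-in for a malicious attachment"

def make_phish(to: str) -> EmailMessage:
    m = EmailMessage()
    m["From"] = "billing@invoice-portal.example"
    m["To"] = to
    m["Subject"] = "Overdue invoice"
    m.set_content("Pay at http://pay.invoice-portal.example/login\n"
                  "Support: http://203.0.113.10/help")
    m.add_attachment(PAYLOAD, maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m

def make_report(reporter: str, phish: EmailMessage) -> bytes:
    r = EmailMessage()
    r["From"] = reporter
    r.set_content("This looks suspicious.")
    r.add_attachment(phish)  # attached as message/rfc822
    return r.as_bytes()

MAILBOXES = {"alice@example.org": [make_phish("alice@example.org").as_bytes()],
             "bob@example.org": [make_phish("bob@example.org").as_bytes()],
             "carol@example.org": []}  # carol never received it
REPORT = make_report("alice@example.org", make_phish("alice@example.org"))
```

`triage_report(REPORT, MAILBOXES)` returns the four findings listed above in one dictionary: the reporter, the sender, the IOC set (with both hashes of the attachment) and the mailboxes that also hold the attachment, which is the input the purge and endpoint-isolation steps would act on. Hunting on SHA256 rather than filename is deliberate: the same payload is often sent under different names, and a filename match would miss those copies.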
Once an analyst has this information, they can conduct more advanced analysis, for example with a memory analysis tool such as Volatility or Rekall (the latter is no longer maintained), to gain context and understanding they can act on in the future.
As this practical example shows, a true XDR solution has full integration across endpoint protection, endpoint detection and response, and email and network response. Trellix XDR gives an organization more visibility and helps it build effective response strategies, while ensuring analyst time is spent on the more challenging tasks and the time-consuming, repetitive tasks are handled automatically.
The above use case would provide the following outcomes to an organization:
- Automated threat detection and incident response workflows
- Simplifying and accelerating security operations using insights, learnings, and adaptation
- Detection monitoring and hunting methodology
- Response preparation via XDR to improve efficiency and reduce TTR (time to remediation)
Look for our next blog, where we’ll outline additional XDR use cases to aid in automating threat detection and incident response workflows.