Use Cases for XDR - Part 1: Phishing
By Deepak Seth · February 17, 2022
The modern SOC continues to face unprecedented challenges heightened by the COVID-19 pandemic. With many employees now having the option to work from anywhere and from any device, there is more pressure to deploy reliable technology that maintains efficiencies, as well as cybersecurity professionals to safeguard organizations. The ever-evolving, dynamic threat landscape sees new threats almost every day, making management that much more difficult for organizations. With businesses processing hundreds or even thousands of alerts every day, every alert (or at least every critical one) puts SOC teams under significant stress.
Many organizations believe they have chosen best-of-breed solutions. However, many are also finding, once these solutions are deployed, that operating them requires experts and manual, time-consuming, repetitive tasks, because the solutions are disconnected or not closely integrated.
Based on practical experience with several mid-to-large organizations, we designed several XDR use cases built around complex SOC operations so that when a threat is detected, organizations can quickly respond to it and remediate as soon as possible. As your partner, we’re sharing some of these use cases if you find yourself facing similar challenges. These use cases have been built around some of the very common (yet missed) practical examples that every organization (big or small) may come across in their security journey.
Email phishing is one of the most common and easiest methods used by threat actors to target victims. Most organizations instruct customers and employees to forward emails they are wary of to a dedicated mailbox, for example firstname.lastname@example.org, so that security analysts and the solutions in the security stack can process these messages. Each message can take about 30-45 minutes of analyst time to process. Assuming an organization receives about 100 potential phishing emails per week, it would take about 50 hours per week of analyst time to process these messages. That is the equivalent of about 1.25 full-time employees.
To mitigate the above challenge and to ensure security analysts focus on more difficult, or the right tasks, this use case is designed to automatically perform repetitive tasks that would otherwise require a manual and time-consuming effort. Using automation where possible shifts analyst resources so they can manage more skilled and difficult tasks.
Trellix XDR can continuously monitor a specific mailbox for submitted phishing emails. It parses each email and looks for indicators of compromise (IOCs) such as URLs, domains, IP addresses, MD5 hashes, and more. Trellix XDR submits these IOCs to the local or third-party threat intelligence used by the organization. If the email contains a binary file, it also takes the MD5/SHA256 hash of that file and submits the file for static and dynamic analysis, while querying the organization's directory for the user who submitted the email.
Let's assume the email being parsed in this example has a malicious attachment. So far, proactively and without any human intervention, Trellix XDR has found 1) that there is a malicious attachment and 2) who received that attachment. The solution then searches all emails that have the same attachment and automatically deletes those emails from mailboxes.
Having first acted proactively, Trellix XDR's response capabilities then automatically run an on-demand scan of all victim endpoints (discovered in the previous step by querying directory services): it first contains those endpoints (isolating them from the network) and then runs a separate scan in case the user has already opened the attachment on any device. Trellix XDR can also proactively request a triage package or memory image from infected endpoints for analyst review and learning. If it finds any malicious C&C IPs or URLs, it automatically creates an access control policy in the firewall so the malicious IOCs are blocked at the network level (the network response portion of XDR). In this instance, Trellix XDR would present the following actionable findings to the analyst:
- Username that reported the phishing email
- Sender email address
- IOCs such as URL, IP, MD5, SHA Hash, domain name
- Action taken like firewall policy created, endpoints scanned, triage/memory image captured
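The mailbox-to-findings pipeline described above, as an added Python example that is not Trellix code: it parses a constructed reported message, extracts URLs, domains, IPv4 addresses and attachment hashes, checks the attachment hash against a constructed verdict table that stands in for the sandbox and threat-intelligence results, finds other mailbox copies of the same attachment, and assembles the findings record listed above together with the planned actions. All mail addresses, hostnames, IPs, payload bytes and the verdict table are constructed sample values; nothing here talks to a real mailbox, sandbox, endpoint or firewall.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from urllib.parse import urlparse

# --- Constructed sample data (not real traffic, not Trellix code) ---------------
FAKE_PAYLOAD = b"MZ placeholder bytes standing in for a malicious attachment"


def build_message(sender, recipient, subject, body, attachment=None):
    """Build an RFC 5322 message as bytes; attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# The message a user forwarded to the phishing mailbox.
REPORTED = build_message(
    "billing@invoice-example.test", "alice@example.org", "Invoice overdue",
    "Review http://invoice-example.test/pay?id=7 or call 203.0.113.45 now.",
    ("invoice.exe", FAKE_PAYLOAD),
)
# A slice of the organisation's mailboxes keyed by owner; bob received the same attachment.
MAILBOX = {
    "bob@example.org": build_message(
        "billing@invoice-example.test", "bob@example.org", "Invoice overdue",
        "See attached.", ("invoice.exe", FAKE_PAYLOAD)),
    "carol@example.org": build_message(
        "hr@example.org", "carol@example.org", "Lunch", "Salad today?"),
}


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for the sandbox / threat-intelligence verdict on a file hash.
CONSTRUCTED_VERDICTS = {sha256_hex(FAKE_PAYLOAD): "malicious"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse(raw):
    return BytesParser(policy=policy.default).parsebytes(raw)


def extract_iocs(msg):
    """Pull URLs, domains, IPv4 addresses and attachment hashes out of one parsed message."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = sorted(set(URL_RE.findall(text)))
    domains = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    ips = sorted(set(IPV4_RE.findall(text)))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)  # base64-decoded attachment bytes
        attachments.append({
            "filename": part.get_filename(),
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": sha256_hex(data),
        })
    return {"sender": str(msg["From"]), "urls": urls, "domains": domains,
            "ips": ips, "attachments": attachments}


def mailboxes_with_attachment(mailbox, sha256):
    """Owners of every mailbox message carrying an attachment with this SHA-256."""
    return sorted(owner for owner, raw in mailbox.items()
                  if any(a["sha256"] == sha256
                         for a in extract_iocs(parse(raw))["attachments"]))


def triage(reporter, raw_reported, mailbox, verdicts):
    """Assemble the analyst-facing findings record plus the automated actions to take."""
    iocs = extract_iocs(parse(raw_reported))
    bad = [a for a in iocs["attachments"] if verdicts.get(a["sha256"]) == "malicious"]
    hits = set()
    for a in bad:
        hits.update(mailboxes_with_attachment(mailbox, a["sha256"]))
    victims = (hits | {reporter}) if bad else set()
    return {
        "reported_by": reporter,
        "sender": iocs["sender"],
        "iocs": {k: iocs[k] for k in ("urls", "domains", "ips", "attachments")},
        "actions": {
            "delete_from_mailboxes": sorted(hits),
            "isolate_and_scan_endpoints_of": sorted(victims),
            "firewall_block": sorted(set(iocs["domains"]) | set(iocs["ips"])),
        },
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage("alice@example.org", REPORTED, MAILBOX, CONSTRUCTED_VERDICTS), indent=2))
```

The record that `triage` returns carries exactly the four items in the list above (reporter, sender, IOCs, actions taken); in a real deployment the `actions` entries would be handed to the mail, endpoint and firewall integrations rather than returned as data. Note that when the verdict table has no "malicious" entry for the attachment hash, no mailbox deletions or endpoint isolations are scheduled, which is the behaviour you want for a benign report.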
Once an analyst has this information, they can conduct more advanced analysis, such as leveraging a memory analysis solution like Volatility/Rekall, to gain context and understanding they can act on in the future.
As we have seen in this practical example, a true XDR solution has full integration across endpoint protection, endpoint detection and response, and email and network response. Trellix XDR provides more visibility to an organization and helps to create effective response strategies, while ensuring analyst time is spent on more challenging tasks and time-consuming repetitive tasks are handled automatically.
The above use case would provide the following outcomes to an organization:
- Automated threat detection and incident response workflows
- Simplifying and accelerating security operations using insights, learnings, and adaptation
- Detection monitoring and hunting methodology
- Response preparation via XDR to improve efficiency and reduce TTR (time to remediation)
Look for our next blog, where we’ll outline additional XDR use cases to aid in automating threat detection and incident response workflows.