Combine XDR with Human Threat Hunters to Help Halt Cyber Attacks

Arkadiusz Warguta

The last several months have seen many organizations targeted in attacks that utilize on-premises versions of Microsoft Exchange Server and exploit what’s known as the ProxyLogon vulnerability.

In one recent incident, attackers moved laterally through the network and stole account credentials and compromised domain controllers, among other things.

“They found their way into the network through an exposed RDP (Remote Desktop Protocol) interface,” said Dan Schiappa, Sophos Chief Product Officer. “They used stolen credentials to log on to an RDP session, then used vulnerabilities to do credential dumps and moved around the environment. That’s a common chain of events for ransomware attackers to undertake these days.”

Typically, the bad actors’ objective is to find the most valuable data they can for extortion – and locate backups to compromise so they won’t be available after ransomware is deployed. Another consistent element, said Schiappa, is that the attackers often get in and do lots of damage before they are discovered.

“This type of attack is very difficult to follow. They start to use traditional IT tools on machines, and it looks legitimate. It’s very difficult for security to detect it.”

But this attack was stopped before ransomware was deployed. How? Because humans spotted one bit of anomalous behavior. According to Sophos researchers, what made it stand out was the attackers’ use of an unusual combination of commercial remote management tools not typically observed during the early phases of attacks, combined with their careful avoidance of the obvious techniques usually seen in this kind of exploit.

The victim recognized that something wasn’t right; in this instance, the launch of Cobalt Strike in memory was the tip-off. Recognizing the signs of an active attack through human threat detection was the key to stopping it.

“Having SecOps capability and having human threat hunters can help to uncover activity that is not super common,” said Schiappa.

Schiappa also noted that XDR technology can help organizations keep their eyes on these types of suspicious activities that other tools often can’t uncover. XDR goes beyond endpoint and server data alone to tap firewall, email, and other data sources in order to give threat hunters a complete picture.

“What’s great about XDR is you are looking at all of the architecture. Security tends to be a very focused effort,” he said. “The way I look at it is a security guard that is guarding one door. You won’t be able to see the other threats coming in if you are guarding just one door.”
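As an added illustration of the cross-source correlation Schiappa describes (example code written for this page, not Sophos’s or the article’s own), the detection below joins constructed firewall RDP logs with constructed endpoint process events and flags a host where an allowed external RDP session is followed by an unusual combination of remote management tools, the kind of chain that tipped off the victim above. Hostnames, addresses, the tool inventory and the one-hour window are all assumed placeholders.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not from the article) in the shape an XDR
# platform would collect from two sources: firewall allow logs and endpoint
# process starts. Hostnames, addresses and tool names are placeholders.
FIREWALL_EVENTS = [
    {"ts": "2021-04-01T02:10:00", "src": "203.0.113.7", "dst_host": "SRV-01", "dport": 3389, "action": "allow"},
    {"ts": "2021-04-01T09:00:00", "src": "10.0.0.5", "dst_host": "WS-22", "dport": 3389, "action": "allow"},
]
PROCESS_EVENTS = [
    {"ts": "2021-04-01T02:14:00", "host": "SRV-01", "image": "rmm_tool_a.exe"},
    {"ts": "2021-04-01T02:21:00", "host": "SRV-01", "image": "rmm_tool_b.exe"},
    {"ts": "2021-04-01T02:30:00", "host": "SRV-01", "image": "notepad.exe"},
    {"ts": "2021-04-01T09:05:00", "host": "WS-22", "image": "rmm_tool_a.exe"},
]
# Hypothetical inventory of commercial remote-management binaries that are
# legitimate on their own but not expected right after a fresh RDP session.
RMM_IMAGES = {"rmm_tool_a.exe", "rmm_tool_b.exe", "rmm_tool_c.exe"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(hours=1)


def is_external(ip: str) -> bool:
    """Simplified check: anything outside the RFC 1918 ranges is treated as external."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(firewall_events, process_events, rmm_images=RMM_IMAGES, window=WINDOW):
    """Flag hosts where an allowed inbound RDP session from an external address is
    followed within `window` by two or more distinct remote-management tools.
    Each event alone looks like ordinary IT activity; the cross-source chain does not."""
    alerts = []
    for fw in firewall_events:
        if fw["dport"] != 3389 or fw["action"] != "allow" or not is_external(fw["src"]):
            continue
        start = datetime.fromisoformat(fw["ts"])
        tools = {
            p["image"].lower()
            for p in process_events
            if p["host"] == fw["dst_host"]
            and p["image"].lower() in rmm_images
            and start <= datetime.fromisoformat(p["ts"]) <= start + window
        }
        if len(tools) >= 2:
            alerts.append({"host": fw["dst_host"], "src": fw["src"], "tools": sorted(tools)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(FIREWALL_EVENTS, PROCESS_EVENTS):
        print(f"ALERT {alert['host']}: external RDP from {alert['src']} then {alert['tools']}")
```

Neither source alone would fire here: the firewall only sees an allowed RDP connection and the endpoint only sees signed administrative tools, which is why a single-door view misses it.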

Learn more at


Copyright © 2021 IDG Communications, Inc.