25.07.2022

Under the Hood.
Group-IB Managed XDR

What Group-IB’s new all-in-one solution offers: cybersecurity management, network event analysis, and stopping attacks at lightning speed

Industry experts have discussed the need to use multi-layered defense against cyberattacks for more than a dozen years. The idea behind the concept is to build several barriers using various security tools at different levels, including the perimeter, servers, endpoints, remote hosts, etc. Most organizations initially set up their arsenal with a standard toolset (antivirus software, an antispam system, a next-generation firewall (NGFW), an intrusion detection/prevention system (IDS/IPS), and a sandbox), but they soon realize that solutions from different vendors conflict with each other. To manage these solutions and detect threats more efficiently, a Security Information and Event Management (SIEM) solution is required. This product category is designed to manage security events gathered across various sources. You’d think that it fits the task perfectly…

Three belated observations from a security expert who wanted to build a multi-layered defense system but did it just like everyone else

The first insight from our cybersecurity expert is: SIEM does not help detect sophisticated targeted modern attacks involving low-profile tactics and tools, regardless of the correlation rules written for this purpose. The problem can be solved using Endpoint Detection and Response (EDR) solutions, which collect telemetry data from hosts and provide greater correlation and threat hunting capabilities. Yet no matter how many security events SIEM systems aggregate from across the infrastructure, many cyber threats continue to fly under the radar.

The second insight is: all siloed solutions that have already been implemented must work together cohesively. A security expert’s main task is to set up as many defense layers as possible to protect against threat actors. This means not only that security events must be correlated across them, but also that each solution must communicate with neighboring defense systems. For example, if an antivirus system is triggered, the trigger must cause the EDR to react, the suspicious file must be sent to a sandbox for analysis, after which the sandbox must send the extracted indicators of compromise (IoCs) to NGFW, and so on. This is how our security expert — and the entire market — eventually began using Security Orchestration, Automation and Response (SOAR) solutions designed to combine all defense measures into a single system and automate incident response. It sounds promising, but no matter how deeply the solutions are integrated with each other, SIEM alert fatigue remains a serious issue that causes security teams to overlook real incidents.

The resulting third insight is that there is no need to send all events to SIEM because most notifications are useless in detecting threats. A new category of solutions has emerged as a result, and these solutions are designed to route and filter events in SIEM. This is how our security expert was drawn into a never-ending race to make the information security system more manageable, unified, and universal.

Eventually, Extended Detection and Response (XDR) systems entered the market. These systems were designed to make the life of cybersecurity teams easier. As a kind of “elite niche” in the cybersecurity market, XDR solutions are devoid of the shortcomings of all previously known approaches to creating multi-layered defense.

They help to:
  • Collect, correlate, and analyze data across various sources, giving security experts a powerful tool that continuously monitors all events within the network and on each device, as well as external events that can pose a threat;
  • Make incident response much faster, which minimizes damage and quickly stops adversaries;
  • Detect the widest possible range of threats, from phishing to sophisticated targeted attacks, in a fully automated manner;
  • Hunt for threats using EDR telemetry from hosts, network traffic, and email, all from a single Security Data Lake;
  • Provide 360-degree visibility and manageability across all security solutions in order to get the most out of each of them;
  • Conduct in-depth investigations into incidents from patient zero (the first infected device on the network) to any further attack propagation, which helps control all potential infection vectors in the infrastructure.

Simply put, XDR is a new category of solutions designed for advanced detection, response and threat prevention. XDR solutions collect only essential data, in a balanced and high-quality manner. They analyze signals across all security solutions, thereby giving security teams full control over the assets entrusted to them.

The solutions in this category fall under two types:

  1. Solutions that collect only essential data across security systems for the purpose of more effective threat detection and advanced analytics when analyzing alerts or individual events.
  2. Solutions that complement each other without affecting any existing solutions, all the while eliminating all the shortcomings described in the above introduction, namely conflicts between solutions, lack of management, alert fatigue, and difficult-to-detect threats.

The fact that XDR solutions have become the answer to the most painful challenges faced by security teams became clear just after this technologically advanced and “smart” solution for protecting companies worldwide emerged. Now that you know what an XDR solution is and how and why it should be used, let's talk about what you need to pay attention to when choosing one.

We have prepared this blog post to share with you why we decided to develop our own XDR, what lies “under the hood” of the system, and how this superweapon can be used above and beyond protecting companies or their clients. XDR helps analyze adversary activity, learn how to hunt for threats, and contribute to the fight against cybercrime — a mission worthy of a superhero. Let's go.

Group-IB Managed XDR: a solution for advanced security specialists

Managed XDR is part of Group-IB Unified Risk Platform, a platform that combines a number of solutions and services designed to protect against cyber risks associated with targeted attacks, data leaks, fraud, phishing, and brand abuse. It is difficult to surprise a sophisticated customer, but the Unified Risk Platform is a unique and unparalleled development that multiplies the level of cyber security and protects businesses from the widest possible range of cyber threats. Managed XDR helps companies respond to threats 20% faster. At the same time, it provides a return on investment of over 272% (source: study by Forrester).

Let’s start with the most straightforward aspect: deployment. Managed XDR (MXDR) can be implemented on-premises (when the entire system is deployed within the client’s perimeter) or as a cloud solution. In the latter case, the cloud is located in the client’s country or region in compliance with local legislation.

XDR by Group-IB includes the following components:

  • Endpoint Detection & Response (EDR)
  • Network Traffic Analysis (NTA)
  • Malware Detonation Platform (MDP)
  • Business Email Protection (BEP)
  • Threat Intelligence (TI)
  • Managed Services (MS)

All these components already work together as a consolidated solution. There is no need to integrate them or to write playbooks and event correlation rules.

Clients often use solutions (EDR, sandbox, etc.) from several different vendors. What should be done in such cases? Easy: in order to save customers from having to integrate all these solutions, Group-IB has solved two key challenges:

  1. We have made all our modules compatible and complementary. They augment each other and work with existing solutions. This means that Group-IB’s system does not conflict with other defense elements. More specifically, Group-IB’s EDR does not conflict with solutions by other vendors, but instead collects and uses their data. This equips the client with multi-layered defense and the best value from each solution involved.
  2. Clients do not need to pay separately for EDR or NTA. After an XDR license is purchased, the EDR and NTA modules work in connector mode, which is included in the total price for the solution.

Let’s consider how MXDR works in terms of detection, prevention, and response. The key benefit is that there is no need to consider how each module works separately. XDR operates at full power only when everything works together as a whole because all the modules are interconnected. Such synergy is achieved through implemented playbooks that describe the native interaction of each component.

Let's look at some real-life use cases.

Use case 1: Synergy

1) NTA has detected a threat in network traffic. The problem is that when analyzing traffic, the system identifies only source and destination IP addresses. The next important step is therefore to automatically search for the endpoint from which malicious traffic is coming, identify the process associated with this network connection, and restore the timeline prior to this connection in order to determine the source of the infection. Automation is achieved through the synergy of the XDR components given that traffic and activity data from the hosts are already in a single Security Data Lake.
2) As the process and event timeline are already known after the previous step, all suspicious files should be automatically sent to the Malware Detonation Platform for a more detailed analysis. The main task is not just to confirm whether the files are malicious, but also to extract file and network indicators. As such, it is important that the files are executed properly in the Malware Detonation Platform.
3) The analysis in the Malware Detonation Platform makes it possible to identify malicious file and network indicators. Achieving such accuracy directly on the host is much more difficult due to other activities of legitimate users and applications, which create a great deal of noise. Malware Detonation Platform solves this problem. File indicators are immediately added to the EDR database in order to check all hosts, and network indicators are converted into detection rules in network traffic. This approach has improved protection on both hosts and at the network level.
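
The pivot in steps 1 and 2, from a network alert that carries only addresses to the responsible process, its parent chain, and the files to send for detonation, can be sketched as follows. This is an added example, not Group-IB code; the record schema, host names, and sample events are constructed for illustration.

```python
from datetime import datetime, timedelta

T = datetime.fromisoformat

def ev(ts, host, kind, pid, **fields):
    """Build one constructed host-telemetry record (hypothetical schema)."""
    return {"ts": T(ts), "host": host, "type": kind, "pid": pid, **fields}

# Constructed NTA alert: the network sensor sees only addresses and ports.
ALERT = {"ts": T("2022-07-20T10:15:30"), "src_ip": "10.0.5.23", "src_port": 49812,
         "dst_ip": "203.0.113.50", "dst_port": 443}

# Constructed host events as they might sit next to the alert in one data lake.
EVENTS = [
    ev("2022-07-20T08:00:00", "ws-023", "process_start", 900, ppid=4, image="explorer.exe"),
    ev("2022-07-20T10:14:02", "ws-023", "process_start", 3100, ppid=900, image="winword.exe"),
    ev("2022-07-20T10:14:40", "ws-023", "file_create", 3100,
       path=r"C:\Users\a\AppData\Local\Temp\upd.exe"),
    ev("2022-07-20T10:14:45", "ws-023", "process_start", 4120, ppid=3100, image="upd.exe"),
    ev("2022-07-20T10:15:29", "ws-023", "net_connect", 4120, ip="10.0.5.23",
       local_port=49812, dst_ip="203.0.113.50", dst_port=443),
    # Same address and port a day earlier on another host (DHCP reuse): must not match.
    ev("2022-07-19T10:15:29", "ws-077", "net_connect", 4120, ip="10.0.5.23",
       local_port=49812, dst_ip="203.0.113.50", dst_port=443),
]

def find_connection(alert, events, skew=timedelta(seconds=5)):
    """Return the host net_connect event matching the alert's flow, bounded in time."""
    hits = [e for e in events
            if e["type"] == "net_connect"
            and (e["ip"], e["local_port"]) == (alert["src_ip"], alert["src_port"])
            and (e["dst_ip"], e["dst_port"]) == (alert["dst_ip"], alert["dst_port"])
            and abs(e["ts"] - alert["ts"]) <= skew]
    return min(hits, key=lambda e: abs(e["ts"] - alert["ts"]), default=None)

def process_chain(events, host, pid, at):
    """Walk parent links upward. PIDs are reused, so take the latest start before `at`."""
    chain = []
    while True:
        starts = [e for e in events if e["type"] == "process_start"
                  and e["host"] == host and e["pid"] == pid and e["ts"] <= at]
        if not starts:
            return chain
        proc = max(starts, key=lambda e: e["ts"])
        if proc in chain:          # guard against a malformed parent loop
            return chain
        chain.append(proc)
        pid, at = proc["ppid"], proc["ts"]

def investigate(alert, events, lookback=timedelta(minutes=30)):
    """Alert -> host and process -> timeline before the connection -> files to detonate."""
    conn = find_connection(alert, events)
    if conn is None:
        return None  # no host telemetry for this flow (unmanaged device, NAT, clock drift)
    chain = process_chain(events, conn["host"], conn["pid"], conn["ts"])
    pids = {p["pid"] for p in chain}
    start = conn["ts"] - lookback
    timeline = sorted((e for e in events
                       if e["host"] == conn["host"] and e["pid"] in pids
                       and start <= e["ts"] <= conn["ts"]), key=lambda e: e["ts"])
    return {"host": conn["host"],
            "chain": [p["image"] for p in chain],
            "timeline": timeline,
            "to_detonate": [e["path"] for e in timeline if e["type"] == "file_create"]}

if __name__ == "__main__":
    result = investigate(ALERT, EVENTS)
    print(result["host"], " <- ".join(result["chain"]), result["to_detonate"])
```

The time bound in `find_connection` is what keeps an address reused by another machine from being blamed for the alert; without host telemetry for the flow, the function returns `None` rather than guessing.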

Use case 2: Complementarity

Let's imagine that an anti-virus or EDR solution from another vendor worked faster and detected a threat on the host. Our EDR solution already deployed on the host recognizes all information about the activity of anti-viruses and other agents. It views processes blocked by them as well as files that have been deleted or moved to quarantine.

This is a trigger to automatically restore the event timeline and show all details about the alert. The beauty of this approach is that it does not require additional integration or support for changing log formats or APIs. Most importantly, the client can still not only build a multi-layered defense, but also make it more sophisticated thanks to the communication described. The malicious file will also be sent to Malware Detonation Platform, and information about the file and other IoCs will automatically become known to all other hosts.

Use case 3: Threat intelligence

A major advantage of XDR by Group-IB is the built-in Threat Intelligence data. This data can be used in SIEM, but it gains an even greater power in XDR:

  • All network and file indicators are automatically delivered to NTA, EDR, and Malware Detonation Platform for threat detection. No additional integration or correlation logic is required.
  • When attributing threats to a malware family or specific threat actors, descriptions and timelines of the group’s attacks, all related indicators, information about vulnerabilities, and additional signatures become available in one click. You understand quickly and in detail who is attacking you and why.

  • Another important advantage of XDR is the ability to assess infrastructure for compromise. The system uses each security bulletin from Group-IB’s Threat Intelligence with indicators of compromise for automated verification. If a user wants to ensure that their infrastructure has not been affected by a threat, all they need to do is click on one button to search through all retrospective data.

Use case 4: "All clear!"

Security tools are often blind in cases when threat actors do not use malware or do not make particularly active movements such as network scanning or exfiltrating large amounts of data.

Imagine that an adversary uses the pass-the-hash technique (PtH) and creates a delayed task that will download something from the Internet after 12 hours. The computer is already compromised at this stage, but no malicious tools are in use yet. Detecting such simple and common techniques is difficult because they are hard to distinguish from legitimate user activity.

Group-IB’s MXDR not only detects such techniques being used both at the host and at the network level, but it also tracks every action taken by threat actors after they use PtH.

Security Data Lake and Threat Hunting

Security experts cannot delegate all their work to security solutions. They want to keep everything under control and be able to check the quality of their defense.

For such purposes, Group-IB XDR provides access to the Security Data Lake, which aggregates information about network and email traffic, and activity on hosts. At the same time, data from hosts includes information about each running process, created or modified file, registry entries, network activity, account manipulations, and more.

This offers the following important benefits:
  • It helps filter out redundant events and transfer the processed results to SIEM in the form of ready-made alerts.
  • It provides threat hunting capabilities and considerably speeds up incident investigations.

The concept of threat hunting is worth a separate article. Nevertheless, a single console for big data searches is an indispensable tool for any IT and Cyber Security specialist. Analysts can create any search queries, save them, and run them on schedule to check whether the situation changes and how. This helps set up a flexible logic for detecting threats and testing hypotheses.

Corporate cybersecurity teams are usually short on resources and tools. To significantly enhance their analytical, threat hunting, and research capabilities, two important tools have been built into our XDR: Group-IB Malware Detonation Platform and Group-IB Network Graph Analysis tool.

Malware Detonation Platform

Malware detonation is essential for analyzing suspicious files and links. In such cases, analysts can obtain remote access to the inside of the virtual machine in order to control the analysis process and perform additional actions. Security experts can control from which country the network traffic will originate and change other settings of the virtual machine image.

The main goal is to "detonate" malicious code: execute it and extract as many indicators of compromise as possible. This helps understand straight away what actions the malware is performing and use all the extracted indicators to detect threats automatically. An additional important advantage is attributing threats using Threat Intelligence.

Graph Network Analysis tool

First of all, let's admit it: the Graph is beautiful. Second, it's indispensable. Group-IB's patented Graph Network Analysis tool is an essential part of Threat Intelligence that gives visibility to the network infrastructure beyond the organization’s perimeter.

When investigating threats associated with an IP address or a domain, analysts resort to third-party tools to check whether the host is malicious. As a rule, an analyst's standard set includes services that provide information about the history of open ports, running services, and the history of domains associated with an IP address or domain registration data (e.g., WHOIS data by email). We have seen attempts to add such data to SIEM systems. Using this data within SIEM helps analyze threats, but interface limitations make the process extremely complicated.

Group-IB XDR offers two main benefits:

  1. The Graph automatically determines all relevant links using one IP address or domain and in one click visualizes what the connected infrastructure looks like. As a result, analysts save time on enriching the indicators manually and obtaining context for each.
  2. We provide all the necessary context in a single window: open ports, services, recognized software, related vulnerabilities, historical domain registration data, passive DNS, related malicious files, attribution to malware families, hacker aliases, and even mentions on hacker forums.

The entire context from point 2 is shown immediately for the entire infrastructure identified, which speeds up the analysis even more and makes the tool essential when using NTA.

Prevention and Response

Everything described above relates to threat detection and analysis. But it is important that threats be prevented before an incident occurs, which requires prevention and response capabilities.

When analyzing email traffic, Group-IB blocks emails that contain phishing content and malicious links or attachments. As a result of the complementary work of all modules and the enrichment between them, all malicious objects detected using EDR, Malware Detonation Platform, and Threat Intelligence indicators are blocked automatically.

On hosts, EDR supplements the local antivirus system and blocks malicious files and any related processes. This process also works in conjunction with the email analysis system, Malware Detonation Platform, and Threat Intelligence. In addition, users can manage lists of whitelisted applications to create a secure environment, which is often necessary on critical nodes such as SCADA systems and ATMs.

Yet the most noteworthy feature is the ability to respond to incidents automatically or, if needed, manually. The options of automated response (such as sending files to quarantine or Malware Detonation Platform, extracting indicators, passing them to each component, adding them to block lists) are described in the use cases above.

Cybersecurity teams can also independently launch certain additional features:

  • Forced termination of a process on any host where EDR is installed.
  • Remote response console that helps execute commands on the host for immediate response and remediation.

  • Collection of forensically important data from the host. This action is performed in a few clicks: make memory and BIOS/UEFI firmware dumps and obtain a list of active processes, network changes, significant registry keys, etc. for further offline analysis.
  • Isolation of the host from the network so that the threat actor is denied access and so that malware (such as worms) cannot spread further in the network.

Alert optimization and advanced analytics

One of the main problems that most cybersecurity teams face is a massive amount of alerts generated by defense mechanisms that must be checked manually. The more security systems are in place and the more threat detection rules are added, the more significant the problem becomes, with multiple alerts and false positives.

Group-IB responds to incidents at companies of all sizes - from SMB to Enterprise. Our Digital Forensics & Incident Response (DFIR) experts noticed that in most cases some of the security systems in place were triggered before the incident even occurred. But the notifications were either lost in the general mass of alerts or they were not taken seriously due to the lack of context that would explain what exactly the threat was.

An important problem that XDR solves is optimizing the number of alerts and providing relevant details instantly. There are several advantages that help achieve this:

  • Alerts from different security systems are no longer considered as separate events. If a threat is detected by multiple defense systems (such as EDR, NTA, Malware Detonation Platform, or Threat Intelligence), all these events are grouped into one incident. Even if the NDR system generates 100 alerts per day, they are still grouped into one alert, which means that analysts must examine significantly fewer events.
  • After being grouped, events are correlated and the results of this automatic analysis are visualized using a graph which shows the timeline of events and the objects (files, processes, network traffic) involved in the process. This also greatly simplifies and speeds up analysis and decision-making.
  • No matter how visual the graph is, however, and no matter how well the correlation is built, each trigger must be supported by evidence, which is why it is crucial that the system is interactive. When you select a process, file, or network indicator, all the necessary details must be shown immediately. Group-IB shows the whole context in the window on the right, where all the elements are interconnected. Analysts can sort out all the details in one window without manually analyzing raw logs, although this option remains available with the Security Data Lake described above.
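
The grouping described in the first bullet can be pictured as merging alerts that share an entity (host, file, address) into one incident. The sketch below is an added example using union-find, not Group-IB's correlation logic; sensor names follow the page, while alert fields and values are constructed.

```python
from collections import defaultdict

# Constructed alerts; "HASH_A" is a placeholder, not a real file hash.
ALERTS = [
    {"id": "edr-1", "sensor": "EDR", "entities": {"host:ws-023", "file:HASH_A"}},
    {"id": "mdp-1", "sensor": "MDP", "entities": {"file:HASH_A", "ip:203.0.113.50"}},
    {"id": "ti-1", "sensor": "TI", "entities": {"ip:203.0.113.50"}},
    {"id": "bep-1", "sensor": "BEP", "entities": {"host:ws-101", "url:http://example.test/login"}},
] + [
    # One hundred repeated network alerts for the same host and destination.
    {"id": f"nta-{i}", "sensor": "NTA", "entities": {"host:ws-023", "ip:203.0.113.50"}}
    for i in range(100)
]


def group_incidents(alerts):
    """Merge alerts that are linked, directly or transitively, by a shared entity."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups cheap
            x = parent[x]
        return x

    def keys(alert):
        # An alert without entities still becomes its own single-alert incident.
        return sorted(alert["entities"]) or ["alert:" + alert["id"]]

    for alert in alerts:
        first, *rest = keys(alert)
        find(first)
        for entity in rest:
            parent[find(entity)] = find(first)

    buckets = defaultdict(list)
    for alert in alerts:
        buckets[find(keys(alert)[0])].append(alert)

    incidents = [{
        "alert_ids": sorted(a["id"] for a in members),
        "sensors": sorted({a["sensor"] for a in members}),
        "entities": sorted(set().union(*(a["entities"] for a in members))),
        "alert_count": len(members),
    } for members in buckets.values()]
    return sorted(incidents, key=lambda inc: -inc["alert_count"])


if __name__ == "__main__":
    for inc in group_incidents(ALERTS):
        print(inc["alert_count"], inc["sensors"], inc["entities"])
```

Grouping on shared entities alone over-merges when an entity is common to unrelated activity, such as a proxy or DNS resolver address, so a practical correlator also bounds the grouping in time and excludes shared infrastructure.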

As part of our research, we compared how quickly an incident could be analyzed with logs as compared to when using our XDR. The result showed that Group-IB XDR makes it possible to conduct investigations ten times faster. Try it yourself by requesting a demo today.

Inventory

Events from hosts, traffic, and email pass through XDR. This provides visibility to all applications and devices, which is an important opportunity to create an inventory of what is on the network, which in turn is an integral process for ensuring that any organization is secure. Group-IB XDR provides several unique advantages at once:

  • Information about devices and applications comes from multiple sources (e.g., from hosts and from network traffic), which makes assets on the network more visible.
  • By using correlation, for each asset the user can obtain all the necessary information at once. For example, host analysis shows what applications are installed, who logged in and when, and what alerts were or are being analyzed at that moment.

Integration

No security solution can be isolated from others. The possibility for integration with other solutions is always needed. To do so, Group-IB uses both the standard approach and more sophisticated methods.

Common integration interfaces include Rest API, Syslog, CEF, and ICAP. There are standard integrations with popular SIEM systems and the option to customize them.

A more sophisticated method is installing our own EDR, NTA, and Malware Detonation Platform as an addition to existing solutions, thereby gaining access to the results of their work without any complex integration or additional control. More importantly, we lighten the alert load on SIEM systems and make it possible to send only important alert-related data to them.

We are almost there, thanks for reading until the end. Before we wrap up, we would like to share an important observation. By developing our solutions for analyzing and preventing cyber attacks, we want to provide cybersecurity experts with more than just a good defense. All superheroes (and we believe that Threat Intelligence, Threat Hunting, DFIR or CERT experts are undoubtedly superheroes) need a superweapon. These solutions are not magical artifacts. They are technologies that help effectively fight cybercrime and prevent cyber attacks even at their preparation stage. For a long time, Group-IB engineers have been working to ensure that Managed XDR and Unified Risk Platform as a whole eventually become such superweapons to be used in good hands — perhaps yours. Try it and research cyber threats with us.

Conclusion

To conclude, we would like to emphasize a few key points.

  • A security system is most effective when it works as a consolidated solution rather than separate components integrated through several intermediate systems.
  • The security system must be multi-layered and must not require complex integration. The easiest way to achieve this is to use complementary solutions that detect threats using their own technology and components from other vendors, such as AV and EDR. There is no need to pay for multi-layered protection multiple times but only once, as in the case with Group-IB’s solution.
  • Implementing XDR should not overload SIEM systems, but make all security systems more efficient and effective.
  • All the necessary playbooks are built into XDR, which means that the solution automates the interaction between different modules, correlates events, and automates response and investigation.
  • XDR includes analytics tools for screening internal events using Security Data Lake, Malware Detonation Platform with in-depth exploration and manual analysis management, as well as tools for analyzing external telemetry from Threat Intelligence data and a graph about external network nodes.
