Home » The Energy of Endpoint Telemetry in Cybersecurity

The Energy of Endpoint Telemetry in Cybersecurity

The Energy of Endpoint Telemetry in Cybersecurity


A extreme cyberattack leveraging TrickBot malware compromises an organization’s defenses, resulting in vital monetary losses. This was not on account of a mere oversight, however reasonably a consequence of insufficient endpoint visibility. With efficient monitoring and real-time insights into endpoint exercise, the risk might have been detected and neutralized earlier than inflicting in depth harm. This underscores the vital significance of complete endpoint telemetry.

What’s endpoint telemetry?

In cybersecurity, endpoint telemetry refers to knowledge collected by monitoring actions on endpoint gadgets, akin to computer systems and servers. This knowledge is essential for risk detection, incident response, and enhancing the general cybersecurity posture by providing enhanced visibility.

Essential function of endpoint telemetry

Visibility is essential to stopping advanced cyberattacks early within the kill chain. Should you can’t see it, you’ll be able to’t cease it. Relating to stopping an assault, it’s all the time higher to take action within the early levels of the assault chain.

In response to the MITRE ATT&CK framework, which is often utilized by cybersecurity professionals, most enterprise-level assaults — akin to Turla, ToddyCat, and WizardSpider (TrickBot) — contain numerous levels, often called techniques, which attackers can use in numerous sequences to attain their aims.

Example attack chain for an enterprise-level attack.

The MITRE framework catalogs a listing of strategies and sub-techniques that attackers use to hold out every of those techniques on an endpoint. To detect malicious habits early within the assault chain, it’s important to watch the endpoint and report actions that resemble these generally used strategies. Capturing telemetry is due to this fact important for figuring out these strategies and intercepting assaults at an early stage. Endpoint telemetry additionally serves as an important knowledge supply for XDR, enhancing its skill to detect, analyze and reply to safety threats throughout a number of environments.

Minimizing false positives

One of many important challenges in utilizing telemetry to detect threats is managing false positives. Attackers typically exploit Dwelling Off-the-Land (LOL) binaries — reliable instruments and utilities that include working techniques — to execute numerous strategies or sub-techniques. For instance, the Lazarus Group, a extremely subtle and infamous state-sponsored hacking group, is understood to make use of Scheduled Duties or PowerShell throughout the Persistence or Execution levels of an assault. Lazarus continuously employs these strategies as a part of their broader Dwelling Off the Land (LOL) technique, which permits them to take advantage of reliable system instruments and binaries to mix in with common community exercise and keep away from detection by conventional safety options.

Since these actions mimic benign actions generally carried out in enterprises, detecting them incorrectly can result in a excessive price of false positives. We might tackle this problem is by correlating the occasions and telemetry triggered round that exercise or through the use of an XDR (Prolonged Detection and Response) software, akin to Cisco XDR. Cisco XDR correlates telemetry from numerous detection sources to generate high-fidelity incidents, enhancing the power to determine and cease advanced assaults whereas decreasing the probability of false positives.

Capturing telemetry utilizing Cisco Safe Endpoint

Cisco Safe Endpoint is an Endpoint Detection and Response (EDR) software that collects and information a variety of endpoint telemetry. It employs numerous detection engines to research this telemetry, determine malicious habits and set off detection occasions. We constantly fine-tune the product to seize extra telemetry and detect occasions of various criticality throughout totally different levels of the MITRE ATT&CK framework. Moreover, occasions from Cisco Safe Endpoint are ingested into the Cisco XDR analytics engine and correlated with different knowledge sources to generate high-fidelity incidents inside Cisco XDR.

Let’s discover the detection occasions captured by Cisco Safe Endpoint within the Occasions view, together with the telemetry recorded within the Machine Trajectory view. We’ll give attention to how Safe Endpoint gives visibility into the early levels of an assault and its functionality to cease advanced threats earlier than they escalate.

Exploring detection occasions

All of the occasions used on this instance might be seen from Administration->Occasions web page of the Cisco Safe Endpoint console.

Execution Tactic and Detection

Execution techniques signify the strategies used to run attacker’s payload on a compromised endpoint to carry out some malicious actions.

Instance strategies embrace:

  • Encoded PowerShell — Utilizing obfuscated PowerShell instructions to execute code.
  • Home windows Administration Instrumentation (WMI) — Leveraging WMI for executing instructions and scripts.
  • Native APIs — Using built-in system APIs for code execution.

The screenshot beneath shows an occasion generated by the Behavioral Safety engine of Safe Endpoint, which detected a PowerShell command utilizing “Invoke-Expression” and triggered by “sdiagnhost.exe”.

An event generated by the behavioral protection engine of secure endpoint in response to a malicious PowerShell command.

Persistence Tactic and Detection

Persistence refers to techniques that permit malicious payloads to stay on a compromised system and proceed their operations even after reboots or different system adjustments. These strategies allow the malware to keep up communication with a command-and-control server and obtain additional directions.

Instance strategies embrace:

  • Create or Modify System Course of — This method entails creating new providers or modifying current providers to execute malicious code at startup or at particular intervals.
  • Registry Modifications — Altering registry entries to make sure malicious packages execute on system startup.
  • Creating Scheduled Duties — Organising duties that run at specified occasions or intervals.

The screenshot beneath illustrates an occasion generated when a brand new service was created to run malware at startup.

Screenshot of an event generated when a new service is created to run malware at startup.

Protection Evasion Tactic and Detection

Protection Evasion entails strategies utilized by attackers to cover their malicious payloads and keep away from detection by safety techniques. The objective is to make it tough for safety instruments and analysts to determine and cease the assault.

Instance strategies embrace:

  • Course of Hollowing — It’s a approach the place a suspended course of is created, and a malicious code is injected into the tackle area of that suspended course of.
  • Impair Defenses — Modify sufferer’s surroundings and disable defenses, like turning off anti-virus, firewall or occasion logging mechanisms.
  • Masquerading — Making malicious recordsdata or actions seem reliable to evade detection.

The screenshot beneath reveals the Course of Hollowing approach captured by the Exploit Prevention engine throughout the Protection Evasion stage of the assault.

Screenshot of an event showing the Process Hollowing technique

Discovery Tactic and Detection

Discovery refers back to the totally different strategies adversaries use to collect details about the sufferer’s surroundings.

Instance strategies embrace:

  • Course of Discovery — Enumerating working processes to search out useful or weak targets.
  • System Info Discovery — Gathering particulars concerning the working system, {hardware} and put in software program.
  • System Community Configuration Discovery — Figuring out the community settings, interfaces and linked gadgets.

The screenshot beneath depicts the occasion Safe Endpoint generated on observing “tasklist.exe” utilization within the endpoint in a suspicious method, run by “rundll32.exe”, and mapping the habits to Course of Discovery approach.

Screenshot of an event showing .exe usage in the endpoint behaving in a suspicious manner

Machine trajectory telemetry

Cisco Safe Endpoint (CSE) captures two kinds of telemetry underneath Machine Trajectory view: Exercise Telemetry and Behavioral Telemetry.

Exercise Telemetry

By filtering out undesirable knowledge, this telemetry reduces noise and provides clear visibility into endpoint actions, together with processes, parent-child course of relationships, triggered occasions, recordsdata and community exercise, whether or not malicious or benign.

The screenshot beneath reveals the Machine Trajectory view within the Safe Endpoint console, with the Exercise Telemetry captured.

Screenshot of the device trajectory view in the secure endpoint console, with the activity telemetry captured

Behavioral Telemetry

This particular kind of telemetry is displayed within the Machine Trajectory view after evaluation by the detection engine. It’s triggered when a malicious exercise is linked to an in any other case benign exercise, offering further context to assist distinguish between benign and malicious actions.

The screenshot beneath reveals the Machine Trajectory view within the Safe Endpoint console, highlighting Behavioral Telemetry recognized by the detection engine. On this instance, the rundll32.exe course of is related to suspicious community exercise.

Screenshot of the Device Trajectory view in the Secure endpoint console.

The telemetry particulars captured by Safe Endpoint on this view present essential context across the noticed exercise, permitting safety groups to rapidly assess the scenario. This enriched data not solely aids in figuring out the character and intent of the exercise but in addition empowers groups to conduct extra thorough and efficient investigations. By providing a deeper understanding of potential threats, Safe Endpoint helps to streamline the risk detection course of, decreasing response occasions and enhancing total safety posture.

Conclusion

The exploration of Cisco Safe Endpoint’s detection occasions and telemetry highlights the ability of visibility in early assault detection. By monitoring and analyzing endpoint habits, organizations achieve useful insights into potential threats, permitting them to detect and reply to assaults at their earliest levels. This enhanced visibility is vital to safeguarding vital techniques and fortifying defenses in opposition to evolving cyber threats.

References

We’d love to listen to what you suppose. Ask a Query, Remark Beneath, and Keep Linked with Cisco Safety on social!

Cisco Safety Social Channels

Instagram
Fb
Twitter
LinkedIn

Share:





Supply hyperlink

Tags:

Related Articles
We will be happy to hear your thoughts

Leave a reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Easyclickexpress.com

We aggregate the best deals from Amazon to ensure you have the best selection and lowest prices. Once you choose your desired selection you will be redirected to buy directly from their websites.

Product categories
Affiliate Disclosure

Affiliate Disclosure: As an Amazon Associate, we may earn commissions from qualifying purchases from Amazon.com. You can learn more about our editorial and affiliate policy.

Easy Click Express
Logo
Compare items
  • Total (0)
Compare
0
Shopping cart