Use Cases for XDR - Part 1: Phishing
By Trellix · February 17, 2022
This story was written by Deepak Seth.
The modern SOC continues to face unprecedented challenges, heightened by the COVID-19 pandemic. With many employees now able to work from anywhere and from any device, there is more pressure to deploy reliable technology that maintains efficiency, and to retain the cybersecurity professionals who safeguard the organization. The ever-evolving threat landscape produces new threats almost every day, making management that much more difficult. With businesses processing hundreds or even thousands of alerts every day, every alert (or at least every critical one) puts SOC teams under significant stress.
Many organizations believe they have chosen best-of-breed solutions. However, many are also finding, once these solutions are deployed, that operating them requires experts and involves manual, time-consuming, repetitive tasks, because the solutions are disconnected or not closely integrated.
Based on practical experience with several mid-to-large organizations, we designed several XDR use cases built around complex SOC operations, so that when a threat is detected, organizations can respond to it quickly and remediate as soon as possible. As your partner, we are sharing some of these use cases in case you find yourself facing similar challenges. They are built around very common (yet often missed) practical examples that every organization, big or small, may come across in its security journey.
Email phishing is one of the most common and easiest methods threat actors use to target victims. Most organizations instruct customers and employees to forward emails they are wary of to a dedicated mailbox, for example email@example.com, so that security analysts and the solutions in the security stack can process these messages. Each message can take about 30-45 minutes of analyst time to process. Assuming an organization receives about 100 potential phishing emails per week, it would take about 50 hours per week of analyst time to process these messages. That is the equivalent of about 1.25 full-time employees.
To mitigate this challenge and to ensure security analysts focus on the more difficult, or simply the right, tasks, this use case is designed to automatically perform the repetitive tasks that would otherwise require manual, time-consuming effort. Using automation where possible shifts analyst resources toward the more skilled and difficult work.
Trellix XDR can continuously monitor a specific mailbox for submitted phishing emails. It parses each email and looks for indicators of compromise (IOCs) such as URLs, domains, IP addresses, MD5 hashes, and more. Trellix XDR submits these IOCs to the local or third-party threat intelligence used by the organization. If the email contains a binary file, it also takes the MD5/SHA256 hash of that file and submits it for static and dynamic analysis, while querying the organization's directory for the user who submitted the email.
Let's assume the email being parsed in this example has a malicious attachment. At this point, proactively and without any human intervention, Trellix XDR has found 1) that there is a malicious attachment and 2) who received that attachment. The solution then searches all mailboxes for emails carrying the same attachment and automatically deletes them.
Having first acted proactively, Trellix XDR's response capabilities then automatically run an on-demand scan of all victim endpoints (discovered in the previous step by querying directory services): it first contains those endpoints (isolating them from the network) and then runs a separate scan in case the user has already opened the attachment on any device. Trellix XDR can also proactively request a triage package or memory image from infected endpoints for analyst review and learning. If it finds any malicious C&C IPs or URLs, it automatically creates an access control policy in the firewall so the malicious IOCs are blocked at the network level (the network response portion of XDR). In this instance, Trellix XDR would present the following actionable findings to the analyst:
- Username of the user who reported the phishing email
- Sender of the email (email address)
- IOCs such as URL, IP, MD5 hash, SHA hash, and domain name
- Actions taken, such as firewall policy created, endpoints scanned, triage package/memory image captured
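The parsing and triage steps described above can be illustrated end to end. The following Python script is an added example written for this article; it is not Trellix code and does not use any Trellix API. It assumes users forward the suspicious message as an attachment to the abuse mailbox (so the outer message identifies the reporter and the inner message/rfc822 part is the original email), and it stands in a constructed local dictionary for the organization's threat-intelligence lookups. The sample submission, the attachment bytes and the known-bad indicators are all constructed for the example. The script extracts the IOCs (URLs, domains, IPv4 addresses, attachment MD5/SHA256), matches them against the local intelligence, and returns the same kind of actionable findings listed above: reporter, sender, IOCs, and the response actions an orchestration layer would trigger.

```python
# Added example, not Trellix code: triage a user-submitted phishing report.
# Assumptions: the report is forwarded as an attachment (outer From = reporter,
# inner message/rfc822 = original email); KNOWN_BAD is a constructed stand-in
# for the organization's threat-intelligence platform.
import base64
import hashlib
import re
from email import message_from_bytes, policy
from urllib.parse import urlparse

# Constructed attachment bytes (not a real program).
SAMPLE_ATTACHMENT = b"constructed sample attachment, not a real program\n"

# Constructed submission as it would arrive in the monitored mailbox.
SAMPLE_SUBMISSION = b"".join([
    b"From: alice@example.com\r\n",
    b"To: phishing@example.com\r\n",
    b"Subject: FW: Overdue invoice\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="outer"\r\n\r\n',
    b"--outer\r\nContent-Type: text/plain\r\n\r\n",
    b"Forwarding a message I did not expect.\r\n",
    b"--outer\r\nContent-Type: message/rfc822\r\n\r\n",
    b"From: billing@bad-example.test\r\n",
    b"To: alice@example.com\r\n",
    b"Subject: Overdue invoice\r\n",
    b"MIME-Version: 1.0\r\n",
    b'Content-Type: multipart/mixed; boundary="inner"\r\n\r\n',
    b"--inner\r\nContent-Type: text/plain\r\n\r\n",
    b"Pay now at http://bad-example.test/pay or call the desk at 203.0.113.5\r\n",
    b'--inner\r\nContent-Type: application/octet-stream; name="invoice.exe"\r\n',
    b'Content-Disposition: attachment; filename="invoice.exe"\r\n',
    b"Content-Transfer-Encoding: base64\r\n\r\n",
    base64.b64encode(SAMPLE_ATTACHMENT) + b"\r\n",
    b"--inner--\r\n--outer--\r\n",
])

# Constructed local threat intelligence; the attachment hash is seeded from the
# sample so the example exercises the "known malicious attachment" path.
KNOWN_BAD = {
    "domains": {"bad-example.test"},
    "ips": {"203.0.113.5"},
    "sha256": {hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()},
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def split_submission(raw):
    """Return (reporter address, reported message) from the raw submission."""
    outer = message_from_bytes(raw, policy=policy.default)
    reporter = str(outer["From"])
    for part in outer.walk():
        if part.get_content_type() == "message/rfc822":
            return reporter, part.get_payload(0)  # the forwarded original
    return reporter, outer  # inline forward: treat the submission itself as reported


def extract_iocs(msg):
    """Collect URLs, domains, IPv4 addresses and attachment hashes from a message."""
    iocs = {"urls": set(), "domains": set(), "ips": set(), "md5": {}, "sha256": {}}
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "unnamed"
            iocs["md5"][name] = hashlib.md5(data).hexdigest()
            iocs["sha256"][name] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() == "text/plain":
            text = part.get_content()
            for url in URL_RE.findall(text):
                iocs["urls"].add(url)
                host = urlparse(url).hostname
                if host:
                    iocs["domains"].add(host)
            iocs["ips"].update(IPV4_RE.findall(text))
    return iocs


def triage(raw):
    """Produce the analyst-facing findings and the response actions to trigger."""
    reporter, reported = split_submission(raw)
    iocs = extract_iocs(reported)
    actions = []
    bad_hashes = set(iocs["sha256"].values()) & KNOWN_BAD["sha256"]
    if bad_hashes:
        actions.append("search all mailboxes for the attachment hash and purge copies")
        actions.append("contain recipient endpoints and run on-demand scan")
    elif iocs["sha256"]:
        actions.append("submit unknown attachment hashes for static/dynamic analysis")
    net_hits = (iocs["domains"] & KNOWN_BAD["domains"]) | (iocs["ips"] & KNOWN_BAD["ips"])
    if net_hits:
        actions.append("create firewall block policy for " + ", ".join(sorted(net_hits)))
    return {
        "reporter": reporter,
        "sender": str(reported["From"]),
        "recipients": str(reported["To"]),
        "iocs": {k: sorted(v) if isinstance(v, set) else v for k, v in iocs.items()},
        "verdict": "malicious" if (bad_hashes or net_hits) else "unknown",
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_SUBMISSION).items():
        print(f"{key}: {value}")
```

Everything that mutates the environment (mailbox purge, endpoint containment, firewall policy) is returned as an action string rather than executed, so the same function can be run in a dry-run mode and its decisions reviewed before an orchestration layer is allowed to act on them.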
Once an analyst has this information, they can conduct more advanced analysis, for example using a memory analysis solution such as Volatility/Rekall, to gain context and understanding they can act on in the future.
As this practical example shows, a true XDR solution has full integration across endpoint protection, endpoint detection and response, and email and network response. Trellix XDR gives an organization more visibility and helps to create effective response strategies, while ensuring analyst time is spent on the more challenging tasks and time-consuming repetitive tasks are handled automatically.
The above use case would provide the following outcomes to an organization:
- Automated threat detection and incident response workflows
- Simplified and accelerated security operations using insights, learnings, and adaptation
- Detection monitoring and hunting methodology
- Response preparation via XDR to improve efficiency and reduce TTR (time to remediation)
Look for our next blog, where we’ll outline additional XDR use cases to aid in automating threat detection and incident response workflows.