Because the bad guys never sit still, your threat-hunting system can’t afford to either. Managed XDR (Extended Detection and Response) service delivers the latest advances in endpoint protection and threat-hunting to keep up with new attack vectors. Managed XDR provides multiple advantages over traditional security stacks made up of several loosely connected systems. In this blog, we’ll focus specifically on managed XDR’s ability to track suspicious activity and decide when it’s time to intervene and stop a potential threat. Using a combination of machine learning and XDR rules programmed by analysts, these systems correlate actions across all corners of your technology stack to recognize threats that may have slipped by unnoticed before.
To help you understand the threat-hunting capabilities, let’s look at a day in the life of a managed XDR system as if it were the world’s most secure airport.
In our scenario, John Doe drives to the airport to catch the same 10:07am flight he’s taken every Monday for the last month. At the airport, he checks into the flight via a kiosk, makes his way through the TSA security checkpoint and heads to his assigned gate.
That seems routine enough. But if John Doe were living within an XDR-supervised system, the situation would look more like the following. (Keep in mind that while our airport example involving humans plays out over a couple of hours, this sequence may happen almost instantly in a managed XDR setting.)
An Unusual Access Point
Because our airport features highly enhanced security, anyone entering the property must pass through a manned checkpoint. At the guard shack, Agent Chuck Norris greets John Doe and asks to see his ID. Chuck recognizes John from his visits every Monday and notes that he’s arriving at his usual time. But Chuck notices some changes. John is entering via the west gate instead of the north gate that he typically uses, and he has a passenger with him. (Because our agent is Chuck Norris, he personally mans every gate every day.)
XDR parallel: XDR monitors every aspect of your technology stack and recognizes John as a known system user. But it notes that his pattern has changed. He’s trying to log in from a different web browser and IP address. Is John working somewhere else today, or is this a hacker who stole John’s credentials trying to log in from their location? Since the login info is correct and the login time matches John’s typical pattern of starting work each day, XDR lets him proceed.
Chuck finds something else sketchy. He knows that John took a different route from his house to the airport today. (Chuck gets a lot of intel.) But with a quick check of traffic reports, Chuck sees that there is road construction on the interstate. That would explain John’s atypical route to the airport.
XDR parallel: The system’s job is to stop threats while avoiding false positives. If a quick check can explain why a user may be entering through an unusual server, the system will allow them to proceed. But John’s activities have triggered enough rules for anomalous behavior that his session has moved to a higher alert level. XDR is now watching him more closely.
What About that Failed Login?
John makes his way through the main airport terminal to a kiosk, where he checks into his flight. His ID and flight reservation check out. A camera in the kiosk snaps a picture of his face, and his name and photo are instantly compared to every known no-fly list in the world. He comes back clear. He receives a boarding pass and heads to the security screening line.
XDR parallel: XDR systems are constantly improving their rules based on global threat analysis information. For example, Microsoft (Pratum’s XDR platform of choice) analyzed 31,700 indicators per second in 2020 and uses all of that information to constantly screen for emerging threats. If an attack happened on the other side of the globe last week, Microsoft’s XDR platform has probably taken note and learned to watch out for that technique.
At the entrance to the TSA screening area, John runs into—who else?—Chuck Norris. Chuck reviews John’s boarding pass and notices that John is entering the regular screening line, even though he has TSA Precheck. Anybody can mistakenly get into the wrong line. But Chuck knows that A) John flies every single week and B) Anybody with PreCheck takes advantage of it every time. Chuck points John to the proper line but makes another mental note. John hasn’t tried anything dangerous, but he’s not quite acting normal.
XDR parallel: Getting into the wrong line equates to a failed login attempt. XDR knows we all mistype passwords, but it looks at how many failed attempts were made—and how quickly. In John’s case, enough low-level indicators of anomalous events are adding up to the fact that he increasingly looks like a real potential threat. Without XDR, your security stack may not be coordinating all those seemingly disconnected events into an overall image of a suspicious actor. In many security stacks built on solutions from multiple vendors, the TSA agent, for example, wouldn’t know what the guard shack saw. But just like Chuck is everywhere in this airport, XDR sees everything happening in your system.
This Looks Like A High Risk
John successfully passes through the check of his ID and boarding pass. At the podium, Chuck confirms that John has Precheck on his boarding pass and allows him to proceed to that screening area.
XDR parallel: Precheck is the equivalent of a known user coming from a known IP address or trusted device. Because the system recognizes John’s identity and device, they get less scrutiny than other logins. In TSA terms, he can leave his shoes on during screening.
As John exits the screening area, Chuck remembers something from earlier today. A local cop—OK, that was actually Chuck, too—pulled John over for speeding on the way to the airport. Chuck had given John only a warning, but Chuck noticed at the time that John seemed very nervous during the conversation. Chuck decides he won’t let John out of his sight until John is on his plane and headed away from Chuck’s airport.
XDR parallel: It’s all adding up to the fact that John is acting strangely—and may not even really be the John Doe he’s claiming to be. His activities are now considered high-risk.
Time to Stop the Threat
At the TSA checkpoint, Chuck is running the X-ray (Does this guy ever take a coffee break?). He spots a suspicious object in a bag ahead of John’s. Chuck inspects the bag and finds a pocketknife. If Chuck were a rookie, he might tackle the guy, handcuff him and haul him away for this. But Chuck’s no rookie, and he knows that people forget pocketknives in bags all the time. That doesn’t make them terrorists. So Chuck confiscates the knife and sends the man on his way.
XDR parallel: Good XDR rules don’t overreact. Locking out a user or shutting down a system over such a small infraction causes significant inconvenience and business interruption for no good reason
John makes it through the X-ray screening with no red flags, but Chuck notices him walking toward a restricted area. John types a code into the door’s keypad, and it opens. Why would a passenger have the code to a door leading to the runway? Chuck decides that John is launching some kind of attack. Chuck runs toward John, wrestles him to the floor and slaps on the cuffs. John is neutralized as a threat. But Chuck recalls that when John went through the guard shack earlier today, he had a passenger in the car. Where is that person now? Chuck knows the other man has already checked in for a different flight leaving from Terminal A, so Chuck orders Terminal A locked down until he can find John’s accomplice.
XDR parallel: When enough anomalous activities add up, XDR shuts down the perceived threat. In this case, John had a valid access code, but nothing in his normal profile indicates that he SHOULD have that code. So XDR would declare him a threat and shut down his access before he can do any damage.
Just as Chuck knew about our suspect’s associate, XDR can scan for other entities, such as users and IPs, that are associated with the threat.
Chuck made the key decision to lock down only one terminal, not the entire airport. If XDR makes a habit of shutting down entire systems, productivity comes to a standstill. So managed XDR rules are designed to make good decisions and to confine quarantines to the minimum elements necessary.
As you can see, XDR provides powerful abilities to build awareness of an emerging threat and take action to stop it. Most of this happens only after Security Operations Center (SOC) analysts have customized the XDR tool to recognize the kinds of patterns shown here and prevent false negatives. For more information on how managed XDR could make your environment more secure and efficient, contact us today.