XDR Design Clinic
A responder typically builds out a timeline when investigating.

Figure: investigation timeline. Phases: Pre-Exploitation (Probing, Failed Exploit Attempts), Exploitation (Initial Compromise, Privilege Escalation), Post-Exploitation (Lateral Movement, Data Exfiltration). Host identifiers tracked along the timeline: IP Address, MAC Address, GUID(s), Activity.
• Very few tier-3 investigators are skilled enough to build these timelines & keep them up.
• Requires a big investment in training on the custom playbooks
• Personnel turnover is very costly
Where today's tools fall short:
NGFW/IPS/IDS/WSA: encryption blinds inspection; too noisy; not actionable
EDR: limited coverage; too many alerts; not actionable
NDR: too many alerts
Email: phishing; BEC
IaaS: not enough visibility
Also called out: remote workers
© 2 0 2 3 C is c o a n d / o r its a ffilia te s . A ll r ig h ts r e s e r v e d . C is c o C o n fid e n tia l
Timeline from multiple sources: EDR

Figure: EDR-sourced timeline for endpoint Vic01 (random MAC address, DHCP-assigned IP, EDR installed). Vic01 executes Bazar; EDR then records credential theft (AD Find, Rubeus) and discovery commands (systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe); the chain ends on the domain controllers AD, AD2 and AD3 with Impact: Crypto (ryuk.exe starts encrypting). Source labels on the timeline: BYO EDR (third-party products named: SentinelOne, Cybereason, Darktrace), Native to Cisco XDR, Included w/ XDR.

4. EDR: First system (AD) was ransomed! How did this happen?
5. EDR: Endpoint Vic01 was sending out discovery commands previously; what else was seen for Vic01?
12. Bazar executable XYZ was downloaded by Kevin Smith
NVM & NetFlow as Sources

Figure: the same Vic01 timeline (random MAC address, DHCP-assigned IP, EDR installed; AD, AD3) with NVM and NetFlow records added.

7. NDR / DNS / Proxy: XYZ on Vic01 was communicating over encrypted TLS with a potentially risky site before the discovery commands
8. NDR: Vic01 does first lateral move to AD via RDP
9. NDR: AD establishes C2 channel
10. NDR: AD moves laterally to other AD servers via SMB
11. Vic01 had roamed & gotten a new IP address (so much more important than you know)
DNS (Umbrella) as a Source

Figure: full attack chain for Vic01 with DNS added. Email to Kevin Smith contains a link to appIe.com/xyz.exe (spelled out as a-p-p-i-e.com, a look-alike with a capital I in place of the l). Vic01 downloads xyz.exe and executes Bazar; credential theft; discovery commands (systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe); network connections ldap://ad:389 and smb tcp/445; Vic01 roams & gets a new IP; lateral movement to AD via rdp tcp/3389; AD to AD2 and AD3 via smb tcp/445; Impact: Crypto, ryuk.exe starts encrypting. Source for each step, in order: ETD, NDR, EDR, NDR, EDR, NDR, NDR, EDR, NVM.

13. Kevin Smith received an email with a look-alike domain in the URL & he clicked it to download that executable
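The three source slides above build one timeline for Vic01 out of EDR, NVM/NetFlow and DNS records, and step 11 flags that Vic01 got a new IP address mid-incident. The Python below is an added example, not Cisco XDR code, showing why that matters: EDR events carry a stable agent GUID, but NetFlow and DNS records only carry an IP, so each IP has to be resolved back to the host through the DHCP lease active at that moment. All lease, EDR, NetFlow and DNS records are constructed for the example; the GUIDs, addresses and `lease_holder`/`build_timeline` helpers are assumptions of this illustration.

```python
"""Per-host attack timeline from EDR, NetFlow/NVM and DNS records.

Added illustration, not Cisco XDR code. Every record below is constructed.
"""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed DHCP lease history: (lease start, ip, agent GUID). Vic01 roams
# at 10:30 and receives a new address; its old address is reused at 11:00.
DHCP_LEASES = [
    ("2023-05-01T08:00:00", "10.1.10.23", "guid-vic01"),
    ("2023-05-01T08:00:00", "10.1.20.5", "guid-ad"),
    ("2023-05-01T08:00:00", "10.1.20.6", "guid-ad2"),
    ("2023-05-01T10:30:00", "10.1.30.77", "guid-vic01"),
    ("2023-05-01T11:00:00", "10.1.10.23", "guid-other"),
]

# Constructed source records. EDR: (time, guid, detail).
EDR = [
    ("2023-05-01T09:10:00", "guid-vic01", "download xyz.exe"),
    ("2023-05-01T09:11:00", "guid-vic01", "exec xyz.exe (Bazar)"),
    ("2023-05-01T09:20:00", "guid-vic01", "exec whoami.exe"),
    ("2023-05-01T09:21:00", "guid-vic01", "exec nltest.exe"),
    ("2023-05-01T12:05:00", "guid-ad", "exec ryuk.exe"),
]
# NetFlow: (time, src ip, dst ip, dst port, bytes).
NETFLOW = [
    ("2023-05-01T09:12:00", "10.1.10.23", "203.0.113.9", 443, 40960),
    ("2023-05-01T10:45:00", "10.1.30.77", "10.1.20.5", 3389, 2_500_000),
    ("2023-05-01T11:05:00", "10.1.20.5", "198.51.100.4", 443, 9000),
    ("2023-05-01T11:40:00", "10.1.20.5", "10.1.20.6", 445, 800_000),
    ("2023-05-01T11:50:00", "10.1.10.23", "10.1.20.5", 389, 1200),
]
# DNS: (time, client ip, queried name).
DNS = [
    ("2023-05-01T09:09:30", "10.1.10.23", "a-p-p-i-e.com"),
]


def _lease_index():
    """ip -> [(lease start, guid), ...] in time order."""
    by_ip = defaultdict(list)
    for start, ip, guid in sorted(DHCP_LEASES):
        by_ip[ip].append((ts(start), guid))
    return by_ip


def lease_holder(ip, when, leases=None):
    """GUID holding `ip` at time `when`, or None if no lease covers it."""
    leases = leases if leases is not None else _lease_index()
    starts = [s for s, _ in leases.get(ip, [])]
    i = bisect_right(starts, ts(when))
    return leases[ip][i - 1][1] if i else None


def build_timeline():
    """All records re-keyed to host GUID and sorted by time."""
    leases = _lease_index()
    rows = []
    for t, guid, detail in EDR:
        rows.append((ts(t), guid, "EDR", detail))
    for t, src, dst, dport, nbytes in NETFLOW:
        guid = lease_holder(src, t, leases) or f"unknown:{src}"
        peer = lease_holder(dst, t, leases) or dst
        rows.append((ts(t), guid, "NDR", f"flow -> {peer} tcp/{dport} ({nbytes} B)"))
    for t, client, qname in DNS:
        guid = lease_holder(client, t, leases) or f"unknown:{client}"
        rows.append((ts(t), guid, "DNS", f"query {qname}"))
    return sorted(rows)


def host_timeline(guid):
    return [r for r in build_timeline() if r[1] == guid]


def naive_ip_timeline(ip):
    """Keying NetFlow on IP alone: Vic01's post-roam RDP session is missing
    from 10.1.10.23, and another host's LDAP query is wrongly attached."""
    return [(ts(t), src, dst, dport) for t, src, dst, dport, _ in NETFLOW if src == ip]


if __name__ == "__main__":
    for when, guid, source, detail in host_timeline("guid-vic01"):
        print(f"{when:%H:%M} {source:4} {detail}")
```

The join is on (ip, time), never on ip alone: the last lease started at or before the record's timestamp is the holder. A real deployment would take the leases from DHCP or NVM data rather than a static list, but the ordering logic is the same.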
Progressive Disclosure

Clicking the user in the graph would display the User Details "drawer" within the window.

How do we get incidents?
Methods of Incident Creation: Current Status

• XDR Analytics: individual and/or correlated alerts
• API: for workflows and custom integrations
• Cisco Secure Endpoint: Critical and High events automatically promoted (this will evolve in the next quarter)

Once an Incident is created it is enriched with data from supported integrations.
Correlation vs. Enrichment

Correlation (pre-incident creation): data from multiple security tools is analysed to arrive at a detection of maliciousness.
Enrichment (post-incident creation): a detection of maliciousness is further enhanced with data from integrated security tools.

Figure: pipeline. Data Source → Acquisition and Normalisation → Data Warehouse → Observation(s) ("We saw something(s)") → P(A|B) → Alert(s) ("We believe this is important") → Incident Created → Attack Chain.

What it takes to get an incident today:
* Cisco Secure Endpoint auto-promotes incidents today.
** Meraki NetFlow today is ingested into Cisco XDR; a significantly enhanced integration between XDR and Meraki is underway. Q2 plan is to move through new data and logic path for correlation with other data sets.
Observations to Alert

Data → Model P(A|B) → Alert
Observation(s): "We saw something(s)"
Alert: "We believe this is important"
A note about data science

There is a complex AI/ML data model behind the alerting engine.
Practical terms:
• Small labs are not ideal proof-of-concept scenarios
• Single test scenarios are not sufficient either
• You might not get alerts (incidents) for some data sources
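The Observations to Alert slide, the Methods of Incident Creation slide and the data-science note above describe two ways an incident comes to exist: direct promotion of Critical/High Secure Endpoint events, and a P(A|B) model that decides whether a set of observations is important enough to alert on. The Python below is an added toy of that second path, not Cisco XDR's analytics: a naive-Bayes combiner in log-odds with a direct-promotion shortcut in front of it. The likelihood ratios, prior, threshold, observation names and event sets are all constructed for the illustration; it exists to show concretely why a single test in a small lab, or a host with one source not onboarded, may never cross the line.

```python
"""Observations -> alert -> incident, as a toy of the P(A|B) step.

Added illustration, not Cisco XDR analytics. All numbers and records are
constructed. Two incident paths mirror the page: Critical/High EDR events
are promoted directly; everything else must accumulate enough correlated
evidence across sources to cross the threshold.
"""
import math

# Constructed likelihood ratios P(obs | compromised) / P(obs | clean):
# how much more often each observation type is seen on a compromised host.
LIKELIHOOD_RATIO = {
    "dns:lookalike_domain": 8.0,
    "edr:discovery_burst": 6.0,
    "ndr:rdp_to_dc": 5.0,
    "ndr:tls_to_risky_site": 3.0,
    "edr:new_executable": 1.5,
}
PRIOR = 0.01               # P(compromised) before any observation
INCIDENT_THRESHOLD = 0.90  # posterior needed to raise an incident


def posterior(observations, prior=PRIOR):
    """Naive-Bayes P(compromised | observations), combined in log-odds so
    evidence from independent sources simply adds. Observation types the
    model does not know carry no evidence (ratio 1.0)."""
    log_odds = math.log(prior / (1.0 - prior))
    for obs in set(observations):
        log_odds += math.log(LIKELIHOOD_RATIO.get(obs, 1.0))
    return 1.0 / (1.0 + math.exp(-log_odds))


def create_incident(host_events):
    """host_events: (source, kind, severity) tuples for one host.
    Returns (incident_created, path, score)."""
    # Path 1: direct promotion, like Secure Endpoint Critical/High events.
    for source, kind, severity in host_events:
        if source == "edr" and severity in ("critical", "high"):
            return True, f"auto-promoted {kind}", 1.0
    # Path 2: correlate observations from every source that reported.
    observations = [f"{s}:{k}" for s, k, _ in host_events]
    p = posterior(observations)
    return p >= INCIDENT_THRESHOLD, "correlated", round(p, 3)


# Constructed event sets for one host.
FULL_CHAIN = [
    ("dns", "lookalike_domain", "low"),
    ("edr", "new_executable", "low"),
    ("ndr", "tls_to_risky_site", "medium"),
    ("edr", "discovery_burst", "medium"),
    ("ndr", "rdp_to_dc", "medium"),
]
NO_DNS = [e for e in FULL_CHAIN if e[0] != "dns"]      # DNS not onboarded
ONE_TEST = [("edr", "discovery_burst", "medium")]       # single lab test
CRITICAL_EDR = [("edr", "ransomware_behaviour", "critical")]

if __name__ == "__main__":
    for name, events in [("full chain", FULL_CHAIN), ("no DNS source", NO_DNS),
                         ("single test", ONE_TEST), ("critical EDR", CRITICAL_EDR)]:
        print(f"{name:14} {create_incident(events)}")
```

With these constructed ratios the full chain lands at roughly 0.92 and raises an incident; drop the DNS source and the same host scores about 0.58, and a lone discovery burst scores about 0.06. The absolute numbers are arbitrary, but the shape is the point of the slide: the model needs breadth of observations across sources, so a single-scenario lab with one or two sources wired up is not a fair test of the alerting engine.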
Alerts Require (Specific) Data: Plan Accordingly

Familiarise yourself with the observations, data and history for specific alerts.
Reconstructing the attack timeline

Attack Chain: automation is essential.
Response is more than isolate, block or quarantine
• Response includes:
• Triage / Investigation / Identification
• Containment
• Eradication
• Recovery
• Lessons Learned
Response has its own processes…

Triage:
• Reviews events, initial correlations
• Close / Ignore false-positives
• Gather required data as requested
• Validate enrichment or conduct manual enrichment
• Deep knowledge of tools and data
• Assess against runbook processes
• Understands adversary actions
• Swivel chair correlates

Investigate + Respond:
• Reviewing triage data for false positives
• Investigate and validate scope of Informational, Functional and Recovery Impact
• Creates Detections
• Deep forensics, threat intelligence, malware understanding
• Creates Playbooks and Runbooks

Manage Incidents:
• Manages Major incidents / Breaches
• Ensures proper threat hunting and scoping

Escalation: Incident → Breach
XDR Response Value
Learn how to take use cases and turn them into playbooks by attending my
tech talk: “How to develop playbooks from a use case” this afternoon.
Review: the "should's" of any XDR
• Should work with your existing tools & not require a lift & shift to a single vendor.
• Should be able to extend the detections without having to store all telemetry & events in its own data store.
• Should enable the junior analyst to perform at a much more senior level.
• Should be able to respond quickly without additional configuration.
• Should be able to create gap integrations with XDR Automate.
• Should integrate & work with your SIEM investments without having to replace them.
Follow-up