While organizational leaders and IT owners keep a watchful eye on emerging threats and trends from the previous year, much of their cybersecurity strategy will need to be founded on how well their businesses can respond to an attack. While the risk of cyberattacks is an undeniable reality, cyber preparedness can significantly differentiate successful businesses from those struggling to manage after a cyber event.

In particular, Chief Information Security Officers (CISOs) will be building plans to ensure a quick and effective return to normal operations in the face of attack. This post covers how to evaluate the business’s current cyber preparedness, how to plan for a cyberattack and what to do after an attack has occurred. It offers guidelines on the key elements CISOs and IT leaders will need to focus on as they bolster their defense strategies in light of the current threat landscape.

The Increasing Threat of Cyberattacks to Businesses

All sectors in the last few years have grappled with the threat of cyberattacks. Healthcare, education, government, and critical infrastructure are among those that have taken the hardest hits. Targeting underprepared or poorly-funded victims has become a lucrative business model for malicious threat groups and opportunistic actors.

Modern adversaries do not discriminate targets by size or sector; consequences from one attack can affect the organization and its vendors and providers. The last 12 months have seen little respite in the wave of ransomware attacks and data breaches even as the Biden-Harris Administration’s Executive Order on Improving the Nation’s Cybersecurity and official Shields Up campaign have raised awareness of the severity of the threats facing businesses.

From an insurance standpoint, the cost to remediate attacks has increased, spiking the price of cyber insurance premiums. Insurance carriers recognizing the risk from attack have subsequently adjusted their requirements for security.

In such an environment, it makes sense for businesses to prepare for the possibility of a compromise or cyber attack. An effective incident response plan that has been openly communicated and tailored to the needs of the business increases the organization’s chances of recovery and rapid return to normal operations.

Evaluating Cyber Preparedness | Is Your Business Ready?

Cyber preparedness ensures that enterprises have a plan in place to respond to imminent threats. For small to medium sized businesses (SMBs), properly implemented incident response and emergency management can mean the difference between recovery and insolvency. While cyber risk cannot be eliminated completely, enterprises can manage risk effectively with the right people, processes, and technology.

The first step to building a strong cyber incident response plan (IRP) is evaluating the organization’s level of preparedness.

People

• Response Team: Is it clear who the incident response team members are? Does the response team include: a technical lead, data analysts, communications/PR advisor, human resources specialist, etc.?
• Stakeholders: Are both internal and external stakeholders clearly identified? Are key contacts for third-parties, vendors, clients, and providers identified? Are all public-facing members of the Board and C-levels all well versed in addressing the media?
• Roles & Responsibilities: Does everyone in the organization understand their role in the IRP? Have all expectations been explained, trained, and documented?
• Communication Matrix: Is a communications plan in place and in an easily accessible format/location should networks go down? Does it include central points of contact for each team in the organization?

Process

• Policies: Do the incident response policies align with the organization’s overarching policies and compliance requirements? Have senior leadership reviewed, approved, and communicated to all employees?
• Continuous Improvement & Lessons Learned: After every practice, drill, or actual incident, are takeaways and feedback documented and stored in an easily accessible platform? Are action items and deficiencies assigned and communicated to directors and managers? Are post-incident reports used for training and onboarding processes?

Technology

• Post-Event Assessments: Is there a managed service or security operations center (SOC) that can provide in-depth incident response (IR) assessments? Do these assessments pinpoint evidence within the environment?
• Backups: Are backups regularly scheduled, stored offline, or stored in a secure cloud? Are backups regularly reviewed and protected with passwords and encryption? Are backups accessible for modification or deletion from the primary network?
• Data Forensics & Incident Response (DFIR): Does the organization’s security stack include digital forensics analysis, incident response, and/or security consultations in the event of an attack?
• Contextual Information: Is the security stack capable of detailed log collection? Is log data stored read-only with standard encryption in place?

What to Do to Prepare for a Cyberattack

One of the most important things cybersecurity executives can do to prepare for a cyberattack is to establish a task force and name specific individuals responsible for responding to a breach. This task force should include key members of the organization, such as IT professionals, legal counsel, upper management, and any external partners or service providers that may need to be involved in the response.

Before a breach occurs, it’s essential to develop a comprehensive cyberattack survival protocol that outlines the steps to take during an attack. This should include information on identifying, containing, and recovering from the attack. It should also include details on communicating with relevant stakeholders, including employees, customers, and the media.

In addition to establishing a task force, there are a few other vital steps to increase preparedness for a cyberattack:

1. Conduct regular security assessments: Regular security assessments can help identify vulnerabilities in systems and networks that attackers could exploit.
2. Implement robust security controls: This includes network and cloud security, endpoint security software, user identity protection, and encryption to protect systems and data.
3. Train employees: Educating employees about the importance of cybersecurity and how to identify and report potential threats can go a long way in protecting an organization from an attack.
4. Establish incident response protocols: Having a plan in place for how to respond to a cyberattack can help minimize the damage and get systems and operations back up and running as quickly as possible.
5. Perform a forensic incident response simulation: simulations help manage the aftermath of a cyberattack. The findings can provide valuable support in navigating the complex legal and technical challenges that often arise in the wake of a breach.

What to Do After a Cyberattack

The overall goal of the post-attack process is to mitigate any exploited vulnerabilities, ensure the threat has been neutralized or eradicated, and restore affected services to operational normalcy.

After a confirmed cybersecurity attack, the following steps will help ensure that the incident is appropriately contained and minimize data losses.

1. Assess the Extent of the Attack

The security team’s first order of business is to determine the attack’s extent and identify which systems, data and/or users have been affected. The following will help determine the type of attack and assess the extent of the damage:

• Determine the type of attack: An effective response first needs to understand the specific kind of attack that occurred. Types of attack include phishing attempts, Denial of Service attacks, ransomware/data exfiltration and account/user takeovers. If malware was used, identify the specific kind of malware. This can often lead to a better understanding of other elements of the attack.
• Identify the source of the attack: It is important to identify the initial vector of compromise. Threat actors may have gained a foothold or presence in other parts of the network that have not yet come to light. To do this effectively, work with a forensic incident response team to analyze the attack and trace it back to its origin. Understanding the source of the attack also helps inform the company’s security strategy so that measures can be implemented to prevent similar attacks from occurring in the future.
• Assess the extent of the damage: Once the attack has been contained and the type of attack has been identified, it’s time to assess the extent of the damage. This may include evaluating the impact on systems and data and identifying any sensitive information that may have been compromised. Understanding the full scope of the attack will help the organization to plan an effective response.

2. Contain the Attack

The next step is to prevent attackers from gaining further access to the network. Some recommended steps are:

• Isolate infected systems and devices: Any system or device that may have been compromised should be isolated from the rest of the network to prevent the attacker from spreading to other systems. Organizations with SentinelOne installed can use the quarantine network feature to block any other communication to and from endpoints that may have been compromised.
• Disconnect from the network (if necessary): In some cases, it may be required to disconnect the entire network from the internet to prevent the attacker from accessing systems.
• Shut down affected services: If certain services (e.g., email, web servers) have been compromised, it may be necessary to take these services offline across the organization to prevent the attacker from using them as a foothold.
• Implement any necessary emergency measures: Depending on the severity of the attack, it may be required to activate the incident response plan, which should outline the steps needed to contain the attack and minimize damage.

3. Eradicate the Threat

After containment, the next step is to remove any malware or other malicious software installed during the attack and to ensure that the initial infection vector is blocked.

• Remove malware or other malicious software: Organizations that deploy SentinelOne can set a policy that removes malware automatically, or it can be done remotely if the policy was not already set. Organizations without SentinelOne may need to manually remove malware from infected systems or rebuild the system from scratch.
• Patch any exploited vulnerabilities: If the attacker exploited software vulnerabilities to gain access, these will need to be patched as soon as possible. This may require applying patches or software updates, reconfiguring network settings, or replacing outdated or unsupported systems. Patching vulnerabilities may involve downtime, which can be disruptive to business operations. However, it’s essential to prevent attackers from exploiting the same infection vector again and interfering with the recovery process.
• Reset passwords: If any user accounts or service credentials were compromised before or during the attack, ensure that these are reset and that user identities are confirmed and protected using biometric keys, MFA and other authentication techniques.

4. Restore Data and Services

Once the attack has been mitigated, the next step is to restore any systems or data that were damaged or lost during the attack. This may involve restoring from backups, rebuilding systems, or recovering data using specialized software. Priority should be given to the following:

• Restore systems and services: Bring back any systems or services that were shut down to contain the attack and any systems or services that were damaged or lost during the attack. It’s important to carefully test and validate these services to ensure that they are fully functional and secure before making them available to users again.
• Restore lost data (if necessary): If the attack resulted in the loss of essential data, restore it as soon as possible. This may involve restoring from known clean backups, using specialized data recovery software, or manually recreating lost data.
• Rebuild affected systems (if necessary): If the attack caused damage to systems that cannot be repaired, they may need to be rebuilt from the ground up. While this can be time-consuming, it’s necessary to ensure that all systems are secure and fully functional.

5. Report the Event

As the data forensics investigation progresses, senior leadership and other stakeholders should be kept informed of the team’s findings. When tasking the incident response team, ensure that reporting cadences are set.

During this stage, key communicators will reach out to law enforcement and insurance agencies. C-levels will work with media and public relations specialists to issue a press release and inform employees and affected clients and third-party vendors.

Organizations can maintain trust and transparency by providing regular updates on the situation and any progress made. Here are the steps to keep in mind:

• Set a report cadence and expectations around reporting: After the attack has been contained and the incident response team has begun its investigation, establish a report cadence and set expectations around how and when the information will be shared with stakeholders. This will help to ensure that the technical team can focus on their tasks without being interrupted by communication requests, which can waste valuable resources during this critical time.
• Identify the different reporting stakeholders: As part of the response and resolution efforts, it is important to keep employees, customers, and partners informed of the situation and any progress made. However, each stakeholder group may have different communication needs and preferences. For example, internal stakeholders may need clear, actionable feedback, while external stakeholders may require a more general update. Identify the different stakeholder groups and develop a communication plan that meets their needs.
• Work with media and public relations specialists: To maintain trust and transparency, issuing a press release or other public statements about the attack may be necessary. C-level executives should work closely with media and public relations specialists to carefully craft this statement and ensure that it accurately reflects the situation and the organization’s response efforts.

C-levels should also ensure that they are aware of any mandatory regulations that apply to their organization in the event of an attack. Depending on industry-specific federal laws and state legislation, many organizations are legally mandated to report cyberattacks and data breaches. Those that manage, store, and transmit personally identifiable information, for example, will be bound by HIPAA and PCI-DSS requirements to notify affected individuals.

6. Hold Post-Event Lessons Learned Sessions

Holding post-event lessons-learned sessions is an integral part of the cyberattack survival process because it enables organizations to reduce the risk of future attacks and better protect themselves and their customers.

Post-event lessons learned sessions help to improve incident response processes and procedures. By examining the events leading up to, during, and after the attack, organizations can identify any bottlenecks or inefficiencies in their incident response plan and take steps to streamline and improve response efforts. This can include revising team roles and responsibilities, updating communication plans, and incorporating new security controls or procedures.

• Learn from the attack: The investigation should have already identified what happened and how attackers gained access. Vulnerabilities should have been patched and mitigated. Ensure the findings of the investigation are used as lessons to prevent similar attacks in the future. This may also include mistakes or missteps made during the response effort.
• Update incident response plan: Based on the lessons learned from the attack, the incident response plan and the overally company security strategy should be updated to ensure they reflect the most current best practices and consider any new threats or vulnerabilities. This may involve revising IR team roles and responsibilities, updating the communication plan, and incorporating new security controls or procedures.

Conclusion

Given the growing risk of cyber threats on businesses of all sizes and industries, building cybersecurity preparedness has become an urgent goal for many C-level security leaders and IT owners.

Dealing with cybersecurity attacks will be a trying exercise for all involved, but leaders can do much to minimize damage and make the road to recovery as smooth as possible. Planning ahead and designing an incident response plan tailored to the business’s specific needs ensures businesses can retain sensitive data, client and public trust, and credibility in the long run.

CISOs, IT owners, and technical professionals trust SentinelOne’s Vigilance Response Pro to protect their businesses from advanced threat actors. Vigilance blends 24/7/365 managed detection and response (MDR) with comprehensive digital forensics analysis and guided security consultation to offer a full-service solution for enterprises operating in today’s cyber landscape. Learn more by booking a demo or contacting us today.

Looking back at 2022, we’ve reported on positive strides and wins seen across our community as well as some seriously heinous threats to the digital landscape. The Good, Bad and the Ugly series takes this week’s edition to rewind and revisit the best, the worst, and the ugliest from the past 12 months.

The Best

Throughout 2022, law enforcement groups across the globe made a sweeping number of arrests – many the result of international collaborations between agencies. Crackdowns this year saw the arrests of key members from infamous cyberthreat gangs such as JabberZeus and LockBit, as well as the shuttering of multiple darknet marketplaces and malicious domains.

From a policy standpoint, the U.S. government made good on their pledge to harden the country’s cyber posture by implementing the Digital Services and Digital Markets Acts, publishing new guidelines for securing supply chain operations, and adding key cybersecurity hires to their Crypto Assets and Cyber Units.

SentinelOne’s focus on technical innovations, partnership, and sharing security intel was best highlighted by the successful launch of LABScon this September. At this inaugural security conference, SentinelLabs hosted a gathering of the most prominent speakers and researchers from the infosec community with the goal of advancing cybersecurity research for the benefit of a collective digital defense.

The Worst

Despite the wins, threat actors were busy across the year attacking targets old and new.

At the beginning of the year, a Red Cross contractor suffered a large-scale cyberattack exposing the personally identifiable information (PII) of over half-million individuals. In April, a ransomware attack on the Costa Rican government triggered a national emergency that took over a month to remediate. In July, it was revealed that a Conti attack on a healthcare debt collection firm impacted more than 1.91 million patients and 650 medical providers.

As students returned to education in September, the Los Angeles school district supporting over 640,000 students disclosed a data breach on their IT systems.

Los Angeles Unified Targeted by Ransomware Attack

For more information, please visit https://t.co/Itdix5TlqK. pic.twitter.com/HDgktJKT0S

— Los Angeles Unified (@LASchools) September 6, 2022

Cybercrime-as-a-Service has introduced a new wave of low and medium-level cyber criminals to more complex and devastating attack methods. Services like Caffeine, for example, allow anyone on the internet to pay for customized phishing kits and URLs for hosting malware payloads.

Threat groups such as Vice Society were reported in October to be taking on a fluid approach to the spectrum of data extortion. Adapting different tactics based on their targets, some groups have been known to demand ransoms without deploying ransomware, instead threatening victims with exposure of the leaked data. Public exposure of sensitive data can be catastrophic for some organizations, while for others, just the cost of returning to normal operations can put an organization out of business entirely.

Attacks on enterprise cloud surfaces have also become an increasingly worrisome vector throughout 2022, with breaches of major companies such as Twilio, Okta, NetStandard, and LastPass raising fears that even as businesses have understood the need to harden endpoint security, cloud workloads and user identities remain easy targets.

The Ugliest

Amidst an ongoing economic downturn, active warfare, and civil unrest, the ugliest moments of 2022 showed that cybersecurity and cybersecurity awareness is a challenge for society across the board.

A feature of some of 2022’s worst moments was the increasing awareness of how governments around the world are using private espionage companies to throttle dissent and attack civilians including journalists, lawyers and civil rights protesters. In February, SentinelLabs reported on ModifiedElephant, an APT that has been targeting activists by planting false digital evidence.

A private sector offensive actor based in Austria was uncovered in July, while Spain-based IT company Variston were outed in early December as trading in commercial spyware.

Of course, the dominant news of 2022 centered around Ukraine. As the conflict in Ukraine unfolded in the early months of the year, banks, major websites, and other public services in Ukraine were hit with distributed denial-of-service (DDoS) attacks leading up to Russia’s invasion.

In February, SentinelOne researchers reported on HermeticWiper, a new custom wiper malware circulating in Ukrainian organizations in an effort to break down the country’s information systems. Shortly after, another wiper attack on Ukraine dubbed AcidRain hit satellite modems in neighboring countries.

The traffic wasn’t all one way: Russian courts and mayoral offices were targeted with CryWiper. Elsewhere, wipers were deployed by Iranian-linked APT Agrius on targets in Hong Kong, Israel and South Africa. Unlike ransomware, these wipers do not attempt to extort the victim; their intent is only to destroy the victim’s ability to operate, and collectively may be the most nefarious of cyber threats we’ve seen over the last year.

Conclusion

2022 was a year in which cybersecurity headlines reached out into the mainstream media and public consciousness more so than ever. We can hope that this increased awareness will pay dividends in 2023, as public and private organizations, and indeed individual users, develop a greater understanding of cyber risk and how to mitigate it.

Our regular weekly roundups will return next Friday. Meanwhile, find our predictions for 2023 here, and from all of us at SentinelOne, have a happy and very safe New Year.

2022 has been another eventful year for the SentinelLabs research team, with events in Ukraine dominating and directing a large portion of our research output. We also hosted the first ever LABScon, bringing together top tier researchers and thought leaders from across the industry, and found time to investigate a number of supply chain attacks, adversaries, macOS, Linux and Windows malware, and exploitable vulnerabilities.

We’ve seen a shift in ransomware TTPs with increasing use of hybrid and partial encryption and a greater focus from threat actors on stealing data for ransom as well as – and sometimes instead of – using file lockers.

All our research and threat intelligence posts can be found on the SentinelLabs home page, but for a quick recap of the year’s main highlights, take a scroll through the 2022 timeline below.

January

In January, we identified new variants of the PowGoop malware belonging to Iranian-linked threat actor MuddyWater. We described how this adversary used tunneling tools and likely exploited CVE-2020-0688 on Exchange servers to compromise governmental organizations in the Middle East. Like many other Iranian threat actors, the group displays less sophistication and technological complexity compared to other state-sponsored APT groups but continues to be successful through its use of publicly available offensive security tools and exploitation of unpatched vulnerabilities.

January also saw SentinelLabs post research on threat hunting for macOS adware infections, recent hacktivist campaigns, and analyses of BlackCat ransomware, and CVE-2021-45608 – a flaw in NetUSB affecting millions of routers.

February

The Russian invasion of Ukraine in February 2022 was an event that had, and continues to have, a global impact. It was widely expected that the Russian campaign would be swift and decisive, and accompanied by an equally destructive cyber warfare campaign. Those expectations turned out to be far from correct. While the resolve of the Ukrainians took both the Russians and many observers by surprise, the cyber campaigns associated with the war also had an unexpected dimension. In February, the first of these was a new destructive wiper that SentinelLabs dubbed Hermetic Wiper, a signed driver targeting Windows devices in Ukrainian organizations.

This month, SentinelLabs also exposed a decade-old state-sponsored adversary named ModifiedElephant targeting human rights activists, lawyers, academics and others involved in civilian dissent in India. The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’—files that incriminate the target in specific crimes—prior to conveniently coordinated arrests.

SentinelLabs also reported on an Iranian threat actor, TunnelVision, exploiting the Log4j2 and other vulnerabilities against Middle East and US targets.

March

As the war in Ukraine gathered pace, so did the cyber attacks: WhisperKill, WhisperGate, HermeticWiper, IsaacWiper, CaddyWiper, and DoubleZero were all reported on across the industry, but AcidRain saw a new development. An attempt to take out Ukrainian military command-and-control capabilities by hindering satellite connectivity spilled over to affect German infrastructure with remote monitoring and control of almost 6000 Enercon wind turbines disrupted by an attack on Viatsat modems.

It turns out it hasn’t only been the Russians targeting Ukraine, either. In March, SentinelLabs reported on a Chinese threat actor Scarab APT attempting to infect organizations in Ukraine with HeaderTip malware. Meanwhile, multiple critical severity flaws in Microsoft Azure’s Defender for IoT were disclosed by SentinelLabs that could allow unauthenticated attackers to remotely compromise devices.

April

In April, SentinelLabs’ focus turned to crimeware with research on LockBit 3.0 discovering that threat actors were sideloading Cobalt Strike beacons via a signed VMware xfer logs command line utility. We subsequently discovered this technique was connected with an affiliate Microsoft tracks as DEV-0401, a threat actor that had not previously been known to use LockBit.

SentinelLabs also published on Nokoyama ransomware in April, finding that it was clearly an evolution of Karma/Nemty rather than Hive, as suggested by some earlier analyses.

May

Supply-chain attacks via shared code repositiores were flavor of the month in May. SentinelLabs reported on CrateDepression this month, a supply-chain attack against the Rust development community. This followed an advisory from the Rust Security Response Working Group announcing the discovery of a malicious crate that targeted victims using GitLab Continuous Integration (CI) pipelines. Infected CI pipelines were served a second-stage payload we identified as Go binaries built on the red-teaming framework, Mythic. Both macOS and Linux payloads were available to the threat actors.

Also in May, threat actors targeted PyPI with a malicious Python package in a typosquatting campaign. We noted how the macOS payload used a similar obfuscation technique to OSX.Zuru in 2021 to drop a Cobalt Strike beacon on infected devices.

June

June 2022 saw SentinelLabs’ research turn to focus on Chinese-linked threat activity. Our research revealed a newly-discovered APT dubbed Aoqin Dragon that had been quietly spying on government, education, and telecommunication organizations in Southeast Asia and Australia for over a decade.

We found that the threat actor had a history of using document lures with pornographic themes to infect users and typically drops one of two backdoors: Mongall and a modified version of the open source Heyoka project.

July

In July, SentinelLabs research discovered that a Chinese state-sponsored cyber espionage group had set its sights on Russian targets in the midst of the Ukraine war.

We also explored how malicious Windows applications created as APPX and MISIX packages were being used by threat actors as an alternative infection vector to Office macros. LockBit 3.0 continued to be a significant threat for many enterpriss and we published new research on LockBit’s latest anti-analysis and evasion techniques.

August

Furthering our research on alternative vectors in light of Microsoft’s announced lockdown of Office Macros, SentinelLabs published on how Windows shortcuts, LNK files, were being abused by threat actors. This detailed research was based on an analysis of over 27,000 malicious LNK file samples.

We discovered that Windows Explorer was the top LOLBin (living off the land binary) in the chain of LOLBins that threat actors use to execute malware via LNK files.

September

September was the month of LABScon, and unsurprisingly saw some big reveals from the SentinelLabs research team. First up came Metador, a mysterious threat actor that SentinelLabs found had been targeting telecommunications, internet service providers, and universities in several countries in the Middle East and Africa.

We also published research on Void Balaur, a cyber mercenary group running hack-for-hire campaigns throughout 2022 on targets in the United States, Russia, Ukraine, and other countries. SentinelLabs also reported on JuiceLedger, a relativey new threat actor focused on infostealing through a .NET assembly called ‘JuiceStealer’, and its phishing campaign against PyPI contributors.

October

In October, our research returned to focusing on Chinese-linked APTs with research on a new threat cluster we track as WIP19.

WIP19 has been targeting telecommunications and IT service providers in the Middle East and Asia using a stolen digital certificate signed by a company called “DEEPSoft”. The activity was notable for the fact that almost all operations performed by the threat actor were conducted in a “hands-on keyboard” manner, with the attacker foregoing using C2 channels in exchange for increased stealth.

November

As the festive and holiday season started to approach, our focus turned once again to crimeware actors that typically ramp up their activities as the year rounds to a close. Our research into SocGholish noted how the actors had significantly diversified and expanded their infrastructure for staging malware with new servers, many of which were located in Europe, with the Netherlands, the United Kingdom, and France at the top of the list.

We also covered Black Basta ransomware and were the first to note links to its tools and cybercrime gang FIN7. For those who missed out on LABScon, we began a series of posts on some of the presentations that took to the main stage.

December

SentinelLabs was as busy at the end of the year as at the beginning. In December, we published research into crimeware group Vice Society, revealing how the group had pivoted to using a custome-branded ransomware variant we dubbed ‘PolyVice’.

We also dug deeper into Metador, exploring the anti-analysis techniques used in one of the actor’s backdoors, Mafalda. In collaboration with industry partners, we published on POORTRY and STONESTOP malware, used in active intrusions into telecommunication, BPO, MSSP, and financial services businesses.

SentinelOne was an early pioneer of the use of AI and machine learning in cybersecurity, but the technology hit public awareness in a big way with OpenAI’s release of ChatGPT 3. We found time to report on the wonders of this AI tool for the work of malware analysis and reverse engineering, and of course, we topped off the year by sharing more LABScon talks for the rest of the cybersecurity world to enjoy and learn from.

Conclusion

Throughout 2022, SentinelLabs has kept defenders informed and up-to-date on the latest developments across the crimeware ecosystem, adversaries, APTs, malware campaigns and critical vulnerabilities, and we’re not quite done yet: look out for a special LABScon talk that we’ll share before the New Year.

We’ll be back in 2023 with more security research, threat intelligence and vulnerability reporting. In the meantime, we wish all a happy, secure and peaceful New Year and 2023. Predictions for what 2023 in cybersecurity might look like from both SentinelLabs researchers and SentinelOne thought leaders can be found here.

This is Part 5, the concluding part of our multi-part XDR (eXtended Detection and Response) blog series.

If you haven’t read the earlier posts in this series yet, we recommend checking out the following:

• Part 1 discusses why organizations need to extend protection beyond the endpoint to stay ahead of adversaries
• Part 2 discusses why Endpoint Detection and Response (EDR) is a foundation and a cornerstone for any XDR strategy.
• Part 3discusses why identity security is a cornerstone of an XDR strategy
• Part 4 discusses the importance and value of security data for detection and investigation.

In this post we discuss the importance of why an XDR solution should be Open XDR.

The State of Security Operations Center

The only constant in security is change. New exploits are met with new defenses. The more we integrate technology into society, the more opportunities attackers have to hack for power or profit and so both sides keep innovating.

When attackers took to the supply chain and to lifting legitimate credentials from phishing and breaches, defenders moved further into vulnerability management, Zero Trust, and invented new Identity Threat Detection and Response (ITDR) tools. As attackers increasingly leverage crimeware  markets to grab off-the-shelf malware and lower the skill level needed to run an attack, defenders increasingly look to smarter tools and XDR Marketplaces to integrate tools and run automation that is a force multiplier for their team, turning disparate tools into connected defense networks sharing IOCs, risk levels, and coordinated response.

In Cybersecurity, Effectiveness Counts

Before we can talk about what good Open XDR systems do, we need to acknowledge why they’re here. Behind all of this are customer buying behaviors. Some of the world’s largest tech companies have long tried to convince customers that they can get all their security software from one vendor. The market evaluated that offer and decided the compromise in quality was too great and most have continued buying best in class tools from disparate vendors.

Convenience and cost drives some buyers to reduce the number of vendors but most have put security first and that is a good thing. We are all members of banks, we are all scanning our fingers and faces to get into our phones, and we’re all online, putting our data into databases almost. As consumers and members of societies that are under constant attack, we should be happy knowing that most organizations we buy from still choose better tools over streamlined buying and support or a deeply discounted EA package.

Throughout history we see that battles are a measure of numbers, training, and equipment quality. Armies don’t win by buying planes and ships from the same vendor to get a good deal. CISOs and SOC Managers know that they can’t afford as many personnel as they need and can’t find the people with the level of training and expertise that they need. There has been a skills shortage for years and it’s not getting better. Instead, CISOs and SOCs coming up on their EPP/EDR renewal are asking questions about automation and AI. Tooling has to make the difference.

Where Open XDR Diverges from Other Security Tools Like the SIEM and SOAR

Before XDR, data often lived in two places: in the SIEM and in the EDR database. EDR data is too voluminous to send to most SIEMs without selling the headquarters to pay for it, so the data stayed separated. This meant searching, rule writing, dashboarding, and reporting all had to be done in two places.

It’s important then to realize that any SIEM that hasn’t solved the data silo issue is still just a SIEM, not XDR. If the SIEM hasn’t extended to cover all critical parts of the stack, there’s no “X”. Most XDR vendors solve the data separation issue by bringing all data to the EDR database. At the same time, some XDR vendors have acquired indexless database companies, making log ingest cheaper than it was with SIEMs.

XDR also solves the SOAR problem. SOARs were too expensive and complex for most teams so market penetration was low. XDR had to solve this because automation is the backbone of XDR. Instead of a complicated solution that requires writing a large check every year and adding headcount to build and maintain the playbooks, XDR delivers turnkey automation as part of existing or slightly higher packaging. Where SOAR was expensive shelfware, XDR is automation for the masses.

Where Open XDR Comes In

Beyond the centralized data and automation is one common thread: X. If it doesn’t extend, it’s just Detection and Response. If it’s not all the data, it’s by definition only part of the picture.

This is where XDR buyers need to look more closely and understand, is this native or open XDR? It’s important to know that behind the scenes, some vendors don’t want connected ecosystems, Native XDR vendors are focused on their portfolio. Open XDR vendors are investing in integrations with vendors that customers indicate are important. SentinelOne’s Singularity XDR has native coverage across workstation, mobile, OT, cloud, and identity but every month rolls out new integrations with third parties or updates to existing integration with security partners, many in those same areas.

This benefits customers in several ways.

• Leverage Existing Investments: Open XDR helps maximize the value of your security investments. While a native XDR requires the vendor to supply all the required sensors for typical use cases, an Open XDR works with what’s in place today, with minimal disruption or change.
• Vendor agnostic: With Open XDR, companies are freed from being locked into specific solutions, letting SOCs customize their stack to the tools that are best for their industry and to evolve with it as new vendors innovate and disrupt. With Open XDR it’s even easy to integrate with multiple threat intelligence vendors, multiple firewalls, multiple clouds, or all of the above.
• Scalable Solution: Open XDR makes it straightforward to onboard new security tools and technology, as well as easily integrate and connect these tools with each other. For example, our multi-tenancy means you can install one identity integration for one part of your organization and a completely different integration for another part of your organization. Scopes make that easy. Our open IOC database means your intel can work together too. You can push in threat intel from anywhere you’d like and it’s combined into our database to use for enriching, alerting, mitigating, writing custom rules, or firing automations.

Conclusion

A successful defense cannot be won with sheer numbers, no security team has enough people for it. Even the teams with the best budgets, with the best firewalls and threat intel, are still searching for a centralized, automated, intelligent tool that’s going to continually make their teams the defenders of tomorrow. Can your threat intel trigger a detection that triggers a Slack notification? Can a high enough threat intel score trigger a true positive or kick a detection into remediation mode? Can those be enabled with a few clicks and no code? Last week OpenAI proved to the world that AI may be closer than we think. This week is a great time to ask whether your tools are built for tomorrow.

If you would like to learn more about SentinelOne Singularity XDR platform, contact us for more information or request a free demo. Also join and listen to the XDR webinar to learn more about best practices and building blocks for an enterprise looking to adopt XDR.