Hi guys
You might have heard of MOVEit Transfer recently: a critical vulnerability was announced 2 weeks ago and is tracked as CVE-2023-34362, with a CVSS base score of 9.8.
I realized I have never told you about our QRadar Suite platform, and it has been a long time since I talked about our X-Force Threat Intelligence, so I'll cover both here under the MOVEit topic!
IBM Security QRadar Suite
IBM Security QRadar Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.
Part of QRadar Suite is QRadar Log Insights, a cloud-native log management and security observability product that provides simplified data ingestion and rapid search, investigation and visualization. This is what we are going to use today to look for MOVEit Transfer vulnerability indicators.
If you want to know more about QRadar Suite, you can find information here.
Data collection
Log collection
The first thing you should know is that QRadar Log Insights lets you collect and parse logs just as you are used to.
You can use the same protocols you use today (Syslog, Log File, JDBC, SNMP, Amazon API, MSRPC, etc.); the difference is that the DSMs now include the Custom Event Properties natively.
The data you collect is stored in our Data Lake, powered by ClickHouse, and can be queried with Kusto Query Language (KQL), which is powerful enough to deserve a dedicated blog post of its own.
Thanks to KQL, you can search the Data Lake for MOVEit Transfer vulnerability indicators very quickly, and you can build visualizations in a few seconds.
Something you might not be used to is that you can also connect to a remote source and query its data without collecting the logs!
You read that right: we know it is not always easy to collect all the data, because some sources, cloud services for example, generate so much of it.
Once you have connected your remote sources, we provide two ways of querying them: a STIX query or the Am I Affected functionality.
Data Explorer is the equivalent of the Log Activity tab. It is where you query the data in your Data Lake with KQL, and where you create a STIX query to search your remote sources, which is what we are exploring today.
In the example below I have 33 sources connected to my environment and decided to query 4 of them that I suspect could have the information I am looking for.
Now that you know about Federated Searches, we can focus on the MOVEit transfer vulnerability detection.
As I mentioned earlier, you can run a search against data you are not collecting, and you can also use the Am I Affected functionality to query those sources.
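As an added example that is not part of this post or of QRadar's own code, here is a small evaluator for the kind of STIX pattern you would build in Data Explorer, run over constructed records standing in for a remote source's data. The record keys, the sample values and the supported subset (equality comparisons joined by AND or OR inside one observation expression) are assumptions.

```python
"""Matcher for a subset of STIX 2.1 patterns (added example, constructed data)."""
import re
from typing import Dict, List, Tuple

# One comparison of the form <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"(\w[\w-]*):([\w.'-]+)\s*=\s*'([^']*)'")

def parse_pattern(pattern: str) -> Tuple[str, List[Tuple[str, str, str]]]:
    """Parse one bracketed observation expression of equality comparisons
    joined by AND or OR (not both); returns (operator, comparisons)."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("pattern must be a bracketed observation expression")
    body = body[1:-1]
    has_and, has_or = " AND " in body, " OR " in body
    if has_and and has_or:
        raise ValueError("mixed AND/OR needs parentheses; not supported here")
    comparisons = []
    for part in re.split(r"\s+(?:AND|OR)\s+", body):
        m = _COMPARISON.fullmatch(part.strip())
        if not m:
            raise ValueError(f"unsupported comparison: {part!r}")
        obj_type, prop, value = m.groups()
        # file:hashes.'SHA-256' -> property key hashes.SHA-256
        comparisons.append((obj_type, prop.replace("'", ""), value))
    return ("AND" if has_and else "OR"), comparisons

def record_matches(record: Dict[str, str], operator: str, comparisons) -> bool:
    """A record is a flat dict keyed '<type>:<property>', an assumed
    normalisation of a remote source's fields."""
    hits = [record.get(f"{t}:{p}") == v for t, p, v in comparisons]
    return all(hits) if operator == "AND" else any(hits)

def am_i_affected(pattern: str, records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the records that match the STIX pattern."""
    operator, comparisons = parse_pattern(pattern)
    return [r for r in records if record_matches(r, operator, comparisons)]

# Constructed sample data: documentation IPs and a placeholder hash, not real IOCs.
SAMPLE_PATTERN = ("[ipv4-addr:value = '203.0.113.9' OR "
                  "file:hashes.'SHA-256' = 'PLACEHOLDER_SHA256']")
SAMPLE_RECORDS = [
    {"ipv4-addr:value": "198.51.100.4", "file:hashes.SHA-256": "aaaa"},
    {"ipv4-addr:value": "203.0.113.9", "file:hashes.SHA-256": "bbbb"},
    {"ipv4-addr:value": "198.51.100.7", "file:hashes.SHA-256": "PLACEHOLDER_SHA256"},
]

if __name__ == "__main__":
    for hit in am_i_affected(SAMPLE_PATTERN, SAMPLE_RECORDS):
        print("hit:", hit)
```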
With QRadar Log Insights you benefit from all the X-Force intelligence as part of the offering.
All the information you can access from the X-Force Exchange portal is also available from Threat Intelligence Insights, including early warnings, malware analysis and industry reports. You can also create your own collections and share them with your organization.
In the screenshot below you can see the MOVEit transfer collection that has been updated on the day I am writing this blog post.
If you go inside the collection, you will find all the information related to the analysis that has been performed by the X-Force team, as well as the list of related indicators.
On the right-hand side you have the Am I Affected functionality, which lets you select the remote sources you want to query, just as we did for the STIX query earlier, and the timeframe you are interested in.
In just a few clicks, you can search for a list of IOCs provided by X-Force or by your own team across your cloud, EDR or SIEM data from a single place.
The artifacts collected are natively enriched by the system, and anything identified as suspicious is added to a case and correlated with other alerts and findings.
In the example below you can see a few findings that have been added to the same case because they share some key artifacts. This saves you from having to connect to many consoles to investigate in different places.
The coloured icons are the indicators of the enrichments that have been performed. The case also provides some investigation details as well as some recommended response tasks.
By default you get enrichment from the X-Force Threat Intelligence feed, but you can connect external sources to benefit from more enrichment sources.
In the screenshot below you can see that the enrichment of my previous case has been performed by X-Force Threat Intelligence as well as by the VirusTotal source we connected to the system.