IBM Security QRadar


Detect MOVEit Transfer Zero-Day with QRadar Log Insights

By Gladys Koskas posted Wed June 21, 2023 11:57 AM


Hi guys

You might have heard of MOVEit Transfer recently, as a critical vulnerability was announced 2 weeks ago. It is tracked as CVE-2023-34362 with a base score of 9.8.

I realized I have never told you about our QRadar Suite platform, and it has been a long time since I talked about our X-Force Threat Intelligence, so I'll cover both here under the MOVEit topic!

IBM Security QRadar Suite

IBM Security QRadar Suite is a modernized threat detection and response solution designed to unify the security analyst experience and accelerate their speed across the full incident lifecycle.

Part of QRadar Suite is QRadar Log Insights, a cloud-native log management and security observability product that provides simplified data ingestion, rapid search, investigations and visualizations. This is what we are going to use today to look for MOVEit Transfer vulnerability indicators.

If you want to know more about QRadar Suite, you can find information here.

Data collection

Log collection

The first thing you should know is that QRadar Log Insights lets you collect and parse logs just as you are used to.

You can use the same protocols you are using today (Syslog, Log File, JDBC, SNMP, Amazon API, MSRPC, etc.); the difference is that the DSMs now include the Custom Event Properties natively.

The data you collect is stored in our Data Lake, powered by ClickHouse, and can be queried with Kusto Query Language (KQL), which is super powerful and would deserve a dedicated blog post of its own.
Thanks to KQL, you can search the Data Lake for MOVEit Transfer vulnerability indicators very quickly, and you can create visualizations in a few seconds.
This is not the part I wanted to develop today; I want to introduce you to our Federated Searches (in the meantime, @Jose Bravo has posted a series of videos about KQL on YouTube!).

Federated Sources

Something you might not be used to is that you can also connect to a remote source and query the data without collecting the logs!
You read that right: we know that it is not always easy to collect all the data, because some sources, cloud services for example, generate so much of it.
So we provide a way to connect to 29 device types and query the data right where it is (the full list can be found here).
Once you have connected your remote sources, we provide two ways of querying them: you can perform a STIX query or use the Am I Affected functionality.

STIX query

Data Explorer is the equivalent of the Log Activity tab. This is the place where you can query your data in the Data Lake with KQL, and where you can create a STIX query for querying your remote sources, which is what we are exploring today.
In the example below I have 33 sources connected to my environment and decided to query 4 of them that I suspect could hold the information I am looking for.
To build my query I can either use the visual builder, or simply type it directly if I am more familiar with STIX.
Now that you know about Federated Searches, we can focus on the MOVEit transfer vulnerability detection.

Am I affected

As I mentioned earlier, you can perform a search against data you are not collecting, but you can also use the Am I Affected functionality to query those sources.

With QRadar Log Insights you benefit from all the X-Force intelligence as part of the offering.

All the information that you can access from the X-Force Exchange portal can be accessed from Threat Intelligence Insights, including the early warnings, malware analysis, and industry reports. You can also create your own collections and share them with your organization.

In the screenshot below you can see the MOVEit transfer collection that has been updated on the day I am writing this blog post. 

If you go inside the collection, you will find all the information related to the analysis performed by the X-Force team, as well as the list of related indicators.

On the right-hand side, you have the Am I Affected functionality, which allows you to select the remote sources you want to query, just as we did for the STIX query earlier, and the timeframe you are interested in.

In just a few clicks, it is possible to search for a list of IOCs provided by X-Force or by your own team across your cloud, EDR or SIEM data from a single place.
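To make the STIX query and Am I Affected steps above concrete, here is an added example (not IBM's code and not the product's implementation) that renders an indicator list as a STIX 2.1 pattern with the search timeframe, then applies the same "IOC list, time window, many sources" logic to a handful of constructed events. All indicator values, source names and events are constructed placeholders, not real MOVEit IOCs.

```python
# Added example (not IBM's code): builds a STIX 2.1 pattern from an X-Force-style
# indicator list and applies the same "IOC list x timeframe x sources" check that
# an Am I Affected search performs. Every indicator, source and event below is a
# constructed placeholder, not a real MOVEit Transfer indicator.
from datetime import datetime, timezone

# Constructed indicator collection in the shape of a threat-intel export.
INDICATORS = {
    "ipv4-addr:value": ["203.0.113.10"],
    "domain-name:value": ["example-c2.invalid"],
    "file:hashes.'SHA-256'": ["a" * 64],
}

def stix_pattern(indicators, start, stop):
    """Render the indicators as one STIX pattern with an observation window."""
    terms = [f"{obj} = '{v}'" for obj, vals in indicators.items() for v in vals]
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    return f"[{' OR '.join(terms)}] START t'{start.strftime(fmt)}' STOP t'{stop.strftime(fmt)}'"

def am_i_affected(events, indicators, start, stop):
    """Return (source, event_id, matched_value) for every event inside the
    window whose observable fields hit any indicator value, across all sources."""
    values = {v for vals in indicators.values() for v in vals}
    hits = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"]).replace(tzinfo=timezone.utc)
        if not (start <= ts <= stop):
            continue  # outside the timeframe the analyst selected
        for field in ("src_ip", "dst_ip", "domain", "sha256"):
            if e.get(field) in values:
                hits.append((e["source"], e["id"], e[field]))
    return hits

# Constructed sample events from three "federated" sources (nothing is collected).
EVENTS = [
    {"source": "edr", "id": 1, "ts": "2023-06-01T10:00:00", "sha256": "a" * 64},
    {"source": "firewall", "id": 2, "ts": "2023-06-02T11:30:00", "dst_ip": "203.0.113.10"},
    {"source": "firewall", "id": 3, "ts": "2023-05-01T00:00:00", "dst_ip": "203.0.113.10"},
    {"source": "proxy", "id": 4, "ts": "2023-06-03T09:15:00", "domain": "benign.example"},
]
START = datetime(2023, 5, 27, tzinfo=timezone.utc)
STOP = datetime(2023, 6, 21, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(stix_pattern(INDICATORS, START, STOP))
    for hit in am_i_affected(EVENTS, INDICATORS, START, STOP):
        print("hit:", hit)
```

Event 3 carries an indicator value but falls before the START of the window, so it is correctly not reported; that is the timeframe filter the Am I Affected dialog asks for.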

Artifacts collected are natively enriched by the system, and anything identified as suspicious is added to a case and correlated with other alerts and findings.

In the example below you can see a few findings that have been added to the same case because they share some key artifacts. This saves you from having to connect to many consoles to investigate in different places.

The coloured icons indicate the enrichments that have been performed. The case also provides some investigation details as well as some recommended response tasks.

By default you get enrichment from the X-Force Threat Intelligence feed, but you can connect external sources to benefit from more enrichment sources.

In the screenshot below you can see that the enrichment of my previous case has been performed by X-Force Threat Intelligence as well as by the VirusTotal source we connected to the system.

This means that if your EDR, SIEM or other detection devices discover something related to the MOVEit Transfer vulnerability, all the findings will be added to the relevant case(s) thanks to our alert correlation rules, saving analysts a great amount of time during their investigations as they won't have to connect to all the different environments.

That is it for our quick tour of how to detect the MOVEit Transfer vulnerability with QRadar Suite.

I hope this helps you understand how we have built our unified analyst experience while bringing our own enrichment and correlation capabilities, and how it can help accelerate detection and response.

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.