
Securing Endpoints by Leveraging AI and MITRE For Your Remote Workforce

By Sophia Sampath posted Thu August 06, 2020 01:29 PM


Authors: Lolita Chandra and Sophia Sampath


Earlier this year there was a massive transition to a largely remote workforce across the globe, over a very short span of time. According to Gallup, “From mid-March to mid-May 2020, the percentage of U.S. employees working from home more than doubled, from 31% to 65%, accounting for more than 100 million American workers”. Such a quick shift has significant implications for businesses and poses some major challenges, with security at the top of the list. Cyber attackers have been taking advantage of elevated fear and uncertainty by targeting large numbers of innocent victims with malicious attacks. There has been a significant increase in nation-state attacks and malicious phishing campaigns, and this trend is expected to continue.

 

Implications of a workforce rapidly transitioning from onsite to remote 

  • A rapid surge in the size and complexity of the attack surface: The attack surface of an organization is the sum of all the different points that attackers can try to use to infiltrate it and steal data or conduct other nefarious activities. With the drastic shift to a predominantly remote workforce almost overnight, organizations suddenly had large numbers of devices outside the corporate network. This goes against the security best practice of condensing the attack surface by minimizing the number of endpoints that attackers can use to access networks and data.

  • Home networks: Remote employees work from home-based networks that lack the defense-in-depth security controls implemented on corporate networks. Security policies have often not been built around remote employees (BYOD, home networks), so it is more important than ever to maintain security for them. Organizations now have a larger number of remote endpoints through which employees access sensitive data and systems.

  • BYOD risk: Organizations are faced with the challenge of securing a deluge of personal devices. Employees who were not provisioned with company-issued laptops for remote work have had to use their personal devices for business purposes and to access sensitive and confidential data. These personal devices lack corporate security policies, management and solutions, and typically do not have the same security controls as business-owned devices. This is a major BYOD risk for organizations, which must ensure that corporate data is protected, and security teams must protect these devices from malware and viruses.

  • Remote security teams: Security teams are also remote, though they still need 24 x 7 visibility and monitoring for users and endpoints. This raises additional challenges, as security teams themselves are now geographically dispersed along with the largely distributed workforce. Security teams have to find new ways to put their heads together and collaborate on issues even though they are not sitting next to each other in the SOC. SOC managers have to be more flexible to accommodate new hours and workflows as their team members balance personal and professional lives.

These factors create additional challenges for security teams, which need visibility into all the endpoints in their environments along with the ability to monitor and control those endpoints and keep them safe from cyber-attacks.

 

Monitoring and Securing Endpoints for a Remote Workforce 

The rapid shift to working remotely hinders visibility, as a vast majority of employees are working on personal or unmanaged devices such as laptops, smartphones and other end-user devices. Employees may work off the VPN, since slow networks mean users only connect to the VPN when absolutely required. These endpoint devices may be exposed to malicious threat actors while organizations must quickly adapt to remote monitoring of hundreds or thousands of employees.

The most commonly asked question is: how can we monitor and secure endpoint devices? To gain visibility into this new normal, organizations are moving towards collecting and analyzing events from endpoints directly, as well as via solutions that can maintain real-time endpoint visibility without a VPN. Centrally monitoring and correlating endpoint activity with other network and application activity lets security teams detect, hunt and track threats as they progress.

Security teams can arm themselves with security tools and techniques (SIEMs, MITRE ATT&CK, AI) to fortify their endpoints. One extremely beneficial approach is to add the MITRE ATT&CK framework to their arsenal of cyber-defense techniques.

 

What is the MITRE ATT&CK® Framework?

MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is a comprehensive, globally accessible knowledge base of tactics and techniques based on real-world observations of cyber attackers. Since it is based on adversarial behavior instead of static signatures or Indicators of Compromise (IoCs), the framework enables security teams to employ behavioral detection analytics by helping them understand the specific tactics and techniques that adversaries are using.

 

 

With the MITRE ATT&CK framework, security teams can see which tactics and techniques attackers have already used, which helps them anticipate the attackers' next steps. This empowers security teams to be proactive by understanding how the attacker(s) operate, what steps they have taken so far and what steps they will take to fulfill their goals.

 

A Real-World Use Case 

In the following scenario, using IBM Security QRadar, we have identified abnormal processes that may be classified as malicious, failed login attempts, and file transfers that may indicate data exfiltration. Leveraging AI through QRadar Advisor with Watson, we can analyze login patterns to differentiate between real users and threat actors accessing network resources, and we apply the MITRE ATT&CK tactics and techniques within the Use Case Manager app to further enrich the network traffic.

As organizations leverage artificial intelligence to detect suspicious patterns, we can see in the example below that an alert was triggered and 11 observables (IPs, files, URLs) were analyzed. As we investigated further, 22 indicators were related to suspicious activity, and three indicators were active.

 

In this example, 12 files, 1 URL, 1 domain name and 8 IP addresses were found that are known to be suspicious or malicious. There are indications that this alert can be attributed to the following threat actors: "carbonspider", "fancybear", "wizardspider", "guruspider", "viceroytiger" and "mythicleopard". AI determined that the exploit target was known to be affected. Threat vectors of the malware related to this offense have been identified: "trojan" and "Windows 32-bit platform". Analysis of the indicators revealed two additional observables related to the offense in the local context.

 

A source IP causing an authentication failure event followed by a successful login was detected, indicating that further investigation is urgent. In addition, more than 400 firewall deny attempts from a single source to a single destination within 5 minutes were detected; this often indicates that a service that was once used is now being blocked.
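As an added illustration (not code from the article or from QRadar), the two detection rules just described, written as plain Python over constructed sample events: a source whose successful login follows its own authentication failure, and a source/destination pair with more than 400 firewall denies inside a sliding 5-minute window. The event tuple layout, IP addresses and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
BASE = datetime(2020, 8, 6, 9, 0, 0)

# Constructed sample events (not from the article): (timestamp, log source, src, dst, outcome).
EVENTS = [
    ("2020-08-06 09:00:01", "auth", "10.0.0.5", "srv01", "failure"),
    ("2020-08-06 09:00:15", "auth", "10.0.0.5", "srv01", "success"),  # failure then success
    ("2020-08-06 09:01:00", "auth", "10.0.0.8", "srv01", "success"),  # clean login
    ("2020-08-06 09:20:00", "auth", "10.0.0.9", "srv01", "failure"),  # failure only
]
# 450 denies in about 225 s from one source to one destination: over 400 in 5 minutes.
EVENTS += [((BASE + timedelta(seconds=i // 2)).strftime(FMT), "fw", "10.0.0.7", "203.0.113.9", "deny")
           for i in range(450)]
# 50 denies from another source: under the threshold, must not alert.
EVENTS += [((BASE + timedelta(seconds=i)).strftime(FMT), "fw", "10.0.0.12", "203.0.113.9", "deny")
           for i in range(50)]

def _by_time(events):
    parsed = [(datetime.strptime(ts, FMT), kind, src, dst, out) for ts, kind, src, dst, out in events]
    return sorted(parsed, key=lambda e: e[0])

def failure_then_success(events, window=timedelta(minutes=10)):
    """Source IPs whose successful login follows their own auth failure within the window."""
    last_failure, hits = {}, set()
    for ts, kind, src, _dst, outcome in _by_time(events):
        if kind != "auth":
            continue
        if outcome == "failure":
            last_failure[src] = ts
        elif outcome == "success" and src in last_failure and ts - last_failure[src] <= window:
            hits.add(src)
            del last_failure[src]  # one alert per run of failures
    return sorted(hits)

def deny_burst(events, threshold=400, window=timedelta(minutes=5)):
    """(src, dst) pairs with more than `threshold` firewall denies inside a sliding window."""
    recent, flagged = defaultdict(deque), set()
    for ts, kind, src, dst, outcome in _by_time(events):
        if kind != "fw" or outcome != "deny":
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        if len(q) > threshold:
            flagged.add((src, dst))
    return flagged
```

In a SIEM these rules would run on the normalized event stream; here `failure_then_success(EVENTS)` flags only 10.0.0.5 and `deny_burst(EVENTS)` flags only the 10.0.0.7 to 203.0.113.9 pair.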

 

By leveraging MITRE ATT&CK tactics and techniques, we can determine that a threat actor accessed the network (Initial Access), is attempting to run malicious code (Execution), is trying to gain higher-level permissions (Discovery), is trying to steal data (Exfiltration) and is trying to communicate with compromised systems to control them (Command and Control).

After investigating this incident, a SOC analyst can block the workstation to stop the data exfiltration. These incidents can be remediated through any Security Orchestration, Automation and Response (SOAR) platform; in this case, we used Resilient.

As we adapt to working remotely, there are several tools, such as QRadar, QRadar Advisor with Watson and the MITRE ATT&CK framework, that complement any security strategy. By providing organizations with threat intelligence and letting them visualize their defenses, these tools leave security teams better prepared to detect and respond to intrusions. The MITRE ATT&CK framework helps SOC analysts reduce dwell time, which in turn lowers the cost of security breaches if and when they do occur. Security teams can leverage Artificial Intelligence (AI) to enrich data from their networks and endpoint devices and gain visibility into their organizations’ network traffic. With this visibility, analysts can quickly identify, analyze and remediate attacks in any given situation.

 

Register for the webinar on endpoint security to learn more 

Interested in learning more? Register for the webinar, Endpoint Security for Your Remote Workforce Using AI & MITRE, on August 13 to learn more about protecting endpoints for a geographically dispersed workforce.

