Posts on Security, Cloud, DevOps, Citrix, VMware and others.
Words and views are my own and do not reflect on my companies views.
Disclaimer: some of the links on this site are affiliate links, if you click on them and make a purchase, I make a commission.
This is a guest blog post by Ricardo Antuna, VP of Strategy and Business Development at Stratodesk.
Stratodesk is a key Citrix Ready partner exhibiting at HIMSS23, this year’s most influential healthcare information technology event. We’ll be in booth #674, showcasing our solutions for improving healthcare endpoints.
We are excited to be back at HIMSS as a sponsor and exhibitor in the Citrix Ready Partner Pavilion. We always enjoy networking with IT professionals from various backgrounds and hearing about their successes and new challenges in healthcare.
HIMSS23 brings together 40,000+ professionals throughout the global health ecosystem to build relationships during lively networking events, to learn from experts in hot-topic education sessions, and to discover innovative health tech products to solve their greatest challenges.
This year we will show our joint solution with Citrix and the ground-breaking innovations we’ve made to create smarter and more secure workspaces. Stratodesk provides the premier lean, secure endpoint operating system that gives healthcare professionals easy, fast access to their Citrix Workspace and other virtual/cloud environments.
Together with Citrix, our benefits include:
Scalable and simple endpoint management across multiple devices and locations
Flexible licensing options
Enriched user experience through the integration of critical technologies: SSO (Imprivata ProveID), smartcards, dictation, imaging as well as apps like Cerner, EPIC, and other EMR systems
Citrix and Stratodesk share a common mission — helping healthcare IT enable a secure, managed, and cost-efficient remote workspace.
In healthcare, better user productivity, experience, and security translate into improved patient outcomes. That’s why so many healthcare organizations turn to Citrix and Stratodesk NoTouch OS to better enable their workforce. By deploying Stratodesk NoTouch OS on any endpoint, healthcare IT teams can make their endpoints feel like new, delivering Citrix DaaS to users wherever they are located.
During the live event, held April 17-21 in Chicago, Stratodesk will demonstrate its integrations with Citrix. Explore how we solve common obstacles in healthcare IT. Stratodesk NoTouch OS is the ultimate solution for the clinical endpoint. Together with Citrix, we provide VDI and DaaS solutions that allows healthcare professionals to be more efficient and productive with an improved end-user experience.
Don’t Miss Our Live Demos
During HIMSS23, we will provide these live demos of NoTouch OS technology that integrates with Citrix:
New releases of NoTouch OS and NoTouch Center
The latest integrations with Citrix DaaS
Simplified user login using Imprivata
NoTouch OS running on our endpoint partners’ latest devices including: Dell, HP and LG
Full support for Medical PCs from Cybernet including their popular battery powered CyberMed NB Series
Join Citrix and Stratodesk in person in the Citrix Ready Partner Pavilion at HIMSS23 to see new innovations in healthcare IT. Pick up Stratodesk swag, get a live demo, and get your questions answered. In addition, Stratodesk will host a happy hour with Cybernet on Tuesday, April 18, and Wednesday, April 19, from 4 p.m. to 6 p.m. in Cybernet booth #2412.
We can’t wait to see you in Chicago!
from Citrix Blogs https://bit.ly/42UjY3W
via IFTTT
The advanced persistent threat (APT) actor known as Winter Vivern is now targeting officials in Europe and the U.S. as part of an ongoing cyber espionage campaign.
"TA473 since at least February 2023 has continuously leveraged an unpatched Zimbra vulnerability in publicly facing webmail portals that allows them to gain access to the email mailboxes of government entities in Europe," Proofpoint said in a new report.
The enterprise security firm is tracking the activity under its own moniker TA473 (aka UAC-0114), describing it as an adversarial crew whose operations align with that of Russian and Belarussian geopolitical objectives.
The NATO-related intrusion wave entails the exploitation of CVE-2022-27926 (CVSS score: 6.1), a now-patched medium-severity security flaw in Zimbra Collaboration that could enable unauthenticated attackers to execute arbitrary JavaScript or HTML code.
This also involves employing scanning tools like Acunetix to identify unpatched webmail portals belonging to targeted organizations with the goal of sending phishing email under the guise of benign government agencies.
The messages come with booby-trapped URLs that exploit the cross-site scripting (XSS) flaw in Zimbra to execute custom Base64-encoded JavaScript payloads within the victims' webmail portals to exfiltrate usernames, passwords, and access tokens.
It's worth noting that each JavaScript payload is tailored to the targeted webmail portal, indicating that the threat actor is willing to invest time and resources to reduce the likelihood of detection.
"TA473's persistent approach to vulnerability scanning and exploitation of unpatched vulnerabilities impacting publicly facing webmail portals is a key factor in this actor's success," Proofpoint said.
"The group's focus on sustained reconnaissance and painstaking study of publicly exposed webmail portals to reverse engineer JavaScript capable of stealing usernames, passwords, and CSRF tokens demonstrates its investment in compromising specific targets."
The findings come amid revelations that at least three Russian intelligence agencies, including FSB, GRU (linked to Sandworm), and SVR (linked to APT29), likely use software and hacking tools developed by a Moscow-based IT contractor named NTC Vulkan.
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!
This includes frameworks like Scan (to facilitate large-scale data collection), Amesit (to conduct information operations and manipulate public opinion), and Krystal-2B (to simulate coordinated IO/OT attacks against rail and pipeline control systems).
"Krystal-2B is a training platform that simulates OT attacks against different types of OT environments in coordination with some IO components by leveraging Amesit 'for the purpose of disruption,'" Google-owned Mandiant said.
"The contracted projects from NTC Vulkan provide insight into the investment of Russian intelligence services into developing capabilities to deploy more efficient operations within the beginning of the attack lifecycle, a piece of operations often hidden from our view," the threat intelligence firm said.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/3lZXkGL
via IFTTT
We're excited to present our latest 5.81 monthly release, packed with a multitude of improvements and new features. While our team has been hard at work refining "under the hood" aspects of the platform, we've still managed to deliver a substantial update that enhances your overall experience.
This release showcases our commitment to continuous development and innovation, and we're thrilled to share these updates with you. So, without further ado, let's dive into the enhancements and additions you'll find in Xen Orchestra 5.81!
🐦 VMware migration tool (V2V)
Over the past three months, we have been diligently enhancing our V2V tool to simplify the migration process from VMware to XCP-ng. With this release, our VMware-to-Vates V2V tool has become even more efficient and user-friendly!
Multi VM import
We are excited to introduce the ability to import multiple VMs simultaneously (either in parallel or sequentially) using our V2V web interface. You'll have access to a list of each VM to transfer, including its name, description, and settings. In other words, you can initiate a large batch transfer and then sit back and enjoy your coffee! This feature is fully compatible with our unique warm migration system, minimizing downtime to just a few minutes per VM.
☝️
We also provided various options to help you on the automation side of things: you can stop if there's one error for one VM, or decide to only report errors in the end. Finally, you can also decide how many VMs in parallel you want to import!
Better error handling
We have now a better error message when importing a VM is failing. We covered 2 extra cases:
if the *.vmx file missing on the VMware side
if we don't support warm migration because of the VMware version (6.5+), giving you also the solution to do a normal conversion (consolidate and having the VM halted)
💾 Improved backup
This release brings a multitude of enhancements to XO backups. We've introduced the ability to set a transfer speed limit, making the platform more aligned with your infrastructure requirements. Additionally, we've expanded the use of NBD to accelerate backups, irrespective of whether a "block-based" system is being utilized or not. Overall, these improvements significantly boost the performance, flexibility and reliability of our platform.
Backup Transfer Rate Control
When configuring your backup job, you now have the option to set a speed limit for the entire process. XO will enforce the maximum speed you specify, irrespective of the number of hosts, disks, and VMs involved. If no speed limit is provided, the platform will continue to operate as before, with no restrictions on the transfer speed.
☝️
The speed limit is applied to the data transferred to Xen Orchestra, rather than when it's pushed to your backup repository. For instance, if you set a maximum speed of 10 MiB/s for your job, the "input" traffic for that job will never exceed this limit. However, if you have three backup repositories for the same job, the data might be sent at a combined rate of up to 3x 10 MiB/s!
Faster backups
In our quest of faster backups, we started, few months ago, to enable NBD-capable backups. You can read more about our initial work in this blog post:
We managed to add NBD "lower" in the stack, meaning that any disk export, regardless its origin (VHD, VMDK, OVA, Continuous Replication), will be exported via NBD if it's possible. Also, it works now even if you rely on existing VHD file storage, not only for "Block mode". In other words: faster backups for everyone!
There's only one downside: right now, the export task doesn't work for VBD, so it will be up to Xen Orchestra to compute the progress and "feed" XAPI with the progress. This will come in a next release!
You can see if your backup is using NBD for the transfer inside the backup log:
More checks on the VHD stream
We have enhanced XO's backup feature by introducing a more efficient method for identifying the root cause of incomplete backups. Although we previously detected these issues, our latest update provides a more comprehensive approach to troubleshooting.
Now, we cross-check the anticipated size of a VHD file with the actual size read from the XAPI and the size written on the remote. This enables us to determine whether any errors occurred during the transfer process, either when pulling data from the host or pushing it to a remote location.
Additionally, our new feature offers more precise error reporting, as it identifies the specific size transferred before a failure. This allows us to pinpoint unique cases, such as issues occurring during metadata or block transfers, or at the end of the data stream.
This update effectively replaces the previous error message footer1 !== footer2, offering a more streamlined and accurate diagnostic tool for our users.
Improved S3 Compatibility
Originally, we developed S3 backup functionality with a focus on AWS S3. As more users started utilizing alternative providers, we received valuable feedback that allowed us to eliminate certain AWS S3-specific checks, enhancing our compatibility with other providers.
📡 REST API
We added 2 endpoints for the REST API, mostly linked to the backup jobs and logs. You can list all the enpoints with a simple GET on the API URL, eg https://myxoa.example.org/rest/v0. The new ones are:
[
"/rest/v0/backups",
"/rest/v0/restore"
]
You can see everything related to the backup by also fetching the endpoint "backup", eg https://myxoa.example.org/rest/v0/backups
Backup logs
You can now list all the backup logs on https://myxoa.example.org/rest/v0/backups/logs. Example:
You can also check backup restore logs! Like our previous example, with https://myxoa.example.org/rest/v0/restore/logs. Same principle, you'll have a list of unique restore job, and you can pick one to get all the details:
You can also list your current backup jobs at any time on the https://myxoa.example.org/rest/v0/backup/jobs endpoint. It will list all the jobs, and then you can request one specifically to get all the details:
We are releasing various qualify of life improvements for XO 5.
Enhanced Network Configuration
When creating a network, you can choose a physical network card, known as a PIF in XAPI terminology. However, if multiple VLANs are associated with the same PIF, the selection menu wouldn't display this information, leading to a confusing list of seemingly identical NICs without their corresponding VLANs.
We have now resolved this issue by displaying the PIF VLAN alongside the network card. For example, for eth2, you will now see the associated VLAN clearly displayed, making network configuration more intuitive and user-friendly:
Grouping icons on pool and host view
Xen Orchestra is providing more and more information for each host or pool: NTP out of sync, updates available among many other things. It's now grouped into one icon, providing the details when clicked.
For example, on an old XenServer version, it was like a christmas tree:
Now, it's a lot better:
Better experience for supported hosts
Previously, we only displayed if you had XCP-ng Pro support at the pool level. However, it wasn't clear when browing on the host view. Now, have a clear information about the support status for a specific host:
OIDC improvements
Our feature released last month is already improved on two aspects:
the plugin will use the standard well-known suffix for auto-discovery
email field is now supported as username
Add Suse icon for all their distros
Sometimes, we endure the joy of marketing from some software companies. Especially when you want to match the distro name with its icon. Suse is probably the "best" for that. Let's take a look on how we match the Ubuntu icon from the tools: ubuntu: ['ubuntu']. Easy right? Now for Suse, every year there's another name to add… See for yourself:
While I cannot predict the future naming decisions of SUSE, I can provide a playful suggestion based on their naming pattern. The next name could be something like "OpenSuse Nano OS" or "OpenSuse Quantum OS," emphasizing the notion of a compact, lightweight, and efficient operating system.
Get ready for Nano OS then…
🔭 XO Lite
Despite a lot of our work is mostly done "behind the scene" (see below), we managed to get new features in XO Lite for this release.
Also, don't miss our previous article on the way we are building our XO Lite components!
In the Pool/VMs view, you can now create filters and/or sort your VMs. It's still a work in progress, but it's already a very powerful tool, that we will likely re-use on XO 6.
See the "+ Add filter" and "+ Add sort" buttonsFirst step for your filter, selecting the property and some extra conditionsCurrent condition are name, description and power status. More to come!
The filter is now visible:
You can obviously combine multiple filters
If you click on it, it's easy to update it:
Sort is very similar: you can sort per name, description and power status. To revert between ascending and descending, you just have to click on the created sort:
☝️
You can already experiment those features yourself, see this thread for deploying XO Lite on your host.
Enhanced Console Response Time
We've made significant improvements to the console response time after a VM reboot, ensuring you won't miss the Grub menu or the virtual BIOS/UEFI during the boot process. This enhancement proves valuable in various situations, and although it may not sound remarkable, the results genuinely contribute to more efficient VM management!
Multiple pages and modals improved
We've made numerous enhancements across multiple pages and modals in our ongoing effort to provide an exceptional user experience. Although some elements are still missing in the current interface, these improvements aim to address key areas. Here are some examples:
We added more info on the XCP-ng version from the "About" pageIf you lose the connection with the host, it's not correctly handledMissing sections are clearly a work in progress instead of being empty
CPU provisioning
You can now track the total number of vCPUs in use across your pool, compared to the available number of cores. This feature provides a clearer understanding of your resource utilization:
Available updates
You can now see the available updates from XO Lite:
☄️ Improved deploy script
If you don't want to use our web deploy form, you can -as an alternative- our deploy script in Bash. We updated it to be more user friendly, with more detailed steps and also some friendly emojis 😜
🚀 Other stuff to check out
Don't forget to catch up on some cool articles from the XCP-ng and Vates blog. Here are a few highlights:
In conclusion, we're delighted with the progress and updates in the Xen Orchestra 5.81 release, and we believe you'll appreciate the enhancements as well. As we look forward to our April release, we're excited to share that it will be even more impressive, with further advancements and news about our Project Pyrgos, which focuses on Kubernetes integration. Stay tuned for more details, and as always, thank you for your continued support and enthusiasm for Xen Orchestra!
from Xen Orchestra https://bit.ly/40upzMQ
via IFTTT
The Cyber Police of Ukraine, in collaboration with law enforcement officials from Czechia, has arrested several members of a cybercriminal gang that set up phishing sites to target European users.
Two of the apprehended affiliates are believed to be organizers, with 10 others detained in other territories across the European Union.
The suspects are alleged to have created more than 100 phishing portals aimed at users in France, Spain, Poland, Czechia, Portugal, and other nations in the region.
These websites masqueraded as online portals offering heavily discounted products below market prices to lure unsuspecting users into placing fake "orders."
In reality, the financial information entered on those websites to complete the payments were used to siphon money from the victims' accounts.
"For the fraudulent scheme, the participants also created two call centers, in Vinnytsia and in Lviv, and involved operators in their work," the Cyber Police said. "Their role was to convince customers to make purchases."
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!
The nefarious scheme is estimated to have duped over 1,000 individuals, earning the operators approximately $4.33 million in illicit profits.
As part of the probe, law enforcement authorities carried out over 30 searches and confiscated mobile phones, SIM cards, and computer equipment used to carry out the activities.
Criminal proceedings have been initiated against the perpetrators, who may face a maximum sentence of up to 12 years in prison.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/3K2PzaU
via IFTTT
Organizations rely on Incident response to ensure they are immediately aware of security incidents, allowing for quick action to minimize damage. They also aim to avoid follow on attacks or future related incidents.
The SANS Institute provides research and education on information security. In the upcoming webinar, we'll outline, in detail, six components of a SANS incident response plan, including elements such as preparation, identification, containment, and eradication.
The 6 steps of a complete IR
Preparation: This is the first phase and involves reviewing existing security measures and policies; performing risk assessments to find potential vulnerabilities; and establishing a communication plan that lays out protocols and alerts staff to potential security risks. During the holidays, the preparation stage of your IR plan is crucial as it gives you the opportunity to communicate holiday-specific threats and put the wheels in motion to address such threats as they are identified.
Identification: The identification stage is when an incident has been identified – either one that has occurred or is currently in progress. This can happen a number of ways: by an in-house team, a third-party consultant or managed service provider, or, worst case scenario, because the incident has resulted in a data breach or infiltration of your network. Because so many holiday cybersecurity hacks involve end-user credentials, it is worth dialing up safety mechanisms that monitor how your networks are being accessed.
Containment: The goal of the containment stage is to minimize damage done by a security incident. This step varies depending on the incident and can include protocols such as isolating a device, disabling email accounts, or disconnecting vulnerable systems from the main network. Because containment actions often have severe business implications, it is imperative that both short-term and long-term decisions are determined ahead of time so there is no last minute scrambling to address the security issue.
Eradication: Once you've contained the security incident, the next step is to make sure the threat has been completely removed. This may also involve investigative measures to find out who, what, when, where and why the incident occurred. Eradication may involve disk cleaning procedures, restoring systems to a clean backup version, or full disk reimaging. The eradication stage may also include deleting malicious files, modifying registry keys, and possibly re-installing operating systems.
Recovery: The recovery stage is the light at the end of the tunnel, allowing your organization to return to business as usual. Same as containment, recovery protocols are best established beforehand so appropriate measures are taken to ensure systems are safe.
Lessons learned: During the lessons learned phase, you will need to document what happened and note how your IR strategy worked at each step. This is a key time to consider details like how long it took to detect and contain the incident. Were there any signs of lingering malware or compromised systems post-eradication? Was it a scam connected to a holiday hacker scheme? And if so, what can you do to prevent it next year?
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!
Incorporating best practices into your IR strategy is one thing. But building and then implementing these best practices is easier said than done when you don't have the time or resources.
Leaders of smaller security teams face additional challenges triggered by these lack of resources. Bare-bones budgets compounded by not having enough staff to manage security operations is leaving many lean security teams feeling resigned to the idea that they will not be able to keep their organization safe from the all too common onslaught of attacks. Fortunately, there are resources for security teams in this exact predicament. Cynet Incident Response Services offers a unique combination of Cynet's security experience together with proprietary technology enables fast and accurate incident response.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/40Na5TK
via IFTTT
Enterprise communications software maker 3CX on Thursday confirmed that multiple versions of its desktop app for Windows and macOS are affected by a supply chain attack.
The version numbers include 18.12.407 and 18.12.416 for Windows and 18.11.1213, 18.12.402, 18.12.407, and 18.12.416 for macOS.
The company said it's engaging the services of Google-owned Mandiant to review the incident. In the interim, it's urging its customers of self-hosted and on-premise versions of the software to update to version 18.12.422.
"3CX Hosted and StartUP users do not need to update their servers as we will be updating them over the night automatically," 3CX CEO Nick Galea said in a post on Thursday. "Servers will be restarted and the new Electron App MSI/DMG will be installed on the server."
Evidence available so far points to either a compromise of 3CX's software build pipeline to distribute Windows and macOS versions of the app package, or alternatively, the poisoning of an upstream dependency. The scale of the attack is currently unknown.
The earliest period of potentially malicious activity is said to have been detected on or around March 22, 2023, according to a post on the 3CX forum, although preparations for the campaign are said to have commenced no later than February 2022.
3CX said the initial alert flagging a potential security problem in its app last week was treated as a "false positive" owing to the fact that none of the antivirus engines on VirusTotal labeled it as suspicious or malware.
The Windows version of the attack leveraged a technique called DLL side-loading to load a rogue library referred to as "ffmpeg.dll" that's designed to read encrypted shellcode from another DLL called "d3dcompiler_47.dll."
This involved accessing a GitHub repository to retrieve an ICO file containing URLs hosting the final-stage payload, an information stealer (dubbed ICONIC Stealer or SUDDENICON) capable of harvesting system information and sensitive data stored in web browsers.
"The choice of these two DLLs – ffmpeg and d3dcompiler_47 – by the threat actors behind this attack was no accident," ReversingLabs security researcher Karlo Zanki said.
"The target in question, 3CXDesktopApp, is built on the Electron open source framework. Both of the libraries in question usually ship with the Electron runtime and, therefore, are unlikely to raise suspicion within customer environments."
SUDDENICON downloading a new executable
The macOS attack chain, in the same vein, bypassed Apple's notarization checks to download an unknown payload from a command-and-control (C2) server that's currently unresponsive.
"The macOS version does not use GitHub to retrieve its C2 server," Volexity said, which is tracking the activity under the cluster UTA0040. "Instead, a list of C2 servers is stored in the file encoded with a single byte XOR key, 0x7A."
THN WEBINAR
Become an Incident Response Pro!
Unlock the secrets to bulletproof incident response – Master the 6-Phase process with Asaf Perlman, Cynet's IR Leader!
Cybersecurity firm CrowdStrike, in an advisory of its own, has attributed the attack with high confidence to Labyrinth Chollima (aka Nickel Academy), a North Korea-aligned state-sponsored actor.
"The activity, which targets many organizations across a broad range of verticals without any obvious patterns, has been attributed to Labyrinth Chollima based on observed network infrastructure uniquely associated with that adversary, similar installation techniques, and a reused RC4 key," Adam Meyers, senior vice president of intelligence at CrowdStrike, told The Hacker News.
"The trojanized 3CX applications invoke a variant of ArcfeedLoader, malware uniquely attributed to Labyrinth Chollima."
Labyrinth Chollima, per the Texas-based company, is a subset of the Lazarus Group, which also constitutes Silent Chollima (aka Andariel or Nickel Hyatt) and Stardust Chollima (aka BlueNoroff or Nickel Gladstone).
The group "has been active at least since 2009 and typically tries to generate revenue by targeting crypto and financial organizations," Meyers said, adding it's "likely affiliated with Bureau 121 of the DPRK's Reconnaissance General Bureau (RGB) and primarily conducts espionage operations and revenue generation schemes."
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
from The Hacker News https://bit.ly/40Mqwjc
via IFTTT
Ask any security operations analyst about their biggest frustrations, and alert fatigue will be among them. They constantly struggle to identify the serious threat indicators while ignoring the false positives. Scientists and engineers have a name for this balance between useful and irrelevant data. It's called the signal-to-noise ratio.
The signal is the important data, while the noise is everything else; the white noise that gets in the way. When the signal-to-noise ratio is too low, the noise drowns out what's important. Experts from radio operators to genome scientists grapple with these issues in some form.
Improving the signal-to-noise ratio is also a problem for modern IR teams who face information overload. They are swamped with rising levels of network event data. They have trouble sifting through it all to find the real threats. Sometimes they fail, with potentially disastrous consequences.
Too Much Data, Too Few Resources
The problem facing SOCs is twofold. The first issue is data volume. There's a lot of it. Modern networks are information firehoses, churning out rivers of data. Every year, better network telemetry increases that volume. The result is a surplus of alerts, which we can call 'candidate signals'. These are interesting data points that might warrant further investigation.
This is compounded by the second problem: resource scarcity. SOCs continually struggle to find enough talent to cope with the flood of data from increasingly complex infrastructures. Without those manual skills, many find themselves overburdened and unable to get the intelligence they need from the data that's coming in.
The natural reaction to not having enough of a signal is to add more data. For many SOCs, this means buying more tools and telemetry, typically in the form of endpoint detection and response (EDR) or endpoint protection platform (EPP) products.
This is the wrong approach. Many SOCs incident response platforms are already disjointed, comprising tools from different vendors, acquired over time, that don't play well together. This makes it difficult to get an end-to-end view of the incident response process, and in most cases also stops operators handing off interesting telemetry investigations to each other.
Adding to these platforms might create more relevant signals, but it won't help SOCs to spot them. It will do the opposite, creating more noise that drowns those signals out. Any attempt to fix the SOC by generating more data amplifies the underlying problem.
If the signal-to-noise ratio remains low, then the growth in network telemetry becomes a greater source of risk. Poor candidate signal filtering leaves operators unsure where to begin and blinds them to real, time-critical attacks. The results can be catastrophic.
The Answer to Alert Fatigue
SOCs can't dig themselves out of this hole by generating more data. Instead, they must address the underlying problem. They must find better ways to spot the right signals in the data they already have. To do that, they must alter the signal-to-noise ratio.
In practice, this means reducing the number of candidate signals. SOCs must present SOC analysts with fewer alerts so that they can focus their attention on what really matters.
The key to increasing the signal-to-noise ratio is a tightly integrated end-to-end tool chain. This is a set of tools that work together seamlessly with little overlap, and all able to exchange data with each other smoothly throughout the entire cycle of detection, containment, mitigation, cleanup, and post-incident analysis.
Cloud Funnel by SentinelOne
Aggregated Endpoint Telemetry in Your Data Lake. Retain Your Data Locally. Correlate With Other Data Sources. Automate SOAR Workflows.
This approach helps in several ways. First, it reduces the noise from different tools that would otherwise overlap with each other. This eliminates the shadow signals that can distract busy operators.
It also combines events and alerts into incidents, which are larger, more visible data elements that are easier to track. This gives analysts a top-down view of candidate signals without having to trawl through low-level events and correlate them manually.
Finally, it enables SOCs to better automate the detection, analysis, and reporting of incidents. This automation is a key part of the event correlation process.
A well-formed tool chain detects candidate signals early, developing them through several stages of analysis. This allows the SOC to either confirm and escalate candidate signals or dismiss them quickly if they are found to be benign. This helps to automatically mitigating many incidents without having to alert human operators, leaving them to focus on those alerts that need their attention.
Easing the SOC's Burden With Contextualized Data
SOCs that invest in tool chain integration will enjoy a smaller, refined set of alerts that come with the appropriate, contextualized data, ready for human operators to deal with efficiently.
This higher signal-to-noise ratio will show up on analyst screens, reducing their cognitive load. It will mean fewer investigation numbers and reduced investigation times. This will lead to better outcomes for SOCs in the form of shorter containment times and an overall reduction in response times. Ideally, this will prevent attackers from getting close to your infrastructure, but in the event of a successful compromise, it can also reduce attacker dwell time, mitigating the effect of the attack.
When it comes to handling fast-moving cybersecurity incidents, the sharper focus that comes from a less cluttered data environment can be the difference between containing an incident before it does any damage, and making the next week's headlines for all the wrong reasons.
Rapid Threat Hunting with Storylines
Time always seems to be on the attacker's side, but security analysts can get ahead by hunting threats faster than ever before.
This optimisation process should begin as early as possible in the incident response process. The longer that the SOC allows less relevant candidate signals to linger, the more they will proliferate and the more difficult it will be to discern what's important. Triaging candidate signals as soon as possible frees up analysts to apply their skills to the signals that matter. In an industry where talent is hard to come by, it's imperative to keep those analysts as productive as possible.
With that in mind, now is the time to support these goals by revising your process chain to look for improvement opportunities. Take a beat and step back to examine your overall tool set and your team structure. At some point, you might find that generating more telemetry yields results, but only if you have the capabilities to weed out the noise quickly. In the meantime, less is more.
If you'd like to learn more about how the SentinelOne Singuarlity platform can help your organization achieve these goals, contact us for more information or request a free demo.
Finally! The long-awaited 2020 ATT&CK evaluation results published. And along with it, almost every participating vendor's interpretation of the results and how they excelled in the evaluation. As you read the industry's commentary on the results, keep an eye out for contrived and/or creatively adjusted metrics. Below you will find a data-first approach to understanding our performance.
The benefit of MITRE Engenuity ATT&CK is that testing data is open and publicly accessible. In an effort to be transparent with our results, in this post, we will only talk about the numbers and metrics published by MITRE Engenuity – so that you can validate the information for yourself and separate fact from fiction. No number fudging, no creative invention.
SentinelOne's MITRE Results
Here is a screenshot of SentinelOne evaluations from MITRE Engenuity; you will see that SentinelOne had:
100% Visibility – 174 of 174 steps
Highest Analytic Coverage – 159 of 174 steps
Zero Delayed Modifiers
Zero Config Change Modifiers
Source: MITRE Engenuity
Read on to understand how the above metrics are critical for an effective security posture.
The latest ATT&CK results were released Tuesday, April 20, 2021. While the Round 1 ATT&CK Evaluation (the first year of testing) was based on APT3 (Gothic Panda), and the Round 2 ATT&CK Evaluation focused on TTPs associated with APT29 (Cozy Bear), this year's evaluation focuses on emulating financial threat groups. Testing day 1 simulates the Carbanak adversary group's attack methodology. Their objective? Breach the HR Manager, quietly move about the network, identify payment data, and exfiltrate it. It involves 4 Windows computers and a Linux server and consists of 96 techniques in 10 steps. See the Carbanak emulation.
Testing day 2 simulates the FIN7 adversary group. Similarly, their objective is to steal financial data. This simulation involves five computers and 78 techniques in 10 steps.
2020 MITRE Engenuity ATT&CK Evaluations
Join our webinar to learn about SentinelOne's record-breaking results.
1. SentinelOne is the ONLY vendor to deliver 100% visibility with ZERO missed detections across all tested operating systems – Windows & Linux.
The foundation of a superior EDR solution is its ability to consume pertinent SecOps data at scale across a variety of OSes and cloud workloads while missing nothing in the process. With the increased sophistication and frequency of today's attacks, depth and breadth of visibility are fundamental capabilities that an EDR solution should deliver. Having no gaps in visibility means no blind spots, significantly reducing the attacker's ability to operate undetected.
Complete in-depth visibility is table stakes for any worthy EDR solution. No visibility, no breach protection!
As the ATT&CK evaluation data shows, SentinelOne had ZERO misses in this round. We detected 100% of attacks over Windows devices as well as Linux servers.
Detection Quality Separates the Wheat from the Chaff
2. SentinelOne delivered the MOST high-quality analytic detections to provide automated instant insight into adversary actions.
Analytics Detection Coverage (a count of any non-telemetry detection) rather than Detection Counts should be a factor to consider when deciding on the best EDR solution. Having a high number of general, tactic, or technique detections leads to higher quality detections because this ensures fewer attacks are missed. Having access to high-fidelity, high-quality detections gives enterprises more time to investigate events rather than searching through a sea of data that may be predominantly false positives.
In the ATT&CK evaluation, "Techniques" and "Tactics" are the key measures of data precision.
Technique: The epitome of relevant and actionable data – fully contextualized data points that tell a story, indicating what happened, why it happened, and crucially, how it happened.
Tactic: The next level down in the hierarchy, representing categories of techniques that tell us the actor's steps in achieving their ultimate goals (persistence, data egress, evasions, etc.) In short, the 'what' and the 'why.'
These two detection classifications are the core of the MITRE ATT&CK framework and are of the highest value in creating context. According to MITRE Engenuity's published results, out of all participants in this evaluation, SentinelOne recorded the highest number of analytic detections.
Detection Delays are Deadly
3. SentinelOne experienced zero delayed detections, making EDR real-time.
Time is a critical factor whether you're detecting an attack or neutralizing it.
A delayed detection, according to MITRE Engenuity, is not immediately available to the analyst; it may come in minutes or hours after the adversary has performed the malicious activity.
A delayed detection during the evaluation often means that an EDR solution required a human analyst to manually confirm suspicious activity due to the inability of the solution to do so on its own. The solution typically needs to send data to the analyst team or third-party services such as sandboxes, which in turn analyzes the data and alerts the customer, if required. However, many critical parts of this process are done manually, resulting in a window of opportunity for the adversary to do real damage.
Adversaries operating at high speed must be countered with machine speed automation that's not subject to the inherent slowness of humans.
As the ATT&CK evaluation data shows, SentinelOne had zero delayed detections in this evaluation.
4. SentinelOne required zero configuration changes, making EDR effortless.
According to MITRE Engenuity, Config change refers to any detection that was made possible only because the vendor changed the initial configuration.
However, in a real-world scenario, SOC operators do not have time to customize settings, especially during an ongoing attack. Constantly tuning, fine-tuning, and adjusting a product means the battle is lost before it starts. In reality, SOC operators wouldn't even know what changes to make. Without an alert, they would not know what to look for to drive the configuration change.
Technology-powered solutions should work at an enterprise-scale right out of the box to realize immediate time-to-value. SentinelOne Enterprise-Grade EDR deploys in seconds and works at total capacity instantly, as shown by the MITRE Engenuity evaluation data.
Storyline Automatically Connects the Dots
5. SentinelOne produced one console alert per targeted device.
Ask any SOC Operator about their biggest frustrations, and alert fatigue will be high among them. They constantly struggle to identify the serious threat indicators while wading through false positives. Rather than getting alerted on every piece of telemetry within an incident and fatiguing the already-burdened SOC team, an EDR solution should eliminate the noise before it reaches you by automatically grouping individual data points into combined alerts.
Consolidating hundreds of data points across a 48-hour advanced campaign, SentinelOne correlated and crystallized the attack into one complete story, represented as a single alert per target machine. SentinelOne provides instant insights within seconds rather than having analysts spend hours, days, or weeks correlating logs and linking events manually.
SentinelOne reduces the amount of manual effort needed, helps with alert fatigue, and significantly lowers the skillset barrier of benefiting from EDR.
What the Results Mean for You
As a security leader, it's important that you look at how you can improve your security posture and reduce risk while reducing the burden on your security team. While evaluating, look for an EDR solution that:
Provides complete visibility without any blind spots
Automatically correlates detections instead of relying on humans to interpret and manually stitch the data
Defeats adversaries in real-time
Works out-of-the-box as expected without needing continuous tune-ups
Includes granular remediation capabilities for automated cleanup and recovery
SentinelOne's exceptional performance in 2020 ATT&CK evaluations once again prove that purpose-built, future-thinking solutions deliver the in-depth visibility, automation, and speed that the modern SOC needs to combat adversaries. As evidenced by the results data, SentinelOne excels at visibility and detection, and even more importantly, in the autonomous mapping and correlating of data into fully indexed and correlated stories through Storyline technology. This technology advantage sets us apart from every other vendor on the market.
