Stories from the SOC  – The case for human response actions


Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

As we move toward more automation, we should keep in mind the risk of over-automating, or at least make a conscious decision to accept that risk. This is especially important when automating response actions, which left unchecked could wreak havoc on day-to-day business operations.

Investigation

The alarm

One evening after normal business hours, an alarm came in indicating that a software package attempting to execute on a server had been auto-mitigated by SentinelOne. The software package was behaving in a way that was interpreted as an attempt to evade detection by the SentinelOne agent, and it was therefore rated "Malicious" by SentinelOne's AI logic. Since the server on which the software package was attempting to execute had a "Protect" policy applied, the auto-mitigation steps for a dynamically detected "Malicious" rating included killing and quarantining the process.

A "policy" setting in SentinelOne is the defined level of automated response activity the endpoint detection and response (EDR) tool has permission to perform for each grouping of assets. Whereas a "Detect" policy will create an alert that can be handled with post-investigation response actions, a policy setting of "Protect" will take automated response actions. The intrusiveness of those automated response actions can be customized, but all of them perform an automated action with no person looking at the situation first.

The image below shows an alarm for malware that turned out to be process automation software

[Image: SentinelOne alarm]

but that was still auto-mitigated (process killed) by SentinelOne, as shown in the log excerpt below.

[Image: automated mitigation log excerpt]

The business impact

The next morning, with business hours back in full swing, the customer reached out to us concerned about the effects of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server for the prior several months, since the server came under SOC monitoring.

The customer questioned why, after several months with the SentinelOne agent running on the server, the agent suddenly decided the software package was malicious. We were not able to answer that question specifically, since the decision-making behind identifying and rating a process as "Malicious" versus "Suspicious" or benign is proprietary logic.

What we could state is that any EDR solution worth its price will continually update its indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is also pre-execution behavior analysis that allows a process to be terminated before it executes. And of course, any software package run on a server is itself subject to updates for security, efficiency, or product feature upgrades.

Taken as a whole, this means any protected endpoint is a very dynamic battleground, with the potential for an updated software package that did not trigger IOC rules yesterday to trigger them today. Or a software package that has not been updated may suddenly be identified as potentially malicious because of updated machine-learning behavior analysis. Remember when JNDI calls were considered benign?

Lessons learned

Just as we learn that the CIA security triad is a balancing act between confidentiality, integrity and availability, there is a balance to be struck between using fast automated response actions and the slower reasoning of human evaluation prior to response actions. An EDR solution will immediately and infallibly carry out the policy it has been programmed to enforce, but in a ruthless fashion. A human evaluation will take longer, but it can take into account prior history, the validity of the triggering IOCs in context, and the nuances of how choosing one response action over another might impact the overall business.

Automation, machine learning, artificial intelligence, and the like have their place. Their benefits will no doubt increase as the technology develops. But the human element will always be necessary. The MXDR SOC and our customers (being the humans that we are) must work together to define the critical assets and business processes that should never be touched by automated intervention. We must also work together to find the areas in your environment where those swift and ruthless automated response actions are an advantage. And it is a very human decision to conclude how much risk we can tolerate in each implementation.
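The policy model described in the investigation ("Detect" alerts only, "Protect" auto-mitigates) and the criteria a human evaluation weighs in the lessons above (prior history, business criticality) can be expressed as a gate that sits in front of the kill-and-quarantine step. The following is an added example and is not code from the original post, from SentinelOne, or from the MXDR SOC; the host names, process paths, history records, and the 30-day / 20-execution thresholds are constructed assumptions used only to illustrate the gating logic.

```python
"""Response gate for EDR detections (hypothetical, added example).

Routes a detection to one of three outcomes:
  alert_only          - host group is under a Detect policy, never auto-mitigate
  human_review        - Protect policy, but an analyst should look first
  kill_and_quarantine - Protect policy, no reason to hold the automated action
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Detection:
    host: str
    process_path: str
    confidence: str   # EDR verdict as reported: "Malicious" or "Suspicious"
    policy: str       # policy applied to the host's asset group: "Detect" or "Protect"


@dataclass(frozen=True)
class ProcessHistory:
    first_seen: datetime   # first execution of this process observed on this host
    executions: int        # executions observed since first_seen


def _norm(path: str) -> str:
    """Case-fold and unify separators so Windows paths compare reliably."""
    return path.casefold().replace("/", "\\")


def decide(det: Detection,
           history: Dict[Tuple[str, str], ProcessHistory],
           critical: Dict[str, Set[str]],
           now: datetime,
           min_days: int = 30,
           min_runs: int = 20) -> str:
    """Return the response action for one detection.

    critical maps host -> set of process paths the customer has declared
    business-critical; those are never auto-mitigated. A process that has run
    on the host for at least min_days and min_runs times is treated as
    established and held for review rather than killed on a fresh verdict.
    """
    if det.policy == "Detect":
        return "alert_only"
    if det.policy != "Protect":
        raise ValueError(f"unknown policy {det.policy!r}")

    path = _norm(det.process_path)
    if path in {_norm(p) for p in critical.get(det.host, set())}:
        return "human_review"          # declared critical: analyst decides
    if det.confidence != "Malicious":
        return "human_review"          # only the Malicious tier is eligible for auto-kill

    seen: Optional[ProcessHistory] = history.get((det.host, path))
    if seen and seen.executions >= min_runs and now - seen.first_seen >= timedelta(days=min_days):
        return "human_review"          # long-established on this host: verdict changed, process did not
    return "kill_and_quarantine"


def run_demo() -> Dict[str, str]:
    """Constructed scenarios, including the one from the investigation above."""
    now = datetime(2022, 6, 1, 19, 30)  # constructed evening timestamp
    automation = r"C:\Program Files\Acme Automation\runner.exe"   # hypothetical process name
    critical = {"srv-app-01": {automation}}                        # hypothetical allow-list
    history = {
        ("srv-app-01", _norm(automation)): ProcessHistory(datetime(2022, 1, 15), 400),
        ("srv-app-02", _norm(automation)): ProcessHistory(datetime(2022, 1, 15), 400),
        ("srv-app-02", _norm(r"C:\Users\Public\update.exe")): ProcessHistory(now - timedelta(hours=1), 1),
    }
    cases = {
        # the page's case: months of history, declared critical, rated Malicious under Protect
        "critical_automation": Detection("srv-app-01", automation, "Malicious", "Protect"),
        # same software on a host where nobody declared it critical; history alone holds it
        "established_automation": Detection("srv-app-02", automation, "Malicious", "Protect"),
        # a binary first seen an hour ago, rated Malicious under Protect
        "fresh_binary": Detection("srv-app-02", r"C:\Users\Public\update.exe", "Malicious", "Protect"),
        # Suspicious tier never auto-mitigates
        "suspicious_only": Detection("srv-app-02", r"C:\Users\Public\update.exe", "Suspicious", "Protect"),
        # Detect-policy group: alert, no action
        "detect_group": Detection("ws-lab-07", r"C:\Users\Public\update.exe", "Malicious", "Detect"),
    }
    return {name: decide(det, history, critical, now) for name, det in cases.items()}


if __name__ == "__main__":
    for name, action in run_demo().items():
        print(f"{name:24} -> {action}")
```

The thresholds and allow-list are the human part of the policy: they are agreed between the SOC and the customer ahead of time, so the gate encodes the prior-history and business-impact judgment that the EDR's own "Protect" policy does not make. Anything the gate routes to human review still gets the alert; what changes is that the kill waits for a person.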
