Cyber Crucible’s data extortion prevention software is, strictly speaking, a Windows kernel driver and a Windows service. The software communicates with our remote servers for ingestion (mostly using REST). Upon ingestion to the Cyber Crucible servers (whether a Kubernetes-based end user deployment or our cloud presence), multiple data sources are combined to provide additional capabilities to advanced security users.

Locally on the machine (the endpoint), behavioral analytics are used to Discover data extortion attack behaviors and Respond by suspending the associated programs. The use of cloud analytics to provide additional data would, by the definition used by the marketers of XDR (eXtended Discovery Response) products, mean that Cyber Crucible is an XDR product.

So, what’s the answer, then?
The team is OK with Cyber Crucible being called an EDR for extortion defense, due to its edge computing, even though that is seen as “last generation” in some circles. The reason is that the X in XDR represents an evolution of the endpoint tool strategy already in place in EDRs, in that analytical computing power has been moved to remote servers (usually in a cloud of some type). With that additional power come two drawbacks: latency and fragility. Neither are

Remote Analytic Latency as a Liability

Extortion criminals first focused on the speed of their attack, turning that latency into a liability. This is expressed during attacks in a couple of ways. The first is that the attackers sped up their efficiency to ensure that irreversible attack actions were completed before the analytic server could respond. We saw that a great deal on tightly scoped tasks, such as credential theft: the credentials are gone (to the attacker’s server) in a flash.

It is really important to note here that we are discussing detection and responses which, by their nature, wait for the attack to be underway. A non-cybersecurity analogy would be detecting bank robbers outside the bank and locking the door, versus the bank relying on taking action before the robbers can steal too much money or, with extortion, take too many hostages.

Longer running tasks like encryption required a combination of speed with two other tactics: parallel and distributed computing. The attackers realized that running multiple extortion programs on a system meant that any endpoint security tool had to inspect the behavior of each process. So, if 5000 files can be accessed on the network at one time in parallel on a system, instead of 500 with one program, that is much better for the attacker.

The extortionists do not have just 10, 25, or 50 malware programs running on one machine. They leveraged distributed computing methods to have the extortion run on many machines at the same time. The most Cyber Crucible has seen at once was around 75 machines. Now any type of security tool has to inspect 50 programs across 75 machines, so 3,750 programs. That in itself is not a challenge for cloud computing, but remember that each program is, in the meantime, encrypting up to thousands of files per second.

As if this isn’t bad enough, some attackers began implementing a chess-like strategy in which the extortion tools were monitored and controlled locally by a parent “commander”. This commander would re-spawn extortion tools if they were killed.
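The three tactics above (many parallel workers, each touching files at a high rate, with a parent that re-spawns killed workers) are what an endpoint-only behavioral detector has to score without waiting on a remote analytic server. The following is an added example written for this page, not Cyber Crucible’s code; the event records, process names, thresholds and the "commander" label are all constructed for illustration. It runs a sliding-window file-write rate check per process and a respawn check per (parent, image) pair over a constructed telemetry stream, and suspends the parent together with its surviving children so that a freshly re-spawned worker is stopped before it writes anything.

```python
from collections import defaultdict, deque

# Constructed sample telemetry, not real product output. Each record is
# (time_s, kind, pid, ppid, image, path) with kind "start", "write" or "exit".
def build_sample_events():
    events = [
        (0.00, "start", 100, 1, "commander.exe", None),   # hypothetical parent
        (0.01, "start", 200, 100, "enc.exe", None),       # worker 1
        (0.02, "start", 201, 100, "enc.exe", None),       # worker 2
        (0.03, "start", 300, 1, "winword.exe", None),     # benign editor
    ]
    # Two workers each touch 40 files in 0.08 s, i.e. about 500 files/s each.
    for i in range(40):
        t = 0.05 + i * 0.002
        events.append((t, "write", 200, 100, "enc.exe", f"C:\\share\\a\\{i}.docx"))
        events.append((t + 0.001, "write", 201, 100, "enc.exe", f"C:\\share\\b\\{i}.xlsx"))
    # The benign process saves three documents over a second.
    for i in range(3):
        events.append((0.2 + i * 0.3, "write", 300, 1, "winword.exe", f"C:\\docs\\r{i}.docx"))
    # Worker 200 is terminated; the commander immediately re-spawns the same image.
    events.append((0.40, "exit", 200, 100, "enc.exe", None))
    events.append((0.41, "start", 202, 100, "enc.exe", None))
    return sorted(events, key=lambda e: e[0])


def detect(events, rate_threshold=200.0, window_s=0.1, respawn_limit=1):
    """Decide which processes to suspend using only the local event stream.

    Two behaviors are scored:
      * mass_write: a process exceeding rate_threshold file writes per second
        inside a sliding window of window_s seconds;
      * commander_respawn: a parent that starts the same image again after a
        child with that image exited, respawn_limit times or more.
    Returns {pid: {"reason", "t", "writes_seen"}} in order of first verdict.
    """
    recent = defaultdict(deque)     # pid -> write timestamps inside the window
    writes_seen = defaultdict(int)  # pid -> total writes observed so far
    parent_of = {}                  # pid -> ppid
    exits = defaultdict(int)        # (ppid, image) -> children of that image that exited
    respawns = defaultdict(int)     # (ppid, image) -> starts seen after such an exit
    verdicts = {}

    for t, kind, pid, ppid, image, _path in events:
        if kind == "start":
            parent_of[pid] = ppid
            key = (ppid, image)
            if exits[key] > 0:
                respawns[key] += 1
                if respawns[key] >= respawn_limit and ppid not in verdicts:
                    verdicts[ppid] = {"reason": "commander_respawn", "t": t,
                                      "writes_seen": writes_seen[ppid]}
        elif kind == "exit":
            exits[(ppid, image)] += 1
        elif kind == "write":
            writes_seen[pid] += 1
            q = recent[pid]
            q.append(t)
            while q and t - q[0] > window_s:
                q.popleft()
            if len(q) / window_s > rate_threshold and pid not in verdicts:
                verdicts[pid] = {"reason": "mass_write", "t": t,
                                 "writes_seen": writes_seen[pid]}

    # A suspended commander takes its surviving children with it, so a
    # re-spawned worker that has not written anything yet is still stopped.
    for pid, ppid in parent_of.items():
        if ppid in verdicts and pid not in verdicts:
            verdicts[pid] = {"reason": "child_of_suspended_parent",
                             "t": verdicts[ppid]["t"], "writes_seen": writes_seen[pid]}
    return verdicts


if __name__ == "__main__":
    for pid, v in detect(build_sample_events()).items():
        print(f"pid {pid}: {v['reason']} at t={v['t']:.3f}s after {v['writes_seen']} writes")
```

The "writes_seen" count in each verdict is the number of files a worker touched before the local decision was made (21 at the constructed rate and threshold); the same decision routed through a remote analytic server would add the round trip to that count for every worker on every machine, which is the arithmetic the next paragraphs describe.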

By this point in the extortion tool and tradecraft evolution, any tool that relies on remote analytic computing, and the latencies involved, is simply overwhelmed. Modern attacker tactics also no longer encrypt every piece of data in a business, so by the time defenders “catch up”, the attacker’s goals are likely already accomplished.

We’ll discuss what Cyber Crucible does to correct this matter at the end.

Remote Analytic Fragility as a Liability

Previously, we discussed exploiting the latency of remote analytics infrastructures through the use of parallel and distributed computing. In this section, we’ll discuss the fragility of building endpoint security tools on remote analytics.

Around 80% of EDR and XDR solutions require access to remote analytic servers to function optimally. Without access to the remote (usually cloud-based) “brain”, these tools are severely diminished in capability.

Attackers have combined this dependency with the latency vulnerability discussed earlier to conduct attacks on the EDR and XDR platforms that are completed long before a “response” can be taken.

A common attack now seen is that the attackers gain the access needed to adjust firewall rules and block the endpoint security tools from reaching their analytic servers. The net effect is that the EDR/XDR tools lose the ability to analyze and respond to the extortion attack activities, making the attackers’ job that much easier.

While the resiliency of endpoint tools against tampering by attackers is certainly a recurring issue that vendors prefer not to discuss openly, in this case the EDR or XDR can remain intact and yet ineffective.
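The defender’s counterpart to this is to treat loss of the analytic path as a security event rather than a connectivity hiccup: an agent that can no longer reach its “brain” should fall back to local enforcement and raise a tamper alert, and the SOC should correlate the outage with nearby firewall rule changes. The following is an added example written for this page, not Cyber Crucible’s or any vendor’s code. The log lines, the key=value format, the agent heartbeat interval, the 203.0.113.10 analytic server address (a placeholder from the documentation range) and the CORP\svc-ops account are all constructed; real firewall audit records would need their own parser.

```python
import re
from datetime import datetime, timezone

# Constructed analytic server address (documentation range placeholder).
ANALYTIC_HOSTS = {"203.0.113.10"}

# Constructed log lines, not real product or Windows output. The agent sends a
# heartbeat every 10 s; a firewall rule blocking the analytic server is added
# three seconds before the first failed heartbeat.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=agent event=heartbeat result=ok rtt_ms=41
2024-05-01T10:00:10Z src=agent event=heartbeat result=ok rtt_ms=45
2024-05-01T10:00:17Z src=firewall event=rule_added action=block direction=out remote=203.0.113.10 port=443 user=CORP\\svc-ops
2024-05-01T10:00:20Z src=agent event=heartbeat result=fail error=timeout
2024-05-01T10:00:30Z src=agent event=heartbeat result=fail error=timeout
2024-05-01T10:00:40Z src=agent event=heartbeat result=fail error=timeout
2024-05-01T10:00:50Z src=agent event=heartbeat result=fail error=timeout
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn 'timestamp k=v k=v ...' into a dict with a tz-aware 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(KV.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def connectivity_state(records, fail_limit=3):
    """Declare the agent isolated after fail_limit consecutive failed heartbeats.

    Returns ("isolated", first_failure_time) or ("connected", None).
    """
    streak, first_fail = 0, None
    for r in records:
        if r.get("event") != "heartbeat":
            continue
        if r.get("result") == "ok":
            streak, first_fail = 0, None
        else:
            streak += 1
            first_fail = first_fail or r["ts"]
            if streak >= fail_limit:
                return "isolated", first_fail
    return "connected", None


def blocking_rules(records, hosts):
    """Firewall records that block outbound traffic to any analytic host."""
    return [r for r in records
            if r.get("src") == "firewall" and r.get("action") == "block"
            and r.get("direction") == "out" and r.get("remote") in hosts]


def assess(log_text, hosts=ANALYTIC_HOSTS, lookback_s=300):
    """Combine heartbeat state with firewall changes into a posture and alert."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    state, since = connectivity_state(records)
    rules = blocking_rules(records, hosts)
    # Tamper suspicion: a block rule toward the analytic server shortly before
    # the agent lost contact, whoever added it.
    tamper = [r for r in rules
              if since is not None and 0 <= (since - r["ts"]).total_seconds() <= lookback_s]
    return {
        "state": state,
        "isolated_since": since,
        # Local enforcement never waits on the cloud; this only records the mode.
        "posture": "local_only" if state == "isolated" else "cloud_assisted",
        "alert": "analytic_path_blocked" if tamper else None,
        "suspect_rules": tamper,
    }


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    print(result["state"], result["posture"], result["alert"])
    for r in result["suspect_rules"]:
        print("suspect rule:", r["ts"].isoformat(), r.get("user"), r.get("remote"), r.get("port"))
```

The "posture" field is the important design point: the local detection and response logic keeps running regardless of what the heartbeat says, and the heartbeat failure is promoted to an alert that names the rule change, so the tool does not sit “intact and ineffective” while the analytic path is cut.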

What All This Means to Cyber Crucible - Is it an EDR or XDR?

The vulnerabilities concerning the latency and fragility of remote analytic server strategies mean that robust data extortion prevention simply cannot rely on cloud computing. Cyber Crucible has elements of both EDR and XDR.

Cyber Crucible as an EDR

If we reduce an XDR to combining endpoint and other (usually things like network) telemetry, and define an EDR as strictly using endpoint telemetry to make decisions…

and then consider the millisecond-fast “clamping down” on extortion attack behaviors, which has to be resilient to the frailty of remote analytic engines…

then Cyber Crucible’s automated response portion of the software is an EDR.

Due to the latency and frailty of remote analytic servers, Cyber Crucible had to invent a detection and response capability whose behavioral analytics use only information available on the endpoint at the time of attack.

Cyber Crucible as an XDR

The collection of endpoint telemetry for edge (endpoint) detection and response is valuable for a variety of other strategic investigatory activities, such as threat hunting, insider threat detection, and IT audits. All telemetry is transmitted to the database (either a customer appliance or the central Cyber Crucible database) for correlation and analysis. Data sources are combined and collated for rich data presentation.

Cyber Crucible’s open API means that analytical platforms (such as open XDR platforms like this, SOAR, or Robotic Process Automation) may combine this data with other data sources to produce advanced automated capabilities.

Thus, this portion of Cyber Crucible’s capabilities, while not as time critical as the sub-second response required by our software’s EDR capabilities in times of impending extortion crisis, represents a value add to customers.
