Clearly, the earlier malicious actions come to the attention of security solutions and specialists, the more effectively they are able to reduce, or even prevent, damage. Therefore, while working on new detection rules for our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we pay particular attention to identifying attackers' activity at the very initial stage of an attack, when they try to collect information about the infrastructure. We are talking about activity related to the Discovery tactic according to the Enterprise Matrix of the MITRE ATT&CK Knowledge Base.
Modern attackers are paying increasing attention to containerization infrastructure, where rather dangerous vulnerabilities are sometimes found. For example, our May report on exploits and vulnerabilities describes CVE-2024-21626, which allows a container escape. That is why, in our Q3 2024 SIEM update, among the rules for identifying atypical behavior that may indicate attacker activity at the initial data collection stage, we have added detection rules that catch (i) attempts to collect data on the containerization infrastructure, and (ii) traces of various attempts to manipulate the containerization system itself.
This was done by adding detection rules R231, R433, and R434, which are already available to Kaspersky Unified Monitoring and Analysis Platform users through the rule update system. Specifically, they are used to detect and correlate the following events:
- access to credentials inside a container;
- launching a container on a non-container system;
- launching a container with excessive privileges;
- launching a container with access to host resources;
- gathering information about containers using standard tools;
- searching for weak spots in containers using standard tools;
- searching for security vulnerabilities in containers using special utilities.
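To make the seven behaviors above concrete, here is an added example of the kind of detection logic such rules implement. It is written for this post and is not Kaspersky's R231/R433/R434 logic, whose actual conditions are not described here. It runs over constructed process-execution events (host name, process cgroup path, command line); the host inventory, the list of "special utilities", the credential paths and the regular expressions are all assumptions chosen for illustration.

```python
from __future__ import annotations

import re
import shlex

# Assumed asset inventory: hosts on which a container runtime is expected.
CONTAINER_HOSTS = {"k8s-node-01", "k8s-node-02", "build-runner-3"}
RUNTIME_BINARIES = {"docker", "podman", "nerdctl", "crictl", "ctr"}
# Container-start options that grant excessive privileges or host namespace access.
PRIVILEGED_FLAGS = {"--privileged", "--pid=host", "--net=host", "--network=host",
                    "--ipc=host", "--userns=host"}
PRIVILEGED_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}
# Host paths whose bind-mount into a container gives access to host resources.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/dev", "/var/run/docker.sock")
# Credential material commonly read from inside a compromised container (assumed list).
CREDENTIAL_PATHS = ("/var/run/secrets/kubernetes.io/serviceaccount/token",
                    "/root/.docker/config.json", "/root/.aws/credentials", "/root/.kube/config")
# Standard tooling used to enumerate containers and to probe for weak spots.
ENUM_COMMANDS = re.compile(r"^(docker|podman|crictl|nerdctl) (ps|images|inspect|info|network ls)\b"
                           r"|^kubectl get (pods|secrets|nodes|serviceaccounts)\b")
RECON_COMMANDS = re.compile(r"^(mount\b|capsh --print|cat /proc/1/cgroup|cat /proc/self/status"
                            r"|ls -la? /var/run/docker\.sock|df\b.*overlay)")
# Publicly known container audit / escape helpers (assumed, illustrative names).
SPECIAL_TOOLS = {"deepce", "amicontained", "cdk", "kube-hunter", "peirates", "botb"}


def in_container(cgroup: str) -> bool:
    """Heuristic: the process cgroup path reveals a container runtime scope."""
    return any(m in cgroup for m in ("/docker/", "/kubepods", "/containerd", "/libpod-"))


def option_values(argv: list[str], names: tuple[str, ...]) -> list[str]:
    """Collect values for options written as `--opt value` or `--opt=value`."""
    values = []
    for i, arg in enumerate(argv):
        for name in names:
            if arg == name and i + 1 < len(argv):
                values.append(argv[i + 1])
            elif arg.startswith(name + "="):
                values.append(arg[len(name) + 1:])
    return values


def mount_sources(argv: list[str]) -> list[str]:
    """Host-side source paths of -v/--volume and --mount options (named volumes are skipped)."""
    sources = [v.split(":")[0] for v in option_values(argv, ("-v", "--volume"))]
    for spec in option_values(argv, ("--mount",)):
        kv = dict(p.split("=", 1) for p in spec.split(",") if "=" in p)
        sources.append(kv.get("source") or kv.get("src", ""))
    return [s for s in sources if s.startswith("/")]


def is_sensitive_path(path: str) -> bool:
    path = path.rstrip("/") or "/"
    return path == "/" or any(path == p or path.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS if p != "/")


def check_event(event: dict) -> list[str]:
    """Return the names of all rules a single process-execution event triggers."""
    findings: list[str] = []
    argv = shlex.split(event["cmdline"])
    if not argv:
        return findings
    prog = argv[0].rsplit("/", 1)[-1]
    cmd = event["cmdline"]
    inside = in_container(event["cgroup"])
    if prog in RUNTIME_BINARIES and len(argv) > 1 and argv[1] in ("run", "create"):
        if event["host"] not in CONTAINER_HOSTS:
            findings.append("container_start_on_non_container_host")
        caps = {c.upper() for c in option_values(argv, ("--cap-add",))}
        if set(argv) & PRIVILEGED_FLAGS or caps & PRIVILEGED_CAPS:
            findings.append("container_with_excessive_privileges")
        if any(is_sensitive_path(s) for s in mount_sources(argv)):
            findings.append("container_with_host_resource_access")
    if inside and any(p in cmd for p in CREDENTIAL_PATHS):
        findings.append("credential_access_inside_container")
    if ENUM_COMMANDS.search(cmd):
        findings.append("container_enumeration_with_standard_tools")
    if inside and RECON_COMMANDS.search(cmd):
        findings.append("container_recon_with_standard_tools")
    if prog in SPECIAL_TOOLS:
        findings.append("container_recon_with_special_utility")
    return findings


def run_rules(events: list[dict]) -> list[tuple[int, str]]:
    """Evaluate every event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]


# Constructed sample events (not real telemetry): host, process cgroup, command line.
SAMPLE_EVENTS = [
    {"host": "k8s-node-01", "cgroup": "/", "cmdline": "docker run -d --name web nginx:1.25"},
    {"host": "k8s-node-01", "cgroup": "/", "cmdline": "docker run --privileged --pid=host -v /:/host alpine sh"},
    {"host": "finance-db-7", "cgroup": "/", "cmdline": "podman run --rm -it busybox"},
    {"host": "k8s-node-02", "cgroup": "/kubepods/burstable/pod1234/abcd",
     "cmdline": "cat /var/run/secrets/kubernetes.io/serviceaccount/token"},
    {"host": "k8s-node-02", "cgroup": "/docker/abcd1234", "cmdline": "ls -la /var/run/docker.sock"},
    {"host": "k8s-node-01", "cgroup": "/", "cmdline": "docker inspect web"},
    {"host": "k8s-node-02", "cgroup": "/docker/abcd1234", "cmdline": "/tmp/amicontained"},
]

if __name__ == "__main__":
    for idx, rule in run_rules(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}  <- {SAMPLE_EVENTS[idx]['cmdline']}")
```

The first sample event (an ordinary `docker run` on an expected host) produces no finding, which is the point of keeping the host inventory and the privilege checks separate: the same command line is benign on a container host and suspicious on a database server. In a real SIEM the cgroup test would be replaced by the normalizer's container fields, and the command-line matching would be tuned against your own baseline to keep false positives down.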
Taking this update into account, there are now more than 659 rules available on the platform, including 525 rules with direct detection logic.
We continue to align our detection rules with the Enterprise Matrix of the MITRE ATT&CK Knowledge Base, which currently describes 201 techniques, 424 sub-techniques, and thousands of procedures. As of today, our solution covers 344 MITRE ATT&CK techniques and sub-techniques.
In addition, we have improved many older rules by correcting or adjusting their conditions, for example to reduce the number of false positives.
New and improved normalizers
In the latest update, we have also added to our SIEM system normalizers that let you work with the following event sources:
- [OOTB] OpenLDAP
- [OOTB] Avaya Aura Communication Manager syslog
- [OOTB] Orion soft Termit syslog
- [OOTB] Postfix
- [OOTB] Barracuda Web Security Gateway syslog
- [OOTB] Parsec ParsecNET
- [OOTB] NetApp SnapCenter file
- [OOTB] CommuniGate Pro
- [OOTB] Kaspersky Industrial CyberSecurity for Networks 4.2 syslog
- [OOTB] Yandex Cloud
- [OOTB] Barracuda Cloud Email Security Gateway syslog
Our specialists have also improved the normalizers for these sources:
- [OOTB] Yandex Browser
- [OOTB] Citrix NetScaler syslog
- [OOTB] KSC from SQL
- [OOTB] Microsoft Products for KUMA 3
- [OOTB] Gardatech Perimeter syslog
- [OOTB] KSC PostgreSQL
- [OOTB] Linux auditd syslog for KUMA 3.2
- [OOTB] Microsoft Products via KES WIN
- [OOTB] PostgreSQL pgAudit syslog
- [OOTB] ViPNet TIAS syslog
You can find the full list of event sources supported in Kaspersky Unified Monitoring and Analysis Platform version 3.2 in the technical support section of our website, where you can also get more information about correlation rules. We will continue to write about improvements to our SIEM system in future posts, which can be found via the SIEM tag.