Friday, March 29, 2024
The MaxPatrol SIEM system received a large-scale expertise update

New rules for detecting threats have been added to Positive Technologies’ IS event monitoring system, MaxPatrol SIEM.

New event enrichment mechanisms have also appeared: they help information security analysts confirm up to 90% of incidents without requesting additional data. MaxPatrol SIEM now detects attacks on the domestic ClickHouse DBMS, as well as signs of five more popular hacker tools at work: Sliver, NimPlant, Masky, PowerView and Evil-WinRM.

Positive Technologies specialists continuously research new cyber threats, monitor the activity of hacker groups around the world, and study their tactics and techniques. Based on this data, the experts create threat detection methods, which are regularly delivered to MaxPatrol SIEM in the form of expertise packages. This lets users of the SIEM system detect current threats and respond quickly to cybercriminals, who constantly develop new tools, methods and attack techniques and refine the ones they already have.

Positive Technologies specialists have developed information security event enrichment mechanisms for MaxPatrol SIEM. These mechanisms independently look up dynamic data that appears as an attack develops, so that information security analysts get the complete context of launched processes (a mechanism for automatically building process chains was implemented in MaxPatrol SIEM earlier).

“Additional context in MaxPatrol SIEM helps detect intruder activity. The more context there is in the event cards, the easier it is for information security specialists to ‘spin’ attacks. The mechanism we added earlier for building chains of launched processes removed most of the routine tasks from SOC analysts, so we continued to work in this direction,” comments Kirill Kiryanov, head of the attack detection group on end devices, Positive Technologies. “To make incident investigation even easier, faster and more efficient, we have created new enrichment mechanisms. They provide rich context that helps operators verify up to 90% of incidents, thereby saving them from having to make additional queries in the system.”

The company’s experts have updated the previously loaded packages for detecting hacker tools and masquerading methods. The rules added to MaxPatrol SIEM make it possible to detect the increasingly popular Sliver and NimPlant tools at work, attempts to exploit the ProxyNotShell vulnerabilities with the corresponding Metasploit module, and the activity of the Masky, PowerView and Evil-WinRM frameworks, which remain part of the cybercriminal arsenal.

With the help of the new rules, MaxPatrol SIEM also detects advanced techniques intruders use to hide in the infrastructure, in particular:

  • launching processes without an extension – used to bypass correlation rules that explicitly look for processes with the .exe extension, and as a masquerading technique;

  • launching processes with a double extension, for example .docx.exe – a method attackers use in phishing;

  • loading processes or libraries signed with a Microsoft certificate whose signature status is not valid – this is how attackers try to disguise their toolkit as legitimate Microsoft programs.
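The three masquerading indicators above map directly onto checks over process-creation and image-load telemetry. The following is an added illustration written for this article, not a MaxPatrol SIEM rule or any Positive Technologies code; it assumes events arrive as dictionaries with Sysmon-style field names (Image, Signed, Signature, SignatureStatus), and the sample events are constructed, not captured telemetry. The extension lists are assumptions and would be tuned per environment.

```python
from typing import Callable, Dict, List

# Final suffixes that Windows runs as code (assumed list; extend per environment).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js"}

# Document or media suffixes placed in front of the real one ("invoice.docx.exe").
DECOY_EXTENSIONS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def file_name(image_path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return image_path.replace("\\", "/").rsplit("/", 1)[-1]


def extensions_of(image_path: str) -> List[str]:
    """All dotted suffixes of the file name, lower-cased and in order:
    'C:\\Users\\a\\invoice.docx.exe' -> ['.docx', '.exe']; 'C:\\tmp\\update' -> []."""
    parts = file_name(image_path).split(".")
    return ["." + p.lower() for p in parts[1:] if p]


def no_extension(event: Dict[str, str]) -> bool:
    """Image whose file name has no extension at all (defeats rules that match on '.exe')."""
    return extensions_of(event["Image"]) == []


def double_extension(event: Dict[str, str]) -> bool:
    """A decoy document suffix immediately followed by an executable suffix.
    Dotted version strings such as 'tool.v2.exe' are deliberately not matched."""
    exts = extensions_of(event["Image"])
    return len(exts) >= 2 and exts[-2] in DECOY_EXTENSIONS and exts[-1] in EXECUTABLE_EXTENSIONS


def microsoft_signature_not_valid(event: Dict[str, str]) -> bool:
    """Signer claims to be Microsoft, but the signature status is anything other than Valid
    (expired, revoked, errors, unavailable). Events without signature fields never match."""
    signer = event.get("Signature", "").lower()
    status = event.get("SignatureStatus", "").strip().lower()
    return "microsoft" in signer and status != "valid"


# Rule name -> predicate; evaluation order follows insertion order.
RULES: Dict[str, Callable[[Dict[str, str]], bool]] = {
    "no_extension": no_extension,
    "double_extension": double_extension,
    "microsoft_signature_not_valid": microsoft_signature_not_valid,
}


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of every rule that fires on a single event."""
    return [name for name, check in RULES.items() if check(event)]


# Constructed sample events (not real telemetry). Field names follow the Sysmon
# convention of Image / Signed / Signature / SignatureStatus as an assumed source schema.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\svchost.exe", "Signed": "true",
     "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"Image": "C:\\Users\\alice\\Downloads\\Invoice_2024.docx.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchost"},
    {"Image": "C:\\ProgramData\\updater.dll", "Signed": "true",
     "Signature": "Microsoft Corporation", "SignatureStatus": "Errors"},
    {"Image": "C:\\Program Files\\Tool\\tool.v2.exe"},  # dotted version, not a decoy: no alert
]


def evaluate_samples(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each image path to the list of rule names it triggers."""
    return {e["Image"]: evaluate(e) for e in events}


if __name__ == "__main__":
    for image, hits in evaluate_samples().items():
        print(f"{image}: {hits or 'clean'}")
```

Each check is a separate predicate so it can be switched on or off and tuned independently; the signature check intentionally treats any non-Valid status as suspicious rather than enumerating failure states, which is the behaviour the article describes for the Microsoft-signed case.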

“MaxPatrol SIEM regularly receives unique expert knowledge about the threats that are most relevant for Russian companies. This knowledge allows you to identify complex targeted attacks and prevent them before serious consequences occur. Each expertise package is accompanied by a detailed description available directly from the interface: what rules are included, how to configure event sources, how to properly respond to an incident,” says Petr Kovchunov, Senior Specialist of the Positive Technologies Knowledge Base and Information Security Expertise. “Attackers introduce new techniques, constantly experimenting. They have become more likely to use certain techniques to bypass protections and disguise themselves from SOC analysts, so in this update we have added rules to help detect such techniques.”

As part of the large-scale expertise update, the product also received a new set of rules for detecting suspicious activity in the domestic ClickHouse database management system. The package includes more than 20 correlation rules that help detect an attack quickly at its different stages, from reconnaissance to attempts to dump data from the DBMS or destroy it. The added expertise will help Russian companies that use ClickHouse, or plan to switch to it as part of import substitution, to protect their critical data. Rule sets for detecting attacks on PostgreSQL, Oracle Database, Microsoft SQL Server and MongoDB were loaded into MaxPatrol SIEM earlier.

To start using the new rules and event enrichment mechanisms, you need to upgrade MaxPatrol SIEM to version 7.0 and install the updated expertise packages.





Source: www.securitylab.ru
