    June 9, 2023

    Inescapable: Why Detecting Behaviors Beats Zero-Days

    Why Blumira Detected the MOVEit Progress Zero-Day Early

    Blumira first detected and alerted on the MOVEit exploitation of CVE-2023-34362 on May 28th, 2023 — three days ahead of the MOVEit vulnerability announcement, allowing the customer to quickly respond. 

    By identifying patterns of behavior rather than moment-in-time activities, we were able to help our customer successfully detect and stop the attack before the risk of ransomware.

    Detecting on behaviors (TTPs) rather than only on specific indicators of compromise (IOCs) such as file hashes, IP addresses, or domain names is a no-brainer. Since attackers can easily swap out their IOCs, detections built on IOCs alone are easy for them to evade and harder for defenders to rely on.

    While it’s fairly simple for attackers to hide from AV or EDR signatures, it’s much harder to avoid the network traffic an attacker inevitably creates as they scan and move laterally within an environment.

    Pyramid of Pain

    Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

    How Blumira Detected the MOVEit Vulnerability

    The attacker was writing webshells, a common and long-used cybersecurity tactic, to obtain unauthorized access and control over the compromised server. MOVEit was using IIS processes to host its application, and attackers exploit vulnerabilities of applications running on IIS to run commands, steal data, or write malicious code into files used by the web server. 

    This behavior was detected automatically by one of Blumira's behavioral conditions, which looks in Sysmon logs (free to deploy on Windows) for webshells being written to disk by the web server process, and it was raised as a Priority 1 Suspect.

    Blumira Findings

    Blumira alerted the customer in less than 30 seconds from the initial behavior, which was triggered by an at-that-time unknown threat.

    As a Priority 1 Suspect, this Finding indicated a need for immediate review of the behavior. This starts with ascertaining whether the file is unknown to the organization, as well as whether the organization is currently under known attacks such as penetration tests.*

    Workflow Example for File Write Suspect

    With our new XDR offering, the Automated Host Isolation feature could have quarantined the host in less than a minute from the original attack. These capabilities bring the SMB and midmarket organizations who may have previously had no security program into line with the well-funded security teams in Fortune 1000 and large MSSPs with their existing IT staff. SMB and enterprise threats are converging into the same patterns, according to Verizon’s Data Breach Investigations Report (DBIR) in 2023. Being non-enterprise is no longer a way to avoid being targeted by attackers.

    Thankfully Magic Isn’t Real (Yet)

    Many detections are of high importance in the stack when dealing with Windows-based services, especially those exposed to the internet. There are other behaviors that follow these types of attacks, such as the IIS process (w3wp.exe) spawning a command shell or PowerShell. The ability to detect these methods rapidly, and those further into the stages of an attack such as reconnaissance and lateral movement, is a necessity for reducing risk and gaining the necessary visibility within your environment.
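The two behaviors described above (the IIS worker process writing a webshell to disk, and w3wp.exe spawning a command shell or PowerShell) as detection logic run over parsed Sysmon events. This is an added example, not Blumira's own condition; the field names follow Sysmon Event ID 11 (FileCreate) and Event ID 1 (ProcessCreate), and the sample events, paths and extension lists are constructed for illustration.

```python
import os
from typing import Dict, List, Optional

# Process images and extensions the two conditions key on (assumptions for
# this example; tune them to the web stack you actually run).
WEB_SERVER_PROCS = {"w3wp.exe"}
WEBSHELL_EXTS = {".aspx", ".ashx", ".asmx", ".asp", ".php", ".jsp"}
COMMAND_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events shaped like parsed Sysmon Event ID 11 (FileCreate)
# and Event ID 1 (ProcessCreate); the file names and paths are illustrative.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "11", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\app\example_shell.aspx"},
    {"EventID": "11", "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "TargetFilename": r"C:\inetpub\logs\LogFiles\u_ex230528.log"},
    {"EventID": "1", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c hostname"},
    {"EventID": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def image_name(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply both behavioral conditions to one event; None if neither fires."""
    if event.get("EventID") == "11":
        # Condition 1: the web server process itself writes a script file.
        if image_name(event["Image"]) in WEB_SERVER_PROCS:
            ext = os.path.splitext(image_name(event["TargetFilename"]))[1]
            if ext in WEBSHELL_EXTS:
                return {"priority": "P1", "name": "webserver_wrote_webshell",
                        "detail": event["TargetFilename"]}
    elif event.get("EventID") == "1":
        # Condition 2: the web server process is the parent of a shell.
        if (image_name(event.get("ParentImage", "")) in WEB_SERVER_PROCS
                and image_name(event["Image"]) in COMMAND_SHELLS):
            return {"priority": "P1", "name": "webserver_spawned_shell",
                    "detail": event.get("CommandLine", "")}
    return None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run both conditions over a batch of events and collect the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The benign events (w3wp.exe writing an IIS log, explorer.exe launching cmd.exe) produce no finding, which is the point of keying on the process relationship rather than on the file or shell alone.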

    We have seen this pattern time after time within Blumira as new attacks arise. When VMware Horizon was attacked, we didn’t theorize where an attacker could enter, but rather protected the underlying hosts while looking for threatening behaviors. We take the approach of detecting where the risk of intrusion lies based on the behaviors that could occur when an attacker attempts to land, or succeeds in landing, on that machine.

    Most importantly, this was not a large team being thrown at unknown security problems, but rather a targeted and talented group of detection engineers who test and verify where these behaviors must fall in the stages of a cyber attack.

    AI Isn’t Going to Save Us Outright; Neither Will the 24×7 Managed SOC

    With a growing demand for cybersecurity professionals and a considerable number of open positions, the appeal of automation and AI has never been stronger. AI-powered tools such as LLMs, copilots, and your-flavor-of-GPT are set to be a permanent fixture in our future, and in many ways, they’re enhancing our ability to scale.

    It’s a testament to the industry’s innovative spirit, yet it’s crucial to remember that these tools should serve as an extension of the workforce, not a replacement. This is an exciting time for IT and infosec professionals who can utilize these tools to achieve greater efficiency and effectiveness.

    Managing cyber and information risks can seem overwhelming, and it’s not uncommon for businesses to feel paralyzed or to resort to generally accepted but unproven practices. In the past, these risks were often overlooked or even swept under the rug. However, with the rise of threats such as ransomware and the evolution of cyber insurance, risk management has become a pressing business issue. It’s no longer a topic that can be ignored; it’s a constant dialogue between business leaders, insurers, and IT/infosec teams. 

    The notion that any organization can simply find a fully staffed, 24×7 managed SOC that comprehends their environment well enough to offset all risk with ad-hoc remediations is not realistic. While migrating risk through such services can be a valid business strategy, it falls short as a comprehensive approach to protecting your employees, customers, and their data. 

    Security is not about magic; it’s about investing in the right team and the right tools for your organization. When choosing to offset risk to a managed 24×7 SOC, it’s crucial to ensure that the SOC leverages scalable technology and isn’t solely reliant on human resources.

    Moreover, it’s essential to be mindful of potential pitfalls. The pressure to reduce noise and meet SLAs in managed 24×7 SOCs can sometimes lead to overlooked threats. Clear communication and mutual understanding between the customer and SOC are vital for effective threat detection and response.

    What Should We Do, Then?

    While technology has vastly changed and significantly grown over the last few decades, the application of people and security to mitigate risk has not. Organizations still need their own internal IT infrastructure and team to support leadership and the needs of the company.

    This does not mean that every company needs a large IT team, but rather a group of people that can be depended on to steward the needs of the company with technology partners like Blumira. We often see teams of 1 or 2 internally with an MSP to support their day-to-day needs with much less risk and a deeper focus on visibility and maturity than larger teams, primarily due to that top-down goal of being better. 

    Treat these partners as extensions of your team and ensure that they can deliver what you need with your context. We on the vendor side can never know as much about your environment as you will, even if fully managing the environment. You will drastically reduce your own risk by growing internal IT maturity and embracing it across the organization. Likewise, you will gain a better ability to utilize these vendors in the way that works best for you and not just a compliance requirement you’ve been given. 

    Here at Blumira we provide organizations with a dedicated Solutions Architect as well as our own Security Operations team, which is available 24×7. We price based on the size of the company and not on data volume, because reducing visibility to save money always results in missed opportunities.

    Additionally we layer in as much as we can to ensure that your organization and teams are growing in their capabilities and reducing risk across the environment, rather than only worrying about the one big attack. These allow for Blumira SIEM and XDR customers to be well ahead of their peers in their defensive and risk mitigation growth path.

    * We have found that a large number of the attacks in SMB and midmarket environments are caused by penetration tests and similar purposeful attacks within the environment. If you do not ask about the ongoing engagement, findings are often closed with the wrong resolution: they are labeled false positives when the proper closure would be valid, no action required, or risk accepted.

    Matthew Warner

    Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...
