How AI can help defenders scale detection guidance for enterprise software tools

If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs. ManageEngine vs. Atlassian Confluence).

Admittedly, the components of each software were different, but the guidance was by and large the same. That’s because financially motivated attackers’ goals and objectives didn’t change; they sought, and will continue to seek, a particular type of asset, with a particular set of capabilities to extort money from organizations through the theft or destruction of data.

Attackers will mainly attempt to exploit public services to exfiltrate data in bulk, expand access to internal resources or deploy ransomware. They are usually able to achieve these objectives by gaining unauthorized access to the victim environment by leveraging valid credentials or exploitation of the public service to bypass authentication, achieve remote code execution, or upload a web shell. Because the attackers are doing the same thing, the defenders focused on collecting the same types of data such as authentication logs, web access logs, process execution events, filesystem, and file transfer activity.

Most recently, we’ve seen repeat offenses in the mass exploitation of managed file transfer (MFT) attacks, which begs the question, how can we take what we’ve learned from previous mass exploitation events and apply it to prevent further scaling of MFT exploitations? In an effort to help the community offload some of these learnings, IBM Security X-Force is releasing a common framework for detection and response for MFTs, where the only customization required is the unique process names, paths, ports, log files, etc. This blog analyzes how we built the framework and explores how AI can be used to further scale detection guidance beyond MFTs.

MFTs: The next frontier of mass exploitation events

Over the past year, hundreds of organizations have been compromised through MFT attacks. The mass exploitation of MOVEit and GoAnywhere has elevated MFTs — software that I surmise security teams were largely unfamiliar with until now — into a prominent attack vector. These internet-connected automated services enable the transfer of sensitive enterprise data between parties (Figure 1).

Figure 1: MFT software is designed to create data exchanges between various entities often requiring it to be exposed to the Internet

By compromising MFTs, attackers can expedite their attacks — immediately jumping to the data exfiltration stage (Figure 2). They don’t need to pivot, move laterally, or take further action to deploy malware because they landed right in the pot of gold and are able to steal the data directly from the MFT to extort their victims.

Figure 2: Stages of an attack

MFTs are critical tools because they manage critical data, begging the question why was the security community blindsided by these attacks?

Because it’s not realistic to expect security teams to know the function and architecture of every single tool or have a complete software inventory for the environments they protect. Massive workloads and overwhelmed security teams hinder defenders from proactively inspecting or even just familiarizing themselves with the inner workings of every software in their environment. In fact, it’s not until a vulnerability has been disclosed that they’re trying to figure out the core components of a tool — when they are already racing against time to patch a system, or worse, contain an incident, pressured by the risk of business impact.

With this “similarity” hypothesis in mind, we examined some of the most popular MFTs in the market to understand if lessons from past exploitations of MFTs can help us prepare and prevent future ones. The goal was to proactively gather valuable data sources for popular MFT solutions and determine if a common framework can be created to proactively build detection and response strategies for new software.

My team looked at how each of the software tools works, where the log data is located, what process names security teams would need to look for, and then recreated what an attacker would do to identify where in the logs or processes would the malicious activity present. (Figure 3).

Figure 3: MFT analysis process

Our analysis confirmed our belief: all of these tools are largely architected the same way, which means that the approach to detection and response for all MFT solutions would generally be the same.

The index we’re releasing, which is now available on GitHub, includes a sample of 13 different detection and response frameworks for the most common and exposed MFT solutions that we analyzed. This effort is meant to offload some of these learnings from defenders, to not only significantly reduce time required for defenders to stop an attack, but to also help prevent future mass exploitation.

The detection and response frameworks we’re releasing include the following MFTs:

  1. Cerberus FTP Server
  2. FileZilla
  3. Cornerstone MFT
  4. Solawinds Serv-U
  5. JSCAPE
  6. OracleMFT
  7. WingFTP
  8. Aspera
  9. Diplomat MFT
  10. MyWorkDrive
  11. EasyFTPServer FTPD
  12. ShareFile
  13. ShareTru

Using AI to scale detection frameworks

This undertaking highlighted the dire need to help defenders to optimize their use of time. There are thousands of disparate software tools deployed across enterprises, so while defenders are highly skilled in identifying malicious activity, they must first know where to look. How do we scale this framework? We need a way to prioritize assets based on how they help an attacker achieve their goals and objectives, how exposed they are, and what impact they could have on our organization.

To address this challenge, we turned to watsonx and created an easy repeatable process to assess assets by their attractiveness to attackers. Using one of IBM’s foundation models, we created a proof-of-concept AI engine that analyzes documentation, forums, system data and correlates with environmental context, enabling security teams to quickly understand the underlying components of a solution, so that they can develop a detection and response strategy.

The AI engine can also evaluate the likelihood an internet-connected technology will be targeted for mass exploitation if an exploit is released, producing a risk score for the user. Once the user uploads documentation for any type of software into the AI engine, it will:

  • Identify critical processes that security teams should monitor
  • Produce customized detection and response playbooks
  • Provide a risk score to defenders, indicating the likelihood that the software will be targeted for mass exploitation if an exploit is released

This proof of concept is evidence that foundation models can empower defenders tremendously — optimizing their use of time and helping them be more targeted and focused on what matters most. As we continue to develop the AI engine, we’ll be using it to help the IBM Security X-Force Incident Response team drive faster detection and response outcomes — offloading the need to decipher a specific software to the machine.

The hypothesis also shows us that when we’re more intentional about looking for patterns, connections, and commonalities across mass exploitation events, we can create frameworks that help defenders more quickly collect the necessary information and drive faster response. And with AI we can scale these actions, creating a powerful tool to support teams in the wake of a security incident.

If you’re attending Black Hat Las Vegas and are interested in learning more you can attend my session: Breaking the Cycle: Getting in Front of the Next Massive Exploitation on Wednesday, August 9 at 3:00 p.m. PT.

To learn how IBM Security X-Force can help with anything regarding cybersecurity including incident response, threat intelligence or offensive security services, schedule a meeting here: IBM Security X-Force Scheduler.

If you are experiencing cybersecurity issues or an incident, contact IBM Security X-Force for help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

More from Defensive Security

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

X-Force certified containment: Responding to AD CS attacks

6 min read - This post was made possible through the contributions of Joseph Spero and Thanassis Diogos. In June 2023, IBM Security X-Force responded to an incident where a client had received alerts from their security tooling regarding potential malicious activity originating from a system within their network targeting a domain controller. X-Force analysis revealed that an attacker gained access to the client network through a VPN connection using a third-party IT management account. The IT management account had multi-factor authentication (MFA) disabled…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today