
Sensors – Bitdefender TechZone

Abstract

Enhance your security with GravityZone XDR Sensors. Monitor for suspicious activities, detect anomalies, identify compromised accounts, and prevent unauthorized access.

In Bitdefender GravityZone, sensors play a vital role in XDR functionality by monitoring security events and detecting potential threats. They provide real-time monitoring, enhancing visibility and supplying comprehensive information for analysis and investigations. These sensors gather data from various sources such as endpoints, cloud platforms, networks, and identity management systems, enabling a holistic view of security events and potential threats. Their primary value lies in the XDR Event Correlation Engine, which identifies relationships between alerts and combines them into incidents. This information is crucial for quick detection, containment, remediation and recovery.

While vulnerabilities serve as attack vectors through exploits or zero-day attacks, the EDR/XDR sensors add value by correlating seemingly innocuous or mildly impactful actions and identifying the bigger picture of an actual attack. This capability assists security teams in analyzing attack vectors, understanding the extent of compromise, and identifying the root cause. Armed with this information, security teams can promptly take action to mitigate threats. For example, they can respond to incidents by deleting suspicious emails, suspending accounts, enforcing password resets, and blocking user accounts directly from the GravityZone dashboard.

Evolution from EDR to XDR

EDR technology collects and correlates events coming only from endpoints. The evolution from EDR to XDR has been driven by the need to gather and analyze more diverse security information. XDR extends EDR by ingesting a wider range of data sources. This expansion allows a more comprehensive understanding of how an attack unfolds and makes it possible to identify more effective response strategies.

GravityZone XDR ingests data from several different systems:

  • Endpoint sensor (EDR)

  • Cloud Sensors collect events from AWS and Azure

  • Identity Sensors collect events from Active Directory, Azure Active Directory and Microsoft Intune

  • Productivity Applications Sensor collects events from Office 365 and Google Workspace

  • Network Sensor

Implementation

Depending on the sensor type, there are two kinds of implementation: through backend connections between GravityZone and the selected platform, or by deploying an additional virtual appliance.

Sensor implementation:

  1. Endpoint Sensor – is deployed through the BEST installer.

  2. AWS Sensor - is configured through the backend connections between the GravityZone platform and AWS platform with proper permissions. Information about implementation can be found on our support portal here.

  3. Azure Sensor - is configured through the backend connections between the GravityZone platform and Azure Platform. It requires Microsoft Azure AD registration. Information about implementation can be found on our support portal here.

  4. Active Directory Sensor - is configured through the backend connections between the GravityZone platform and Active Directory. It requires BEST agent with EDR installed and active on each domain controller of the domains to monitor. Information about implementation can be found on our support portal here.

  5. Azure Active Directory Sensor - is configured through the backend connections between the GravityZone platform and Azure Active Directory API. Information about implementation can be found on our support portal here.

  6. Microsoft Intune Sensor - is configured through the backend connections between the GravityZone platform and Microsoft Intune and requires Microsoft Azure AD registration. Information about implementation can be found on our support portal here.

  7. Office 365 Sensor – is configured through the backend connections between the GravityZone platform and Office 365. Information about implementation can be found on our support portal here.

  8. Google Workspace Sensor - is configured through the backend connections between the GravityZone platform and Google Workspace. Information about implementation can be found on our support portal here.

  9. Network Sensor – requires an additional virtual appliance configured in TAP mode, which receives a copy of the network traffic via a SPAN port on the core switch. The Network Sensor continuously listens to network traffic, collects network packets from all endpoints in the monitored networks, pre-processes and pre-filters them, and sends both metadata and detection alerts to the GravityZone Event Correlation Engine. Information about implementation can be found on our support portal here.

In multi-tenant deployments, administrators can configure sensors throughout the organization and manage them from one single console. GravityZone XDR Event Correlation Engine identifies relationships between alerts, consolidating them into incidents and providing recommendations and automated response actions. This streamlined process allows for the quick interruption of the kill chain, enhancing security and response capabilities.

Sensors technology diagram

Endpoint Sensors

The endpoint sensor, known as the Incident Sensor in GravityZone XDR, monitors endpoint activity, including running processes, network connections, registry changes, and user behavior. This metadata is collected, reported, and analyzed using machine learning algorithms and prevention technologies to identify advanced threats or in-progress attacks.

By gathering logs from multiple endpoints, sensors can detect many actions that signal a network breach and the presence of attackers. Endpoint sensors can identify actions aligned with the MITRE ATT&CK Discovery tactic, which indicate that attackers are attempting to map out the network structure. The sensors can observe instances where the same file (with the same MD5 hash) is configured to run at system startup with an identical command line. This behavior suggests that a malicious actor is seeking persistence on an endpoint that survives a reboot. Furthermore, the sensors detect multiple PowerShell processes running under suspicious circumstances, or use of the Sysinternals suite. These observations imply that malicious actors are employing legitimate tools for detection evasion and infiltration to conceal their activities.

Additionally, logs coming from endpoint sensors can be correlated with logs from other sensors, for example to identify attackers who use various entry vectors to gain their initial foothold within a network. Techniques used to establish a foothold include targeted spear phishing, exploiting vulnerabilities in public web servers, or employing social engineering techniques to deceive users into downloading and/or executing malicious files or accessing malicious resources (such as exploit landing pages). In terms of initial attacks, sensors can detect network attacks like brute force or port scanning, and this information is further correlated with additional data from the targeted system. Furthermore, sensors can identify malicious files or files with suspicious names that have been downloaded from the same webpage on multiple endpoints. This could indicate that the company's employees are being targeted by a phishing/spear phishing attack.
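As an added illustration (not Bitdefender's sensor code), the two cross-endpoint correlations described above, the same MD5 registered to autostart with an identical command line on more than one host, and a suspiciously named file fetched from the same URL by several hosts, reduce to grouping telemetry by the shared attribute and counting distinct endpoints. The telemetry records, field names, file-extension list and thresholds below are constructed for the example:

```python
"""Cross-endpoint correlation of two persistence / initial-access signals.

Added example, not Bitdefender code. TELEMETRY is constructed endpoint
telemetry shaped loosely like what an EDR sensor reports; field names
and thresholds are assumptions.
"""
from collections import defaultdict

# Constructed telemetry: one record per autostart registration or download.
TELEMETRY = [
    {"endpoint": "WS-01", "type": "autostart", "md5": "a1" * 16,
     "cmdline": r"C:\Users\Public\upd.exe /silent"},
    {"endpoint": "WS-07", "type": "autostart", "md5": "a1" * 16,
     "cmdline": r"C:\Users\Public\upd.exe /silent"},
    {"endpoint": "WS-12", "type": "autostart", "md5": "a1" * 16,
     "cmdline": r"C:\Users\Public\upd.exe /silent"},
    {"endpoint": "WS-03", "type": "autostart", "md5": "b2" * 16,
     "cmdline": r"C:\Program Files\Vendor\agent.exe"},   # single host: benign
    {"endpoint": "WS-01", "type": "download",
     "url": "https://cdn.example.invalid/invoice", "filename": "invoice.pdf.exe"},
    {"endpoint": "WS-07", "type": "download",
     "url": "https://cdn.example.invalid/invoice", "filename": "invoice.pdf.exe"},
    {"endpoint": "WS-12", "type": "download",
     "url": "https://vendor.example.invalid/setup", "filename": "setup.msi"},
]

# Extensions that execute code when opened (assumed list for the example).
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "ps1"}


def is_suspicious_name(filename):
    """Double extension that ends in an executable type, e.g. invoice.pdf.exe."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT


def shared_autostarts(events, min_endpoints=2):
    """Same MD5 autostarting with an identical command line on at least
    min_endpoints distinct hosts: a candidate persistence mechanism."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "autostart":
            hosts[(e["md5"], e["cmdline"])].add(e["endpoint"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_endpoints}


def shared_downloads(events, min_endpoints=2):
    """Same source URL delivering a suspiciously named file to several hosts:
    a candidate phishing wave."""
    hosts = defaultdict(set)
    for e in events:
        if e["type"] == "download" and is_suspicious_name(e["filename"]):
            hosts[e["url"]].add(e["endpoint"])
    return {k: sorted(v) for k, v in hosts.items() if len(v) >= min_endpoints}


def correlate(events):
    """Merge both signals per endpoint so an analyst sees one incident."""
    incident = defaultdict(set)
    for (md5, _cmd), eps in shared_autostarts(events).items():
        for ep in eps:
            incident[ep].add(f"autostart:{md5[:8]}")
    for url, eps in shared_downloads(events).items():
        for ep in eps:
            incident[ep].add(f"download:{url}")
    return {ep: sorted(s) for ep, s in incident.items()}


if __name__ == "__main__":
    for ep, signals in correlate(TELEMETRY).items():
        print(ep, signals)
```

Grouping on the (MD5, command line) pair rather than on MD5 alone is what separates an attacker's autostart entry from a legitimately deployed agent: the agent is the same binary everywhere too, but it is installed under a vendor path with its own arguments and would be whitelisted, while the correlate() output shows WS-01 and WS-07 carrying both the download and the persistence signal.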

Cloud Sensors

With the increasing reliance of businesses on cloud services and infrastructure for data storage and processing, the need for cloud sensors becomes crucial. GravityZone Cloud Sensors enable organizations to expand their security monitoring and detection capabilities to popular cloud platforms like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). By utilizing cloud sensors, organizations can effectively monitor and safeguard their cloud environments, ensuring the protection of valuable data and assets from potential threats and security incidents.

AWS Sensor

With the XDR AWS Cloud Sensor, GravityZone XDR monitors activity that may indicate whether the security of cloud environments has been compromised. The sensor monitors for multiple indicators of attack.

The AWS Sensor recognizes anomalies by first establishing a baseline of normal behavior and then identifying activities that deviate from it. GravityZone detects when a user performs an action outside the baseline, when a file with a suspicious extension is uploaded, when a cloud function performs an action outside its usual scope of activity, and other cloud-specific detections.

In addition, the AWS Sensor identifies suspicious activity associated with many granular cloud service functions such as AWS Lambda®. The sensor detects when an attacker has executed a Lambda function that triggers a suspicious action. For example, it can distinguish when suspicious automatic code execution has been performed, such as using a Lambda function to create an access key to backdoor an AWS Identity and Access Management (IAM) user. As another example, when a Lambda function is used to update a security group to allow ingress on a port, GravityZone XDR will identify this as a maneuver that may allow an attacker to access the cloud instance.

The AWS Sensor detects other suspicious behavior, such as an unfamiliar user or host removing the default encryption from an Amazon Simple Storage Service (S3) bucket. By performing this action, the attacker exposes the encrypted objects (using server-side encryption) in that S3 bucket. XDR detects when an attacker disables or removes monitoring services, for example by stopping Amazon's logging service, CloudTrail, or deleting logs from the AWS monitoring service, CloudWatch. It also identifies when an attacker has performed reconnaissance against an S3 bucket. GravityZone XDR can detect when a user experiences multiple login failures within a short period, or when there are unsuccessful attempts at multi-factor authentication.
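The AWS Sensor detections described in the last three paragraphs fall into two families: fixed rules on specific API calls (stopping CloudTrail, deleting CloudWatch log groups, removing S3 default encryption, privileged IAM or EC2 changes made from a Lambda execution role) and deviations from a per-principal baseline. The following added example (not Bitdefender's implementation) runs both over constructed CloudTrail-style records. The event names and top-level field names are CloudTrail's real ones; the account ID, ARNs, and the "/lambda-" session-ARN convention used to recognize function-originated calls are assumptions made for the example:

```python
"""Rule-based and baseline-based detections over CloudTrail-style records.

Added example; not Bitdefender's sensor logic. BASELINE_LOG and LIVE_LOG
are constructed records using CloudTrail's real top-level field names
(eventTime, eventSource, eventName, userIdentity). Account 111111111111
and the role/session names are invented. Recognizing a Lambda-originated
call by '/lambda-' in the assumed-role session ARN is a simplification.
"""
import json
from collections import defaultdict

# Configuration-tampering rules: (eventSource, eventName) -> description
TAMPER_RULES = {
    ("cloudtrail.amazonaws.com", "StopLogging"): "CloudTrail logging stopped",
    ("cloudtrail.amazonaws.com", "DeleteTrail"): "CloudTrail trail deleted",
    ("logs.amazonaws.com", "DeleteLogGroup"): "CloudWatch log group deleted",
    ("s3.amazonaws.com", "DeleteBucketEncryption"): "S3 default encryption removed",
}
# Privileged changes that are suspicious when issued by function code
LAMBDA_SENSITIVE = {
    ("iam.amazonaws.com", "CreateAccessKey"):
        "IAM access key created from a Lambda function",
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"):
        "security group ingress opened from a Lambda function",
}

# Known-good window used to learn what each principal normally does.
BASELINE_LOG = """\
{"eventTime":"2024-05-01T09:00:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T09:05:00Z","eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-01T10:00:00Z","eventSource":"s3.amazonaws.com","eventName":"PutObject","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/lambda-img-resize/img-resize"}}
"""
# Records to evaluate (constructed).
LIVE_LOG = """\
{"eventTime":"2024-05-02T02:10:00Z","eventSource":"s3.amazonaws.com","eventName":"ListBuckets","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-02T02:11:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/alice"}}
{"eventTime":"2024-05-02T02:12:00Z","eventSource":"iam.amazonaws.com","eventName":"CreateAccessKey","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::111111111111:assumed-role/lambda-img-resize/img-resize"}}
{"eventTime":"2024-05-02T02:13:00Z","eventSource":"s3.amazonaws.com","eventName":"DeleteBucketEncryption","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::111111111111:user/mallory"}}
"""


def parse(log):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in log.splitlines() if line.strip()]


def principal(record):
    return record["userIdentity"]["arn"]


def is_lambda_session(record):
    """Assumed-role session whose role name starts with 'lambda-' (assumption)."""
    return (record["userIdentity"].get("type") == "AssumedRole"
            and "/lambda-" in principal(record))


def build_baseline(records):
    """Set of API actions each principal performed during the known-good window."""
    base = defaultdict(set)
    for r in records:
        base[principal(r)].add(r["eventName"])
    return base


def detect(records, baseline):
    """Return (eventTime, principal, description) alerts for every rule hit."""
    alerts = []
    for r in records:
        key = (r["eventSource"], r["eventName"])
        who = principal(r)
        if key in TAMPER_RULES:
            alerts.append((r["eventTime"], who, TAMPER_RULES[key]))
        if key in LAMBDA_SENSITIVE and is_lambda_session(r):
            alerts.append((r["eventTime"], who, LAMBDA_SENSITIVE[key]))
        # Baseline deviation: an action this principal has never been seen doing.
        if r["eventName"] not in baseline.get(who, set()):
            alerts.append((r["eventTime"], who,
                           f"first-seen action {r['eventName']} for this principal"))
    return alerts


def run():
    return detect(parse(LIVE_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for when, who, what in run():
        print(when, who, what)
```

The baseline check fires on every unseen action, including alice's StopLogging and the function's CreateAccessKey, so in practice it is the rule hits that carry the severity and the baseline deviation that raises priority when both coincide on one principal; alice's ListBuckets, already in her baseline, produces nothing.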

Bitdefender GravityZone Incident Graph with Sensors

Azure Sensor

With the XDR Azure Cloud Sensor, GravityZone XDR monitors activities that may indicate whether the security of cloud environments has been compromised. The sensor can gather important information related to event types and values within the Azure environment. This allows GravityZone to retrieve and analyze various types of events and their corresponding values, providing insights into system activities, resource changes, and operational behaviors.

The Azure Cloud Sensor detects a range of actions within the Azure environment. These include the deletion of a Log Analytics workspace resource, which can indicate that intruders are trying to hide their presence in the victim network; the creation or modification of a security rule, which can expose applications or resources publicly; and the creation of an Azure Automation account, which can introduce security risks such as misconfigured connections, since an Automation account can establish connections to other Azure resources and external systems and so open potential entry points for attackers. The sensor can also detect attempts to enable public anonymous access to a storage account, which can grant unprivileged users access to resources.

By monitoring and analyzing these activities, the Azure Cloud Sensor enhances visibility, allowing organizations to promptly respond to security threats, enforce compliance, and maintain the integrity and security of their Azure infrastructure.

Identity Sensors

Identity sensors are security technologies designed to monitor and analyze user identities, access controls, and authentication activities within an organization's network or cloud environment. These sensors work by continuously monitoring identity-related events and account behaviors to identify potential security threats or anomalies. They apply advanced analytics and machine learning algorithms to detect patterns that may indicate unauthorized access, suspicious behavior, or identity-related security risks.

Active Directory Sensor

The Active Directory Sensor detects activity associated with attacks that attempt to use compromised accounts, tokens, and objects. This includes not only end-user accounts but also system and service accounts.

The Identity Sensor detects attacks targeting the Kerberos network authentication protocol. Among the supported detections is the ability to identify when Kerberos logins are used to brute-force a system. During a brute-force attack, the malicious actor rapidly tries generated passwords or encryption keys to gain system access. The sensor also detects additional Kerberos-related activities, including the use of stolen Kerberos tickets to move laterally across a network, requests for tickets with weak encryption (a common sign of malicious intent), and replay attacks. Replay attacks involve capturing packets from the network and re-sending them to a service or application.

The Identity Sensor also recognizes suspicious logins after a brute-force attack has been detected. The sensor identifies when an attacker registers a rogue Active Directory Domain Controller and uses it to inject malicious objects on other domain controllers within the same Active Directory infrastructure. It identifies when an attacker performs various activities on an Active Directory object and authenticates to remote systems using stolen credentials.

Single-Click Response

The powerful detection component of the GravityZone XDR Identity Sensor is complemented by response capabilities that enable security teams to take meaningful action; for example, security teams can disable an Active Directory account or force a password reset directly from the GravityZone management console.

Azure Active Directory Sensor

The sensor for Azure Active Directory gathers and processes sign-in activities and configurations. It tracks and analyzes user sign-in activity, including the date, time, location, and IP address from which the sign-in occurred. This helps identify suspicious or unauthorized access attempts, which can indicate that credentials have been compromised. It also provides details about the authentication methods used and the status of Multifactor Authentication (MFA). This information helps assess the effectiveness of authentication measures and identify potential weaknesses.

The Azure AD Sensor can detect multiple actions within the Azure AD environment. For instance, it can identify cases where an application is created with suspicious permissions. It can also alert administrators when a new user is created and added to the domain administrators' group, which could indicate a security risk. Additionally, the sensor can monitor and flag excessive failed login attempts from the same source, whether they are due to credential errors or lockouts. Furthermore, it provides visibility into cases where an application is granted global administrator rights, ensuring administrators are aware of the privileges granted to applications.

By leveraging the Azure AD integration with the GravityZone XDR Identity Sensor, security teams gain visibility into user activities, authentication methods, access controls, and security events. This information is invaluable for monitoring and securing the Azure AD environment, detecting anomalies, investigating incidents, and maintaining a robust security posture. Using the response capabilities, security teams can enforce a password reset or block user accounts directly from the GravityZone console.
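The brute-force detection and the "suspicious login after a brute-force attack" detection described for the Active Directory (Kerberos) sensor, and the "excessive failed login attempts from the same source" detection described for the Azure AD sensor, are all windowed counts over sign-in results. The added example below (not Bitdefender's logic) implements them over a constructed sign-in log. The thresholds, window sizes and record layout are assumptions; real inputs would be Kerberos pre-authentication failures or Azure AD sign-in records normalized to the same (time, source, account, result) shape:

```python
"""Failed-sign-in burst detection, plus a success from the same source
shortly after the burst.

Added example; not Bitdefender's Identity Sensor logic. SIGNINS is a
constructed, simplified log: timestamp, source IP, account, result.
Threshold, window and follow-up period are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SIGNINS = """\
2024-05-02T08:00:00Z 203.0.113.5 bob failure
2024-05-02T08:00:02Z 203.0.113.5 bob failure
2024-05-02T08:00:04Z 203.0.113.5 bob failure
2024-05-02T08:00:06Z 203.0.113.5 bob failure
2024-05-02T08:00:08Z 203.0.113.5 bob failure
2024-05-02T08:00:10Z 203.0.113.5 bob failure
2024-05-02T08:00:30Z 203.0.113.5 bob success
2024-05-02T08:05:00Z 198.51.100.7 carol failure
2024-05-02T08:06:00Z 198.51.100.7 carol success
"""


def parse_signins(text):
    """Parse the constructed log into time-sorted (time, source, user, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result))
    return sorted(events)


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60),
                      followup=timedelta(minutes=10)):
    """Return (kind, time, source, user) alerts.

    kind == 'brute_force' when a source reaches `threshold` failures inside
    `window`; kind == 'login_after_brute_force' when that source then
    authenticates successfully within `followup` of crossing the threshold.
    """
    failures = defaultdict(deque)   # source -> timestamps of recent failures
    burst_until = {}                # source -> deadline for a suspicious success
    alerts = []
    for ts, src, user, result in events:
        q = failures[src]
        while q and ts - q[0] > window:  # drop failures outside the window
            q.popleft()
        if result == "failure":
            q.append(ts)
            # Alert when the count first reaches the threshold; it re-arms
            # only after the window drains below the threshold again.
            if len(q) == threshold:
                alerts.append(("brute_force", ts, src, user))
                burst_until[src] = ts + followup
        elif result == "success" and src in burst_until and ts <= burst_until[src]:
            alerts.append(("login_after_brute_force", ts, src, user))
            del burst_until[src]    # one follow-up alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_signins(SIGNINS)):
        print(*alert)
```

Keying the deque on the source rather than the account is what catches password spraying as well as a single-account attack; carol's one failure followed by a success is the ordinary typo-then-retry pattern and stays silent.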

Microsoft Intune Sensor

Microsoft Intune is a cloud-native service dedicated to the management of mobile devices and applications. It offers comprehensive capabilities for mobile device management (MDM) and mobile application management (MAM). By integrating with Azure Active Directory (Azure AD), Intune provides robust access control and permissions management, ensuring that only authorized users have appropriate access to resources.

If compromised, Intune can have severe consequences as it grants attackers the power to distribute malicious applications, enforce harmful policies, and potentially manipulate device BitLocker policies on employees' Intune-managed devices. This can result in the distribution of malware, disruption of device functionality, and compromise of sensitive data, posing significant risks to a company's security and operations.

The GravityZone XDR sensor for Microsoft Intune plays a crucial role in detecting various actions within the Intune environment. For example, it can detect changes in device ownership, such as when an Intune device is transitioned from company-owned to personal or vice versa. This gives administrators visibility and control over device ownership and helps enforce appropriate policies based on ownership status.

The sensor can alert administrators when Intune policies are assigned to specific groups. This ensures that policies are effectively applied across the intended scope of users or devices, allowing for consistent and centralized policy enforcement. Additionally, the Intune Sensor can identify the creation of Intune apps with specific attributes, such as install/uninstall command line options, setup file paths, detection/requirement rule scripts, or filenames. This empowers administrators to monitor and manage the deployment and configuration of Intune apps, ensuring compliance with organizational standards and enhancing security measures.

Productivity Applications Sensor

Productivity Applications Sensors enhance the security, governance, performance, and user experience within Office 365 and Google Workspace environments, ensuring that organizations can leverage these productivity suites effectively while maintaining control, compliance, and a robust security posture.

Office 365 Sensor

The hijacking of Microsoft Office 365 accounts is considered one of the ultimate prizes for cyber-criminals. They often use phishing attacks to lure victims into exposing their valuable Office 365 credentials. Insight into such behavior is invaluable to security teams. GravityZone XDR detects attacks against or originating from Office 365 accounts and emails.

The GravityZone XDR sensor for Office 365 focuses on identifying specific activities within Office 365 accounts that may indicate cyber-criminal behavior. It checks for various actions, for example instances where Office 365 anti-phishing protection has been deliberately disabled. This raises concern because it leaves the system vulnerable to phishing attacks. By monitoring user creation, the sensor flags cases where newly created users are exempted from multi-factor authentication requirements, which suggests an attempt to bypass security measures. The sensor can also detect documents containing suspicious macros being uploaded to SharePoint and OneDrive. Uploading documents with malicious macros can serve as a delivery mechanism for malware, so it is crucial to identify such activity.

Visibility Beyond Managed Endpoints

The Productivity Applications Sensor extends its detection capabilities beyond Office 365 accounts to email activity within Microsoft Exchange Online™. It identifies and flags suspicious behaviors such as email exfiltration, where emails are used to download files from a compromised user's account. It recognizes spear phishing emails, helping prevent users from compromising their account credentials: if users unknowingly provide credentials or sensitive information in response to these phishing attempts, their accounts can be compromised, leading to unauthorized access and data breaches. Furthermore, the sensor watches for suspicious mailbox permission activity, flagging cases where a user suddenly receives permission to access multiple mailboxes within a short period. Additionally, the sensor can recognize unusual email deletion, flagging a user who deletes many emails from a mailbox they do not own.

Along with identifying this suspicious behavior, GravityZone XDR helps security teams take action to protect their businesses. Using the response capabilities of this integration, security teams can respond to incidents by deleting suspicious emails and suspending Office 365 accounts, all from the GravityZone dashboard.
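The two mailbox detections described above, a user granted access to many mailboxes within a short period, and a user deleting many items from a mailbox they do not own, as an added example that is not part of Bitdefender's sensor. The records are constructed: Operation, UserId, ObjectId and MailboxOwnerUPN follow the field names Exchange audit records use, ItemCount is a simplification standing in for the per-item list real records carry, and the thresholds are assumptions:

```python
"""Mailbox-permission bursts and deletions in mailboxes the actor does not own.

Added example; not Bitdefender's Office 365 Sensor logic. AUDIT is a
constructed list of records modelled on Exchange audit fields (Operation,
UserId, ObjectId, MailboxOwnerUPN); ItemCount is a simplification and all
addresses are invented. Thresholds and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AUDIT = [
    # One actor granted access to three mailboxes within two minutes.
    {"CreationTime": "2024-05-03T11:00:00", "UserId": "admin@corp.example",
     "Operation": "Add-MailboxPermission", "ObjectId": "ceo@corp.example"},
    {"CreationTime": "2024-05-03T11:01:00", "UserId": "admin@corp.example",
     "Operation": "Add-MailboxPermission", "ObjectId": "cfo@corp.example"},
    {"CreationTime": "2024-05-03T11:02:00", "UserId": "admin@corp.example",
     "Operation": "Add-MailboxPermission", "ObjectId": "hr@corp.example"},
    # A routine single grant by another administrator.
    {"CreationTime": "2024-05-03T14:00:00", "UserId": "helpdesk@corp.example",
     "Operation": "Add-MailboxPermission", "ObjectId": "newhire@corp.example"},
    # Hard deletes by the same actor inside the CEO's mailbox.
    {"CreationTime": "2024-05-03T11:10:00", "UserId": "admin@corp.example",
     "Operation": "HardDelete", "MailboxOwnerUPN": "ceo@corp.example", "ItemCount": 40},
    {"CreationTime": "2024-05-03T11:11:00", "UserId": "admin@corp.example",
     "Operation": "HardDelete", "MailboxOwnerUPN": "ceo@corp.example", "ItemCount": 35},
    # A user cleaning up their own mailbox: not flagged.
    {"CreationTime": "2024-05-03T12:00:00", "UserId": "dave@corp.example",
     "Operation": "HardDelete", "MailboxOwnerUPN": "dave@corp.example", "ItemCount": 200},
]


def _when(record):
    return datetime.fromisoformat(record["CreationTime"])


def permission_bursts(records, min_mailboxes=3, window=timedelta(minutes=15)):
    """Actors granted access to >= min_mailboxes distinct mailboxes inside window.
    Returns [(actor, sorted mailboxes)] with one entry per actor."""
    grants = defaultdict(list)
    for r in records:
        if r["Operation"] == "Add-MailboxPermission":
            grants[r["UserId"]].append((_when(r), r["ObjectId"]))
    alerts = []
    for actor, items in grants.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Distinct mailboxes granted in the window opening at this grant.
            boxes = {mbox for t, mbox in items[i:] if t - start <= window}
            if len(boxes) >= min_mailboxes:
                alerts.append((actor, sorted(boxes)))
                break
    return alerts


def foreign_mailbox_deletions(records, min_items=50):
    """Total items an actor deleted from mailboxes they do not own, keyed by
    (actor, owner), keeping only pairs at or above min_items."""
    deleted = defaultdict(int)
    for r in records:
        if (r["Operation"] in ("HardDelete", "SoftDelete")
                and r["UserId"] != r["MailboxOwnerUPN"]):
            deleted[(r["UserId"], r["MailboxOwnerUPN"])] += r["ItemCount"]
    return {k: v for k, v in deleted.items() if v >= min_items}


if __name__ == "__main__":
    print(permission_bursts(AUDIT))
    print(foreign_mailbox_deletions(AUDIT))
```

Comparing UserId against MailboxOwnerUPN is the whole of the second rule: the same deletion volume in one's own mailbox is housekeeping, while in another user's mailbox it is evidence tampering or data destruction and, when the actor also appears in a permission burst, the two alerts belong to one incident.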

Single-Click Response

Google Workspace Sensor

Google Workspace is a critical asset for companies, making it a prime target for skilled attackers. If compromised, attackers can exploit it in several ways, such as launching targeted phishing campaigns, extracting sensitive data, or establishing persistence within the infrastructure. The potential impact of such attacks underscores the importance of securing and closely monitoring Google Workspace to mitigate the risk of unauthorized access and data breaches.

The Google Workspace Sensor possesses the capability to detect a range of actions that may indicate potential security risks or unauthorized access. These actions encompass the creation of a new administrator, which could signify a security threat, as well as any attempts to disable or delete security rules and password modifications initiated by administrators. Moreover, the sensor is equipped to identify instances of excessive failed login attempts originating from the same source, which may suggest brute force attacks. It can also recognize the implementation of suspicious custom policies on organizational unit devices.

In addition, the sensor can identify anomalies in user behavior that deviate from the normal baseline. These include a user uploading an executable file, or a file with more than one extension, to a shared drive; requesting access to numerous files or directories; deleting many files across multiple shared locations; and downloading multiple files. Furthermore, the sensor can identify a user sending a significant number of emails within a short timeframe, or sharing a substantial quantity of files from various shared drives with a specific address in a brief period.

In addition to detecting such questionable activities, GravityZone XDR assists security teams in implementing measures to safeguard their organizations.

Network Sensor

The GravityZone XDR Network Sensor is a virtual appliance that monitors network traffic for signs of an attack. Malicious actors often attempt to expand their attack by moving across a company’s network from one system to the next. The Network Sensor helps security teams identify when an attacker attempts to move laterally across their network. It can pinpoint when an attacker attempts to exfiltrate data to locations outside the organization. The XDR Network Sensor detects port scanning techniques and network-originated brute force attacks.

The GravityZone XDR Network Sensor, combined with GravityZone Network Attack Defense (a core component of Bitdefender's endpoint protection), helps thwart network-based attacks while also giving security teams the visibility they need to reduce a cyberattack's impact and overall time-to-resolution.

Conclusion

The increasing complexity of modern IT infrastructures, combined with the proliferation of IoT devices and the adoption of hybrid cloud environments, presents numerous security challenges for organizations. To effectively defend against cyber threats and maintain a robust security posture, companies require multi-layered security solutions.

Bitdefender's GravityZone sensors play a crucial role in detecting and monitoring potential security threats across various environments, providing real-time monitoring, detailed logs, and data trails for analysis and investigation. Whether it is the Cloud, Identity, Productivity applications, or Network, Bitdefender's sensors enable organizations to enhance visibility, promptly respond to security threats, enforce compliance, and safeguard data and assets from potential disclosure. By leveraging these sensors, organizations can strengthen their security measures, detect anomalies, and take meaningful action to protect their businesses.

More Resources

Bitdefender GravityZone XDR official website: GravityZone XDR

Bitdefender GravityZone XDR Datasheet: Bitdefender GravityZone XDR Datasheet