Benefits of an ‘upstream’ threat detection feed, and how it differs from an intrusion detection system (IDS)
What we do
Dryad’s Red Sky Alliance analyst team uses Cisco Meraki and RedXray for our VIP client protection. Prospective clients often confuse the RedXray threat intelligence feed with an Intrusion Detection System (IDS; alerting and monitoring) or an Intrusion Prevention System (IPS; blocking and preventing). The Meraki device and the RedXray service differ in several ways.
The Meraki is limited because it uses generic Sourcefire Snort rules and does not allow custom Snort rules to be created or loaded. It provides no context beyond the single PCAP (packet capture) attached to each event: there is no traffic from before or after the alert to show how the host got there or what it did next. RedXray instead identifies indicators tied to the client’s organization, including breach data, keylogger output and sinkhole traffic originating from the organization’s network, with history going back years. Breach data can be, and likely will be, used in credential re-use attacks to gain an initial foothold into an organization. RedXray monitors these credentials beyond what traditional services such as “haveibeenpwned” cover by drawing on our proprietary sources.
Analysis shows that if a host in an organization is observed reporting keylogger output or checking into a sinkhole, that host is already infected; a sinkhole check-in in particular means the malware’s command-and-control domain has since been taken over by researchers or law enforcement, but the implant itself is still running. At that point the attacker typically has not yet moved laterally within the network, or is in the process of establishing long-term access for future attacks (or for sale to other bad actors). Put simply: Meraki tells you where you have already been hit by well-known exploits; RedXray provides external threat information that can be used to prevent the attack in the first place.
Here’s a scenario
Consider the following scenario: a bad actor searches their collection of breach data for a company’s domain, looking for e-mail addresses and passwords. After finding working credentials, the attacker logs into the account and begins sending malicious documents to other members of the organization, or to its vendors and clients. Meraki might trigger an alert, but only after the recipients have been infected and their hosts start beaconing to the attacker’s infrastructure (and only if that infrastructure is recognisable, for example because it uses a cheap or free TLD such as .biz, .tk, .ml or .gq).
RedXray monitors the same underground breach sources daily and could have sent a notification e-mail to reset the breached credentials, preventing the intrusion in the first place. The same reasoning applies to a device infected with a keylogger, or to devices communicating with a known sinkhole server. RedXray is primarily focused on cyber intelligence that supports preemptive action before malicious activity occurs, while IDS/IPS devices such as Meraki are effective only from the delivery and installation phases onward.
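To make the two halves of this scenario concrete, here is an added example (not code from the original page, and not RedXray’s or Red Sky Alliance’s own method or sources). The proactive side matches a breach dump against the organization’s domain and produces the list of accounts to reset; the reactive side runs over DNS query logs and flags the two signals an IDS only sees once a host is already infected: regular beaconing to a cheap/free-TLD domain, and any resolution to a known sinkhole address. The domain example.com, the breach records, the log lines and the sinkhole address 203.0.113.7 (a documentation-range IP) are all constructed for the example.

```python
"""Two sides of the credential-reuse scenario: (1) proactive matching of
breach-dump credentials against the organization's domain, (2) reactive
detection of beaconing to cheap/free-TLD domains and of sinkhole check-ins
in DNS logs. All inputs below are constructed for this example."""
from collections import defaultdict
from datetime import datetime

ORG_DOMAIN = "example.com"                      # assumed client domain
# Cheap/free TLDs from the scenario; .tk/.ml/.gq/.ga/.cf are the Freenom set.
ABUSED_TLDS = {"biz", "tk", "ml", "gq", "ga", "cf"}
# Assumed sinkhole address (TEST-NET-3 documentation range, not a real sinkhole).
KNOWN_SINKHOLES = {"203.0.113.7"}

# Constructed breach records in the usual "email:password" dump layout.
BREACH_DUMP = """\
alice@example.com:Summer2019!
bob@example.com:bob12345
carol@otherco.net:hunter2
alice@example.com:Summer2020!
DAVE@Example.com:P@ssw0rd
"""

# Constructed DNS query log: "<timestamp> <client> <qname> <answer>".
DNS_LOG = """\
2023-04-01T10:00:00 10.0.0.12 update.cdn-example.biz 198.51.100.4
2023-04-01T10:02:13 10.0.0.17 www.example.org 192.0.2.10
2023-04-01T10:03:00 10.0.0.20 old-c2.example.tk 203.0.113.7
2023-04-01T10:05:00 10.0.0.12 update.cdn-example.biz 198.51.100.4
2023-04-01T10:10:00 10.0.0.12 update.cdn-example.biz 198.51.100.4
2023-04-01T10:15:00 10.0.0.12 update.cdn-example.biz 198.51.100.4
2023-04-01T11:30:00 10.0.0.12 news.example.biz 198.51.100.9
"""


def find_exposed_accounts(dump: str, org_domain: str) -> dict:
    """Proactive side: return {email: number of distinct leaked passwords}
    for every address in the organization's domain. E-mails are normalised
    to lower case; passwords are compared verbatim so the same leaked
    password appearing in several dumps counts once."""
    leaked = defaultdict(set)
    suffix = "@" + org_domain.lower()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if email.endswith(suffix):
            leaked[email].add(password)
    return {email: len(pws) for email, pws in leaked.items()}


def _parse_dns(log: str):
    """Yield (timestamp, client, qname, answer) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield (datetime.fromisoformat(parts[0]), parts[1],
               parts[2].lower().rstrip("."), parts[3])


def detect_beacons(log: str, min_queries: int = 3, jitter: float = 0.2) -> list:
    """Reactive side: (client, qname, mean_gap_seconds) for hosts that query
    an ABUSED_TLDS domain at a regular cadence. 'Regular' means the spread of
    the inter-query gaps is within `jitter` of their mean; a single lookup of
    a .biz site is not enough to fire."""
    seen = defaultdict(list)
    for ts, client, qname, _answer in _parse_dns(log):
        if qname.rsplit(".", 1)[-1] in ABUSED_TLDS:
            seen[(client, qname)].append(ts)
    hits = []
    for (client, qname), stamps in seen.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and (max(gaps) - min(gaps)) <= jitter * mean:
            hits.append((client, qname, mean))
    return sorted(hits)


def detect_sinkhole_contacts(log: str) -> list:
    """Any resolution to a known sinkhole address means the host is already
    infected with malware whose C2 domain was taken over, even on one query."""
    return sorted((client, qname, answer)
                  for _ts, client, qname, answer in _parse_dns(log)
                  if answer in KNOWN_SINKHOLES)


if __name__ == "__main__":
    print("reset these accounts:", find_exposed_accounts(BREACH_DUMP, ORG_DOMAIN))
    print("beaconing hosts:", detect_beacons(DNS_LOG))
    print("sinkhole check-ins:", detect_sinkhole_contacts(DNS_LOG))
```

On the constructed input the breach match names three accounts to reset before anyone has logged in with them, whereas the DNS side only reports 10.0.0.12 (four queries to a .biz domain exactly five minutes apart) and 10.0.0.20 (one lookup answered by the sinkhole address) after those hosts are already compromised. The TLD heuristic is deliberately noisy in the direction of the scenario: the single lookup of news.example.biz is ignored, so real deployments should feed such hits into a second-stage check (reputation, domain age, process that made the query) rather than blocking on them directly.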
Red Sky Alliance is in New Boston, NH, USA and is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 888-RED-XRAY or (888) 733-9729, or e-mail [email protected]
Website: https://www.wapacklabs.com/ LinkedIn: https://www.linkedin.com/company/wapacklabs/ Twitter: https://twitter.com/wapacklabs?lang=en