
360 Managed NDR (mNDR)

Technical Service Description

ExtraHop mNDR Delivered by Binary Defense

ExtraHop Reveal(x) 360 Network Detection and Response (“NDR”) is a platform designed to unmask attackers and weaknesses “on the wire”, the one place where attackers cannot bypass detection. Its capabilities are extensive, and operating it to a high standard takes expertise and time. Recognizing this, ExtraHop has partnered with Binary Defense, a managed security services organization, to deliver a security operations capability that helps customers reach rapid time to value and operational excellence without increasing staffing or absorbing the ramp-up time.

Binary Defense (“provider”) delivers ExtraHop’s NDR product as a managed service, managed NDR (“mNDR”), supplying the security expertise, operational discipline, and product knowledge for customers who want the product without the overhead of operating it themselves.

Two Tiers of Service

The service is offered in two tiers: a basic tier named “Essential” and an advanced tier named “Apex”. A customer can start at the basic tier and move to the advanced tier as their program matures. The two tiers are described below.

Essential

The Essential tier is a basic tier of service intended for customers primarily focused on urgently actionable security threats to their infrastructure. Under this tier, the managed services team identifies active threats based on ExtraHop detections, performs triage to verify and validate each detection, develops a recommendation based on its analysis, and escalates the threat to the customer’s security operations (“SecOps”) team for remediation. The customer receives high-fidelity notifications of potential incidents, with guidance they can act on. In addition to the base ExtraHop detection library, the customer receives the standard Binary Defense detection library maintained by the provider.

The Essential service tier is focused on providing high-fidelity identification and alerting of active attacks and threats to the customer environment. This foundational level of service makes the Essential tier ideal for customers who want the benefits of Network Detection and Response to help them respond to and remediate attacks as they happen, minimizing the impact and decreasing operational risk.

Apex

The Apex tier is an advanced tier of service intended for customers who wish to align ExtraHop’s product capabilities to their security operations (“SecOps”) functions without adding headcount or building in-house capability. In addition to the Essential tier capabilities, Apex customers receive security alerts for environmental weaknesses and emerging threats, higher-fidelity investigations including anomaly-based threat analysis, and, where in scope, correlation with other platforms. Triage also becomes interactive: rather than only alerting on potential incidents, the managed services team works with the customer’s security organization to establish the scope, severity, and implications of the attacks that are identified.

The Apex service tier supports multiple functions of the NIST Cybersecurity Framework (CSF), with automation that continuously identifies and characterizes previously unknown assets in the customer environment, surfaces weaknesses that could become exploitable avenues for attackers, and delivers bespoke detection capabilities. It suits customers who want to get ahead of potential threats with a proactive security program.

Technical Service Description – Essential

The following section describes the “Essential” tier of service for Managed NDR (mNDR), including service scope, delivered capabilities, service tasks, and deliverables. It also outlines what is expected of the customer at this tier, defines the expected outcomes, and defines roles and responsibilities (RACI).

Service Scope

The scope of services for Managed NDR (mNDR) is limited to the customer’s ExtraHop platform components (“ExtraHop platform”) contracted for services. Services do not extend to connected devices, services, or equipment beyond ExtraHop.

Service Capabilities

The following are the service capabilities of ExtraHop mNDR powered by Binary Defense, Essential service tier, aligned to platform management, cyber security operations, and advisory capabilities.

Platform Management

  • Monitoring – provider shall monitor the availability and operational stability of the customer’s ExtraHop platform
  • Platform Support – provider shall facilitate troubleshooting with the customer and ExtraHop as required to remediate operational issues within the product environment, at the Platinum level of support
  • Maintenance – provider shall perform maintenance on the customer’s ExtraHop platform, including user management, platform updates, scheduled maintenance, and platform configuration

Cyber Security Operations

  • SecOps – provider shall provide 24x7x365 security operations support for the customer’s ExtraHop platform to review detections and identify threats to the customer environment in near-real-time
  • Threat Data – provider shall maintain a regularly updated open- and closed-source threat data library for detection and analysis of threats to the customer environment
  • Anomaly Detection – platform shall provide automated alerting of behavior-based anomaly detections using cloud-scale Machine Learning (ML)
  • Rapid Threat Response – provider shall perform a rapid assessment of the customer environment when ExtraHop releases a “Threat Briefings” alert, proactively identifying and alerting the customer to potentially exploitable assets, with the goal of identifying, triaging, and remediating those assets before attackers have an opportunity to exploit them
  • Detection Analysis – provider shall review and triage security threat detections on the customer’s ExtraHop platform with contextual analysis of detection attributes to determine threat criticality and potential impact to the customer environment
  • In-Depth Analysis – provider shall provide packet-level analysis of detections as needed to triage an incident, leveraging full-packet data, including visibility into encrypted communications to the extent the platform provides it, to establish the full nature of an attack and its impact, including a timeline of events and affected assets, as far as packet data is available
  • Recovery Support – provider shall act in a supporting role for forensic investigations to determine the scope of impact (where continuous packet capture is present) for incident recovery operations, providing details needed for the remediation process, such as affected assets, identities, and data, via a ticketing request process
  • Detection Tuning – provider shall collaborate with the customer to identify low-value detections, and detections in the customer environment that the customer would rather not be alerted on

Advisory

  • Prioritized Remediation Guidance – provider shall provide customer with prioritized remediation guidance for clarity of response, minimizing attacker dwell time and opportunity
  • Threat Understanding – provider shall provide customer with insights for incidents, breaking down the technical details of an attack, allowing the client to assess risk and business impact.

Service Deliverables

  • Reporting – provider shall deliver the following reports, as described and on the prescribed schedule
    • Summary Report – system-generated executive overview and summary report of detections, potential risks, and identified assets delivered weekly
    • Asset Observability Report – summary report identifying previously unknown or new assets in the customer environment, delivered bi-weekly
    • Weaknesses Summary Report – summary report identifying observed weaknesses in the infrastructure – assets exhibiting critical weaknesses – such as high-risk protocols, expired certificates and high-risk configurations delivered monthly
  • Event Escalation – provider shall alert the customer of security incidents according to the prioritization schedule below, in line with the provider’s escalation criteria and service level objectives
    • Upon receiving an Alert, the SOC Analyst performs Initial Triage, Prioritization, and full Cyber Kill Chain Analysis. Their findings are documented within an Escalation Ticket and “peer reviewed” by a T2 or T3 Analyst within the SOC
    • Once peer reviewed, the Escalation Ticket is sent to the client with tactical mitigation recommendations and the SOC is available to support the client post-escalation through answering questions and providing additional information as needed
    • In the event of an Urgent (P1) Incident, the SOC contacts the client by phone to ensure mitigation steps are taken as quickly as possible
  • Remediation Guidance – for security events escalated to client, provider shall include remediation guidance where warranted, and collaborate with customer to fine-tune remediation recommendations to the customer’s environment and capabilities

Expectations and Service Level Objectives (SLO)

The section below defines prioritization levels, outlines a prioritization schedule, and provides service level objectives (SLO) for managed NDR (mNDR) powered by Binary Defense.

Prioritization Schedule

Priority One (P1) – a priority one event severely impacts customer business or technical operations or causes a complete business outage; secondarily, a priority one event is one where an imminent threat is detected that has not yet become an incident but has the potential to severely impair or degrade business operations in the immediate future.

Examples of P1 events include a malware infection that is actively exfiltrating sensitive data, or one that makes a mission-critical system unavailable or places it at severe risk of causing a complete business disruption, for example a ransomware infection that is spreading rapidly through the environment and has impacted critical business services.

Priority Two (P2) – a priority two event significantly impacts customer business or technical operations, or causes significant degradation of sensitive business systems; secondarily, a priority two event may become an incident: an analyst determines there is a high probability that the current significant impact will become a severe disruption in the near future if left unaddressed.

Examples of P2 events include a ransomware infection that is localized to only a few systems, or one impacting non-business-critical operations such that there is little or no business disruption or continuity issue, for example a malware infection that reached important systems but is prevented from going further by compensating controls such as containment actions or egress rules.

Priority Three (P3) – a priority three event has low immediate impact but poses some threat to customer business or technical operations; secondarily, a priority three event may be part of a wider attack or provide insight into future adversary operations, and should be reviewed and noted.

Examples of P3 events include detected reconnaissance activity, low-risk/low-impact malware, or other activity that has no impact on the customer environment, for example scans of SSH servers, port scans, or other reconnaissance activity.

Note: Incidents where the classification cannot be determined using available data are by default classified as Priority One. Typically, security incidents where there is not enough data to determine scope and severity are assumed to be of the highest classification, until properly re-classified with verifiable data. Incidents may be re-classified as investigations unfold, and as the provider SOC interacts with the customer to determine the full scope and impact of an event or incident.

Priority | Communication Method              | Detection Notification | Escalation Notification
P1       | Primary: phone; Secondary: ticket | 30 minutes*            | 4 hours
P2       | Primary: ticket                   | 8 hours                |
P3       | Primary: ticket                   | 24 hours               |
P4       | Primary: ticket                   | 72 hours               |

* P1 incidents: contact by phone within 30 minutes; investigation ticket escalation within 4 hours

Expectations of Customer

  • Client will allow outbound communication of platform alerts to the provider monitoring system; this is essential for alerting and ticketing
  • Client will monitor and work within the Binary Defense ticketing system/platform
  • Client will allow outbound communication from ExtraHop devices to ExtraHop and Binary Defense systems for management and monitoring
  • Client will enable remote access to the ExtraHop devices on their network for ExtraHop and Binary Defense management, administration, and monitoring, as needed

Expected Outcomes

Customer outcomes from the Essential service tier of managed NDR powered by Binary Defense are as follows:

  • Management – 24x7x365 management and monitoring of ExtraHop platform, virtual or physical, as contracted in the agreement
  • Analyst Coverage – 24x7x365 SOC and analyst coverage of security detections, incidents, and escalations with SLOs as defined above in this document
  • Detection Expertise – Review, triage, and provide customer with analysis of detections raised in the ExtraHop platform
  • Collaboration – Collaborate with customer in incident scenarios – providing remediation guidance and contextual understanding of declared incidents and security events by ticket update as needed during an active incident

Technical Service Description – Apex

The following section describes the “Apex” tier of service for Managed NDR (mNDR), including service scope, delivered capabilities, service tasks, and deliverables. It also outlines what is expected of the customer at this tier, defines the expected outcomes, and defines roles and responsibilities (RACI).

Service Scope

The scope of services for Managed NDR (mNDR) is limited to the customer’s ExtraHop platform components (“ExtraHop platform”) contracted for services. Services do not extend to connected devices, services, or equipment beyond ExtraHop.

Service Capabilities

The following are the service capabilities of ExtraHop mNDR powered by Binary Defense, Apex service tier, aligned to platform management, cyber security operations, and advisory capabilities.

Platform Management

  • Monitoring – provider shall monitor the availability and operational stability of the customer’s ExtraHop platform
  • Platform Support – provider shall facilitate troubleshooting with the customer and ExtraHop as required to remediate operational issues within the product environment
  • Maintenance – provider shall perform maintenance on the customer’s ExtraHop platform, including user management, platform updates, scheduled maintenance, and platform configuration

Cyber Security Operations

  • SecOps – provider shall provide 24x7x365 security operations support for the customer’s ExtraHop platform, including L1 and L2 SOC analyst coverage, to review detections and identify threats to the customer environment in near-real-time
  • Threat Data – provider shall maintain a regularly updated open- and closed-source threat data library for detection and analysis of threats to the customer environment
  • Anomaly Detection – platform shall provide automated alerting of behavior-based anomaly detections using advanced machine learning and the ExtraHop ThreatCloud
  • Rapid Threat Response – provider shall perform a rapid assessment of the customer environment when ExtraHop releases a “Threat Briefings” alert, proactively identifying and alerting the customer to potentially exploitable assets, with the goal of identifying, triaging, and remediating those assets before attackers have an opportunity to exploit them
  • Detection Development – provider will continuously tune and update the deployed detection library using industry frameworks such as MITRE ATT&CK and the Cyber Kill Chain, limited in scope to detections that use network attributes (such as port, protocol, and payload) in detection rules
  • Detection Analysis – provider shall review and triage security threat detections on the customer’s ExtraHop platform with contextual analysis of detection attributes to determine threat criticality and potential impact to the customer environment
  • In-Depth Analysis – for P1 events, provider shall provide packet-level analysis of detections as needed to triage an incident, leveraging full-packet data, including visibility into encrypted communications within the limitations of the current platform, to establish the full nature of an attack and its impact, including a timeline of events and affected assets, as far as packet data is available
  • Recovery Support – provider shall support customer incident recovery operations by providing details needed for the remediation process, such as affected assets, identities, and data
  • Detection Tuning – provider shall collaborate with the customer to identify low-value detections, and detections in the customer environment that the customer would rather not be alerted on
  • Asset Analysis Prioritization – provider shall work with the customer to establish prioritization for critical assets
  • Anomaly Investigation – provider shall investigate potentially significant security incidents identified through anomaly detection in the platform
  • Incident Investigation – provider will correlate across multiple security events to identify patterns and trends that may indicate a larger incident. In response to these events, provider may leverage additional data sets and platforms outside of ExtraHop, as available, to investigate.

Advisory

  • Prioritized Remediation Guidance – provider shall provide customer with prioritized remediation guidance for clarity of response, minimizing attacker dwell time and opportunity
  • Threat Understanding – provider shall provide customer with insights for incidents, breaking down the technical as well as business impact arising from threat detections

Service Deliverables

  • Reporting – provider shall deliver the following reports, as described and on the prescribed schedule
    • Summary Report – system-generated executive overview and summary report of detections, potential risks, and identified assets delivered weekly
    • Asset Observability Report – summary report identifying previously unknown or new assets in the customer environment, delivered bi-weekly
    • Weaknesses Summary Report – summary report identifying observed weaknesses in the infrastructure – assets exhibiting critical weaknesses – such as high-risk protocols, expired certificates and high-risk configurations delivered monthly
  • Incident Alerting – provider shall alert the customer of security incidents according to the prioritization schedule, in the manner agreed upon during onboarding, defaulting to the Binary Defense (BDS) ticketing system
  • Detection Library – as described above, provider shall deliver a curated detection library, limited in scope to network activity, to aid investigations and identify threats to the customer environment. Provider will develop custom security detections when necessary to assist in defending against active threats or to support client-specific security needs
  • Remediation Guidance – provider shall include remediation guidance where warranted, and collaborate with the customer to fine-tune remediation recommendations to the customer’s environment and capabilities

Expectations and Service Level Objectives (SLO)

The section below defines prioritization levels, outlines a prioritization schedule, and provides service level objectives (SLO) for managed NDR (mNDR) powered by Binary Defense.

Prioritization Schedule

Priority One (P1) – a priority one event severely impacts customer business or technical operations or causes a complete business outage; secondarily, a priority one event is one where an imminent threat is detected that has not yet become an incident but has the potential to severely impair or degrade business operations in the immediate future.

Examples of P1 events include a malware infection that is actively exfiltrating sensitive data, or one that makes a mission-critical system unavailable or places it at severe risk of causing a complete business disruption, for example a ransomware infection that is spreading rapidly through the environment and has impacted critical business services.

Priority Two (P2) – a priority two event significantly impacts customer business or technical operations, or causes significant degradation of sensitive business systems; secondarily, a priority two event may become an incident: an analyst determines there is a high probability that the current significant impact will become a severe disruption in the near future if left unaddressed.

Examples of P2 events include a ransomware infection that is localized to only a few systems, or one impacting non-business-critical operations such that there is little or no business disruption or continuity issue, for example a malware infection that reached important systems but is prevented from going further by compensating controls such as containment actions or egress rules.

Priority Three (P3) – a priority three event has low immediate impact but poses some threat to customer business or technical operations; secondarily, a priority three event may be part of a wider attack or provide insight into future adversary operations, and should be reviewed and noted.

Examples of P3 events include detected reconnaissance activity, low-risk/low-impact malware, or other activity that has no impact on the customer environment, for example scans of SSH servers, port scans, or other reconnaissance activity.

Note: Incidents where the classification cannot be determined using available data are by default classified as Priority One. Typically, security incidents where there is not enough data to determine scope and severity are assumed to be of the highest classification, until properly re-classified with verifiable data. Incidents may be re-classified as investigations unfold, and as the provider SOC interacts with the customer to determine the full scope and impact of an event or incident.

Priority | Communication Method              | Detection Notification | Escalation Notification
P1       | Primary: phone; Secondary: ticket | 30 minutes*            | 4 hours
P2       | Primary: ticket                   | 8 hours                |
P3       | Primary: ticket                   | 24 hours               |
P4       | Primary: ticket                   | 72 hours               |

* P1 incidents: contact by phone within 30 minutes; investigation ticket escalation within 4 hours

Expectations of Customer

  • Client will allow outbound communication of platform alerts to the provider monitoring system; this is essential for alerting and ticketing
  • Client will monitor and work within the Binary Defense ticketing system/platform
  • When necessary, client will allow outbound communication from ExtraHop devices to ExtraHop and Binary Defense systems for management and monitoring
  • When necessary, client will create and allow remote access to the ExtraHop devices on their network for ExtraHop and Binary Defense management, administration, and monitoring, as needed

Expected Outcomes

Customer outcomes from the Apex service tier of managed NDR powered by Binary Defense are as follows:

  • Management – 24x7x365 management and monitoring of ExtraHop platform, virtual or physical, as contracted in the agreement
  • Analyst Coverage – 24x7x365 SOC and analyst coverage of security detections, incidents, and escalations with SLOs as defined above in this document
  • Detection Expertise – Review, triage, and provide customer with analysis of detections raised in the ExtraHop platform
  • Collaboration – Collaborate with customer in incident scenarios – providing remediation guidance and contextual understanding of declared incidents and security events by ticket update as needed during an active incident
  • Advanced Capabilities – Security capabilities including custom detections, proactive security capabilities, and weakness detection and analysis
  • Incident Support – Work in a supporting role to provide data, requested packet-based evidence (where available), or operational support to rapidly close out and remediate issues in scenarios where a customer experiences a serious incident.

Roles & Responsibilities

Customer Onboarding – Operational Handoff

  • Customer will designate a single point of contact for required tasks and resolution of any onboarding-related issues, and will provide contact information and escalations information
  • ExtraHop will provide a Coordinator (key point of contact, or project manager) and a Solutions Architect (subject-matter expert) to ensure implementation is complete and ready for operational hand-off. Note: Managed NDR customers are required to purchase implementation services through ExtraHop professional services.
  • Binary Defense will provide an Onboarding Coordinator to ensure smooth transition into the service, and will provide contact information and escalations information

Platform Management

  • Customer will designate a single point of contact for contact, coordination, and resolution of all platform management related issues
  • ExtraHop will provide break-fix support through Binary Defense, following the support process
  • Binary Defense will initiate, coordinate, and collaborate with customer and ExtraHop support to resolve platform availability issues
  • Binary Defense will plan, deploy, and validate platform updates and configuration changes as required

CyberSecurity Operations

  • Customer will provide a point of contact for security operations issues, and an escalation matrix with details to contact as needed in case of escalations
  • Binary Defense will provide technical security expertise to triage, investigate and escalate, and support customer’s ExtraHop platform as defined in this document
  • Binary Defense will notify customer point of contact of security incidents in accordance with the escalation matrix defined in this document
  • Binary Defense will maintain ticketing platform as store of record, unless otherwise defined in the customer agreement

Exceptions and Escalations

  • Customer will provide an escalation matrix for exceptions and escalations, as defined in this document
  • Customer will respond to escalations and exceptions notifications, and work in collaboration with Binary Defense to perform recommended actions and rapidly remediate issues identified
  • Binary Defense will notify customer of any exception conditions or escalations according to the prioritization matrix, defined in the customer’s service tier
  • Binary Defense will perform escalations activities as defined in the prioritization matrix, defined in the customer’s service tier

Customer Onboarding – Operational Handoff

This section defines the technical components required and the operational handoff process for Managed NDR: the items that must be completed for Binary Defense to successfully onboard a customer into the managed NDR service.

Required Components

  • Architect and Design – Customer will provision the data capture infrastructure needed to deliver packet flows to the ExtraHop sensors. ExtraHop will provide high-level guidance on what a quality data feed requires, but the implementation and architecture of the data feed are the responsibility of the customer
  • Deploy – Customer will install any physical appliances into the customer’s data center(s) and virtual sensor(s) on-premises or in the cloud, and will allocate and provision a management IP address for administrative access to the sensor(s)
  • Implement – Customer and ExtraHop will work jointly to complete appliance-specific post-deployment checklists to ensure that default passwords are changed, NTP and time zone are set, SSL certificates are configured, cloud service terms are accepted, firewall rules are configured, and secure remote access is enabled for the ExtraHop account and support teams
    • Customer “360 Admin” will create local accounts for the provider, granting “System and Access Administration” privileges
  • Customize – Customer and ExtraHop will jointly:
    • review and validate the data feed in the ExtraHop console
    • connect appliances
    • configure syslog, webhooks, and open data streams for Detections, Alerts, and System Health notifications to the client’s SIEM and/or Binary Defense
    • classify customer-owned non-RFC1918 (public) IP addresses as part of the internal network
    • target specific device groups for advanced analysis
    • configure device discovery
    • deploy forwarders (as needed) and configure integrations (if needed)
    • configure tuning parameters
  • Customer Handoff – ExtraHop will deliver knowledge transfer, documentation, and a deployment diagram, and will review with the Customer and Binary Defense that the ExtraHop platform meets the requirements outlined in the Architect, Deploy, Implement, and Customize deliverables
  • Operational Handoff – once the customer’s environment is complete and ready for management, the following steps transition the customer’s ExtraHop Reveal(x) 360 platform into the provider’s management cadence:
    • ExtraHop will facilitate a handoff meeting, including customer stakeholders and Binary Defense point of contact
    • Binary Defense will provide customer with necessary accounts to be added into the console for management
    • Customer will add accounts, and Binary Defense will test to ensure creation was successful
    • ExtraHop will deliver the Handoff step, as defined in Required Components (above in this document)
    • Customer and Binary Defense will validate the escalation matrix and contact sheet(s)
    • Binary Defense will provide customer a walk-through of the ticketing platform and security and platform management ticketing workflows
    • Binary Defense will create accounts, and validate functionality in the Binary Defense security platform

Start of Service

Service begins as soon as one or more sensors connect to the central management console after data-feed validation, with an expected service effective date within 30 days of the ExtraHop contract signature date.

Platform Management

This section explicitly outlines the tasks and responsibilities of ExtraHop platform management by Binary Defense.

  • Sensor management – Provider shall schedule, deploy, and verify sensor upgrades/updates using a change management process coordinated with customer
  • Administrative Functions – Provider shall perform user management functions, add/update/remove users and roles for platform functionality as required
  • Health check – Provider shall manage and maintain the health and operational capability of sensors

Support & Security Escalations

This section describes the workflow and process for various escalations that may be required during the course of Security Operations of the mNDR service.

Support Issues

Customer support issues will function according to the following process guidelines.

  • Customer will log into Binary Defense ticketing platform to open a general support ticket
  • ExtraHop will provide support by working cases submitted by the provider into the dedicated ExtraHop support queue; escalations move existing support cases into the engineering escalations queue as needed
  • When necessary and prudent, as determined by the provider, a conference bridge will be established to work critical support issues through resolution
  • Provider shall have access to customer account and support tickets through ExtraHop, on behalf of the customer, from start until end of contractual relationship

Security Issues

Security incidents will function according to the following process guidelines.

  • Customer will receive alerts with the appropriate method, per the Prioritization matrix as defined in this document
  • Security issues will be treated as sensitive, requiring the appropriately defined contact as defined in the escalation matrix
  • Binary Defense will collaborate with the customer on security issues, using the Binary Defense ticketing platform, hosted in a secure facility, as the store of record for identified issues
  • When necessary and prudent, as determined by the provider, a conference bridge will be established to work critical security issues through resolution

Escalation Matrix (example)

The escalation matrix below defines the roles and priorities for customer contacts, as an example that will be built out during the onboarding phase.

Role    | Contact Name | Contact Email | Contact Phone  | Contact Priority | Notes
Analyst |              |               | (999) 999-9999 | Primary          |
Manager |              |               |                | Secondary        |
CISO    |              |               |                | Escalation 1     |
        |              |               |                | Escalation 2     |
        |              |               |                | Escalation 3     |

The escalation matrix below defines the roles and priorities for Binary Defense contacts

Role            | Contact Name | Contact Email | Contact Phone  | Contact Priority | Notes
Account Manager |              |               | (999) 999-9999 | Primary          |
Role #2         |              |               |                | Secondary        |
Role #3         |              |               |                | Escalation 1     |
                |              |               |                | Escalation 2     |
                |              |               |                | Escalation 3     |