
BI.Zone EDR (Endpoint Detection and Response), formerly BI.Zone Sensors

Product
Developers: BI.Zone (Safe Information Zone, Bison)
Last Release Date: 2023/09/12
Technology: Distributed Deception Platform (DDP), Security Information and Event Management (SIEM)

Main article: Security Information and Event Management (SIEM)

2023

Release of Deception module for BI.Zone EDR

On September 12, 2023, BI.ZONE announced the release of the Deception module for BI.ZONE EDR (Endpoint Detection and Response, formerly BI.ZONE Sensors). The Deception module makes it possible to detect, already at the reconnaissance stage, even an advanced attacker who is able to bypass the usual detection mechanisms. Key EDR features are now available not only on Linux and Windows but also on macOS.

Deception lets you create decoy objects that are indistinguishable from the customer's real infrastructure objects, both on endpoints and in the Active Directory domain. The bait attracts the attacker's attention because it looks potentially useful for developing the attack. The intruder interacts with it during reconnaissance and while developing the attack inside the compromised infrastructure, and so falls into the trap. The trap can be any workstation or server in the corporate network with the BI.ZONE EDR agent installed.

BI.ZONE EDR records both attempts to access the bait and attempts to use bait accounts to reach corporate network resources or to authenticate in an Active Directory domain. This yields high-precision attack alerts. Incident data appears in the product interface and can also be forwarded to external IRP/SOAR/SIEM systems for further response. Thus, Deception detects attacks that cannot be detected in any other way, or ensures they are detected early, before lateral movement across the intranet begins.

The Deception module adapts the decoys to the specifics of the customer's infrastructure so that the attacker does not suspect that a fake object is in front of him. In particular, the bait follows the company's account naming format, and activity is emulated on behalf of the fake accounts.

"BI.ZONE EDR is a product on the Russian market in which EDR and Deception are presented on a single technological platform. The customer does not need to install two different solutions; this saves time and resources for the purchase, implementation and maintenance of the product. Any host with an installed agent becomes a trap automatically, without requiring the deployment of separate servers for this task, and EDR receives an additional threat detection technology,"
noted Teymur Heirhabarov, Director of the Department of Cyber Threat Monitoring, Response and Research.

Domain traps include fake accounts in Active Directory: accounts placed in a privileged group, accounts with Kerberos pre-authentication disabled or with reversible encryption enabled, and fake service accounts in Active Directory with the service principal name (SPN) attribute set.

Local traps include fake credentials stored in a browser or in the OS's standard credential manager, fake credentials planted in process memory, OS configuration files and utility configurations containing fake credentials, and Windows registry keys containing fake credentials.

Another major update, support for EDR on macOS, expands monitoring, detection and response features on Apple devices. The agent collects a wide range of telemetry from devices running macOS and, on a schedule, inventories historical data and the configuration of the device and OS. Combining monitoring of current activity with an inventory of historical data and device configuration makes it possible to identify not only active attacks but also past compromises, configuration flaws and vulnerabilities that an attacker could exploit to develop an attack. BI.ZONE EDR also provides effective response actions on macOS. The capabilities of the macOS agent and the Deception module are available to SOC/MDR clients of the BI.ZONE TDR service.
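To make the detection side of the domain traps concrete, here is an added example (not BI.ZONE's code) of the kind of check that turns bait-account activity into an alert: it scans Windows Security log records for any Kerberos or logon event that names a decoy account and groups the hits per source host. The decoy names, the log records and the IP addresses are constructed for illustration; the event IDs are the standard Windows Security ones.

```python
from collections import defaultdict

# Added example, not BI.ZONE EDR code. Decoy names and log records are
# constructed for illustration. Decoy inventory: sAMAccountName -> trap property.
DECOY_ACCOUNTS = {
    "svc-backup-old": "service account with an SPN set",
    "adm-legacy": "placed in a privileged group",
    "helpdesk-tmp": "Kerberos pre-authentication disabled",
    "sql-replica": "reversible encryption enabled",
}

# Windows Security event IDs in which a decoy account can be named.
USAGE_EVENTS = {
    4768: "Kerberos TGT (AS-REQ) for the account",
    4769: "Kerberos service ticket (TGS-REQ) for the account's SPN",
    4624: "successful logon",
    4625: "failed logon",
}

def decoy_hits(events):
    """One hit per record naming a decoy. Records are dicts with EventID,
    TargetUserName, ServiceName (4769 only) and IpAddress; no legitimate
    process touches a decoy, so every hit is a high-precision signal."""
    hits = []
    for ev in events:
        label = USAGE_EVENTS.get(ev.get("EventID"))
        if label is None:
            continue
        # 4769 names the SPN owner (ServiceName) separately from the requester.
        names = {str(ev.get(k, "")).lower() for k in ("TargetUserName", "ServiceName")}
        for name in sorted(n for n in names if n in DECOY_ACCOUNTS):
            hits.append({"source": ev.get("IpAddress", "?"), "account": name,
                         "trap": DECOY_ACCOUNTS[name], "activity": label})
    return hits

def hits_by_source(events):
    """Group hits by source IP: one host probing several decoys is the
    reconnaissance pattern the Deception module is meant to surface."""
    grouped = defaultdict(list)
    for h in decoy_hits(events):
        grouped[h["source"]].append(h)
    return dict(grouped)

SAMPLE_LOG = [  # constructed; real records come from the DC's Security log
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs-fs01", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob", "ServiceName": "svc-backup-old", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "TargetUserName": "helpdesk-tmp", "IpAddress": "10.0.0.77"},
    {"EventID": 4625, "TargetUserName": "ADM-Legacy", "IpAddress": "10.0.0.77"},
]
```

Running `hits_by_source(SAMPLE_LOG)` yields no hits for 10.0.0.5 and three for 10.0.0.77, which touched an SPN decoy, a pre-auth-disabled decoy and a privileged-group decoy in turn.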

Implementation in Angara SOC

Angara Security has deployed BI.Zone's EDR-class solution in its SOC; the company announced this on June 5, 2023.

BI.Zone Sensors will help Angara Security strengthen its expertise in protecting endpoints from complex threats, increase its detection capabilities, speed up decision-making when analyzing suspected incidents, and ultimately provide customers with a better service for monitoring and responding to cyber incidents.