Home  >  APT29  >  Results  >  Secureworks  >  Configuration

Secureworks Configuration

Product Versions

The evaluation included the following Secureworks offers

  • Red CloakTM Threat Detection and Response (agent version 2.0.7.10)
  • Managed Detection and Response Service

Description

Secureworks Red Cloak™ Threat Detection and Response (TDR) is a cloud-native security analytics application for security analysts to detect, investigate, and respond to security incidents. It is also the foundation for Managed Detection and Response powered by Red Cloak - a 24x7 managed security service that combines the following components;

  • Red Cloak™ Threat Detection and Response (TDR) for security analytics
  • 24x7 Alert investigation, validation, analysis, and proactive response
  • Live Chat with security experts
  • Proactive threat hunting
  • Remote Incident Response Assistance
  • Integrated threat intelligence

Red Cloak TDR collects and analyzes data from your endpoints, network, and cloud environments and uses threat intelligence to alert malicious activity. TDR applies the intelligence Secureworks gathers from over 1,000 incident response engagements performed annually as well as threat actor research performed by the Secureworks Counter Threat Unit™ research team. With Managed Detection and Response powered by Red Cloak, our security analysts are on watch 24x7 to investigate malicious activity, take response actions to reduce risk, and hunt for suspicious behaviors that could evade security controls.

Red Cloak TDR uses advanced analytics, machine learning, and deep learning strategies, collectively called ‘Detectors’, to identify suspicious and malicious activity. We create detectors based on our understanding of how adversaries act in the wild. Our purpose-built detectors ensure early and accurate alerting of adversary behavior. In fact, alerts in TDR are mapped to the MITRE ATT&CK framework to provide a common industry terminology for communicating techniques and tactics. TDR has detectors for phishing techniques, command and control activity including domain generation algorithms, DDOS, login anomalies, stolen credentials as well as a library of Tactic Graphs™ which correlate data points from endpoint and network sources to show living off the land and other ‘fileless’ intrusion techniques. Secureworks data scientists and researchers are continuously tuning, enriching, and adding to TDR detectors.

To enable the advanced analytics, TDR collects alerts, events, and telemetry from endpoint, network, and cloud sources. To enable endpoint visibility, the Secureworks Red Cloak Endpoint Agent is available as part of the solution or EDR tools supported by the Red Cloak Endpoint Partner Program can also be used. To enable network visibility, the Secureworks iSensor or a comprehensive list of supported firewall vendors can be used. TDR also leverages native cloud environment APIs for visibility and for taking response actions.

Product Configuration

The Secureworks agent collects ETW events for Red Cloak TDR. In the case of the PowerShell events that we used for the MITRE testing, those are captured through a feature called Script Block Logging that is default in PowerShell 5.0 and later. What we enabled prior to the MITRE testing is collecting additional ETW events. This config is currently available for customer use and will be the default config in the next release (May 2020).