2023-08-09

If we look back at the mass exploitation events that shook the security industry, such as Log4j, Atlassian, and Microsoft Exchange, each was tied to a different CVE while it was being actively exploited, yet the detection and response guidance released by the various security vendors had many similarities (e.g., Log4Shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs. ManageEngine vs. Atlassian Confluence).

Admittedly, the components of each piece of software were different, but the guidance was by and large the same. That is because financially motivated attackers' goals and objectives did not change: they sought, and will continue to seek, a particular type of asset with a particular set of capabilities, in order to extort money from organizations through the theft or destruction of data.

Attackers mainly exploit public-facing services to exfiltrate data in bulk, expand access to internal resources, or deploy ransomware. They usually achieve these objectives by gaining unauthorized access to the victim environment, either with valid credentials or by exploiting the public service to bypass authentication, achieve remote code execution, or upload a web shell. Because the attackers keep doing the same things, defenders have focused on collecting the same types of data: authentication logs, web access logs, process execution events, filesystem activity, and file transfer activity.

Most recently, we have seen repeat offenses in the mass exploitation of managed file transfer (MFT) solutions, which raises the question: how can we take what we have learned from previous mass exploitation events and apply it to prevent MFT exploitation from scaling further? To help the community offload some of these learnings, IBM Security X-Force is releasing a common detection and response framework for MFTs, where the only customization required is the product-specific process names, paths, ports, log files, and so on. This blog analyzes how we built the framework and explores how AI can be used to scale detection guidance beyond MFTs.
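To make the "common framework, product-specific knobs" idea concrete, here is an added example (written for this page, not X-Force's own framework code) that keeps the detection logic shared and isolates per-product details in a profile. The profile values (`mft_service.exe`, the `/uploads/` web root) and the log lines and process events are constructed placeholders, not facts about any real MFT product. The three rules map to the data sources named above: a web access log rule for a server-side script written under the web-reachable upload directory, a process execution rule for the MFT service spawning an interactive shell, and a file transfer rule for one client pulling an unusual volume of data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class MftProfile:
    """Per-product knobs; the detection functions below are product-agnostic.
    Ports and log file paths would be further fields in a fuller profile."""
    name: str
    service_process: str   # hypothetical MFT service binary name
    web_root: str          # URL prefix where uploaded files become web-reachable


# Hypothetical profile with constructed values (not a real vendor's process or path).
EXAMPLE_PROFILE = MftProfile("example-mft", "mft_service.exe", "/uploads/")

SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "sh", "bash"}
SCRIPT_EXT = re.compile(r"\.(aspx?|jspx?|php|cshtml)$", re.IGNORECASE)
# Common-log-format style line: ip - - [ts] "METHOD path HTTP/x" status bytes
WEB_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<bytes>\d+)"
)


def detect_web_shell_drop(web_lines, profile):
    """Successful POST/PUT of a server-side script under the web-reachable upload root."""
    hits = []
    for line in web_lines:
        m = WEB_LINE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        path = m["path"].split("?", 1)[0]
        if (m["method"] in ("POST", "PUT") and path.startswith(profile.web_root)
                and SCRIPT_EXT.search(path) and m["status"].startswith("2")):
            hits.append((m["ip"], path))
    return hits


def detect_shell_children(proc_events, profile):
    """The MFT service process spawning an interactive shell (web shell / RCE follow-on)."""
    return [(e["pid"], e["child"]) for e in proc_events
            if e["parent"].lower() == profile.service_process.lower()
            and e["child"].lower() in SHELL_CHILDREN]


def detect_bulk_download(web_lines, threshold_bytes):
    """A single client pulling more than threshold_bytes across successful GETs."""
    totals = {}
    for line in web_lines:
        m = WEB_LINE.match(line)
        if m and m["method"] == "GET" and m["status"] == "200":
            totals[m["ip"]] = totals.get(m["ip"], 0) + int(m["bytes"])
    return sorted(ip for ip, total in totals.items() if total > threshold_bytes)


def run_framework(web_lines, proc_events, profile, bulk_threshold=1_000_000):
    """Run the shared rule set against one product's telemetry using its profile."""
    return {
        "web_shell_drop": detect_web_shell_drop(web_lines, profile),
        "shell_child": detect_shell_children(proc_events, profile),
        "bulk_download": detect_bulk_download(web_lines, bulk_threshold),
    }


# Constructed sample telemetry (documentation IP ranges, invented timestamps).
SAMPLE_WEB_LOG = [
    '198.51.100.7 - - [09/Aug/2023:10:00:01 +0000] "POST /uploads/health.aspx HTTP/1.1" 201 512',
    '198.51.100.7 - - [09/Aug/2023:10:00:05 +0000] "GET /uploads/health.aspx HTTP/1.1" 200 88',
    '203.0.113.9 - - [09/Aug/2023:10:01:00 +0000] "POST /uploads/report.pdf HTTP/1.1" 201 4096',
    '203.0.113.9 - - [09/Aug/2023:10:02:00 +0000] "GET /files/q1.zip HTTP/1.1" 200 700000',
    '203.0.113.9 - - [09/Aug/2023:10:02:30 +0000] "GET /files/q2.zip HTTP/1.1" 200 650000',
    '192.0.2.4 - - [09/Aug/2023:10:03:00 +0000] "GET /files/notes.txt HTTP/1.1" 200 2048',
]
SAMPLE_PROC_EVENTS = [
    {"pid": 4120, "parent": "mft_service.exe", "child": "cmd.exe"},
    {"pid": 4188, "parent": "mft_service.exe", "child": "conhost.exe"},
    {"pid": 5012, "parent": "explorer.exe", "child": "powershell.exe"},
]

if __name__ == "__main__":
    for rule, hits in run_framework(SAMPLE_WEB_LOG, SAMPLE_PROC_EVENTS, EXAMPLE_PROFILE).items():
        print(f"{rule}: {hits}")
```

Onboarding a second MFT product means adding another `MftProfile`, not another copy of the rules; thresholds such as the bulk download limit should be tuned per environment from a baseline of normal transfer volume.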