The goal was to understand the associations between these events and the data or changes they create that could be monitored as part of a detection strategy. This included real-time file activity, network data and process data on the system, events recorded in the system or application logs, and changes in the application’s database. All these potential data sources were documented for every application, along with the process required to acquire them.
“Our analysis confirmed our belief: All of these tools are largely architected the same way, which means that the approach to detection and response for all MFT solutions would generally be the same,” the researchers said.
MFT-Detect-Response framework components
The resulting MFT detection and response framework, called MFT-Detect-Response, has several components. MFTData contains details specific to each application, such as process names, file names, file paths, configuration file location, configuration options, log file location, the events logged for various actions, port numbers, dependencies and more.
Another component, called MFTDetect, contains scripts that leverage MFTData to automatically generate detections that can be used with popular incident response and detection tools such as Velociraptor, or with SIEM systems that support the Sigma signature format. The detection signatures trigger if processes associated with the covered MFTs call system tools like powershell, certutil, cmd.exe, or wmic.exe with specific commands or arguments, or if system services like rundll32, regsvr32, mshta, wscript, cscript, or conhost are called by the MFTs in suspicious ways. These Windows tools and services are commonly abused by attackers in post-exploitation activities.
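As an added illustration (not code from the MFT-Detect-Response project), a minimal Python version of the parent/child process-creation check such a signature expresses: the MFT process names, event field names, sample events and high-severity argument fragments are all constructed placeholders standing in for what MFTData would supply.

```python
import ntpath
# Constructed stand-in for MFTData: image names of a hypothetical MFT product.
MFT_PROCESSES = {"mftserver.exe", "mftscheduler.exe"}

# System tools and services the article lists as commonly abused post-exploitation.
ABUSED_CHILDREN = {
    "powershell.exe", "certutil.exe", "cmd.exe", "wmic.exe", "rundll32.exe",
    "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "conhost.exe",
}
# conhost.exe is spawned by every console program, so it only counts when its
# command line also carries a high-severity argument (constructed policy).
NOISY_CHILDREN = {"conhost.exe"}
# Command-line fragments that raise severity (constructed; a real MFTData-driven
# rule set would carry the per-application list the article describes).
HIGH_SEVERITY_ARGS = ("-encodedcommand", "-enc ", "downloadstring", "-urlcache")


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def evaluate_event(event):
    """Return an alert dict for one process-creation event, or None.
    Keys 'parent_image', 'image', 'command_line' are constructed field names."""
    parent, child = basename(event["parent_image"]), basename(event["image"])
    if parent not in MFT_PROCESSES or child not in ABUSED_CHILDREN:
        return None
    cmd = event["command_line"].lower()
    high = any(frag in cmd for frag in HIGH_SEVERITY_ARGS)
    if child in NOISY_CHILDREN and not high:
        return None
    return {"rule": "MFT process spawned abused system tool", "parent": parent,
            "child": child, "severity": "high" if high else "medium"}


def scan(events):
    """Run the rule over process-creation events and return the alerts."""
    return [a for a in map(evaluate_event, events) if a]


# Constructed sample telemetry: explorer->cmd (benign), MFT->conhost (noise),
# MFT->powershell with encoded command (high), MFT->certutil hashing (medium).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"parent_image": r"C:\MFT\mftserver.exe", "image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"\??\C:\Windows\system32\conhost.exe 0x4"},
    {"parent_image": r"C:\MFT\mftserver.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -EncodedCommand AAAA"},
    {"parent_image": r"C:\MFT\mftscheduler.exe", "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -hashfile report.csv SHA256"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two alerts (the powershell and certutil events); the explorer-spawned cmd.exe and the bare conhost.exe launch are suppressed.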
Another framework component, called MFTRespond, contains scripts that help incident responders collect relevant data from one of the supported MFTs when a compromise is suspected. Finally, the MFTPlaybook component contains an MFT incident response playbook template that incident responders can use as a starting point for building incident response playbooks for MFT software.
Using AI to build detection signatures for any application
The IBM X-Force researchers built a proof-of-concept AI engine that leverages IBM’s watsonx AI and data platform to automate the process of building detection solutions like those in the MFT detection framework, but for any type of software. The engine automatically analyzes documentation, forums and system data to identify the processes security teams should monitor, can produce customized detection and response playbooks, and can produce a risk score for defenders based on an analysis of how likely a technology is to be targeted in mass-exploitation attacks if an exploit is released.