What's the concept of metaproducts, and why can't they be classified as SIEM/SOAR/XDR? We explore autopilot mechanisms for result-driven cybersecurity in conversation with a Positive Technologies expert.

Models potential attacker actions

• Predicts the non-tolerable events that suspicious activity may lead to and how many steps are left until risks are realized.
• Prediction is based on:
  • Network reachability of hosts: routing, access lists, NAT rules
  • Account permissions for remote login
  • RCE vulnerabilities on hosts
  • Remote login opportunities through VPN
  • Read access to lsass.exe process memory

Detects hacker activity chains

• Analyzes data from Positive Technologies sensors in the metaproduct and demarcates attacking, targeted, and captured resources.
• Correlates resources to build activity chains informed by knowledge of threat actor TPPs.
• Each chain contains a visualization of the attackers' path, plus a prediction of where they will move next.

Automates investigations

• Uses data from Positive Technologies sensors to build the full attack context and conduct an investigation.
• Obtains enrichment of the following activities:
  • Process startup: process -> session -> user
  • Remote login: RDP, SMB, WMI
  • Movement in the infrastructure: IP -> IP
  • VPN session creation: client IP -> external IP + username

Assesses threat severity

• MaxPatrol O2 views captured resources and assesses the proximity of a non-tolerable event.
  Upon receiving this information, the system escalates attack chain status to "Attention required" before stopping the hacker or prompting the operator to make a decision.
• The threat severity assessment algorithm continues to improve thanks to regular Positive Technologies cyberexercises and the contributions of Standoff 365 Bug Bounty participants.

Stops attackers

• Considers risks to business processes and suggests the optimal response scenario.
  The scenario can be implemented automatically or manually if adjustments are needed.
• Possible response actions:
  • Lock account: in the domain or locally, in Windows, Linux, or Mac.
  • Block IP address in the firewall: incoming/outgoing traffic.
  • Isolate host on the network.
  • Stop running process.
  • Revoke OpenVPN token.
  • Delete email message.

1. Based on the network topology and reachability of hosts, MaxPatrol O2 factors in vulnerability intelligence and models ways in which non-tolerable events might be realized. If risks haven't been identified in advance, the system calculates the attack vectors to the most critical hosts in the infrastructure.
2. MaxPatrol O2 analyzes sensor triggerings and identifies captured, targeted, and attacking resources, such as accounts, hosts, sessions, processes, files, and emails.
3. To assemble an in-depth chain of attacker activity, MaxPatrol O2 queries the relevant sensors for intelligence to build the full attack context, prioritize chains, and decide how to respond.
4. MaxPatrol O2 analyzes the data and correctly links new sensor triggerings with activity chains already in the system. If none of the existing activity chains can be extended with the new data, MaxPatrol O2 creates a new chain to link the triggering received from the sensor.
5. Based on data from the threat prediction module, MaxPatrol O2 assesses the severity level of the attack chain. If it exceeds the threshold value, the system switches the chain to the "Attention required" status and prompts the operator to select response measures.
6. MaxPatrol O2 provides the operator with response options for each resource type to stop the hacker and regain control of the captured resources. All that remains for the operator is to verify the chain and accept the proposed response scenario designed to minimize the impact on the company's critical business processes.