Full Report
A new approach to detect and respond to cloud-native threats
Analysis Summary
This article primarily discusses the challenges and solutions for Security Operations (SecOps) in cloud environments, heavily featuring the capabilities of the "Wiz Defend" product by Wiz. Therefore, the primary focus of the summary will be on the platform and the associated attacks it is designed to counter.
# Tool/Technique: Wiz Defend Platform
## Overview
Wiz Defend is a security operations platform designed to provide SecOps teams with the necessary context, visibility, and automated detection capabilities to address real-time threats in cloud environments. It addresses the limitations of traditional SIEM/EDR tools in handling the volume and complexity of cloud security data by fusing data across identity, data, network, compute, and control planes.
## Technical Details
- Type: Tool (Security Operations Platform)
- Platform: Cloud Environments
- Capabilities: Comprehensive breach readiness analysis, high-fidelity cross-layer threat detection, context-led investigation, native response/containment, agentless scanning capability, mapping coverage to MITRE ATT&CK.
- First Seen: Not explicitly stated for the product launch, but tied to emerging cloud security operations needs.
## MITRE ATT&CK Mapping
The product specifically maps its telemetry coverage to the MITRE ATT&CK matrix for comprehensive breach readiness analysis:
- **Defense Evasion**
  - **T1027** - Obfuscated Files or Information (Implied by needing to detect hidden threats via deep context)
- **Execution**
  - **T1059** - Command and Scripting Interpreter (Relevant to RCE observed in PAN-OS exploitation)
- **Lateral Movement**
  - **T1570** - Lateral Movement (Fundamental capability addressed by cross-layer threat detection)
- **Impact**
  - **T1486** - Data Encrypted for Impact (General malware/ransomware concern)
## Functionality
### Core Capabilities
- **Data Fusion:** Automatically correlates and fuses security data from identity, data, network, compute, and control plane sources.
- **Detection Rules:** Utilizes thousands of detection rules curated by Wiz Research, enhanced by behavioral analytics to reduce noise.
- **Visualization:** Automates the construction of threat graphs and timelines for investigation, leveraging the Wiz Security Graph for deep context.
### Advanced Features
- **Agentless Scanning:** Crucial for monitoring restricted compute instances (like third-party firewalls or appliances) where agents cannot be installed.
- **Breach Readiness Assessment:** Continuously assesses telemetry coverage against the MITRE ATT&CK matrix.
- **AskAI:** Streamlines investigation by providing rich threat stories and answers to responders' immediate questions.
- **Native Response:** Provides opinionated guidance for containment actions at both the control plane and workload levels.
## Indicators of Compromise
The article does not list specific IOCs for the Wiz Defend product itself, but focuses on the IOCs associated with the primary threat discussed in the case study: **The PAN-OS RCE exploitation chain.**
- File Hashes: N/A (Focus shifts to the malware deployed post-exploitation)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A (Focus is on the vulnerability exploitation mechanism)
- Behavioral Indicators: Successful exploitation leading to the deployment of malware and subsequent **lateral movement** to other workloads.
## Associated Threat Actors
- Unspecified advanced threat actors engaged in rapid exploitation of newly disclosed vulnerabilities (e.g., the PAN-OS campaign).
## Detection Methods
Wiz Defend's detection is based on:
- **Contextual Analysis:** Fusing data across cloud layers.
- **Behavioral Analytics:** Tuning alerts to reduce noise.
- **Signature-less Detection:** Relying on rich context (Wiz Security Graph) rather than traditional signatures where agents cannot be deployed.
## Mitigation Strategies
- **Prioritization and Remediation:** Using agentless scanning and risk context (via Wiz Cloud) to identify and prioritize vulnerable assets (e.g., *PAN-OS* devices exposing management interfaces).
- **Improving SecOps Workflow:** Adopting a new operating model that breaks down silos between CloudSec, SecOps, and Dev teams using the common language of the Wiz Security Graph.
- **Response Guidance:** Utilizing opinionated guidance for containment actions provided by Wiz Defend.
## Related Tools/Techniques
- **PAN-OS Vulnerabilities (CVE-2024-0012 & CVE-2024-9474):** The specific exploitation chain detailed in the case study that justifies the need for advanced cloud SecOps detection.
- Traditional SIEM and EDR solutions (identified as insufficient for modern cloud complexity).
***
# Tool/Technique: PAN-OS RCE Exploitation Chain
## Overview
A specific, rapidly exploited vulnerability chain in Palo Alto Networks' PAN-OS software. It allows remote threat actors to achieve Remote Code Execution (RCE) on exposed firewall management interfaces, leading to subsequent malware deployment and lateral movement within the victim's environment.
## Technical Details
- Type: Vulnerability Exploitation/Attack Vector leading to Malware deployment
- Platform: Palo Alto Networks PAN-OS (Firewall Software running on virtualized appliances)
- Capabilities: Authentication bypass, privilege escalation, Remote Code Execution (RCE).
- First Seen: Exploitation in the wild confirmed shortly after disclosure on November 8th, 2023 (0-day campaign).
## MITRE ATT&CK Mapping
The specific techniques align with initial access and execution:
- **Initial Access**
  - **T1190** - Exploit Public-Facing Application
  - **T1190.001** - Exploit Public-Facing Web Application (Applicable as the management interface is exposed)
- **Privilege Escalation**
  - **T1068** - Exploitation for Privilege Escalation
- **Execution**
  - **T1059** - Command and Scripting Interpreter (Achieved via RCE)
## Functionality
### Core Capabilities
- **Authentication Bypass (CVE-2024-0012):** Allows unauthorized access to the PAN-OS management interface if public-facing.
- **Privilege Escalation/RCE (CVE-2024-9474):** Once authenticated (or bypassed), this vulnerability allows elevation to execute arbitrary code.
### Advanced Features
- **Rapid Weaponization:** Proof-of-Concept exploits were added to attacker arsenals almost immediately upon public disclosure, leading to widespread infection within 24 hours for vulnerable, exposed assets.
## Indicators of Compromise
(No direct IOCs provided in the text, but the *context* implies specific attack patterns):
- Behavioral Indicators: Accessing the PAN-OS management interface without proper authentication followed by execution of system commands or unauthorized file drops (malware deployment).
## Associated Threat Actors
- Unspecified threat actors exploiting the vulnerabilities immediately following public disclosure.
## Detection Methods
- **Traditional Tools:** Difficult, because agents cannot be installed on, or are impractical for, third-party or vendor-provided instances such as virtual firewalls.
- **Recommended:** Agentless scanning and visibility (Wiz Cloud) to identify the presence of vulnerable versions, followed by Wiz Defend's cross-layer analysis to detect post-exploitation activity.
## Mitigation Strategies
- Patching PAN-OS with the relevant security advisories.
- Restricting public internet exposure of the PAN-OS management interface.
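The second mitigation above can be checked from the cloud control plane without any agent on the appliance. The following is an added example, not code from the article or from Wiz: it audits constructed ingress rules for firewall instances and flags any rule that lets an untrusted network reach a management port. The `role` tag, the management ports (443 web UI, 22 SSH) and the trusted management CIDR are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed management services on the appliance: HTTPS web UI and SSH CLI.
MGMT_PORTS = {443, 22}
# Assumed: the only networks that are allowed to reach the management interface.
TRUSTED_MGMT_CIDRS = [ipaddress.ip_network("10.50.0.0/16")]


@dataclass(frozen=True)
class IngressRule:
    instance: str  # cloud instance name
    role: str      # assumed workload tag, e.g. "firewall"
    port: int      # destination port opened by the rule
    source: str    # CIDR allowed to reach the port


def rule_exposes_mgmt(rule: IngressRule) -> bool:
    """True when a firewall's management port is reachable from outside the trusted networks."""
    if rule.role != "firewall" or rule.port not in MGMT_PORTS:
        return False
    try:
        src = ipaddress.ip_network(rule.source, strict=False)
    except ValueError:
        # Sources such as "any" cannot be parsed; treat them as exposed, never as safe.
        return True
    # 0.0.0.0/0 or any other non-trusted range (including public ranges) is exposure.
    return not any(
        src.version == trusted.version and src.subnet_of(trusted)
        for trusted in TRUSTED_MGMT_CIDRS
    )


def find_exposed_mgmt(rules):
    """Return sorted (instance, port, source) tuples for every exposing rule."""
    return sorted({(r.instance, r.port, r.source) for r in rules if rule_exposes_mgmt(r)})


# Constructed sample rules for the example; not taken from any real environment.
SAMPLE_RULES = [
    IngressRule("fw-prod-1", "firewall", 443, "0.0.0.0/0"),       # internet-exposed web UI
    IngressRule("fw-prod-1", "firewall", 22, "10.50.3.0/24"),     # inside trusted range
    IngressRule("fw-prod-2", "firewall", 443, "203.0.113.0/24"),  # public range, not trusted
    IngressRule("fw-prod-2", "firewall", 22, "any"),              # unparsable source
    IngressRule("web-1", "web", 443, "0.0.0.0/0"),                # not a firewall, ignored
    IngressRule("fw-dr-1", "firewall", 8443, "0.0.0.0/0"),        # not a tracked mgmt port
]

if __name__ == "__main__":
    for instance, port, source in find_exposed_mgmt(SAMPLE_RULES):
        print(f"EXPOSED: {instance} port {port} open to {source}")
```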
## Related Tools/Techniques
- Lateral movement techniques used post-RCE to compromise other workloads.