Empower SecOps teams to stop incidents before they become breaches
# Analysis Summary
This article primarily introduces a new product, **Wiz Defend**, which is a cloud detection and response solution, rather than detailing a specific piece of malware or a traditional offensive tool/TTP. The focus is on the defensive capabilities and how it maps internal procedures to security frameworks like MITRE ATT&CK for improved cloud security operations.
The summary below follows the standard report format, treating Wiz Defend as the *tool* being described and the cloud attack *techniques* it maps its detections against.
# Tool/Technique: Wiz Defend
## Overview
Wiz Defend is a cloud detection and response product designed to help SecOps, Security Analysts, and Incident Responders gain precise detections, real-time protection, and automation capabilities within cloud environments. It integrates telemetry from various cloud layers (identity, data, network, compute) and uses the Wiz Security Graph to enhance threat detection, investigation, and response across the incident lifecycle.
## Technical Details
- Type: Tool (Cloud Detection and Response Platform)
- Platform: Cloud Environments (supporting identity, data, network, compute, secrets, and PaaS layers)
- Capabilities: Cross-layer threat detection, noise reduction, real-time protection, automated containment, unified investigation storyline, root cause analysis, AI-driven incident story generation, and MITRE ATT&CK mapping.
- First Seen: Announced as a public preview; the announcement is recent and follows Wiz's acquisition of Gem Security in April 2024.
## MITRE ATT&CK Mapping
Wiz Defend actively uses the MITRE ATT&CK framework to align telemetry and identify security gaps using an Incident Readiness dashboard. While the article does not provide specific technique IDs covered by the product's detections, it implies coverage across the entire kill chain relevant to cloud threats:
- **Coverage:** General cloud kill-chain coverage (no specific technique IDs given).
- **Focus areas implied:** Lateral Movement, Container Escape, Automated IAM Attacks.
## Functionality
### Core Capabilities
- **Detection:** Triggering precise, cross-layer threat detections powered by the Wiz Research Team, leveraging thousands of built-in detections combining control plane data, network logs, identity data, and runtime telemetry (via eBPF Sensor).
- **Investigation:** Accelerating Mean Time To Respond (MTTR) through a simplified, unified, and visual timeline that focuses on investigation over manual data correlation.
- **Preparation:** Identifying visibility gaps (missing telemetry, incomplete runtime coverage) and providing recommendations mapped to MITRE ATT&CK.
### Advanced Features
- **AI Integration (AskAI Copilot):** Generates rich "Incident Stories" explaining attack progression and potential impact in natural language, and auto-answers subsequent investigation questions (e.g., attacker access method, subsequent actions).
- **Runtime Response:** Ability to block threats at runtime or execute one-click containment playbooks directly from threat issues.
- **Workflow Integration:** Streamlines processes by integrating with existing SIEM or SOAR platforms.
- **Root Cause Analysis:** Helps bridge organizational silos by linking runtime events back to configuration or code issues, promoting fixing root causes in code.
## Indicators of Compromise
As a defensive platform, Wiz Defend does not itself produce indicators of compromise. Instead, it ingests and correlates cloud-native IOCs and behavioral patterns associated with known cloud threats (such as **SeleniumGreed**).
- File Hashes: N/A (Focuses on correlation, not signature distribution)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Correlates internal cloud network activity, including VPC log sources. (No external C2 indicators listed).
- Behavioral Indicators: Identifies threat progression related to complex cloud attacks such as lateral movement, container escape, and resource abuse.
## Associated Threat Actors
The article does not associate Wiz Defend with specific threat actors, but it references detecting advanced cloud-native attacks, such as the flow demonstrated by **SeleniumGreed** (a cryptomining exploit documented in January 2024).
## Detection Methods
- **Signature-based detection:** Utilizes thousands of built-in rules based on enriched telemetry.
- **Behavioral detection:** Employs behavioral baselines and cross-layer correlation powered by the Wiz Security Graph.
- **YARA rules:** Not mentioned in the article; the eBPF-based sensor suggests deep kernel and workload visibility rather than file-signature scanning.
## Mitigation Strategies
- **Real-time Containment:** Blocking threats at runtime or using one-click containment playbooks.
- **Remediation Generation:** AI generates suggested remediation and response steps.
- **Proactive Hardening:** Closing visibility gaps by addressing missing telemetry and runtime coverage based on ATT&CK alignment checks.
- **Process Improvement:** Fostering a collaborative "security flywheel" between CloudSec, SecOps, and Development teams to fix root causes in code.
## Related Tools/Techniques
- **Gem Security:** The technology stack acquired by Wiz in April 2024 that formed the basis of Defend's SecOps-first capabilities.
- **Traditional Tools (referenced as being replaced or augmented):** SIEM and EDR; Wiz Defend aims to address the cloud-complexity problems these legacy tools struggle with.
- **Attacks Referenced:** Cloud-native attack flow (e.g., SeleniumGreed).