Threat Response Center - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2023-12-27
Last date published: 2024-03-25
Category: User Guide
Solution: Cloud
Abstract

Research and respond to zero-day exploits and global threat events in the Threat Response Center.

SOC teams spend considerable time and money researching and responding to global threat events and zero-day exploits. The Threat Response Center (TRC) in Cortex Xpanse simplifies and streamlines your response to threat events by aggregating the most important information about the threat and its impact on your organization in one place. From the Threat Response Center, you can accomplish the following:

  • Review a curated list of emergent and global threat events, and quickly identify the events that impact your organization.

  • Research a threat event. The Xpanse Security Research Team provides a threat summary, potential exploit consequences, previous exploit activity, and links to other reputable sources for additional information.

  • Assess the impact of a threat event on your organization. Review a detailed list of the affected software, turn on relevant attack surface rules, identify relevant incidents and alerts, and see how the risk is distributed across your organization.

  • Build a Remediation Plan. The Threat Response Center provides remediation guidance for each event, lists of relevant alerts and incidents by status and assignee, and click-throughs to incident and alert pages to begin remediation.

[Image: threat-response-center-intro.png]

You cannot generate a report directly from the TRC, but the visualizations at the top of the TRC page are available for custom report generation in the Widget Library. To find the Widget Library, navigate to Dashboards > Widget Library in the main menu on the left.

Which Threat Events Are Included in the Threat Response Center

Typically, a threat event is defined as a critical or high-risk vulnerability that allows threat actors direct access to assets, leading to widespread impact across corporate networks. Devices and applications affected by such vulnerabilities are at risk of remote exploitation over the public-facing Internet, and these threats often allow threat actors to gain remote control of systems.

Cortex Xpanse considers the following questions when evaluating the level of risk of a threat event and whether to include it in the Threat Response Center:

  • Is it a vulnerability without a patch?

  • Is it a “Known Exploitable Vulnerability” that has been weaponized by threat actors?

  • Can it be exploited remotely over the internet in an unauthenticated manner?

  • Is a proof of concept readily available? Has active exploitation in the wild been reported?

  • How widespread is the impact of the vulnerability? Does it affect many organizations, or is it limited to a certain section of the industry?

  • Is the vulnerability in an application or device that is routinely targeted by attackers?

  • Does it have a vendor severity rating of “Critical” or “High”? Does it have a CVSS score of 9 or higher?

  • Are there geo-political factors in play? (For example, is an APT targeting groups or individuals from specific countries or regions?)
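The questions above amount to a triage checklist an analyst can apply to any vulnerability record. The following is an added, illustrative example of encoding such a checklist in code; it is not Cortex Xpanse's own scoring logic, and the record fields, the CVSS vector parsing used to answer the "remote and unauthenticated" question, the count-based threshold and the sample records (placeholder CVE identifiers, constructed values) are all assumptions made for this example.

```python
# Added illustrative example: a hypothetical triage helper that encodes the
# checklist questions as checks on a vulnerability record. It is NOT Cortex
# Xpanse's own scoring logic; the field names, the CVSS vector parsing and the
# escalation threshold are assumptions made for this example.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class VulnRecord:
    """Facts about one vulnerability, as an analyst might collect them."""
    cve_id: str
    cvss_base: float            # CVSS v3.x base score
    cvss_vector: str            # e.g. "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
    vendor_severity: str        # vendor's own rating, e.g. "Critical"
    patch_available: bool
    in_kev: bool                # listed as a Known Exploited Vulnerability
    poc_public: bool            # a proof of concept is readily available
    exploited_in_wild: bool     # active exploitation has been reported
    widely_deployed: bool       # affects many organizations, not one niche
    routinely_targeted: bool    # product is a frequent attacker target
    geopolitical_factor: bool   # e.g. APT campaigns against specific regions


def parse_cvss_vector(vector: str) -> Dict[str, str]:
    """Parse a CVSS v3.x vector string into a {metric: value} dict.

    Raises ValueError for anything that is not a "CVSS:3.x/..." vector.
    """
    head, sep, rest = vector.partition("/")
    if not sep or not head.startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for item in rest.split("/"):
        name, sep, value = item.partition(":")
        if not sep or not name or not value:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[name] = value
    return metrics


def remote_unauthenticated(vector: str) -> bool:
    """True when the vector says network attack vector (AV:N) and no privileges required (PR:N)."""
    m = parse_cvss_vector(vector)
    return m.get("AV") == "N" and m.get("PR") == "N"


def answer_questions(rec: VulnRecord) -> Dict[str, bool]:
    """Map each checklist question to a yes/no answer for this record."""
    return {
        "no_patch": not rec.patch_available,
        "known_exploited": rec.in_kev,
        "remote_unauthenticated": remote_unauthenticated(rec.cvss_vector),
        "poc_or_itw": rec.poc_public or rec.exploited_in_wild,
        "widespread": rec.widely_deployed,
        "routinely_targeted": rec.routinely_targeted,
        "critical_or_high": rec.vendor_severity.lower() in ("critical", "high")
        or rec.cvss_base >= 9.0,
        "geopolitical": rec.geopolitical_factor,
    }


def triage(rec: VulnRecord, threshold: int = 5) -> Tuple[int, bool, List[str]]:
    """Count the 'yes' answers and flag the record when the count meets threshold.

    The threshold is an assumption for this example, not a published rule.
    Returns (count, should_escalate, names_of_yes_questions).
    """
    answers = answer_questions(rec)
    hits = [question for question, yes in answers.items() if yes]
    return len(hits), len(hits) >= threshold, hits


# Constructed sample records with placeholder identifiers (not real CVEs).
EXAMPLE_HIGH = VulnRecord(
    cve_id="CVE-0000-00001", cvss_base=9.8,
    cvss_vector="CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
    vendor_severity="Critical", patch_available=False, in_kev=True,
    poc_public=True, exploited_in_wild=True, widely_deployed=True,
    routinely_targeted=True, geopolitical_factor=False,
)
EXAMPLE_LOW = VulnRecord(
    cve_id="CVE-0000-00002", cvss_base=6.5,
    cvss_vector="CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
    vendor_severity="Medium", patch_available=True, in_kev=False,
    poc_public=False, exploited_in_wild=False, widely_deployed=False,
    routinely_targeted=False, geopolitical_factor=False,
)

if __name__ == "__main__":
    for rec in (EXAMPLE_HIGH, EXAMPLE_LOW):
        count, escalate, hits = triage(rec)
        print(rec.cve_id, count, "escalate" if escalate else "monitor", hits)
```

Running the block prints one line per sample record: the constructed high-risk record answers seven of the eight questions and is flagged, the low-risk one answers none. The CVSS parser is strict on purpose: a vector that is not CVSS v3 raises instead of silently answering "no" to the remote-exploitation question, so malformed data surfaces rather than lowering a score.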

How Often Is the Threat Response Center Updated?

You can find the latest information on emerging threats in the Threat Response Center. The Xpanse Security Research Team creates and updates threat events in the Threat Response Center in the following situations:

  • When a new threat event occurs and the Xpanse Security Research Team determines the event is critical enough to add to the Threat Response Center.

  • When new information is discovered for existing threat events. The information on a threat event page is updated frequently as a threat evolves.