{"id":7835,"date":"2023-06-12T13:31:33","date_gmt":"2023-06-12T11:31:33","guid":{"rendered":"https:\/\/www.cytomic.ai\/tendencias\/id-700153\/"},"modified":"2023-06-12T14:25:41","modified_gmt":"2023-06-12T12:25:41","slug":"id-700153","status":"publish","type":"post","link":"https:\/\/www.cytomic.ai\/es\/soporte\/id-700153\/","title":{"rendered":"\u00bfQu\u00e9 son los Indicadores de ataque (IOA) en Advanced EPDR\/EDR?"},"content":{"rendered":"[vc_row type=&#8221;full_width_background&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; equal_height=&#8221;yes&#8221; content_placement=&#8221;middle&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; bg_color=&#8221;#7e5994&#8243; scene_position=&#8221;center&#8221; top_padding=&#8221;12&#8243; bottom_padding=&#8221;12&#8243; text_color=&#8221;light&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221; shape_type=&#8221;&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;3\/5&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; 
bg_image_animation=&#8221;none&#8221;][\/vc_column][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/5&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;]<div class=\"iwithtext\"><div class=\"iwt-icon\"> <img decoding=\"async\" src=\"https:\/\/www.cytomic.ai\/src\/uploads\/2020\/03\/support-tiny.svg\" alt=\"\" \/> <\/div><div class=\"iwt-text\"> +34 900 840 407 <\/div><div class=\"clear\"><\/div><\/div>[\/vc_column][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/5&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;]<div class=\"iwithtext\"><div class=\"iwt-icon\"> <img decoding=\"async\" src=\"https:\/\/www.cytomic.ai\/src\/uploads\/2020\/03\/contact-tiny.svg\" alt=\"\" \/> <\/div><div class=\"iwt-text\"> 
support@cytomic.ai <\/div><div class=\"clear\"><\/div><\/div>[\/vc_column][\/vc_row][vc_row type=&#8221;full_width_content&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; equal_height=&#8221;yes&#8221; content_placement=&#8221;top&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; scene_position=&#8221;center&#8221; text_color=&#8221;dark&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221; shape_type=&#8221;&#8221;][vc_column column_padding=&#8221;padding-5-percent&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color=&#8221;#f3f3f3&#8243; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/3&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;][split_line_heading animation_type=&#8221;default&#8221;]<a href=\"#title1\">Productos relacionados_<\/a><\/p>\n<p><a href=\"#title2\">Introducci\u00f3n a conceptos de IOAs_<\/a><\/p>\n<p><a href=\"#title3\">Indicador de ataque avanzado_<\/a><\/p>\n<p><a href=\"#title3\">Gesti\u00f3n de indicadores de ataque_<\/a><\/p>\n<p><a href=\"#title4\">Mostrar todos los indicadores de ataque_<\/a>[\/split_line_heading][\/vc_column][vc_column 
column_padding=&#8221;padding-5-percent&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;2\/3&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;][vc_column_text]\n<h3>\u00bfQu\u00e9 son los Indicadores de ataque (IOA) en Advanced EPDR\/EDR?<\/h3>\n[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686570826591{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title1\">Productos Relacionados_<\/h6>\n[\/vc_column_text][vc_column_text]\n<ul>\n<li>Advanced EPDR<\/li>\n<li>Advanced EDR<\/li>\n<\/ul>\n[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686570878094{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title2\">Introducci\u00f3n a conceptos de IOAs_<\/h6>\n[\/vc_column_text][vc_column_text]En esta secci\u00f3n se incluyen los conceptos que el administrador necesita conocer para comprender los procesos involucrados en la detecci\u00f3n de IOAs, y en la ejecuci\u00f3n de acciones (autom\u00e1ticas y manuales) de resoluci\u00f3n.<\/p>\n<p><strong><span class=\"granate11b\">Evento<\/span><\/strong><br \/>\nAcci\u00f3n relevante ejecutada por un proceso en el equipo del usuario y monitorizada por Advanced EPDR\/EDR. Los eventos se env\u00edan a la nube en tiempo real como parte del flujo de telemetr\u00eda. 
Las tecnolog\u00edas avanzadas de an\u00e1lisis autom\u00e1tico, los analistas y threat hunters los analizan en su contexto para determinar si son susceptibles de pertenecer a la cadena CKC de un ataque inform\u00e1tico.<\/p>\n<p><strong><span class=\"granate11b\">Indicio<\/span><\/strong><br \/>\nSecuencia de acciones poco frecuentes encontradas en los eventos generados por los equipos del cliente y que pueden pertenecer a un ataque inform\u00e1tico en fase temprana.<\/p>\n<p><strong><span class=\"granate11b\">Indicador de ataque (IOA)<\/span><\/strong><br \/>\nEs un indicio con alta probabilidad de pertenecer a un ataque inform\u00e1tico. Por lo general, se trata de ataques en fase temprana o en fase de explotaci\u00f3n. Generalmente, estos ataques no utilizan malware, ya que los atacantes suelen utilizar las propias herramientas del sistema operativo para ejecutarlos y as\u00ed ocultar su actividad. Se recomienda su contenci\u00f3n o resoluci\u00f3n con la mayor urgencia posible.<\/p>\n<p>Para facilitar la gesti\u00f3n de IOAs, Adaptive Defense 360 asocia a cada uno de ellos dos posibles estados, modificables de forma manual por el administrador:<\/p>\n<ul>\n<li><strong>Pendiente<\/strong>: el IOA est\u00e1 pendiente de investigaci\u00f3n y\/o resoluci\u00f3n. El administrador debe comprobar que el ataque es real y tomar las medidas necesarias para mitigarlo. Todos los IOAs nuevos se crean con el estado pendiente asignado.<\/li>\n<li><strong>Archivado<\/strong>: el IOA ya fue investigado por el administrador y las acciones de resoluci\u00f3n se completaron, o no fueron necesarias por tratarse de un falso positivo. 
Por cualquiera de estas razones, el administrador cierra el IOA.<\/li>\n<\/ul>\n<p>Advanced EPDR\/EDR muestra informaci\u00f3n relevante del IOA, como la t\u00e1ctica y t\u00e9cnica MITRE empleadas, los campos del evento registrado en el equipo que gener\u00f3 el IOA y, en caso de estar disponible, los informes siguientes:<\/p>\n<ul>\n<li><strong>Investigaci\u00f3n avanzada del ataque:<\/strong>\u00a0incluye informaci\u00f3n del equipo involucrado, una descripci\u00f3n detallada de la t\u00e1ctica y t\u00e9cnica utilizadas, recomendaciones para mitigar el ataque y la secuencia de eventos que desencaden\u00f3 la generaci\u00f3n del IOA.<\/li>\n<li><strong>Gr\u00e1fica del ataque:<\/strong>\u00a0incluye un diagrama de grafos interactivo con la secuencia de eventos que desencaden\u00f3 la generaci\u00f3n del IOA.<\/li>\n<\/ul>\n<p>Los informes tienen una duraci\u00f3n de un mes desde la generaci\u00f3n del IOA, transcurrido el cual dejar\u00e1n de estar accesibles. A su vez, un informe muestra los eventos que forman parte del ataque en el intervalo de los 30 d\u00edas anteriores a la detecci\u00f3n del IOA.[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686571598365{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title3\">Indicador de ataque avanzado_<\/h6>\n[\/vc_column_text][vc_column_text]Los indicadores de ataque avanzados son aqu\u00e9llos que realizan un seguimiento detallado de las aplicaciones que se ejecutan en los equipos, para detectar comportamientos sospechosos, analizar los eventos generados por las aplicaciones y determinar si constituyen un ataque.<\/p>\n<p>La existencia de este tipo de indicador avanzado por s\u00ed sola no implica que se est\u00e9 produciendo un ataque, y por ello es necesario que el administrador del parque inform\u00e1tico los analice para determinar si se trata de un ataque o no.<\/p>\n<p>Advanced EPDR\/EDR muestra informaci\u00f3n relevante del IOA avanzado, como la t\u00e1ctica y 
t\u00e9cnica MITRE empleadas y la secuencia de eventos registrada en el equipo que lo gener\u00f3.<\/p>\n<p>Los indicadores de ataque avanzados solo son compatibles con equipos con sistema operativo Windows.<\/p>\n<p><strong>CKC (Cyber Kill Chain)<\/strong><br \/>\nLa empresa Lockheed-Martin describi\u00f3 en 2011 un marco o modelo para defender las redes inform\u00e1ticas, en el que se afirmaba que los ciberataques ocurren en fases y cada una de ellas puede ser interrumpida a trav\u00e9s de controles establecidos. Desde entonces, la Cyber Kill Chain ha sido adoptada por organizaciones de seguridad de datos para definir las fases de los ciberataques. Estas fases abarcan desde el reconocimiento remoto de los activos del objetivo hasta la exfiltraci\u00f3n de datos.<\/p>\n<p><strong>Mitre corp.<\/strong><br \/>\nEmpresa sin \u00e1nimo de lucro que opera en m\u00faltiples centros de investigaci\u00f3n y desarrollo financiados con fondos federales dedicados a abordar problemas relativos a la seguridad. Ofrecen soluciones pr\u00e1cticas en los \u00e1mbitos de defensa e inteligencia, aviaci\u00f3n, sistemas civiles, seguridad nacional, judicatura, salud y ciberseguridad. Son los creadores del framework ATT&amp;CK.<\/p>\n<p><strong>ATT&amp;CK (Adversarial Tactics, Techniques, and Common Knowledge)<\/strong><br \/>\nConjunto de recursos desarrollados por la empresa Mitre Corp. para describir y categorizar los comportamientos peligrosos de los ciberdelincuentes, basados en observaciones a lo largo de todo el mundo. ATT&amp;CK es una lista ordenada de comportamientos conocidos de los atacantes, separados en t\u00e1cticas y t\u00e9cnicas, y que se expresan a trav\u00e9s de una matriz. Ya que esta lista es una representaci\u00f3n completa de los comportamientos que los hackers reproducen cuando se infiltran en las redes de las empresas, es un recurso \u00fatil para desarrollar mecanismos tanto defensivos como preventivos y resolutivos por parte de las organizaciones. 
Para m\u00e1s informaci\u00f3n sobre el framework ATT&amp;CK consulta\u00a0<a href=\"https:\/\/attack.mitre.org\/\">https:\/\/attack.mitre.org\/<\/a><\/p>\n<p><strong>T\u00e9cnica (\u201cC\u00f3mo\u201d)<\/strong><br \/>\nEn terminolog\u00eda ATT&amp;CK, las t\u00e9cnicas representan la forma o la estrategia con la que un adversario logra un objetivo t\u00e1ctico. Es decir, el \u201cc\u00f3mo\u201d. Por ejemplo, un adversario, para lograr el objetivo de acceder a algunas credenciales (t\u00e1ctica) realiza un volcado de las mismas (t\u00e9cnica).<\/p>\n<p><strong>Subt\u00e9cnica (\u201cC\u00f3mo\u201d)<\/strong><br \/>\nEn terminolog\u00eda ATT&amp;CK, una subt\u00e9cnica describe un &#8220;c\u00f3mo&#8221; para una t\u00e9cnica particular. Es un proceso o mecanismo para lograr el objetivo de una t\u00e1ctica. Por ejemplo, el Password Spraying es un tipo de ataque de fuerza bruta para lograr el Credential Access.<\/p>\n<p><strong>T\u00e1ctica (\u201cQu\u00e9\u201d)<\/strong><br \/>\nEn terminolog\u00eda ATT&amp;CK, las t\u00e1cticas representan el motivo u objetivo final de una t\u00e9cnica. Es el objetivo t\u00e1ctico del adversario: la raz\u00f3n para realizar una acci\u00f3n.[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686571709774{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title3\">Gesti\u00f3n de indicadores de ataque_<\/h6>\n[\/vc_column_text][vc_column_text]Por defecto, Advanced EPDR\/EDR asigna una configuraci\u00f3n de tipo Indicadores de ataque (IOA) a todos los equipos gestionados de la red, con todos los tipos de IOA activados por defecto. 
Para desactivar la detecci\u00f3n de un tipo de IOA espec\u00edfico:<\/p>\n<ol>\n<li>Selecciona el men\u00fa superior\u00a0<strong>Configuraci\u00f3n<\/strong>, men\u00fa lateral\u00a0<strong>Indicadores de ataque (IOA)<\/strong>.<\/li>\n<li>Haz clic en el bot\u00f3n\u00a0<strong>A\u00f1adir<\/strong>, se abrir\u00e1 la ventana de configuraci\u00f3n de\u00a0<strong>A\u00f1adir configuraci\u00f3n<\/strong>.<\/li>\n<li>Selecciona los IOAs que Advanced EPDR\/EDR buscar\u00e1 en el flujo de telemetr\u00eda generado por los equipos.<\/li>\n<li>Para poder seleccionar indicadores de ataque avanzados concretos, es necesario activarlos todos. Para ello, desplaza el control deslizante.<\/li>\n<li>Selecciona los equipos que recibir\u00e1n la nueva configuraci\u00f3n y haz clic en el bot\u00f3n\u00a0<strong>Guardar<\/strong>.<\/li>\n<\/ol>\n[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686571823440{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title4\">Mostrar todos los indicadores de ataque_<\/h6>\n[\/vc_column_text][vc_column_text]\n<ol>\n<li>Selecciona el men\u00fa superior\u00a0<strong>Estado<\/strong>, panel lateral\u00a0<strong>Indicadores de ataque (IOA)<\/strong>.<\/li>\n<li>En la parte superior de la ventana indica el intervalo de datos a mostrar.<\/li>\n<li>El widget\u00a0<strong>Servicio Threat Hunting<\/strong>\u00a0contiene los eventos, indicios e indicadores de ataque detectados en el intervalo elegido.<\/li>\n<li>Haz clic en el \u00e1rea\u00a0<strong>Indicadores de ataque<\/strong>. 
Se abrir\u00e1 el listado Indicadores de ataque (IOA) que muestra todos los IOAs detectados en el intervalo de tiempo seleccionado.<\/li>\n<\/ol>\n<p>Cada IOA mostrado en el listado Indicadores de ataque (IOA) tiene asociado un men\u00fa de contexto con las opciones:<\/p>\n<ul>\n<li><strong>Visualizar los IOAs detectados en el equipo<\/strong><br \/>\nMuestra el listado Indicadores de ataque (IOA) filtrado por el campo Equipo.<\/li>\n<li><strong>Visualizar equipos con el IOA detectado<\/strong><br \/>\nMuestra el listado Indicadores de ataque (IOA) filtrado por el campo Indicador de ataque.<\/li>\n<li><strong>Archivar uno o varios indicadores de ataque<\/strong><br \/>\nCuando la causa que motiv\u00f3 el IOA ha sido resuelta, o cuando se ha comprobado que se trataba de un falso positivo, el administrador puede archivar el IOA detectado.<\/li>\n<\/ul>\n[\/vc_column_text][\/vc_column][\/vc_row][vc_row type=&#8221;full_width_background&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; equal_height=&#8221;yes&#8221; content_placement=&#8221;middle&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; bg_color=&#8221;#7e5994&#8243; scene_position=&#8221;center&#8221; top_padding=&#8221;12&#8243; bottom_padding=&#8221;12&#8243; text_color=&#8221;light&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221; shape_type=&#8221;&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; 
column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;3\/5&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;][\/vc_column][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/5&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;]<div class=\"iwithtext\"><div class=\"iwt-icon\"> <img decoding=\"async\" src=\"https:\/\/www.cytomic.ai\/src\/uploads\/2020\/03\/support-tiny.svg\" alt=\"\" \/> <\/div><div class=\"iwt-text\"> +34 900 840 407 <\/div><div class=\"clear\"><\/div><\/div>[\/vc_column][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/5&#8243; 
tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;]<div class=\"iwithtext\"><div class=\"iwt-icon\"> <img decoding=\"async\" src=\"https:\/\/www.cytomic.ai\/src\/uploads\/2020\/03\/contact-tiny.svg\" alt=\"\" \/> <\/div><div class=\"iwt-text\"> support@cytomic.ai <\/div><div class=\"clear\"><\/div><\/div>[\/vc_column][\/vc_row][vc_row type=&#8221;full_width_content&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; equal_height=&#8221;yes&#8221; content_placement=&#8221;top&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; scene_position=&#8221;center&#8221; text_color=&#8221;dark&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221; shape_type=&#8221;&#8221;][vc_column column_padding=&#8221;padding-5-percent&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color=&#8221;#f3f3f3&#8243; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;1\/3&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; 
bg_image_animation=&#8221;none&#8221;][split_line_heading animation_type=&#8221;default&#8221;]<a href=\"#title1\">Related Products<\/a><\/p>\n<p><a href=\"#title2\">Introduction to IOAs Concepts_<\/a><\/p>\n<p><a href=\"#title3\">Indicator of attack_<\/a><\/p>\n<p><a href=\"#title4\">Advanced Indicator of attack_<\/a><br \/>\n<a href=\"#title5\">Managing Indicators of attack_<\/a><br \/>\n<a href=\"#title5\">Show all IOAs on a network_<\/a>[\/split_line_heading][\/vc_column][vc_column column_padding=&#8221;padding-5-percent&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; column_border_radius=&#8221;none&#8221; column_link_target=&#8221;_self&#8221; gradient_direction=&#8221;left_to_right&#8221; overlay_strength=&#8221;0.3&#8243; width=&#8221;2\/3&#8243; tablet_width_inherit=&#8221;default&#8221; tablet_text_alignment=&#8221;default&#8221; phone_text_alignment=&#8221;default&#8221; column_border_width=&#8221;none&#8221; column_border_style=&#8221;solid&#8221; bg_image_animation=&#8221;none&#8221;][vc_column_text]\n<h3>Installation requirements of products based on Cytomic Platform for Windows<\/h3>\n[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1585668102613{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title1\">Related Products_<\/h6>\n[\/vc_column_text][vc_column_text]\n<ul>\n<li>Cytomic EPDR<\/li>\n<li>Cytomic EDR<\/li>\n<\/ul>\n[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686568872071{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title2\">Introduction to IOA Concepts_<\/h6>\n[\/vc_column_text][vc_column_text]This section details the concepts that administrators need to know to understand the processes involved in the detection of IOAs, and in the execution of 
remedial actions (automatic and manual).<\/p>\n<p><strong><span class=\"granate11b\">Event<\/span><\/strong><br \/>\nAn action executed by a process on a user\u2019s computer and monitored by Advanced EPDR\/EDR. Events are sent to the cloud in real time as part of the telemetry. Advanced automated analysis technologies, analysts, and threat hunters analyze them in their context to determine whether they could be part of the CKC of a cyberattack.<\/p>\n<p><strong><span class=\"granate11b\">Indicator<\/span><\/strong><br \/>\nA sequence of unusual actions found in the events generated on customers\u2019 computers and which could be part of an early-stage cyberattack.<\/p>\n<p><strong><span class=\"granate11b\">Indicator of attack (IOA)<\/span><\/strong><br \/>\nThis is an indicator with a high probability of being a cyberattack. These are generally attacks in early stages or in the exploitation phase. These attacks do not normally use malware, as adversaries usually use the operating system\u2019s own tools to execute the attack and thereby hide the traces of their activity. We recommend that you contain or remedy attacks as soon as possible.<\/p>\n<p>To help manage IOAs, Advanced EPDR\/EDR gives each one a status which can be manually edited by the administrator:<\/p>\n<ul>\n<li><strong>Pending<\/strong>: The IOA is pending investigation and\/or resolution. The administrator must verify whether the attack is real and take the necessary measures to mitigate it. All new IOAs are created with the status \u2018Pending\u2019.<\/li>\n<li><strong>Archived<\/strong>: The IOA has already been investigated by the administrator and the remedial actions have been taken, or were unnecessary as it was a false positive. 
The administrator closes the IOA for any of these reasons.<\/p>\n<\/ul>\n<p>Advanced EPDR\/EDR shows relevant IOA information, such as the MITRE tactic and technique used, the events recorded on the computer that generated the IOA, and, if available, the following reports:<\/p>\n<ul>\n<li><strong>Advanced attack investigation<\/strong>: Includes information about the computer involved, a detailed description of the tactics and techniques used, recommendations to mitigate the attack, and the sequence of events that triggered the generation of the IOA.<\/li>\n<li><strong>Attack graph<\/strong>: Includes an interactive diagram with the sequence of events that led to the generation of the IOA.<\/li>\n<\/ul>\n<p>NOTE: The reports last for a month after the IOA is generated. After this period, they are no longer accessible. Also, a report shows the events that are part of the attack for the 30 days prior to the detection of the IOA.[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686569081448{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title3\">Indicators of Attack_<\/h6>\n[\/vc_column_text][vc_column_text]Advanced indicators of attack provide in-depth monitoring of the applications on your computers. They enable you to detect suspicious behaviors, analyze the events generated by applications, and determine if an event is an IOA.<\/p>\n<p>The mere presence of this type of indicator of attack does not mean that an attack is taking place. 
You must analyze the advanced indicator of attack to determine whether it is an attack or not.<\/p>\n<p>Advanced EPDR\/EDR shows relevant information about advanced IOAs, such as the MITRE tactics and techniques used, and the sequence of events logged on the computer that generated the IOA.<\/p>\n<p>NOTE: Advanced indicators of attack are compatible only with Windows computers.<\/p>\n<p><strong>CKC (Cyber Kill Chain)<\/strong><br \/>\nIn 2011, Lockheed-Martin drafted a framework or model for defending computer networks, which stated that cyberattacks occur in phases and each of them can be interrupted through certain controls. Since then, the Cyber Kill Chain (CKC) has been adopted by IT security organizations to define the phases of cyberattacks. These phases range from remote reconnaissance of the target\u2019s assets to data exfiltration.<\/p>\n<p><strong>MITRE Corporation<\/strong><br \/>\nA not-for-profit company that operates several federally-funded R&amp;D centers dedicated to addressing security issues. It offers practical solutions in the fields of defense and intelligence, aviation, civil systems, national security, judiciary, health, and cybersecurity. It is the creator of the ATT&amp;CK framework.<\/p>\n<p><strong>ATT&amp;CK (Adversarial Tactics, Techniques, and Common Knowledge)<\/strong><br \/>\nA set of resources developed by the MITRE Corporation to describe and categorize cybercriminal activities based on observations from around the world. ATT&amp;CK is a structured list of known attack behaviors categorized into tactics and techniques and shown as a matrix. Because this list is a comprehensive representation of the behaviors that hackers use when they infiltrate networks, it is a useful resource to develop defensive, preventive, and remedial strategies for organizations. 
For more information about the ATT&amp;CK framework, see\u00a0<a href=\"https:\/\/attack.mitre.org\/\">https:\/\/attack.mitre.org\/<\/a><\/p>\n<p><strong>Technique (\u2018How\u2019)<\/strong><br \/>\nIn ATT&amp;CK terminology, techniques represent the method (or the strategy) that an adversary uses to achieve a tactical objective. In other words, the \u2018how\u2019. For example, to access credentials (tactic), an adversary executes a data dump (technique).<\/p>\n<p><strong>Sub-Technique (\u2018How\u2019)<\/strong><br \/>\nIn ATT&amp;CK terminology, sub-techniques represent the \u201chow\u201d of a specific technique. They refer to the processes or mechanisms used by adversaries to achieve the objective of a tactic. For example, password spraying is a type of brute force attack to accomplish the objective of the Credential Access tactic.<\/p>\n<p><strong>Tactic (\u2018Why\u2019)<\/strong><br \/>\nIn ATT&amp;CK terminology, tactics represent the ultimate motive or goal of a technique. It is the tactical objective of the adversary: the reason to take an action.[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686569132552{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title3\">Managing Indicators of Attack_<\/h6>\n[\/vc_column_text][vc_column_text]By default, Advanced EPDR\/EDR assigns an Indicators of attack (IOA) settings profile to all computers on the network, with all types of IOAs enabled by default. To disable the detection of a specific type of IOA:<\/p>\n<ol>\n<li>Click the\u00a0<strong>Settings<\/strong>\u00a0menu at the top of the console. Click\u00a0<strong>Indicators of attack (IOA)<\/strong>\u00a0from the side menu.<\/li>\n<li>Click the\u00a0<strong>Add<\/strong>\u00a0button. 
The\u00a0<strong>Add settings<\/strong>\u00a0page opens.<\/li>\n<li>Select the IOAs that Advanced EPDR\/EDR is to search for in the telemetry generated by the computers.<\/li>\n<li>Select the computers that you wish to receive the new settings profile and click\u00a0<strong>OK<\/strong>.<\/li>\n<\/ol>\n[\/vc_column_text][vc_column_text css=&#8221;.vc_custom_1686569220681{padding-top: 40px !important;padding-bottom: 20px !important;}&#8221;]\n<h6 id=\"title4\">Show all IOAs detected on a network_<\/h6>\n[\/vc_column_text][vc_column_text]\n<ol>\n<li>Click the\u00a0<strong>Status<\/strong>\u00a0menu at the top of the console.<\/li>\n<li>Click\u00a0<strong>Indicators of attack (IOA)<\/strong>\u00a0from the side menu.<\/li>\n<li>At the top of the page, you can see the time period to show.<\/li>\n<li>The\u00a0<strong>Threat Hunting Service<\/strong>\u00a0widget shows the events, indicators, and indicators of attack detected during that period.<\/li>\n<li>Click the\u00a0<strong>Indicators of attack<\/strong>\u00a0area. The Indicators of attack (IOA) list opens. 
This list shows all the IOAs detected during the selected period.<\/li>\n<\/ol>\n<p>Each IOA shown in the Indicators of attack (IOA) list has a context menu with the options:<\/p>\n<ul>\n<li><strong>View the IOAs detected on this computer<\/strong><br \/>\nShows the Indicators of attack (IOA) list filtered by the Computer field.<\/li>\n<li><strong>View the computers on which this IOA was detected<\/strong><br \/>\nShows the Indicators of attack (IOA) list filtered by the Indicator of attack field.<\/li>\n<li><strong>Archive IOA<\/strong><br \/>\nWhen the event that triggered an IOA has been resolved, or when it has been found to be a false positive, the administrator can archive the IOA.<\/li>\n<\/ul>\n[\/vc_column_text][\/vc_column][\/vc_row]\n","protected":false},"excerpt":{"rendered":"<p>[vc_row type=&#8221;full_width_background&#8221; full_screen_row_position=&#8221;middle&#8221; column_margin=&#8221;default&#8221; equal_height=&#8221;yes&#8221; content_placement=&#8221;middle&#8221; column_direction=&#8221;default&#8221; column_direction_tablet=&#8221;default&#8221; column_direction_phone=&#8221;default&#8221; bg_color=&#8221;#7e5994&#8243; scene_position=&#8221;center&#8221; top_padding=&#8221;12&#8243; bottom_padding=&#8221;12&#8243; text_color=&#8221;light&#8221; text_align=&#8221;left&#8221; row_border_radius=&#8221;none&#8221; row_border_radius_applies=&#8221;bg&#8221; overlay_strength=&#8221;0.3&#8243; gradient_direction=&#8221;left_to_right&#8221; shape_divider_position=&#8221;bottom&#8221; bg_image_animation=&#8221;none&#8221; shape_type=&#8221;&#8221;][vc_column column_padding=&#8221;no-extra-padding&#8221; column_padding_tablet=&#8221;inherit&#8221; column_padding_phone=&#8221;inherit&#8221; column_padding_position=&#8221;all&#8221; background_color_opacity=&#8221;1&#8243; background_hover_color_opacity=&#8221;1&#8243; column_shadow=&#8221;none&#8221; 
column_border_radius=&#8221;none&#8221;&#8230;<\/p>\n","protected":false},"author":4,"featured_media":414,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[32,33,27],"tags":[],"class_list":{"0":"post-7835","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-edr","8":"category-epdr","9":"category-soporte"},"_links":{"self":[{"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/posts\/7835","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/comments?post=7835"}],"version-history":[{"count":3,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/posts\/7835\/revisions"}],"predecessor-version":[{"id":7843,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/posts\/7835\/revisions\/7843"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/media\/414"}],"wp:attachment":[{"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/media?parent=7835"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/categories?post=7835"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cytomic.ai\/es\/wp-json\/wp\/v2\/tags?post=7835"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
