Trend Micro Vision One has a feature called Targeted Attack Detection (previously called Early Warning Service) that shows the currently active attack campaigns and which protection services are enabled in your environment.
Make sure that the requirements are met before enabling Targeted Attack Detection. Refer to Enabling the required services for Targeted Attack Detection.
| Analysis | Description |
|---|---|
| Periodic analysis of your Smart Protection Network data | Modern attacks often involve multiple seemingly unrelated threats. Analysis of Smart Protection Network data allows Trend Micro Vision One to identify previously isolated detections that are likely to be part of complex attack chains. |
| Continuous analysis of attack campaigns | Trend Micro threat researchers monitor and analyze attack campaigns affecting organizations around the world. Their research provides context to identified indicators and allows Trend Micro Vision One to predict possible next steps by attackers. |
The Attack campaign section provides the information needed to identify and understand the focus of the campaign:
- Targeted countries / regions (e.g., North America, Europe)
- Targeted industries (e.g., healthcare, financial)
- Targeted platforms (e.g., Windows, Linux, Mac OS)
Based on this information, Targeted Attack Detection advises you of your risk level and, at the same time, identifies how many Trend Micro protection services are enabled in your environment for security posture assessment.
This section displays the total number of affected endpoints. In this context, an "endpoint" is a desktop or a server. You can find the count and percent change for each category below the total.
Clicking the total opens another screen that displays the following details for each affected endpoint:
- Endpoint GUID
- Combined severity of the detected attack indicators
- Reasons behind the assigned severity
- Actions that you can perform to mitigate risk
- The first time an attack indicator was observed on the endpoint
This section displays comparative line graphs for four attack phases that precede command-and-control communication. The attack phases follow the MITRE ATT&CK® Matrix for Enterprise.
The graphs provide the following information:
- How suspicious event counts from the last 14 days compare to your organization's baseline
- Notable short-term or persistent changes to suspicious event counts (in the form of spikes or steps)
| Observation | What it means |
|---|---|
| Elevated suspicious event counts in Initial Access and/or Persistence | Attackers are attempting to gain or maintain their foothold on your network. If successful, they may gain account credentials and access remote systems. |
| Elevated suspicious event counts in Credential Access and/or Lateral Movement | Data exfiltration or some form of system impact may soon occur. Attackers may interrupt, manipulate, steal, or destroy your critical assets. |
| Negligible suspicious event counts in any attack phase | The numbers are lower than the baseline for your organization and therefore do not require your attention. |
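As an added illustration (not Trend Micro's code and not the product's actual algorithm), the following models the baseline comparison and the spike-versus-step distinction described above over constructed 14-day counts. The threshold factor, the minimum step length, the baseline values and the sample counts are all assumptions.

```python
# Constructed sample: 14 daily suspicious-event counts per attack phase (not product data).
SAMPLE_COUNTS = {
    "Initial Access":    [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 25, 3, 2, 4],      # one-day spike
    "Persistence":       [1, 2, 1, 1, 2, 1, 1, 9, 10, 9, 11, 10, 9, 10],   # sustained step
    "Credential Access": [2, 1, 2, 2, 1, 2, 1, 2, 2, 1, 2, 1, 2, 1],       # around baseline
    "Lateral Movement":  [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 0],       # around baseline
}
# Constructed baseline: mean daily count per phase from an earlier, quiet period.
SAMPLE_BASELINE = {"Initial Access": 3.0, "Persistence": 1.5,
                   "Credential Access": 2.0, "Lateral Movement": 0.5}

# Phase groupings and interpretations follow the table above.
PHASE_GROUPS = {
    "foothold": ("Initial Access", "Persistence"),
    "impact":   ("Credential Access", "Lateral Movement"),
}
INTERPRETATION = {
    "foothold": "Attackers may be gaining or maintaining a foothold; review credentials and remote access.",
    "impact":   "Data exfiltration or system impact may soon occur; protect critical assets.",
}


def classify_phase(counts, baseline, factor=3.0, step_days=5):
    """Return (level, pattern) for one phase.

    level   : 'elevated' if any day exceeds factor * baseline, else 'negligible'
    pattern : 'step' if the elevation persists for the last step_days days,
              'spike' if it is short-lived, None when negligible
    (factor and step_days are assumed parameters, not product settings)
    """
    threshold = factor * baseline
    elevated_days = [c > threshold for c in counts]
    if not any(elevated_days):
        return "negligible", None
    run = 0  # length of the elevated run ending on the most recent day
    for flag in reversed(elevated_days):
        if not flag:
            break
        run += 1
    return "elevated", ("step" if run >= step_days else "spike")


def assess(counts_by_phase, baseline_by_phase):
    """Classify every phase and map elevated phases to the table's interpretations."""
    results = {p: classify_phase(counts_by_phase[p], baseline_by_phase[p]) for p in counts_by_phase}
    findings = []
    for group, phases in PHASE_GROUPS.items():
        hits = [p for p in phases if results[p][0] == "elevated"]
        if hits:
            findings.append((group, hits, INTERPRETATION[group]))
    return results, findings
```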
Graphs are based on Smart Protection Network data that was analyzed within a specific period. The data may change when any of the following events occur.
To detect more suspicious events, enable the recommended security features on all endpoints.
The image below shows the attack phases and their correlation with an active attack campaign, indicating the pattern of attack.