Sandboxing and the SOC

Place McAfee Advanced Threat Defense at the center of your investigation workflow

As you strive to further enable your security operations center (SOC), you want your analysts and threat hunters to do their best detective work to pinpoint true positives so that triage and remediation efforts are properly prioritized and acted on. While threat hunting is a human-centric activity that relies on clues, intuitive hunches, and knowledge of adversaries' tactics, techniques, and procedures (TTPs), automation can greatly improve the efficacy of SOC team members focused on this activity. When analysts and threat hunters have multiple tools at their disposal, coordinated by integration, threat sharing, and automation, they'll be more successful. Our study, Disrupting the Disruptors, Art or Science? [1], reveals that, for the majority of investigations (61% to 80% across SOCs of all maturity levels), an advanced sandbox solution like McAfee Advanced Threat Defense is essential.

Why We Analyze Malware

As we evaluate advanced technologies that help us improve our threat-hunting capabilities, let's not lose sight of why we analyze malware in the first place:

- Determine the nature of an unknown file: is it benign or malicious?
- Get a better understanding of what a malicious file is actually doing
- Assess the impact of a malware infection
- Enhance detection by looking for indicators of compromise (IoCs)
- Make more informed choices and communicate this information to management
Why an Advanced Sandbox Is Integral to a Successful SOC

Sandboxing is a foundational tool for SOC analysts and threat hunters across every level of maturity. In more mature organizations, sandboxing is complemented by a mix of other tools, including security information and event management (SIEM) solutions.

McAfee Advanced Threat Defense provides not only static and dynamic malware analysis but also other capabilities that place it at the core of a comprehensive threat-hunting and intelligence-sharing ecosystem. Providing more than basic behavioral analysis with file execution or sandboxing, McAfee Advanced Threat Defense also features in-depth static code analysis and additional detection capabilities powered by machine learning. Automation is enabled by tight integration with solutions in the McAfee product portfolio, along with partner products; support for open standards; and a REST application programming interface (API).

Serving as the nexus of the threat-hunting workflow, McAfee Advanced Threat Defense can collect and analyze samples from multiple sources, including manual submission, and provide indicators of compromise (IoC) information to any technology that is capable of ingesting it and using it in an actionable and intelligent manner for remediation. Technologies that make use of the IoCs range from perimeter intrusion prevention systems to threat intelligence platforms (TIPs) and security automation and orchestration platforms.

"If McAfee Advanced Threat Defense deems the file to be malicious, its reputation is then automatically broadcast via McAfee Threat Intelligence Exchange to all the endpoints connected to DXL. This automatic distribution of threat reputation information helps us block zero-day threats before they can harm our environment."
Senior Manager, Security Engineering, Large Software Company

[Figure 1. A collaborative security ecosystem with McAfee Advanced Threat Defense at the core increases the efficacy, efficiency, and accuracy of SOC investigations. Components shown: any third-party secure email gateway, McAfee Network Security Platform, McAfee Web Gateway, McAfee Threat Intelligence Exchange, McAfee Enterprise Security Manager, DXL, a Bro IDS sensor, and STIX/TAXII consumers that receive McAfee Advanced Threat Defense IoCs.]
Collect, Ingest, and Analyze

Let's take a deeper look at how McAfee Advanced Threat Defense enables automation and supports SOC investigation processes. The first step in the process involves collecting and ingesting threat data. Suspicious samples can be manually uploaded by SOC analysts or automatically delivered through tight integration between McAfee Advanced Threat Defense and security devices from the network edge through the endpoint.

McAfee Advanced Threat Defense then uses a variety of analysis techniques to uncover malware, from lower-intensity methods like file reputation and signatures to more sophisticated methods like dynamic analysis of malware behavior and in-depth static code analysis to help classify samples. McAfee Advanced Threat Defense also uses machine learning to help uncover patterns in code to identify emerging threats, analyze behavioral patterns to identify maliciousness, and assess code to determine similarity to other malware families.

Interoperability with McAfee products

McAfee Advanced Threat Defense integrates with multiple products from the McAfee security portfolio: currently McAfee Network Security Platform, McAfee Web Gateway, and McAfee Threat Intelligence Exchange. McAfee Threat Intelligence Exchange integrations with McAfee Application Control, McAfee Endpoint Security solutions, McAfee Server Security Suite, and McAfee Security for Microsoft Exchange further extend interoperability. Ingesting malware samples from these vectors, McAfee Advanced Threat Defense then applies its sandboxing analysis capabilities to arrive at usable threat data.

Interoperability with non-McAfee technologies: email gateways and Bro sensors

In addition to integrating with McAfee technologies, McAfee Advanced Threat Defense is also compatible with third-party security tools such as email gateways.
SMTP traffic can be forwarded into any secure email gateway, such as Cisco ESA and Proofpoint, and those email gateways, in turn, can forward an email attachment to McAfee Advanced Threat Defense for analysis. On the network side, McAfee Advanced Threat Defense is interoperable with the open source Bro Network Security Monitor (bro.org). While Bro is an intrusion detection system (IDS) and not a replacement for a robust intrusion prevention system (IPS) like McAfee Network Security Platform, Bro sensors are often used by SOCs and deployed as a temporary IDS on a suspected network segment to monitor and capture traffic. Bro carves files from network traffic and places them in a file directory. McAfee Advanced Threat Defense integrates with this directory and can read those files. Bro uses scripts that can automatically extract a file from network traffic in milliseconds and, through the use of a Python script and the McAfee Advanced Threat Defense REST daemon, Bro sends it to McAfee Advanced Threat Defense for analysis. By using more network sensors to get a second look at potentially malicious traffic, your investigators can gain greater confidence that they are getting a true positive. It also provides your SOC team with a better understanding of threat behavior and a deeper analysis of what's happening on your network.

Sidebar: McAfee Advanced Threat Defense offers numerous advanced capabilities that can support investigations, including:

- Comprehensive OS support that covers the most widely used operating systems for endpoints, servers, and mobile devices
- Detailed reports that provide critical information for investigation: assembly output, network packet captures (pcaps), graphical function call diagrams, and memory dumps
- User interactive mode, which enables analysts and threat hunters to interact directly with malware samples
- Deeper sample analysis by forcing additional execution paths that remain dormant in typical sandbox environments
- Sample submission to multiple virtual environments to speed investigation by determining which environment variables are needed for file execution
- Extensive unpacking capabilities, which reduce investigation time from days to minutes

Features that Support Deeper, More Accurate Investigations

X-Mode or interactive mode

Hunters and analysts alike can leverage McAfee Advanced Threat Defense X-Mode, or Interactive Mode, to find useful clues about threats that piggyback on legitimate applications. This is particularly applicable to large organizations, which are often the targets of advanced persistent threats (APTs). As a result of reconnaissance missions, bad actors gain insights into whitelisted applications used by the targeted organization on a daily basis. From there, they create threats wrapped into the code of a known whitelisted application and embed malicious payloads, like keyloggers. The user can't see the threat. However, on the back end, if your analyst or threat hunter interacts with the malicious code in the McAfee Advanced Threat Defense sandbox, which is constantly on the lookout for anomalous or malicious activity, that activity will be identified. Once a suspicious file is uploaded, the analyst can interact with the sample and gain a better understanding of the user experience, since they actually see what the user would see. For example, within an isolated sandbox, your analyst can click through features of the whitelisted application and execute various operations, like running an embedded macro. Your analysts and threat hunters now have free rein to do deeper manual investigation without worrying about lateral propagation to other assets in your network and causing harm. X-Mode is especially helpful when it comes to extremely evasive malware that requires human interaction in order to execute.
For example, let's say a bad actor sends an email with a password-protected spreadsheet attachment along with the password. If the user opens the spreadsheet and enters the password, the hidden malware is triggered, and it infects the system. In X-Mode, analysts can interact with the malware within the sandbox, such as entering a password to unlock the sample and trigger the malware, so that they can better understand how such evasive threats work and the associated user experience. X-Mode is also a great tool for training junior analysts.

Customize for your unique operating system

Threats targeted at a specific organization based on user activity, authorized applications, and the predominant operating system in use have become an overriding point of focus for many enterprises. If a malware author knows the specific version of the Microsoft Windows OS that an enterprise uses, for example, they can leverage that information to optimize the malware and make it as damaging as possible, but less obvious than malware running on a completely different operating system. They can also tailor the malware according to various OS versions in order to infiltrate as many systems as possible.
Another mechanism to help analysts and threat hunters track down and thwart these APTs is the ability to customize the analysis environment in McAfee Advanced Threat Defense. You can analyze potential threats in an environment with a specific OS version or specific applications. Malware samples can then be safely detonated inside the customized analysis VMs. This is a great boon for your threat-hunting efforts, as it mirrors your own environment and helps your team extract IoCs that will accelerate the remediation process and maximize its effectiveness.

Share and Publish

After rigorous analysis using a variety of methods, McAfee Advanced Threat Defense can share its IoCs and convictions. Outputs include critical investigation information, such as disassembly, function call diagrams, dropped file detail, processes, and registry changes. McAfee Advanced Threat Defense becomes the publisher, sharing metadata and results with threat intelligence platforms, machine data analysis solutions, and SIEMs.

Data Exchange Layer and Open Data Exchange Layer

By leveraging the bi-directional communication fabric Data Exchange Layer (DXL), McAfee Advanced Threat Defense can publish its threat intelligence to McAfee Threat Intelligence Exchange, which instantly shares this information across your entire security ecosystem, enabling your solutions (both McAfee products and compatible third-party products) to work together to adapt their policies and more quickly address threats with appropriate protection and remediation. Open Data Exchange Layer (OpenDXL), the open source version of DXL, further extends the playing field by providing simple open source tools, expertise, and a supportive community. Any application, whether internally developed or vendor supplied, can tap into the real-time capabilities of the DXL communications fabric and thereby take advantage of the rich store of threat intelligence made available by McAfee Advanced Threat Defense.
STIX/OpenTAXII

McAfee Advanced Threat Defense further demonstrates our ability to create, support, and expand a collaborative security ecosystem by embracing widely used standards that enable sharing of cyberthreat intelligence. It publishes the information in open formats, notably Structured Threat Information Expression (STIX)-formatted threat information via Trusted Automated eXchange of Indicator Information (TAXII), a transport mechanism for sharing threat intelligence. As a STIX/TAXII publisher, McAfee Advanced Threat Defense allows solutions that are not directly integrated with it to easily consume IoCs with details like hashes, malicious IPs, and user IDs. Information of this kind allows SOC analysts and threat hunters to get a clearer understanding of the intent of a file or action. Support for the STIX/TAXII open standards has real value in that the information generated by McAfee Advanced Threat Defense can be parsed and correlated through virtually any SIEM solution that supports TAXII. Analysts and threat hunters can then get a more holistic understanding of what's happening in their environment, both historically and in real time.

Detailed analysis reports

Rich and thorough analysis reports from McAfee Advanced Threat Defense provide meaningful data that enables analysts and threat hunters to pivot into action quickly. These easy-to-understand reports provide value across the entire organization, from the SOC to the C-suite.

Mapping directly to the MITRE ATT&CK framework: The MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework can help analysts gain a better understanding of adversaries and their work. By including the ATT&CK framework in McAfee Advanced Threat Defense, McAfee has made it easier for analysts to more quickly understand the tactics, techniques, and procedures (TTPs) of a given threat. Once they have this information, they can act faster to implement corresponding defenses or discovery methods.

Some of the most significant and useful information presented in the McAfee Advanced Threat Defense report includes the following:

Behavior classification: This high-level indicator of the classification of malware offers a great deal of value to analysts and threat hunters by providing immediate insights into the intent of files that have been analyzed.

[Figure 2. Sample of behavior classification and severity level reporting.]
[Figure 3. Detailed McAfee Advanced Threat Defense reports provide critical information for investigation, including MITRE ATT&CK framework mapping.]
[Figure 4. A filtered view of the MITRE ATT&CK report focuses on identified techniques.]
Detailed information and IoCs: McAfee Advanced Threat Defense produces in-depth threat intelligence for investigation, including disassembly output, memory dumps, graphical function call diagrams, embedded or dropped file information, user API logs, and PCAP information. Threat timelines help visualize attack execution steps.

[Figure 5. Assembly code, graph analysis, and IoCs.]
[Figure 6. The Timeline Activity report visualizes the execution steps of the analyzed threat.]
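As an added example of the SIEM-side consumption described under STIX/OpenTAXII above (this is not McAfee's code), the script below reads a STIX indicator bundle, pulls out file hashes and IP addresses while skipping revoked indicators, and correlates them with proxy and EDR log lines. The bundle and log lines are constructed, and the assumption that the feed carries STIX 2.1 pattern syntax is ours; the paper does not state the STIX version.

```python
"""Extract IoCs from a STIX 2.1 indicator bundle and correlate them with log lines."""
import json
import re
from collections import defaultdict

# Constructed sample bundle, trimmed to the fields the code reads. STIX 2.1 pattern
# syntax is an assumption about the feed; the SHA-256 is that of an empty file.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
     "pattern": "[file:hashes.'SHA-256' = "
                "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern": "[ipv4-addr:value = '203.0.113.5' OR ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
     "revoked": True, "pattern": "[ipv4-addr:value = '192.0.2.9']"},  # withdrawn: skipped
]})

# Constructed proxy/EDR log lines to correlate against the feed.
LOG_LINES = [
    "2019-01-14T10:02:11Z proxy allow src=10.0.0.12 dst=203.0.113.5 uri=/update.bin",
    "2019-01-14T10:02:12Z edr file_create path=C:\\Users\\a\\update.bin "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2019-01-14T10:03:00Z proxy allow src=10.0.0.13 dst=203.0.113.50 uri=/index.html",
    "2019-01-14T10:03:30Z proxy deny src=10.0.0.14 dst=192.0.2.9 uri=/beacon",
]

# One comparison inside a STIX pattern: <object>:<property path> = '<value>'
COMPARISON = re.compile(r"([\w-]+:[\w.'\[\]*-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Return {ioc_type: set(values)} for every non-revoked indicator in the bundle."""
    iocs = defaultdict(set)
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        for path, value in COMPARISON.findall(obj.get("pattern", "")):
            if path.startswith("file:hashes."):
                algo = path.split(".", 1)[1].strip("'").replace("-", "").lower()
                iocs[algo].add(value.lower())  # hashes are compared case-insensitively
            elif path in ("ipv4-addr:value", "ipv6-addr:value"):
                iocs["ip"].add(value)
    return dict(iocs)


def match_logs(iocs, log_lines):
    """Return sorted (line_no, ioc_type, value) for each log line containing a known IoC."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for kind, values in iocs.items():
            for value in values:
                # Token boundaries keep 203.0.113.5 from matching inside 203.0.113.50.
                if re.search(r"(?<![\w.])%s(?![\w.])" % re.escape(value), line, re.I):
                    hits.append((line_no, kind, value))
    return sorted(hits)
```

Fetching the bundle from a TAXII collection is left to the TAXII client of your choice; the correlation step is the same once the JSON is in hand.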
Conclusion

McAfee Advanced Threat Defense offers numerous advanced capabilities that can support security operations teams, analyst investigations, and threat hunting, including:

- Comprehensive OS support that covers the most widely used operating systems for endpoints, servers, and mobile devices
- Detailed reports that provide critical information for investigation, from assembly output, network packet captures (pcaps), graphical function call diagrams, and memory dumps
- User interactive mode, which enables analysts and threat hunters to interact directly with malware samples
- Deeper sample analysis by forcing additional execution paths that remain dormant in typical sandbox environments
- Sample submission to multiple virtual environments to speed investigation by determining which environment variables are needed for file execution
- Extensive unpacking capabilities, which reduce investigation time from days to minutes

To learn more about what Advanced Threat Defense can do for your team, visit http://www.mcafee.com/atd

[1] https://www.mcafee.com/enterprise/en-us/assets/reports/rp-survey-results-disrupting-disruptors-art-science.pdf

McAfee technologies' features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Learn more at mcafee.com. No computer system can be absolutely secure. McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation. Copyright 2019 McAfee, LLC. January 2019.