Whitepaper. Advanced Threat Hunting with Carbon Black Enterprise Response


TABLE OF CONTENTS

Overview
Threat Hunting Defined
Existing Challenges and Solutions
  Prioritize Endpoint Data Collection Over Detection
  Leverage Comprehensive Threat Intelligence
  Expand Detection Beyond the Moment of Compromise
Threat Hunting within Carbon Black Enterprise Response
  General Threat Hunting
  Hunting a Specific Threat
Summary

Overview

Forty-seven percent of incident responders say they assume their enterprise is already compromised.[1] By preparing for a breach, enterprises can improve their security posture and lay the foundation needed to proactively hunt for threats. Even so, many organizations still prioritize the wrong protection techniques across their environment. Although 65 percent of data breaches occurred on company endpoints[2] (laptops, desktops, servers and POS systems), many enterprises still focus on securing their networks, which are increasingly difficult to secure as more employees operate outside of them. With only 5 percent of data breaches compromising networks,[3] attackers are ultimately targeting where the data is: the endpoint.

Even enterprises that do focus on their endpoints typically prioritize detection capabilities over data collection. This makes it difficult to expand detection beyond the moment of compromise and to accelerate the discovery of advanced threats. Most attackers also need days or less to compromise an enterprise. Once inside, an advanced attacker can escalate privileges to establish persistence and then live off the land, using trusted, built-in tools to move in and out of the organization and to exfiltrate data. This white paper covers the capabilities necessary to proactively and efficiently hunt for threats across your enterprise.

[1] SANS Analyst Survey, The Case for Endpoint Visibility, Jacob Williams, March 2014
[2] 2014 Verizon Data Breach Investigations Report
[3] 2014 Verizon Data Breach Investigations Report

Threat Hunting Defined

Enterprises now realize it is no longer a matter of if they will be breached, but when. As a result, many are looking for detection and response tools that can answer the ultimate question: is my organization already compromised? To do so, they need tools that not only detect and respond to threats but also hunt for them. Hunting requires tools that accelerate threat discovery so that potential compromise within the organization can be identified quickly.

Existing Challenges and Solutions

Prioritize Endpoint Data Collection Over Detection

Many enterprises overload on detection capabilities from network security and/or threat intelligence providers. Although detection is important, it should not be the first step you take. A majority of incident responders (52 percent) say they lack the necessary visibility into endpoint vulnerabilities, citing it as a chief obstacle to efficient IR.[4] And if you deploy only scan-based technologies on the endpoint, you leave gaps in your data collection coverage and lose the context of an attack as it moves across your enterprise, because a periodic scan sees the state of a host, not the sequence of events that produced it.

When preparing to hunt, it is essential that your endpoint security tools continuously collect the critical data needed to conduct immediate and conclusive threat discovery. During an investigation, the data collection process can be tedious, time-consuming and expensive. By proactively collecting that data, enterprises have an instantly available historical record of their environment to hunt over.

Continuous endpoint visibility means recording, with the relationships between them preserved:
- all file modifications
- all file executions
- all registry modifications
- all network connections
- a copy of every executed binary
- all cross-process events

Carbon Black Enterprise Response automates data acquisition by deploying endpoint sensors across the entire enterprise that continuously record all activity. The result is contextual and continuous endpoint visibility: the recorded relationships of every file execution, file modification, registry modification, network connection and executed binary in your environment. Combined with Carbon Black Threat Intel, organizations can efficiently classify threats across their business and accelerate threat discovery.

[4] SANS Survey, Incident Response: How to Fight Back, Alissa Torres, August 2014

Leverage Comprehensive Threat Intelligence

Sixty-six percent of enterprises say they suffer successive false alarms from their detection solutions.[5] This stems from an inability both to collect the right data and to classify it instantly, leaving the enterprise unable to fully scope the attacks affecting its business.

[Figure: Carbon Black Threat Intel (threat intelligence cloud) feeds the Carbon Black Enterprise Response server and console, which receive continuous data collection from the endpoint sensors; the result is continuous endpoint visibility and attack classification.]

With Carbon Black Enterprise Response, enterprises take a holistic approach to threat hunting by layering the threat intelligence feeds in Carbon Black Threat Intel over its continuously recorded endpoint visibility. This lets them classify threats based on software reputation, network circumvention attributes, open-source malware tracking, community-based threat intelligence, malicious domains, custom feeds and more. Through its process search, Carbon Black Enterprise Response can hunt for threats based on these feeds or on entire attack processes captured by its continuous endpoint data collection. Any process search run in the console can also be saved as a watchlist, turning a one-time hunt into ongoing real-time detection. A watchlist inherits the precision of the search it was saved from, so a hunt query should be tightened until its results are reviewable before it is promoted to a watchlist; otherwise it simply adds to the false alarms described above.

[Figure: the same architecture, with a watchlist or process search issued from the console against the recorded endpoint data.]

[5] SANS Survey, Incident Response: How to Fight Back, Alissa Torres, August 2014
[6] 2014 Verizon Data Breach Investigations Report

Expand Detection Beyond the Moment of Compromise

Approximately 90 percent of attacks take days or less to compromise an enterprise, while nearly 80 percent of businesses take weeks or longer to discover those same attacks.[6] Organizations clearly have a threat discovery problem, and this gap leaves them susceptible to prolonged data breaches whose impact grows with every day the attacker goes unnoticed.

Many enterprises have trouble discovering advanced threats because they rely exclusively on the limited detection capabilities of endpoint antivirus. Signatures are significantly better at discovering opportunistic attackers, because opportunistic attackers find value in scale: their objective is to compromise as many endpoints as possible, so a signature is likely to be developed shortly after the campaign begins. The advanced attacker, who targets only the finite number of assets needed to accomplish a specific mission, can remain below the detection threshold and go for long periods without a signature ever being written.

[Figure: two "hosts compromised" over "time" curves. Opportunistic: compromise as many endpoints as possible; the curve crosses the detection threshold and a signature becomes available. Advanced: compromise as few endpoints as possible; the curve stays below the detection threshold and a signature becomes available late, if ever.]

An advanced attacker can also move laterally to more critical systems in an attempt to escalate privileges. Once that succeeds, the attacker can come and go at will, living off the land: leveraging built-in tools rather than introducing new executables, which minimizes the change they introduce into the environment. The attacker can then persist for long periods by adding further user and system accounts. By proactively deploying continuous data collection to track an attacker's every move, and by classifying threats with robust threat intelligence, enterprises can hunt across the attacker's entire kill chain.

The example below also illustrates the shortcomings of the endpoint visibility most security solutions provide. With no reputation or threat intelligence data to draw on, how do enterprises pick the needles out of their data collection haystack? Without understanding the prevalence of endpoint activity, how can they prioritize detection events to accelerate the discovery of targeted attacks? And without continuously maintaining the relationships between the data they collect, how do they scope their entire enterprise efficiently and effectively?

[Figure: four increasing levels of endpoint visibility. Traditional endpoint visibility: events only. Then events + intelligence; events + intelligence + prevalence; and events + intelligence + prevalence + relationships.]

With Carbon Black Enterprise Response, enterprises can use the recorded endpoint history to trace attacks back to their root cause and hunt them by the behaviors and processes they exhibit. Because the entire attack process, the relationships between events, their prevalence and their reputation (threat intelligence) are recorded, you can roll back the tape to understand where the activity originated, even if it arrived through a trusted software delivery system that eventually spawned an exploit. This improves policy enforcement at the endpoint, enhances overall detection capabilities, and lets businesses proactively hunt both past and present threats.

Threat Hunting within Carbon Black Enterprise Response

General Threat Hunting

Say you are concerned about a behavior you have read about or have previously seen a malicious actor use, such as an unsigned binary, running out of a temp folder, that has made at least one network connection. To hunt for these characteristics you query for them in Carbon Black Enterprise Response's process search. The search returns 76 hits, and one at the bottom jumps out at you. To dive further, you click on this binary to open the process analysis view.

On the process analysis page, Carbon Black Enterprise Response puts a variety of information at your fingertips. You immediately see that the process is unsigned and has spawned a rundll32.exe process. To get further context, you click the Alliance Feed drop-down to further classify the potential attack.

In the Alliance Feed section, you notice some very troubling scores associated with this process. When you scroll down to look at what the process did to the filesystem, you notice that it wrote multiple binaries.

Drilling into the details of one of those binaries, you notice that it has very little metadata, is unsigned and carries a high threat score. At a glance you can also see that three hosts (endpoints) have observed this binary, and that it has made a network connection. Going forward, you can use this IP address and domain as indicators of compromise for future detection, alongside the filename, hash value and other exhibited behaviors.

Hunting a Specific Threat

CVE-2014-1776 is announced and there are reports of an Internet Explorer exploit that uses vgx.dll and Flash. You search on three known criteria:

1. Targets Internet Explorer
2. Requires vgx.dll to be loaded by the iexplore.exe process
3. Triggered by a malicious Flash file

Using Carbon Black Enterprise Response you can identify these criteria instantly:

process_name:iexplore.exe modload:vgx.dll modload:*.ocx

The search returns 175 matching processes; *.ocx matches any ActiveX control (Flash's Flash*.ocx among them), so this first query is deliberately broad. You then narrow to instances where these processes also have a child process whose name matches *.dll, which is unusual in itself since a library is not normally launched as a process:

modload:vgx.dll process_name:iexplore.exe modload:*.ocx childproc_name:*.dll
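Both hunts in this section (the unsigned-binary-from-a-temp-folder search in General Threat Hunting and the CVE-2014-1776 search above) are plain conjunctions of field:value terms evaluated over recorded process data. As an added example, not code from the white paper or from Carbon Black, the following Python re-creates that matching over a handful of constructed process records, so you can see why the childproc_name:*.dll term is what separates the one suspicious iexplore.exe instance from the many that merely loaded vgx.dll and a Flash ActiveX control. The Cb Response rendering of the first hunt (digsig_result:Unsigned netconn_count:[1 TO *] path:*\temp\*) is my assumption, as are the sample records and hostnames; the field names follow Cb Response, but the matcher is a simplification of the server's search.

```python
"""Added example: a toy evaluator for the Solr-style process-search queries the
white paper uses, run over constructed process records.  This is not Carbon
Black code; Cb Response has its own server-side search (and a Python client,
cbapi) and its real process documents carry many more fields than this stand-in."""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# A query is a whitespace-separated list of field:value terms, implicitly ANDed.
# Values are a glob-style token or a numeric range such as [1 TO *].
_TERM_RE = re.compile(r"(\w+):(\[[^\]]*\]|\S+)")
_RANGE_RE = re.compile(r"\[\s*(\*|\d+)\s+TO\s+(\*|\d+)\s*\]", re.IGNORECASE)


@dataclass
class ProcessRecord:
    """Constructed stand-in for one process document (field names follow Cb Response)."""
    process_name: str
    path: str
    digsig_result: str                                       # "Signed" or "Unsigned"
    netconn_count: int
    modload: List[str] = field(default_factory=list)         # full paths of loaded modules
    childproc_name: List[str] = field(default_factory=list)  # names of spawned child processes
    hostname: str = "ws-01"


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1]


def _glob(pattern: str, text: str) -> bool:
    # Case-insensitive; only * and ? are wildcards, a backslash is a literal path separator.
    return fnmatch.fnmatchcase(text.lower(), pattern.lower())


def parse_query(query: str) -> List[Tuple[str, str]]:
    terms = _TERM_RE.findall(query)
    if not terms:
        raise ValueError(f"no field:value terms in {query!r}")
    return terms


def term_matches(rec: ProcessRecord, field_name: str, value: str) -> bool:
    if not hasattr(rec, field_name):
        raise ValueError(f"unknown field {field_name!r}")
    actual = getattr(rec, field_name)
    if isinstance(actual, int):
        rng = _RANGE_RE.fullmatch(value)
        if rng is None:
            return actual == int(value)
        lo, hi = rng.groups()
        return (lo == "*" or actual >= int(lo)) and (hi == "*" or actual <= int(hi))
    if isinstance(actual, list):
        # Multi-valued field: any one loaded module / child process may satisfy the term.
        return any(_glob(value, _basename(v)) for v in actual)
    return _glob(value, actual)


def hunt(records: List[ProcessRecord], query: str) -> List[ProcessRecord]:
    """Return the records that satisfy every term of the query."""
    terms = parse_query(query)
    return [r for r in records if all(term_matches(r, f, v) for f, v in terms)]


# Hunt 1 ("General Threat Hunting"): the paper does not print its query, so this
# rendering of "unsigned, from a temp folder, with a network connection" is assumed.
UNSIGNED_TEMP_NETCONN = r"digsig_result:Unsigned netconn_count:[1 TO *] path:*\temp\*"
# Hunt 2 ("Hunting a Specific Threat", CVE-2014-1776): the two queries as the paper gives them.
IE_VGX_FLASH = "process_name:iexplore.exe modload:vgx.dll modload:*.ocx"
IE_VGX_FLASH_DLL_CHILD = IE_VGX_FLASH + " childproc_name:*.dll"

_IE = r"c:\program files\internet explorer\iexplore.exe"
_VGX = r"c:\windows\system32\vgx.dll"
_FLASH = r"c:\windows\system32\macromed\flash\flash32_13_0_0_182.ocx"
SAMPLE_PROCESSES = [  # constructed telemetry, not from any real host
    ProcessRecord("iexplore.exe", _IE, "Signed", 14, modload=[_VGX, _FLASH]),
    ProcessRecord("iexplore.exe", _IE, "Signed", 9, modload=[_VGX, _FLASH],
                  childproc_name=["0159.dll"], hostname="ws-17"),
    ProcessRecord("iexplore.exe", _IE, "Signed", 3, modload=[r"c:\windows\system32\mshtml.dll"]),
    ProcessRecord("update.exe", r"c:\users\alice\appdata\local\temp\update.exe", "Unsigned", 2,
                  childproc_name=["rundll32.exe"]),
    ProcessRecord("setup.exe", r"c:\windows\temp\setup.exe", "Signed", 1),
    ProcessRecord("7z.exe", r"c:\users\bob\appdata\local\temp\7z.exe", "Unsigned", 0),
]

if __name__ == "__main__":
    for q in (UNSIGNED_TEMP_NETCONN, IE_VGX_FLASH, IE_VGX_FLASH_DLL_CHILD):
        hits = hunt(SAMPLE_PROCESSES, q)
        print(f"{len(hits):3d} hit(s)  {q}")
        for r in hits:
            print(f"      {r.hostname}: {r.process_name} children={r.childproc_name}")
```

Run stand-alone, the first query returns only the unsigned update.exe in a user's temp folder (the signed installer and the unsigned archiver with no network connection are both excluded), the broad CVE-2014-1776 query returns every iexplore.exe that loaded vgx.dll together with an .ocx, and adding childproc_name:*.dll leaves the single instance on ws-17 that spawned 0159.dll. Against a real Cb Response server you would run the same strings through the console or cbapi rather than this matcher, and, per the section above, save the narrowed query as a watchlist once its hit list is small enough to review.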

You then dive into the specific instance of Internet Explorer and immediately see that it is spawning a process named 0159.dll. Scrolling down, you review the activity associated with that child process.

Summary

With the number of advanced attacks increasing every day, most of them undiscovered by traditional detection and response tools, truly hunting for threats within your environment can be a laborious task. To combat this, enterprises must focus on:

Prioritizing endpoint data collection over detection: businesses need to continuously record the critical data and maintain the relationships between those data sets in order to fully scope an attack.

Leveraging comprehensive threat intelligence: alongside continuous data collection, enterprises must be able to layer threat intelligence and reputation over the data they collect to instantly classify and prioritize threats, accelerating threat discovery in the process.

Expanding detection beyond the moment of compromise: businesses should deploy solutions that can hunt both past and present threats based on a continuously recorded history, not just individual events.

Organizations need to keep the endpoint a priority in information security. When hunting for threats, enterprises need a solution that can roll back the tape to understand an attack's root cause. Carbon Black Enterprise Response delivers the best solution to hunt for threats, accelerate threat discovery, respond in seconds and proactively prepare businesses for a breach.

About Carbon Black

Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker's every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.

2016 Carbon Black is a registered trademark of Carbon Black, Inc. All other company or product names may be the trademarks of their respective owners. 20160115 RKB
1100 Winter Street, Waltham, MA 02451 USA  P 617.393.7400  F 617.393.7499  www.carbonblack.com