Detect, Analyze and Respond to Advanced Malware with DFLabs SOAR Platform and McAfee ATD

Posted byJohn Moran - 13th Jun 2018
Advanced Malware with DFLabs SOAR Platform and McAfee ATD

As malware attacks continue, attackers are going to great lengths to obfuscate both the intent and capabilities of their malicious payloads to evade detection and analysis. In addition, the rate at which new malware is being developed has reached staggering new levels. Zero-day malware is increasingly common in all environments and signature analysis is becoming less effective.

As a result, malware has become increasingly difficult to detect using more traditional detection mechanisms. Once detection occurs, it is often difficult to successfully analyze the malicious file to determine the potential impact and extract indicators. To successfully respond to a potential malware incident and minimize the impact, early detection and analysis are critical.

In this blog, we will briefly discuss how a security operations team can detect, analyze and respond to advanced, evasive malware by utilizing McAfee Advanced Threat Defense (ATD) with DFLabs IncMan SOAR platform, and present a simple use case example.

Utilizing McAfee ATD with DFLabs IncMan SOAR Platform

Early detection, analysis, and extraction of indicators are critical in successfully responding to and remediating a security incident involving malware. McAfee ATD enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats. Tight integration between security solutions enables instant sharing of threat information across the environment, enhancing protection and investigation.

DFLabs IncMan and McAfee ATD together solve two specific challenges including; 1) How can I reliably detect malicious files? and 2) How can I determine capabilities and extract indicators from malicious files? Utilizing DFLabs IncMan’s integration with McAfee ATD and with the use of IncMan’s R3 Rapid Response Runbooks, organizations can automate and orchestrate the detection and analysis of suspected advanced and evasive malware, allowing faster and more effective response to malware incidents. In addition, ATD also provides users with critical insights into the capabilities of suspicious files, as well as indicators which may be further enriched through additional automated actions.

Use Case in Action

A potentially malicious file has been detected on a workstation, causing the security operations team to initiate the incident response process. The malicious file has been extracted from the workstation and included in the IncMan Incident as an Artifact. Next, the R3 Runbook predetermined for malware alerts and incidents will be used to scan the file, perform additional enrichment, then block the infected host, if necessary.

To begin, McAfee ATD is used to detonate the potentially malicious file. Once detonation has completed McAfee ATD will return information about the executable, including the determined severity level.  Next, a condition is set to determine if the severity returned by McAfee ATD is greater than 0, indicating that the file is likely malicious.

If it is determined by McAfee ATD that the file is likely malicious, an additional enrichment action is utilized to gather additional information from McAfee ePolicy Orchestrator (ePO) regarding the host that the malicious file was detected on. Following this, McAfee ePO is also used to tag the host with the appropriate tags indicating that it may be infected with malware.

Following the additional enrichment actions, a user choice decision point is reached. This user choice decision will prompt the analyst to make a manual decision regarding whether or not the workstation which generated the malware alert should be temporarily blocked from communicating outside the network.  All of the enrichment information from the previous actions, including the information from McAfee ATD and ePO will be available to the analyst to assist in the decision-making process.

If the analyst chooses to block this workstation at the perimeter, a containment action will utilize McAfee Web Gateway to block the IP of the workstation until further investigation and remediation can be conducted.

In Summary

By harnessing the power of McAfee ATD, along with the additional orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization. With malware continuing to be one of the top cyber attacks, it is critical that security operations have a streamlined process in place in order to be able to detect and respond to such security alerts.

If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.