Automate Evidence Gathering and Threat Containment by Orchestrating Response Efforts with Carbon Black Defense

The integration between DFLabs’ IncMan R3 Rapid Response Runbooks and Carbon Black Defense’s next-generation antivirus and EDR solution allows companies to automate evidence gathering and threat containment efforts, and cut dwell times down to a manageable level.

Equipped with strong evidence gathered from Carbon Black Defense, analysts and security teams can quickly triage an incident and act to remediate it. Carbon Black Defense uses its award-winning Streaming Prevention technology to take a holistic approach to protecting an organization’s critical infrastructure.

The Problem

The sophisticated attacks organizations now face have rendered traditional antivirus ineffective. Signature-based detection can still catch known threats, but the new generation of non-malware attacks goes undetected in our networks and lies dormant for extended periods, letting attackers treat our environments as their own personal playground.

To manage these deficiencies, Security Operations Centers are employing a wider range of tools to close the gap left by their antivirus solution. Gathering evidence across all of these tools adds to an analyst’s investigation time, which gives adversaries ample time to secure their foothold in our networks.

Three common problems include:

  1. Attack vectors have shifted from file-based to fileless tactics, so traditional signature-based antivirus is no longer an effective detection mechanism
  2. Dwell time is measured in days and has exceeded triple-digit figures
  3. Manual evidence gathering costs Security Operations teams valuable time when investigating possible incidents

DFLabs and Carbon Black Solution

An incident can turn into a breach in minutes, which makes early detection and remediation a crucial part of an organization’s security program. IncMan’s integration with Carbon Black Defense lets organizations automate evidence gathering at their endpoints and present analysts with critical information such as running processes, system information, and historical event detail, so they can decide faster and remediate the issue sooner.

These remediation tasks range from terminating processes on a victim machine to completely removing it from the network to allow for hands-on investigation and recovery.

About Carbon Black Defense

Carbon Black Defense is a next-generation antivirus and endpoint detection and remediation solution which utilizes Carbon Black’s proprietary Streaming Prevention technology to protect organizations from the full spectrum of malware and non-malware attacks.

By leveraging event stream processing, Streaming Prevention in Carbon Black Defense continuously updates risk profiles built from endpoint activity; when multiple potentially malicious events are observed, Carbon Black Defense takes action to block the would-be attack. This next-generation antivirus solution is proving why Carbon Black Defense will be the industry’s de facto standard in the coming years.

Use Case

An IDS alert is received and triggers an incident in IncMan. Through an R3 Rapid Response Runbook, enrichment actions are initiated by first querying IP reputation services for the source of the suspicious activity. A second IP reputation service is then queried to verify the results of the first query. Once the reputation checks have been completed, the priority of the incident is set according to the results of the reputation checks and a ticket is opened in the organization’s ticket management system.

IncMan continues to process the runbook by gathering additional enrichment data for the incident handler. User account information is pulled from Active Directory and Carbon Black Defense is queried to collect system information, including all running processes on the victim machine. In addition to system information, IncMan also queries Carbon Black Defense events from the victim machine observed in the last 30 days.

Once the enrichment information is gathered, the incident handler receives notification of the incident and is prompted with a User Choice decision on whether containment actions are appropriate. The incident handler can review all of the information gathered so far before deciding whether automated containment should proceed. If the incident handler determines the activity is malicious and automated containment is appropriate, the machine is quarantined from the network and the source address is blocked at the firewall.

Carbon Black Defense Actions

Enrichment:

  • Directory Listing
  • Download File
  • Event Details
  • List Processes
  • Memory Dump
  • Policies List
  • Search Into Events
  • Search Process
  • System Info

Containment:

  • Change Device Status
  • Delete File
  • Terminate Process

Summary

Carbon Black Defense is an extremely powerful endpoint solution, capable of detecting advanced threats, supporting detailed data enrichment, and enabling rapid incident response. Orchestrating actions between Carbon Black Defense and other third-party solutions through IncMan integrations lets organizations harness the power of Carbon Black Defense at any stage of the incident response process, making the response more efficient and effective.

Detect, Analyze and Respond to Advanced Malware with DFLabs SOAR Platform and McAfee ATD

As malware attacks continue, attackers are going to great lengths to obfuscate both the intent and capabilities of their malicious payloads to evade detection and analysis. In addition, the rate at which new malware is being developed has reached staggering new levels. Zero-day malware is increasingly common in all environments and signature analysis is becoming less effective.

As a result, malware has become increasingly difficult to detect using more traditional detection mechanisms. Once detection occurs, it is often difficult to successfully analyze the malicious file to determine the potential impact and extract indicators. To successfully respond to a potential malware incident and minimize the impact, early detection and analysis are critical.

In this blog, we will briefly discuss how a security operations team can detect, analyze and respond to advanced, evasive malware by utilizing McAfee Advanced Threat Defense (ATD) with DFLabs IncMan SOAR platform, and present a simple use case example.

Utilizing McAfee ATD with DFLabs IncMan SOAR Platform

Early detection, analysis, and extraction of indicators are critical in successfully responding to and remediating a security incident involving malware. McAfee ATD enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats. Tight integration between security solutions enables instant sharing of threat information across the environment, enhancing protection and investigation.

DFLabs IncMan and McAfee ATD together solve two specific challenges: 1) how can I reliably detect malicious files? and 2) how can I determine the capabilities of, and extract indicators from, malicious files? Utilizing DFLabs IncMan’s integration with McAfee ATD together with IncMan’s R3 Rapid Response Runbooks, organizations can automate and orchestrate the detection and analysis of suspected advanced and evasive malware, allowing a faster and more effective response to malware incidents. In addition, ATD provides users with critical insights into the capabilities of suspicious files, as well as indicators which may be further enriched through additional automated actions.

Use Case in Action

A potentially malicious file has been detected on a workstation, causing the security operations team to initiate the incident response process. The malicious file has been extracted from the workstation and added to the IncMan incident as an artifact. Next, the R3 Runbook defined for malware alerts and incidents is used to scan the file, perform additional enrichment, and then block the infected host if necessary.

To begin, McAfee ATD is used to detonate the potentially malicious file. Once detonation has completed, McAfee ATD returns information about the executable, including the determined severity level. Next, a condition checks whether the severity returned by McAfee ATD is greater than 0, indicating that the file is likely malicious.

If McAfee ATD determines that the file is likely malicious, an additional enrichment action gathers information from McAfee ePolicy Orchestrator (ePO) about the host on which the malicious file was detected. McAfee ePO is then also used to tag the host with the appropriate tags, indicating that it may be infected with malware.

Following these enrichment actions, a user choice decision point is reached. The analyst is prompted to decide manually whether the workstation that generated the malware alert should be temporarily blocked from communicating outside the network. All of the enrichment information from the previous actions, including the information from McAfee ATD and ePO, is available to the analyst to assist in the decision.

If the analyst chooses to block this workstation at the perimeter, a containment action will utilize McAfee Web Gateway to block the IP of the workstation until further investigation and remediation can be conducted.
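Both use cases on this page follow the same runbook shape: enrichment actions, a condition on the enrichment result, a user choice gate, and then containment. The Python below is an added, constructed model of that pattern instantiated with the McAfee ATD flow just described; it is not IncMan, Carbon Black or McAfee code, and the ATD, ePO and Web Gateway adapters, the `ATD_VERDICTS` table and the host names are hypothetical in-memory stand-ins.

```python
# Constructed model of the runbook pattern in both use cases above (enrich,
# condition, analyst choice, contain). Not IncMan, Carbon Black or McAfee code:
# every integration is a plain callable supplied by the caller.
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class Incident:
    host: str
    host_ip: str
    data: dict = field(default_factory=dict)   # enrichment results keyed by action name
    log: list = field(default_factory=list)    # actions executed, skipped or declined

@dataclass
class Step:
    name: str
    action: Callable[[Incident], None]
    when: Optional[Callable[[Incident], bool]] = None  # condition: skip the step when False
    gate: Optional[Callable[[Incident], bool]] = None  # analyst "user choice": False ends the runbook

def run_runbook(inc: Incident, steps: list) -> Incident:
    for s in steps:
        if s.when is not None and not s.when(inc):
            inc.log.append("skip:" + s.name)
            continue
        if s.gate is not None and not s.gate(inc):
            inc.log.append("declined:" + s.name)
            break                                # containment declined: stop, leave evidence in place
        s.action(inc)
        inc.log.append(s.name)
    return inc

# Hypothetical adapters standing in for McAfee ATD, ePO and Web Gateway (constructed data).
ATD_VERDICTS = {"sample_a": 0, "sample_b": 3}   # artifact id -> sandbox severity
EPO_TAGS: dict = {}                              # host -> tags applied
BLOCKED_IPS: set = set()                         # IPs blocked at the perimeter

def malware_runbook(artifact: str, host: str, host_ip: str, analyst_approves: bool) -> Incident:
    malicious = lambda i: i.data["atd.detonate"] > 0            # page condition: severity > 0
    steps = [
        Step("atd.detonate", lambda i: i.data.update({"atd.detonate": ATD_VERDICTS[artifact]})),
        Step("epo.host_info", lambda i: i.data.update({"epo.host_info": {"host": i.host}}),
             when=malicious),
        Step("epo.tag", lambda i: EPO_TAGS.setdefault(i.host, []).append("possible-malware"),
             when=malicious),
        Step("webgateway.block_ip", lambda i: BLOCKED_IPS.add(i.host_ip),
             when=malicious, gate=lambda i: analyst_approves),
    ]
    return run_runbook(Incident(host, host_ip), steps)
```

The `log` of each returned incident doubles as the audit trail an incident handler would expect: which enrichment ran, which containment step was declined, and why.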

In Summary

By harnessing the power of McAfee ATD, along with the orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization. With malware continuing to be one of the top cyber attacks, it is critical that security operations have a streamlined process in place to detect and respond to such security alerts.

If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.