With the recent “news” that malware was using Dropbox for command and control as well as data exfiltration (malware has been communicating via legitimate cloud and social sites for several years), we felt it would be a good time to point out the power of endpoint visibility.
By knowing which process is making a connection, as well as information such as parent process, child processes, who wrote the binary in question, etc., a whole new world of both response and detection is enabled. Using Carbon Black data, it’s very simple to start alerting on this sort of activity. To begin, we search for anything that isn’t dropbox.exe that is communicating with the dropbox.com domain:
process_name:* -process_name:dropbox.exe domain:dropbox.com
As you can see, the most recent results right now are all iexplore.exe. We can go page by page, or we can just filter out iexplore.exe to see what we get then:
process_name:* -process_name:dropbox.exe -process_name:iexplore.exe domain:dropbox.com
The only problem here is that we still have some browser and email clients. While you probably do not want to ignore them in reality (at least to start with), we’re going to negate them now to reduce our search results. We’re going to exclude by both process name and process md5sum so that you see that either (or both) is possible. So now we have:
This search still yields several results, but it is much more manageable. The results include a handful of anti-virus processes, but they also include winword.exe and svchost.exe.
Now, unfortunately for this specific blog post (but fortunately for our customer!), none of these hits are actual malicious activity (analysis omitted for brevity). The takeaway here is that we can determine how widespread Dropbox usage is in our environment, and (even more importantly) we can add a watchlist that will alert us when something (other than those excluded above), connects to Dropbox. You also can limit the search to particular users (such as a SYSTEM account), or specify multiple domains like Amazon, Box, and Google Drive, or look for processes connecting to the cloud that have an unusual parent, and more.
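To make the watchlist logic concrete, the following Python script is an added example (not Carbon Black code and not the post’s own queries) that applies the same filter to constructed endpoint connection records: keep connections to a set of cloud domains, drop processes excluded by name or by md5, and then flag the two enrichments the post suggests, a SYSTEM account and an unusual parent process. It goes beyond the post’s single dropbox.com query by covering several domains at once. All process names, hashes, users and domains in the sample records are constructed placeholders.

```python
"""Watchlist logic in the spirit of the post's Carbon Black queries, applied to
constructed endpoint telemetry. Added example; not Carbon Black's API or data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NetConn:
    """One observed network connection with the endpoint context the post relies on."""
    process_name: str
    process_md5: str
    parent_name: str
    username: str
    domain: str


# Constructed sample records; the md5 values are placeholders, not real hashes.
SAMPLE_CONNS = [
    NetConn("dropbox.exe", "md5-dropbox-placeholder", "explorer.exe", "CORP\\alice", "dropbox.com"),
    NetConn("iexplore.exe", "md5-ie-placeholder", "explorer.exe", "CORP\\alice", "dropbox.com"),
    NetConn("outlook.exe", "md5-outlook-placeholder", "explorer.exe", "CORP\\bob", "dropbox.com"),
    NetConn("winword.exe", "md5-word-placeholder", "explorer.exe", "CORP\\bob", "dropbox.com"),
    NetConn("svchost.exe", "md5-svchost-placeholder", "services.exe", "NT AUTHORITY\\SYSTEM", "dropbox.com"),
    NetConn("svchost.exe", "md5-svchost-placeholder", "winword.exe", "CORP\\bob", "box.com"),
    NetConn("chrome.exe", "md5-chrome-placeholder", "explorer.exe", "CORP\\carol", "drive.google.com"),
    NetConn("updater.exe", "md5-updater-placeholder", "explorer.exe", "CORP\\carol", "example.internal"),
]

# The post's single domain generalised to several cloud storage services.
CLOUD_DOMAINS = {"dropbox.com", "box.com", "drive.google.com"}
# Exclusions by process name (the post's -process_name:... terms).
EXPECTED_NAMES = {"dropbox.exe", "iexplore.exe", "chrome.exe"}
# Exclusions by hash, as the post does for md5sums (constructed placeholder hash).
EXPECTED_MD5S = {"md5-outlook-placeholder"}
# Parents we consider normal for a cloud-connecting process; anything else is "unusual".
EXPECTED_PARENTS = {"explorer.exe", "services.exe"}


def matches_watchlist(conn, domains=CLOUD_DOMAINS, names=EXPECTED_NAMES, md5s=EXPECTED_MD5S):
    """True when the connection targets a watched domain and the process is not
    excluded by name or by md5 (the same shape as the post's negated search)."""
    return (conn.domain.lower() in domains
            and conn.process_name.lower() not in names
            and conn.process_md5.lower() not in md5s)


def watchlist_hits(conns, **kw):
    """Return the connections that would raise a watchlist alert."""
    return [c for c in conns if matches_watchlist(c, **kw)]


def enrich(conn):
    """Extra context the post suggests looking at: SYSTEM account, unusual parent."""
    reasons = []
    if conn.username.upper().endswith("\\SYSTEM"):
        reasons.append("system-account")
    if conn.parent_name.lower() not in EXPECTED_PARENTS:
        reasons.append("unusual-parent:" + conn.parent_name.lower())
    return reasons


def domain_usage(conns):
    """How widespread cloud usage is: distinct process names per watched domain."""
    usage = {}
    for c in conns:
        if c.domain.lower() in CLOUD_DOMAINS:
            usage.setdefault(c.domain.lower(), set()).add(c.process_name.lower())
    return {d: sorted(p) for d, p in usage.items()}


if __name__ == "__main__":
    for hit in watchlist_hits(SAMPLE_CONNS):
        print(hit.process_name, "->", hit.domain, enrich(hit))
    print(domain_usage(SAMPLE_CONNS))
```

On the sample data the name and md5 exclusions leave three hits: winword.exe and svchost.exe to dropbox.com (the latter under the SYSTEM account) and an svchost.exe to box.com whose parent is winword.exe, which is exactly the kind of unusual-parent case the post says is worth a second look. Dropping the exclusions (`names=set(), md5s=set()`) turns the same function into the usage inventory the post describes.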
While we’re excited to see exposure about the issue of malware trying to blend in, as with Dropbox, it’s really not a new concept. With endpoint visibility, you can actually see which processes are making malicious connections. This information aids in detecting suspicious behavior as well as helping you understand how your enterprise uses a cloud-based service such as Dropbox.