For a long time, security professionals over-invested in “set-it-and-forget-it” detection capabilities like antivirus. We’ve since wised up and moved on to detection, detection, and more detection, but as a result, we started to drown in a sea of alerts. Even valid alerts are just noise if you can’t appropriately respond to them.
Cyber defense, after all, is about humans fighting humans. It’s no longer AV fighting worms. So the true problem is that most of us are in a state of continuous response, handling many, many alerts every day and often guessing what to do based on inconclusive information.
When an alert deserves actual attention, we cobble together several tools and often have to lean on IT to help us put our tools on the asset in question to start collecting evidence and taking action. It’s a losing game. Not anymore. Enter Carbon Black 5.0, introduced on January 27.
The continuous recording and centralized storage inherent in Carbon Black enables you to quickly gain access to endpoint context and visibility, regardless of which thread you have to pull:
So, you pull on that thread, be it an IP address, file path, or hash (or many, many others), and you get hits. You get process instances that match those attributes.
Let’s dive in to start doing triage and analysis:
With Carbon Black, we’re trying to put all this information at your fingertips. We want you to easily answer questions such as: “When did this process start?” “Who is its parent?” “Does it have children?” “Is it signed?” etc. But more than just answering these questions, Carbon Black shows you the various events the process was performing:
But what’s your immediate goal? As a responder, you’re trying to quickly assess root cause and understand what occurred. With Carbon Black, you can walk up and down the tree and see all the event activity that occurred for each process.
Here’s the nice shot of the process tree for this example attack:
On the left, you have Outlook.exe, which started this whole thing via Internet Explorer and Acrobat. On the right, you have what occurred afterward, including eventguide.pdf, svchost.exe, and a bunch of other commands and utilities used to accomplish the attacker’s goal. It doesn’t take much digging to see what occurred.
(Note: I’m skipping over a lot of events that would easily raise eyebrows, because the point isn’t to explain this specific attack; it’s to show you how you can be more operationally effective.)
So what now? Call IT and re-image? Go grab a forensics tool, walk to the person’s desk (or hope IT can push it out for you) and start collecting more data?
Not anymore. Carbon Black 5.0 enables you to respond LIVE!
The first thing a responder would most likely want to do is STOP THE BLEEDING. With Carbon Black 5.0, we have built-in endpoint isolation where our sensor can stop all communications except with our server. The compromised endpoint won’t be able to do anything, but you’ll still have communications with it:
Ok great, bleeding stopped, but you can do more. With Live Response, Carbon Black gives you a terminal right in our Web console and via the already-existing sensor on the endpoint. You just click “Go Live” and you’re in.
Time to do more investigation and begin your cleanup and recovery:
Several built-in commands give you unprecedented control and action capabilities within your endpoint threat detection and response solution:
Want to dump memory to preserve it for analysis or litigation? Just upload something like Winpmem and you’re all set.
Additionally, you can look at registry key values, files and more:
From here, as a responder, I would take various IOCs, IOAs, and behavioral information from this attack and convert those into watchlists and feeds to drive detection.
The next time these hashes, IPs, or patterns of compromise are used, I will be alerted on them quickly. And, with Carbon Black 5.0, you can spend your time inside the new “Alert Triage” section to help prioritize, resolve and score your alerts:
Carbon Black 5.0 also computes dwell time, machine hygiene, top offenders, best alert resolvers, and more, enabling you to directly measure your team’s improvement over time. Now, show your organization’s leaders how effective—and fast—you are at battling threats.
Early-adopter customers have called Carbon Black 5.0 a “game changer.” It’s already helped them take action and leverage more threat intelligence than ever before from our partners and our own Threat Intelligence Cloud.
We’ve also added new event types such as remote thread injection and other activities that memory attacks leverage. Additionally, we’ve introduced more partnerships and integrations with on-premises network security products to move toward the one-plus-one-equals-three solution.
Feel free to reach out to us and make the call for yourself as to whether or not Carbon Black 5.0 is truly a “game changer.”