By Sarah Miller and Dan Wodeyla
One of the things we at Bit9 + Carbon Black like to tell customers is that we “eat our own dog food.” That means the tools and integrations we sell are used in-house by our own security operations team. But what does that actually look like?
Here’s a recent incident our team worked, and how we used our tools.
A Bit9 + Carbon Black employee received this email:
This employee opened the email attachment.
This is what happened next:
The email attachment was a malicious document that reached out and downloaded a binary. Carbon Black was installed on that machine, so we had full visibility into network connections:
A Word process writing a binary to disk is unusual behavior. Bit9 was also installed on the host, so this activity triggered an Advanced Threat Indicator (ATI).
We’ve configured Bit9 to send its event stream directly to our SIEM, where an ATI raises a real-time alert for our SOC analysts, who can then drill down into the tools to figure out what happened.
Within two minutes of the user’s click, we had an alert telling us to go look at this machine.
Just in case our SOC analysts weren’t paying close enough attention, we also have a Carbon Black watchlist that looks for this kind of file activity and emails us when it finds a match. That email arrived within minutes of the file hitting disk.
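To make the detection described above concrete, here is an added example of the correlation logic a watchlist or SIEM rule would implement: find an Office process that writes an executable to disk, then attribute that process's network connections (and those of any process started from the dropped file) to the finding, so the hash to ban and the domains to block fall out of the same query. This is example code written for this page, not Carbon Black or Bit9 code; the event schema, field names (`type`, `proc`, `pid`, `path`, `md5`, `domain`) and the sample events are all constructed.

```python
"""Added example: correlate endpoint process/file/network events into an
Office-drops-executable finding and derive the indicators (hash to ban,
domains to block). The event schema, field names and sample data are
constructed for this example; they are not Carbon Black or Bit9 output."""

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
EXECUTABLE_EXTS = (".exe", ".dll", ".scr", ".com")

# Constructed sample event stream, in time order, for one host.
SAMPLE_EVENTS = [
    {"type": "procstart", "proc": "outlook.exe", "pid": 1000, "ppid": 500},
    {"type": "procstart", "proc": "winword.exe", "pid": 1200, "ppid": 1000},
    # The document fetches its payload: the download precedes the file write.
    {"type": "netconn", "proc": "winword.exe", "pid": 1200,
     "domain": "stage.example.invalid", "port": 80},
    # A normal Word side effect (lock file), not an executable: must not match.
    {"type": "filemod", "proc": "winword.exe", "pid": 1200,
     "path": r"C:\Users\user\Documents\~$invoice.docx"},
    # The interesting write: an Office process writing a PE to disk.
    {"type": "filemod", "proc": "winword.exe", "pid": 1200,
     "path": r"C:\Users\user\AppData\Local\Temp\update.exe",
     "md5": "0123456789abcdef0123456789abcdef"},
    # Constructed as if the binary ran, to exercise child attribution
    # (on the host in the post, Bit9 High Enforcement blocked execution).
    {"type": "procstart", "proc": "update.exe", "pid": 1300, "ppid": 1200,
     "path": r"C:\Users\user\AppData\Local\Temp\UPDATE.EXE"},
    {"type": "netconn", "proc": "update.exe", "pid": 1300,
     "domain": "c2.example.invalid", "port": 443},
    {"type": "netconn", "proc": "update.exe", "pid": 1300,
     "domain": "c2.example.invalid", "port": 443},
    # Unrelated browser traffic that must not be attributed to the finding.
    {"type": "netconn", "proc": "chrome.exe", "pid": 900,
     "domain": "www.example.com", "port": 443},
]


def is_office_process(name):
    return name.lower() in OFFICE_PROCS


def is_executable_path(path):
    return path.lower().endswith(EXECUTABLE_EXTS)


def analyze(events):
    """Return one finding per Office process that wrote an executable.

    Two passes: the first identifies dropper processes and any process
    started from a dropped file; the second attributes network connections
    to them. A single pass would miss the download, which happens before
    the file write that makes the process interesting.
    """
    findings = {}        # dropper pid -> finding
    dropped_paths = {}   # lower-cased dropped path -> dropper pid
    child_pids = {}      # pid started from a dropped file -> dropper pid

    for ev in events:
        if (ev["type"] == "filemod" and is_office_process(ev["proc"])
                and is_executable_path(ev["path"])):
            f = findings.setdefault(ev["pid"], {
                "dropper": ev["proc"], "dropper_pid": ev["pid"],
                "dropped_files": [], "ban_md5": [], "block_domains": []})
            f["dropped_files"].append(ev["path"])
            if ev.get("md5") and ev["md5"] not in f["ban_md5"]:
                f["ban_md5"].append(ev["md5"])
            # Windows paths are case-insensitive, so compare lower-cased.
            dropped_paths[ev["path"].lower()] = ev["pid"]
        elif ev["type"] == "procstart" and ev.get("path", "").lower() in dropped_paths:
            child_pids[ev["pid"]] = dropped_paths[ev["path"].lower()]

    for ev in events:
        if ev["type"] != "netconn":
            continue
        owner = ev["pid"] if ev["pid"] in findings else child_pids.get(ev["pid"])
        if owner is None:
            continue
        domains = findings[owner]["block_domains"]
        if ev["domain"] not in domains:
            domains.append(ev["domain"])
    return list(findings.values())


def alert_line(finding):
    """One-line summary in the shape a SIEM alert might carry."""
    return "ATI office-drops-executable: %s (pid %d) wrote %s; ban %s; block %s" % (
        finding["dropper"], finding["dropper_pid"],
        ", ".join(finding["dropped_files"]),
        ", ".join(finding["ban_md5"]) or "n/a",
        ", ".join(finding["block_domains"]) or "n/a")


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(alert_line(finding))
```

The rule keys on behavior (an Office process writing a PE) rather than on the attachment's hash or the download host, which is why it fires on the first write and before the binary ever runs; the hash and domains it collects are what the ban and block steps later in the post need.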
After receiving the Bit9 alert from our SIEM, we went to the Bit9 console to ban the files involved in this attack. Investigating the host confirmed that it was in High Enforcement mode, which means the dropped binary was automatically blocked from executing before anyone had to act. That made response and remediation very easy from the SOC’s point of view.
All we had to do was:
1) Contact the user. (All employees go through security training, but mistakes happen, and every incident is a learning opportunity that helps raise security awareness.)
2) Use the Bit9 console and Carbon Black Live Response to:
- Pull the malicious file and all associated files off the machine for further analysis.
- Delete the files from the user’s machine using Carbon Black Live Response.
- Reboot the system to clear any possible artifacts in memory. (If a memory capture is wanted for analysis, take it before rebooting; the reboot destroys it.)
- Ban the file hash in the Bit9 console. Because we run in High Enforcement, this was technically unnecessary, but banning provides additional assurance as well as an audit trail.
3) Use the network connection data collected by Carbon Black to block the C2 domains used by the malware.
Here’s what those actions looked like:
Total time to respond and remediate? Less than 20 minutes—and it only took that long because the user was on a phone call and couldn’t be contacted immediately. The actual work of alert, banning, and further investigation took less than five minutes.
Our SOC celebrated a job well done by taking our lunch break to do some malware analysis in conjunction with our threat intelligence team, which included discovering our favorite malicious file icon ever: