Today we unveiled that Bit9 + Carbon Black has joined the Facebook ThreatExchange community. This is a fast-growing group for sharing information about current and emerging threats and it is built on nice APIs, data protocols, and the typical West Coast attitude of iterating quickly. Our work with the ThreatExchange team to get to this point was incredibly frictionless.
We’re also announcing that every Carbon Black customer gets a new Threat Intelligence Cloud (TIC)-provided threat intelligence feed containing all of the TLP:White data from ThreatExchange. In addition, we are providing a connector so that anyone with a ThreatExchange account can pull every classification of information into their Cb server using their own credentials.
Why did we do this? The more automated detection you can do for known indicators of compromise, the better. Threat intelligence is just noise if you cannot easily operationalize it. And if it takes time for people to manually search for various indicators, that’s not good, either. So you need a way to easily compare activity and known suspicious or malicious attributes, and that method should be automated.
With our integration with the ThreatExchange, that is really easy. The new TIC feed will just appear (almost like magic!). If you want more, and have a ThreatExchange account, you simply add an RPM, configure a couple of quick settings and you’re off to the races!
In fact, we’ve even made our connector available as an open-source project.
THREATEXCHANGE IN ACTION!
Our threat feeds contain indicators and patterns of compromise that are compared against endpoint activity. The comparison happens on the back-end, so there is no performance impact on the endpoints, even with thousands, or millions, of IOCs.
Once the feed is enabled, you can be alerted when hits happen and/or go ask which activity matched the ThreatExchange feed.
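The matching described above, as an added illustration that is not the connector's or Carbon Black's code: a minimal back-end matcher that keeps only the permitted TLP levels, indexes the indicators in sets so per-event lookup cost does not grow with the IOC count, and reports which process and connection produced the feed hit. The record shapes, indicator values and endpoint events are all constructed sample data.

```python
# Added example (not ThreatExchange or Carbon Black code). Indicator records
# and endpoint events below are constructed, not real ThreatExchange output.

# Constructed indicator records: type, value and TLP sharing level.
THREATEXCHANGE_RECORDS = [
    {"type": "IP_ADDRESS", "indicator": "203.0.113.10", "share_level": "WHITE"},
    {"type": "DOMAIN", "indicator": "Bad.Example", "share_level": "WHITE"},
    {"type": "IP_ADDRESS", "indicator": "198.51.100.7", "share_level": "AMBER"},
]


def build_feed(records, allowed_levels=frozenset({"WHITE"})):
    """Index indicators by type, keeping only the permitted TLP levels.

    The shared TIC feed would pass the default (TLP:White only); a customer
    using their own credentials could pass every level they are entitled to.
    """
    feed = {}
    for rec in records:
        if rec["share_level"] in allowed_levels:
            feed.setdefault(rec["type"], set()).add(rec["indicator"].lower())
    return feed


# Constructed endpoint events: host, process, and the network connection made.
ENDPOINT_EVENTS = [
    {"host": "ws01", "process": "putty.exe",
     "netconn": {"ip": "203.0.113.10", "port": 22}},
    {"host": "ws01", "process": "chrome.exe",
     "netconn": {"domain": "example.org", "port": 443}},
    {"host": "ws02", "process": "svchost.exe",
     "netconn": {"ip": "198.51.100.7", "port": 443}},
]


def match_events(events, feed):
    """Compare each event against the feed and return one hit per match."""
    hits = []
    for ev in events:
        nc = ev.get("netconn", {})
        # Each field is checked against the matching indicator type; set
        # membership keeps this O(1) per field regardless of feed size.
        for itype, value in (("IP_ADDRESS", nc.get("ip")),
                             ("DOMAIN", nc.get("domain"))):
            if value and value.lower() in feed.get(itype, ()):
                hits.append({"host": ev["host"], "process": ev["process"],
                             "type": itype, "indicator": value,
                             "port": nc.get("port")})
    return hits
```

With the default TLP:White feed only the putty.exe connection matches; passing `{"WHITE", "AMBER"}` to `build_feed` surfaces the second hit as well.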
Wow, ok, we got two hits! Let’s dive into Putty by going to the Process Analysis page. You can quickly see this process tree does not look normal, with a lot of suspicious and, at this point, malicious execution starting to surface. For the Feed Hit, we can quickly see this is from the ThreatExchange feed and see it was a network connection over port 22. That makes sense because this is Putty.
From here, we might want to quickly isolate the machine from the rest of the environment (to stop any bleeding), and then “Go Live” with Live Response to connect directly to the endpoint to begin recovery and remediation (or gather further evidence and information).
For this purpose, let’s just kill putty.exe:
We’ve now very quickly begun the process of cleaning up and getting this endpoint back toward a trusted state. Of course, for this attack there is a bit more to do (a few other processes to kill), but that wasn’t the point of this post.
So what was the point?
We’re extremely excited to be part of the Facebook ThreatExchange community. You can easily enable automatic importing and monitoring of particular ThreatExchange information, and then be alerted any time there is a match. From there, triage takes just seconds, and you can seamlessly move into a deeper dive or into remediation.
With all the media coverage this week in the U.S. about CISA, threat intelligence sharing is getting its 15 minutes of fame. But when you share information, you’re just creating noise for the other parties if they cannot use computing power to consume it and apply it to their defenses. Through integrations like ours with ThreatExchange, you quickly raise your defensive bar by incorporating into your environment what all these other great companies are learning about attacker tactics, tools and infrastructure. We’re excited to see where this relationship goes, and we would love to get feedback from you.