Please note we have recently updated our Privacy Policy, effective May 24, 2018. You may view the updated Privacy Policy here.
By using this website, you consent to the use of information that you provide us in accordance with the Privacy Policy.


Pre-Execution & Post-Execution Protection & Response with Carbon Black

October 11, 2016 / Stacia Tympanick Ben Johnson

It’s clear that vendors are all saying that they can do the same thing in terms of preventing unknown and malicious attacks, but when it comes down to the mat, who taps out?

Below, we’ve noted three specific attacks targeting your organization that Carbon Black can help with today.

1 – Memory attacks

Memory attacks can be deadly when penetrating a machine. Memory attacks are those attacks where no malicious payload really hits the disk (temporary files aside). The attack is typically a malicious document , applet or flash advertisement that exploits the corresponding legitimate application (like Acrobat Reader or Flash). It can also be a remote exploit of a legitimate service, where similar to the previously mentioned vectors, the malicious code runs in the legitimate process. In either case, because there is no new malware binary, it’s often harder to stop.

Custom rules are offered within Cb Protection to help ensure processes only run in particular context. For an example, with Adobe, Word, etc., rules can be set up so that nothing outside normal activity can execute. Joel Rising at Carbon Black calls this “IronBoxing”. This means use File Integrity Control, Memory Registry, and Execution Control rules to put an application in an “iron box,” preventing it from doing anything it does not normally do, that you do not trust it to do.  So for example, why does Word need to touch the memory space of Adobe Reader, why does it need to touch “CurrentControlSet” in the registry, why does it need to be launching other processes. Overall, this has been an incredible defense for our customers, ensuring that programs run as prescribed.

Cb Response does a remarkable job of picking up memory attacks. Insight from Cb Response includes: cross-process events and thread injections; a process targeted for injection; and when remote threads have been opened on a process to run in memory. With “Live Response,” you can pull a memory dump and reboot the machine to dump this attack out of RAM and still have the historical data to refer back to.

Cb Defense is well known for its defense against processes scraping memory, injecting into memory, or executing code from memory in unusual ways. Cb Defense realizes that although some applications are not inherently bad, they do have the capability to become a bad actor. With Cb Defense, we will allow trusted programs to run in the organization, but if they exhibit TTP’s, Tactics, Techniques, Procedures, that fall in line with a threat, we will begin to record so that you have visibility into these threats.

If a memory attack is detected/stopped, can you have the data on how it spawned in the first place? Can you go back and close any gaps that are open to that attack without historical data to reference? Those are critical questions to answer. When you’re considering adding technology to your stack, make sure it is enabling your people to be more effective.

2- Macros

If a executable is disguised as a macro, Cb Protection will stop it unless you have deemed it to be a trustworthy executable. We recently did an evaluation with a retail organization where they took an email that had a Word macro in it. The user was prompted enter their credentials to move forward. The script then tries to make a network connection. Once the network connection was made, the attack then brings down the executable to call for ransomware. Cb Protection stops this attack dead in its tracks when the executable attempts to run.

(Note: Cb Protection does not stop the macro until it attempts to execute the malware.)

With PDF exploits or macros, Cb Response gives you full visibility into the attack. To be transparent, Cb Response does not see the embedded macro code in the command line utility, but does see it make a network connection and write the executable.

In the example above, the program resided in the temp folder. Cb Response provided the visibility to go in and remove it. With Cb Response, you can create an alert that hits anytime a document has child processes of things such as wscript, cscript, PowerShell, or cmd. You can decide to automatically isolate a machine when this occurs.

Cb Defense can be configured to policy around documents, JavaScript files, or pdfs, just as it is configured with PowerShell. With most macros, Cb Defense sees a network connection pull down the executable or html file required for exploitation. With Cb Defense, simply deny any attempts for docs, pdfs, or JavaScript files from making network connections.

When evaluating products, be sure to ask when these solutions will stop a macro. Carbon Black provides actionable telemetry observed in your environment.

3- End-User Woes

This is a frequent topic of discussion for us. In Cb Protection set the stage of a “Medium Enforcement Policy” where the user has the freedom to allow an untrusted application. We can approach this a few ways. Let’s first give the end user the benefit of the doubt. If he/she does proceed through the first block, remember that this attack will probably require a few executions before landing in the pot of gold. With that in mind, they will need to blow through multiple prompts – not just one.

In this example, this person simply blows through the prompts. The custom rules that I mentioned above can be set up for any policy, regardless of enforcement level. We can also determine if anything is defined as malicious; we do not care if they are in a Low Enforcement policy (Reporting Unapproved Change). A best security practice here is to keep the machine in “High Enforcement”, where all unapproved change is blocked, to ensure you see all changes before applying them as trustworthy.

If an end user blows through the block messages Cb Response also provides the ability to “rewind the tape” to see what’s going. You can confidently know that the next time they are in for work, you are aware of their behaviors and decide to keep them in High Enforcement with Cb Protection. You can also authorize trustworthy changes that they request.

Additionally, Cb Defense will report on any behavior that exhibits malicious tactics, techniques, and procedures.

It’s hard to decipher through the datasheets and impressive pre-canned demos, so make sure you look into doing a proper evaluation that both addresses the needs of your organization and looks at what’s going on from an adversarial perspective.  Whether you focus more on prevention or detection, whether you want more out of the box or more flexibility, only you can make those decisions.  Make sure you understand how realistic attack scenarios are handled by the technologies you employ, and then make sure you are comfortable with those conclusions.  In order to mitigate risk, we all must understand how our environment stacks up and where we might need more technology or more people to get to a better place.


To learn more about Cb Protection, Cb Response and Cb Defense, click here.


TAGS: Carbon Black / Cb Defense / Cb Protection / Cb Response / memory attacks