Add to collection(s) Add to saved
  1. No category
Uploaded by cigenih731

Bit9 Advanced-Threat-Hunting-with-Carbon-Black

advertisement 
Whitepaper
Advanced Threat Hunting
with Carbon Black
>
Whitepaper
>
TABLE OF CONTENTS
Overview
Threat Hunting Defined
Existing Challenges and Solutions
Prioritize Endpoint Data Collection Over Detection
Leverage Comprehensive Threat Intelligence
Expand Detection Beyond the Moment of Compromise
Threat Hunting within Carbon Black
General Threat Hunting
Hunting a Specific Threat
Summary
Advanced Threat Hunting with Carbon Black
2
>
Whitepaper
>
Overview
Forty-seven percent of incident responders claim they assume their enterprise is already compromised.1 By
preparing for a breach, enterprises can deliver a better security posture as well as set the foundational elements
necessary to proactively hunt for threats.
With that said, many organizations still focus on—and prioritize—the wrong protection techniques across
their environment. Despite the fact that 65 percent of 2013 data breaches happened on company endpoints2
(laptops, desktops, servers and POS systems), many enterprises still focus on securing their network—networks
that are increasingly difficult to secure with more employees operating outside of them.
With only 5 percent of data breaches compromising networks,3 attackers are ultimately targeting where the
data is: the endpoint. However, even if an enterprise is focusing on their endpoints, they typically prioritize
detection capabilities over data collection. This makes it difficult to expand detection beyond the moment of
compromise and accelerate the discovery of advanced threats.
Additionally, most attackers take days or less to compromise an enterprise. When they do, an advanced
attacker can escalate their privileges within a given environment to establish persistence. If acquired, the
attacker can essentially “live off the land” by using trusted tools to move in and out of an organization as well
as exfiltrate data.
This white paper will cover the capabilities necessary to proactively and efficiently hunt for threats
across your enterprise.
1
A SANS Analyst Survey, The Case for Endpoint Visibility, Jacob Williams, March 2014
2
2014 Verizon Data Breach Investigations Report
3
2014 Verizon Data Breach Investigations Report
Advanced Threat Hunting with Carbon Black
3
>
Whitepaper
>
Threat Hunting Defined
Enterprises are now realizing it is no longer a matter of if they will be breached, but rather a matter of when. As a result, many
businesses are looking for detection and response tools that can answer the ultimate question: “is my organization already
compromised?” To do so, they need tools that can not only detect and respond to threats, but also ones that can hunt them as
well. To hunt for threats, enterprises need tools that can accelerate threat discovery to quickly identify potential compromise
within the organization.
Existing Challenges and Solutions
PRIORITIZE ENDPOINT DATA COLLECTION OVER DETECTION
Many enterprises overload on detection capabilities from network security and/or threat intelligence providers. Although this
step is important, it shouldn’t be the first one you take. A majority of incident responders (52 percent) say they lack the necessary
visibility into endpoint vulnerabilities—citing it as a chief obstacle to efficient IR.4 Also, if you are deploying only scan-based
technologies on the endpoint you are leaving gaps in your data collection coverage as well as losing the context of an attack as it
moves across your enterprise.
“A majority of incident responders
(52 percent) say they lack the necessary
visibility into endpoint vulnerabilities”
— SANS INSTITUTE
When preparing to hunt for threats, ensuring that your endpoint security tools can continuously collect the critical data necessary
to conduct immediate and conclusive threat discovery is essential. During an investigation, the data collection process can be
tedious, time-consuming and expensive. By proactively collecting the critical data necessary, enterprises can instantly leverage an
historical record of their environment for threat hunting.
CONTINUOUS ENDPOINT VISIBILITY
RECORDED RELATIONSHIPS
Continuously Record
All File
Executions
All File
Modifications
All Network
Connections
All Registry
Modifications
Copy of Every
Executed Binary
Carbon Black automates the data acquisition process by deploying endpoint sensors across an entire enterprise that continuously
records all activity. The result is a solution that provides contextual and continuous endpoint visibility by maintaining the recorded
relationships of every file execution, file modification, registry modification, network connection, and executed binary in your
environment. In conjunction with the Bit9 + Carbon Black Threat Intelligence Cloud, organizations can efficiently classify threats
across their business to accelerate threat discovery.
4
A SANS Survey, Incident Response: How to Fight Back, Alissa Torres, August 2014
Advanced Threat Hunting with Carbon Black
4
>
Whitepaper
>
LEVERAGE COMPREHENSIVE THREAT INTELLIGENCE
Sixty-six percent of enterprises stated they suffered successive false alarms from their detection solutions.5 This is due to
organizations’ inability to both collect the right data and classify it instantly. The result is an enterprise that cannot fully scope
attacks impacting their business.
THREAT INTELLIGENCE CLOUD
Continuous Data
Collection
Continuous Endpoint Visibility &
Attack Classification
ENDPOINT
!
ENDPOINT
!
CONSOLE
!
ENDPOINT
!
SERVER
With Carbon Black, enterprises get a holistic approach to threat hunting by layering a variety of threat intelligence feeds—from
within the Bit9 + Carbon Black Threat Intelligence Cloud—over its continuously recorded endpoint visibility. This enables
businesses to classify threats based on software reputation, network circumvention attributes, open-source malware tracking,
community-based threat intelligence, malicious domains, custom feeds and more.
By combining its unique process search, Carbon Black can hunt for threats based on its threat intelligence feeds or entire attack
processes captured by its continuous endpoint data collection. Also, by utilizing Carbon Black’s unique watchlist capabilities, any
process search done in the Carbon Black console can be saved as a watchlist to deliver real-time detection moving forward.
THREAT INTELLIGENCE CLOUD
ENDPOINT
CONSOLE
ENDPOINT
WATCHLIST OR PROCESS SEARCH
!
ENDPOINT !
SERVER
5
A SANS Survey, Incident Response: How to Fight Back, Alissa Torres, August 2014
6
2014 Verizon Data Breach Investigations Report
Advanced Threat Hunting with Carbon Black
5
>
Whitepaper
>
EXPAND DETECTION BEYOND THE MOMENT OF COMPROMISE
Approximately 90 percent of attacks take days or less to compromise an enterprise. Contrast that with the fact that nearly 80
percent of businesses can take weeks or longer to discover those same attacks,6 and clearly organizations have a threat
discovery problem. This threat discovery gap leaves enterprises susceptible to prolonged data breaches that can
exponentially impact their business.
“90 percent of attacks take days or
less to compromise an enterprise”
— 2014 VERIZON DATA BREACH INVESTIGATIONS REPORT
Many enterprises have trouble discovering advanced threats because they exclusively rely on the limited detection capabilities of
endpoint antivirus solutions. The figure below demonstrates how signatures are significantly better at discovering opportunistic
attackers. This is because opportunistic attackers find value in scale. Their objective is to compromise as many endpoints as
possible—and as a result—are likely to have a signature developed shortly thereafter. The advanced attacker—who only targets
a finite number of assets needed to accomplish a specific mission—can remain below the detection threshold and go significant
amounts of time without registering a signature, if they register one at all.
SIGNATURE
AVAILABLE
DETECTION THRESHOLD
COMPROMISE AS MANY
ENDPOINTS AS POSSIBLE
TIME
ADVANCED
HOSTS COMPROMISED
HOSTS COMPROMISED
OPPORTUNISTIC
DETECTION THRESHOLD
SIGNATURE AVAILABLE
(if ever)
COMPROMISE AS FEW
ENDPOINTS AS POSSIBLE
TIME
Additionally, an advanced attacker can move laterally to more critical systems in an attempt to escalate their privileges within
an environment. If the attacker succeeds, they can come and go as they please within a given enterprise “living off the land”
by leveraging built-in tools to reduce the number of new executables—reducing the amount of change they introduce into
the environment. As a result, the attacker can persist for long periods of time by adding more user and system accounts. By
proactively deploying continuous data collection to track an attacker’s every move, and classifying threats by leveraging robust
threat intelligence, enterprises can hunt across the attacker’s entire kill chain.
The example below also illustrates the shortcomings of endpoint visibility provided by most security solutions. With no
reputation or threat intelligence data to draw on, how do enterprises pick the needles out their data collection haystack? Without
understanding the prevalence of endpoint activity, how can organizations effectively prioritize detection events to accelerate the
discovery of targeted attacks? And without continuously maintaining the relationships of the data they collect, how do they fully
scope their entire enterprise efficiently and effectively?
Advanced Threat Hunting with Carbon Black
6
>
Whitepaper
>
TRADITIONAL
ENDPOINT VISIBILITY
EVENTS
EVENTS + INTELLIGENCE
EVENTS + INTELLIGENCE
+ PREVALENCE
EVENTS + INTELLIGENCE
+ PREVALENCE + RELATIONSHIPS
With Carbon Black, enterprises can leverage its recorded endpoint history to trace attacks back to their root cause and hunt
them based on exhibited behaviors and processes. By recording the entire attack process, event relationships, prevalence, and
reputation (threat intelligence) of the activity, you can roll back the tape to understand where it originated—even if it arrived
through a trusted software delivery system that eventually spawned an exploit. This can improve policy enforcement at the
endpoint, enhance your overall detection capabilities, and enable businesses to proactively hunt both past and present threats.
Threat Hunting within Carbon Black
GENERAL THREAT HUNTING
An example of threat hunting is illustrated below. Say you are concerned with the following behavior, have read an article on
this topic, or previously seen a malicious actor do this—such as an unsigned binary with at least one network connection that is
running out of a temp folder. To hunt for these characteristics you query within Carbon Black’s process search.
Once searched, you receive 76 hits with one at the bottom that jumps out at you. To dive further, you click on this particular
binary to open up Carbon Black’s process analysis view
Advanced Threat Hunting with Carbon Black
7
>
Whitepaper
>
When analyzing this binary on the process analysis page Carbon Black puts a variety of information at your fingertips. You
immediately see that the process is unsigned and has spawned a rundll32.exe process. To get further context, you click on the
Alliance Feed drop-down to further classify the potential attack.
Advanced Threat Hunting with Carbon Black
8
>
Whitepaper
>
In the Alliance Feed section, you notice some very troubling scores associated with this given process.
When you scroll down to look at what this given process did to the filesystem you notice that it wrote multiple binaries.
Advanced Threat Hunting with Carbon Black
9
>
Whitepaper
>
When diving in deeper and looking at the details of a specific binary, you notice that it has very little metadata, it is unsigned and it
has a large threat score. At a glance, you can also see that three hosts (endpoints) have observed this particular binary.
Additionally, you can see that it has made a network connection. Moving forward, you can use this IP and domain as an indicator of
compromise for future detection alongside the filename, hash value and other exhibit behaviors.
Advanced Threat Hunting with Carbon Black
10
>
Whitepaper
>
HUNTING A SPECIFIC THREAT
CVE-2014-1776 comes out and there are rumors of an IE exploit that uses vgx.dll and flash. You search off of three known
sets of criteria:
1. Targets Internet Explorer
2. Requires vqx.dll to be loaded by iexplorer.exe process
3. Triggered by malicious Flash file
Using Carbon Black you can instantly identify this criteria:
process_name:iexplore.exe modload:vgx.dll modload:*.ocx
Once searched, you find 175 matching processes. You then take the next step of looking for instances where these processes also
have child processes, which case matches *.dll, such as:
modload:vgx.dll process_name:iexplore.exe modload:*.ocx childproc_name:*.dll
Advanced Threat Hunting with Carbon Black
11
>
Whitepaper
>
You then dive further into the specific instance of Internet Explorer and immediately see that it is spawning a process with the
name 0159.dll. You then scroll down to review what activity is associated with the child process 0159.dll.
Summary
With the number of advanced attacks increasing every day—most undiscovered through traditional detection and response
tools—truly hunting for threats within your environment can be a laborious task. To combat this, enterprises must focus on:
++ PRIORITIZING ENDPOINT DATA COLLECTION OVER DETECTION: Businesses need to continuously record the critical data
necessary while also maintaining the relationships of those data sets to fully scope an attack.
++ LEVERAGING COMPREHENSIVE THREAT INTELLIGENCE: Alongside continuous data collection, enterprises must possess
the capability to layer threat intelligence and reputation over the data they collect to instantly classify and prioritize threats—
accelerating threat discovery in the process.
++ EXPANDING DETECTION BEYOND THE MOMENT OF COMPROMISE: Businesses should deploy solutions that can hunt both past
and present threats based off of a continuously recorded history—not just individual events.
Organizations need to continue to make the endpoint a priority when it comes to information security. When hunting for threats,
enterprises need a solution that can “roll back the tape” to understand an attack’s root cause. As a result, Carbon Black delivers the
best solution to hunt for threats, accelerate threat discovery, respond in seconds and proactively prepare businesses for a breach.
ABOUT BIT9 + CARBON BLACK
The combination of Bit9 + Carbon Black offers the most complete answer to the newer, more advanced threats and targeted attacks
intent on breaching an organization’s endpoints. This comprehensive approach makes it easier for organizations to see—and
immediately stop—advanced threats. Our solution combines Carbon Black’s lightweight endpoint sensor, which c­ an be rapidly deployed
with no configuration to deliver “incident response in seconds,” and Bit9’s industry-leading prevention technologies. Benefits include:
+
+
+
+
Continuous, real-time visibility into what’s happening on every computer
Real-time threat detection, without relying on signatures
Instant response by seeing the full “kill chain” of any attack
Protection that is proactive and customizable
Bit9 + Carbon Black delivers a comprehensive solution for continuous endpoint threat security. This is why thousands of organizations
worldwide—from 25 Fortune 100 companies to small businesses—use our proven solution. The result is increased security, reduced
operational costs and improved compliance.
© 2014 Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners.
266 Second Avenue
Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.bit9.com
Related documents
A. Explain the nature of marketing plans. B. Explain the role of
A. Explain the nature of marketing plans. B. Explain the role of
Apocalypse Assignment
Apocalypse Assignment
ex_buisness_expansion
ex_buisness_expansion
1984 Anticipation Guide
1984 Anticipation Guide
Statement of Richard Perle Fellow, American Enterprise Institute Before the
Statement of Richard Perle Fellow, American Enterprise Institute Before the
Stress Management - Dr. Fayose
Stress Management - Dr. Fayose
Download
advertisement