eGuide: Designing a Continuous Response Architecture
Disrupt Your Adversaries: 5 Steps to Stopping Advanced Threats
Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds
Table of Contents
Overview ... 3
The Problem ... 3
Defining the Threat ... 3
The Network is Not the Target ... 4
Incident Response is Ad Hoc ... 5
Incident Response is Not Forensics ... 5
Limited Threat Intelligence ... 6
The Solution ... 7
Proactive and Continuous Data Collection Powers Detection ... 7
Highlight Instead of Filter Data Collection ... 8
Apply Aggregated Threat Intelligence ... 9
Respond in Seconds with a Continuous Recording ... 10
Contain, Inspect, Terminate & Remediate Threats with Live Response ... 11
Security As a Process ... 12
Security Platform Over Product ... 13
Summary ... 13
Overview
It only takes a single breach to jeopardize your entire organization, and advanced threats have become increasingly targeted and sophisticated. We can no longer rely on response solutions that were developed for use post-breach by the IR consultant. Instead, we need to focus on solutions that enable enterprises to proactively prepare for advanced threats.
One of the biggest challenges facing security teams is having an effective endpoint strategy. Data acquisition, threat discovery, incident response and forensics have become incomplete, with no insight into lateral movement or root cause. We’ve relied on solutions that inundate us with too many alerts to prioritize and investigate, and we’ve blindly reimaged machines by focusing on reactive forensic techniques. Responders need to focus on security solutions that integrate easily with third-party products and make advanced threats easier to see and faster to stop. Businesses need to view security as a process and focus on solutions that can:
• Automate the tedious data acquisition process at the endpoint before a breach occurs
• Layer threat intelligence on top of continuously recorded visibility to highlight threats and expedite investigations
• Reduce the cost and complexity of incident response by instantly understanding the entire attack kill chain
• Intervene and contain advanced threats through endpoint isolation, attack termination and remediation
• Evolve and learn from investigations by using the right solutions to adjust your detection and prevention techniques
This eGuide will cover how responders can resolve these challenges and put their organization in a better security posture by proactively preparing for advanced threats.
The Problem
Defining the Threat
There are two types of attackers: opportunistic and advanced. The opportunistic attacker finds value in large-scale attacks. The more hosts the attacker compromises, the quicker a signature is generated, making the attack easier to identify.
The advanced attacker, on the other hand, finds value in small-scale, targeted attacks. By compromising fewer hosts, the attacker makes it take significantly longer for a signature to be generated (if it ever is). As a result, traditional endpoint prevention, detection and response solutions are more likely to miss advanced and targeted attackers who infiltrate an enterprise.
Advanced (or zero-day) attacks can take multiple forms:
• Unknown attack with no patch
• Known attack with no patch
• Known attack with available patch not yet applied
Figure: hosts compromised over time for the two attacker types. Opportunistic (compromise as many endpoints as possible): the number of compromised hosts quickly crosses the detection threshold and a signature becomes available. Advanced (compromise as few endpoints as possible): the number of compromised hosts stays below the detection threshold, and a signature becomes available late, if ever.
A response solution should be prepared for all attack phases, whether opportunistic or advanced, because you cannot know in advance what’s bad. Also, many attackers “live off the land” by leveraging built-in tools to reduce the number of new executables introduced into an environment, masking their lateral movement. This also enables an attacker to establish approved user accounts and escalate their privileges so they can come and go as they please. Threats are only as sophisticated as they need to be: attackers will never waste a $5 million payload if they do not have to. As a result, enterprises need solutions that can identify all attack types, known or unknown, and respond accordingly.
The Network is Not the Target
Sixty-five percent of data breaches happened on company endpoints.[1] Many enterprises, however, still fail to deploy response solutions that can deliver actionable visibility and intelligence down to the endpoint, opting instead to sink more security dollars into their network.
“Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.”[2]
— 451 Research
Many enterprise security approaches can be viewed as hard on the outside, but soft in the middle—because strong network
defenses and weak endpoint security are a common practice. A secure corporate network should be a priority, but not the
focus. This is because corporate networks are now unraveling as more employees continue to operate outside of them. These
endpoints are connecting to a variety of unknown networks from a diverse set of locations with limited protection from
next-generation firewalls.
The endpoint is the target of attackers because this is where the valuable data resides. Enterprises must identify key data,
assess the probability of that data being targeted by attackers, estimate the business impact of that data being compromised,
and determine where that data is located. The answers to these questions ultimately will bring you back to the endpoint.
Figure: data-targeting matrix. Vertical axis: probability (adversary interest), from low (unlikely) through medium (possible) to high (very likely); horizontal axis: impact (to business), from low (minor) through medium (moderate) to high (existential). High probability: documents, user credentials, web services, key IP, CRM, email content, financial info. Medium probability: physical computers, employee personally identifiable information, critical systems, public website, customer info. Low probability: office access, data center access.
[1] 2014 Verizon Data Breach Investigations Report
[2] “When worlds collide: post-acquisition, Bit9 + Carbon Black emerges as a combined brand”, Javvad Malik and Adrian Sanabria, 2 Sep, 2014
However, when securing the endpoint, many rely on antivirus software as the chief component of their endpoint security strategy, but this hampers an enterprise’s ability to detect, respond to or prevent multiple attack forms as they happen. Organizations ultimately need continuous visibility, customizable detection and rapid response solutions at the endpoint. Not only will this expedite response, but it will ultimately improve and complement your network security as well.
Incident Response is Ad Hoc
Many enterprises may not invest in incident response solutions because they feel they lack the skilled staff needed to perform conclusive and confident investigations. In addition, many organizations may perceive incident response solutions as far too complex to leverage effectively. Without a response plan in place, if an organization is breached, reactively deploying an incident response solution can be time-consuming and extremely expensive.
For an enterprise, the goal should be to build out a security maturity framework: deploying solutions that enable the enterprise to make the best possible decisions. Many organizational approaches to incident response are ad hoc and unpredictable, with no formal security program. Success is usually predicated on luck, and not much else. The goal for an enterprise should be to build a formal incident response plan as well as deploy solutions that can reduce the cost and complexity of a response. Responders should also look to optimize their enterprise’s security so that any response is reliable, predictable and adaptive to the changing threat landscape.
Security Maturity Framework
Level 1, Vulnerable:
  Visibility: none
  Detection: AV signatures (only detects known malware)
  Prevention: AV signatures (only stops known malware)
  Response: reimage machines (no root cause analysis)
  Integration: none (silos)
Level 2, Reduced Risk:
  Visibility: polling, scanning
  Detection: reputation data, algorithms
  Prevention: remove admin rights, basic whitelisting, anti-exploitation
  Response: manual root-cause and scope analysis, post-mortem forensics
  Integration: alerts and logs consolidated in SIEM
Level 3, Strong Posture:
  Visibility: real-time visibility and continuous recording of endpoint state
  Detection: single-source threat intelligence, simple indicators
  Prevention: custom bans
  Response: automated root-cause and scope analysis
  Integration: data correlated with network security, SIEMs, etc.
Level 4, Best Protection:
  Visibility: real-time visibility and continuous recording of endpoint activity
  Detection: aggregated, multi-vendor threat intel; patterns and behavior
  Prevention: policy-based default-deny, customizable forms of prevention
  Response: attack disruption and containment, automated remediation
  Integration: customized integration via open APIs
Incident Response is Not Forensics
With forensics, a breach has already happened, data has already been lost, and now you are tasked with the cleanup. You may have been alerted to the breach by a third party, but now it is your job to understand what went wrong. To add to the problem, your enterprise may not have proactively collected data before the breach, which means you will now spend the next several weeks or months collecting the desperately needed data to fully scope and understand the attack. Because you are reactively collecting data after the breach, unraveling lateral movement, especially if the attacker covered their tracks by deleting prior payloads, means that the root cause may take months, years, or even longer to discover.
When responding to an incident and discovering a potential compromise, as a responder it is your job to contain the attack before data is lost. When responding, there is still a chance to stop the bleeding and intervene in an ongoing attack. This means you need to leverage response solutions that expedite the process of detecting, responding to, containing and remediating the problem as quickly as possible.
Limited Threat Intelligence
Many organizations lack the threat intelligence needed to fully detect and classify attacks as they happen. Threat intelligence should be a valuable part of any detection or response solution. Without threat intelligence, enterprises can lose valuable insight into threats as they arrive in their environment.
SOC analysts and IR teams can also suffer from alert fatigue because they receive too many alerts to prioritize and investigate.
With no way to sift through the noise, enterprises are finding it difficult to efficiently respond. Organizations need to focus on
solutions that can accelerate the discovery of advanced threats as opposed to those that just produce more detection events.
Fixing this will exponentially reduce the dwell time of threats in an environment by accelerating investigations to minimize the
scope of an attack.
No one provider has a lock on the world’s threat intelligence, but many organizations still deploy security solutions that only
integrate with a finite number of providers. Responders need security solutions that offer the ability to integrate with a wide
range of threat intelligence feeds, as well as enable organizations to add their own custom feeds. This affords businesses the
opportunity to incorporate threat intelligence feeds not initially offered by a security solution.
The Solution
Proactive and Continuous Data Collection Powers Detection
If you are not prepared for a breach by prioritizing data collection before the moment of compromise, you are likely leveraging forensic tools to collect data during an investigation. Collecting data takes time, money and effort, and reactively collected data is usually incomplete, with no way of scoping the full breadth of an attack. All of this prolongs the dwell time of the attacker and potentially magnifies the number of impacted machines in your organization, extending time to recovery.
Carbon Black Enterprise Response enables enterprises to prepare for a breach by proactively automating and continuously recording the critical data before the moment of compromise, so you can instantly leverage that data during an investigation when a threat is discovered. This reduces the dwell time of attackers exponentially by enabling you to dive into your response immediately and recover faster.
Figure: the dwell-time timeline. Compromised (attacker present) > Breach discovered (attacker identified) > Recovered (attacker expelled); the interval from compromise to recovery is the dwell time and spans the detection, response and recovery phases. Proactively collecting data before compromise is automated, efficient and conclusive; reactively collecting data after discovery is time consuming, expensive and incomplete.
Highlight Instead of Filter Data Collection
Most detection solutions filter out endpoint visibility when detecting threats in an environment. They typically provide the specific instance of the attack and its compromised host, but by filtering out endpoint visibility they lose sight of lateral movement, root cause and the entire scope of the attack during an investigation. As a responder, your goal should be to understand the scope and root cause as confidently and quickly as possible.
Instead of filtering out visibility, Carbon Black Enterprise Response highlights detected activity over its continuously recorded endpoint data to enable you to instantly “roll back the tape” from the detection event all the way to root cause. By proactively recording and maintaining the relationships of every file execution, file modification, registry modification, network connection, cross-process event and executed binary, Carbon Black delivers conclusive and confident insight into the full scope of an attack, enabling you to respond rapidly.
Figure: Carbon Black Enterprise Response highlights detected activity within endpoint visibility to understand root cause and scope. Recorded data types: a copy of every executed binary, network connections, file executions, file modifications, cross-process events, registry modifications. Example attack chain: user visits website > is sent malicious Java applet > spawns first stage payload > spawns second stage payload > injects code into Windows Explorer > takes malicious actions. Detection probability increases over time, so the detection event (“Discovered”) typically lands late in the chain, while investigations seek root cause at its start (goal: understand root cause).
Apply Aggregated Threat Intelligence
Proactively collecting critical data is a starting point, but it’s not the finish line. It’s what you do with that data that’s important. Many detection and response solutions have either visibility or threat intelligence, but rarely both. Applying threat intelligence on top of continuous endpoint visibility enables responders to detect attacks in real time and prioritize investigations.
With Carbon Black Enterprise Response, not only is the data acquisition process automated and continuously recorded, but comprehensive threat intelligence is also applied on top of that visibility at the same time. This delivers instant attack classification and reputation for recorded endpoint activity, immediately accessible and consumable during an investigation, and enables responders to drive purposeful investigations and inquiries across their entire organization.
Cb Enterprise Response applies threat intelligence through the Carbon Black Threat Intel service, which offers a robust set of third-party and proprietary threat feeds and reputation services. Cb Enterprise Response integrates with network security providers such as Check Point, Fidelis, FireEye and Palo Alto Networks, and extends to offer you the flexibility to integrate and apply your own custom feeds as well.
The combination of visibility and threat intelligence also enables responders to design and save complex queries as real-time detection events within Cb Enterprise Response (known as watchlists). This offers the ability to detect based on entire attack processes, network activity, threat intelligence, attack behaviors and more, not just individual events. This powerful combination also enhances your detection capabilities by delivering actionable alerts that reduce alert fatigue. By automating both the data collection and the applied threat intelligence process, responders also gain instant insight when diving into an investigation.
Figure: continuous data collection from endpoints feeds threat prioritization, detection and response. Threat intelligence layers applied to the recording: attack patterns, IOCs and binary analysis (advanced threat detection); what’s good, what’s bad, what’s unknown (software reputation); who, what, where, why (attack classification).
Respond in Seconds with a Continuous Recording
By automating the tedious and time-consuming data acquisition process and layering threat intelligence on top of that visibility, responders can “roll back the tape” in Carbon Black Enterprise Response to understand the root cause the instant a compromise is discovered. By understanding the context and relationships within the collected data, Cb Enterprise Response can also perform surgical investigations to identify deleted payloads, lateral movement, malicious outbound connections and more, identifying every step, move and behavior of an attack. This enables responders to see the entire kill chain of an attack in seconds, fully scope the environment, and instantly isolate, contain and remediate impacted machines.
By understanding root cause and the entire attack scope during an investigation, Cb Enterprise Response can reduce the cost of blind reimaging by responding only to affected endpoints. By leveraging a recorded history, Cb Enterprise Response can also help enterprises learn from their investigations immediately, improving their threat prevention, detection and response in the future.
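The passages on highlighting detected activity over a continuous recording, on applying aggregated threat intelligence and watchlists, and on rolling back the tape to root cause all describe one workflow. The Python script below is an added example written for this guide; it is not Carbon Black code and does not use the Cb Enterprise Response API. Everything in it is constructed: the hosts ws-01 and ws-02, the pids, the hashes, the domains and the two feeds. It merges two feeds into one indicator set, highlights hits from both an indicator match and a behavioural watchlist, walks parent links back to root cause and forward to scope (following a remote launch onto a second host), and shows that a payload deleted from disk is still visible in the recording.

```python
"""Added example (not Carbon Black code or its API): replay a constructed
endpoint recording, highlight threat-intel and watchlist hits, then trace
lineage back to root cause and forward to scope. All values are made up."""
from collections import defaultdict

# Constructed recording. Process events keep their parent pid; a process
# started remotely on another host carries remote_origin = (host, pid) of
# the launching process, so lateral movement stays linked in the tree.
EVENTS = [
    {"type": "process", "host": "ws-01", "pid": 1, "ppid": 0, "image": "explorer.exe", "sha256": "h-explorer"},
    {"type": "process", "host": "ws-01", "pid": 2, "ppid": 1, "image": "chrome.exe", "sha256": "h-chrome"},
    {"type": "netconn", "host": "ws-01", "pid": 2, "domain": "news.example"},
    {"type": "process", "host": "ws-01", "pid": 3, "ppid": 2, "image": "java.exe", "sha256": "h-java"},
    {"type": "process", "host": "ws-01", "pid": 4, "ppid": 3, "image": "stage1.exe", "sha256": "h-stage1"},
    {"type": "filemod", "host": "ws-01", "pid": 4, "path": "C:\\Users\\a\\AppData\\stage1.exe", "action": "delete"},
    {"type": "process", "host": "ws-01", "pid": 5, "ppid": 4, "image": "stage2.exe", "sha256": "h-stage2"},
    {"type": "crossproc", "host": "ws-01", "pid": 5, "target_pid": 1, "action": "inject"},
    {"type": "netconn", "host": "ws-01", "pid": 5, "domain": "c2.invalid"},
    {"type": "process", "host": "ws-02", "pid": 7, "ppid": 0, "image": "stage2.exe", "sha256": "h-stage2",
     "remote_origin": ("ws-01", 5)},
    # Benign activity a filter-only tool would also keep; it must stay out of scope.
    {"type": "process", "host": "ws-01", "pid": 8, "ppid": 1, "image": "outlook.exe", "sha256": "h-outlook"},
]

# Constructed feeds (one vendor, one custom) merged into a single indicator set.
FEEDS = [{"hashes": {"h-stage2"}, "domains": set()},
         {"hashes": set(), "domains": {"c2.invalid"}}]
INTEL = {"bad_hashes": set().union(*(f["hashes"] for f in FEEDS)),
         "bad_domains": set().union(*(f["domains"] for f in FEEDS))}

def index_processes(events):
    """Key every process by (host, pid) and keep parent links, cross-host included."""
    procs, children = {}, defaultdict(list)
    for e in events:
        if e["type"] != "process":
            continue
        key = (e["host"], e["pid"])
        parent = e.get("remote_origin") or ((e["host"], e["ppid"]) if e["ppid"] else None)
        procs[key] = {"image": e["image"], "sha256": e["sha256"], "parent": parent}
        if parent is not None:
            children[parent].append(key)
    return procs, children

def lineage(procs, key):
    """Walk parent links to the root: the 'roll back the tape' step."""
    chain = []
    while key is not None and key in procs:
        chain.append(key)
        key = procs[key]["parent"]
    return chain[::-1]

def highlight(events, procs, intel):
    """Mark events matching intel or the watchlist; nothing is filtered out."""
    hits = []
    for i, e in enumerate(events):
        if e["type"] == "process" and e["sha256"] in intel["bad_hashes"]:
            hits.append((i, "known-bad hash"))
        elif e["type"] == "netconn" and e["domain"] in intel["bad_domains"]:
            hits.append((i, "known-bad domain"))
        elif e["type"] == "crossproc" and e["action"] == "inject":
            # Watchlist: a behaviour, not an indicator. Injection by any java.exe descendant.
            chain = lineage(procs, (e["host"], e["pid"]))
            if any(procs[k]["image"] == "java.exe" for k in chain):
                hits.append((i, "watchlist: java descendant injecting code"))
    return hits

def descendants(children, key):
    """Everything spawned from key, directly or through a lateral move."""
    seen, stack = set(), [key]
    while stack:
        k = stack.pop()
        if k not in seen:
            seen.add(k)
            stack.extend(children.get(k, []))
    return seen

def investigate(events, intel):
    """From the first hit: lineage back to root cause, then scope forward from every hit."""
    procs, children = index_processes(events)
    hits = highlight(events, procs, intel)
    if not hits:
        return {"hits": [], "root_cause": [], "scope": set(), "hosts": set()}
    first = events[hits[0][0]]
    chain = lineage(procs, (first["host"], first["pid"]))
    in_scope = set(chain)
    for i, _ in hits:
        in_scope |= descendants(children, (events[i]["host"], events[i]["pid"]))
    return {"hits": hits, "root_cause": [procs[k]["image"] for k in chain],
            "scope": in_scope, "hosts": {host for host, _ in in_scope}}

def deleted_payloads(events, in_scope):
    """Payloads removed from disk are still visible in the recording."""
    return sorted(e["path"] for e in events if e["type"] == "filemod"
                  and e["action"] == "delete" and (e["host"], e["pid"]) in in_scope)

if __name__ == "__main__":
    result = investigate(EVENTS, INTEL)
    print("root cause chain:", " > ".join(result["root_cause"]))
    print("affected hosts:", sorted(result["hosts"]), "deleted:", deleted_payloads(EVENTS, result["scope"]))
```

Run it directly to print the root-cause chain, the affected hosts and the deleted payload. The benign outlook.exe, which shares the explorer.exe parent, stays out of scope because scope is computed from the hit’s lineage and descendants rather than from everything on the host; with an empty indicator set the behavioural watchlist alone still produces the injection hit and the same chain.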
Figure: with Carbon Black, instantly “roll back the tape” with a recorded history to understand the full attack scope. The chain runs user visits website > is sent malicious Java applet > spawns first stage payload (later a deleted payload) > spawns second stage payload > injects code into Windows Explorer > takes malicious actions; lateral movement produces a second branch that repeats the second stage payload, code injection and malicious actions on another endpoint. The detection (“Discovered”) lands at the end of the chain; the recording reaches back to its start.
Contain, Inspect, Terminate & Remediate Threats with Live Response
Once a threat is identified, IR teams need to be able to drive action on the impacted endpoints. Many security teams, however, are leveraging multiple tools to identify, respond to and remediate threats in their environment. With Carbon Black Enterprise Response, responders receive one complete solution for all of their IR needs.
By leveraging a recorded history, IR teams can understand the entire scope of an attack, narrow their focus and then drive action on those endpoints. Through one sensor and console, responders can disrupt threats by isolating and containing impacted endpoints. This affords responders time to thoroughly examine those endpoints, such as identifying all currently running processes and registry settings, archiving all session data and retrieving files from a remote host, without fear of the attack spreading. Responders can also remediate threats by killing live attack processes, changing registry settings, removing files and validating the success of that remediation.
Also, with Cb Enterprise Response’s live response capabilities you can customize on-sensor actions by executing your third-party response tools from a single console. This enables capabilities such as disk and memory dumping tools to be used as part of your incident response process within Cb Enterprise Response.
With endpoint threat banning in Cb Enterprise Response, you can instantly stop, contain and disrupt advanced threats as well as block the future execution of similar attacks. This expands Cb Enterprise Response’s ability, along with its leading endpoint threat isolation and live response capabilities, to recover from advanced threats faster than any other endpoint threat detection and response solution on the market.
Figure: response actions mapped onto the attack chain (user visits website > is sent malicious Java applet > spawns first stage payload (deleted payload) > spawns second stage payload > injects code into Windows Explorer > takes malicious actions): kill the attack process, block network communication, identify root cause and remediate the machine, with the endpoint isolated.
Security As a Process
When developing an incident response plan, security should never be viewed as static. Everything should work as an ongoing process and lifecycle, with the goal of ensuring that any response can evolve, adapt and learn from the investigation after it is concluded. Without continuous endpoint recording, live response and threat intelligence at the core of your enterprise’s response plan, this can be extremely difficult.
With continuous endpoint visibility as the backbone of Carbon Black Enterprise Response, responders can detect, respond and remediate in seconds. However, the goal should also be to evolve, adapt and strengthen your prevention and detection solutions moving forward. With Carbon Black, any attack tactic, technique or procedure can be saved as a watchlist to detect in real time going forward. Additionally, Cb Enterprise Response and Cb Enterprise Protection now work together to automate prevention from Cb Enterprise Response’s real-time detections using Cb Enterprise Protection’s advanced threat prevention solution. Cb Enterprise Protection can now pull in Cb Enterprise Response watchlists and drive prevention policy off those detection events as they occur, providing the most comprehensive protection against advanced threats.
Figure: the security lifecycle. Visibility: monitor and record every endpoint. Detection: detect attacks in real time without signatures (define watchlists in Cb Enterprise Response). Prevention: stop attacks with proactive, customizable techniques (automate watchlist alerts from Cb Enterprise Response in Cb Enterprise Protection; leverage Cb Enterprise Protection event rules to automate prevention policy off Cb Enterprise Response watchlist alerts). Response: rapidly analyze, contain, disrupt and remediate attacks (instantly dive back into Cb Enterprise Response for deeper analysis and investigations).
Security Platform Over Product
Most security solutions lock you into their ecosystem. Part of the challenge when leveraging multiple security products is getting them to work together and collaborate to give you the level of protection you desire. This could mean integrating your existing endpoint security with network security products, pulling in third-party threat intelligence providers, combining multiple security products, or other challenges.
Carbon Black Enterprise Response is a security platform, not a product. We understand that it’s your data to use how you want. By leveraging Cb Enterprise Response’s open APIs, you can easily and seamlessly integrate all endpoint sensor data and threat intelligence with custom, proprietary or third-party security solutions. Also, you can easily pull network providers and custom threat feeds into Cb Enterprise Response to tailor your detection and response capabilities to your specific enterprise. IT hires staff to support technology. Security operations buys technology to support staff. Invest in solutions that enable your people to make the best possible decisions.
Summary
Many enterprise security solutions claim to have continuous endpoint visibility, reactively scanning, sweeping or polling your environment for a set list of known indicators or signatures. But this approach can take hours for a single result, disrupt the performance of your organization’s endpoints, and miss insight into root cause and lateral movement. Enterprises must prepare to be breached and focus on these 5 critical steps:
• Automate the tedious and time consuming data collection process
• Apply aggregated threat intelligence to enhance visibility
• Leverage a recorded history to understand the entire kill chain
• Contain, inspect, terminate and remediate endpoint threats
• Improve response processes and procedures over time
The only way to fully protect against the advanced threat is to prepare. Cb Enterprise Response is the first and only endpoint
threat detection and response platform that enables SOC and IR teams to prepare for a breach through continuous endpoint
recording, customized detection, live response, remediation, and rapid attack recovery with threat banning. Built entirely on
open APIs, Cb Enterprise Response delivers unparalleled security operations development capabilities to integrate with and
build on top of Cb Enterprise Response for best-of-breed detection and response tailored for your organization. Top IR firms
and MSSPs have made Cb Enterprise Response a core component of their detection and response services.
1100 Winter Street Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.carbonblack.com
About Carbon Black
Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the
best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance
of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity,
making it easy to track an attacker’s every action, instantly scope every incident, unravel entire attacks and determine
root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint
defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and
market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to:
Disrupt. Defend. Unite.
2016 © Carbon Black is a registered trademark of Carbon Black, Inc. All other company or product names may be the trademarks of their
respective owners. 20160121 RKB