Disrupt Your Adversaries: 5 Steps to Stopping Advanced Threats

eGuide: Designing a Continuous Response Architecture

Date: 2016-02-01

Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds

Table of Contents

Overview
The Problem
  Defining the Threat
  The Network is Not the Target
  Incident Response is Ad Hoc
  Incident Response is Not Forensics
  Limited Threat Intelligence
The Solution
  Proactive and Continuous Data Collection Powers Detection
  Highlight Instead of Filter Data Collection
  Apply Aggregated Threat Intelligence
  Respond in Seconds with a Continuous Recording
  Contain, Inspect, Terminate & Remediate Threats with Live Response
  Security As a Process
  Security Platform Over Product
Summary


Overview

It only takes a single breach to jeopardize your entire organization, and advanced threats have become increasingly targeted and sophisticated. We can no longer rely on response solutions that were developed for use post-breach by the IR consultant. Instead, we need to focus on solutions that enable enterprises to proactively prepare for advanced threats.

One of the biggest challenges facing security teams is having an effective endpoint strategy. Data acquisition, threat discovery, incident response and forensics have become incomplete, with no insight into lateral movement and root cause. We’ve relied on solutions that inundate us with too many alerts to prioritize and investigate, and we’ve blindly reimaged machines by focusing on reactive forensic techniques. Responders need to focus on security solutions that can easily integrate with third-party products and make advanced threats easier to see and faster to stop. Businesses need to view security as a process and focus on solutions that can:

• Automate the tedious data acquisition process at the endpoint before a breach occurs
• Layer threat intelligence on top of continuously recorded visibility to highlight threats and expedite investigations
• Reduce the cost and complexity of incident response by instantly understanding the entire attack kill chain
• Intervene and contain advanced threats through endpoint isolation, attack termination and remediation
• Evolve and learn from investigations by using the right solutions to adjust your detection and prevention techniques

This eGuide will cover how responders can resolve these challenges and put their organization in a better security posture by proactively preparing for advanced threats.

The Problem

Defining the Threat

There are two types of attackers: opportunistic and advanced. The opportunistic attacker finds value in large-scale attacks. The more hosts the attacker compromises, the quicker a signature is generated, making it easier to identify the attack.

The advanced attacker, on the other hand, finds value in small-scale and targeted attacks. By compromising fewer hosts, it takes significantly longer to generate a signature (if at all). As a result, traditional endpoint prevention, detection and response solutions are more likely to miss advanced and targeted attackers who infiltrate their enterprise.

Advanced (or zero-day) attacks can take multiple forms:

• Unknown attack with no patch

• Known attack with no patch

• Known attack with available patch not yet applied

[Figure: hosts compromised over time, opportunistic versus advanced. Opportunistic attackers compromise as many endpoints as possible, so the host count crosses the detection threshold quickly and a signature becomes available; advanced attackers compromise as few endpoints as possible, so the count stays below the detection threshold and a signature becomes available only later, if ever.]


A response solution should be prepared for all attack phases, whether opportunistic or advanced, because you cannot know in advance what’s bad. Also, many attackers can “live off the land” by leveraging built-in tools to reduce the number of new executables introduced into an environment—masking their lateral movement. This also enables an attacker to establish approved user accounts and escalate their privileges so they can come and go as they please. Threats are only as sophisticated as they need to be. Attackers will never waste a $5 million payload if they do not have to. As a result, enterprises need solutions that can identify all attack types—known or unknown—and respond accordingly.

The Network is Not the Target

Sixty-five percent of data breaches happened on company endpoints.[1] Many enterprises, however, still fail to deploy response solutions that can deliver actionable visibility and intelligence down to the endpoint—opting instead to sink more security dollars into their network.

“Organizations continue to spend a lot of money on network security solutions, but it’s the endpoint that is the ultimate target of advanced threats and attacks.”[2]
— 451 Research

Many enterprise security approaches can be viewed as hard on the outside, but soft in the middle—because strong network defenses and weak endpoint security are a common practice. A secure corporate network should be a priority, but not the focus. This is because corporate networks are now unraveling as more employees continue to operate outside of them. These endpoints are connecting to a variety of unknown networks from a diverse set of locations with limited protection from next-generation firewalls.

The endpoint is the target of attackers because this is where the valuable data resides. Enterprises must identify key data, assess the probability of that data being targeted by attackers, estimate the business impact of that data being compromised, and determine where that data is located. The answers to these questions ultimately will bring you back to the endpoint.

[Figure: matrix of Probability (adversary interest: High/very likely, Medium/possible, Low/unlikely) against Impact (to business: Low/minor, Medium/moderate, High/existential). High-probability row: Documents, User credentials, Web services, Key IP, CRM, Email Content, Financial Info. Medium-probability row: Physical computers, Employee Personally Identifiable Information, Critical systems, Public website, Customer info. Low-probability row: Office access, Data center access.]

[1] 2014 Verizon Data Breach Investigations Report
[2] “When worlds collide: post-acquisition, Bit9 + Carbon Black emerges as a combined brand” – Javvad Malik and Adrian Sanabria – 2 Sep, 2014


However, when securing the endpoint, many rely on antivirus software as the chief component of their endpoint security strategy—but this hampers the ability of an enterprise to detect, respond to or prevent multiple attack forms as they happen. Organizations ultimately need continuous visibility, customizable detection and rapid response solutions at the endpoint. Not only will this expedite response, but it ultimately will improve and complement your network security as well.

Incident Response is Ad Hoc

Many enterprises may not invest in incident response solutions because they feel they lack the skilled staff needed to perform conclusive and confident investigations. In addition, many organizations may perceive incident response solutions as far too complex for them to leverage effectively. Without a response plan in place, if an organization is breached, reactively deploying an incident response solution can be time-consuming and extremely expensive.

For an enterprise, the goal should be to build out your security maturity framework. This means deploying solutions that enable enterprises to make the best possible decisions. Many organizational approaches to incident response are ad hoc and unpredictable with no formal security programs. Success is usually predicated on luck—and not much else. The goal for an enterprise should be to build a formal incident response plan as well as deploy solutions that can reduce the cost and complexity of a response. Responders also should look to optimize their enterprise’s security so that any response is reliable, predictable and adaptive to the changing threat landscape.

[Figure: Security Maturity Framework. Four levels (Level 1 Vulnerable, Level 2 Reduced Risk, Level 3 Strong Posture, Level 4 Best Protection) across five rows: Visibility, Detection, Prevention, Response, Integration. Level 1: no visibility; AV signatures that only detect known malware; AV signatures that only stop known malware; reimaging machines with no root cause analysis; no integration. Level 2: polling and scanning; reputation data and algorithms; removing admin rights and basic whitelisting; manual root-cause and scope analysis with post-mortem forensics. Level 3: real-time visibility and continuous recording of endpoint state; single-source threat intelligence and simple indicators; custom bans; automated root-cause and scope analysis; data correlated with network security, SIEMs, etc. Level 4: real-time visibility and continuous recording of endpoint activity; aggregated multi-vendor threat intel with patterns and behavior; policy-based default-deny and customizable forms of prevention; attack disruption and containment with automated remediation; customized integration via open APIs. Also shown: silos; anti-exploitation; alerts and logs consolidated in a SIEM.]


Incident Response is Not Forensics

With forensics, a breach has already happened, data has already been lost, and now you are tasked with the cleanup. You may have been alerted to the breach by a third party, but now it is your job to understand what went wrong. To add to the problem, your enterprise may not have proactively collected data before the breach, which means you now will spend the next several weeks or months collecting the desperately needed data to fully scope and understand the attack. Because you are now reactively collecting data after the breach, unraveling lateral movement—especially if the attacker cleaned up their tracks by deleting prior payloads—means that understanding the root cause may take months, years—or even longer—to discover.

When responding to an incident and discovering a potential compromise, as a responder it is your job to contain the attack before data is lost. When responding, there is still a chance to stop the bleeding and intervene in an ongoing attack. This means you need to leverage response solutions that can expedite this process to detect, respond, contain and remediate the problem as quickly as possible.

Limited Threat Intelligence

Many organizations lack the necessary threat intelligence to help them fully detect and classify attacks as they happen. Threat intelligence should be a valuable part of any detection or response solution. Without threat intelligence, enterprises can lose valuable insight into threats as they arrive in their environment.

SOC analysts and IR teams can also suffer from alert fatigue because they receive too many alerts to prioritize and investigate. With no way to sift through the noise, enterprises are finding it difficult to efficiently respond. Organizations need to focus on solutions that can accelerate the discovery of advanced threats as opposed to those that just produce more detection events. Fixing this will exponentially reduce the dwell time of threats in an environment by accelerating investigations to minimize the scope of an attack.

No one provider has a lock on the world’s threat intelligence, but many organizations still deploy security solutions that only integrate with a finite number of providers. Responders need security solutions that offer the ability to integrate with a wide range of threat intelligence feeds, as well as enable organizations to add their own custom feeds. This affords businesses the opportunity to incorporate threat intelligence feeds not initially offered by a security solution.


The Solution

Proactive and Continuous Data Collection Powers Detection

If you are not prepared for a breach by prioritizing data collection before the moment of compromise, you are likely leveraging forensic tools to collect data during an investigation. Collecting data takes time, money and effort. Not to mention that reactively collecting data usually produces incomplete data sets with no way of scoping the full breadth of an attack. All of this prolongs the dwell time of the attacker and potentially magnifies the number of impacted machines in your organization—extending time to recovery.

Carbon Black Enterprise Response enables enterprises to prepare for a breach by proactively automating and continuously recording the critical data before the moment of compromise so you can instantly leverage data during an investigation when a threat is discovered. This reduces the dwell time of attackers exponentially by enabling you to dive into your response immediately and recover faster.

[Figure: dwell time. Timeline from Compromised (attacker present) through Breach Discovered (attacker identified) to Recovered (attacker expelled), spanning the Detection, Response and Recovery phases. Proactively collecting data before compromise is automated, efficient and conclusive; reactively collecting data after discovery is time consuming, expensive and incomplete.]


Highlight Instead of Filter Data Collection

Most detection solutions filter out endpoint visibility when detecting threats in an environment. They typically provide the specific instance of the attack and its compromised host, but by filtering out endpoint visibility, they lose sight of lateral movement, root cause and the entire scope of the attack during an investigation. As a responder, your goal should be to understand the scope and root cause as confidently and quickly as possible.

Instead of filtering out visibility, Carbon Black Enterprise Response highlights detected activity over its continuously recorded endpoint data to enable you to instantly “roll back the tape” from the detection event all the way to root cause. By proactively recording and maintaining the relationships of every file execution, file modification, registry modification, network connection, cross-process event and executed binary, Carbon Black delivers conclusive and confident insight into the full scope of an attack—enabling you to respond rapidly.

[Figure: Carbon Black Enterprise Response highlights detected activity within endpoint visibility to understand root cause and scope. Recorded data: copy of every executed binary, network connections, file executions, file modifications, cross-process events, registry modifications. Attack chain from root cause to the point of discovery: user visits website; is sent malicious Java applet; spawns first stage payload; spawns second stage payload; injects code into Windows Explorer; takes malicious actions. Detection probability increases over time; investigations seek root cause (goal: understand root cause).]

Apply Aggregated Threat Intelligence


Proactively collecting critical data is a starting point, but it’s not the finish line. It’s what you do with that data that’s important. Many detection and response solutions have either visibility or threat intelligence, but rarely both. Applying threat intelligence on top of continuous endpoint visibility enables responders to detect attacks in real time and prioritize investigations.

With Carbon Black Enterprise Response, not only is the data acquisition process automated and continuously recorded, but comprehensive threat intelligence also is simultaneously applied on top of that visibility. This delivers instant attack classification and reputation of recorded endpoint activity that’s immediately accessible and consumable during an investigation. This enables responders to drive purposeful investigations and inquiries across their entire organization.

Cb Enterprise Response applies threat intelligence through the Carbon Black Threat Intel service, which offers a robust set of third-party and proprietary threat feeds and reputation services. Cb Enterprise Response integrates with network security providers such as Check Point, Fidelis, FireEye and Palo Alto Networks and extends to offer you the flexibility to integrate and apply your own custom feeds as well.

The combination of visibility and threat intelligence also enables responders to design and save complex queries as real-time detection events within Cb Enterprise Response (known as watchlists). This offers the ability to detect based on entire attack processes, network activity, threat intelligence, attack behaviors and more—not just individual events. This powerful combination also enhances your detection capabilities by delivering actionable alerts to reduce alert fatigue. By automating both the data collection and the applied threat intelligence process, responders also gain instant insight when diving into an investigation.
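The “roll back the tape” idea from the previous section and the watchlists just described, worked as one added example (not code from the eGuide or from Carbon Black): a constructed recording of process, file, registry, network and cross-process events for the Java-applet chain drawn in the figures, a time-aware walk from a detection back to root cause, a forward scope of what to isolate, and one watchlist written as a query over relationships rather than a single event. The event schema, pids, paths and addresses are all assumptions made for the illustration.

```python
"""Root-cause roll-back and watchlist-style detection over a continuously
recorded endpoint event stream.  Added example: the schema, sample recording
and watchlist rule are constructed here and are not Carbon Black's model or API."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    ts: int           # constructed timestamp (seconds), unique in this sample
    host: str
    kind: str         # process_start | netconn | filemod | regmod | crossproc
    pid: str          # process identifier, unique within this sample
    parent: str = ""  # parent pid (process_start) or target pid (crossproc)
    detail: str = ""  # image path, remote address, file path or registry key

# Constructed recording mirroring the chain in the eGuide's figures: browser ->
# Java applet -> first stage -> second stage -> injection into explorer.exe ->
# malicious actions.  The first stage deletes itself (ts 8): a reactive disk
# image would miss it, the recording still has it.
RECORDING = [
    Event(0, "ws01", "process_start", "p5", "", r"C:\Windows\explorer.exe"),
    Event(1, "ws01", "process_start", "p7", "p5", r"C:\Windows\notepad.exe"),
    Event(2, "ws01", "process_start", "p1", "", r"C:\Program Files\browser.exe"),
    Event(3, "ws01", "netconn", "p1", "", "203.0.113.10:443"),
    Event(4, "ws01", "process_start", "p2", "p1", r"C:\java\bin\javaw.exe"),
    Event(5, "ws01", "process_start", "p3", "p2", r"C:\Users\u\AppData\stage1.exe"),
    Event(6, "ws01", "filemod", "p3", "", r"C:\Users\u\AppData\stage2.exe"),
    Event(7, "ws01", "process_start", "p4", "p3", r"C:\Users\u\AppData\stage2.exe"),
    Event(8, "ws01", "filemod", "p4", "", r"C:\Users\u\AppData\stage1.exe (deleted)"),
    Event(9, "ws01", "regmod", "p4", "", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"),
    Event(10, "ws01", "crossproc", "p4", "p5", "remote thread created"),
    Event(11, "ws01", "netconn", "p5", "", "198.51.100.7:8443"),
    Event(12, "ws01", "process_start", "p6", "p5", r"C:\Windows\System32\cmd.exe"),
]

def _index(events):
    """Process start records by pid; injections into each pid, oldest first."""
    starts = {e.pid: e for e in events if e.kind == "process_start"}
    injected = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "crossproc":
            injected[e.parent].append(e)
    return starts, injected

def roll_back(events, pid, at_ts):
    """Lineage (detection first, root cause last) explaining what `pid` did at
    `at_ts`.  An injection into the process before `at_ts` beats its parent
    edge, because after injection it acts for the injector: the same explorer.exe
    rolls back to its parent for earlier actions and to the injector for later
    ones.  Every step moves strictly back in time, so the walk terminates."""
    starts, injected = _index(events)
    path, t = [], at_ts
    while pid in starts:
        path.append(pid)
        prior = [e for e in injected[pid] if e.ts < t]
        if prior:
            pid, t = prior[-1].pid, prior[-1].ts   # latest injection before t
        else:
            pid, t = starts[pid].parent, starts[pid].ts
    return path

def scope(events, root_pid, from_ts):
    """Forward closure from the root cause: processes it started or injected
    into at or after `from_ts`, transitively, plus the hosts touched.  What an
    injected process did before the injection stays out of scope."""
    edges = defaultdict(list)               # pid -> [(ts, child or target)]
    for e in events:
        if e.kind == "process_start" and e.parent:
            edges[e.parent].append((e.ts, e.pid))
        elif e.kind == "crossproc":
            edges[e.pid].append((e.ts, e.parent))
    host_of = {e.pid: e.host for e in events}
    seen, work = {root_pid}, [(root_pid, from_ts)]
    while work:
        pid, t = work.pop()
        for ts, nxt in edges[pid]:
            if ts >= t and nxt not in seen:
                seen.add(nxt)
                work.append((nxt, ts))
    return seen, {host_of[p] for p in seen}

def watchlist_java_lineage_injects(events):
    """A saved query (watchlist) over relationships, not a single event: any
    process with a Java runtime in its lineage that injects into another
    process.  Returns (injector, target, ts) per hit, ready to roll back."""
    starts, _ = _index(events)
    hits = []
    for e in (e for e in events if e.kind == "crossproc"):
        pid = e.pid
        while pid in starts:
            if starts[pid].detail.lower().endswith("javaw.exe"):
                hits.append((e.pid, e.parent, e.ts))
                break
            pid = starts[pid].parent
    return hits
```

On the sample, the watchlist fires on the injection at ts 10; `roll_back(RECORDING, "p5", 11)` explains explorer.exe’s outbound connection by that injection and returns `['p5', 'p4', 'p3', 'p2', 'p1']`, while `roll_back(RECORDING, "p7", 1)` explains the earlier notepad.exe launch by explorer’s own lineage only. `scope(RECORDING, "p1", 2)` then returns the six processes to isolate and leaves the pre-injection notepad.exe out.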

[Figure: continuous data collection from endpoints feeds threat prioritization, detection and response. Threat intelligence layered on the recording: attack patterns, IOCs and binary analysis (advanced threat detection); what’s good, what’s bad, what’s unknown (software reputation); who, what, where, why (attack classification).]


Respond in Seconds with a Continuous Recording

By automating the tedious and time-consuming data acquisition process and layering threat intelligence on top of that visibility, responders can “roll back the tape” in Carbon Black Enterprise Response to understand the root cause the instant a compromise is discovered. By understanding the context and relationships within the collected data, Cb Enterprise Response also can perform surgical investigations to identify deleted payloads, lateral movement, malicious outbound connections, and more to identify every step, move and behavior of an attack. This enables responders to see the entire kill chain of an attack in seconds to fully scope the environment and instantly isolate, contain and remediate impacted machines.

By understanding root cause and the entire attack scope during an investigation, Cb Enterprise Response can reduce the cost of blind reimaging by only responding to affected endpoints. By leveraging a recorded history, Cb Enterprise Response also can help enterprises immediately learn from their investigations to improve their threat prevention, detection and response in the future.

[Figure: with Carbon Black, instantly “roll back the tape” with a recorded history to understand the full attack scope. The chain from the point of discovery back to root cause: user visits website; is sent malicious Java applet; spawns first stage payload (deleted payload); lateral movement; spawns second stage payload; injects code into Windows Explorer; takes malicious actions. The second-stage, injection and malicious-action steps appear twice, on both sides of the lateral movement.]


Contain, Inspect, Terminate & Remediate Threats with Live Response

Once a threat is identified, IR teams need to be able to drive action on those impacted endpoints. Many security teams, however, are leveraging multiple tools to identify, respond to and remediate threats in their environment. With Carbon Black Enterprise Response, responders receive one complete solution for all of their IR needs.

By leveraging a recorded history, IR teams can understand the entire scope of an attack, narrow their focus and then drive action on those endpoints. Through one sensor and console, responders can disrupt threats by isolating and containing impacted endpoints. This affords responders time to thoroughly examine those endpoints—such as identifying all currently running processes and registry settings, archiving all session data and retrieving files from a remote host—without fear of the attack spreading. Responders can also remediate threats by killing live attack processes, changing registry settings, removing files and validating the success of that remediation.

Also, with Cb Enterprise Response’s live response capabilities you can customize on-sensor actions by executing your third-party response tools from a single console. This enables capabilities such as disk and memory dumping tools to be used as part of your incident response process within Cb Enterprise Response.

With endpoint threat banning in Cb Enterprise Response, you can instantly stop, contain and disrupt advanced threats as well as block the future execution of similar attacks. This expands Cb Enterprise Response’s ability—along with its leading endpoint threat isolation and live response capabilities—to recover from advanced threats faster than any endpoint threat detection and response solution on the market.

[Figure: live response actions over the attack chain: kill attack process; identify root cause and remediate machine; block network communication. Chain: user visits website; is sent malicious Java applet; spawns first stage payload (deleted payload); spawns second stage payload; injects code into Windows Explorer; takes malicious actions. The affected endpoint is marked ISOLATED.]


Security As a Process

When developing an incident response plan, security should never be viewed as static. Everything should work as an ongoing process and lifecycle with the goal of ensuring that any response can evolve, adapt and learn from the investigation after it is concluded. Without continuous endpoint recording, live response and threat intelligence at the core of your enterprise’s response plan, this can be extremely difficult.

IT hires staff to support technology. Security operations buys technology to support staff.

With continuous endpoint visibility at the backbone of Carbon Black Enterprise Response, responders can detect, respond and remediate in seconds. However, the goal should be to evolve, adapt and strengthen your prevention and detection solutions moving forward as well. With Carbon Black, any attack tactic, technique or procedure can be saved as a watchlist to detect in real time moving forward. Additionally, both Cb Enterprise Response and Cb Enterprise Protection now work together to automate Cb Enterprise Response’s real-time detection capabilities with Cb Enterprise Protection’s leading advanced threat prevention solution. Cb Enterprise Protection can now pull in Cb Enterprise Response watchlists and drive prevention policy off of those detection events as they occur—providing the most comprehensive protection against advanced threats.

[Figure: security as a lifecycle. Visibility: monitor and record every endpoint. Detection: detect attacks in real time without signatures. Response: rapidly analyze, contain, disrupt and remediate attacks. Prevention: stop attacks with proactive, customizable techniques. Workflow: define watchlists in Cb Enterprise Response; automate watchlist alerts from Cb Enterprise Response in Cb Enterprise Protection; leverage Cb Enterprise Protection event rules to automate prevention policy off Cb Enterprise Response watchlist alerts; instantly dive back into Cb Enterprise Response for deeper analysis and investigations.]


Security Platform Over Product

Most security solutions lock you into their ecosystem. Part of the challenge when leveraging multiple security products is getting them to work together and collaborate to give you the level of protection you desire. This could be integrating your existing endpoint security with network security products, pulling in third-party threat intelligence providers, combining multiple security products, or other challenges.

Carbon Black Enterprise Response is a security platform, not a product. We understand that it’s your data to use how you want. By leveraging Cb Enterprise Response’s open APIs, you can easily and seamlessly integrate all endpoint sensor data and threat intelligence with custom, proprietary or third-party security solutions. Also, you can easily pull network providers and custom threat feeds into Cb Enterprise Response to tailor your detection and response capabilities for your specific enterprise.

Invest in solutions that enable your people to make the best possible decisions.

Summary

Many enterprise security solutions claim to have continuous endpoint visibility—reactively scanning, sweeping or polling your environment for a set list of known indicators or signatures. But this approach can take hours for a single result, disrupt the performance of your organization’s endpoints, and miss insight into root cause and lateral movement. Enterprises must prepare to be breached and focus on these 5 critical steps:

• Automate the tedious and time-consuming data collection process
• Apply aggregated threat intelligence to enhance visibility
• Leverage a recorded history to understand the entire kill chain
• Contain, inspect, terminate and remediate endpoint threats
• Improve response processes and procedures over time

The only way to fully protect against the advanced threat is to prepare. Cb Enterprise Response is the first and only endpoint threat detection and response platform that enables SOC and IR teams to prepare for a breach through continuous endpoint recording, customized detection, live response, remediation, and rapid attack recovery with threat banning. Built entirely on open APIs, Cb Enterprise Response delivers unparalleled security operations development capabilities to integrate with and build on top of Cb Enterprise Response for best-of-breed detection and response tailored for your organization. Top IR firms and MSSPs have made Cb Enterprise Response a core component of their detection and response services.

1100 Winter Street Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.carbonblack.com

About Carbon Black

Carbon Black leads a new era of endpoint security by enabling organizations to disrupt advanced attacks, deploy the best prevention strategies for their business, and leverage the expertise of 10,000 professionals to shift the balance of power back to security teams. Only Carbon Black continuously records and centrally retains all endpoint activity, making it easy to track an attacker’s every action, instantly scope every incident, unravel entire attacks and determine root causes. Carbon Black also offers a range of prevention options so organizations can match their endpoint defense to their business needs. Carbon Black has been named #1 in endpoint protection, incident response, and market share. Forward-thinking companies choose Carbon Black to arm their endpoints, enabling security teams to: Disrupt. Defend. Unite.

2016 © Carbon Black is a registered trademark of Carbon Black, Inc. All other company or product names may be the trademarks of their respective owners. 20160121 RKB

