eguide: Designing a Continuous Response Architecture Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds


Disrupting the Threat: Identify, Respond, Contain & Recover in Seconds

Table of Contents

Overview
The Problem
    Defining the Threat
    The Network is Not the Target
    Incident Response is Ad Hoc
    Incident Response is Not Forensics
    Limited Threat Intelligence
The Solution
    Prioritize Data Collection Over Detection
    Highlight Instead of Filter Data Collection
    Apply Aggregated Threat Intelligence
    Respond in Seconds with a Continuous Recording
    Contain, Inspect, Terminate & Remediate Threats with Live Response
    Security As a Process
    Security Platform Over Product
Summary

Overview

Data acquisition, threat discovery, incident response and forensics have become arduous and incomplete, with no insight into lateral movement and root cause. We have relied on solutions that inundate us with too many alerts to prioritize and investigate, and we've blindly reimaged machines by focusing on reactive forensic techniques instead of proactive incident response solutions. Response solutions have been developed for use post-breach by the IR consultant, instead of being created to enable an enterprise to proactively prepare for a breach.

Responders need to focus on security solutions that can integrate with third-party products, whether they are network security products, threat intelligence providers, SIEMs, SOC tools, or other IR solutions. Businesses need to view security as a process and focus on solutions that can:

++ Proactively automate the tedious and time-consuming data acquisition process at the endpoint before a breach occurs
++ Layer threat intelligence on top of that continuously recorded visibility to highlight advanced threats and expedite investigations
++ Reduce the cost and complexity of incident response by instantly understanding the entire attack kill chain
++ Intervene and contain advanced threats through endpoint isolation, attack termination and remediation
++ Evolve, adapt and learn from your investigation by using the right solutions to adjust your detection and prevention techniques moving forward

This eguide covers how responders can resolve these challenges and put your organization in a better security posture by proactively preparing for a breach.

The Problem

Defining the Threat

There are two types of attackers: opportunistic and advanced. The opportunistic attacker finds value in large-scale attacks. The more hosts the attacker compromises, the quicker a signature is generated, making it easier to identify the attack. The advanced attacker, on the other hand, finds value in small-scale and targeted attacks. Because fewer hosts are compromised, it takes significantly longer for a signature to be generated (if one is generated at all). As a result, traditional endpoint prevention, detection and response solutions are more likely to miss advanced and targeted attackers who infiltrate their enterprise.

[Figure: two plots of hosts compromised over time, each marking the detection threshold and the point where a signature becomes available. Opportunistic: compromise as many endpoints as possible. Advanced: compromise as few endpoints as possible; signature available (if ever).]

Advanced (or zero-day) attacks can take multiple forms:

++ Unknown attack with no patch
++ Known attack with no patch
++ Known attack with available patch not yet applied

A response solution should be prepared for all attack phases, whether opportunistic or advanced, because you cannot know in advance what's bad. Also, many attackers can live off the land by leveraging built-in tools to reduce the number of new executables introduced into an environment, masking their lateral movement. This also enables an attacker to establish approved user accounts, escalating their privileges so they can come and go as they please. Threats are only as sophisticated as they need to be. Attackers will never waste a $5 million payload if they do not have to. As a result, enterprises need solutions that can identify all attack types, known or unknown, and respond accordingly.

The Network is Not the Target

Sixty-five percent of 2013 data breaches happened on company endpoints. [1] Many enterprises, however, still fail to deploy response solutions that can deliver actionable visibility and intelligence down to the endpoint, opting instead to sink more security dollars into their network.

"Organizations continue to spend a lot of money on network security solutions, but it's the endpoint that is the ultimate target of advanced threats and attacks." [2] (451 Research)

Many enterprise security approaches can be viewed as "hard on the outside, but soft in the middle" because strong network defenses and weak endpoint security are a common practice. A secure corporate network should be a priority, but not the focus. This is because corporate networks are now unraveling as more employees continue to operate outside of them. These endpoints are connecting to a variety of unknown networks from a diverse set of locations with limited protection from next-generation firewalls.

The endpoint is the target of attackers because this is where the valuable data resides. Enterprises must identify key data, assess the probability of that data being targeted by attackers, estimate the business impact of that data being compromised, and determine where that data is located. The answers to these questions ultimately will bring you back to the endpoint.

[Figure: matrix of impact to business (low/minor, medium/moderate, high/existential) against probability of adversary interest (high/very likely, medium/possible, low/unlikely). Assets plotted: documents, user credentials, web services, physical computers, employee personally identifiable information, office access, key IP, CRM, email content, financial info, critical systems, public website, customer info, data center access.]

[1] 2014 Verizon Data Breach Investigations Report
[2] When worlds collide: post-acquisition, Bit9 + Carbon Black emerges as a combined brand, Javvad Malik and Adrian Sanabria, 2 Sep, 2014

However, when securing the endpoint, many rely on antivirus software as the chief component of their endpoint security strategy, but this hampers the ability of an enterprise to detect, respond to or prevent multiple attack forms as they happen. Organizations ultimately need continuous visibility, customizable detection and rapid response solutions at the endpoint. Not only will this expedite response, but it ultimately will improve and complement your network security as well.

Incident Response is Ad Hoc

Many enterprises may not invest in incident response solutions because they feel they lack the skilled staff needed to perform conclusive and confident investigations. In addition, many organizations may perceive incident response solutions as far too complex for them to leverage effectively. Without a response plan in place, if an organization is breached, reactively deploying an incident response solution can be time-consuming and extremely expensive. For an enterprise, the goal should be to build out your security maturity framework. This means deploying solutions that enable enterprises to make the best possible decisions.

Many organizational approaches to incident response are ad hoc and unpredictable with no formal security programs. Success is usually predicated on luck and not much else. The goal for an enterprise should be to build a formal incident response plan as well as deploy solutions that can reduce the cost and complexity of a response. Responders also should look to optimize their enterprise's security so that any response is reliable, predictable and adaptive to the changing threat landscape.

[Figure: Security Maturity Framework. Levels: 1 Ad Hoc, 2 Reactive, 3 Proactive, 4 Managed, 5 Optimized. Labels shown across the levels: unpredictable, not standardized, formative, measured, adaptive; no formal security program or organization, respond to critical alerts only, formal security organization with basic auditing, comprehensive security program and oversight, expand from investigation to hunting; no formal process, process is characterized for projects, process is characterized for organization, process is measured and controlled, process is continuously improved; success depends on luck, success depends on individual heroics, success depends on execution, success is demonstrable, success is predictable.]

Incident Response is Not Forensics

With forensics, a breach has already happened, data has already been lost, and now you are tasked with the cleanup. You may have been alerted to the breach by a third party, but now it is your job to understand what went wrong. To add to the problem, your enterprise may not have proactively collected data before the breach, which means you now will spend the next several weeks or months collecting the desperately needed data to fully scope and understand the attack. Because you are now reactively collecting data after the breach, unraveling lateral movement (especially if the attacker cleaned up their tracks by deleting prior payloads) means that understanding the root cause may take months, years or even longer.

When responding to an incident and discovering a potential compromise, as a responder it is your job to contain the attack before data is lost. When responding, there is still a chance to stop the bleeding and intervene in an ongoing attack. This means you need to leverage response solutions that can expedite this process to detect, respond, contain and remediate the problem as quickly as possible.

Limited Threat Intelligence

Many organizations lack the necessary threat intelligence to help them fully detect and classify attacks as they happen. Threat intelligence should be a valuable part of any detection or response solution. Without threat intelligence, enterprises can lose valuable insight into threats as they arrive in their environment.

SOC analysts and IR teams can also suffer from alert fatigue because they receive too many alerts to prioritize and investigate. With no way to sift through the noise, enterprises are finding it difficult to respond efficiently. Organizations need to focus on solutions that can accelerate the discovery of advanced threats as opposed to those that just produce more detection events. Fixing this will exponentially reduce the dwell time of threats in an environment by accelerating investigations to minimize the scope of an attack.

No one provider has a lock on the world's threat intelligence, but many organizations still deploy security solutions that only integrate with a finite number of providers. Responders need security solutions that offer the ability to integrate with a wide range of threat intelligence feeds, as well as enable organizations to add their own custom feeds. This affords businesses the opportunity to incorporate threat intelligence feeds not initially offered by a security solution.

The Solution

Prioritize Data Collection Over Detection

If you are not prepared for a breach by prioritizing data collection before the moment of compromise, you are likely leveraging forensic tools to collect data during an investigation. Collecting data takes time, money and effort. Reactively collecting data also usually produces incomplete data sets with no way of scoping the full breadth of an attack. All of this prolongs the dwell time of the attacker and potentially magnifies the number of impacted machines in your organization, extending time to recovery.

Carbon Black enables enterprises to prepare for a breach by proactively automating and continuously recording the critical data before the moment of compromise so you can instantly leverage data during an investigation when a threat is discovered. This reduces the dwell time of attackers exponentially by enabling you to dive into your response immediately and recover faster.

[Figure: dwell time, from Compromised (attacker present) through Breach Discovered (attacker identified) to Recovered (attacker expelled). Annotations: "Proactively collecting data here is automated, efficient & conclusive" and "Reactively collecting data here is time consuming, expensive & incomplete".]

Highlight Instead of Filter Data Collection

Most detection solutions filter out endpoint visibility when detecting threats in an environment. They typically provide the specific instance of the attack and its compromised host, but by filtering out endpoint visibility, they lose sight of lateral movement, root cause and the entire scope of the attack during an investigation. As a responder, your goal should be to understand the scope and root cause as confidently and quickly as possible.

Continuously record:

++ All file modifications
++ All file executions
++ All network connections
++ All registry modifications
++ Copy of every executed binary
++ All cross-process events

Instead of filtering out visibility, Carbon Black highlights detected activity over its continuously recorded endpoint data to enable you to instantly "roll back the tape" from the detection event all the way to root cause. By proactively recording and maintaining the relationships of every file execution, file modification, registry modification, network connection, cross-process event and executed binary, Carbon Black delivers conclusive and confident insight into the full scope of an attack, enabling you to respond rapidly.

[Figure: attack timeline. User visits website; is sent malicious Java applet; spawns first stage payload; spawns second stage payload; injects code into Windows Explorer; takes malicious actions; discovered. Detection probability increases over time, while investigations seek root cause. Goal: understand root cause. Carbon Black highlights detected activity within endpoint visibility to understand root cause and scope.]
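The difference between a filtered detection and a recorded history can be shown on a small scale. The following is an added example, not Carbon Black code or output: it walks constructed process-start and cross-process records modeled on the attack timeline above, first back from the detection to root cause and then forward to the affected scope. The `Proc` and `Inject` record shapes, PIDs, times and image names are assumptions, and PIDs are treated as unique on a single host.

```python
from collections import namedtuple

# Hypothetical record shapes for recorded endpoint events (not a vendor schema).
Proc = namedtuple("Proc", "pid ppid start image note")
Inject = namedtuple("Inject", "src dst time")  # cross-process event

# Constructed sample data; times are seconds since recording began.
PROCS = [
    Proc(400, 0, 0, "explorer.exe", "user shell"),
    Proc(450, 400, 50, "notepad.exe", "unrelated user activity"),
    Proc(812, 400, 100, "browser.exe", "user visits website"),
    Proc(990, 812, 130, "java.exe", "malicious Java applet"),
    Proc(1204, 990, 135, "stage1.exe", "first stage payload, later deleted"),
    Proc(1377, 1204, 150, "stage2.exe", "second stage payload"),
    Proc(1500, 400, 200, "cmd.exe", "malicious actions (detection fires here)"),
]
INJECTS = [Inject(1377, 400, 160)]  # stage2.exe injects code into explorer.exe


def trace_back(pid, procs=PROCS, injects=INJECTS, follow_injects=True):
    """Walk from a detected process back to root cause.

    At each step, prefer the most recent cross-process event that targeted
    the current process before the moment of interest; otherwise fall back
    to the recorded parent. Returns image names ordered root -> detection.
    """
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    t = by_pid[pid].start
    while pid in by_pid and (pid, t) not in seen:
        seen.add((pid, t))  # guards against loops in inconsistent data
        proc = by_pid[pid]
        chain.append(proc.image)
        prior = []
        if follow_injects:
            prior = [i for i in injects if i.dst == pid and i.time <= t]
        if prior:
            latest = max(prior, key=lambda i: i.time)
            pid, t = latest.src, latest.time
        else:
            pid, t = proc.ppid, proc.start
    return chain[::-1]


def scope_forward(root_pid, procs=PROCS, injects=INJECTS):
    """Collect everything influenced by root_pid from its start onward.

    A process injected at time T is in scope only from T, so children it
    spawned earlier (notepad.exe here) stay out of scope.
    Returns (image, in_scope_since) pairs ordered by time.
    """
    by_pid = {p.pid: p for p in procs}
    tainted = {}
    queue = [(root_pid, by_pid[root_pid].start)]
    while queue:
        pid, since = queue.pop()
        if pid not in by_pid or tainted.get(pid, since + 1) <= since:
            continue
        tainted[pid] = since
        queue += [(p.pid, p.start) for p in procs
                  if p.ppid == pid and p.start >= since]
        queue += [(i.dst, i.time) for i in injects
                  if i.src == pid and i.time >= since]
    ordered = sorted(tainted.items(), key=lambda kv: kv[1])
    return [(by_pid[pid].image, since) for pid, since in ordered]


if __name__ == "__main__":
    print("parent chain only :", trace_back(1500, follow_injects=False))
    print("with cross-process:", trace_back(1500))
    print("scope from java   :", scope_forward(990))
```

With only the parent chain, the trail from `cmd.exe` ends at `explorer.exe`; the recorded cross-process event is what connects it to the second stage payload and, through it, to the browser session.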

Apply Aggregated Threat Intelligence

Proactively collecting critical data is a starting point, but it's not the finish line. It's what you do with that data that's important. Many detection and response solutions have either visibility or threat intelligence, but rarely have both. Applying threat intelligence on top of continuous endpoint visibility enables responders to detect attacks in real time and prioritize investigations.

With Carbon Black, not only is the data acquisition process automated and continuously recorded, but comprehensive threat intelligence also is simultaneously applied on top of that visibility. This delivers instant attack classification and reputation of recorded endpoint activity that's immediately accessible and consumable during an investigation. This enables responders to drive purposeful investigations and inquiries across their entire organization.

Carbon Black applies threat intelligence through the Bit9 + Carbon Black Threat Intelligence Cloud service, which offers a robust set of third-party and proprietary threat feeds and reputation services. Carbon Black integrates with network security providers such as Check Point, Fidelis, FireEye and Palo Alto Networks, and extends to offer you the flexibility to integrate and apply your own custom feeds as well.

[Figure: Threat Intelligence Cloud. Inputs: third-party feeds and the Threat Research Team's analysis of threat data from millions of endpoints. Services: Reputation (trust rating for known-good, known-bad and unproven software and domains), Threat Indicators (indicators of attack behaviors and compromise), Attack Classification (comprehensive attack context and attribution). These feed threat prioritization, detection and response on the on-premises server, which performs continuous data collection from endpoints.]

The combination of visibility and threat intelligence also enables responders to design and save complex queries as real-time detection events within Carbon Black (known as watchlists). This offers the ability to detect based on entire attack processes, network activity, threat intelligence, attack behaviors and more, not just individual events. This powerful combination also enhances your detection capabilities by delivering actionable alerts to reduce alert fatigue. By automating both the data collection and applied threat intelligence process, responders also gain instant insight when diving into an investigation.

Respond in Seconds with a Continuous Recording

By automating the tedious and time-consuming data acquisition process and layering threat intelligence on top of that visibility, responders can "roll back the tape" in Carbon Black to understand the root cause the instant compromise is discovered. By understanding the context and relationships within the collected data, Carbon Black also can perform surgical investigations to identify deleted payloads, lateral movement, malicious outbound connections, and more to identify every step, move and behavior of an attack. This enables responders to see the entire kill chain of an attack in seconds to fully scope the environment and instantly isolate, contain and remediate impacted machines.

By understanding root cause and the entire attack scope during an investigation, Carbon Black can reduce the cost of blind reimaging by only responding to affected endpoints. By leveraging a recorded history, Carbon Black also can help enterprises immediately learn from their investigations to improve their threat prevention, detection and response in the future.

[Figure: with Carbon Black, instantly "roll back the tape" with a recorded history to understand the full attack scope. Timeline: user visits website; is sent malicious Java applet; spawns first stage payload (deleted payload); spawns second stage payload; injects code into Windows Explorer; takes malicious actions; lateral movement; discovered.]

Contain, Inspect, Terminate & Remediate Threats with Live Response

Once a threat is identified, IR teams need to be able to drive action on those impacted endpoints. Many security teams, however, are leveraging multiple tools to identify, respond to and remediate threats in their environment. With Carbon Black, responders receive one complete solution for all of their IR needs.

By leveraging a recorded history, IR teams can understand the entire scope of an attack, narrow their focus and then drive action on those endpoints. Through one sensor and console, responders can disrupt threats by isolating and containing impacted endpoints. This affords responders time to thoroughly examine those endpoints (identifying all currently running processes and registry settings, archiving all session data and retrieving files from a remote host) without fear of the attack spreading. Responders can also remediate threats by killing live attack processes, changing registry settings, removing files and validating the success of that remediation.

Also, with Carbon Black's live response capabilities you can customize on-sensor actions by executing your third-party response tools from a single console. This enables capabilities such as disk and memory dumping tools to be used as part of your incident response process within Carbon Black.

With endpoint threat banning in Carbon Black, you can instantly stop, contain and disrupt advanced threats as well as block the future execution of similar attacks. This expands Carbon Black's ability, along with its leading endpoint threat isolation and live response capabilities, to recover from advanced threats faster than any endpoint threat detection and response solution on the market.

[Figure: response actions over the attack timeline on an isolated endpoint. Timeline: user visits website; is sent malicious Java applet; spawns first stage payload (deleted payload); spawns second stage payload; injects code into Windows Explorer; takes malicious actions. Actions: identify root cause and remediate machine; kill attack process; block network communication.]

Security As a Process

When developing an incident response plan, security should never be viewed as static. Everything should work as an ongoing process and lifecycle with the goal of ensuring that any response can evolve, adapt and learn from the investigation after it is concluded. Without continuous endpoint recording, live response and threat intelligence at the core of your enterprise's response plan, this can be extremely difficult.

"IT hires staff to support technology. Security operations buys technology to support staff."

With continuous endpoint visibility at the backbone of Carbon Black, responders can detect, respond and remediate in seconds. However, the goal should be to evolve, adapt and strengthen your prevention and detection solutions moving forward as well. With Carbon Black, any attack tactic, technique or procedure can be saved as a watchlist to detect in real time moving forward.

Additionally, Carbon Black and Bit9 now work together to automate Carbon Black's real-time detection capabilities with Bit9's leading advanced threat prevention solution. Bit9 can now pull in Carbon Black watchlists and drive prevention policy off of those detection events as they occur, providing the most comprehensive protection against advanced threats.

[Figure: response and prevention cycle. Define watchlists in Carbon Black; automate watchlist alerts from Carbon Black in Bit9; leverage Bit9 event rules to automate prevention policy off Carbon Black watchlist alerts; instantly dive back into Carbon Black for deeper analysis and investigations.]

Security Platform Over Product

Most security solutions lock you into their ecosystem. Part of the challenge when leveraging multiple security products is getting them to work together and collaborate to give you the level of protection you desire. This could be integrating your existing endpoint security with network security products, pulling in third-party threat intelligence providers, combining multiple security products, or other challenges.

Carbon Black is a security platform, not a product. We understand that it's your data to use how you want. By leveraging Carbon Black's open API, you can easily and seamlessly integrate all endpoint sensor data and threat intelligence with custom, proprietary or third-party security solutions. Also, you can easily pull network providers and custom threat feeds into Carbon Black to tailor your detection and response capabilities for your specific enterprise.

"IT hires staff to support technology. Security operations buys technology to support staff. Invest in solutions that enable your people to make the best possible decisions."

Summary

Many enterprise security solutions claim to have continuous endpoint visibility while reactively scanning, sweeping or polling your environment for a set list of known indicators or signatures. But this approach can take hours for a single result, disrupt the performance of your organization's endpoints, and miss insight into root cause and lateral movement. Enterprises must prepare to be breached. To do so, they need to focus on:

++ Automating the tedious and time-consuming data collection process
++ Applying aggregated threat intelligence to enhance their visibility
++ Leveraging a recorded history to understand the entire kill chain
++ Containing, inspecting, terminating and remediating endpoint threats
++ Improving response processes and procedures over time

The only way to fully protect against the advanced threat is to prepare. Carbon Black is the first and only endpoint threat detection and response platform that enables SOC and IR teams to prepare for a breach through continuous endpoint recording, customized detection, live response, remediation, and rapid attack recovery with threat banning. Built entirely on open APIs, Carbon Black delivers unparalleled security operations development capabilities to integrate with and build on top of Carbon Black for best-of-breed detection and response tailored for your organization. Top IR firms and MSSPs have made Carbon Black a core component of their detection and response services.

ABOUT BIT9 + CARBON BLACK

The combination of Bit9 + Carbon Black offers the most complete answer to the newer, more advanced threats and targeted attacks intent on breaching an organization's endpoints. This comprehensive approach makes it easier for organizations to see and immediately stop advanced threats. Our solution combines Carbon Black's lightweight endpoint sensor, which can be rapidly deployed with no configuration to deliver "incident response in seconds", and Bit9's industry-leading prevention technologies. Benefits include:

+ Continuous, real-time visibility into what's happening on every computer
+ Real-time threat detection, without relying on signatures
+ Instant response by seeing the full "kill chain" of any attack
+ Protection that is proactive and customizable

Bit9 + Carbon Black delivers a comprehensive solution for continuous endpoint threat security. This is why thousands of organizations worldwide, from 25 Fortune 100 companies to small businesses, use our proven solution. The result is increased security, reduced operational costs and improved compliance.

2014 Bit9 is a registered trademark of Bit9, Inc. All other company or product names may be the trademarks of their respective owners. 20150528

266 Second Avenue, Waltham, MA 02451 USA
P 617.393.7400 F 617.393.7499
www.bit9.com