This piece was authored by Tatiana Vollbrecht and originally published on the Carbon Black Tech Zone.
With the launch of the Managed Detection and Response (MDR) product, led by our expert cybersecurity analysts, we are able to provide a valuable new way to respond to threats. With this new MDR product, customers will now be able to have an extra set of eyes on their network who are able to proactively take action in the event that no staff is available to do so. This will alleviate many of the problems that organizations that are not able to hire a full-time, 24/7 staff may face. This much-awaited product puts our experts and expertise between our customers and the malicious actors to help give peace of mind when incidents occur.
Managed Detection and Response Product Launch
Managed Detection and Response (MDR) went live in December of 2021, and it wasn’t long before the MDR team proved their value in the efforts to defend our client’s networks. In less than a month from initial onboarding, one of the MDR analysts observed an attack within a customer’s environment that leveraged Mshta.exe and fileless PowerShell execution to communicate over the network with a command & control (C2) server. Using the in-depth telemetry of the CB sensor, the team immediately set to work in an attempt to find the possible root cause and scope of infection within the network.
Figure 1: Attacker leveraging Mshta.exe and PowerShell to communicate with C2 server.
The investigating analysts conducted a historical analysis within the customer’s environment to determine the scope of the attack and a potential timeline within the stored data that was available. The team was able to link the attack to poor policy configuration, which in turn limited the full capability of the product to block the attack. In this case, standard policy and policy best practices would have blocked this attack. However, this minimally configured custom policy allowed the device to be infected in the months prior, allowing the threat actors to gain the initial access into their network. Unfortunately for the customer, although the activity was observed by their own internal security team prior to initiating the MDR product, it was reported as normal/expected behavior. The team simply did not have the information, experience, or maybe even time required to delve into the alert and associate the indicators of compromise (IOC) with its attributed attack profile. These grave errors allowed the device to communicate with the C2 server sporadically over at least a 2-month timeframe as well as successfully infect additional devices on their network.
Figure 2: External C2 communication from the infected device.
The investigating team took quick action to contain the threat while maintaining balance to “do no harm” to business operations (when possible, of course). MDR analysts have various options within the Carbon Black Cloud (CBC) console to mitigate threats according to the severity of the threat and the operational impact of the asset it was discovered on. Mitigating options include (1) hash banning, (2) reconfiguring policy rules and asset policy reassignment, and (3) quarantining the asset from the network. Our team makes it a top priority to treat every incident as a unique case that takes into consideration potential asset business impact and scope of the threat. It’s important to note that due to the sensitive nature of allowing a third party to manipulate assets within your network, it was a purposeful decision that these additional actions require customer opt-in through policy configuration. Opting-in will allow policy changes and reassignments or asset quarantining. We want to ensure that our customers maintain control as to what can be modified within their own network.
For this incident, the analyst determined that cloning the device’s assigned policy and drafting custom blocking rules tailored according to the observed behavior would be sufficient to contain the threat with limited disruption to business operations. The infected device was also quarantined from the internal network to stop the spread to additional devices.
Within less than 2 hours, the impacted devices were quarantined and awaiting remediation, the customer was notified, and the environment scanned for further indicators of compromise. The MDR analysts even reviewed the organization’s current product policies and provided recommendations that would better protect their network.
Figure 3: Drafted policy changes to contain the observed threat.
This brings us to the next added benefit of choosing the Carbon Black Managed Detection and Response (MDR) product: our team. Prior to the release of this new product, Carbon Black analysts have been working for years on the Managed Detection (MD) team. In terms of experience, this means thousands of endpoints across various fields and industries that Carbon Black analysts have been exposed to and tens of thousands of hours investigating threats, in addition to top-of-the-line annual training. Because of this exposure, our team is highly sought after and coveted within the security industry for their breadth of experience, knowledge base, and years of training, especially within the Carbon Black Cloud products. This has been a great incentive for our customers whose team’s may be highly experienced but lack the range of exposure and product proficiency that is second nature for our team.
Our expertise and breadth of threat exposure allowed our Managed Detection and Response (MDR) analysts to determine that the observed indicators of the attack resembled those attributed to the DarkSide Ransomware campaign in the abovementioned incident. Like many other cyber threat groups, DarkSide is financially motivated to target high value organizations that they believe could possibly provide a larger payout once the encryption takes place. The group has been observed to tailor their malicious binaries according to their target, in order to avoid detection. To learn more about this group or how their behaviors can be tracked using the Carbon Black endpoint sensor, please refer to the following Threat Analysis Unit – Threat Intelligence Notification: TAU-TIN – DarkSide Ransomware.
The average dwell time for threat actors that specialize in ransomware is about 60 days. While that appears to be sufficient time for detection, that is often not the case due to unusual operating times, insufficient staffing, and limited exposure to the ever-changing threat landscape and evolving tactics. Based on historical data within this customer’s environment, they were not far from reaching this dwell time before the next phase of the attack. It is a testament to the effectiveness of the MDR team that the alert was immediately identified as a critical threat and that their actions stopped the attack and prevented any further malicious activity. As this example shows, it is an exciting time for the Carbon Black Managed Detection and Response team and our customers.
To learn more about VMware Carbon Black’s Managed Detection and Response product check out the following links.
Like to learn more? Watch this video that shows how the MDR service combines the security analysts as well as ML/algorithmic tools to quickly triage alerts and notify customers of likely security incidents. Since release, we have triaged over 17M security alerts.