We recently held the webinar “AI Hunting in Action”, which showed how Cybereason’s security team detected and handled a sophisticated attack against one of our customers. If you missed the webinar, you can watch a recording of it. It’s worth viewing if you’re curious about how threat hunting can be used to determine if adversaries are already in your environment or how AI Hunting is probably the best approach for handling attacks that use advanced tools and techniques.
And if you listened to the webinar and asked a question after the presentation, read on. In this blog, Shlomi Avivi, vice president of information security at Cybereason and the person who led the webinar, answers some of the questions that attendees asked.
The webinar is called AI Hunting in Action. When was AI used?
Cybereason’s AI hunting engine led to the automatic detection of a few elements in this attack, including the initial alert on the compromised account. The AI element identifies malicious behavior, and automatically provides analysts with relevant context so they can further expand their hunt.
How did the threat actor obtain the credentials?
The incident was detected after behavior indicating a compromised user was spotted, specifically the use of a tool with behavior that’s similar to Mimikatz. However, we did not find evidence about the initial penetration vector. In most cases, initial penetration is achieved using social engineering, like sending a malicious downloadable in a phishing email or using a malicious drive-by. In this case, since most of the infected machines were servers and not PCs, we assume the initial infection exploited a remote code execution vulnerability on an Internet-facing server.
If sophisticated attackers can spoof a commonly used tool or vendor command set, is a tool or a well-trained analyst the best way to identify and prevent malicious activity, or is a combination of the two the optimal approach?
The best approach is to combine a behavior-based security detection tool (one that can spot these incidents even if the attacker uses legit tools) with a well-trained analyst who can perform threat hunting. The analyst should also be equipped with investigative tools.
Did this event lead to your solution generating a template (something like a repeatable automated process) to stop similar attempts in the future?
Our product automatically detected several parts of this attack. As we discovered more of the attackers’ activities, we built additional detection mechanisms into our product. We always fine-tune and update our detection mechanisms based on our findings and published TTPs.
Is it true that the attacker had persistent scheduled tasks on 16 machines in addition to the initially infected machine?
Yes. That was part of this attack’s sophistication.
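As an added illustration of the persistence review this answer refers to (example code written for this post, not Cybereason's product or the webinar material; hostnames, task names, paths and the baseline are all constructed), the check below groups scheduled-task records collected from many hosts and flags tasks that are missing from a known-clean baseline yet appear on several servers at once, which is the pattern of one task planted on many machines.

```python
from collections import defaultdict

# Constructed sample data: one record per scheduled task per host, as a hunt
# would gather it from endpoint telemetry. Nothing here is from the webinar.
SAMPLE_TASKS = [
    {"host": "srv01", "name": "ScheduledDefrag", "action": r"C:\Windows\System32\defrag.exe -c"},
    {"host": "srv02", "name": "ScheduledDefrag", "action": r"C:\Windows\System32\defrag.exe -c"},
    {"host": "srv03", "name": "ScheduledDefrag", "action": r"C:\Windows\System32\defrag.exe -c"},
    {"host": "srv01", "name": "SystemUpdateSvc", "action": r"C:\ProgramData\upd\svc.exe"},
    {"host": "srv02", "name": "SystemUpdateSvc", "action": r"C:\ProgramData\upd\svc.exe"},
    {"host": "srv03", "name": "SystemUpdateSvc", "action": r"C:\ProgramData\upd\svc.exe"},
    {"host": "srv02", "name": "BackupNightly", "action": r"C:\Program Files\Backup\bk.exe"},
]

# Task name -> expected action, taken from a known-clean build of the same
# server image (constructed). Keying on the action too catches a legitimate
# task name whose command line has been replaced.
GOLDEN_BASELINE = {
    "ScheduledDefrag": r"C:\Windows\System32\defrag.exe -c",
    "BackupNightly": r"C:\Program Files\Backup\bk.exe",
}

TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def unusual_action_path(action):
    """True when the task's command line starts outside the usual system dirs.
    Assumes the action string begins with the executable path."""
    return not action.lower().lstrip('"').startswith(TRUSTED_PREFIXES)

def find_spread_persistence(records, baseline, min_hosts=3):
    """Return tasks that do not match the baseline and are present on at least
    min_hosts hosts, most widespread first. Each finding lists the hosts so an
    analyst can pivot to them, plus whether the executable path is unusual."""
    hosts_by_task = defaultdict(set)
    for r in records:
        hosts_by_task[(r["name"], r["action"])].add(r["host"])
    findings = []
    for (name, action), hosts in hosts_by_task.items():
        if baseline.get(name) == action or len(hosts) < min_hosts:
            continue
        findings.append({"name": name, "action": action, "hosts": sorted(hosts),
                         "unusual_path": unusual_action_path(action)})
    findings.sort(key=lambda f: (-len(f["hosts"]), f["name"]))
    return findings

if __name__ == "__main__":
    for f in find_spread_persistence(SAMPLE_TASKS, GOLDEN_BASELINE):
        flag = "  [non-standard path]" if f["unusual_path"] else ""
        print(f"{f['name']} on {len(f['hosts'])} hosts -> {f['action']}{flag}")
```

The host threshold is the knob to tune: lowering it surfaces a task planted on only a couple of machines at the cost of more baseline noise to review.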
Can Cybereason detect fileless malware attacks, like the reflective DLL technique mentioned in the webinar?
When "reviewing persistence" was shown in the presentation, where was the GUI from? Is it a Cybereason tool?
Yes. Isn’t it cool? You can learn more about our investigation console here.
Among other things, it seems like a dumping DLL path for all loaded executables is a good idea. Does the product allow for such a thing?
You recommended that security teams not just dismiss false positives. How much time should be devoted to false positive analysis when security teams have little time to analyze alerts about known threats?
It's hard to put a number on it since things like the team and the alert impact the answer. The most important thing is to not invest time in a false positive alert more than once. When an alert that’s already been deemed a false positive is triggered, analysts should be trained to spot and dismiss it. Also, the analysts should have a security product that enables them to whitelist the process so it doesn’t trigger a false positive again.
How much time passed between the first attack and when it was detected? And what was the time to resolution?
Since this customer was not regularly a managed service customer, we saw the alert only after the customer asked us to investigate it. At that point, it was a few weeks after the alert had been triggered.
The investigation process (which was more extensive than what I showed in my presentation, which focused on the highlights) was around two days.
How does Cybereason work with the attack life cycle and help with incident response?
The Cybereason platform provides visibility and response capabilities for malicious behaviors carried out by attackers throughout the entire attack life cycle. For incident response, the platform provides context and investigation abilities that allow immediate action and presents an entire view of your environment.
Cybereason also provides managed services with our analysts monitoring customer environments, providing proactive threat hunting and assisting customers with detection and incident response.