We recently held the webinar “AI Hunting in Action”, which showed how Cybereason’s security team detected and handled a sophisticated attack against one of our customers. If you missed the webinar, you can watch a recording of it. It’s worth viewing if you’re curious about how threat hunting can be used to determine if adversaries are already in your environment or how AI Hunting is probably the best approach for handling attacks that use advanced tools and techniques.
And if you listened to the webinar and asked a question after the presentation, read on. In this blog, Shlomi Avivi, vice president of information security at Cybereason and the person who led the webinar, answers some of the questions that attendees asked.
Cybereason’s AI hunting engine led to the automatic detection of a few elements in this attack, including the initial alert on the compromised account. The AI element identifies malicious behavior and automatically provides analysts with relevant context so they can further expand their hunt.
The incident was detected after behavior indicating a compromised user was spotted, specifically the use of a tool with behavior that’s similar to Mimikatz. However, we did not find evidence of the initial penetration vector. In most cases, initial penetration is achieved using social engineering, like sending a malicious downloadable in a phishing email or using a malicious drive-by. In this case, since most of the infected machines were servers and not PCs, we assume the initial infection exploited a remote code execution vulnerability on an Internet-facing server.
The best approach is to combine a behavior-based security detection tool (one that can spot these incidents even if the attacker uses legit tools) with a well-trained analyst who can perform threat hunting. The analyst should also be equipped with investigative tools.
Our product automatically detected several parts of this attack. As we discovered more of the attackers’ activities, we built additional detection mechanisms into our product. We always fine-tune and update our detection mechanisms based on our findings and published TTPs.
Yes. That was part of this attack’s sophistication.
The Cybereason platform has several detection and protection mechanisms against fileless attacks. This includes detection of reflective loading and malicious PowerShell use.
Yes. Isn’t it cool? You can learn more about our investigation console here.
Yes.
It's hard to put a number on it since things like the team and the alert impact the answer. The most important thing is to not invest time in a false positive alert more than once. When an alert that’s already been deemed a false positive is triggered, analysts should be trained to spot and dismiss it. Also, the analysts should have a security product that enables them to whitelist the process so it doesn’t trigger a false positive again.
Since this customer was not a regular managed services customer, we saw the alert only after the customer asked us to investigate it. At that point, it was a few weeks after the alert had been triggered.
The investigation process (which was more extensive than what I showed in my presentation, which focused on the highlights) was around two days.
The Cybereason platform provides visibility and response capabilities for malicious behaviors carried out by attackers throughout the entire attack life cycle. For incident response, the platform provides context and investigation abilities that allow immediate action and presents an entire view of your environment.
Cybereason also provides managed services with our analysts monitoring customer environments, providing proactive threat hunting and assisting customers with detection and incident response.