Enriching Raw Telemetry with the Cybereason Historical Data Lake

Regardless of whether you are performing Threat Hunting across your most recent dataset or your long-term historical datasets, an important dimension to your data is the enrichment and contextualization process.

Contextual data provides the Threat Hunter (“hunter”) with additional data points and a more complete picture of the activity, allowing them to make more informed decisions about whether the activity should be investigated further or disregarded.  

The Cybereason Historical Data Lake, which logs all telemetry collected by our endpoint sensors, has two main use cases:

  • Historical Hunting: Applying intelligence/attack data, typically in the form of Indicators of Compromise (IOCs) from newly discovered historical campaigns, to older datasets; and,
  • Deep Investigation: Performing targeted, in-depth investigation into machines or users.

As of version 21.2.160, Historical Data Lake enriches raw telemetry from the endpoint sensors with our industry-leading MalOp™ (malicious operation) detection engine. This feature provides the hunter with invaluable context as to whether the activity returned by their search was detected as malicious in real time by the Cybereason XDR Platform.

Given that one of the goals of Threat Hunting is to surface threats that have evaded existing detection and prevention controls, this contextual data gives the hunter sharper focus. During historical hunting, the hunter may want to investigate results that matched their search yet were not detected as malicious (i.e. did not generate a MalOp) by the Cybereason XDR Platform at the time of the event.

In this scenario, the hunter may not want to waste valuable cycles investigating activity that has already been detected as malicious (and potentially remediated); they want to uncover new attacker activity, so their focus is on the results that are reported as benign.

When performing Deep Investigation, however, the hunter may want to examine a machine or specific set of machines that have returned results identified as malicious (i.e. generated a MalOp) by the Cybereason XDR Platform at the time of the event. In this scenario, the hunter may want to use the identified malicious activity as a pivot point, establish a timeline of events, and uncover additional IOCs surrounding this pivot.

Bringing this to life, a typical hunting example and workflow may be as follows:

  • New attack data related to a historical attack campaign comes to light. The attack data consists of IP addresses, domains, and file hashes, as well as artifacts such as processes.
  • The hunter takes the attack data related to the campaign and prepares queries to be executed across all log telemetry in Historical Data Lake. 
  • The results from one query, a simple process name search, show one hit on one machine. This hit is also associated with a MalOp (indicated by the red MalOp icon).
  • The hunter may choose to investigate the machine that has returned a result associated with a MalOp in greater depth:

Figure 1: Hunter performing a simple process name search

Figure 2: Result on one machine associated with a MalOp

Figure 3: Hunter creating a ‘Replay’ to investigate the machine in greater depth
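The two use cases above come down to one join: attach the real-time MalOp verdict to each raw event, then either hunt for IOC hits the engine did not flag or pivot on a flagged machine and build its timeline. The following is an added illustration, not Cybereason code; the field names, the host/timestamp/process join key, the sample telemetry and the MalOp and IOC records are all constructed assumptions rather than the product's schema.

```python
"""Added example (not Cybereason code): enrich raw process telemetry with MalOp
verdicts, then split IOC hits by hunting use case as described in the post."""

# Constructed sample telemetry; field names are assumptions, not the real schema.
RAW_TELEMETRY = [
    {"ts": "2022-03-01T09:01:00Z", "host": "ws-014", "process": "rundll32.exe", "sha256": "aa11"},
    {"ts": "2022-03-01T09:02:30Z", "host": "ws-014", "process": "cmd.exe", "sha256": "bb22"},
    {"ts": "2022-03-02T14:10:00Z", "host": "srv-db-02", "process": "rundll32.exe", "sha256": "cc33"},
    {"ts": "2022-03-03T11:45:00Z", "host": "ws-031", "process": "powershell.exe", "sha256": "dd44"},
]

# MalOps the real-time engine raised when the events occurred (constructed).
MALOPS = [
    {"malop_id": "MALOP-EXAMPLE-1", "host": "ws-014",
     "ts": "2022-03-01T09:01:00Z", "process": "rundll32.exe"},
]

# IOCs from the newly published campaign data (constructed values).
CAMPAIGN_IOCS = {"process": {"rundll32.exe", "powershell.exe"}, "sha256": {"dd44"}}


def enrich(telemetry, malops):
    """Attach malop_id (or None) to every raw event, keyed on host, time and process."""
    index = {(m["host"], m["ts"], m["process"]): m["malop_id"] for m in malops}
    return [dict(e, malop_id=index.get((e["host"], e["ts"], e["process"])))
            for e in telemetry]


def hunt(enriched, iocs):
    """Historical hunting: IOC hits the engine did NOT flag are the new leads;
    hits that already carry a MalOp were detected (and possibly remediated)."""
    hits = [e for e in enriched
            if e["process"] in iocs["process"] or e["sha256"] in iocs["sha256"]]
    return {
        "undetected": [e for e in hits if e["malop_id"] is None],
        "already_detected": [e for e in hits if e["malop_id"] is not None],
    }


def pivot_timeline(enriched, host):
    """Deep investigation: every event on a MalOp host in time order, so the
    flagged event becomes the pivot and surrounding activity can yield new IOCs."""
    return sorted((e for e in enriched if e["host"] == host), key=lambda e: e["ts"])


if __name__ == "__main__":
    enriched = enrich(RAW_TELEMETRY, MALOPS)
    leads = hunt(enriched, CAMPAIGN_IOCS)
    print("undetected IOC hits:", [(e["host"], e["process"]) for e in leads["undetected"]])
    print("timeline for ws-014:", [(e["ts"], e["process"], e["malop_id"])
                                   for e in pivot_timeline(enriched, "ws-014")])
```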

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere. Learn more about Historical Data Lake here or schedule a demo today to learn how your organization can benefit from extended data retention and investigation.

About the Author

Paul Bottomley

Paul is the Senior Product Manager for Threat Hunting and joined Cybereason in September 2021. Paul has over 10 years' experience developing Threat Hunting products and services for global customers, helping them surface attacker activity and cyber risk in their IT networks.
