The Cybereason Difference: Introduction to the MalOp

April 11, 2021 | 3 minute read

Welcome to the April edition of our series The Cybereason Difference (inaugural post here). Each post of this series explores a unique way that Cybereason empowers defenders.

There are a few key things that set the Cybereason Defense Platform apart from other cybersecurity tools:

• The Malop™: Short for malicious operation, the MalOp™ is the realization of our operation-centric approach, presenting the complete picture of an attack rather than overwhelming analysts with piecemeal alerts.

• Complete data collection: Detection of the most advanced and elusive attackers requires exhaustive and correlated data collection from the endpoint. Our platform processes 80 million events per second leaving adversaries nowhere to hide.

• Indicators of Behavior (IOBs): Traditional Indicators of Compromise (IOCs) and signatures are useful for catching known malware. To stop even the most sophisticated attacks and catch never-before-seen malware we leverage IOBs.

• Automated response: Analysts can take remote remediation actions including machine isolation, killing processes, and opening remote shells, all from within an intuitive point and click interface—stopping attackers in their tracks.

• Behavioral Document Protection: Cybereason detects and blocks ransomware hidden in the most common business document formats, including those that leverage malicious macros and other stealthy attack vectors.

• Future-ready: The flexibility of our product and the new innovations being added every day, make Cybereason future-ready for wherever the fight takes us..

This month we’re exploring our most beloved differentiator: the MalOp. Most security teams can relate to alert fatigue, and it’s not uncommon for large enterprises to deal with alerts in extremely large and unmanageable quantities - up to tens of thousands per day.

These alerts are often reported individually and without a broader connection to related malicious activities, meaning defenders could be made aware of a singular issue through multiple streams with a scattered and chaotic approach.

Our alternative approach to traditional alerts, the MalOp provides a contextualized view of the full narrative of an attack, correlated across all impacted endpoints, in a single screen. For security analysts, this evolves their approach of reacting to incidents from an alert-centric view to responding with an operation-centric approach.

At the core of the Cybereason technology is a highly advanced data analytics platform called the Cross Machine Correlation Engine. This system analyzes a massive amount of data; automatically, and rapidly correlates every detail of multi-faceted attacks into a comprehensive view. This advanced and automatic analysis increases analyst speed and accuracy by reducing the noise of alerts with a focused deconstruction of the overall operation.

With all the information an analyst needs to scope and respond to a malicious operation concisely presented, analysts are able to drastically reduce their Mean Time to Respond (MTTR).

To realize these efficiency gains, every MalOp contains the following five critical categories of information about a malicious operation:

• The root cause: The malicious activity that caused Cybereason to suspect that a malicious operation might be taking place. Whether through a well-crafted spear phishing email or other entry vector, cyber adversaries must first establish a foothold in the environment to build on and escalate the intrusion. The root cause (along with any other suspicious behavior and ultimately evidence) is always mapped to the MITRE ATT&CK framework. For example, a common root cause observed by Cybereason technology is the use of domain generation algorithms.

• The impacted users and machines: Today’s attackers almost never focus their malicious operation on a single user or machine. Although a specific user or asset might be the ultimate target, multiple systems will be leveraged along the path to their objective. All of the users and machines that are part of this larger operation are correlated into this single view. Determine the full scope of the operation and the breadth of compromise, which helps to drive a thorough and comprehensive response.

• Ingoing and outgoing communications: Data exfiltration and command and control activity are excellent beacons to uncover attackers lurking in our environment. Incoming and outgoing network traffic across all impacted machines is provided and traffic identified as malicious is highlighted.

• The tools the attacker used: What is the attacker using to execute their malicious code and traverse the environment? Metasploit Meterpreter? Or perhaps they are stealthy and leveraging components built into the operating system to avoid detection—commonly called Living Off The Land (LOL). We see a lot of signed Microsoft Windows binaries being abused such as regsvr32.exe.

• The timeline of the attack: This is the part of the MalOp our customers rave about. Automatically analyzing the activity across the vast environment and presenting the full timeline of the attack in a straightforward and visual way saves our customers untold amounts of time. Gone are the painful hours of examining alert time stamps to try and determine what happened, and when, during a malicious operation.

A MalOp serves up the critical information you need to observe, orient, decide, and act quickly. On the surface there is an attention to brevity, however, this is just the beginning of the information that we can uncover as we drill into a MalOp. As an example, the attack tree view gives great detail on every involved process and shows exactly what happened before and after the malicious activity was discovered. 

What to see it in action? Check out the short video below for a walkthrough of a sample MalOp:

 

2 Minute Overview of a Sample MalOp™

The MalOp has transformed the day-to-day life of security analysts around the world, making them more efficient, less prone to burnout, and resulting in improved response and remediation times. Be sure to check back for the next edition of The Cybereason Difference where we will be covering Cybereason’s unique approach to complete data collection.

Justin Buchanan
About the Author

Justin Buchanan

Justin Buchanan, Director of Product Marketing, is responsible for the go-to-market strategy of Cybereason’s Endpoint Protection Platform (EPP) offerings. Driven by his background in IT and his deep understanding of customers’ desired outcomes, Justin is passionate about how Cybereason can help customers—and the security industry as a whole—reverse the adversary advantage and empower defenders.

All Posts by Justin Buchanan