This article explores our most beloved differentiator: the MalOpTM, short for malicious operation, which is the realization of our operation-centric approach, presenting the complete picture of an attack rather than overwhelming analysts with piecemeal alerts.
Most security teams can relate to alert fatigue, and it’s not uncommon for large enterprises to deal with alerts in extremely large and unmanageable quantities - up to tens of thousands per day.
These alerts are often reported individually and without a broader connection to related malicious activities, meaning defenders could be made aware of a singular issue through multiple streams with a scattered and chaotic approach.
As an alternative approach to traditional alerts, the MalOp provides a contextualized view of the full narrative of an attack, correlated across all impacted endpoints, in a single screen. For security analysts, this evolves their approach of reacting to incidents from an alert-centric view to responding with an operation-centric approach:
Two Minute Overview of a Sample MalOp™
At the core of the Cybereason technology is a highly advanced data analytics platform called the Cross-Machine Correlation Engine. This system analyzes a massive amount of data; automatically, and rapidly correlates every detail of multi-faceted attacks into a comprehensive view.
This advanced and automatic analysis increases analyst speed and accuracy by reducing the noise of alerts with a focused deconstruction of the overall operation. With all the information an analyst needs to scope and respond to a malicious operation concisely presented, analysts are able to drastically reduce their Mean Time to Respond (MTTR).
To realize these efficiency gains, every MalOp contains the following five critical categories of information about a malicious operation:
• Root Cause: The malicious activity that caused Cybereason to suspect that a malicious operation might be taking place. Whether through a well-crafted spear phishing email or other entry vector, cyber adversaries must first establish a foothold in the environment to build on and escalate the intrusion. The root cause (along with any other suspicious behavior and ultimately evidence) is always mapped to the MITRE ATT&CK framework. For example, a common root cause observed by Cybereason technology is the use of domain generation algorithms.
• Impacted Users and Machines: Today’s attackers almost never focus their malicious operation on a single user or machine. Although a specific user or asset might be the ultimate target, multiple systems will be leveraged along the path to their objective. All of the users and machines that are part of this larger operation are correlated into this single view. Determine the full scope of the operation and the breadth of compromise, which helps to drive a thorough and comprehensive response.
• Incoming and Outgoing Communications: Data exfiltration and command and control activity are excellent beacons to uncover attackers lurking in our environment. Incoming and outgoing network traffic across all impacted machines is provided and traffic identified as malicious is highlighted.
• Tools the Attackers Used: What is the attacker using to execute their malicious code and traverse the environment? Metasploit Meterpreter? Or perhaps they are stealthy and leveraging components built into the operating system to avoid detection—commonly called Living Off The Land (LOL). We see a lot of signed Microsoft Windows binaries being abused such as regsvr32.exe.
• Timeline of the Attack: This is the part of the MalOp our customers rave about. Automatically analyzing the activity across the vast environment and presenting the full timeline of the attack in a straightforward and visual way saves our customers untold amounts of time. Gone are the painful hours of examining alert time stamps to try and determine what happened, and when, during a malicious operation.
A MalOp serves up the critical information you need to observe, orient, decide, and act quickly. On the surface there is an attention to brevity, however, this is just the beginning of the information that we can uncover as we drill into a MalOp. As an example, the attack tree view gives great detail on every involved process and shows exactly what happened before and after the malicious activity was discovered.
The MalOp has transformed the day-to-day life of security analysts around the world, making them more efficient, less prone to burnout, and resulting in improved response and remediation times.
There are a few key things that set the Cybereason Defense Platform apart from other cybersecurity tools:
• Complete Data Collection: Detection of the most advanced and elusive attackers requires exhaustive and correlated data collection from the endpoint. Our platform processes 80 million events per second leaving adversaries nowhere to hide.
• Indicators of Behavior (IoBs): Traditional Indicators of Compromise (IOCs) and signatures are useful for catching known malware. To stop even the most sophisticated attacks and catch never-before-seen malware we leverage Indicators of Behavior, the more subtle chains of behavior that can surface an attack earlier and more reliably.
• Automated Response: Analysts can take remote remediation actions including machine isolation, killing processes, and opening remote shells, all from within an intuitive point and click interface—stopping attackers in their tracks.
• Ransomware Prevention and Deception: Cybereason uses a combination of behavioral detections and proprietary deception techniques surface the most complex ransomware threats and end the attack before any critical data can be encrypted.
• Future-Ready: The flexibility of our product and the new innovations being added every day, make Cybereason future-ready for wherever the fight takes us.
Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware attacks. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.
