
Endpoint Standard: How To Triage Malware Attack if Suspected That Product Did Not Detect or Prevent

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard (formerly CB Defense)
  • Carbon Black Cloud Sensor: All Versions

Objective

Steps to take when a malware attack is observed on endpoint(s) in the environment and the associated malicious behavior is believed to be something VMware Carbon Black Cloud Endpoint Standard should have detected or prevented.

Resolution

  1. Place the sensor in quarantine: Carbon Black Cloud: How to Quarantine a Device from the Carbon Black Cloud Console?
  2. Collect sensor logs for the affected platform:
    • Windows
    • macOS
    • Linux

If an affected device is wiped or re-imaged after logs are collected, it might not be possible to continue investigating the issue if multiple iterations of diagnostic data are needed.

  3. Check Security Advisories and Threat Research content to see if it is a known type of attack; if so, check that the right measures to prevent it were in place. If they were, proceed to step 4.
  4. Open a Support Case with the following information:
    1. Sensor logs collected in step 2
    2. Hostname(s) of affected device(s)
    3. The policy and policy rule(s) in place which were expected to block the attack
    4. Any notable Alert IDs or Event IDs
    5. Any known IOCs, malware hashes or ransomware extensions; See How To Provide A Malware Sample To Carbon Black Support if able to upload a sample of the malware
Additional information that may also be helpful (if available):
  1. How many endpoints were affected?
  2. Approximate date and time the incident took place
  3. Is the ingress point known?
  4. Did any user report suspicious behavior? If so, what did they observe?
  5. Were the affected endpoints accessible from the internet, by design or unintentionally?
  6. If SMB shares were involved, were they password protected?
  7. Were the sensors remediated after quarantine? If so, what steps were taken?

Additional Notes

  • Support may assist in determining whether Endpoint Standard failed to identify or stop an attack when the appropriate policy rules were in place, but cannot provide detection or prevention recommendations outside of a VMware Carbon Black product. Support is also unable to assist with complete analysis of a security incident, e.g. identifying the exact source of an attack or suggesting full remediation steps (i.e. Incident Response).
  • VMware Carbon Black has many partners that can be contacted in case IR assistance is needed: Incident Response and Managed Security Service Providers - VMware
  • Users needing help during an IR investigation can also post in Threat Research to discuss with other UeX users in addition to searching the space for analysis and recommendations on known attack types

Creation Date: 03-23-2021