Environment
- Carbon Black Cloud: All Products
Question
Does Carbon Black alert on the action described in this CVE?
Answer
- No. The actions seen when a CVE is abused normally fall within the normal operation of the software. Creating a new, specific rule for each CVE would not be maintainable.
  Example: If the CVE reports that Firefox versions < 82.0.3 (CVE-2020-26950) are vulnerable, alerts should not occur for each use of Firefox. Instead, the vulnerability requires a certain environmental configuration before or after Firefox starts, and that is what should alert.
- Potential next steps:
  - Check TAU for any reports regarding the CVE. A report on a threat is provided on an as-needed basis based on multiple factors.
  - Understand the CVE.
  - Understand if/how the common software is used in the network.
  - Determine if a custom watchlist is warranted to monitor any misuse of the commonly used software.
  - Contact Support to express interest in a particular threat or possibly get more information.
Additional Notes
- Carbon Black reviews new or updated CVEs daily and adjusts the behavioral rules as needed to cover possible Tactics, Techniques and Procedures (TTPs).
- Carbon Black has an extensive binary reputation database of malware, which is kept up to date on a daily basis.