Behavioral Execution Prevention

Behavioral Execution Prevention detects and blocks attacks directly on the endpoint, which shortens your organization's response time.

To learn about supported platforms for Behavioral Execution Prevention, see Endpoint machine prevention features.

Attackers commonly use legitimate operating system software or third-party software to deliver and spread malware. Specifically, attackers abuse legitimate software functionality to execute malicious payloads, launch malicious droppers or downloader macros, obfuscate data, achieve persistence, and exfiltrate data. As the threat landscape evolves, these techniques allow attackers to execute attacks more quickly than before, making it more critical for organizations to identify attacks earlier in the kill chain and shorten response time.

Traditional antivirus tools are less likely to identify attacks that originate from trusted, native processes. The Cybereason platform's Behavioral execution prevention feature instead uses a set of behavioral rules to prevent attackers from abusing the functionality of legitimate software.

These rules use detailed research data to identify anomalies in the image name, command line, image file metadata, or process hierarchy. These detections were previously available only as part of the Cybereason Endpoint Detection and Response (EDR) module; with Behavioral execution prevention, your organization can apply them at the endpoint level to significantly shorten Mean Time to Response (MTTR). Running the detection logic on the endpoint also helps when the endpoint is disconnected from the Cybereason platform and cannot send collected data, such as when working offline.

Behavioral execution prevention identifies these anomalies as early as process creation time, which limits the attacker's window of opportunity and helps prevent phishing attacks, zero-day attacks, and drive-by attacks.
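The following is an added illustration of the kind of process-creation checks described above; it is constructed example code, not Cybereason's rule set, and the rule names, thresholds, and sample events are assumptions. It evaluates a single process-creation event against the four anomaly sources the text names (process hierarchy, image file metadata, command line, and credential-dumping indicators) and returns the rule names that fire.

```python
"""Illustrative process-creation anomaly rules (constructed example, not Cybereason's rules)."""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    image: str                   # image name as launched, e.g. "winword.exe"
    cmdline: str                 # full command line of the new process
    parent_image: str            # image name of the parent process
    original_filename: str = ""  # OriginalFilename from the PE version resource (image file metadata)


# Hypothetical allow/deny sets; a real rule set would be far larger and research-driven.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}

# Command-line indicators: encoded PowerShell, in-memory download cradles, and lsass memory dumps.
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+\S+", re.I)
DOWNLOAD_CRADLE = re.compile(
    r"(downloadstring|downloadfile|invoke-webrequest|iwr|invoke-expression|iex)\b", re.I)
LSASS_DUMP = re.compile(r"(comsvcs\.dll.*minidump|-ma\s+lsass|lsass\.exe.*\.dmp)", re.I)


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of every rule that fires for one process-creation event."""
    findings: List[str] = []
    image = ev.image.lower()
    parent = ev.parent_image.lower()
    cmd = ev.cmdline

    # Process hierarchy: document readers and browsers should not spawn script hosts
    # (typical of macro-based phishing and drive-by payloads).
    if image in SCRIPT_HOSTS and parent in OFFICE_APPS:
        findings.append("office-app-spawned-script-host")
    if image in SCRIPT_HOSTS and parent in BROWSERS:
        findings.append("browser-spawned-script-host")

    # Image file metadata: the PE's OriginalFilename disagrees with the on-disk name,
    # which is what a renamed dual-use tool looks like.
    if ev.original_filename and ev.original_filename.lower() != image:
        findings.append("image-name-mismatch")

    # Command line: encoded PowerShell and download cradles.
    if image in {"powershell.exe", "pwsh.exe"}:
        if ENCODED_PS.search(cmd):
            findings.append("encoded-powershell")
        if DOWNLOAD_CRADLE.search(cmd):
            findings.append("download-cradle")

    # Credential dumping: anything requesting a memory dump of lsass.
    if LSASS_DUMP.search(cmd):
        findings.append("lsass-dump")

    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent("chrome.exe", "chrome.exe --type=renderer", "explorer.exe", "chrome.exe"),
    ProcessEvent("powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA",
                 "winword.exe", "PowerShell.EXE"),
    ProcessEvent("svchost.exe", "svchost.exe -accepteula -ma lsass.exe C:\\Users\\Public\\l.dmp",
                 "cmd.exe", "procdump"),
    ProcessEvent("rundll32.exe",
                 "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\out.dmp full",
                 "cmd.exe", "RUNDLL32.EXE"),
]


def triage(events: List[ProcessEvent]) -> List[List[str]]:
    """Evaluate a batch of events; an empty list means no rule fired."""
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{ev.parent_image} -> {ev.image}: {hits or 'clean'}")
```

Because every check runs on fields available at process creation (parent, image name, PE metadata, command line), a blocking decision can be made before the new process executes, which is the point the paragraph above makes about shortening the attacker's window.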

When Behavioral execution prevention or Variant payload prevention detects unusual process behavior that may indicate misuse of legitimate software to execute an attack, the Cybereason platform triggers a ‘Malicious process behavior’ MalOp. For more information, see Malicious process behavior.

To configure Behavioral execution prevention, see Set the Behavioral Execution Prevention Modes.

Behavioral execution prevention detects behaviors including the following:

  • Credential dumping

  • Phishing

  • Drive-by attacks

  • Zero-day exploits