Examine XDR Malops
Note
To use these features, you can add the XDR package to your instance of the Cybereason platform for an additional cost. Contact your Customer Success Manager for details about this package.
The Cybereason platform generates XDR MalOps when the Cybereason platform determines that suspicious events reported by your connected XDR integrations are likely related. This enables you to potentially find larger patterns of behavior instead of focusing one-by-one on individual alerts.
To help generate XDR MalOps, Cybereason XDR uses a MalOp detection engine that considers the MITRE ATT&CK framework and the attack indicators/identities associated with events to identify highly likely attack sequences. The MalOp detection engine automatically aggregates events sharing the same attack targets into steps, and also correlates different steps/events based on common indicators and attack sequences. The engine lets you move away from manually investigating individual events and instead focus on the end-to-end attack story, considerably improving your mean time to respond (MTTR).
Note
The Cybereason XDR MalOp detection engine is not generally available. Contact your Customer Success Manager to gain access to this feature.
The MalOp detection engine receives all suspicious events that carry MITRE ATT&CK tags. It then analyzes the events and groups them based on shared indicators, using proprietary detection rules managed by the Cybereason Security Research team. For example, if multiple events share the same IP address or user identity as the main performer of the event, the MalOp detection engine might group these events together in a step.
Steps performed in sequence can also be grouped together if they share a common indicator. For example, suspicious login activity followed by malicious activity involving data can be grouped into the same MalOp.
In addition, the engine analyzes steps and connections between steps to determine if these steps are considered a MalOp, based on a number of criteria:
Total events
Variety of suspicious names
Variety of data sources
Data source category
Total targeted users/hosts
Events severity
Sequences of activity that match known attack patterns
Accuracy of the detections, including how many times and how often they occur; many repeated detections may indicate a false positive
Sequences of events that meet the specified thresholds for the criteria above are considered MalOps.
The engine also calculates the MalOp's severity from its assessment of the same criteria, and assigns the MalOp a status of New, or Auto-resolved if all events associated with the MalOp were already mitigated by the connected vendor platforms/products.
The MalOp detection engine enables you to narrow millions of events to a much smaller percentage of suspicious events, and then to a very limited number of MalOps that are highly likely to be malicious and require your attention.
When the Cybereason platform generates an XDR MalOp, it groups the suspicious events by their MITRE ATT&CK tactic/technique/sub-technique. Each grouping is a “step” in the XDR MalOp. Within a step you can see all of its suspicious events, which helps you determine whether there is a larger pattern of behavior across your organization by comparing numerous suspicious events in the context of the same MalOp step.
When analyzing suspicious events, the Cybereason platform focuses on the performer and victim identities involved in the suspicious events. These values may differ from the traditional source and target values, as the identity data can include various user accounts, not just machine-based information. In some cases, such as during lateral movement attack stages, the initial victim becomes the performer. This is just one scenario in which the platform would trigger a MalOp.
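To make the grouping, chaining and scoring described above concrete, the following is an added example written for this page; it is not Cybereason's detection engine or its rules, which are proprietary. It groups constructed sample events into steps by technique and main performer, chains steps that share a performer or victim identity (so a victim of one step who later acts as performer links the two steps, the lateral-movement case noted above), scores each chain against the listed criteria with assumed weights, and sets the status to Auto-resolved when every event was already mitigated. The event fields, tactic order, weights, threshold and severity bands are all assumptions.

```python
"""Toy version of the correlation pipeline described above: events -> steps ->
chained steps -> scored MalOp.  Added illustration only, not Cybereason's engine;
its rules are proprietary, so every field, weight and threshold here is assumed."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str
    name: str          # detection name reported by the integration
    tactic: str        # MITRE ATT&CK tactic (lower-case slug, assumed)
    technique: str     # MITRE ATT&CK technique / sub-technique ID
    performer: str     # identity that acted: user account or IP address
    victim: str        # identity acted upon: user, host or resource
    source: str        # reporting data source (integration)
    severity: int      # 1 low .. 4 critical (assumed scale)
    ts: int            # event time, epoch seconds
    mitigated: bool = False   # connected product already blocked/remediated it

# Assumed kill-chain order used for "sequences that match known attack patterns".
TACTIC_ORDER = ["initial-access", "persistence", "privilege-escalation",
                "credential-access", "lateral-movement", "impact", "defense-evasion"]

def build_steps(events):
    """A step is all events of one technique with the same main performer."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e.technique, e.performer)].append(e)
    steps = [sorted(b, key=lambda e: e.ts) for b in buckets.values()]
    return sorted(steps, key=lambda s: s[0].ts)

def identities(step):
    return {e.performer for e in step} | {e.victim for e in step}

def chain_steps(steps):
    """Union-find: steps sharing any identity (performer or victim) join one chain,
    so a victim of one step who later acts as performer links the two steps."""
    parent = list(range(len(steps)))
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for i in range(len(steps)):
        for j in range(i + 1, len(steps)):
            if identities(steps[i]) & identities(steps[j]):
                parent[find(i)] = find(j)
    chains = defaultdict(list)
    for i, step in enumerate(steps):
        chains[find(i)].append(step)
    return list(chains.values())

def score_chain(chain):
    """Score a chain on the criteria listed above (assumed weights)."""
    events = [e for step in chain for e in step]
    names = {e.name for e in events}
    sources = {e.source for e in events}
    targets = {e.victim for e in events}
    ranks = [TACTIC_ORDER.index(s[0].tactic) for s in chain if s[0].tactic in TACTIC_ORDER]
    in_sequence = len(ranks) >= 2 and ranks == sorted(ranks)
    noisy = len(events) >= 10 and len(names) == 1   # one rule firing over and over
    return (min(len(events), 10)                   # total events, capped
            + 2 * len(names)                       # variety of suspicious names
            + 2 * len(sources)                     # variety of data sources
            + min(len(targets), 5)                 # total targeted users/hosts
            + 2 * max(e.severity for e in events)  # event severity
            + (5 if in_sequence else 0)            # matches a known attack sequence
            - (8 if noisy else 0))                 # repeated detections: likely false positive

def build_malops(events, threshold=15):
    """Chains of two or more steps whose score meets the threshold become MalOps."""
    malops = []
    for chain in chain_steps(build_steps(events)):
        score = score_chain(chain)
        if len(chain) < 2 or score < threshold:
            continue
        evs = [e for step in chain for e in step]
        severity = "Critical" if score >= 30 else "High" if score >= 22 else "Medium"
        malops.append({"steps": [s[0].technique for s in chain], "total_events": len(evs),
                       "score": score, "severity": severity,
                       "status": "Auto-resolved" if all(e.mitigated for e in evs) else "New"})
    return malops

# Constructed sample data: six logins from one IP against six accounts, then one of those
# accounts destroys data, plus an unrelated phishing event that should not become a MalOp.
SAMPLE_EVENTS = [
    *[Event(f"e{i}", "Suspicious login", "initial-access", "T1078", "10.10.10.10",
            f"user{i}@corp.example", "okta", 2, 1000 + i) for i in range(6)],
    Event("e6", "Bucket objects deleted", "impact", "T1485", "user3@corp.example",
          "s3://finance-backups", "aws-cloudtrail", 4, 1500),
    Event("e7", "Phishing attachment", "initial-access", "T1566.001",
          "mailer@evil.example", "cfo@corp.example", "o365", 3, 2000),
]

if __name__ == "__main__":
    for malop in build_malops(SAMPLE_EVENTS):
        print(malop)
```

Running the block prints a single MalOp with two steps (T1078, then T1485) covering seven events: the six logins collapse into one step because they share the performing IP, and the data destruction joins the chain because user3 was a victim in the first step and the performer in the second. The lone phishing event shares no identity with either step, so it stays a single step and is never promoted to a MalOp.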
XDR MalOps are separate from the EDR MalOps (AI Hunting and Endpoint Protection) found on the MalOps management screen, and reference only data gathered from XDR integrations.
View and understand XDR MalOps
After the platform generates MalOps, review them to understand what is happening.
You view XDR MalOps in the XDR MalOps tab of the XDR screen. For each MalOp, the MalOp grid shows the following columns:
Column | Description
---|---
MalOp name | The name of the MalOp, generated from the suspicious events that triggered it. Select this value to open the XDR MalOp details screen.
Severity | The calculated severity of the MalOp, based on the contributing suspicious events and steps involved. For the possible values, see Suspicious Events Severity Scores.
MalOp ID | Unique identifier for the MalOp.
Creation time | Time the platform created the MalOp.
Last event in | Time of the most recent event associated with the MalOp.
First event in | Time of the first event associated with the MalOp.
MalOp steps | The sequence of unique threats that led to the creation of the XDR MalOp. Each step represents one unique threat. For example, if 15 suspicious events represent a phishing attempt, the Cybereason platform considers them one step in the overall attack story.
Total suspicious events | The number of suspicious events that contributed to this MalOp. Click the value to open the Suspicious events tab, filtered to only these events.
Description | Additional information about the MalOp, populated by the Cybereason platform, that may aid in remediation. For some XDR MalOps, this field is empty.
Status | The MalOp's position in the investigation and remediation process. Values include New and Auto-resolved, which the detection engine assigns as described above.
Recommended actions | The recommended response actions to take for the indicators in the different steps of the MalOp.
Response status | If you have enabled Response actions in selected integrations, the status of response actions for the different steps in the MalOp. The percentage is the share of response actions completed successfully. For example, if four response actions are available from Cybereason XDR and two have completed successfully, the percentage is 50%.
Search for and filter XDR MalOps
You can search for an XDR MalOp by name or MalOp ID. From the search bar, select MalOp name or MalOp ID from the drop-down menu, and start typing the name or ID. The search box automatically lists matching results.
You can filter the items in the MalOps list by creation time, investigation status, or severity. Click the filter icon to open or collapse the filter menu.
As you search or filter the XDR MalOps, the XDR MalOps screen updates the displayed MalOps accordingly.
Understand the MalOp summary and scope
When you first view the XDR MalOp details, you want to quickly gain an idea of the MalOp’s basic details, including what happened and the scope of the suspected attack.
In the XDR MalOp details, on the left side of the MalOp details, you can view the overview details about the MalOp, including the Summary tab and the Response tab.
In the Summary pane, you can view the basic MalOp details, including:
MalOp Summary: A text summary of the events that contributed to the MalOp, as well as MalOp metadata (MalOp ID, severity, status, etc.)
MalOp Scope: A list of affected assets (machines and users), the steps involved, and the data sources reporting the suspicious events
View the steps and events in the MalOp
Because each XDR MalOp is created from multiple suspicious events that are likely part of the same attack chain, the XDR MalOp details let you view the suspicious events associated with the MalOp.
You view the steps in the MalOp in the Overview tab.
You view the suspicious events for a MalOp in the Suspicious events tab of the XDR MalOp details. This tab contains the following parts:
Suspicious events list: The suspicious events associated with the selected step. These details are the same as those displayed in the Suspicious events screen.
Step selector: Once you have selected a step and have the details card open, use the step selector drop-down list to move between steps.
For details on how to analyze suspicious events, see Analyze Suspicious Events.
In addition, you can view the indicators of correlation between steps to better understand how steps in the MalOp are related:
The top correlation list shows those items that are related between steps, as well the number of occurrences of these items.
Analyze the indicators of behavior in the MalOp
In addition to understanding the scope and steps in a MalOp, you also should view the indicators of behavior associated with a MalOp. Analyzing these indicators will help you confirm whether the MalOp represents actual malicious behavior or a false positive.
In the XDR MalOp details, the indicators of behavior display in the Detected elements tab:
The Detected elements in the XDR MalOp include related indicators that are not physical assets in your organization. These elements may include:
Message
Attachment (File)
Links
Connection
Access (IP address)
For each detected element, you view relevant details that help you determine whether the indicator is malicious. The indicators displayed differ depending on the type of element:
Message
Attachments
Links
Connection
Login
The Detected elements tab displays up to 50 items per element type. If there are more than 50, the list shows the top 50 indicators, with unmitigated events (where no action has been taken) listed before events where an action was taken.
To see all indicators, view them per suspicious event in the Suspicious events tab, in the Additional details section of the event details.
If a field has a single value, such as the sender email address for a Message, the value is displayed. If a field holds a collection of values, such as the attachments of an email message, the total number of items is displayed.
You can filter the list by the MalOp step (just like in the Suspicious events tab) or by the action taken to help you address indicators where no action has been taken:
View potential response actions for the MalOp
To help resolve the MalOp, you will need to take response actions. You can perform these in your third-party integrated platforms or directly from Cybereason XDR (for supported actions in supported integrations).
In the XDR MalOp details, the recommended response actions are displayed in the Overview section, in the Response tab.
Follow the recommendations on the specific items or perform these actions from Cybereason XDR as needed. For details on how to perform XDR response, see Perform Response for XDR MalOps.
Add MalOp feedback
To help the Cybereason Security Research team, for any MalOp, you can provide feedback on the MalOp, including whether the MalOp is a legitimately malicious MalOp or a false positive, the accuracy of the events that were associated with the MalOp, and what types of behaviors in your organization are found in the MalOp.
The Cybereason Security Research team uses this feedback to further refine the out-of-the-box detection rules, to generate the most accurate and meaningful MalOps for real-life security needs.
XDR MalOp examples
The following examples describe how you might use the XDR MalOps, XDR MalOp details, and Suspicious events screens to investigate a potential attack.
Example 1: Cloud account takeover
This XDR MalOp shows a cloud account takeover. In the MalOp details, you can see the steps in the attack sequence:
Step 1: Additional Cloud Roles: A GCP user gains owner permissions on their account. This account manipulation allows the user to create additional users, as seen in step 2.
Step 2: Cloud Account: The user adds a new GCP account. This could be an attacker's attempt to maintain persistence in the system.
Step 3: Data Destruction: Using the new account, the attacker compromises GCP resources by destroying data.
Step 4: Clear Linux or Mac System Logs: The attacker attempts to evade detection by clearing the audit log.
In the Suspicious events tab, you can see the 5 suspicious events that contributed to this XDR MalOp. Notice that although there are 5 events, the MalOp contains only 4 steps. This is because the Cybereason platform recognizes that certain separate events (such as GCP new user gained new permissions and Owner permissions added to account) represent one action taken by the attacker. By hovering over a step in the details screen, you can see the specific suspicious events that contribute to the step.
Example 2: Business email compromise
This XDR MalOp details screen shows a Business Email Compromise XDR MalOp. From the Overview tab, you can determine that the following unique steps were taken:
Step 1: Spearphishing Attachment: The email account do_not_reply@capitol-supply.com attempts to gain initial access to a system by sending targeted emails to select company email accounts, including roberte@demo.loc.
Step 2: Valid Accounts: The user roberte reports finding suspicious login activity on their account.
In the Suspicious events tab of the MalOp details, you can see the 12 suspicious events that contributed to this XDR MalOp. The Cybereason platform identifies each phishing attempt as belonging to a single unique initial access attempt, and further recognizes that a victim in the first step subsequently reported suspicious login activity.
Example 3: Data manipulation
This XDR MalOp, detected by the XDR MalOp detection engine, shows a Data manipulation MalOp with malicious access to a network and misuse of an organization's data. In the Overview tab of the MalOp details, you can see the following steps in the MalOp:
Step 1: Valid accounts login: An attacker targeted 6 different user identities to gain access to the company's network through a Microsoft program. If you look at the Suspicious events tab for this MalOp, you will see 22 different events, all with the same IP address.
Note
Although this example does not show the IP address 10.10.10.10 for all events, if you hover over the xdrqa+1 value, the column also displays the IP address 10.10.10.10 in addition to the xdrqa value.
Step 2: Data manipulation: Following the access to the system, the MalOp detection engine found that the resttest101012 identity performed data destruction activities after it gained access in the previous step. Because the detection engine noticed the same user identity in both steps, the steps are connected in the same attack sequence. If you look at the Suspicious events tab for this step, you will see the IP address 10.10.10.10.