Hunt with the Attack Tree

To assist analysts with hunting and investigation activities, Cybereason provides an interactive Attack Tree. The Attack Tree is a hunting tool that displays a specific process chain of execution from start to finish. The functionality provides better insight into malicious behavior, and helps narrow down large data sets to focus on processes with security relevance.

Attack Tree overview

The following graphic shows a typical Attack Tree for a process.

Attack Tree Full

Analysts can use the Attack Tree to:

  • Understand what happened before and after a process was deemed malicious

  • Investigate what additional activity occurred in a suspicious execution chain

  • Quickly view all properties of every process in an execution chain

  • Gain contextual awareness for every process

Watch this video to learn how to use the Attack Tree.

Access the Attack Tree

You can access the Attack Tree for a process by clicking the attack tree icon Attack Tree Icon in the following areas of the Cybereason UI:

  • The Investigation screen results table

  • The left side of the Malop details screen Process profile portion

  • From the list of processes displayed when you click a process in the Malop details screen

Viewing options

To help you navigate the Attack Tree, choose a viewing option from the top right of the Attack Tree screen.

Attack Tree Views

Use the top two options to adjust the view of the tree within the UI:

  • Center selection: Adjust the view so the root process is in the center of the screen

  • Full screen: Toggle in and out of a full screen view

Use the lower three options to adjust the level of detail displayed in the tree:

  • Insight: Focuses on the Cybereason platform insights with regards to items in the specific execution tree. The Insight view displays the first process in the execution chain, all processes that Cybereason deemed suspicious or malicious, and their direct relatives (i.e. parent and child processes). Processes with the same name are grouped together for better viewing.

  • Aggregated: Provides a high-level view of the entire tree, including items displayed in the Insight view. Processes with the same name are grouped together for better viewing.

  • Full: Expands all processes that appear in the Aggregated view. Child processes remain collapsed for better viewing.

In all views, scroll to zoom in and out.

Elements of the Attack Tree

Attack Tree

Each bubble in the Attack Tree represents a process, or a group of processes with the same name. Each process displays connections to its direct relatives (i.e. parent and child processes).

The process for which you chose to view the tree is highlighted and the details of the process are displayed on the right. Suspicious processes are outlined in red and appear higher in the tree than other processes. Subsequent top-to-bottom ordering is alphabetical by process name.

The following graphic describes a process bubble in greater detail.

Attack Tree Process

Each process bubble contains:

  1. The name of the process.

  2. A plus or minus icon on the right of the process bubble to expand or collapse child process bubbles.

  3. A suspicions icon Suspicion Icon indicating if the process is connected to one or more suspicions, and a MalOp icon Malop icon if the process is associated with a MalOp.

  4. A number indicating how many processes are aggregated into that bubble.