Analyze MalOps and Determine Threat Level
When the Cybereason platform creates a MalOp, the MalOp represents a highly likely instance of malicious behavior. As a result, you want to fully analyze the processes, files, connections, machines, users, and other Elements associated with the MalOp to fully understand what is occurring in your environment.
This topic presents guidelines for investigating the details included with MalOps so you can better respond to the behaviors that present the biggest threat to your organization.
Investigate MalOp properties
To determine if a MalOp presents a threat to your organization, consider the properties listed in this section.
You can view information about a MalOp’s properties from:
The Malop details screen: Access the Malop details screen for a MalOp by clicking the MalOp on the Malops management screen.
The Investigation screen’s Element details pane: Search for the items associated with the unknown malware or access the Investigation screen straight from the MalOp’s Malop details screen. Click an item in the Investigation screen’s results grid to view the Element details pane.
Each MalOp type requires a different approach to investigation. See the Investigation column in the tables in the Malop Types and Components topic to learn which of the following properties to focus on based on MalOp type.
Files
Start by looking at the general properties associated with the files included in the MalOp:

| Investigation Area | Description |
|---|---|
| File Name and Attributes | Look at the file name and attributes. For .exe files, the Cybereason platform reports a number of important details. Suspicious data for any of these indicators shows a possibly malicious file worth investigating further. |
| Suspicions and evidence | Did the Cybereason platform associate any evidence or suspicions with this file? |
| Signature | Is the file signed, and by whom? Anomalies in the signature can often be a sign of potentially malicious behavior. |
| File location | Is the file in a suspicious folder, such as the /temp, AppData, or ProgramData folders? A file that runs from locations such as these is a suspicious indicator. |
| Reputation | What is the file's reputation? Based on the file's reputation, you may want to look further. |
The file details in the following image from the Element Details screen point to malicious activity because the file is unsigned and running from the temp folder.
Network
Every MalOp includes relevant network information in the Communication tab of the MalOp. Investigate these properties to see potentially malicious behavior on the network.
When analyzing the network properties, ask yourself questions such as:
| Investigation Area | Description |
|---|---|
| Network connections | Ask questions about the communication and connections. If you find unexpected answers to these questions, investigate such connections further. |
| Listening connections | Is there a listening connection or port on a process? |
| DNS requests | Investigate both resolved and unresolved DNS requests. Determine whether the behavior of these requests is expected. |
| Processes | What processes are performing the connections? Should they be? |
For example, the details in the following image suggest suspicious activity because a machine is connecting to port 4444, which is the default port for Metasploit's Meterpreter. In addition, we see these two machines transferring data.
Module
For each MalOp, investigate the modules included with the processes running as part of the MalOp. The MalOp details report the loaded modules associated with the malicious process. However, to view details about the modules, you must use the Investigation screen, either through the MalOp details or independently.
When analyzing modules, ask yourself questions such as:
| Investigation Area | Description |
|---|---|
| Module properties | What are the properties of the module or modules? Your Cybereason platform reports a number of details. Scan these properties to check whether the properties list contains suspicious indicators. |
| Floating modules | Is the module floating? If the answer is Yes, check the protection details for mismatches. |
| Processes | What processes are using these modules? Should they be using them? |
| Intelligence | Is this a known module when you search for it on the internet? |
In general, the more common the module, the less likely it is to be malicious.
Process
For each MalOp, the Cybereason platform collects a variety of information about the processes involved in the associated activities. The Malop Inbox reports the process details in the Processes tab of the MalOp details.
When analyzing the process properties, ask questions such as:
| Investigation Area | Description |
|---|---|
| Process details | Scan the collected process details. |
| Suspicions and evidence | What suspicions and evidence are associated with the process? |
| Process type | What type of process is it: an OS process, or a third-party process? It is also a good idea to look at the product type for the process. |
| Command line | What is the command line returned for the process? Many malicious behaviors originate from command line arguments, so be sure to check these closely. |
| Process behaviors | Does the process create other ways to persist itself, such as registry entries, scheduled tasks, services, or child processes? Does this process have a suspicious parent process? Is it an injected process? |
In addition, for all processes, you can view the Attack Tree to see how the process fits with other processes in your environments. For details on the Attack Tree, see Hunt with the Attack Tree.
The process details in the following image point to suspicious activity because, while the process claims to be from Microsoft, it is not signed by Microsoft. Additionally, the process is running from a temp folder and has an unknown reputation.
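The file, network, and process questions above are the kind of checks an analyst repeats for every MalOp, so here is an added example (not Cybereason code) that applies them to constructed process records. The record layout, the field names, the sample values, and the list of parents that rarely launch executables are all assumptions for illustration; the suspicious folders and port 4444 come from this page.

```python
"""Added example (not Cybereason code): apply this page's investigation
questions to constructed MalOp element records. Field names and sample
values are assumptions for illustration, not the platform's data model."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Folders the page names as suspicious execution locations (lower-case, backslash form).
SUSPICIOUS_FOLDERS = ("\\temp\\", "\\tmp\\", "\\appdata\\", "\\programdata\\")
# Port 4444 is named on the page as the default Metasploit Meterpreter port.
SUSPICIOUS_PORTS = {4444}
# Assumed examples of parent processes that should rarely launch new executables.
UNUSUAL_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


@dataclass
class ProcessRecord:
    """Constructed view of one process in a MalOp (assumed fields)."""
    name: str
    image_path: str
    signer: str                 # "" when the file is unsigned
    claimed_vendor: str         # vendor named in the file's version info
    reputation: str             # "known good", "unknown" or "malicious"
    parent_name: str
    injected: bool = False
    persistence: List[str] = field(default_factory=list)      # e.g. "registry run key"
    connections: List[Tuple[str, int, int]] = field(default_factory=list)  # (ip, port, bytes_out)
    listening_ports: List[int] = field(default_factory=list)
    unresolved_dns: List[str] = field(default_factory=list)


def check_file(p: ProcessRecord) -> List[str]:
    """Signature, location and reputation questions from the Files table."""
    findings = []
    if not p.signer:
        findings.append("file is unsigned")
    if p.claimed_vendor and p.claimed_vendor.lower() not in p.signer.lower():
        findings.append(f"file claims vendor '{p.claimed_vendor}' but is not signed by it")
    path = p.image_path.lower().replace("/", "\\")
    if any(folder in path for folder in SUSPICIOUS_FOLDERS):
        findings.append(f"file runs from a suspicious folder: {p.image_path}")
    if p.reputation.lower() != "known good":
        findings.append(f"file reputation is '{p.reputation}'")
    return findings


def check_network(p: ProcessRecord) -> List[str]:
    """Connection, listening-port and DNS questions from the Network table."""
    findings = []
    for ip, port, bytes_out in p.connections:
        if port in SUSPICIOUS_PORTS:
            findings.append(f"connection to {ip}:{port} (default Meterpreter port)")
            if bytes_out > 0:
                findings.append(f"{bytes_out} bytes sent to {ip}:{port}")
    for port in p.listening_ports:
        findings.append(f"process is listening on port {port}")
    for name in p.unresolved_dns:
        findings.append(f"unresolved DNS request for {name}")
    return findings


def check_process(p: ProcessRecord) -> List[str]:
    """Persistence, parent-process and injection questions from the Process table."""
    findings = []
    for mechanism in p.persistence:
        findings.append(f"process persists via {mechanism}")
    if p.parent_name.lower() in UNUSUAL_PARENTS:
        findings.append(f"unusual parent process: {p.parent_name}")
    if p.injected:
        findings.append("process is injected")
    return findings


def triage(p: ProcessRecord) -> Dict[str, List[str]]:
    """Collect findings per investigation area; an empty dict means nothing suspicious."""
    areas = {"file": check_file(p), "network": check_network(p), "process": check_process(p)}
    return {area: found for area, found in areas.items() if found}


# Constructed samples: one record mirrors the page's figures (an unsigned "Microsoft" binary
# in Temp talking to port 4444); the other is a benign system process.
SUSPECT = ProcessRecord(
    name="svchost.exe",
    image_path="C:\\Users\\alice\\AppData\\Local\\Temp\\svchost.exe",
    signer="", claimed_vendor="Microsoft", reputation="unknown",
    parent_name="WINWORD.EXE",
    persistence=["registry run key"],
    connections=[("203.0.113.10", 4444, 1_500_000)],
)
BENIGN = ProcessRecord(
    name="svchost.exe",
    image_path="C:\\Windows\\System32\\svchost.exe",
    signer="Microsoft Windows", claimed_vendor="Microsoft", reputation="known good",
    parent_name="services.exe",
    connections=[("203.0.113.20", 443, 4096)],
)

if __name__ == "__main__":
    for label, record in (("suspect", SUSPECT), ("benign", BENIGN)):
        result = triage(record)
        print(f"{label}: {sum(len(v) for v in result.values())} suspicious indicator(s)")
        for area, findings in result.items():
            for finding in findings:
                print(f"  [{area}] {finding}")
```

Each check mirrors one row of the tables above, so a finding can be traced back to the question it answers. The suspect record produces eight findings across all three areas, while the benign system process produces none; how many suspicious properties accumulate is exactly what the threat-level decision at the end of this topic turns on.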
Analyze the Auto response status
For Endpoint Protection MalOps generated by Cybereason’s EPP features, look at the Malops management screen’s Auto response column. The Auto response column provides information on how Cybereason’s NGAV feature has responded to the incident, and helps you decide how to respond to it. The following table includes status descriptions, which types of malware are associated with each status, and suggested actions to take.
| Malware status | Description | Malware types | Suggested actions to take |
|---|---|---|---|
| Disinfected | Malware was detected and the malicious file was disinfected. In cases where it was not possible to disinfect the file, the file is removed from the machine. Note: in this case, the file is not quarantined; it is completely removed from the machine. | Known | No additional action is required. |
| Failed to disinfect | Malware was detected and prevented, but Anti-Malware could not disinfect or remove the file. | Known | Access the machine and remove the malware. |
| Detected | Malware was detected but no action was taken to prevent it. | Unknown, Fileless | Investigate the malware to determine if it is indeed malicious. If it is, access the machine and remove the malware. |
| Prevented | Malware was detected and prevented. | Known, Unknown, Fileless | No additional action is required. |
| Done | A user (analyst) has marked the malware as done. | All types | No additional action is required. |
| Excluded | A user (analyst) has marked the malware as excluded. The malware is ignored by Anti-Malware on all endpoints. | All types | No additional action is required. |
| Deleting on restart | Malware was detected and prevented. It will be removed upon restart. | Known | No immediate action is required. Follow this MalOp to ensure the status becomes 'Disinfected' after restart, indicating that the malware was indeed removed. |
| Quarantined | Malware was detected and the malicious file was quarantined. Malware MalOps marked with the 'Quarantined' Auto response label indicate that the Cybereason platform has moved the malicious file to a different location to prevent it from executing. Quarantined files are placed in a designated quarantine folder. Cybereason deletes quarantined files after 30 days. The cleanup is scheduled to run daily (every 24 hours) and on sensor startup. Note: the Quarantined status is relevant only for malware triggered by Artificial Intelligence analysis and behavioral document protection. | Unknown | No additional action is required. |
Determine the threat level
After you investigate your MalOp, you need to consider all the answers together to determine if the behavior is malicious and requires further remediation.
When deciding how, or in what order, to address MalOps you have deemed a threat to your organization, consider:
The significance of the machines involved in the suspicious activities. Address the machines that are more vital to your organization first.
The significance of the behavior. Severe activities should be addressed before other, less severe activities.
The significance of the users involved. Certain users may be more compromised than others. For example, suspicious activity on a CEO's computer or on a machine with sensitive material is important to address immediately.
If you found several suspicious behaviors, it is likely you are dealing with an attack. If only one property is suspicious, the behavior may be benign.
Based on your answers to these questions, you may need to escalate MalOps, remediate potential threats, or exclude benign behaviors. See Manage the MalOp Workflow, Remediate MalOps, and Manage False Positives for more information.
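As an added example (not Cybereason code), the following script turns the prioritization factors and the "several suspicious properties versus one" rule above into a repeatable ordering for a queue of investigated MalOps. The MalOp summaries, the ordinal scales for machine, behavior, and user significance, and the choice to combine the three factors by adding them are all assumptions for illustration; the page itself only lists the factors to consider.

```python
"""Added example (not Cybereason code): rank MalOps judged to be threats using the
prioritization factors on this page. Records, scales and labels are assumptions."""
from dataclasses import dataclass
from typing import List, Tuple

# Assumed ordinal scales; higher means more significant to the organization.
MACHINE_CRITICALITY = {"workstation": 1, "server": 2, "domain controller": 3}
SEVERITY = {"low": 1, "medium": 2, "high": 3}
USER_SENSITIVITY = {"standard": 1, "privileged": 2, "executive": 3}


@dataclass
class MalOpSummary:
    """Constructed summary of one investigated MalOp (assumed fields)."""
    malop_id: str
    machine_role: str
    severity: str
    user_role: str
    suspicious_properties: int   # properties found suspicious during the investigation


def verdict(m: MalOpSummary) -> str:
    """Page rule: several suspicious properties point to an attack; only one may be benign."""
    if m.suspicious_properties == 0:
        return "no indicators"
    if m.suspicious_properties == 1:
        return "possibly benign; verify before excluding"
    return "likely attack; remediate"


def priority_key(m: MalOpSummary) -> Tuple[int, int]:
    """Combined significance of machine, behavior and user (assumed additive weighting),
    with the number of suspicious properties as the tie-breaker."""
    score = (MACHINE_CRITICALITY[m.machine_role]
             + SEVERITY[m.severity]
             + USER_SENSITIVITY[m.user_role])
    return (score, m.suspicious_properties)


def prioritize(malops: List[MalOpSummary]) -> List[MalOpSummary]:
    """Return only the MalOps that look like attacks, most urgent first."""
    threats = [m for m in malops if m.suspicious_properties >= 2]
    return sorted(threats, key=priority_key, reverse=True)


# Constructed queue: a CEO workstation, a domain controller, a lightly flagged server,
# a heavily flagged server and a clean workstation.
QUEUE = [
    MalOpSummary("MALOP-A", "workstation", "high", "executive", 5),
    MalOpSummary("MALOP-B", "domain controller", "medium", "privileged", 3),
    MalOpSummary("MALOP-C", "server", "low", "standard", 1),
    MalOpSummary("MALOP-D", "server", "high", "standard", 2),
    MalOpSummary("MALOP-E", "workstation", "low", "standard", 0),
]

if __name__ == "__main__":
    for m in QUEUE:
        print(f"{m.malop_id}: {verdict(m)}")
    print("work order:", [m.malop_id for m in prioritize(QUEUE)])
```

With these samples the CEO workstation and the domain controller score equally on the three significance factors, so the higher count of suspicious properties on the workstation places it first; the server with a single suspicious property is held back for verification rather than remediation, as the page advises.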