Separating the Signal from the Noise

Time is money.
Analysts have precious little of it.

Both people and machines are taxed to their limits ingesting huge volumes of data. For many enterprises the mean time to detect an attack lingers between two days and a week.* Learn how analysts can save time by leveraging McAfee Security Operations solutions to focus on what matters most and make the best use of automation, human-machine teaming, and other advanced analytics.

*2016 SANS Incident Response Survey

Introduction

Storyline

An alarm is triggered, indicating that the behavior of Joshua Newman, a trusted employee, has exceeded normal thresholds. Investigation will reveal that the employee executed a suspicious file, which turns out to be zero-day malware, on the network, resulting in large amounts of data being accessed and sent to suspicious external IP addresses.

Instructions

As a security analyst, you must review the given information and decide how to investigate and respond to the incident. You must do so quickly as the clock is ticking. Test your skills to see if you can select the best signals for investigation.

Security analysts deal with multiple security alerts that may challenge them to determine what needs to be attended to first, making it difficult to identify a real threat. The following is a dashboard that a typical analyst may find at the start of the day, using McAfee’s SIEM solution, the McAfee Enterprise Security Manager.

Decision point:

You received an alert concerning an elevated user risk score. What would be the suggested starting point for further investigation within the McAfee Enterprise Security Manager dashboard?

  • A. Device Type Summary
  • B. Average Event Severity
  • C. Event Distribution
  • D. Event Source Users
  • E. Advanced Search

The correct response is B.

The Average Event Severity window tells you what events to prioritize given the assigned risk scores. This helps you save time and focus on the most pressing events.

You pivot into McAfee Behavioral Analytics, a user and entity behavior analytics solution, to gain insight into user behavior. You see the top five riskiest users in the network and identify one of them, Joshua Newman, as the source of this alert. While insider threats can be a blind spot for existing security programs, McAfee Behavioral Analytics detects insider behavior, threats, and attacks and presents them visually.

Decision point:

What is the suggested action to take next?

  • A. Investigate the activities that increased Joshua’s risk score
  • B. Investigate the 4 other riskiest users to see if they were connected with this incident

The correct answer is A.

This will identify the unusual activities responsible for raising Joshua’s risk score and contextual events to further the investigation.

The user risk score for Joshua increased significantly during the last two days.

Joshua worked unusual hours and transferred large amounts of data to an external URL. These activities may indicate data exfiltration.
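The two signals named above, activity outside the user's normal hours and an unusual volume of data leaving for a destination the user never contacted before, are exactly what a behavioral baseline scores. The following is an added example written for this exercise, not McAfee Behavioral Analytics code: it builds a per-user baseline from the first few days of a constructed egress-proxy log, scores the following days against it, and ranks the users. The log lines, user names, hostnames, work-hours window, thresholds and weights are all assumptions made for illustration.

```python
"""Toy behavioural baseline of the kind a UEBA product scores on.

Added example for this exercise, not McAfee Behavioral Analytics code.
The proxy log, user names, hostnames, thresholds and weights are all
constructed for illustration; a real product uses far richer models.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress-proxy log: "<ISO timestamp>,<user>,<destination host>,<bytes out>".
PROXY_LOG = """\
2017-03-01T09:12:00,jnewman,sharepoint.corp.example,120000
2017-03-01T14:03:00,jnewman,mail.corp.example,80000
2017-03-02T10:30:00,jnewman,sharepoint.corp.example,95000
2017-03-02T16:45:00,jnewman,mail.corp.example,70000
2017-03-03T11:05:00,jnewman,sharepoint.corp.example,110000
2017-03-04T02:40:00,jnewman,files-drop.example.net,2400000000
2017-03-04T03:15:00,jnewman,files-drop.example.net,1900000000
2017-03-05T01:55:00,jnewman,files-drop.example.net,3100000000
2017-03-01T09:00:00,asmith,sharepoint.corp.example,100000
2017-03-02T09:30:00,asmith,sharepoint.corp.example,130000
2017-03-03T10:00:00,asmith,mail.corp.example,90000
2017-03-04T10:15:00,asmith,sharepoint.corp.example,120000
2017-03-05T11:00:00,asmith,mail.corp.example,110000
"""

INTERNAL_SUFFIX = ".corp.example"  # assumption: any other destination is external
WORK_HOURS = range(7, 20)          # assumption: 07:00-19:59 is the user's normal window
BASELINE_DAYS = 3                  # the user's first N days of activity form the baseline
WEIGHTS = {"off_hours": 30, "volume": 50, "new_external": 20}  # constructed weights


def parse_log(text):
    """Return (timestamp, user, destination, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        ts, user, dest, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, dest, int(nbytes)))
    return rows


def score_users(rows):
    """Score each user's recent days against that user's own baseline.

    Returns {user: (score, [reasons])}. Peer-group and organisation-wide
    baselines, which the product also compares against, are left out here.
    """
    per_user = defaultdict(list)
    for row in sorted(rows):
        per_user[row[1]].append(row)

    scores = {}
    for user, events in per_user.items():
        days = sorted({ts.date() for ts, _, _, _ in events})
        base_days = set(days[:BASELINE_DAYS])
        baseline = [e for e in events if e[0].date() in base_days]
        recent = [e for e in events if e[0].date() not in base_days]

        daily_out = defaultdict(int)
        for ts, _, _, nbytes in baseline:
            daily_out[ts.date()] += nbytes
        typical_daily = median(daily_out.values()) if daily_out else 0
        known_dests = {dest for _, _, dest, _ in baseline}

        score, reasons = 0, []
        off_hours = [e for e in recent if e[0].hour not in WORK_HOURS]
        if off_hours:
            score += WEIGHTS["off_hours"]
            reasons.append(f"{len(off_hours)} events outside normal hours")

        external = [e for e in recent if not e[2].endswith(INTERNAL_SUFFIX)]
        ext_bytes = sum(e[3] for e in external)
        if typical_daily and ext_bytes > 10 * typical_daily:
            score += WEIGHTS["volume"]
            reasons.append(f"{ext_bytes} bytes to external hosts vs ~{typical_daily}/day baseline")

        new_ext = {e[2] for e in external} - known_dests
        if new_ext:
            score += WEIGHTS["new_external"]
            reasons.append("new external destination(s): " + ", ".join(sorted(new_ext)))

        scores[user] = (score, reasons)
    return scores


def riskiest(scores, n=5):
    """The 'top five riskiest users' view: highest score first."""
    return sorted(scores.items(), key=lambda kv: kv[1][0], reverse=True)[:n]


if __name__ == "__main__":
    for user, (score, reasons) in riskiest(score_users(parse_log(PROXY_LOG))):
        print(f"{user:10} risk={score:3}  " + "; ".join(reasons))
```

Run as-is it ranks jnewman at the top with all three reasons attached, while asmith, whose recent days look like the baseline, scores zero. The point is that the score is relative to the user's own history: the same three 2 GB uploads would not stand out for an account whose baseline already includes nightly off-site backups.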


Decision point

You are responding to the incident. What are the two suggested actions to take next?

  • A. Shut down all workstations in the corporate network
  • B. Identify the presence of lateral movement and if any malware file was implanted into protected network assets
  • C. Change inbound firewall rules to shut off all external access into the corporate network
  • D. Add a correlation rule that triggers when Joshua disconnects from the network
  • E. Identify the initial attack vector and malware processes that might be implanted in Joshua’s device

The correct answers are B and E.

These actions provide context for the investigation including the extent of the threat within the organization’s network and vulnerabilities that need to be fixed.

You pivot back to McAfee Enterprise Security Manager and right-click on Joshua's name to summarize all of the contextual events related to this incident. You see a detected malware event and a file with the tempting title Corporate Payroll SENSITIVE. In reality, that file is a zero-day threat carrying a weaponized payload.

Decision point

Continuing the investigation, what are the two suggested actions to take next?

  • A. Identify the results of the latest vulnerability scan on Joshua’s workstation
  • B. Identify when the corporate IDS/IPS signatures were last updated
  • C. Identify the processes in Joshua’s workstation that created the communication sockets to the external world
  • D. Investigate the logon/logoff activities associated with Joshua’s credentials that occurred before and after the incident was detected
  • E. Identify when Joshua’s domain password was last changed

The correct answers are C and D.

These actions provide further context for the investigation: which processes opened the communication sockets used during the attack, and whether Joshua's logon/logoff activity was abnormal.
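What answers C and D look like in practice, as an added example for this exercise (not McAfee code): the first function attaches the owning process to every established connection that leaves the corporate address ranges and marks the ones that hit a known-bad indicator; the second walks the account's Windows logon events and flags logons outside normal hours and remote logons from the workstation to other hosts, the classic sign of lateral movement. The netstat output, process table, indicator list, hostnames, IP addresses, logon events and the work-hours window are all constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real external addresses.

```python
"""Which processes opened sockets to the outside world, and was the
logon/logoff trail for Joshua's credentials normal?

Added example, not McAfee code. The netstat output, process table,
indicator list, hostnames, IP addresses and Windows logon events are all
constructed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
"""
import ipaddress
from datetime import datetime

# Constructed "netstat -ano" output captured on Joshua's workstation (10.1.20.55).
NETSTAT = """\
  TCP    10.1.20.55:49712   10.1.5.10:445      ESTABLISHED   4
  TCP    10.1.20.55:49801   203.0.113.77:443   ESTABLISHED   5124
  TCP    10.1.20.55:49802   203.0.113.77:8443  ESTABLISHED   5124
  TCP    10.1.20.55:49810   10.1.5.20:389      ESTABLISHED   612
  TCP    10.1.20.55:49822   198.51.100.9:80    ESTABLISHED   2288
  TCP    0.0.0.0:135        0.0.0.0:0          LISTENING     908
"""
# Constructed process table (PID -> image name), e.g. from "tasklist".
PROCESSES = {4: "System", 612: "lsass.exe", 908: "svchost.exe",
             2288: "chrome.exe",
             5124: "svchst.exe"}  # look-alike name, assumed dropped by the payload

# Constructed indicator list: the "malicious IP addresses" the guided investigation surfaced.
BAD_IPS = {"203.0.113.77"}

# Assumption: the corporate address space; anything else is "the external world".
# Deliberately not using ipaddress.is_private/is_global: the stdlib classifies the
# documentation ranges used above as non-global, which would hide them here.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

WORK_HOURS = range(7, 20)  # assumption: Joshua's normal logon window
OWN_HOST = "WS-JNEWMAN"

# Constructed Security-log entries for Joshua's account:
# (time, event id, logon type, source workstation, target host).
# 4624 = successful logon, 4634 = logoff; type 2 interactive, 3 network, 10 RemoteInteractive.
LOGON_EVENTS = [
    ("2017-03-03T08:55:00", 4624, 2, OWN_HOST, OWN_HOST),
    ("2017-03-03T17:40:00", 4634, 2, OWN_HOST, OWN_HOST),
    ("2017-03-04T02:31:00", 4624, 2, OWN_HOST, OWN_HOST),
    ("2017-03-04T02:36:00", 4624, 3, OWN_HOST, "FS-FINANCE01"),
    ("2017-03-04T02:50:00", 4624, 10, OWN_HOST, "SRV-HR02"),
    ("2017-03-04T03:20:00", 4634, 10, OWN_HOST, "SRV-HR02"),
]


def parse_netstat(text):
    """Return established TCP connections as {pid, remote_ip, remote_port}."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "ESTABLISHED":
            continue  # skips listeners and the four-column UDP rows of real output
        _proto, _local, remote, _state, pid = parts
        rip, rport = remote.rsplit(":", 1)
        conns.append({"pid": int(pid), "remote_ip": rip, "remote_port": int(rport)})
    return conns


def external_connections(conns, processes, bad_ips):
    """Attach the owning process to each connection that leaves the corporate ranges."""
    found = []
    for c in conns:
        ip = ipaddress.ip_address(c["remote_ip"])
        if any(ip in net for net in INTERNAL_NETS):
            continue
        found.append({**c, "process": processes.get(c["pid"], "<unknown>"),
                      "known_bad": c["remote_ip"] in bad_ips})
    return found


def suspicious_logons(events, own_host=OWN_HOST):
    """Flag logons outside normal hours and remote logons from this host to others."""
    findings = []
    for ts, event_id, logon_type, source, target in events:
        if event_id != 4624:
            continue  # logoffs only matter for session duration; not scored here
        reasons = []
        if datetime.fromisoformat(ts).hour not in WORK_HOURS:
            reasons.append("logon outside normal hours")
        if logon_type in (3, 10) and source == own_host and target != own_host:
            reasons.append(f"type {logon_type} logon to {target}: candidate lateral movement")
        if reasons:
            findings.append((ts, target, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for c in external_connections(parse_netstat(NETSTAT), PROCESSES, BAD_IPS):
        flag = "KNOWN BAD" if c["known_bad"] else "external"
        print(f"pid {c['pid']:5} {c['process']:12} -> {c['remote_ip']}:{c['remote_port']}  [{flag}]")
    for ts, target, why in suspicious_logons(LOGON_EVENTS):
        print(f"{ts} {target:12} {why}")
```

Note that the browser's connection to 198.51.100.9 is reported as external but not known-bad; the analyst still sees it, because an indicator list is only as good as its last update. The two 02:00 logons to the file and HR servers are what answer B in the previous decision point asked for: evidence of lateral movement beyond Joshua's own workstation.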

To quickly gather evidence, you pivot to McAfee's guided investigation capabilities. You are shown specific questions to investigate, based on the evidence already known, together with answers to those questions so you can work more quickly. There, you discover that Joshua's workstation has been communicating with malicious IP addresses. You also see the processes running on his workstation.

Decision point

To efficiently handle the incident, what is the suggested action to take next?

  • A. Block all inbound and outbound communications with the external domains associated with this incident
  • B. Identify the file hash of the zero-day threat implanted on Joshua's workstation for backtracking
  • C. Add Joshua to the watchlist for further monitoring
  • D. All of the above

The correct answer is D.

By blocking inbound and outbound communications with the external domains associated with the incident, you prevent future attacks from a domain with a known bad reputation. By identifying the file hash of the zero-day threat, you can use the backtracking feature in the Enterprise Security Manager to tell you whether any other workstations in your network have been exposed to the same threat. Finally, by adding Joshua to the watchlist, you make it easier to monitor suspicious activity from Joshua in the future.

As a part of your response efforts, you launch a set of corrective actions:

  • Quarantine the workstations associated with this incident
  • Temporarily block network traffic to/from those workstations until remediation efforts are complete
  • Perform an aggressive anti-malware scan on the workstations associated with this incident


In this incident investigation and response exercise, you used McAfee Enterprise Security Manager to oversee the events impacting your organization and then quickly homed in on the events with the highest severity. Since the highest-severity event concerned a user who had exceeded his risk threshold, you pivoted into McAfee Behavioral Analytics to compare his behavior against his own past, his peer group, and the organization. You confirmed that his behavior had changed drastically over the past two days and that his activities suggested data exfiltration. Within the McAfee Enterprise Security Manager console, you summarized the contextual events related to the incident and confirmed that the user's workstation was hit with zero-day malware. With McAfee's guided investigation capabilities, you leveraged human-machine teaming to identify the suspicious activities connected to the infected workstation and took corrective actions to respond to the incident.


Additional resources for download:

Learn about McAfee Behavioral Analytics data source and use case coverage:

Behavioral Analytics White Paper

Read "Disrupting the Disruptors, Art or Science?", a study conducted by McAfee that examines organizations' threat hunting capabilities:

Security Operations Report

Learn how MGM Resorts International slashed time to protect, detect, and remediate:

Customer Case Study

*McAfee technologies' features and benefits depend on system configuration and may require enabled hardware, software or service activation. Demos document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. Cost and time reduction scenarios described are intended as examples of how a given McAfee product, in the specified circumstances and configurations, may affect future costs and provide cost and time savings. Circumstances and results will vary. McAfee does not guarantee any cost or cost reduction. No computer system can be absolutely secure.


Copyright © McAfee, LLC