
General Documents

Detect, Analyze, and Action on Malicious Process Detected by EDR

Abstract


Category: Configuration Management Database (CMDB), Endpoint, Data Enrichment and Threat Intelligence

Cyware Products Used:

  • Respond

  • Orchestrate

  • Intel Exchange

  • Cyware Email Services

Third-Party Integrations Used:

  • Active Directory: To retrieve user and asset information for the organization.

  • VirusTotal: To enrich identified malicious indicators.

  • Tanium EDR: To detect malicious endpoint activity and stop it.

Problem Statement

Endpoint detection and response (EDR) tools detect known malicious activity. After a threat is detected, organizations need a solution that provides visibility, investigation, and remediation capabilities on endpoints to prevent the threat from spreading.

Solution

Organizations need a solution that can automatically use EDR detections to confirm the malicious nature of a threat and take the necessary actions to stop it from spreading within the organization. This document explains the procedure to automatically detect, analyze, and respond to threats detected by EDR solutions.

[Figure: Detect, Analyze, and Action on Malicious Process Detected by EDR (workflow diagram)]

How do we solve this problem?

The solution starts by querying the Tanium EDR solution for malicious process detection alerts. You can also use your preferred EDR tool for this solution. See Endpoint integrations.

  1. Create an Incident in CFTR: The malicious process detected in Tanium is onboarded to Respond as an incident along with the detection details.

  2. User and Asset Correlation: The playbook looks up the affected user and the affected endpoint to retrieve the following information.

    1. Affected User Details: The affected user details are sent to Active Directory to find more details about the user and the supervisor.

    2. Affected Endpoint Details: The playbook searches for the affected endpoint in the Respond asset module to find more details about the endpoint.

  3. Hash Enrichment: The malicious hash details retrieved from Tanium EDR are sent to Intel Exchange and the VirusTotal application for enrichment. Intel Exchange provides external and internal enrichment details for the hash along with a confidence score. VirusTotal enrichment provides additional information about the malicious nature of the identified hashes.

  4. Inform Asset Owner: The playbook then sends an email notification to the affected endpoint owner stating that malicious activity was detected and asking the owner for acknowledgment.

  5. Update Respond Incident: The affected user details and asset details are added to the Respond incident, and the incident is made ready for investigation.

  6. Remediation: The playbook creates two different actions in CFTR for remediation of the threat.

    1. Quarantine the Asset: A new action is created in Respond to quarantine the affected asset. The action sends a request to Tanium EDR to quarantine the asset.

    2. Investigate the Threat: A new action is created to investigate the malicious process. Based on the enrichment details retrieved from Intel Exchange and VirusTotal, the action sends a request to Tanium EDR to stop the malicious activity.

  7. Learnings and Closure: The playbook then updates the remediation actions with the details and records the learnings for the incident.
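The seven steps above, modelled as decision logic in an added example that is not Cyware's or Tanium's code: every external system (Tanium alert, Active Directory, the Respond asset module, Intel Exchange, VirusTotal) is replaced by a constructed in-memory lookup, and the field names and the numeric thresholds used to decide whether the investigate action requests a process stop are assumptions, since the page gives none.

```python
from dataclasses import dataclass, field

# Constructed sample data standing in for the external systems (assumed field names).
TANIUM_ALERT = {"host": "WS-0042", "user": "jdoe", "process": "updater.exe",
                "sha256": "constructed-hash-1"}
ACTIVE_DIRECTORY = {"jdoe": {"name": "Jane Doe", "email": "jdoe@example.com",
                             "supervisor": "mroe@example.com"}}
ASSET_MODULE = {"WS-0042": {"owner": "jdoe@example.com", "criticality": "high"}}
INTEL_EXCHANGE = {"constructed-hash-1": {"confidence": 85, "sources": ["external", "internal"]}}
VIRUSTOTAL = {"constructed-hash-1": {"malicious": 41, "total": 70}}

CONFIDENCE_THRESHOLD = 70    # assumption: minimum Intel Exchange confidence score
VT_RATIO_THRESHOLD = 0.5     # assumption: minimum share of VirusTotal engines flagging the hash


@dataclass
class Incident:
    title: str
    details: dict
    actions: list = field(default_factory=list)
    learnings: list = field(default_factory=list)


def run_playbook(alert, ad=ACTIVE_DIRECTORY, assets=ASSET_MODULE,
                 intel=INTEL_EXCHANGE, vt=VIRUSTOTAL):
    # 1. Create the Respond incident from the EDR detection details.
    inc = Incident(f"Malicious process {alert['process']} on {alert['host']}", dict(alert))
    # 2. Correlate the affected user (Active Directory) and endpoint (asset module).
    user = ad.get(alert["user"], {})
    asset = assets.get(alert["host"], {})
    inc.details.update(user=user, asset=asset)
    # 3. Enrich the hash from both sources; an unknown hash yields no evidence.
    ix = intel.get(alert["sha256"], {"confidence": 0})
    v = vt.get(alert["sha256"], {"malicious": 0, "total": 0})
    ratio = v["malicious"] / v["total"] if v["total"] else 0.0
    inc.details.update(intel_confidence=ix["confidence"], vt_ratio=round(ratio, 2))
    # 4. Inform the asset owner (recorded here; a real playbook sends the email).
    inc.details["owner_notified"] = asset.get("owner") or user.get("email")
    # 5. User and asset details are now on the incident; 6. create the two actions.
    inc.actions.append({"type": "quarantine_asset", "target": alert["host"]})
    confirmed = ix["confidence"] >= CONFIDENCE_THRESHOLD or ratio >= VT_RATIO_THRESHOLD
    inc.actions.append({"type": "investigate_threat", "target": alert["process"],
                        "stop_process": confirmed})
    # 7. Record learnings for closure.
    inc.learnings.append(f"hash confirmed malicious by enrichment: {confirmed}")
    return inc
```

Run `run_playbook(TANIUM_ALERT)` to see the incident; a hash unknown to both sources still gets the quarantine action but no stop request, which is the case an analyst should review.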

Optional Configurations

You can also configure Collaborate to send notifications to security teams about the malicious process and applicable remediation actions.

Benefits

Reduces Analyst Workload

The solution allows security teams to automate the detection and remediation of commonly identified malicious activities, freeing up analyst time and reducing SOC workload.

Proactive Threat Hunting

The solution provides end-to-end visibility into user and asset details and allows security teams to detect suspicious behavior, provide contextual information, and block malicious activities.

Complete Response and Remediation

The solution automatically onboards suspicious activities to the Respond tool to enable complete threat response. Additionally, the process ensures that the malicious activity is stopped and the affected assets are quarantined quickly after detection.