Indicators of compromise are more accurately indicators of possible compromise. When you see a likely DGA (domain generation algorithm) DNS query pop-up, a hit on your threat-intel list, a weird process lineage combination from host logs, an unrecognized DLL loaded, or PowerShell being run by an end-user – you’re seeing indicators of possible compromise.
It takes investigation to determine if it’s just innocently weird or if it’s part of an actual attack? That one event is just one of a cascade of connected events, and to determine if it’s an actual attack you need to be able to follow that deterministic chain of events in both directions of time. What happened before and after event?
What process on the endpoint actually issued DNS query that looks like a DGA domain? What process spawned that process? What else did that process do? Is the process a recognized DLL or EXE that would normally be issuing DNS queries? What other network connections did that process make?
In this webinar, we will present a sophisticated but typical attack that begins with a spearfishing email, installs a remote-administrative tool, and then uses pass-the-hash and related techniques to spread laterally to other systems, all the while communicating with its C&C server.
We will show you how this attack generates multiple indicators of compromise. Ideally, we are listening for and catching each IOC, and quickly recognize they are all connected and that an attack is under way.
But it’s more likely we pick up on just one of those IOCs or different teams see different IOCs because of their scopes of responsibility and monitoring tools.
We’ll show you how all of the IOCs connect and how each IOC is just a single point in the linear path of the attacker. It’s not unlike the blips on the radar a flight operations center might observe as a low flying jet briefly climbs in altitude to avoid mountains or for other tactical reasons. That’s an indicator of compromise but there’s an entire flight path to be uncovered if you consult local land sensors.
For this webinar, we’ll be correlating data from many sources and since Carbon Black has agreed to sponsor this real training for free, we’ll be in for a treat in being able to see the IOCs and intervening events portrayed graphically. Afterwards, Jimmy Astle will briefly show you how Carbon Black Response makes threat hunting fast and effective.