Packet to Process - In a Snap

Automation is the end goal, but look for quick, significant wins along the way

In our recent client engagements there has been a clear, common theme: a concerted push toward more modern, automated and rationalised security operational processes, frameworks, data analytics and underlying infrastructure. This can manifest in many ways, but one key aspect is that deployed security controls must integrate in order to facilitate automated data exchange, containment and investigative pivot across disparate but associated data repositories.

Network-based and endpoint-based security analytics have traditionally been quite siloed. This is somewhat understandable since their primary data sources are quite different: network-based analytics focuses typically on packets and flows, identified by src/dst IP and src/dst port, whereas endpoint-based analytics focuses typically on host-based processes and files, identified by file hash and characteristics.

The challenge is that modern malware and attacks almost always traverse the network and involve on-endpoint, process-level activity. The harsh reality is that Security Operations analysts tasked with triaging these sorts of potential security incidents tend, while under pressure, to fall back on cumbersome, manual techniques to cross-compare analytics derived from the network with analytics derived from the endpoint.

What if pivoting from packet to process was as simple as a click?

Corvil and Carbon Black believe in empowering Security Analysts with proactive detection of threat activity, streamlined triage workflows and actionable insights, without Security Analysts needing to get bogged down in manual processes and the nitty-gritty of wading through the data generated by each product in order to cross-compare potentially related activities. Automated pivot from packet to process is a great example of how Corvil and Carbon Black have taken a very important but otherwise cumbersome task and turned it into a simple, intuitive, one-click task for Security Analysts. Let's take a look at a scenario where we can see this integration in action:

Scenario: Attacker gains a foothold on a corporate laptop on the internal network of an organisation. Corvil and Carbon Black are deployed and are utilized by the organisation’s Security Ops team to rapidly identify and triage the attacker’s activity.

The attacker invokes PowerShell on the compromised host in order to perform a range of tasks including discovery and privilege escalation. Below we can see the attacker downloading mimikatz from a staging server over a non-standard port:

Below we can see that Corvil has detected this activity and not only reports it in real time, but also provides additional Corvil-enriched context to make this detection more actionable, such as:

  • Logged on Windows user
  • Is the last logged on Windows user privileged? (e.g. Domain Admin)
  • File hashes and true file type
  • Corvil’s current risk score for this specific host
  • Endpoint type / OS

We can also see how, with a simple click, the Security Analyst can launch a range of options for investigating further using Corvil and its integration with Carbon Black:

First, the Security Analyst wants to get a better sense of what other hosts this suspect host has been communicating with and the nature of that traffic. With a click, the Analyst opens Corvil’s interactive “Host Connectivity Map”, which reveals other associated hosts that the Analyst should also take a closer look at next:

OK, so now the Analyst clicks in Corvil to get, without leaving the Corvil user interface, immediate insight into which host-based process and process tree launched that web-based download of mimikatz via a PowerShell session. In the background, Corvil queries the Cb Response API using an auto-generated, fine-grained filter, retrieves information on the process and displays it:

The Analyst now knows it was a PowerShell session-based web download and is keen to dig in further. Clicking the provided link opens the Cb Response user interface, where a filtered search is auto-run to immediately show the Analyst the offending process on the host:

From here the Analyst can explore the associated process tree further and even “Go Live > _” or “Isolate the host”:

Below we can see, in the process’s audit history, the exact web download which Corvil originally detected in real time:
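The pivot described above (a network detection on the host, turned into a fine-grained endpoint query, then matched against the process’s network connections) as an added, self-contained example; this is not Corvil’s or Carbon Black’s code. The alert, the process records and the query field names (hostname, ipaddr, ipport, start) are constructed for illustration and are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class NetConn:
    ts: datetime
    remote_ip: str
    remote_port: int
    outbound: bool

@dataclass
class Process:
    hostname: str
    process_name: str
    cmdline: str
    parent_name: str
    netconns: list

# Constructed network detection, shaped like a download over a non-standard port (TEST-NET addresses)
ALERT = {"hostname": "LAPTOP-042", "src_ip": "10.1.2.3", "dst_ip": "203.0.113.10",
         "dst_port": 8443, "ts": datetime(2019, 5, 1, 10, 15, 0)}

# Constructed endpoint process records: one true match, one wrong port, one wrong host
PROCESSES = [
    Process("LAPTOP-042", "powershell.exe", "powershell.exe -NoProfile", "cmd.exe",
            [NetConn(datetime(2019, 5, 1, 10, 14, 58), "203.0.113.10", 8443, True)]),
    Process("LAPTOP-042", "chrome.exe", "chrome.exe", "explorer.exe",
            [NetConn(datetime(2019, 5, 1, 10, 14, 30), "203.0.113.10", 443, True)]),
    Process("LAPTOP-077", "powershell.exe", "powershell.exe Get-Date", "explorer.exe",
            [NetConn(datetime(2019, 5, 1, 10, 15, 2), "203.0.113.10", 8443, True)]),
]

def build_query(alert, window_minutes=5):
    """Build a process-search string in the style of an EDR query syntax.
    The field names (hostname, ipaddr, ipport, start) are assumed for illustration."""
    since = alert["ts"] - timedelta(minutes=window_minutes)
    return (f'hostname:{alert["hostname"]} AND ipaddr:{alert["dst_ip"]} '
            f'AND ipport:{alert["dst_port"]} AND start:[{since:%Y-%m-%dT%H:%M:%S}Z TO *]')

def pivot(alert, processes, window_minutes=5):
    """Return processes on the alerting host with an outbound connection to the
    alert's destination IP and port within +/- window_minutes of the detection."""
    lo = alert["ts"] - timedelta(minutes=window_minutes)
    hi = alert["ts"] + timedelta(minutes=window_minutes)
    hits = []
    for p in processes:
        if p.hostname.lower() != alert["hostname"].lower():
            continue  # different host: not a candidate
        if any(c.outbound and c.remote_ip == alert["dst_ip"]
               and c.remote_port == alert["dst_port"] and lo <= c.ts <= hi
               for c in p.netconns):
            hits.append(p)
    return hits

if __name__ == "__main__":
    print(build_query(ALERT))
    for p in pivot(ALERT, PROCESSES):
        print(f"{p.parent_name} -> {p.process_name}: {p.cmdline}")
```

Matching on host, destination and a time window (rather than destination alone) is what keeps the pivot fine-grained: the same staging server contacted on a different port, or from a different host, is not returned.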

As you can see, Corvil and Carbon Black integrate seamlessly to provide a single-click pivot from packet to process. We see in practice that this integration saves Security Analysts significant amounts of time as they triage large numbers of alerts and potential security incidents on a daily basis. In fact, Gartner are now suggesting that perhaps “Network Detection and Response” is a thing in its own right, to complement “Endpoint Detection and Response”. It makes sense, and we believe that increasing integration between these two is critical for modern Security Operations.

If you will be at the upcoming Cb Connect event in New York City, drop by our Corvil booth for a live demo. We’d love to show you the integration first hand and have a discussion. Otherwise please Schedule a Demo or Contact Us.

Graham Ahearne, Director, Product Management