Instrumenting Carbon Black with Verodin SIP

Carbon Black offers one of the leading Next-Generation Antivirus and EDR products as well as a mix of complementary solutions. Like other leading EDRs, Carbon Black is powerful and highly configurable; this gives Carbon Black and similar EDRs great extensibility. Extensibility can also bring complexity when it comes to validation, optimization, and realizing the full potential of a solution — and it’s not just limited to Carbon Black or other EDRs. We see this across modern endpoint, network, email, and cloud security tools including firewall, IPS, email gateway, DLP, proxy, WAF, SIEM, and many others.

This piece will focus on validating the configuration of the Carbon Black Cb Response. We’ll simply reference “Carbon Black Cb Response” more generally as “Carbon Black” throughout this piece. We will leverage prescriptive actions to mitigate any gaps and apply configuration assurance to validate that the changes made are actually doing what was intended. More simply, we’re going to look at how to maximize the security value and investment value of Carbon Black through security instrumentation.

The Verodin Security Instrumentation Platform (SIP) is used to help manage, measure, improve, and communicate security effectiveness. SIP provides organizations with a business platform for security that works by identifying gaps, prescriptively outlining how to mitigate those gaps, validating that the mitigation was successful, automating the monitoring process to ensure that what was working stays working, and finally, communicating and reporting security effectiveness with evidence-based metrics to leadership.

We’ll look at using Verodin SIP to instrument two areas within Carbon Black. First, we’ll take a look at instrumenting the Carbon Black Watchlist capability. Then, we’ll look into validating Carbon Black’s threat intelligence integrations.

Carbon Black Watchlist

The image below is from the Verodin SIP Director. We’ve selected a very simple host-based action from the Verodin SIP Library that we’re going to run against Carbon Black. The Verodin SIP Library comes with default behaviors that are regularly updated and are used for validating security tools. Verodin SIP is also an Open Content Platform, which means that in addition to content provided by Verodin, you can use your own custom actions or import actions from third parties, such as ISACs and threat intelligence vendors. You can learn more about the overall Verodin SIP architecture here.

The action that we’ve selected is designed to operate on an endpoint. Verodin SIP allows you to conduct tests safely in your production environments across network, email, and cloud. But because organizations often want to validate their endpoint security tools against destructive actions like malware, it’s recommended that this type of validation be conducted on a non-production system – usually a VM or dedicated hardware – that is running a paring of an operating system and a security tool for which we want to validate.

Specific host applications such as databases and web servers don’t need to be installed. This is because Verodin SIP is validating the security controls protecting those systems, so you needn’t install anything outside of the OS, the security tool, and a Verodin SIP Actor on the test system. We’ll get into a bit more on the Verodin SIP Actors later.

This Host CLI action demonstrates how a debugger is assigned to an application using Image File Execution Options or IFEO. During the action, a new registry key will be added. This happens when Internet Explorer is launched, and that causes calc.exe (the calculator program) to run in debugger mode. Attackers will take advantage of IFEO by assigning malicious applications as the debugger for common programs. This can allow an attacker to gain persistence and privilege escalation on a compromised machine such as a Windows 7 or Windows 10 system.

It’s also worth noting that this particular action should be executed as the system or admin. This is a selectable option within Verodin SIP when the action is run. In fact, this particular action maps directly to multiple MITRE ATT&CK tests across persistence and privilege escalation.

Carbon Black MITRE Attack

Now that we have chosen to run this action, the below image within Verodin SIP appears and allows us to select various options. Note that we are running as the user admin and the Verodin SIP Actor for endpoint we are using for this action resides on Windows 10 system. In addition to that system running Windows 10 and the Verodin SIP Actor, it’s also running Carbon Black. Verodin SIP Actors are controlled by the Verodin SIP Director to execute the ad-hoc or automated actions of your choosing.

Instrument Carbon Black

Illustrated below are the results of the Host CLI action. The most important items to note are that when the Verodin SIP Actor action completed its CBrun, it was not blocked, and an event was not created. In other words, our Host CLI action was successful and, based on this Carbon Black configuration, the endpoint wasn’t protected, and nothing reported the incident.

It’s very important to note that this is not a condemnation of Carbon Black. Security instrumentation is about the optimization and validation of security tools. So, identifying that something might be misconfigured is simply a step in the instrumentation process and shouldn’t be viewed as negative as it relates to the tested product.

Instrument Carbon Black Dashboard

In the image above, on the bottom right, you will see the “Screenshots” and “CLI Log” buttons. In addition to Verodin SIP identifying if the Host CLI action was blocked and/or created an event, it also captures the actual output from the command line when the attack was run. This CLI log is shown in the truncated image below.

Windows Powershell Carbon Black

Further, Verodin SIP also conducts screen captures while the action is run, as shown below with the calculator application running per the Verodin SIP action parameters.

Instrument Carbon Black Dashboard

At this point we’ve run a Host CLI action against our target Verodin SIP Actor and found that Carbon Black was not configured to block or alert on the action. Now we want to leverage prescriptive details from Verodin SIP to help us optimize Carbon Black.

Let’s switch over from Verodin SIP to the Carbon Black Process Search. We’ll simply paste in the registry information that was provided to us within the Verodin SIP action description in the first screenshot of this action, so we can conduct a query. This is illustrated below with several powershell.exe results.

Cb Response Powershell

We can pick any one of these powershell.exe results and preview it (as shown in the next image) to get greater detail within Carbon Black.

Microsoft Powershell Carbon Black

If we go further within Carbon Black, we can even perform some process analysis that illustrates the connection of PowerShell to calc.exe.

Carbon Black Analysis

But we don’t just want to investigate this action within Carbon Black – we want to optimize it so the next time this happens we are alerted. So, let’s create a Carbon Black Watchlist for this search query and tie it to an alert exemplified in the screenshot below. Note that the “Name” and the “Description” fields are populated by copying the details from the Verodin SIP action description.

Carbon Black Watchlist Verodin

Once we save our Carbon Black Watchlist changes, we can view all the Carbon Black Watchlists to see our handiwork. Within the Watchlist and under “Defense Evasion, Persistence, Privilege Escalation…” you’ll notice the related details including the registry query and its alert association.

Cb Response Carbon Black Watchlist

Now, let’s validate that this Carbon Black Watchlist and alert we just created actually does what we want it to. Within Verodin SIP, this is called “configuration assurance” and is executed by simply running that initial action again – now against a Carbon Black instance that has had a bit of instrumentation done. You can see this in the Verodin SIP Director image below with the “Run Again” button on the top left. We are running the exact same action against the exact same system, with the only difference being the changes we made above to Carbon Black.

Carbon Black Dashboard

Success! As you can see below in the green event box, we’ve now created an event. We’re still not blocking it, but that’s just because we added a watchlist and alert in Carbon Black to focus on detection – not prevention – for this example. Further, if we drill in the green event, the details are also supplied in the same image below. Take a look at the Verodin SIP Message field that calls out the Carbon Black Watchlist.

Carbon Black detection events

We can even go deeper by drilling into the Verodin SIP raw data which uses API to pull even more context from Carbon Black, as illustrated below.

Carbon Black detection events

Finally, we can go back into Carbon Black to make sure that the details provided by Verodin SIP for the Carbon Black Watchlist resulted in an alert. Taking a look at the Carbon Black Triage Alerts, we see that the events are indeed displayed.

Carbon Black Triage Alerts

Carbon Black Threat Intelligence

Let’s move away from the Carbon Black Watchlist and into a completely new example that will look at using Verodin SIP to help instrument the Carbon Black Threat Intelligence capability. Carbon Black has a number of threat intelligence capabilities. We’re going to run a simple test to make sure that everything is working as expected.

It’s worth mentioning that another capability within Verodin SIP is Environmental Drift Detection. This capability uses automated test evaluations to help ensure that something that was working yesterday is still working today and will still be working in the future. It also helps mitigate issues – ranging from configuration changes and patches to network hardware adjustments and user errors – that often break security tools. Environmental Drift Detection is fantastic for validating that your systems haven’t drifted away from a known good state across prevention, detection, correlation, etc.

Pictured below are just a few of the Carbon Black threat intelligence options. Let’s focus on the Suspicious Feed option.

Cb Response Dashboard events

Moving back over to the Verodin SIP Director pictured below, we have a map view of a few network zones (white circles) and a few Verodin SIP Actors (black circles). We also have a Windows 10 system running Carbon Black with a Verodin SIP Actor for endpoint on it. This is the same type of test environment we covered in the first example.

Windows Carbon Black Verodin

As in the previous example, we want to select an endpoint action, so on the dimension filters within the Verodin SIP Director, we filter the action types by endpoint (see below). I’ve chosen a Host CLI action with persistence that invokes a Winlogon registry change. This particular action uses a malicious bat file placed in the registry.

Winlogon Carbon Black endpoint

When we run this action against our Windows 10 system running Carbon Black with the Verodin SIP Actor (see below), we see that the action was neither blocked or detected.

Windows 10 Carbon Black

If we drill into the CLI Log as we did in the Watchlist example, we can see that the action completed successfully. In other words, the malicious activity wasn’t stopped or detected.

Carbon Black watchlist log

The fix for this is extremely simple within Carbon Black. As per the image below, all we need to do is turn on the “Create Alert” option. As discussed earlier as it relates to environmental drift, this box may have been checked within Carbon Black but was then accidentally disabled. Validation tests like this and thousands of others can be leveraged in an automated way to ensure that things that were working or checked stay working and checked. In this case, we’re simply running an ad-hoc test to illustrate that something that we would normally prefer to be turned on is actually turned off.

Cb feed Carbon Black

Now that we’ve turned on the alerting option within the Carbon Black Suspicious Feed selection, let’s run the exact same action against the exact same system to see if it worked.

As you can see below, it does work. Note the message with the words “Threat Feed Hit.” That’s our Verodin SIP action triggering Carbon Black, and Verodin SIP making an API call back into Carbon Black to see if there are any results.

As a final step, we’ll go back into Carbon Black to check out the Triage Alerts. As we can see, the Verodin SIP actions are now being detected and Carbon Black is successfully alerting on these actions.

Carbon Black watchlist alerts

While these examples were focused on the endpoint solution Carbon Black, Verodin SIP can be used to measure, manage, improve, and communicate security effectiveness across your entire security stack. Your current security tool may not be to blame for unblocked or undocumented attacks on your network – it just needs to be instrumented to realize its true value. To learn more about Verodin SIP, request a demo.



*** This is a Security Bloggers Network syndicated blog from Verodin Blog authored by Verodin Blog. Read the original post at: https://www.verodin.com/post/instrumenting-carbon-black-with-verodin-sip