Investigating a suspicious security event on the endpoint and responding to a possible infection can be stressful and time-consuming. Was it a false alarm? Did the threat succeed at penetrating defenses? How did the attack occur? What can you do to contain adversarial presence in your environment?
Minerva’s Anti-Evasion Platform helps SOC analysts and incident responders by not only cutting down the number of infections they need to handle, but also by providing useful details as part of the events that our solution generates.
In general, the events generated by Minerva’s solution inform the organization about a prevented attack, rather than notifying the analyst about a successful compromise. As the result, customers usually consider such events as events of low or medium severity, taking into account criticality of the endpoint and additional threat intelligence from other sources. For example, consider the following event, in which Minerva informs the analyst that it interfered with an attempt by invoice.exe to perform memory injection.
Analysts who wish to examine this event more closely can click the More Details button to see additional information, which includes the following attack timeline. It captures the hierarchy of the processes that led to the event. This information helps the analyst reconstruct the attack steps and obtain additional context about the event.
According to this timeline, Minerva’s Anti-Ransomware Platform prevented the malicious program invoice.exe from succeeding at “self-injection,” which is a packing technique that can be used to evade detection by antivirus tools:
- The malware that triggered the event, invoice.exe, is at the bottom of the timeline.
- The timeline shows that the malicious process was spawned from chrome.exe, indicating that it was launched through the Google Chrome browser.
- The chrome.exe process is a child of OUTLOOK.EXE, an email client, which was spawned by the explorer.exe process that implements the Windows user interface.
These details suggest that the attack began with an email message that contained an embedded link, which the user clicked on to download the malicious file.
Armed with this information, the analyst can assess the event’s nature and derive threat intelligence for pivoting to other suspicious activities. The person can search the Minerva Management Console, our centralized-management component. The analyst can also look at other data sources, such as Security Information and Event Management (SIEM) solutions, to get a broader perspective on the event.
Minerva’s Anti-Evasion Platform can also assist in scenarios where it was not deployed prior to the incident. In this case, incident responders can deploy Minerva Agents into the infected environment to contain threats. This gives responders time to contain and eradicate malicious code. Minerva’s solution accomplishes this automatically if the intrusion involved evasive malware. In addition, responders can use our Endpoint Malware Vaccination capabilities to simulate the presence of infection markers to contain malware designed to avoid infecting the endpoint more than once.
Rather than require analysts and responders to overhaul their existing processes, Minerva’s solution blends into the organization’s established approaches to handling incidents, integrating with other security tools and augmenting protective capabilities of other solutions. By preventing more threats and easily containing infections, enterprises gain valuable time and resources.