Wednesday, October 17, 2012

Incident Response in 3.08 MB

I don't normally post anything on specific software products but occasionally I come across a commercial tool that truly excites me. One recent example is a tool called Carbon Black from Kyrus. I had participated in the beta testing of the product last year and I recently decided to revisit the production release.

For years, defensive strategies I helped to implement, such as least privilege, patch management, User Account Control, and system hardening, have kept the majority of malicious binaries off the hosts I have supported. Recently, however, these defenses seem to be working less and less. The bad guys are getting better, and I suspect this is because organizations are implementing the aforementioned strategies much more efficiently and consistently, which has forced the attackers to adapt.

Attackers have graduated to using exploits against third-party software and browser plugins such as Java and Flash. When local administrator rights are not present, they write to the Windows user profile and to HKCU registry keys instead. It seems to be working well, and the organizations I speak with are left relying on lagging AV and IPS signatures for detection and prevention. The issue is compounded for smaller companies that do not have a full-time IR team in place.

The idea behind Carbon Black (CB) is to monitor code execution. A small Windows agent is deployed to each host throughout the enterprise. This agent hashes each process and monitors its sub-processes, module loads, registry edits, file writes, and network connections. The digital signature and the activity of each binary are stored on the CB server.

The interface is well thought out and intuitive. You can filter and drill down or up through the relational data quickly based on any of the aforementioned data points. Once potential indicators have been identified, it is easy to correlate the related activity.

For example, there was a recent string of well-done phishing emails that got past my org's spam filters. Claiming to be from ADP Internet Services, the email contained a malicious link that brought the unsuspecting user to a web server that was hosting a JAR file.

The user, realizing the error of her actions, forwarded the email to me. Our corporate AV and IPS never detected the incident. Using CB to filter for unsigned files, I determined that an exe had been dropped into the temp folder in the Windows user profile.

From there I was able to quickly drill down to the sub-processes loaded, file writes, and registry edits. Not only did I know exactly what was changed on the system, but I now had the MD5s of the indicators.

Using these hashes to filter for processes and sub-processes on all my hosts, I could determine whether anyone else had clicked the link and been compromised.
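The three-step hunt described above (filter for unsigned binaries run from a user-profile temp folder, drill down through the process tree to collect hashes, file writes and registry edits, then sweep every host for those hashes) as an added example in Python. This is not Carbon Black code and calls no Carbon Black API; the record layout, hosts, paths, user names and binaries are all constructed for the example, and the MD5s are of the constructed byte strings shown, not of real malware.

```python
import hashlib
import re
from collections import defaultdict


def md5_of(content: bytes) -> str:
    """MD5 of a binary's bytes, the identifier a hash-based execution monitor keys on."""
    return hashlib.md5(content).hexdigest()


# Constructed stand-in binaries: the hashes are of these byte strings, not of real files.
IE_MD5 = md5_of(b"constructed sample: iexplore")
JAVA_MD5 = md5_of(b"constructed sample: javaw")
DROPPER_MD5 = md5_of(b"constructed sample: dropper")
PAYLOAD_MD5 = md5_of(b"constructed sample: payload")
INSTALLER_MD5 = md5_of(b"constructed sample: vendor installer")

# Constructed execution records (assumed layout): one per observed process, holding what a
# hypothetical agent recorded for it (host, process tree, binary hash, signature, writes).
EVENTS = [
    dict(host="wks-01", pid=100, ppid=0, signed=True, md5=IE_MD5,
         path=r"C:\Program Files\Internet Explorer\iexplore.exe", file_writes=[], reg_writes=[]),
    dict(host="wks-01", pid=200, ppid=100, signed=True, md5=JAVA_MD5,
         path=r"C:\Program Files\Java\jre7\bin\javaw.exe",
         file_writes=[r"C:\Users\alice\AppData\Local\Temp\update.exe"], reg_writes=[]),
    dict(host="wks-01", pid=300, ppid=200, signed=False, md5=DROPPER_MD5,
         path=r"C:\Users\alice\AppData\Local\Temp\update.exe",
         file_writes=[r"C:\Users\alice\AppData\Roaming\svchost.exe"],
         reg_writes=[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost"]),
    dict(host="wks-01", pid=301, ppid=300, signed=False, md5=PAYLOAD_MD5,
         path=r"C:\Users\alice\AppData\Roaming\svchost.exe", file_writes=[], reg_writes=[]),
    # Second victim: same dropper hash, different user profile.
    dict(host="wks-02", pid=410, ppid=0, signed=False, md5=DROPPER_MD5,
         path=r"C:\Users\bob\AppData\Local\Temp\update.exe", file_writes=[], reg_writes=[]),
    # Benign unsigned installer run from temp: caught by the broad filter, cleared by the sweep.
    dict(host="wks-03", pid=520, ppid=0, signed=False, md5=INSTALLER_MD5,
         path=r"C:\Users\carol\AppData\Local\Temp\setup_1234.exe", file_writes=[], reg_writes=[]),
    dict(host="wks-04", pid=130, ppid=0, signed=True, md5=IE_MD5,
         path=r"C:\Program Files\Internet Explorer\iexplore.exe", file_writes=[], reg_writes=[]),
]

# Temp folder inside a user profile, on the Vista/7 (AppData\Local\Temp) and XP layouts.
USER_TEMP = re.compile(
    r"^[a-z]:\\(users|documents and settings)\\[^\\]+\\"
    r"(appdata\\local\\temp|local settings\\temp)\\", re.IGNORECASE)


def unsigned_user_temp_executions(events):
    """Step 1: the post's first pivot, unsigned binaries executed from a user-profile temp folder."""
    return [e for e in events if not e["signed"] and USER_TEMP.match(e["path"])]


def drill_down(events, host, pid):
    """Step 2: walk the process tree below one execution on one host and collect the
    hashes, file writes and registry edits of everything in it (the indicators)."""
    by_pid = {e["pid"]: e for e in events if e["host"] == host}
    if pid not in by_pid:
        raise ValueError(f"no process {pid} recorded on {host}")
    children = defaultdict(list)
    for e in by_pid.values():
        children[e["ppid"]].append(e)
    indicators = {"hashes": set(), "files": [], "registry": []}
    stack = [by_pid[pid]]
    while stack:
        e = stack.pop()
        indicators["hashes"].add(e["md5"])
        indicators["files"].extend(e["file_writes"])
        indicators["registry"].extend(e["reg_writes"])
        stack.extend(children[e["pid"]])
    return indicators


def sweep_hosts(events, hashes):
    """Step 3: search every host's execution history for the indicator hashes."""
    hits = defaultdict(set)
    for e in events:
        if e["md5"] in hashes:
            hits[e["host"]].add(e["path"])
    return dict(hits)


def triage(events, victim_host):
    """Run the three steps starting from the host of the user who reported the email."""
    hashes = set()
    for e in unsigned_user_temp_executions(events):
        if e["host"] == victim_host:
            hashes |= drill_down(events, victim_host, e["pid"])["hashes"]
    return sweep_hosts(events, hashes)


if __name__ == "__main__":
    for host, paths in sorted(triage(EVENTS, "wks-01").items()):
        print(host, sorted(paths))
```

The benign installer on wks-03 is there on purpose: the unsigned-in-temp filter is deliberately broad and will pull in legitimate software, so it is the drill-down on the reporting user's host and the hash sweep that turn a noisy filter into a list of hosts that actually ran the dropper or its payload.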


The team at CB has also started to add some plugins to the toolkit. These include an autoruns checker, VirusTotal submission using the VT API, and CSV data exports, to list just a few. These have great potential and I cannot wait to see more developed. Additionally, I would like to see support for *nix and OS X. But overall, I think the tool is a fantastic asset and I am looking forward to demoing it to the rest of my team.

Happy Hunting!


  1. If you like CB, you should try Bit9. The guys have been in the app whitelisting game for 9+ years.

  2. Great post with a nice tutorial. Thanks for sharing. incident management