Partner Perspectives: VMRay + Carbon Black Bridge the Gap Between Threat Hunting & Incident Response


In 2016, Carbon Black and[ VMRay](<http://www.vmray.com/>) introduced an out-of-the-box integration combining the capabilities of two industry-best platforms: Cb Response and the VMRay Analyzer. Leveraging the threat hunting and incident response capabilities of Cb Response, alongside the malware analysis and detection capabilities of the VMRay Analyzer, created a unique platform for today’s Computer Incident Response Teams (CIRTs). ### Two Industry Leaders, Two Primary Use Cases, Many Shared Benefits For CIRTs, this integration addresses to two main challenges: efficiency during incident response and proactiveness during threat hunting. Increasing the speed, efficiency and accuracy of threat hunting and incident response processes is critical for hunting down and eliminating undetected threats that are dwelling within the infrastructure of an organization. ### Efficient Incident Response Incident response is a reactive process that can consume, or even overwhelm, a security team due to the amount of time and resources some incidents can require. Successful attacks can compromise an enterprise in minutes and evade discovery for months, requiring remediation efforts that can take days or weeks to complete. So, when an endpoint is compromised, speed and efficiency are vital. The integration between the VMRay Analyzer and Cb Response accelerates the investigation process, allowing teams to develop actionable intelligence and quickly take response measures to stop an attack and prevent it from spreading or recurring. ### Proactive Threat Hunting CIRTs need endpoint detection and response (EDR) solutions that incorporate proactive, continuous threat hunting capabilities to detect advanced threats that have already bypassed security protections. Cb Response offers the threat hunting capabilities desired by CIRTs. After an initial compromise, advanced attackers can quickly escalate their privileges, establish persistence in the environment and use trusted tools to move around inside the organization - without causing suspicion. This creates the need for threat hunters and incident responders to work together to ensure that attackers are detected and stopped, regardless of where and when that may occur. > _The[ 2017 Ponemon Cost of Breach Study](<https://info.resilientsystems.com/hubfs/IBM_Resilient_Branded_Content/White_Papers/2017_Global_CODB_Report_Final.pdf>) reported the average dwell time (from infection to detection) at 206 days._ CIRTs leverage many of the same tools, processes and skills for both IR and threat hunting. Working through a shared platform enables security professionals to respond to attacks more efficiently and collaboratively because different members of a team can be leveraged for their expertise during investigation. **What’s the Difference?** One significant difference between IR and threat hunting processes is the way actions are initiated. * Incident response is reactive. The objective is immediate and urgent: stop an attack in progress, and prevent it from spreading or recurring. * Threat hunting is proactive. It looks beyond the immediate moment of compromise to understand the context and background of an attack. It uses both current and historical endpoint data to discover and eliminate undetected threats resulting from past breaches. It also combines rich sources of threat intelligence with past events and patterns of threat behavior to enable new attacks that have familiar aspects to be recognized and established responses to be deployed. **Why VMRay Analyzer?** The VMRay Analyzer platform is a sophisticated malware sandbox. Its integration with Cb Response enables security professionals to rapidly detect and analyze endpoint attacks and intrusions that other technologies miss. VMRay Analyzer’s capabilities include: * **Visibility.** VMRay captures a complete view of malware behavior, from the micro to the macro level, with no blind spots. * **Evasion resistance.** Solutions based on older technologies often betray their presence to malware, which can then take evasive measures that leave gaps in visibility. VMRay Analyzer’s “invisible” agentless approach ensures that threats execute in the sandbox as they would in the wild, yielding threat intelligence that points the way to an effective response. * **Relevance**. VMRay Analyzer only reports what’s relevant by filtering out noise and false positives that can slow down detection and analysis. Only being presented with relevant threat intelligence helps IR teams get answers quickly, sparing them from having to sift through a mass of irrelevant data. ### The Incident Response Cycle In environments using Cb Response, sensors are deployed on enterprise endpoints to capture and store all endpoint activity, including file execution, network connections, registry modifications and unique binaries. The IR process begins when sensors detect anomalies on servers or other endpoints. This can include legitimate programs performing in abnormal ways that indicate a possible intrusion. The suspected file or binary is sent to a centralized server, an alert is generated, and the incident responder sets out to learn as much as they can about the threat in the shortest possible time. The responder can utilize Cb Response during their investigation, as it leverages aggregated intelligence from many different sources, including VMRay. When a sample is added to the VMRay Analyzer feed, the responder has the option to detonate and analyze its behavior in a single environment or multiple environments, depending on the scenario. The VMRay Analyzer tags suspicious processes and binaries with detailed threat information, which is returned to the Cb Response server. In turn, incident responders using the system’s Live Response feature can create a secure connection to infected hosts to pull or push files, kill processes, perform memory dumps, and quickly remediate from anywhere in the world. ### The Threat Hunting Cycle Any number of factors might prompt CIRTs to initiate the threat hunting process. They may want to: * Gain insight into a “close call” experienced during a recent attack, for example a ransomware or phishing attack. * Learn about a newly published vulnerability or exposure (CVE), such as a zero-day threat found in Microsoft Office. * Explore how vulnerable their organization is to threats that have recently targeted others in their industry. Cb Response enables security teams to instantly search across all endpoints and attack processes with a simple, easy-to read query. This makes it faster and easier to hunt for anomalies in real time, visualize the complete attack kill chain, and quickly respond to and remediate threats. VMRay Analyzer can be easily incorporated into the threat hunting process. Cb Response identifies endpoint threats, which are submitted to VMRay Analyzer for analysis, and the resulting threat intelligence is returned to Cb response, informing the remediation process. VMRay Analyzer provides complete visibility into endpoint threat activity, evasion resistance that ensures all steps in the kill chain are accurately revealed, and assurance that responders are receiving only the information most relevant to fast, accurate threat detection and removal. Together, the VMRay Analyzer and Cb Response provide an integrated solution that fulfills the needs of incident responders and threat hunters alike, enabling CIRTs to more collaboratively and efficiently detect and respond to threats in their enterprise. The post [Partner Perspectives: VMRay + Carbon Black Bridge the Gap Between Threat Hunting & Incident Response](<https://www.carbonblack.com/2018/09/11/partner-perspectives-vmray-carbon-black-bridge-the-gap-between-threat-hunting-incident-response/>) appeared first on [Carbon Black](<https://www.carbonblack.com>).