Does Carbon Black Alert on CVE Actions?

Article ID: 287673

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Does Carbon Black alert on the actions described in a given CVE?

Environment

  • Carbon Black Cloud Console: Current Version

Resolution

  • No. The actions seen when a CVE is abused normally fall within the normal operation of the affected software. Creating a specific rule for each CVE would not be maintainable.
  • Potential next steps:
    • Check TAU for any reports regarding the CVE.  A report on a threat is provided on an as-needed basis based on multiple factors.
    • Understand the CVE.
    • Understand if/how the common software is used in the network.
    • Determine if a custom watchlist is warranted to monitor any misuse of the commonly used software.
    • Contact Support to express interest in a particular threat or possibly get more information.

Additional Information

  • Carbon Black reviews new or updated CVEs daily and adjusts the behavioral rules as needed to cover possible Tactics, Techniques and Procedures (TTPs).
  • Carbon Black has an extensive binary reputation database of malware, which is kept up to date on a daily basis.
  • Example of why creating a specific rule for each CVE would be unmanageable:
    • Suppose the CVE reports that Firefox versions < 82.0.3 (CVE-2020-26950) are vulnerable. Alerts should not occur for each use of Firefox. Instead, what should alert is the certain environmental configuration, before or after Firefox starts, that the vulnerability requires.
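
An added illustration of the Firefox example above (not Carbon Black rule logic and not part of the original article). The events, field names and the "browser starts a command interpreter" condition are constructed assumptions, chosen only to show how a per-CVE version rule fires on routine use while a rule scoped to misuse does not.

```python
# Constructed illustration: event fields and the misuse condition are assumptions.
VULNERABLE_BELOW = (82, 0, 3)  # from the article: Firefox < 82.0.3 (CVE-2020-26950)
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}  # assumed misuse indicator


def parse_version(text):
    """Turn '82.0.2' into (82, 0, 2); pad short versions so '81.0' becomes (81, 0, 0)."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_vulnerable_firefox(event):
    return (event["process"].lower() == "firefox.exe"
            and parse_version(event["version"]) < VULNERABLE_BELOW)


def per_cve_rule(events):
    """Naive per-CVE rule: alert on every launch of a vulnerable Firefox build."""
    return [e["host"] for e in events if is_vulnerable_firefox(e)]


def behavioral_rule(events):
    """Scoped rule: alert only when a vulnerable Firefox also starts a command interpreter."""
    return [e["host"] for e in events
            if is_vulnerable_firefox(e)
            and any(child.lower() in SHELLS for child in e["children"])]


# Constructed sample process events (not real telemetry).
EVENTS = [
    {"host": "ws-01", "process": "firefox.exe", "version": "82.0.2", "children": []},
    {"host": "ws-02", "process": "firefox.exe", "version": "81.0", "children": ["firefox.exe"]},
    {"host": "ws-03", "process": "firefox.exe", "version": "82.0.3", "children": []},
    {"host": "ws-04", "process": "firefox.exe", "version": "82.0.2", "children": ["powershell.exe"]},
    {"host": "ws-05", "process": "chrome.exe", "version": "86.0.4240", "children": ["cmd.exe"]},
]

if __name__ == "__main__":
    print("per-CVE rule alerts on:   ", per_cve_rule(EVENTS))
    print("behavioral rule alerts on:", behavioral_rule(EVENTS))
```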