How to Triage a Suspected Missed Malware Incident
Article ID: 292254

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense)

Issue/Introduction

Steps to take if a malware attack is observed taking place on endpoint(s) in the environment and it is believed that the associated malicious behavior should have been detected or prevented by Carbon Black Cloud Endpoint Standard.

Environment

  • Carbon Black Cloud Console: All Versions
    • Endpoint Standard
  • Carbon Black Cloud Sensor: All Versions

Resolution

  1. Quarantine the device(s)
  2. Collect sensor logs (these can be collected either locally or via Live Response):
    • Collect Carbon Black Cloud Sensor Logs Locally
    • Collect Carbon Black Cloud Sensor Logs Using Live Response

Collect logs before any remediation. If an affected device is wiped or re-imaged after the logs are collected, it may not be possible to continue the investigation should further diagnostic data be required.

  3. Check Security Advisories and Threat Research content to see whether this is a known type of attack. If so, verify that the recommended preventive measures were in place. If they were, proceed to step 4.
  4. Open a Support Case with the following information:
    1. Sensor logs collected in step 2
    2. Hostname(s) of affected device(s)
    3. The policy and policy rule(s) in place that were expected to block the attack
    4. Any notable Alert IDs or Event IDs
    5. Any known IOCs, malware hashes or ransomware extensions
Additional information that may also help (if available):
  1. How many endpoints were affected?
  2. Approximate date and time the incident took place
  3. Is the ingress point known?
  4. Did any user report suspicious behavior? If so, what did they observe?
  5. Were the affected endpoints accessible from the internet, by design or unintentionally?
  6. If SMB shares were involved, were they password protected?
  7. Were the sensors remediated after quarantine? If so, what steps were taken?
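As an added example (not part of this article or of any Carbon Black tooling), the script below packages the step 4 items into a single manifest and flags what would send the case back and forth: missing required items, IOC strings that are neither a recognised hash nor a ransomware extension, and incident times without a timezone. Field names and the sample values are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timezone

# Items the article lists as required when opening the support case (step 4).
REQUIRED_FIELDS = ("sensor_logs", "hostnames", "policy", "policy_rules")
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def classify_ioc(value: str) -> str:
    """Label an IOC by format; anything unrecognised is reported, not dropped."""
    v = value.strip()
    if HEX_RE.match(v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if v.startswith(".") and len(v) > 1 and " " not in v:
        return "ransomware_extension"
    return "unrecognised"


def build_case_package(case: dict) -> dict:
    """Return a JSON-serialisable manifest plus a list of problems to fix first."""
    problems = [f"missing required item: {f}" for f in REQUIRED_FIELDS
                if not case.get(f)]
    iocs = {}
    for raw in case.get("iocs", []):
        kind = classify_ioc(raw)
        # Hashes are normalised to lowercase so duplicates compare equal.
        norm = raw.strip().lower() if kind in HASH_LENGTHS.values() else raw.strip()
        iocs.setdefault(kind, []).append(norm)
        if kind == "unrecognised":
            problems.append(f"IOC is neither a hash nor an extension: {raw!r}")
    when = case.get("incident_time")
    if isinstance(when, datetime) and when.tzinfo is None:
        problems.append("incident_time has no timezone; give Support a UTC time")
        when = None
    hosts = sorted(set(case.get("hostnames", [])))
    manifest = {
        "hostnames": hosts,
        "endpoint_count": len(hosts),
        "sensor_logs": case.get("sensor_logs", []),
        "policy": case.get("policy"),
        "policy_rules": case.get("policy_rules", []),
        "alert_ids": case.get("alert_ids", []),
        "event_ids": case.get("event_ids", []),
        "iocs": iocs,
        "incident_time_utc": when.astimezone(timezone.utc).isoformat() if when else None,
    }
    return {"manifest": manifest, "problems": problems}
```

Call build_case_package with a dict of the collected items and attach json.dumps of the manifest to the case once the problems list is empty.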

Additional Information

  • Support may assist in determining whether Endpoint Standard failed to identify or stop an attack when the appropriate policy rules were in place, but cannot provide detection or prevention recommendations for products other than Carbon Black. Support is also unable to perform a complete analysis of a security incident, e.g. identifying the exact source of an attack or recommending full remediation steps (i.e. Incident Response).
  • Carbon Black has partners that provide Incident Response services.