
Configure the Malware Use Case

Configure the Exabeam Security Operations Platform to protect your environment against the Malware use case. Ensure that you collect the right data, set up investigation tools, enable response mechanisms, and import relevant Data Lake reports.

To protect against a use case, you might follow an end-to-end workflow that looks like:

  • Collect – Ensure that you bring in the correct logs for the use case and that all fields populate.

  • Detect – Use out-of-the-box rules and models to identify suspicious activity.

  • Investigate – Ask important questions about the data from log sources, rules, and models.

  • Respond – Isolate, neutralize, eliminate, and mitigate any threats you find.

  • Report – Gather all the evidence in a report so you can share your investigation with others or use for compliance purposes.

Let's configure everything you need to successfully follow each stage of this workflow.

Collect

Collect the data needed to investigate the Malware use case and ensure all context tables are populated correctly.

  • Ensure that Exabeam Customer Success has helped you onboard and validate the log sources needed to implement the Malware use case.

  • Ensure that you have specific out-of-the-box context tables:

    • web_malicious_categories

    • user_is_privileged

    • is_ip_threat

    • is_dynamicdns_domain

    • is_ranked_domain

    • reputation_domains

    • web_ioc

  • Create a custom context table for network zones.

  • Ensure that users and assets have the correct labels based on the context tables. For example, if a user is in the user_is_privileged context table, navigate to the user's profile to verify they have the privileged label.

Detect

Ensure you have all mechanisms in place, like rules, models, watchlists, and Threat Hunter searches, to successfully identify suspicious activity.

Rules and models

Validate out-of-the-box rules and models to ensure you accurately detect anomalous activity.

  • Import the latest content packages on the Exabeam Community. These content packages contain the latest rules and models, which aren't available to install in Content Updates settings. You must download them from the Exabeam Community, then import them.

  • Ensure that related rules and models are triggering correctly.

Threat Hunter searches

To quickly search for events that indicate malware has infected your system, create and save the suggested Threat Hunter search queries.

Threat Hunter search: First access to a domain generated from a Domain Generation Algorithm (DGA)

Search criteria:

  • Reasons – WEB-UD-DGA-F

  • Dates – Last 7 days
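The saved search above relies on the out-of-the-box WEB-UD-DGA-F rule to tag DGA-looking domains. As an added example that is not part of this page and not Exabeam's own model, the following Python script shows the kind of heuristic behind such a detection: it scores the registrable label of each domain in a constructed set of proxy/DNS log lines for DGA-like traits (label length, character entropy, vowel and digit ratios, consonant runs) and reports only the first access to each domain whose score reaches a threshold, suppressing repeat visits. The log format, the thresholds, and the naive two-label domain split are assumptions made for illustration.

```python
import math
import re
from collections import Counter

# Constructed proxy/DNS log lines: "<timestamp> <user> <domain>". Not real traffic.
SAMPLE_LOGS = [
    "2024-05-01T09:02:11Z alice mail.example.com",
    "2024-05-01T09:04:52Z alice xk3jq9vz8wlpfq2m.info",
    "2024-05-01T09:05:01Z bob cdn.example.com",
    "2024-05-01T09:07:30Z alice xk3jq9vz8wlpfq2m.info",  # repeat visit, not a first access
    "2024-05-01T10:11:45Z carol q7h2ndk9tpr4xlmv.biz",
    "2024-05-01T10:12:00Z carol www.wikipedia.org",
]

VOWELS = set("aeiou")
CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]+")


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score higher."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def registrable_label(domain):
    """The label left of the TLD, e.g. 'example' for 'mail.example.com'.
    Assumption: a naive two-label split; real code would consult the public suffix list."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(domain):
    """Count how many DGA-like traits the registrable label shows (0..5).
    Thresholds are illustrative assumptions, not tuned values."""
    label = registrable_label(domain)
    n = max(len(label), 1)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    traits = [
        len(label) >= 12,               # unusually long label
        shannon_entropy(label) >= 3.5,  # near-uniform character mix
        vowel_ratio < 0.2,              # human-chosen names contain vowels
        digit_ratio > 0.15,             # digits sprinkled through the label
        longest_run >= 5,               # unpronounceable consonant clusters
    ]
    return sum(traits)


def first_dga_accesses(log_lines, threshold=3):
    """Return (timestamp, user, domain, score) for the first sighting of each
    domain whose score reaches the threshold. Later visits are suppressed."""
    seen = set()
    hits = []
    for line in log_lines:
        timestamp, user, domain = line.split()
        domain = domain.lower()
        if domain in seen:
            continue
        seen.add(domain)
        score = dga_score(domain)
        if score >= threshold:
            hits.append((timestamp, user, domain, score))
    return hits


if __name__ == "__main__":
    for hit in first_dga_accesses(SAMPLE_LOGS):
        print(hit)
```

CDN hostnames, cloud-generated names, and some legitimate tracking domains also score high on these traits, so treat a hit as a lead to review, not a verdict; in the platform the is_ranked_domain and reputation_domains context tables are the natural place to suppress known-good domains before a rule like WEB-UD-DGA-F fires.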

Configure Settings to Search for Data Lake Logs in Advanced Analytics

If you have an on-premises deployment, ensure that you configure certain Advanced Analytics settings so you can search for Data Lake logs from a Smart Timelines™ event.

If you have a cloud-delivered product offering, ensure that you configure Data Lake as a log source.

Investigate

Ensure you have the tools you need, like tasks and incident types, to investigate the evidence you collect from log sources, rules, and models.

Case Manager Incident Type

In Case Manager, ensure that you have the out-of-the-box Malware incident type, or create one if it isn't available out-of-the-box in your Exabeam product offering. Ensure the incident type has all corresponding incident fields.

Case Manager Tasks and Phases

In Case Manager, define a clear response plan to ensure everyone across your organization responds to a Malware incident consistently. Under each phase, prescribe the relevant tasks for investigating, containing, and remediating a Malware incident.

The out-of-the-box Malware incident type comes with suggested phases and tasks. If you don't have the out-of-the-box Malware incident type, create the following suggested phases and tasks for your custom Malware incident type.

Phase: Detection & Analysis

  1. Task name – Determine malware details

    Task instruction:

    • Determine if the malware is known.

    • If the malware is known, determine why the malware wasn't blocked.

    • If the malware is blocked, determine what other components (parent/child processes) were installed or run with the malware.

    • Determine what the malware components are.

    • Determine if the malware has been seen before.

    • Determine whether the malware ran in user mode or kernel mode, and whether it is a rootkit.

    • Determine what family the malware belongs to.

    • Determine what adversaries use this malware.

  2. Task name – Review evidence of suspicious outbound network traffic

    Task instruction:

    • Determine if the asset connected to known malicious IP addresses or domains.

    • Determine if the asset connected to networks at abnormal times.

    • Determine if the asset connected to an abnormal country.

    • Determine if the asset connected to abnormal ports.

    • Determine if the asset sent unusual DNS requests.

    • Determine if there was an unusual amount of outbound network traffic.
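The checks in this task are all comparisons of one day's outbound traffic against what is normal for the asset. As an added example that is not part of this page and not Exabeam's own rule logic, the following Python script builds a simple per-asset profile from a constructed week of baseline flows (active hours, destination countries, ports, destination IPs, and median bytes sent), then reports the flows from the day under investigation that deviate on several of those dimensions at once. The flow fields, the five-times-median volume rule, and the two-reason reporting threshold are assumptions for illustration; the IP addresses are from the RFC 5737 documentation ranges.

```python
import statistics
from datetime import datetime

# Constructed baseline: a week of normal outbound flows for one asset (not real traffic).
# Each flow: (timestamp, destination IP, destination port, destination country, bytes sent).
BASELINE_FLOWS = [
    ("2024-04-24T09:15:00Z", "192.0.2.10", 443, "US", 120000),
    ("2024-04-24T13:40:00Z", "192.0.2.10", 443, "US", 95000),
    ("2024-04-25T10:05:00Z", "198.51.100.7", 443, "US", 140000),
    ("2024-04-25T16:30:00Z", "198.51.100.7", 80, "US", 60000),
    ("2024-04-26T11:20:00Z", "192.0.2.44", 443, "DE", 110000),
    ("2024-04-29T08:55:00Z", "192.0.2.10", 443, "US", 100000),
    ("2024-04-30T14:10:00Z", "198.51.100.7", 443, "US", 125000),
]

# Constructed flows from the day under investigation.
NEW_FLOWS = [
    ("2024-05-01T03:12:00Z", "203.0.113.45", 8443, "BR", 950000),  # off hours, new everything, large
    ("2024-05-01T10:00:00Z", "192.0.2.10", 443, "US", 130000),     # routine
    ("2024-05-01T15:45:00Z", "203.0.113.45", 443, "US", 4000),     # a new destination, nothing else
]


def hour_of(timestamp):
    return datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ").hour


def build_profile(flows):
    """Summarise what normal looks like for the asset from its baseline flows."""
    hours = [hour_of(f[0]) for f in flows]
    return {
        "hours": (min(hours), max(hours)),   # the asset's usual active window
        "countries": {f[3] for f in flows},
        "ports": {f[2] for f in flows},
        "dst_ips": {f[1] for f in flows},
        "median_bytes": statistics.median([f[4] for f in flows]),
    }


def review_flow(profile, flow, volume_factor=5):
    """Return the ways in which one flow deviates from the asset's baseline."""
    timestamp, dst_ip, port, country, nbytes = flow
    lo, hi = profile["hours"]
    reasons = []
    if not lo <= hour_of(timestamp) <= hi:
        reasons.append("abnormal time")
    if country not in profile["countries"]:
        reasons.append("abnormal country")
    if port not in profile["ports"]:
        reasons.append("abnormal port")
    if dst_ip not in profile["dst_ips"]:
        reasons.append("new destination")
    if nbytes > volume_factor * profile["median_bytes"]:
        reasons.append("unusual outbound volume")
    return reasons


def review_outbound(baseline, new_flows, min_reasons=2):
    """Flag flows that deviate on several dimensions at once; a single new
    destination on a normal port at a normal hour is not worth an analyst's time."""
    profile = build_profile(baseline)
    findings = []
    for flow in new_flows:
        reasons = review_flow(profile, flow)
        if len(reasons) >= min_reasons:
            findings.append((flow[0], flow[1], reasons))
    return findings


if __name__ == "__main__":
    for finding in review_outbound(BASELINE_FLOWS, NEW_FLOWS):
        print(finding)
```

Matching destinations against the is_ip_threat and web_ioc context tables is deliberately left out here; that is an indicator match rather than a behavioural deviation, and a single strong indicator hit should be reviewed on its own even when the flow otherwise looks routine.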

  3. Task name – Determine if there were preventative controls

    Task instruction:

    • Determine if an anti-virus or Endpoint Detection and Response (EDR) tool was installed on the host.

    • If an anti-virus or EDR tool was installed, determine if it was healthy and running.

  4. Task name – Assess impacted systems

    Task instruction:

    • Determine if the malware persisted on the system.

    • Investigate autostart entries (for example, with the Sysinternals Autoruns utility) for unusual automatically launched executables.

    • Investigate scheduled tasks.

    • Determine if any Windows Dynamic Link Libraries (DLL) were hijacked.

    • Determine if any Windows registry keys were modified.

    • Determine if the system degraded or is unstable.

    • Determine if CPU or memory was used anomalously.

    • Determine if the system was rebooted unusually.

    • Determine if there was an unusual number of tasks or processes run at unusual times.

  5. Task name – Document all known Indicators of Compromise (IOC)

    Task instruction – Document all known domains, IP addresses, hashes, droppers, payloads, Microsoft Component Object Model (COM) objects, and Windows DLLs.

  6. Task name – Find other users or assets affected

    Task instruction – Search the XDR or SIEM for IOCs, including:

    • Contacted IP addresses or domains

    • Executed hashes or files

    • Created services or Windows registry keys

    • Scheduled tasks

  7. Task name – Determine the scope of the breach

    Task instruction – Create a summarized, comprehensive list of all possibly affected hosts and users.
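Tasks 6 and 7 together are an IOC sweep: take the indicators documented in Task 5, search every normalised event for them, and collapse the hits into the host and user lists that define the scope. As an added example that is not part of this page and not Exabeam's search implementation, the following Python script does that over a constructed IOC set and a constructed batch of already-parsed SIEM events. The event field names, the IOC categories, the hash value, the service and task names, and the registry paths are all invented for illustration and are not real indicators.

```python
# Constructed IOC set gathered from the first infected host (not real indicators).
IOCS = {
    "hashes": {"1f3870be274f6c49b3e31a0c6728957f0a8b5c0d1e2f3a4b5c6d7e8f90a1b2c3"},
    "domains": {"xk3jq9vz8wlpfq2m.info"},
    "ips": {"203.0.113.45"},
    "services": {"WinUpdateSvcHelper"},
    "tasks": {r"\Microsoft\Windows\Update\SyncCheck"},
    "registry_keys": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"},
}

# Which normalised event field is compared against which IOC category (assumed schema).
FIELD_TO_CATEGORY = {
    "hash": "hashes",
    "domain": "domains",
    "dst_ip": "ips",
    "service": "services",
    "task": "tasks",
    "key": "registry_keys",
}

# Constructed, already-parsed SIEM events from across the estate (not real logs).
EVENTS = [
    {"host": "WS-042", "user": "alice", "hash": "1F3870BE274F6C49B3E31A0C6728957F0A8B5C0D1E2F3A4B5C6D7E8F90A1B2C3"},
    {"host": "WS-042", "user": "alice", "domain": "xk3jq9vz8wlpfq2m.info"},
    {"host": "WS-117", "user": "bob", "domain": "XK3JQ9VZ8WLPFQ2M.INFO"},
    {"host": "SRV-DB01", "user": "svc_backup", "dst_ip": "203.0.113.45"},
    {"host": "WS-117", "user": "SYSTEM", "service": "WinUpdateSvcHelper"},
    {"host": "WS-203", "user": "carol", "task": r"\Microsoft\Windows\Update\SyncCheck"},
    {"host": "WS-099", "user": "dave", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"host": "WS-099", "user": "dave", "hash": "9b74c9897bac770ffc029102a200c5de6e3c5a8f8f8e0f2b2f2b2f2b2f2b2f2b"},
]


def normalise(value):
    """Case-fold so hashes, domains and registry paths match however the source logged them."""
    return str(value).strip().lower()


def sweep(events, iocs):
    """Return one record per event field that matches a known IOC."""
    lookup = {cat: {normalise(v) for v in values} for cat, values in iocs.items()}
    hits = []
    for event in events:
        for field, category in FIELD_TO_CATEGORY.items():
            value = event.get(field)
            if value is not None and normalise(value) in lookup[category]:
                hits.append({"host": event["host"], "user": event["user"],
                             "field": field, "indicator": value})
    return hits


def scope(hits, machine_accounts=("SYSTEM",)):
    """Collapse hits into the sorted host and user lists the breach-scope task asks for."""
    hosts = sorted({h["host"] for h in hits})
    users = sorted({h["user"] for h in hits if h["user"] not in machine_accounts})
    return hosts, users


if __name__ == "__main__":
    hits = sweep(EVENTS, IOCS)
    print(scope(hits))
```

Keep the IOC set and the sweep output as incident artifacts: the set feeds the watchlists and Threat Hunter searches created in the Recovery phase, and the host list is what the containment playbooks act on.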

  8. Task name – Determine the malware infection's root cause

    Task instruction:

    To determine if the root cause is malvertising:

    • Determine if anyone else visited the website.

    • Determine when the domain was registered.

    • Determine the reputation of the domain.

    • Determine if the domain is associated with a specific threat actor or geographical region.

    To determine if the root cause is email:

    • Determine if anyone else received the email.

    • Determine if anyone else received an email from the same sender.

    • Determine if anyone else received an email around the same time with the same subject.

    • Determine if anyone else received an email around the same time with the same email size or file attachment size.

    • Determine if there was a form or hyperlink in the email.

    • Check the proxy logs to determine if the user navigated to the hyperlink.

    • Determine if the user entered their credentials on the linked website. If the site presented a further link after the credentials were entered, determine if the user navigated to that link as well.

    • Determine if the credentials were used anomalously.

    • Determine if the user connected from a new geolocation.

    • Determine if the user connected from a new asset.

    • Determine if the user logged in at an unusual time.

    • Determine if the user successfully authenticated using first-factor authentication (typically a username and password) but then failed two-factor authentication.

    • Determine what information you have about the sender's email address.

    • Determine where the sender's email address is registered.

    To determine if the root cause is USB:

    • Use the USB device's serial number to determine if anyone else used the device.

    • Use the serial number to determine what other files originated from the device.

    • Determine which machines the device was plugged into.
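Several of the email checks above amount to one pivot: starting from the message that reached the infected user, find every other delivery that shares its sender, or that arrived around the same time with the same subject or the same attachment size. As an added example that is not part of this page and not Exabeam's own search, the following Python script runs that pivot over a constructed set of mail gateway records. The record fields, the two-hour window, and the exact-match rules for subject and attachment size are assumptions for illustration; the addresses use reserved example domains and the messages are invented.

```python
from datetime import datetime, timedelta

# Constructed mail gateway records (not real mail). Timestamps are UTC.
MAIL_LOG = [
    {"ts": "2024-05-01T08:02:00Z", "to": "alice@corp.example", "from": "billing@invoice-portal.example",
     "subject": "Overdue invoice 48213", "attach_bytes": 184322},
    {"ts": "2024-05-01T08:03:00Z", "to": "bob@corp.example", "from": "billing@invoice-portal.example",
     "subject": "Overdue invoice 48214", "attach_bytes": 184322},
    {"ts": "2024-05-01T08:05:00Z", "to": "carol@corp.example", "from": "accounts@invoice-portal.example",
     "subject": "Overdue invoice 48213", "attach_bytes": 184322},
    {"ts": "2024-05-01T12:40:00Z", "to": "dave@corp.example", "from": "hr@corp.example",
     "subject": "Holiday calendar", "attach_bytes": 52100},
    {"ts": "2024-04-28T08:02:00Z", "to": "erin@corp.example", "from": "billing@invoice-portal.example",
     "subject": "Overdue invoice 47990", "attach_bytes": 184322},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def related_messages(seed, mail_log, window_hours=2):
    """For a seed message, find other deliveries that share its sender at any time,
    or its subject or attachment size within +/- window_hours of its delivery."""
    seed_time = parse_ts(seed["ts"])
    window = timedelta(hours=window_hours)
    related = []
    for msg in mail_log:
        if msg is seed:
            continue
        reasons = []
        if msg["from"].lower() == seed["from"].lower():
            reasons.append("same sender")
        if abs(parse_ts(msg["ts"]) - seed_time) <= window:
            if msg["subject"].strip().lower() == seed["subject"].strip().lower():
                reasons.append("same subject")
            if msg["attach_bytes"] == seed["attach_bytes"]:
                reasons.append("same attachment size")
        if reasons:
            related.append((msg["to"], reasons))
    return related


def campaign_recipients(seed, mail_log, window_hours=2):
    """Sorted list of everyone who should be checked alongside the seed recipient."""
    return sorted({to for to, _ in related_messages(seed, mail_log, window_hours)})


if __name__ == "__main__":
    seed = MAIL_LOG[0]
    for recipient, reasons in related_messages(seed, MAIL_LOG):
        print(recipient, reasons)
```

The earlier delivery from the same sender is reported on sender alone even though it falls outside the window, which is what you want when the same infrastructure was used for a previous wave. Each recipient this returns then gets the same proxy, credential and authentication checks listed in the task above.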

  9. Task name – Validate logs were sent to the SIEM

    Task instruction – Validate that logs for the impacted users or systems were sent to the SIEM or system of record.

  10. Task name – Retrospectively search for anomalous activity

    Task instruction:

    • Determine when initial activity likely began and revise this as you investigate and learn new information.

    • Determine if logs from potentially impacted systems were sent to your centralized SIEM or log aggregation platform.

    • Determine if there was any additional anomalous activity, like if the account accessed new applications, triggered security alerts, or exfiltrated data.

    • Determine if any new processes were executed or software was installed. Investigate if the processes or software were used nefariously.

    • Determine if the user disabled any security tools on the endpoint, like Endpoint Detection and Response (EDR), Endpoint Protection Platform (EPP), or Data Loss Prevention (DLP) tools.

  11. Task name – Assess the criticality of impacted systems

    Task instruction – Determine if the potentially impacted systems are critical business or infrastructure systems.

Phase: Containment

  1. Task name – Tell the SOC Manager about the incident

    Task instruction:

    • If needed, inform your SOC Manager of the incident and include the incident's expected start and end date.

    • Determine whether additional team members or teams, like HR, Legal, or Physical Security, must get involved.

  2. Task name – Initiate containment measures

    Task instruction:

    • Initiate a playbook to quarantine and isolate affected devices.

    • Initiate a playbook to force the user to change their password, enforce two-factor authentication, or disable the affected account if necessary.

Phase: Eradication

  1. Task name – Back up as needed

    Task instruction – Back up the data on affected devices. Back up a forensic image if necessary.

  2. Task name – Remediate

    Task instruction – Manually remove remnants like files, Windows registry keys, and autostart services, or re-image the impacted systems using the latest enterprise image and updated software patches.

Phase: Recovery

  1. Task name – Restore functional state of affected assets

    Task instruction:

    • After you re-image or clean the impacted systems, return the machines to users if it's safe to do so.

    • Ensure you restore the affected applications or network operations.

  2. Task name – Notify affected users

    Task instruction – Notify affected users that they were involved in a security incident and their credentials were reset.

  3. Task name – Implement relevant global security measures

    Task instruction:

    • Implement security controls to prevent a similar incident from happening.

    • Update security tools to detect new patterns or signatures.

    • Add appropriate monitoring measures to identify recurring infections; for example, create watchlists, update rules, or create Threat Hunter searches.

Phase: Post-Incident Activity

  1. Task name – Update documentation

    Task instruction:

    • Ensure the incident contains documentation of all relevant events and actions taken.

    • Identify methods to improve the team’s response to future incidents.

  2. Task name – Hold post-mortem meeting

    Task instruction:

    • Meet with your team. Review the incident and lessons learned.

    • Document and track administrative and technical gaps identified during the incident.

Case Manager Incident Email Communication

To collaborate on an incident with people across your organization, ensure that you configure incident email communication.

Respond

Enable response mechanisms you need to isolate, neutralize, eliminate, and mitigate any threats you find.

In Incident Responder, create triggers for all turnkey playbooks.

Report

To share your investigation with others or for compliance purposes, ensure you have the relevant out-of-the-box Data Lake reports:

  • Exabeam - Cisco OpenDNS Umbrella Summary

  • Exabeam - Discovered Attacks by Source and Destination

  • Exabeam - Endpoint Detection and Response - Incident Review

  • Exabeam - Endpoint Detection and Response - Security Posture

  • Exabeam - Endpoint Detection and Response Dashboard

  • Exabeam - Malwarebytes Summary

  • Exabeam - Top Attackers

  • Exabeam - Viruses Detected - Device Based