VMWare Carbon Black Archives - Security IT Summit | Forum Events Ltd
Posts Tagged :

VMWare Carbon Black

UK Hacking Fines

How to block hidden malicious commands in obfuscated scripts

960 640 Guest Post

By Chris Corde, VP of Product Management, VMWare Carbon Black

For a long time now, our Threat Analysts have flagged the growing threat of script-based attacks, especially from Microsoft PowerShell and Windows Management Interface script commands, and their ability to escape notice in many antivirus solutions. Increasingly, these types of attacks have become the common standard for gaining entry into corporate systems and moving laterally to inflict damage. Today, we announce several new features to help prevent and detect script abuse, including an extension of our ability to prevent script-based attacks build on AMSI integrations, and the ability to translate the actual contents of obfuscated PowerShell scripts in the Carbon Black Cloud console.      

In our current work from home/COVID-19 environment, these script based attacks continue to grow in size and global spread. Common tools like PowerShell enable attackers to hide their intent behind obfuscated script content, and the resulting lateral movement is facilitated by the abuse of Windows Management Interface (WMI), Google Drive and process hollowing. According to our latest Incident Response Report, lateral movement made up a third (33%) of today’s attacks.  

Detecting Stealthy Script Abuse 

To combat this stealthy attack technique, the Carbon Black Cloud has added capabilities that expose the exact commands behind obfuscated PowerShell scripts. By adding this capability directly into our NGAV product console, we’re able to assist less experienced security teams in detecting attacks they may have otherwise missed, as well as accelerate a formerly time-consuming investigation process. This feature also includes new insights on PowerShell scripts for those using older, legacy systems that don’t support AMSI.  

Due to broad usage of PowerShell in enterprise IT environments, many of these obfuscated scripts go unnoticed by EPP solutions because they trigger either no alert, or deceivingly low-level alerts. This makes it easy for threat actors to hide nefarious commands. Normally, you would have to copy that script and paste into an external script translation app that would offer limited details around the command line, and could take anywhere from several hours to days to resolve. The ability to translate these obfuscated scripts with a button-click during alert triage or threat hunting will save analysts hours of investigation time, by allowing them to quickly see the code and determine whether the intent is malicious or not immediately.  

Preventing Script Abuse Without Decreasing Productivity 

Thanks to our Threat Analysis Unit, VMware Carbon Black built prevention rules onto our AMSI inspection capabilities, along with machine learning to translate these previously hidden scripts. Customers can now quickly at the click of a mouse, translate the script in the Carbon Black Cloud dashboard to see the entire decoded script within seconds, along with an assigned risk score.  This new functionality brings a level of protection and visibility for these advanced attacks rarely seen in endpoint protection platforms, providing customers’ immediate access in-console to the script translation details during both alert triage and threat hunting.  

PowerShell alerts are highlighted in the console, showing the reason why a specific script was flagged, and delivering additional context behind the prevention to speed resolution times. When customers investigate the specific details, they can now simply click a button to translate the obfuscated script.  

In addition to translating obfuscated scripts, we’ve also improved readability of PowerShell scripts through syntax highlighting, making it easier for customers to scan for string content vs PowerShell command-lets and function calls while searching for threats.  

Working closely with our Threat Analysis Unit, we’ve also expanded prevention capabilities for script-based Windows attacks built on Microsoft AMSI Integrations into our default prevention policy, making it easy for customers using our product to have an effective security posture right out of the box,  

VMware Carbon Black’s Threat Analysis Unit updated the default policy to include additional granularity for frequently used off-the-shelf attacker frameworks seen regularly in script-based attacks. These updated rules offer high-fidelity prevention for script-based attacks that decrease false positives and take the strain off already resource-deficient security teams. These updated preventions are available upon download of our latest Windows sensor 3.6 coming out this week.  


Defender confidence on the rise in a maturing UK cyber threat landscape

960 640 Stuart O'Brien

By Rick McElroy, Cybersecurity Strategist, VMWare Carbon Black

Looking at the headlines around cyberattacks and security breaches, we’d be forgiven for thinking that organisations face an insurmountable cybersecurity task. However, when we delve deeper into the UK cybersecurity landscape, a more nuanced picture emerges. In fact, there is a real sense of positivity on the horizon when it comes to UK organisations’ assessment of their ability to detect and defend against cyberattacks. Despite the knowledge that the volume and complexity of attacks they’re facing continue at a sustained high level, our latest UK Threat Report found that more than three quarters of UK organisations felt more confident in their ability to repel cyberattacks than they did twelve months previously.

Supporting this sense of confidence, we also found that investment in cyber defence is holding up well, with 93% of UK organisations surveyed saying they plan to increase cybersecurity spending. Nevertheless challenges remain, not least in the fact that despite this growing confidence 84% of UK organisations surveyed said that they had suffered at least one data breach in the past twelve months caused by an external cyberattack. Here are four more things we learned when we asked 250 UK CIOs and CISOs about the threat landscape they face in the final quarter of 2019.

  1. Despite growing confidence, the attack landscape remains severe

Eighty-four percent of organisations said the volume of attacks they face has increased, while nine in ten said that these attacks had become more sophisticated. Globally, we found a sharp rise in the prevalence of phishing attacks as the attack type most likely to result in a data breach, and this was reflected in the UK where it was the cause of 33% of breaches. In fact, this figure had jumped from 20% in our January 2019 report. This global trend is a clear sign that attackers are going after the weakest link – end users. This is also a factor in the increase reported in breaches caused by ransomware, which jumped as a cause of successful breaches from 14% in January to 20%.

This focus on user-related breach vectors may also indicate that defenders are succeeding in making organisations a harder target for more direct malware-led attacks. The study found that the percentage of breaches caused by process failures and out of date security halved during the period from January 2019. This is another sign of a maturing approach to cybersecurity, where controllable factors are now a key focus.

2. Reputational damage outweighs financial impact when breaches happen

Given the high profile of regulatory changes in the past eighteen months, it is not surprising that 72% of businesses reported suffering reputational damage as a result of a data breach. The public is now much more aware of the risks and responsibilities that organisations bear around data protection and quick to lose trust in those who appear negligent. Perhaps more surprising is that the percentage reporting financial impacts from breaches was only 35%, lower than the global average of 44%. In fact, more than half (54.5%) of UK organisations said there had been no financial impact from the breach at all. At this stage it seems that organisations don’t see monetary loss on the same scale as reputational damage.

3. Emerging technologies and cyber skills scarcity are cause for concern

Looking to the coming year, the research found a significant level of concern in the UK about how emerging technologies such as 5G and fast-paced digital transformation projects are going to create cyber risk. In line with global sentiment, nine in ten respondents said they had concerns, which ranged from the potential for new and more destructive attack types to the difficulty in gaining full visibility over new projects and technologies. Almost a quarter (25%) said that they would need a bigger team to cope with these threats. However, recruiting staff with the necessary skills is a growing problem, with 55% of UK organisations saying the recruitment climate had grown more challenging in the past twelve months. Looking overseas to plug the gap is unlikely to be a solution as the situation is even more difficult globally – an average of 61% of businesses worldwide said recruiting the right skills has become more difficult. 

4. Threat hunting is firmly on the agenda

 Ninety percent of UK companies surveyed said that threat hunting had strengthened company defences and thirty percent had found significant evidence of malicious activity. This is almost double the sixteen percent who found significant evidence of malicious activity in January 2019. While this may be in part due to increasing levels of cyber threat activity, the high percentage increase indicates that threat hunting is becoming more effective, as defender skills and experience increases.

    5. A stronger outlook for UK cybersecurity

Taken together, these research findings indicate a maturing approach to cyber security as UK businesses adjust to the “new normal” where high volume, sophisticated cyberattacks are a factor of doing business. Organisations are locking down the controllable factors such as process weakness and out of date security, while at the other end of the scale they are proactively threat hunting. This is building defender confidence and power, as businesses get smarter about identifying where the risks lie and what tools they can deploy to mitigate them.  While new challenges loom on the horizon, the cybersecurity community in the UK is now better-positioned and more confident to meet and defend against them.