One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8312813
Publication date 2023-02-23 11:00:00 (viewed: 2023-02-23 11:06:32)
Title Stories from the SOC - The case for human response actions
Text Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary
As we move towards more automation, we should remember the risk of over-automating, or at least make a conscious decision to accept the risks. This is especially important in automating response actions, which, left unchecked, could wreak havoc with day-to-day business operations.

Investigation
The alarm
One evening after normal business hours, an alarm came in indicating that a software package attempting to execute on a server had been auto-mitigated by SentinelOne. The software package was behaving in a way that was taken as attempting to evade detection by the SentinelOne agent and was therefore rated as “Malicious” by the SentinelOne Artificial Intelligence logic. Since the server on which the software package was attempting to execute had a “Protect” policy applied, the auto-mitigation steps for a dynamically detected “Malicious” rating included killing and quarantining the process.

A “policy” setting in SentinelOne is the defined level of automated response activity the endpoint detection and response (EDR) tool has permission to perform for each grouping of assets. Whereas a “Detect” policy will create an alert that can be managed for post-investigation response actions, a policy setting of “Protect” will take automated response actions. The intrusion level of those automated response actions can be customized, but they all perform an automated action without a person looking at the situation first. The image below shows an alarm for malware which ended up being process automation software, but which was nonetheless auto-mitigated (process killed) by SentinelOne, as shown in the log excerpt that follows it.

[Image: SentinelOne alarm]
[Image: automatic mitigation]

The business impact
The next morning, with business hours back in full swing, the customer reached out to us concerned about the result of the automated response action. The customer stated that the software package is a critical part of their business infrastructure and should never be stopped from executing. The software had been running on that same server for the prior several months, since entering SOC monitoring. The customer questioned why, after several months with the SentinelOne agent running on the server, the agent suddenly believed the software package was malicious. We were not able to answer the question specifically, since the decision-making behind identifying and rating a process as “Malicious” versus “Suspicious” or benign is proprietary logic. What we could state is that any EDR solution worth its price will continually update indicator of compromise (IOC) signatures. Any worthwhile EDR solution will also include not only static detection but also behavior-based dynamic detection. In the case of SentinelOne, there is pre-execution behavior analysis that allows for process termination before execution as well. And of course, any software package run on a server is subject to updates for security, efficiency, or product feature upgrades. Taken as a whole, it means any endpoint being protected is a very dynamic battleground, with the potential for an updated software package that did not trigger IOC rules yesterday to trigger them today. Or a non-updated software package may suddenly be identified as potentially malicious due to updated machine-learning IOC behavior analysis. Remember when
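The post contrasts a “Detect” policy (alert only, a human decides the response) with a “Protect” policy (the agent kills and quarantines on a “Malicious” verdict), and argues that business-critical processes need a person in the loop. The following is an added example, written for this review and not code from the AT&T SOC or from SentinelOne: it models those two policy levels as a small response planner that inserts a human-review gate for processes the business has declared critical, plus an audit function a SOC could run before switching an asset group to Protect. The asset-group names, process names and the `plan_response` / `audit_protect_exposure` functions are assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    DETECT = "Detect"    # create an alert; an analyst chooses the response
    PROTECT = "Protect"  # agent auto-mitigates (kill + quarantine) on "Malicious"


@dataclass
class Alarm:
    asset_group: str
    process: str
    verdict: str  # "Malicious", "Suspicious" or "Benign", as the EDR rates it


@dataclass
class ResponsePlan:
    actions: list       # ordered response actions to perform
    needs_human: bool   # True when an analyst must review before anything destructive
    reason: str


# Constructed sample configuration (hypothetical names): which policy each
# asset group runs, and which processes the business has declared critical.
GROUP_POLICY = {
    "workstations": Policy.PROTECT,
    "app-servers": Policy.PROTECT,
    "dev-lab": Policy.DETECT,
}
CRITICAL_PROCESSES = {
    "app-servers": {"rpa_runner.exe"},  # the process-automation package from the story
}


def plan_response(alarm, group_policy=GROUP_POLICY, critical=CRITICAL_PROCESSES):
    """Decide the response for one alarm.

    Mirrors the Detect/Protect semantics described in the post, but adds a
    gate: under Protect, a "Malicious" verdict on a business-critical process
    is escalated to a human instead of being killed automatically.
    """
    policy = group_policy.get(alarm.asset_group, Policy.DETECT)  # unknown group: safest level

    if alarm.verdict == "Benign":
        return ResponsePlan([], False, "benign verdict, nothing to do")

    if policy is Policy.DETECT:
        return ResponsePlan(["alert"], True, "Detect policy: analyst decides the response")

    if alarm.verdict != "Malicious":
        # Protect only auto-mitigates a Malicious rating; Suspicious is alerted.
        return ResponsePlan(["alert"], True, "Protect policy: Suspicious verdicts are not auto-mitigated")

    if alarm.process in critical.get(alarm.asset_group, set()):
        return ResponsePlan(["alert", "escalate"], True,
                            "Protect policy, but process is business-critical: human review before kill")

    return ResponsePlan(["kill", "quarantine", "alert"], False, "Protect policy auto-mitigation")


def audit_protect_exposure(group_policy=GROUP_POLICY, critical=CRITICAL_PROCESSES):
    """List (group, process) pairs the raw Protect policy would kill on a
    Malicious verdict, i.e. critical processes sitting in Protect groups.

    Running this before enabling Protect on a group shows exactly which
    business-critical software an automated response could take down.
    """
    exposed = []
    for group, procs in critical.items():
        if group_policy.get(group) is Policy.PROTECT:
            exposed.extend((group, p) for p in sorted(procs))
    return sorted(exposed)


if __name__ == "__main__":
    # Constructed sample alarms, including the one from the story.
    for a in (Alarm("app-servers", "rpa_runner.exe", "Malicious"),
              Alarm("workstations", "unknown_dropper.exe", "Malicious"),
              Alarm("dev-lab", "build_tool.exe", "Malicious")):
        plan = plan_response(a)
        print(f"{a.asset_group}/{a.process}: {plan.actions} human={plan.needs_human} ({plan.reason})")
    print("Protect exposure:", audit_protect_exposure())
```

The design choice worth noting is that the gate does not weaken Protect for the rest of the fleet: an unrecognised process on a workstation is still killed and quarantined immediately, while the handful of declared-critical processes get an alert and an escalation so an analyst looks before anything is stopped.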
Sent Yes
Tags Malware Tool
Stories
Notes ★★★


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from a previous one.