Automated Endpoint Data Investigation
What Magna Saw to Find and Quarantine Riskware
Web browsers and toolbars can be important tools to increase employee productivity. They are commonly downloaded from various sites without much thought about any security implications.
Recently, LightCyber Magna augmented an organization’s endpoint security by quarantining a malicious web browser extension. Magna detected a change in behavior of one workstation, having already established a profile of normal activity for this device and its peers. More specifically, using automated endpoint data investigation, Magna detected a large number of failed DNS requests along with what appeared as seemingly random DNS requests from the workstation. Here’s what happened next:
- Magna automatically alerted a security analyst.
- The analyst took one minute to investigated the endpoint security risk by reviewing the automatically generated analysis and threat intelligence from the Magna Cloud Expert System displayed on the Magna Analyst Dashboard.
- It was easy to see that none of those DNS requests reached out to low reputation domains.
- The analyst then used Magna Pathfinder to examine the behavior of the endpoint which revealed a large number of browser processes running on the workstation in question. This was suspicious, and the analyst followed up with the owner.
- Before the owner had time to respond, Magna automatically detected Riskware named Artemis on that same workstation and alerted the security analyst. Artemis is a potentially unwanted program that affects the browser by changing the home page, redirecting searches to possibly malicious advertisements and reducing productivity by attempting to open pop-up ads. This is standard click-fraud, but it also provides a potential foothold for an attacker to gain access to the company network and launch a more damaging attack.
- The analyst then used the Network Prevalence feature within the Magna Analyst UI to determine that the file was nowhere else on the network.
- The Malicious File Termination feature within the Magna Analyst UI was then used to agentlessly quarantine the file on the workstation so it could not cause any damage.
In this case, automatic detection of suspicious network traffic with investigative endpoint data combined with immediate remediation eliminated a potentially harmful situation quickly and efficiently.