Behavioral Attack Detection Beats Traditional Anti-Virus Solutions

May 21st, 2016 by Peter Nguyen


How Magna Worked to Help One Company Learn It Was the Victim of an Advanced Attack

In 2015, a security analyst at a manufacturing company noticed that the anti-virus engines on many of the company's laptops were out of date even though the software had been configured to update automatically. Once the anti-virus software downloaded current virus definition files, it detected malware on seven laptops. The security analyst, with the help of the company's IT team, quickly reimaged the infected laptops.

The security analyst was not surprised that the anti-virus software had found malware. Signature-based endpoint protection can only catch what its current definitions describe, so once the definition files failed to update, the laptops were easy targets even for well-known malware; zero-day and custom malware, for their part, evade such tools no matter how current the definitions are.

Fast forward nine months, when the manufacturing company kicked off a Proof of Value (PoV) assessment of LightCyber Magna™. During the assessment, the Magna Behavioral Attack Detection platform profiled the company's network for about two weeks by inspecting network packets from a TAP port. Magna Pathfinder, the platform's agentless endpoint component, was also configured to learn the processes, loaded DLLs, and executables present on all of the company's endpoints.

The PoV assessment produced a startling discovery. About one week after Magna was deployed, the security analyst was notified of several Remote Command Execution alerts originating from executives' laptops. This warranted immediate investigation: like most executives, those at the manufacturing company did not typically use PowerShell or perform Windows administrative operations over Remote Procedure Calls (RPC), and RPC traffic was uncommon in the rest of the network as well. The alerts indicated possible lateral movement from the executives' laptops.
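The alert logic described above comes down to learning what each host normally does over the remote-administration protocols and then flagging deviations. The following is an added example of that idea written for this page; it is not LightCyber's code and it does not reflect how Magna is implemented. The hosts, the flow record layout, the port-to-protocol table, the two-week learning window and the `min_new_peers` threshold are all assumptions, and the traffic is constructed inline. The baseline records, per host, which peers it reached over RPC (135), SMB (445) and WinRM (5985/5986); the detection pass reports hosts that reach new peers over one of those protocols, notes whether the host had ever used the protocol before, and scores how rare the protocol is across the fleet so that an executive laptop suddenly doing PowerShell remoting ranks above an administrator adding one more server.

```python
"""Added example (not LightCyber code): learn a per-host baseline of remote
administration traffic from flow records, then flag hosts that deviate from it.
The hosts, ports, record layout and thresholds are assumptions for illustration."""
from collections import defaultdict
from typing import Iterable, NamedTuple

# Ports used for remote Windows administration: RPC endpoint mapper,
# SMB (admin shares, service control), WinRM (PowerShell remoting).
ADMIN_PORTS = {135: "rpc", 445: "smb", 5985: "winrm", 5986: "winrm"}


class Flow(NamedTuple):
    day: int    # day index relative to sensor deployment
    src: str    # initiating host
    dst: str    # destination host
    dport: int  # destination port


def learn_baseline(flows: Iterable[Flow]) -> dict:
    """Map each source host to {protocol: set of peers reached that way}.
    Hosts that never used an admin protocol still get an (empty) entry, so the
    fleet size and per-protocol prevalence can be computed from the result."""
    baseline: dict = {}
    for f in flows:
        per_host = baseline.setdefault(f.src, {})
        proto = ADMIN_PORTS.get(f.dport)
        if proto:
            per_host.setdefault(proto, set()).add(f.dst)
    return baseline


def detect(baseline: dict, flows: Iterable[Flow], min_new_peers: int = 2) -> list:
    """Compare a detection window against the learned baseline.

    A host is flagged for a protocol when it reaches at least `min_new_peers`
    destinations it never reached that way during learning. Each alert carries
    two facts an analyst weighs first: whether the host used that protocol at all
    before, and what fraction of baseline hosts use it (a rare protocol from an
    unexpected host is the strongest signal). Alerts are ordered rarest first."""
    observed = learn_baseline(flows)
    hosts_using: dict = defaultdict(set)
    for src, protos in baseline.items():
        for proto, peers in protos.items():
            if peers:
                hosts_using[proto].add(src)
    alerts = []
    for src, protos in observed.items():
        known = baseline.get(src, {})
        for proto, peers in protos.items():
            old = known.get(proto, set())
            new_peers = sorted(peers - old)
            if len(new_peers) < min_new_peers:
                continue  # e.g. an admin adding one server: routine drift
            alerts.append({
                "host": src,
                "protocol": proto,
                "new_peers": new_peers,
                "first_use": not old,
                "prevalence": len(hosts_using[proto]) / max(len(baseline), 1),
            })
    return sorted(alerts, key=lambda a: (a["prevalence"], a["host"], a["protocol"]))


def build_sample_flows() -> tuple:
    """Constructed traffic: two weeks of learning, then one week to detect over."""
    servers = ["dc01", "fs01", "fs02", "app01"]
    users = ["exec-laptop01", "exec-laptop02", "eng-ws07"]
    learn, watch = [], []
    for day in range(1, 15):
        for dst in servers:  # the IT admin manages every server over RPC and SMB daily
            learn += [Flow(day, "it-admin01", dst, 135), Flow(day, "it-admin01", dst, 445)]
        for host in users:   # ordinary users: web via the proxy, one mapped drive on fs01
            learn += [Flow(day, host, "proxy01", 443), Flow(day, host, "fs01", 445)]
    for day in range(15, 22):
        for dst in servers + ["app02"]:  # the admin picks up one new server: routine
            watch += [Flow(day, "it-admin01", dst, 135), Flow(day, "it-admin01", dst, 445)]
        for host in users:
            watch += [Flow(day, host, "proxy01", 443), Flow(day, host, "fs01", 445)]
    # Day 16: exec-laptop01 starts RPC and SMB sessions to servers it never reached before.
    for dst in ("dc01", "fs02", "app01"):
        watch += [Flow(16, "exec-laptop01", dst, 135), Flow(16, "exec-laptop01", dst, 445)]
    # Day 17: exec-laptop02 opens PowerShell remoting sessions to three servers.
    for dst in ("fs01", "fs02", "app01"):
        watch.append(Flow(17, "exec-laptop02", dst, 5985))
    return learn, watch


if __name__ == "__main__":
    learn, watch = build_sample_flows()
    for alert in detect(learn_baseline(learn), watch):
        print(f"{alert['host']:14} {alert['protocol']:6} first_use={alert['first_use']!s:5} "
              f"prevalence={alert['prevalence']:.2f} new_peers={','.join(alert['new_peers'])}")
```

Run as a script it prints three alerts, with exec-laptop02's WinRM sessions first (no host used WinRM during learning), then exec-laptop01's RPC sessions, then exec-laptop01's new SMB peers; the administrator's one additional server stays below the threshold. In a real deployment the learning set would be several weeks of flows from the TAP and the threshold would be tuned per host role, but the shape of the decision is the same.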

Magna Pathfinder then scanned these suspicious laptops using agentless endpoint analysis. Based on deviations from the activity it had learned to expect, Magna fired several more alerts revealing that the suspect laptops were infected with malware. In total, Pathfinder found malware installed on eight laptops. The security analyst's analysis of the malware variant determined that it was very similar to the malware that had supposedly been cleaned from the network in August. He used Magna's Malicious File Termination feature to quarantine the files, then set up calls with each executive to properly wipe and reimage the compromised laptops.

Looking at the Pathfinder scan results, the security analyst also noticed that the infected files carried timestamps from several months earlier, so the infection had been present on the network long before the alerts fired. He connected the dots and concluded that the custom malware, or malware variant, had most likely been crafted specifically for this manufacturing company. Had he not evaluated the LightCyber Magna Behavioral Attack Detection platform, the network would still be compromised.
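The endpoint side of the story, in the two paragraphs above, rests on two checks: which executables and DLLs are out of place once you can see the whole fleet, and how old the out-of-place ones are relative to the earlier cleanup. Below is an added example that performs both over a constructed inventory; it is not LightCyber's code and does not claim to show how Pathfinder works internally. The host names, paths, the short hash stand-ins, the fleet size and the `CLEANUP_DATE` are all assumptions. A hash seen on more than a handful of hosts is treated as expected software; the rare remainder is reported with whether it sits in a user-writable location and whether its oldest copy predates the cleanup date, which is exactly the observation the analyst made from the file timestamps.

```python
"""Added example (not LightCyber code): fleet-wide outlier analysis over an
endpoint inventory of the kind an agentless scan collects (path, hash, last
modified). Hosts, paths, hashes and the cleanup date are constructed here."""
from collections import defaultdict
from datetime import date
from typing import Iterable, NamedTuple, Optional


class Artifact(NamedTuple):
    host: str
    path: str      # on-disk location of the executable or DLL
    sha256: str    # short constructed stand-ins for real digests
    mtime: date    # last-modified date reported by the scan


# Locations a standard user can write to; software found here is not fleet-managed.
USER_WRITABLE = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\")

# Assumed date of the earlier anti-virus cleanup and reimage (constructed).
CLEANUP_DATE = date(2015, 8, 15)


def find_outliers(inventory: Iterable[Artifact], fleet_size: int,
                  max_hosts: int = 2, cleanup_date: Optional[date] = None) -> list:
    """Rank artifacts that are rare across the fleet.

    Every hash seen on more than `max_hosts` hosts is treated as expected
    software and dropped. The rest are reported with whether they live in a
    user-writable path and, when a previous cleanup date is supplied, whether
    their oldest copy predates it (a sign the infection outlived that cleanup
    or was never covered by it). Writable-path findings sort first, then rarest."""
    by_hash: dict = defaultdict(list)
    for a in inventory:
        by_hash[a.sha256].append(a)
    findings = []
    for digest, items in by_hash.items():
        hosts = sorted({a.host for a in items})
        if len(hosts) > max_hosts:
            continue  # common across the fleet: expected software
        oldest = min(a.mtime for a in items)
        findings.append({
            "sha256": digest,
            "hosts": hosts,
            "prevalence": len(hosts) / fleet_size,
            "paths": sorted({a.path for a in items}),
            "user_writable": any(a.path.startswith(USER_WRITABLE) for a in items),
            "oldest_mtime": oldest,
            "predates_cleanup": cleanup_date is not None and oldest < cleanup_date,
        })
    return sorted(findings, key=lambda f: (not f["user_writable"], f["prevalence"], f["sha256"]))


def build_sample_inventory() -> list:
    """Constructed scan results from a twelve-laptop fleet."""
    fleet = [f"laptop{n:02d}" for n in range(1, 11)] + ["exec-laptop01", "exec-laptop02"]
    inv = []
    for host in fleet:  # expected software is present everywhere with one hash
        inv.append(Artifact(host, "C:\\Windows\\explorer.exe", "e1e1", date(2015, 3, 1)))
        inv.append(Artifact(host, "C:\\Windows\\System32\\ntdll.dll", "d4d4", date(2015, 3, 1)))
    # A CAD package licensed for a single engineering laptop: rare, but in a managed path.
    inv.append(Artifact("laptop07", "C:\\Program Files\\CAD\\cad.exe", "c3c3", date(2015, 11, 2)))
    # The same unknown binary on both executive laptops, under a user-writable path,
    # with a modification date months before the cleanup.
    for host in ("exec-laptop01", "exec-laptop02"):
        inv.append(Artifact(host, "C:\\Users\\Public\\Libraries\\svchost.exe", "a7a7", date(2015, 6, 10)))
    # A DLL present on only one of them.
    inv.append(Artifact("exec-laptop01", "C:\\ProgramData\\upd\\wscli.dll", "b2b2", date(2015, 7, 2)))
    return inv


if __name__ == "__main__":
    for f in find_outliers(build_sample_inventory(), fleet_size=12, cleanup_date=CLEANUP_DATE):
        print(f"{f['sha256']} hosts={f['hosts']} writable={f['user_writable']} "
              f"oldest={f['oldest_mtime']} predates_cleanup={f['predates_cleanup']}")
```

The two explorer/ntdll hashes disappear because every laptop has them; the CAD executable is reported but ranks last because it lives under Program Files and post-dates the cleanup; the two executive-laptop artifacts rank first, and both carry `predates_cleanup=True`. Note that `mtime` is whatever the scan reports and can be altered by an attacker, so it supports the dwell-time inference rather than proving it.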

With Magna now deployed in the network, the security analyst was confident that any further attacks, whether attempts to learn about or move through the network or new malware infections, would be quickly detected. And while detecting an attack is always a good thing, LightCyber Magna's integrated remediation features, which quarantine suspicious files or block outbound access to suspicious domains, also make the security analyst's job much easier.

It is important to note that no matter what malware prevention tools are installed on corporate networks, malware continues to find ways to infiltrate them and infect endpoints. And once an attacker has established a foothold in a network, simply quarantining a malware file may not stop the attack. By augmenting endpoint protection software with behavioral profiling, companies can detect the most dangerous threats, the advanced attacks that move laterally toward sensitive servers, and cut off follow-on activity to keep corporate data safe.

To find out how LightCyber Magna could help keep your organization free of attacks, complete a short form to request a customized demo.
