Blog

Behaviors For Enterprise Security Visibility

June 20th, 2016 by Peter Nguyen

Malicious computer fileWhat Magna Saw to Provide Security Visibility to Detect Risky Behavior in the Workplace

Consumers are easy victims when it comes to free utilities to enhance the performance of their computers. Maybe it’s because Windows PCs become sluggish after months of use, or maybe it’s because consumers want the best performance. No matter what the reason, PC cleaners or PC optimization tools should only be installed from reputable sources. In an enterprise environment, however, only IT approved tools should be installed.

Recently, Magna found suspicious traffic from a workstation to the domain w.vemonisoni.com, and triggered an alert named Command & Control. Upon investigation, the Security Analyst saw in the Magna Analyst UI that this domain was being accessed by only a single host out of the other 1000’s that were inside the organization, and that single host opened 100s of sessions over the past 5 days. The Security Analyst saw that the domain was even more suspicious – since it was registered only 71 days ago, there was little to no threat intelligence about the domain or IP address. This was just the first step in his analysis, using the automated investigation built into the Magna Behavior Detection platform.

command_control_behavior_screenshot

Figure 1: Screenshot of the Command & Control as displayed in the Magna Behavioral Attack Detection platform

A few minutes after the Security Analyst started his investigation, he saw another alert named Riskware coming from the same workstation. This is because Magna automatically interrogated the host once was suspicious Command & Control activity was detected, and Magna found a file that was only installed on the single workstation in the entire enterprise. That file was an executable in the user’s download directory, with the name regcureprosetup. That raised additional flags, so the analyst used the built in Malicious File Termination (MFT) feature within the Magna Analyst UI to temporarily quarantine the file.

 

Figure 2: Screenshot of the automated investigation performed by Magna to confirm Riskware is installed on the endpoint

While MFT was running, the Security Analyst used some other tools to confirm what Magna found, and confirmed that the file was not installed on any other machine inside the organization. The Analyst also pivoted to the User view, and confirmed that the user’s credentials were not responsible for any other suspicious activity on the network. The Analyst then opened a ticket so that the desktop team could follow up and ensure that the Riskware was removed from the endpoint.

Even though this was just a minor security incident, without the behavioral detection and automated investigation capabilities of the Magna platform, it could have been worse 3 months later and required a lot more time for proper investigation. But using this as an example, Magna provided Security Visibility to the customer so that risky behavior by employees could be detected. Moving forward, the customer implemented more formal security policies and education to their employees, so that only IT approved tools were installed on laptops and workstations.

Click here to schedule a short demo of how LightCyber Magna can help improve your organization’s security environment.

 

Leave a Reply

Your email address will not be published. Required fields are marked *