Incident Response: Carbon Black
A few months ago I read about an emerging incident response technology called Carbon Black. At its core, Carbon Black acts as a surveillance camera for a system. It’s a lightweight sensor that constantly collects process and network information. More importantly, it shows relationships for each of these events. As an incident responder, these relationships are critical to understanding a possible incident.
Carbon Black is heavily incident response focused and it shows. You can create watch lists based on indicators of compromise, such as suspicious events, or newly seen processes. It has hooks into intelligence feeds such as VirusTotal that can alert you when there’s a hit in VirusTotal’s database for a particular process. There’s also an API available that allows for integration of this data into other systems.
What got me really excited about Carbon Black is the fact that its data is a fantastic complement to network security monitoring (NSM) data. Combining these two forms an incredibly comprehensive and powerful monitoring system. Imagine this scenario:
You have NSM sensors set up at critical ingress and egress points in your network and all of your nodes are monitored by Carbon Black sensors. One day while looking at your NSM data you see a system visit www.badmalwaresite.ru. Additionally, your NSM data tells you that this user may have downloaded “mypics.exe”, a suspicious executable. However, you can’t confirm if the download succeeded or even if the executable ran. Now you turn to your Carbon Black data and look up process information for this host around the time the download occurred. Carbon Black tells you that the user ran Internet Explorer and indeed downloaded “mypics.exe” to their system. Carbon Black also confirms that the user executed “mypics.exe” which spawned additional processes, including “backdoor.exe” that is now set to run as a service. You now see beaconing activity from this system in your NSM data. Given these new indicators of compromise you set up a watch list in Carbon Black to alert you of similar activity. Shortly, you find additional compromised systems. Looks like today will be a busy day.
Now imagine how long that would’ve taken without Carbon Black. You might instead create a forensic image and use forensic software to confirm your suspicions. This could take significant amounts of time and possibly interfere with a user’s normal work day. With NSM and Carbon Black data, you could confirm your suspicions relatively quickly. This is definitely a technology to keep an eye on. I’d encourage you to check out their website to learn more and try out a demo for yourself.