Nexthink V5 Demo Security – Malicious Anomaly

Transcript of Nexthink V5 Demo Security – Malicious Anomaly.

Page 1: Nexthink V5 Demo Security – Malicious Anomaly. Situation › Avoid damage resulting from the incident itself and the cost of the unplanned response › Protection.

Nexthink V5 Demo Security – Malicious Anomaly

Page 2

Situation

› Avoid damage resulting from the incident itself and the cost of the unplanned response

› Protection alone is no longer enough to detect and prevent advanced targeted malware

• By 2018, 80% of endpoint protection platforms will include user activity monitoring, analytics and forensic capabilities, up from less than 5% in 2013 (Source: Prevention Is Futile in 2020: Protect Information Via Pervasive Monitoring and Collective Intelligence, 30 May 2013, ID G00252476, by Neil MacDonald)

Page 3

Solution

› Add behavior and anomaly detection to uncover risky activity and compromised devices

› Need to deal with a mix of malware, negligence and technology glitches. It's all about 360-degree insight, all the time, to:

• Quickly mitigate the risks of employees' malware-infected PCs. Nexthink automatically analyzes local and network activity to find PCs that connect to rogue destinations that are not typical

• Become aware early enough of suspicious activity, misused systems, privilege abuse or careless behavior before it turns into damaging attacks or activities

• Validate that appropriate configurations and policies remain enforced over time

Page 4

An alert came into our system to notify us about malicious activity in our infrastructure. Here is the alert displayed in the Finder.

Page 5

Let's drill down into the alert…

Page 6

4 devices with dangerous activity…

Page 7

Let's see which binary (or binaries) are involved

Page 8

We can see a background process (no user interaction) sending quite a lot of traffic out, already flagged as high threat by the analytics platform

Page 9

Let's look at the network behavior and related anomalies… Here we see a periodic outbound connection sending 4 MB of data each time to a web domain in China. 4 internal computers are compromised. We have all the data here (ports, IP addresses, device names, binary name and path, ...) to react right away and stop any further impact

Page 10

Here is how to extract all the data behind the visualization…

Page 11

One click and there you are… copy/paste into an xls spreadsheet works like a charm for sharing with your colleagues

Page 12

Let's look at where the data is going…

Page 13

Oh, the Chinese Dropbox-like service…

Page 14

Now that the malware is no longer running and all related ports and domains have been blocked, let's go back in time to understand how we got hit and why, and put the relevant preventive measures in place

Page 15

Here is the alert related to this device…

Page 16

It all started from this toolbar installation…

Page 17

That looks like it executed 2 binaries…

Page 18

Let's see more…

Page 19

First we have setup.exe (which installs the toolbar)… where is this running from?

Page 20

Hmmm… a USB key (again!)

Page 21

Not only was it executed locally, it also connected to the outside… not for long and not a lot of traffic, but long enough to bring the malware in, grrrrr!!!

Page 22

Let's look at the domain the malware came from… The connection was initiated from inside, so it went straight through our perimeter defense… we definitely need to enhance our protection there!

Page 23

Let's add some additional information coming from the centralized Nexthink Library

Page 24

That's a web site you don't want to connect to. Let's block it as well!

Page 25

Curious why our endpoint security did not detect and block this activity and malware code… Let's see how the AV and anti-spyware are configured and whether they are up to date… We might have a hole there…

Page 26

Let's select the security compliance checks I want to make…

Page 27

Here are the 4 infected machines… with all protection in place and running well…

Page 28

So let's see what this malware is, by exporting the hash to VirusTotal for analysis…

Page 29

OK, 16 AV engines identified this binary as a trojan kind of code. We are running Microsoft Forefront… Let's find it…

Page 30

Here it is… OK, got it… No luck this time… Thankfully we did not rely only on protection but had real-time activity monitoring and anomaly analytics; otherwise I don't know how much data would have gone out, or from how many computers

Page 31

Let's implement a watch on exe files running from a USB key and connecting to the outside; such awareness can definitely help catch many other variants of this type of threat

Page 32

Any time any exe on any device connects to the outside, now I will know!
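The two detections this demo walks through, the periodic outbound connection with a constant payload size from page 9 and the watch on an exe launched from a USB key that connects outside from pages 31 and 32, written as an added Python example over constructed endpoint-activity records. This is not Nexthink code; the record layout, the internal address ranges and the removable drive letters are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
import ipaddress

# Constructed sample records: (device, binary path, destination IP, bytes sent, timestamp).
# Not real telemetry; 203.0.113.x and 198.51.100.x are documentation addresses standing in
# for external hosts.
RECORDS = [
    ("PC-01", r"C:\Windows\svchost_upd.exe", "203.0.113.7", 4_000_000, "2014-03-01T09:00:00"),
    ("PC-01", r"C:\Windows\svchost_upd.exe", "203.0.113.7", 4_000_000, "2014-03-01T10:00:00"),
    ("PC-01", r"C:\Windows\svchost_upd.exe", "203.0.113.7", 4_000_000, "2014-03-01T11:00:00"),
    ("PC-01", r"C:\Windows\svchost_upd.exe", "203.0.113.7", 4_000_000, "2014-03-01T12:00:00"),
    ("PC-02", r"E:\setup.exe", "198.51.100.20", 51_200, "2014-02-27T14:03:00"),
    ("PC-03", r"C:\Program Files\Outlook.exe", "10.0.0.5", 300_000, "2014-03-01T09:05:00"),
]

# Assumptions about this fleet: RFC 1918 space is internal, E:/F:/G: are USB drive letters.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
REMOVABLE_DRIVES = {"E:", "F:", "G:"}

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def usb_exe_connecting_out(records):
    """Page 31/32 watch: an .exe on a removable drive that talks to an external address."""
    hits = set()
    for device, path, dst, _, _ in records:
        if path[:2].upper() in REMOVABLE_DRIVES and path.lower().endswith(".exe") and is_external(dst):
            hits.add((device, path, dst))
    return sorted(hits)

def beaconing(records, min_conns=4, max_jitter=0.1):
    """Page 9 anomaly: repeated external sends at a regular interval, always the same size.
    Returns (device, path, dst, interval_seconds, bytes) per flagged binary/destination pair."""
    groups = defaultdict(list)
    for device, path, dst, nbytes, ts in records:
        if is_external(dst):
            groups[(device, path, dst)].append((datetime.fromisoformat(ts), nbytes))
    alerts = []
    for key, events in groups.items():
        if len(events) < min_conns:
            continue                      # too few connections to call it periodic
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        mean_gap = sum(gaps) / len(gaps)
        sizes = {n for _, n in events}
        # low timing jitter plus an identical payload size each time is the beacon signature
        if pstdev(gaps) <= max_jitter * mean_gap and len(sizes) == 1:
            alerts.append((*key, int(mean_gap), sizes.pop()))
    return alerts
```

On the sample data the USB watch flags PC-02's setup.exe and the beacon check flags PC-01's hourly 4 MB sends, while the Outlook traffic to an internal mail server is left alone.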

Page 33

Let's use the Portal to report such dangerous activities in a dashboard (for our CISO)