The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints. The single agent allows for consolidation across AV, EDR, vulnerability, and security auditing technologies. No stand-up or maintenance of on-premises servers is required – offloading work from infrastructure and security teams. 

The console is accessed through a supported web browser: 

• Windows: Chrome, Edge, Firefox 
• MacOS: Chrome, Firefox, Safari 

For purposes of this lab use Google Chrome to access the console. On login you will land on the CBC Dashboard. The main navigation menu is located on the left-hand side of the web console.  

Login to Carbon Black Cloud: 

• URL: https://defense-prod05.conferdeploy.net/ (or Launch the Carbon Black Malware Shortcut)
• Username: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)  
• Password: (listed in text file Carbon_Black_Cloud_Malware_Credentials.txt on the Carbon Black Malware desktop)

The dashboard gives a high-level overview of your environment with interactive widgets.

The Alerts page displays events of known threats or potential risks to your environment. To navigate to the Alerts page, select Alerts from the left-hand menu. 

Regularly review alerts to determine whether action needs to be taken or policies need to be modified. Alert notifications can be setup to email designated administrators when an alert occurs. Alerts can also be forward to a SIEM with the Carbon Black open API (https://developer.carbonblack.com/reference/carbon-black-cloud/cb-defense/latest/rest-api/).

An alert will show: 

• Status – Run status and policy status
  • Run Status: process ran/did not run
  • Policy status: policy applied/no policy applied
• First Seen – What time the events of alerts first occurred 
• Reason – High level overview of the reason the alert occurred 
• Severity – Numerical score from 1 to 10, 1 being lowest severity and 10 being highest 
• Target Value – Acts as a multiplier for the severity score; target value can be assigned per policy group 
• Device – Device that was alerted upon 

Alert severity indicates the relative importance of an alert and acts as a prioritization assistant (one being lowest severity and ten being highest, mission critical). The following describe the ranges of severity:  

• Severity 1-2: Activities such as port scans, malware drops, changes to system configuration files, persistence, etc. 
• Severity 3-5: Activities such as malware running, generic virus-like behavior, monitoring user input, potential memory scraping, password theft, etc. 
• Severity 6-10: Activities such as reverse command shells, process hollowing, ransomware, destructive malware, hidden processes and tool sets, applications that talk on the network but should not, etc. 

Filters are available on the left-hand. This can be used to filter into alerts of interest by device, severity, etc. 

CBC Alerts – Alert Details | Alert Details show additional information for further investigation into malicious/suspicious events. 

To view additional information about an alert, click the chevron to expand. The Alert Details show additional information about the processes, behaviors (or TTP’s – Tactics, Techniques, and Procedures), recommended steps for remediation, and notes/tags. 

The Techniques section in Alert Details shows what behaviors, or TTPs (tactics, techniques, and procedures), were exhibited by the specified process. TTP’s are color coded, with red being a higher severity. TTP’s can be clicked into to view further information about the TTP and what it means. Carbon Black also correlates MITRE techniques to TTPs which are also displayed. Clicking a MITRE technique will take you directly to the MITRE page correlating to that technique. 

CBC Alerts | You can quickly pivot to the Alert Triage (tree icon), Investigate, or additional actions with the linked buttons.

An alert visualization is generated for all alerts that occur. The visualization provides an easy to understand and digest view of what occurred during the attack sequence. To view an alert visualization, called the Alert Triage, click the tree icon in the upper right of alert details.

CBC Alerts – Alert Triage| Alert Triage shows alert in visual format. Each node can be clicked into for more details about the selected process on the right.

The Alert Triage displays a tree containing events associated with the alert. A node represents an individual process or event. You can click a node to view additional process details on the right including reputation, TTPs (behaviors), command line used, and other information. The Alert Triage provides actionable information about the events that occurred during an alert: including where prevention was applied, source, and what the attacker may have been attempting.

A red exclamation mark on an individual event indicates that a policy was applied.

CBC Alerts – Enriched Events| Click the chevron next to an enriched event to view additional details. 

The alert can be viewed in a log level format as well for more rich, process level behavioral information such as: command line, parent command line, if the device was on or off-premise at the time of the event, etc. These logs can be viewed in the Observations section, which you can find by scrolling down to the bottom of the Alert Triage page.  

The CBC next-gen AV and EDR solution offers flexible Policies. Policies determine preventative rules as well as sensor functionality. Carbon Black gives administrators control and visibility into how prevention works in your environment. 

Each endpoint with a sensor installed will belong to a single policy. A policy defines how the sensor should behave on the endpoint, blocking/preventative rules, exclusions and allowances, and other configurations. 

In this lab we have put the Horizon TestDrive endpoints into the ‘Virtual Desktops’ policy group that copies settings from 'Standard' with some adjustments for VDI. The Standard policy group comes OOTB (alongside the Monitored and Advanced policies) and is meant to act as a day-one, production viable policy that gives additional preventative layers beyond a traditional AV. 

The CBC next-gen AV and EDR solution offers flexible Policies. Policies determine preventative rules as well as sensor functionality. Carbon Black gives administrators control and visibility into how prevention works in their environment. 

Each endpoint with a sensor installed will belong to a single policy. A policy defines how the sensor should behave on the endpoint, blocking/preventative rules, exclusions and allowances, and other configurations. 

The Standard policy group comes OOTB (alongside the Monitored and Advanced policies) and is meant to act as a day-one, production viable policy that gives additional preventative layers beyond a traditional AV. 

CBC Policies – Prevention Rules| Carbon Black offers OOTB production viable policies for day-one use while giving admins visibility and customizability into what is prevented and allowed.

To view information about Policies and the Standard Policy Rules, navigate using the main left-hand menu to Enforce -> Policies. On the ‘Prevention’ tab you can see rules associated with the selected policy group. 

Notice 'Core Prevention' rules which are crafted by the Carbon Black Threat Analysis Unit and which protect assets from a variety of high-impact attacks without having to change any policy configurations.

Review the rules within the Standard policy before proceeding. In this lab, the attacks ran will be prevented by rules within this policy including rules for: 

• Process: Known Malware 
• Process (At Path): Excel, Invokes a command interpreter
• Process: Not Listed, Performs ransomware-like behavior