TestDrive

Threat Hunting Takeaways

  1. Attackers are using everyday applications, tools and channels to evade traditional security technologies:
    • Outlook
    • MS Word
    • GitHub
    • Windows built-in tools - arp, ipconfig, systeminfo, hostname etc.
    • Outbound HTTPS (port 443) connections
  2. Without deep telemetry data, the context provided by Watchlist hits, and process tree visualization, it is difficult to replay the attack stages and work out what happened at the device level.
  3. Binary details can be used to scope the blast radius and even contain it by simply adding the binary to the banned list.
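
As an added example (not from the TestDrive page or from Carbon Black's own tooling), the following Python replays a constructed set of process-creation and network events as a process tree and flags the pattern from takeaways 1 and 2: Outlook or Word spawning Windows built-in recon tools, and outbound port 443 connections from that subtree. The event fields, process names and the EVENTS sample are assumptions constructed for this example.

```python
# Added example: a minimal process-tree hunt over constructed telemetry.
# It flags recon tools and outbound 443 traffic that descend from an
# Office application, while leaving ordinary browser HTTPS alone.
OFFICE_PARENTS = {"outlook.exe", "winword.exe"}
RECON_TOOLS = {"arp.exe", "ipconfig.exe", "systeminfo.exe", "hostname.exe"}

# Constructed sample events (assumed schema): process creations carry
# pid/ppid/image; network events carry pid/dst_port.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "proc", "pid": 200, "ppid": 100, "image": "outlook.exe"},
    {"type": "proc", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "proc", "pid": 310, "ppid": 300, "image": "ipconfig.exe"},
    {"type": "proc", "pid": 320, "ppid": 300, "image": "systeminfo.exe"},
    {"type": "proc", "pid": 400, "ppid": 100, "image": "chrome.exe"},
    {"type": "net", "pid": 300, "dst_port": 443},
    {"type": "net", "pid": 400, "dst_port": 443},
]

def build_tree(events):
    """Return (parent_of, image_of) maps from the process-creation events."""
    parent_of, image_of = {}, {}
    for e in events:
        if e["type"] == "proc":
            parent_of[e["pid"]] = e["ppid"]
            image_of[e["pid"]] = e["image"].lower()
    return parent_of, image_of

def office_ancestor(pid, parent_of, image_of):
    """Walk up the tree; return the pid of an Office ancestor, or None."""
    while pid in parent_of:
        pid = parent_of[pid]
        if image_of.get(pid) in OFFICE_PARENTS:
            return pid
    return None

def hunt(events):
    """Return (finding, office_image, child_image) tuples in event order."""
    parent_of, image_of = build_tree(events)
    findings = []
    for e in events:
        root = office_ancestor(e["pid"], parent_of, image_of)
        if root is None:
            continue  # e.g. chrome.exe on 443 has no Office ancestor: normal
        child = image_of[e["pid"]]
        if e["type"] == "proc" and child in RECON_TOOLS:
            findings.append(("recon_from_office", image_of[root], child))
        elif e["type"] == "net" and e["dst_port"] == 443:
            findings.append(("https_from_office_child", image_of[root], child))
    return findings
```

Running hunt(EVENTS) returns the two recon hits plus the cmd.exe HTTPS connection, all rooted at outlook.exe, while the chrome.exe connection is not reported.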

"Threat hunting is an exercise in finding anomalies across normal-looking patterns."
Note: Carbon Black is set to a detection-only policy for demonstration purposes. The initial stages of this attack could have been prevented by leveraging Carbon Black prevention policies.
