VMware Carbon Black Configuration
Cb Response Cloud Backend Version: 188.8.131.52809.1703
Cb Response Sensor Version: 184.108.40.206722
Cb Response (CbR) is a lightweight, passive sensor that acts as a surveillance camera on your endpoints. CbR will capture all parent/child process relationships, file modifications, registry modifications, network connections, module loads, and cross-process behaviors (i.e. Process injection). All of this data is captured and streamed live to your cloud or on-prem instance for searching and alerting. This allows for both real-time and historical threat hunting across your environment. CbR also keeps track of every process and its metadata that has been executed in your environment, as well as keeping a copy of that binary for forensics purposes. These features enable our customers and IR partners the ability to:
- Receive threat report updates deployed by Carbon Black to detect the latest attack techniques focused on behavioral attributes in seconds
- Rapidly deploy custom detections in the form of threat intelligence reports/watchlists focusing on the same behavioral attributes
- Mapping alerts and detection techniques directly to MITRE ATT&CK
- Search for binary prevalence, process masquerading, binary signing issuers, and forensic capture for post analysis.
- Robust and highly extensible API. Some examples of 3rd party API integrations are:
- SIEM/Orchestration Tooling
- Binary Detonation and Sandboxing Connectors
- Network security/service appliances (DNS, IDS, IPS, DHCP)
- File integrity monitoring - CbR can alert anytime files, file paths, registry keys, and registry hives are modified
- All Threat Intelligence Feeds enabled and configured to alert. Used CbR email notifications to integrate with Slack for immediate coordination of incoming alerts between blue team. (Note: Although we enabled alerting for all our Threat Intelligence feeds, most customers do not do this. Instead, customers will take the queries from these feeds, tune them to their environments and configure watchlists to enable alerting/detection.)
- The following Threat Intelligence Feeds provided all of the alerting and detections during the evaluation:
- MITRE ATT&CK
- Cb Advanced Threats
- Cb Community
- SANS DFIR
Additional Notes from Vendor
To baseline an environment, each of the threat reports/watchlists contains a query (along with contextual information about the technique ID in question) users can click to run a search across their data. The results page will provide a quick, environmental-wide summary of the query results (usernames, process names, sensor group names, hostnames, parent processes, process paths and hashes) in the form of dynamic facets, which can be used to narrow down a search. Depending on the specific technique, this may provide sufficient information to tune a query as a watchlist. Otherwise, users on the results page can navigate to a specific process event to get detailed information (e.g. file and registry modifications, network connections, module loads, process/binary metadata, cross-process, command line, etc), exclude on any field/value they confirm is normal in their environment, and create a watchlist using this information, instead.
Some users may also prefer leaving certain threat reports/watchlists off until there is some other indication of an incident. In this case they may turn on additional watchlists for more data and context during an IR activity, but run in a more data collection-oriented mode in typical operation. This is a highlight of exposing the query in the watchlist. A user can use the queries to search retrospectively throughout the dataset for "previous" hits to the watchlist, as well.