TIE Case Study: Blocking Malware Dropped by Infected Microsoft Office Documents

Version 2

Introduction

During a recent POC for McAfee Threat Intelligence Exchange (TIE), a prospect sent us some 0-Day malware and challenged us to show what TIE and ATD would do with these samples. The storyboard below shows how TIE and ATD identified the malware, protected the enterprise, and helped with visibility and remediation.

See what happened

1. A user receives an Excel document (in this case via targeted spear phishing) which uses an exploit to download and execute malware. TIE identifies this file as "Unknown" and notifies the user with a prompt (Note: in this example, prompting is enabled, but TIE can also be configured to simply block the execution of unknown files).

01-user-opens.png

2. In addition to the user prompt (and independently from the user's decision), TIE also submits the unknown file to McAfee Advanced Threat Defense (ATD) for analysis.

02-atd-scan.png

3. At this point, the "ATD reputation" is not yet available and the "Enterprise reputation" has not been set.

03-epo-result.png

     

4. The end user decides to ignore the warning prompt and run the executable (Note: in this example, prompting is enabled, but TIE can also be configured to simply block the execution of unknown files).

04-process-running.png

     

5. ATD finishes its analysis and convicts this file as malicious. This is the first time that this 0-Day has been identified, and now TIE can go ahead and immunize your environment.

05-atd-conviction.png

     

6. The "ATD Reputation" in TIE gets updated immediately. This changes the overall reputation of the executable to malicious.

06-epo-rep-change.png

     

7. When another user receives the same Excel document and opens it, TIE blocks the execution of the malware and prevents an infection.

07-tie-block.png

     

8. Now that we know that this executable is malicious, we can step up the game and set the "Enterprise Reputation" to "Known Malicious".

08-epo-ent-rep.png

     

9. TIE immediately sends an update to the endpoints and triggers a "clean", meaning the running process is killed and the file is removed from the system.

09-process-cleaned.png

     

10. If another user opens the Excel document, the TIE block message changes to reflect the changed "Enterprise Reputation".

10-tie-block.png

     

11. On top of the actual protection, TIE also offers visibility for Incident Response personnel. For example, you can use TIE to see where a file ran in your environment.

11-investigate-file.png
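To make the reputation flow in steps 1 through 11 concrete, here is a small Python model of the decisions the storyboard walks through. This is an added illustration written for this page, not McAfee TIE or ATD code: the reputation names, the precedence rule (an admin-set Enterprise reputation overrides the ATD verdict, which overrides "Unknown"), the prompt-versus-block policy for unknown files, and the "clean" being triggered only by the Enterprise reputation change are all assumptions chosen to mirror the steps above. The sample hash and host names are constructed.

```python
"""
Toy model of the reputation-driven decisions walked through in steps 1-11.
Added illustration only: this is NOT McAfee TIE/ATD code. The reputation names,
the precedence rule (Enterprise overrides ATD, ATD overrides "Unknown") and the
actions are assumptions chosen to mirror the storyline on this page.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Reputation(Enum):
    UNKNOWN = "unknown"                   # no verdict from any source yet
    MALICIOUS = "malicious"               # sandbox (ATD) conviction
    KNOWN_MALICIOUS = "known_malicious"   # admin-set Enterprise reputation


class Action(Enum):
    PROMPT = "prompt"   # warn the user, who may still choose to run the file
    BLOCK = "block"     # execution denied
    CLEAN = "clean"     # kill the running process and remove the file


@dataclass
class FileRecord:
    sha256: str
    enterprise_rep: Optional[Reputation] = None       # highest precedence
    atd_rep: Optional[Reputation] = None              # sandbox verdict
    ran_on: List[str] = field(default_factory=list)   # hosts where it actually executed
    cleaned_on: List[str] = field(default_factory=list)

    def effective_reputation(self) -> Reputation:
        """Enterprise reputation wins over the ATD verdict; otherwise Unknown."""
        if self.enterprise_rep is not None:
            return self.enterprise_rep
        if self.atd_rep is not None:
            return self.atd_rep
        return Reputation.UNKNOWN


class TieModel:
    def __init__(self, prompt_on_unknown: bool = True):
        self.prompt_on_unknown = prompt_on_unknown  # policy: prompt vs. block unknowns
        self.files: Dict[str, FileRecord] = {}

    def _record(self, sha256: str) -> FileRecord:
        return self.files.setdefault(sha256, FileRecord(sha256))

    def attempt_execution(self, sha256: str, host: str,
                          user_accepts_prompt: bool) -> Tuple[Action, Reputation]:
        """Endpoint asks for a verdict; returns the action and the reputation behind it."""
        rec = self._record(sha256)
        rep = rec.effective_reputation()
        if rep is Reputation.UNKNOWN:
            if not self.prompt_on_unknown:
                return Action.BLOCK, rep
            if user_accepts_prompt:
                rec.ran_on.append(host)   # the user ignored the warning (step 4)
            return Action.PROMPT, rep
        return Action.BLOCK, rep          # any malicious reputation blocks (steps 7, 10)

    def set_atd_reputation(self, sha256: str, rep: Reputation) -> None:
        self._record(sha256).atd_rep = rep

    def set_enterprise_reputation(self, sha256: str, rep: Reputation) -> List[str]:
        """Admin override; returns the hosts that receive a 'clean' because the file ran there."""
        rec = self._record(sha256)
        rec.enterprise_rep = rep
        if rep is Reputation.KNOWN_MALICIOUS:
            to_clean = [h for h in rec.ran_on if h not in rec.cleaned_on]
            rec.cleaned_on.extend(to_clean)
            return to_clean
        return []

    def where_did_it_run(self, sha256: str) -> List[str]:
        """Incident-response view (step 11): every host on which the file executed."""
        return list(self._record(sha256).ran_on)


def run_storyline():
    """Replays steps 1-11 against a constructed sample hash."""
    tie = TieModel(prompt_on_unknown=True)
    sample = hashlib.sha256(b"constructed stand-in for the dropped executable").hexdigest()
    verdicts = []
    # Steps 1-4: the first user is prompted (Unknown) and runs the file anyway.
    verdicts.append(tie.attempt_execution(sample, "host-a", user_accepts_prompt=True))
    # Steps 5-6: ATD convicts the sample; the ATD reputation is updated.
    tie.set_atd_reputation(sample, Reputation.MALICIOUS)
    # Step 7: the next user opening the same document is blocked.
    verdicts.append(tie.attempt_execution(sample, "host-b", user_accepts_prompt=True))
    # Steps 8-9: Enterprise reputation "Known Malicious" triggers a clean on host-a.
    cleaned = tie.set_enterprise_reputation(sample, Reputation.KNOWN_MALICIOUS)
    # Step 10: the block is now driven by the Enterprise reputation.
    verdicts.append(tie.attempt_execution(sample, "host-c", user_accepts_prompt=True))
    # Step 11: where did the file run?
    return verdicts, cleaned, tie.where_did_it_run(sample)


if __name__ == "__main__":
    for item in run_storyline():
        print(item)
```

The point the model makes explicit is that the block in step 10 is the same action as in step 7 but carries a different reputation source, and that the "clean" is not an execution-time decision at all: it is fan-out to every endpoint that already ran the file, which is exactly the list the incident-response view in step 11 exposes.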

Conclusion

As you can see in this real-world case study, TIE brings a totally new level of protection and visibility to your environment.

To learn more about TIE and how to get your own POC started, visit the TIE Expertcenter page and get in touch with us today.