
How to identify and remediate systems impacted by a new threat with McAfee Threat Intelligence Exchange

Introduction


The enterprise details that TIE collects from file executions allow administrators to track where and when a file first entered the enterprise, and how widely it has run since.


Prerequisites

 

 

Objective


The objective of this use case is to demonstrate the incident response capabilities and the data held within the TIE server. Successful completion of this use case should show how to identify when a file first entered your environment and how widely it has been executed. You will also take action by triggering a VSE clean on a file you have declared known malicious.


Use Case

 

Remote Desktop into the client system and run Hackit.exe

hackit.png 


Click on Menu | Systems Section | TIE Reputations 

 tie rep.png

 

In the File Search tab, enter Hackit.exe in the search field and click Find Files.

Note: pressing Enter does not run the search. You must click the search button (Find Files) with the mouse.

A file name search matches every file with that name, while TIE reputations are keyed by hash (MD5/SHA1/SHA256). Confirm the hash shown for the result before acting on it so that you do not set a reputation on, or miss, a different binary that happens to share the name.

 
Click the checkbox next to Hackit.exe.

Click Actions | Where Has File Run 

where has file run.PNG
The number of systems the file has run on appears, along with the First Reference Date for each.

Sort the First Reference Date column in ascending order to identify patient zero, the first system on which TIE saw the file run. Only systems running the TIE module report to the server, so this date is the earliest reference the TIE server received, not necessarily the moment the file arrived in the environment.

ab.png
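As an added example (not code from the McAfee article or the TIE product), the following Python reproduces the Where Has File Run and patient-zero steps above offline on constructed records. It also shows why the hash, not the file name, is what to act on: a different binary that happens to be called Hackit.exe is counted by a name search and would even sort as patient zero, but it is excluded once the records are keyed by SHA1. The record layout, host names, agent GUIDs and dates are assumptions made for the example; they are not TIE's API or data.

```python
"""Added example, not code from the McAfee article: an offline version of the
"Where Has File Run" / patient-zero analysis the page performs in the ePO
console.  TIE keys reputations by file hash (MD5/SHA1/SHA256), not by file
name, so the records are grouped by SHA1 rather than by the name Hackit.exe.
All records, host names, agent GUIDs and dates below are constructed."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the file bytes; a real run would read Hackit.exe.
SAMPLE_FILE_BYTES = b"MZ\x90\x00 constructed Hack-It stand-in, not a real PE"


def file_hashes(data: bytes) -> dict:
    """The three hashes TIE uses to key a file's reputation."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


SAMPLE_SHA1 = file_hashes(SAMPLE_FILE_BYTES)["sha1"]

# Constructed execution records, shaped like TIE first-reference data: one
# entry per agent, with the first reference time as epoch seconds (UTC).
# WS-0099 ran a *different* binary that happens to be named Hackit.exe.
FIRST_REFERENCES = [
    {"agentGuid": "{0001-constructed}", "host": "SRV-FILE01", "name": "Hackit.exe",
     "sha1": SAMPLE_SHA1, "date": 1522764000},   # 2018-04-03 14:00:00 UTC
    {"agentGuid": "{0002-constructed}", "host": "WS-0107", "name": "Hackit.exe",
     "sha1": SAMPLE_SHA1, "date": 1522770000},   # 2018-04-03 15:40:00 UTC
    {"agentGuid": "{0003-constructed}", "host": "WS-0042", "name": "Hackit.exe",
     "sha1": SAMPLE_SHA1, "date": 1522761300},   # 2018-04-03 13:15:00 UTC
    {"agentGuid": "{0004-constructed}", "host": "WS-0099", "name": "Hackit.exe",
     "sha1": "0" * 40, "date": 1522700000},      # earlier, but a different file
]


def epoch_to_iso(ts: int) -> str:
    """Render an epoch timestamp the way an analyst reads it."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def count_by_name(records, name: str) -> int:
    """What a plain file-name search counts: every system with a file called `name`."""
    return len({r["agentGuid"] for r in records if r["name"] == name})


def where_has_file_run(records, sha1: str) -> dict:
    """Equivalent of Actions | Where Has File Run followed by sorting on
    First Reference Date: spread and patient zero for one specific hash."""
    hits = sorted((r for r in records if r["sha1"] == sha1), key=lambda r: r["date"])
    if not hits:
        return {"system_count": 0, "patient_zero": None,
                "first_reference_date": None, "timeline": []}
    return {
        "system_count": len({r["agentGuid"] for r in hits}),
        "patient_zero": hits[0]["host"],
        "first_reference_date": epoch_to_iso(hits[0]["date"]),
        "timeline": [(r["host"], epoch_to_iso(r["date"])) for r in hits],
    }


if __name__ == "__main__":
    print("hashes:", file_hashes(SAMPLE_FILE_BYTES))
    print("systems by name:", count_by_name(FIRST_REFERENCES, "Hackit.exe"))
    result = where_has_file_run(FIRST_REFERENCES, SAMPLE_SHA1)
    print("systems by hash:", result["system_count"], "patient zero:", result["patient_zero"])
    for host, when in result["timeline"]:
        print(f"  {when}  {host}")
```

With these constructed records a name search reports four systems and would place WS-0099 first, whereas keying on the SHA1 of the actual sample reports three systems with WS-0042 as patient zero. Setting the enterprise reputation, as done later in this use case, applies to the hash, so the unrelated file on WS-0099 is neither counted nor cleaned.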


The Management features of ePO allow the user to take appropriate action at the client when an incident arises.  Click into the endpoint to show system information.

The Actions button allows the user to modify the System Health settings, Tag the system, change the policy etc.

ac.png
 
At the beginning of this use case hackit.exe was executed. On the endpoint you will see the Hack-It interface

hack1.png

The Hack-It application running in Task Manager

hack2.png

As well as the Hack-It icon running in the system tray

  hack3.png

When the TIE module for VSE policy has the Clean feature enabled and a file's Enterprise reputation is set to Known Malicious, a reputation-change DXL event is published immediately to the endpoints.

clean.PNG

Note: This behaviour can be disabled by unchecking the Clean setting in the TIE module for VSE policy.

 

clean.png

Based on this policy setting the TIE module for VSE triggers a VSE clean.

A VSE clean includes looking for running processes associated with the file and terminating them.


For this demo, assume that Hackit.exe has become a known, immediate threat to our environment. Setting its Enterprise reputation to Known Malicious (Actions | File Known Malicious) will trigger a VSE clean.

In the TIE Reputations page check the box next to Hackit.exe

Capture2.PNG

Click Actions | File Known Malicious 
hack mal.png

Return to the endpoint and observe the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray disappear.

hack4.png

hack5.png

 

Conclusion


When a compromise does occur, the knowledge gathered by the TIE server empowers admins to respond swiftly and accurately. By setting a file's Enterprise reputation to Known Malicious, the administrator triggers a VSE clean on every system that reports to the TIE server and has the Clean feature enabled, while simultaneously ensuring that all future encounters with that hash are cleaned.

Last update: 04-03-2018 06:25 AM