How to identify new executables and certificates running in your environment with McAfee Threat Intelligence Exchange

Introduction

McAfee Threat Intelligence Exchange brings immediate visibility into the presence of advanced targeted attacks and emerging threats by automatically assembling events and valuable context as communicated from the new intelligence-based endpoint client, gateways, and other connected security components.

table.png

Prerequisites


Download the set of test samples provided here: http://mcaf.ee/yiuva. For this use case, we will be using Artemis-High.exe.

 

Objective


The objective of this use case is to demonstrate the ability to identify new executables and certificates that are being run in your environment using McAfee Threat Intelligence Exchange.  Successful completion of this use case demonstrates the added visibility and information that the TIE solution offers.

 

Use Case


Login to ePO.

epo.png


Click on Menu | Systems Section | TIE Reputations

 

In the File Search tab, enter * in the search field and click Find Files.

Note: pressing Enter will not run the search. You must click the Find Files button with the mouse.


You will see a list of files that have been executed on your endpoints. You may need to execute a few files before this page is populated. Each column can be clicked to sort the information, including ATD reputation, comments, hashes, and so on.

Sorting by GTI reputation highlights some of the more interesting files being executed. The TIE Reputations page is a collective source of threat intelligence from all security products connected to DXL, giving the user visibility and the ability to make informed decisions.

uv4.png

File details can be added to the initial search results by clicking Actions | Choose Columns.  Add columns as desired.  In the case where ATD is being used, add the ATD column for added reputation information.

uv5.png

On the endpoint, run the Artemis-High.exe provided in the test samples. The file execution will be blocked.

artemis-high2.PNG

 

In the TIE Reputations page, search for Artemis. You will see that the file was blocked based on its GTI reputation 'Might be Malicious'. Click Artemis-High.exe to research additional information about the executable.

u1.png

 

The File Details tab provides additional information about the file properties.

u2.png

The Additional Information tab includes data collected from the first system to execute the file.  This includes:

  • File exists in “Add or Remove Programs”
  • Registered as a Service
  • Registered for Auto-run


u3.png

The Virus Total tab allows the user to cross-reference the file against VirusTotal.  Click Retrieve VirusTotal Information.

Note: You must configure your VirusTotal API key for this to work. For details on how to get a VirusTotal public API key, see https://community.mcafee.com/docs/DOC-6456

u4.png

 

The same steps apply to certificates. In the TIE Reputations page of ePO, go to the Certificate Search tab, enter * in the search field, and click Find Certificates.

Note: pressing Enter will not run the search. You must click the Find Certificates button with the mouse.

cert.png

In this case, Dropbox had been run. You will have several certificates to research; Microsoft is a very common one.

Click into a certificate to research additional information.

drop.png

 

Dashboards

In order to help separate real enterprise threats from the general background noise in the environment, the TIE Server Dashboard focuses on new and notable information.

uv11.png

 

New files by GTI reputation — Shows new executable files by McAfee GTI reputation that attempted to run in your environment in the past week. This report is especially useful to quickly see the new files that were malicious or unknown in your environment.

uv12.png

Clicking the Not Set portion of the graph narrows the list to files for which GTI does not have a reputation. This makes it easy for an admin to decide where to investigate first.

uv12a.png

New files in the past 30 days — Shows new executable files that attempted to run in your environment in the past 30 days.

Once TIE has been running in your environment for a few days, you will only see spikes when there is a possible reason for concern.

uv13.png

Clicking into a data point will show new files by day.

uv13a.png

 

Files with changed GTI reputations — Shows files whose reputations were changed in McAfee GTI in the past month.

Based on further research or newly received information, McAfee may determine that a reputation change is needed. If the GTI reputation has changed, the administrator may want to review any enterprise overrides for that file.

 

uv14.png

 

 

Systems with new executable files — Shows the top 10 systems that had the newest executable files attempting to run. This report shows systems that are potentially at risk for new infections because they are accessing the newest executables.

A high new-file count on unexpected systems, such as a POS device or a production server, may alert the administrator to suspicious behavior.

uv15.png

uv15a.png

 

Quick file search — Allows you to search for a specific file string or hash. Partial entries will match all occurrences.

Any news alert or notification of compromise can be searched here. This is a quick place to research a specific file or hash (it is also a good place to research results from another security product).

 

uv16.png
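Each of the dashboard views above reduces to a query over the same file-reputation records. The block below is an added example, not McAfee's code and not the TIE or DXL API: it reproduces the four dashboards and the quick file search over constructed TIE-style records (placeholder hashes, invented file and system names, and a fixed "today" of 2018-03-15) so the logic can be run offline.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed TIE-style records for this example; hashes are placeholders,
# file and system names are invented, and the GTI labels follow the page's wording.
RECORDS = [
    {"name": "Artemis-High.exe", "sha1": "PLACEHOLDER-SHA1-0001", "system": "WS-042",
     "first_seen": date(2018, 3, 14), "gti": "Might be Malicious", "gti_prev": None, "gti_changed": None},
    {"name": "updater.exe", "sha1": "PLACEHOLDER-SHA1-0002", "system": "POS-07",
     "first_seen": date(2018, 3, 13), "gti": "Not Set", "gti_prev": None, "gti_changed": None},
    {"name": "tool.exe", "sha1": "PLACEHOLDER-SHA1-0003", "system": "POS-07",
     "first_seen": date(2018, 3, 12), "gti": "Unknown", "gti_prev": None, "gti_changed": None},
    {"name": "agent.exe", "sha1": "PLACEHOLDER-SHA1-0004", "system": "WS-042",
     "first_seen": date(2018, 2, 20), "gti": "Known Malicious", "gti_prev": "Unknown", "gti_changed": date(2018, 3, 10)},
    {"name": "setup.exe", "sha1": "PLACEHOLDER-SHA1-0005", "system": "SRV-DB1",
     "first_seen": date(2018, 1, 5), "gti": "Known Trusted", "gti_prev": None, "gti_changed": None},
]
TODAY = date(2018, 3, 15)  # fixed reference date so the results are reproducible

def _new_since(records, days, today=TODAY):
    cutoff = today - timedelta(days=days)
    return [r for r in records if r["first_seen"] >= cutoff]

def new_files_by_gti(records, today=TODAY):
    """'New files by GTI reputation': files first seen in the past week, counted per reputation."""
    return Counter(r["gti"] for r in _new_since(records, 7, today))

def new_files_by_day(records, today=TODAY):
    """'New files in the past 30 days': per-day counts, so a spike on one day stands out."""
    counts = defaultdict(int)
    for r in _new_since(records, 30, today):
        counts[r["first_seen"].isoformat()] += 1
    return dict(counts)

def files_with_changed_gti(records, today=TODAY):
    """'Files with changed GTI reputations': files whose GTI verdict changed in the past month."""
    cutoff = today - timedelta(days=30)
    return [r["name"] for r in records
            if r["gti_changed"] is not None and r["gti_changed"] >= cutoff and r["gti_prev"] != r["gti"]]

def systems_with_new_executables(records, today=TODAY, top=10):
    """'Systems with new executable files': systems ranked by new files seen in the past 30 days."""
    return Counter(r["system"] for r in _new_since(records, 30, today)).most_common(top)

def quick_file_search(records, term):
    """'Quick file search': case-insensitive partial match on file name or hash."""
    t = term.lower()
    return [r["name"] for r in records if t in r["name"].lower() or t in r["sha1"].lower()]
```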

 

Conclusion

By working through this use case you are now aware of the immediate visibility that the TIE solution offers.  You can now answer critical security questions:

  • What is running in my environment?
  • Where is it running?
  • When did it run?
  • Has my environment seen specific malware?  Or a recent zero-day attack?
  • Which systems are at most risk from new executables?
  • Are there systems with unanticipated change?
Revision 3 of 3. Last update: 03-15-2018 01:13 PM