SOLUTION BRIEFSandboxing and the SOCPlace McAfee Advanced Threat Defense at the center of your investigation workflowWhy We Analyze MalwareAs you strive to further enable your security operations center (SOC), you wantyour analysts and threat hunters to do their best detective work to pinpoint truepositives so that triage and remediation efforts are properly prioritized and actedon. While threat hunting is a human-centric activity that relies on clues, intuitivehunches, and knowledge of adversaries’ tactics, techniques, and procedures (TTPs),automation can greatly improve the efficacy of SOC team members focused on thisactivity. When analysts and threat hunters have multiple tools at their disposal—tools that are coordinated by integration, threat sharing, and automation—they’ll bemore successful. Our study, Disrupting the Disruptors, Art or Science?,1 reveals that, forthe majority of investigations—61% to 80% across SOCs of all maturity levels—anadvanced sandbox solution like McAfee Advanced Threat Defense is essential.As we evaluate advancedtechnologies that help us improveour threat-hunting capabilities, let’snot lose sight of why we analyzemalware in the first place: Determine the nature of anunknown file—is it benign ormalicious?Get a better understanding ofwhat a malicious file is actuallydoingAssess the impact of a malwareinfectionEnhance detection by looking forindicators of compromise (IoCs)Make more informed choices andcommunicate this information tomanagementConnect With Us1Sandboxing and the SOC
SOLUTION BRIEFWhy an Advanced Sandbox Is Integral to aSuccessful SOCSandboxing is a foundational tool for SOC analysts andthreat hunters across every level of maturity. In moremature organizations, sandboxing is complemented bya mix of other tools, including security information andevent management (SIEM) solutions.McAfee Advanced Threat Defense provides not onlystatic and dynamic malware analysis but also othercapabilities that place it at the core of a comprehensivethreat hunting and intelligence-sharing ecosystem.Providing more than basic behavioral analysis with fileexecution or sandboxing, McAfee Advanced ThreatDefense also features in-depth static code analysis andadditional detection capabilities powered by machinelearning. Automation is enabled by tight integration withsolutions in the McAfee product portfolio, along withpartner products; support for open standards; and aREST application programming interface (API).Serving as the nexus of the threat-hunting workflow,McAfee Advanced Threat Defense can collect andanalyze samples from multiple sources, including manualsubmission, and provide indicators of compromise(IoC) information to any technology that is capable ofingesting it and using it in an actionable and intelligentmanner for remediation. Technologies that make useof the IoCs range from perimeter intrusion preventionsystems to threat intelligence platforms (TIPS) andsecurity automation and orchestration platforms.McAfee Network Security PlatformMcAfee Web GatewayMcAfee Threat Intelligence Exchange—Senior Manager, SecurityEngineering, Large SoftwareCompanySTIXMcAfee Any third-party secure email gatewayAdvancedThreat DefenseShare McAfee Advanced ThreatDefense IoCs with any productthat consumes TAXIIDXLBro IDS SensorFigure 1. A collaborative security ecosystem with McAfee Advance Threat Defense at the coreincreases the efficacy, efficiency, and accuracy of SOC investigations.2Sandboxing and the SOC“If McAfee AdvancedThreat Defense deemsthe file to be malicious,its reputation is thenautomatically broadcastvia McAfee ThreatIntelligence Exchangeto all the endpointsconnected to DXL. Thisautomatic distributionof threat reputationinformation helps usblock zero-day threatsbefore they can harmour environment.”McAfee EnterpriseSecurity Manager
SOLUTION BRIEFCollect, Ingest, and AnalyzeLet’s take a deeper look at how McAfee AdvancedThreat Defense enables automation and supports SOCinvestigation processes.The first step in the process involves collecting andingesting threat data. Suspicious samples can bemanually uploaded by SOC analysts or automaticallydelivered through tight integration between McAfeeAdvanced Threat Defense and security devices—fromthe network edge through the endpoint.McAfee Advanced Threat Defense then uses a variety ofanalysis techniques to uncover malware—from lowerintensity methods like file reputation and signaturesto more sophisticated methods like dynamic analysisto analyze malware behavior and in-depth static codeanalysis to help classify samples. McAfee AdvancedThreat Defense also uses machine learning to helpuncover patterns in code to identify emerging threats,analyze behavioral patterns to identify maliciousness,and assess code to determine similarity to othermalware families.Interoperability with McAfee productsMcAfee Advanced Threat Defense integrates withmultiple products from the McAfee security portfolio—currently McAfee Network Security Platform, McAfeeWeb Gateway, and McAfee Threat Intelligence Exchange.McAfee Threat Intelligence Exchange integrationswith McAfee Application Control, McAfee EndpointSecurity solutions, McAfee Server Security Suite, and3Sandboxing and the SOCMcAfee Security for Microsoft Exchange further extendinteroperability. Ingesting malware samples from thesevectors, McAfee Advanced Threat Defense then appliesits sandboxing analysis capabilities to arrive at usablethreat data.Interoperability with non-McAfee technologies:email gateways and Bro sensorsIn addition to integrating with McAfee technologies,McAfee Advanced Threat Defense is also compatiblewith third-party security tools such as email gateways.SMTP traffic can be forwarded into any secure emailgateway, such as Cisco ESA and Proofpoint, andthose email gateways, in turn, can forward an emailattachment to McAfee Advanced Threat Defense foranalysis.On the network side, McAfee Advanced Threat Defenseis interoperable with open source Bro Network SecurityMonitor (bro.org). While Bro is an intrusion detectionsystem (IDS) and not a replacement for a robustintrusion prevention system (IPS), like McAfee NetworkSecurity Platform, Bro sensors are often used by SOCsand deployed as a temporary IDS to a suspectednetwork segment to monitor and capture traffic. Brocarves files from network traffic and places them in a filedirectory. McAfee Advanced Threat Defense integrateswith this directory and can read those files. Bro usesscripts that can automatically extract a file from networktraffic in milliseconds and, through the use of a Pythonscript and the McAfee Advanced Threat Defense RESTdaemon, Bro sends it to McAfee Advanced ThreatMcAfee Advanced Threat Defenseoffers numerous advancedcapabilities that can supportinvestigations, including: Comprehensive OS support thatcovers the most widely usedoperating systems for endpoint,servers, and mobile devicesDetailed reports that providecritical information forinvestigation—assembly output,network packet captures (pcaps),graphical function call diagrams,and memory dumpsUser interactive mode, whichenables analysts and threathunters to interact directly withmalware samplesDeeper sample analysis by forcingadditional execution paths thatremain dormant in typical sandboxenvironmentsSample submission to multiplevirtual environments to speedinvestigation by determining whichenvironment variables are neededfor file executionExtensive unpacking capabilities,which reduce investigation timefrom days to minutes
SOLUTION BRIEFDefense for analysis. By using more network sensors toget a second look at potentially malicious traffic, yourinvestigators can gain greater confidence that they aregetting a true positive. It also provides your SOC teamwith a better understanding of threat behavior and adeeper analysis of what’s happening on your network.Features that Support Deeper, More AccurateInvestigationsX-Mode or interactive modeHunters and analysts alike can leverage McAfeeAdvanced Threat Defense X-Mode, or Interactive Mode,to find useful clues about threats that piggyback onlegitimate applications. This is particularly applicableto large organizations, which are often the targets ofadvanced persistent threats (APTs).As a result of reconnaissance missions, bad actorsgain insights into whitelisted applications used bythe targeted organization on a daily basis. Fromthere, they create threats wrapped into the code of aknown whitelisted application and embed maliciouspayloads, like keyloggers. The user can’t see the threat.However, on the back end, if your analyst or threathunter interacts with the malicious code in the McAfeeAdvance Threat Defense sandbox—which is constantlyon the lookout for anomalous or malicious activity—itwill identify malicious activity. Once a suspicious file isuploaded, the analyst can interact with the sample andgain a better understanding of the user experiencesince they actually see what the user would see. Forexample, within an isolated sandbox, your analyst canclick through features of the whitelisted application and4Sandboxing and the SOCexecute various operations, like running an embeddedmacro. Your analysts and threat hunters now havefree reign to do deeper manual investigation withoutworrying about lateral propagation to other assets inyour network and causing harm.X-mode is especially helpful when it comes to extremelyevasive malware that requires human interaction inorder to execute. For example, let’s say a bad actorsends an email with a password-protected spreadsheetattachment along with the password. If the user opensthe spreadsheet and enters the password, the hiddenmalware is triggered, and it infects the system. InX-mode, analysts can interact with the malware withinthe sandbox, such as entering a password to unlock thesample and trigger the malware so that they can betterunderstand how such evasive threats work and theassociated user experience. X-mode is also a great toolfor training junior analysts.Customize for your unique operating systemThreats targeted at a specific organization based on useractivity, authorized applications, and the predominantoperating system in use have become an overridingpoint of focus for many enterprises. If a malware authorknows the specific version of Microsoft Windows OSthat an enterprise uses, for example, they can leveragethat information to optimize the malware and make itas damaging as possible, but less obvious than malwarerunning on a completely different operating system.They can also tailor the malware according to variousOS versions in order to infiltrate as many systems aspossible.
SOLUTION BRIEFAnother mechanism to help analysts and threat hunterstrack down and thwart these APTs is the ability tocustomize the analysis environment in McAfee AdvancedThreat Defense. You can analyze potential threats inan environment with a specific OS version or specificapplications. Malware samples can then be safelydetonated inside the customized analysis VMs. This is agreat boon for your threat-hunting efforts, as it mirrorsyour own environment and helps your team extractIoCs that will accelerate the remediation process andmaximize its effectiveness.Share and PublishAfter rigorous analysis using a variety of methods,McAfee Advanced Threat Defense can share its IoCsand convictions. Outputs include critical investigationinformation, such as disassembly, function calldiagrams, dropped file detail, processes, and registrychanges. McAfee Advanced Threat Defense becomesthe publisher—sharing metadata and results with threatintelligence platforms, machine data analysis solutions,and SIEMs.Data Exchange Layer and Open Data ExchangeLayerBy leveraging the bi-directional communication fabricData Exchange Layer (DXL), McAfee Advanced ThreatDefense can publish its threat intelligence to McAfeeThreat Intelligence Exchange, which instantly sharesthis information across your entire security ecosystem,enabling your solutions—both McAfee products andcompatible third-party products—to work together to5Sandboxing and the SOCadapt their policies and more quickly address threatswith appropriate protection and remediation.Open Data Exchange Layer (OpenDXL), the open sourceversion of DXL, further extends the playing field byproviding simple open source tools, expertise, anda supportive community. Any application, whetherinternally developed or vendor supplied, can tap into thereal-time capabilities of the DXL communications fabric,and thereby take advantage of the rich store of threatintelligence made available by McAfee Advanced ThreatDefense.STIX/OpenTAXIIMcAfee Advanced Threat Defense further demonstratesour ability to create, support, and expand a collaborativesecurity ecosystem by embracing widely used standardsthat enable sharing of cyberthreat intelligence. Itpublishes the information in Open Source format,notably Structured Threat Information Expression (STIX)formatted threat information via Trusted AutomatedeXchange of Indicator Information (TAXII), a transportmechanism for sharing threat intelligence.As a STIX/TAXII publisher, McAfee Advanced ThreatDefense allows solutions that are not directly integratedwith it to easily consume IoCs with details like hashes,malicious IPs, and user IDs. Information of this kindallows SOC analysts and threat hunters to get a clearerunderstanding of the intent of a file or action. Supportfor STIX/TAXII open standards has real value in thatthe information generated by McAfee AdvancedThreat Defense can be parsed and correlated through
SOLUTION BRIEFvirtually any SIEM solution that supports TAXII. Analystsand threat hunters can then get a more holisticunderstanding of what’s happening in their environment,both historically and in real time.Detailed analysis reportsRich and thorough analysis reports from McAfeeAdvanced Threat Defense provide meaningful data thatenables analysts and threat hunters to pivot into actionquickly. These easy-to-understand reports provide valueacross the entire organization—from the SOC to theC-suite. Mapping directly to the MITRE ATT&CK framework:The MITRE Adversarial Tactics, Techniques, and CommonKnowledge (ATT&CK ) framework can help analysts gaina better understanding of adversaries and their work. Byincluding the ATT&CK framework in McAfee AdvancedThreat Defense, McAfee has made it easier for analyststo more quickly understand the techniques, tactics,and procedures (TTPs) of a given threat. Once theyhave this information, they can act faster to implementcorresponding defenses or discovery methods.Some of the most significant and useful informationpresented in the McAfee Advanced Threat Defensereport includes the following: Behavior classification: This high-level indicatorof the classification of malware offers a great dealof value to analysts and threat hunters by providingimmediate insights into the intent of files that havebeen analyzed.Figure 3. Detailed McAfee Advanced Threat Defense reports providecritical information for investigation including MITRE ATT&CK framework mapping.Figure 2. Sample of behavior classification and severity level reporting.Figure 4. A filtered view of the MITRE ATT&CK report focuses onidentified techniques.6Sandboxing and the SOC
SOLUTION BRIEF Detailed information and IoCs: McAfee AdvancedThreat Defense produces in-depth threat intelligencefor investigation, including disassembly output,memory dumps, graphical function call diagrams,embedded or dropped file information, user API logs,and PCAP information. Threat time lines help visualizeattack execution steps.Figure 6. The Timeline Activity report visualizes execution steps of theanalyzed threat.Figure 5. Assembly code, graph analysis, and IoCs.7Sandboxing and the SOC
SOLUTION BRIEFConclusion McAfee Advanced Threat Defense offers numerousadvanced capabilities that can support securityoperations teams, analyst investigations, and threathunting, including: Comprehensive OS support that covers the mostwidely used operating systems for endpoint, servers,and mobile devicesDetailed reports that provide critical information forinvestigation—from assembly output, network packetcaptures (pcaps), graphical function call diagrams, andmemory dumps Deeper sample analysis by forcing additionalexecution paths that remain dormant in typicalsandbox environmentsSample submission to multiple virtual environments tospeed investigation by determining which environmentvariables are needed for file executionExtensive unpacking capabilities, which reduceinvestigation time from days to minutesTo learn more about what Advanced Threat Defense cando for your team, visit http://www.mcafee.com/atdUser interactive mode, which enables analysts andthreat hunters to interact directly with malwaresamples1. cience.pdfMcAfee technologies’ features and benefits depend on system configuration and may require enabled hardware, software, or service activation.Learn more at mcafee.com. No computer system can be absolutely secure.2821 Mission College Blvd.Santa Clara, CA 95054888.847.8766www.mcafee.com8Sandboxing and the SOCMcAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Othermarks and brands may be claimed as the property of others. MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.Copyright 2019 McAfee, LLC. 44226 0119JANUARY 2019