VMware Carbon Black Configuration (Carbanak+FIN7 Evaluation)
Product Versions
VMware Carbon Black Cloud with NSX Advanced Threat Prevention
The following Carbon Black Cloud modules were leveraged for the test:
- Next-gen AV
- Behavioral EDR
- Audit & Remediation
- Enterprise EDR
VMware Carbon Black Cloud Linux Sensor version: 2.9.0.312585
Product Description
VMware Carbon Black Cloud™ is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay. VMware’s offering provides deep network data visibility and detection with NSX Advanced Threat Protection. The cloud-native protection platform enables customers to utilise different modular capabilities to identify risk and to prevent, detect and respond to known and unknown threats using a single lightweight agent and an easy-to-use console. Its universal, lightweight sensor serves as both a continuous event recorder and a preventive action agent.
For detection and response purposes, VMware Carbon Black Cloud captures all process executions and their associated metadata, file modifications, registry modifications, network connections, module loads, fileless script executions, and cross-process behaviors (i.e. process injection). All of this behavioral activity is captured and streamed live to your cloud instance for visualization, searching, alerting, and blocking, which allows for both real-time and historical threat hunting across your environment. VMware Carbon Black Cloud also keeps track of every application executed in your environment and its metadata, including a copy of the binary for forensic purposes.
These features enable customers, MSSPs, and IR partners to:
- Receive threat prevention updates deployed by Carbon Black to prevent the latest attack techniques focused on behavioral attributes in seconds
- Rapidly deploy custom detections in the form of threat intelligence indicators focusing on the same behavioral attributes
- Map alerts and detection techniques directly to MITRE ATT&CK
- Search for binary prevalence, process masquerading, binary signing issuers, and forensic capture for post analysis
- Use a robust and highly extensible API. Some examples of third-party API integrations are:
  - YARA
  - Out-of-the-box SIEM and SOAR API integrations
  - Binary detonation and sandboxing uploads
  - Network security/service appliances (DNS, IDS, IPS, DHCP)
- File integrity monitoring – VMware Carbon Black Cloud can alert any time files, file paths, registry keys, and registry hives are modified
Product Configuration
Next-gen AV, Behavioral EDR, and NSX Advanced Threat Prevention detection capabilities were all configured “out of the box”.
The following Watchlist Feeds were enabled for Enterprise EDR:
- MITRE ATT&CK
- Advanced Threats
- Carbon Black Community
- Endpoint Visibility
- AMSI Threat Intelligence
- Carbon Black Suspicious Indicators
Carbon Black Cloud Audit & Remediation was used to perform various host interrogation tasks when needed, through the built-in recommended queries that ship with the product.
Note: Carbon Black Next-gen AV prevention capabilities were disabled as part of the MITRE testing. Although prevention was turned off, the Carbon Black sensor’s machine learning and heuristics engines were still enabled and set to alert only.