Use Case: Automated Endpoint Detection & Response

By Yaelle Harel, Technical Product Marketing Manager

Only 22% of Security and IT professionals strongly believe that their organization is fully ready to respond to a cyber-attack or a data breach. What about you?

Unfortunately, no matter how comprehensive your state-of-the-art security solutions are, you really can’t assume that you won’t get hit with cyber-attack. The risk of being breached cannot be completely avoided. That’s why it’s important that you have solid post-infection remediation and recovery capabilities. When evaluating such capabilities in your next endpoint protection solution – Automation is a key. Read this blog to learn how automated detection and response can dramatically minimize the impact of the next attack against your organization’s endpoint devices.

Why Automation is a key to Endpoint Protection

Research shows that without automation, the average time to identify a data breach is 228 days and the average time to contain the attack is 80 days, a total of 308 days for the full attack lifecycle.  The average cost of breaches with a lifecycle of more than 200 days is $4.33 M [1]. The research shows that automation can significantly reduce the lifecycle time and hence the total cost of data breaches.

An Endpoint Security solution with automated detection and response capabilities can dramatically reduce the time it takes to contain attacks and minimize their impact on your business.

SandBlast Agent by Check Point is the only Endpoint Protection solution that automatically and completely remediates the entire cyber kill chain. Once an attack has been detected, the infected device can be automatically quarantined to prevent lateral infection movement and restored to a safe state.

Let’s see how it works in a real-life scenario. The below use case demonstrates how an attacker with stolen credentials can quickly execute a severe ransomware attack. We will show how SandBlast Agent automatically stops and remediates the attack within seconds.

Step #1 – Attacker Connects the Protected Server

You will be surprised to realize that many endpoints are open to remote desktop connections (RDP). Attackers can steal user credentials by running phishing attacks, using breached data or buying the credentials in the dark web. Once they have the credentials, they can run an RDP and connect to the victim’s computer without interruption. Once connected to the victim’s machine, the attacker can do pretty much anything. In this case, the attacker copies an executable file to the victim’s machine. The executable file runs Reverse TCP shell code [1] that allows the attack to run commands on the victim’s machine with administrator rights. The following screenshot shows the attacker’s machine in which he opened an RDP window with the victim’s machine. The attacker copied scvhost.exe to the victim’s machine, and he will now execute the file to establish a shell connection to the victim’s machine.

Step #2 – Attacker Runs a Ransomware Attack

Once the connection is established, the attacker can use that shell to execute a Ransomware attack on the victim’s machine. In this example, the attacker starts to encrypt and delete files, including the victim’s wallpaper. You can see below the attacker’s server (on the left) with the executed Ransomware, and the damaged victim’s server (on the right) with a replaced wallpaper and corrupted recycle bin.

Figure 2 Attacker’s Windows Machine (on the left) and victim’s machine under attack (on the right)

Step #3 – Automatic Attack Containment

Just a few seconds after the attack has started, SandBlast Agent detects the Ransomware, stops the files encryption and deletion, and alerts the user about the attack.

Figure 3 Attack Identified and Contained by SandBlast Agent

Step #4 – Automatic Remediation

Once the attack was identified and contained, SandBlast Agent start restoring the encrypted files. In just a few seconds, the victim’s machine is restored, and the damage was prevented. SandBlast Agent doesn’t rely on the built-in operating system backup (shadow copy), that could be damaged or deleted by the ransomware, but instead implement a unique snapshot of the system that includes a track of the latest versions of files and data.

Figure 4 Attack automatically remediated by SandBlast Agent

SandBlast Agent Forensics automatically monitors and records Endpoint Security events, including affected files, processes launched, system registry changes, and network activity, and creates a detailed forensic report, that will be discusses deeply in the next chapter of blog series.

When looking at the SandBlast Agent’s Forensics Report of the Maze attack, we can understand the prevented business impact and the importance of fast, automatic response.

Figure 5 Significant business impact was prevented

SandBlast Agent automatically deleted 527 malicious files, quarantined 630 malicious files, and terminated the ransomware processes. Performing all those actions manually requires a lot of time and effort and realistically it is almost impossible. Without automatic remediation and restoration, the data would have been lost. SandBlast Agent resolves this challenge by automating 90% of detection, investigation, and remediation tasks.

Figure 6 Remediation actions taken by SandBlast Agent

Summary

Today’s cyber-attacks are sophisticated, fast, and dynamic. Even Security Professionals with substantial expertise can’t identify and respond to attacks quick enough to prevent the damage without automated tools. The above use case demonstrates how SandBlast Agent’s Automatic attack containment and remediation resolves this challenge. When using SandBlast Agent, the attack is contained, and the data is restored within seconds.

Threat Hunting is a process that requires excessive domain expertise. For organizations that do not wish, or can’t afford, to hire such experts in full-time, managed detection and response services, is an excellent option. The next and last chapter of this blog series will discuss this service.

Make sure you are ready for the next cyber-security attack; try SandBlast Agent now.


[1] Cost of a Data Breach Report 2020, IBM Security

[2] Reverse TCP shell attack using Metasploit: The attack opens a connection from the victim’s machine to the attacker’s Metasploit listener. Once the connection is established, it is used by the attacker as a shell to access the victim’s machine and run the ransomware attack on it.