Cybereason Blog | Cybersecurity News and Analysis

Cybereason advances prevention, data collection, investigation, and management capabilities

Written by Justin Buchanan | Feb 6, 2023 5:41:48 PM

The latest release of the Cybereason Defense Platform is packed with new innovations to ensure that our customers have an advantage over attackers. The latest enhancements include improvements to prevention, data collection, investigation, and management capabilities. 

For this post, we’ll focus on the recent improvements in prevention, data collection, investigation, and management. Customers can read the complete release notes on The Nest.

Prevention

VACCINATE AGAINST MALICIOUS PAYLOADS WITH VARIANT PAYLOAD PREVENTION

Variant Payload Prevention monitors the code being loaded into memory and uses Binary Similarity Analysis to identify previously unknown (obfuscated) malware based on its similarities to existing malware payloads such as a Cobalt Strike Beacon or Metasploit Meterpreter.

Watch the video below to see Variant Payload Prevention in action:


Learn more about Variant Payload Protection (VPP) here.

DECREASE THE ATTACK SURFACE ON MAC DEVICES WITH CYBEREASON DEVICE CONTROLS

The Cybereason Device Controls are highly effective at reducing the overall attack surface and preventing threats that propagate through removable media such as USB storage devices. 

We’ve expanded this functionality to Mac, enabling the enforcement of block permissions on USB storage devices.

Learn more about Cybereason Endpoint Controls here.

EMPOWER END USERS TO BE A PROACTIVE LINE OF DEFENSE WITH ON-DEMAND ENDPOINT SCANS

If you see something, scan something. As end users perform their daily tasks, on some occasions, they will come across files that seem just a little odd. 

With this release, end users can proactively scan directories for (and, as appropriate, clean or quarantine) malicious content. These scans can be initiated on-demand by right-clicking on a folder or from the command line. 

To initiate a scan, in Windows File Explorer, right-click the relevant folder, file, or drive you want to scan and select Scan with Cybereason.

Or from the command line, the following command initiates a full scan:

C:\Program Files\Cybereason ActiveProbe> CrScanTool.exe scan full

And the following command scans a specific path:

C:\Program Files\Cybereason ActiveProbe> CrScanTool.exe scan path C:\Users\john.doe\Documents\

Learn more about Cybereason NGAV here.

USE A WIDER VARIETY OF THREAT INTELLIGENCE SOURCES TO BLOCK UNDESIRED APPLICATIONS WITH SHA-1 AND SHA-256 BASED PREVENTION

Threat intelligence will frequently include hashes of known malicious files. Previously, this intelligence could be explicitly added to Cybereason only as an MD5 file hash. 

With this release, SHA-1 and SHA-256 hashes can also be added to the Cybereason blocklist via the UI or CSV, enabling you to prevent execution of files matching those hashes with Application Control.
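As an added example (not Cybereason code), the script below sorts a mixed threat-intelligence feed into MD5, SHA-1 and SHA-256 indicators by digest length, drops malformed and duplicate entries, writes them out as CSV, and computes all three digests of a file so an indicator of any type can be matched. The "hash_type,hash" column layout is an assumption, since the blocklist import format is not described here.

```python
import csv
import hashlib
import io
import re

# Hex digest length identifies the algorithm; feeds rarely label it.
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")

def classify_hash(value):
    """Return (algorithm, lowercase hex) or None for an unusable value."""
    v = value.strip().lower()
    algo = HASH_TYPES.get(len(v))
    return (algo, v) if algo and HEX_RE.match(v) else None

def feed_to_blocklist_rows(feed_lines):
    """Raw feed lines -> (algorithm, hash) rows; comments, junk and duplicates are skipped."""
    rows, seen = [], set()
    for line in feed_lines:
        parsed = classify_hash(line.split("#", 1)[0])  # '#' starts a feed comment
        if parsed and parsed not in seen:
            seen.add(parsed)
            rows.append(parsed)
    return rows

def blocklist_csv(rows):
    """CSV for import. The 'hash_type,hash' layout is assumed, not the documented format."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["hash_type", "hash"])
    writer.writerows(rows)
    return buf.getvalue()

def file_digests(data):
    """All three digests of one file, so an indicator of any type can be matched."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}

def matches_blocklist(data, rows):
    """True if the file's digest under any listed algorithm is on the blocklist."""
    digests = file_digests(data)
    return any(digests[algo] == h for algo, h in rows)

SAMPLE = b"constructed sample payload, not real malware\n"
SAMPLE_FEED = [  # constructed feed: not real indicators
    hashlib.sha256(SAMPLE).hexdigest().upper(),          # uppercase is normalized
    hashlib.sha256(SAMPLE).hexdigest(),                  # duplicate, collapsed
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",          # SHA-1 of an empty file
    "d41d8cd98f00b204e9800998ecf8427e # md5, empty file", # trailing feed comment stripped
    "not-a-hash",                                        # malformed, dropped
]
```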

Learn more about Cybereason Application Control and NGAV here.

Data Collection Improvements

IMPROVE VISIBILITY ON MAC DEVICES WITH ENDPOINT SECURITY FRAMEWORK (ESF) SUPPORT

ESF is built into the macOS operating system and monitors system events for potentially malicious activity.

With this release, Cybereason can leverage this native capability to augment other data collection, ensuring you always have the most comprehensive understanding of what is happening on your endpoints. 

FILE EVENTS AND REGISTRY COLLECTION ENCOURAGES ADOPTION OF BEST PRACTICES

With this release, both File events and Registry events collection are available by default, so you no longer need to contact Technical Support to enable these options in your environment.

Furthermore, the approach to File Event collection has been tuned to improve data collection performance. 

Customers can learn more about configuring additional endpoint data collections here.

Investigation and DFIR Improvements

UNCOVER NEW IOCs BY REVIEWING ACTIVITY ON A MACHINE AROUND DETECTED MALICIOUS ACTIVITY WITH MACHINE TIMELINE

Machine Timeline has been improved in this release, further streamlining investigation workflows by showing a unified timeline of events on a machine of interest around the time of a key or lead event. Events can be starred so the analyst can seamlessly transition between the high-level review and deeper investigation phases. Three new filters can now be applied to results, surfacing activity related to Suspicions and MalOps.

Learn more about Cybereason Machine Timeline here.

FIND THE DETAILS FASTER WITH IMPROVED FILTERING FOR QUERY BUILDING

When you build a query, if you have multiple values for the selected filter Feature in your query, you can now join the values with the AND operator. For example, you can add Command line contains ‘abc’ AND Command line does not contain ‘xyz’ to the same filter to return items whose command line contains the string ‘abc’ but not the string ‘xyz’.

Additionally, the timeline filter is now applied to all Elements in the query chain that have time-based components (such as Connection, Logon Session, Detection Events, Malop Process, and Process) instead of only the last Element in the query chain.

Customers should visit the Understanding query parts documentation for details on the operator changes. 

COMPLETE INCIDENT RESPONSE ENGAGEMENTS FASTER WITH IR AND FORENSIC TOOLS MANAGEMENT WITH THE IR TOOLS SCREEN

With this release, users can now upload Incident Response (IR) or Forensic Data Integration (FDI) tools to the Cybereason IR Tools screen without the need to use API requests or scripts.

The IR Tools functionality enables you to deploy tools to selected machines, run tools as needed on selected machines, and retrieve and upload tool execution results to your own GCP bucket. These capabilities reduce the management burden of Incident Response engagements, enabling you to complete these time-sensitive tasks quickly.

Learn more about the Cybereason DFIR module here.

Management Enhancements

REDUCE THE INFRASTRUCTURE MANAGEMENT BURDEN WITH SENSOR UPGRADE MONITORING AND REMOTE UNINSTALL

With this release, users can remotely uninstall sensors from Windows machines directly from the Sensors screen.

Furthermore, we’ve updated the “Last Update status” column on the Sensors screen to simplify monitoring the progress of sensor upgrade operations.

And finally, we’ve added sensor upgrade prerequisite checking. Now, before an upgrade proceeds, the system checks that the target machine:

  • Is running a supported OS
  • Has a supported architecture
  • Has the required certificates
  • Is running an older sensor version that requires an upgrade

Any failures are noted in the “Last Update status” column on the Sensors screen.

IMPROVE YOUR IMPLEMENTATION OF LEAST PRIVILEGE WITH THE SYSTEM VIEWER ROLE

To provide greater visibility into system settings without the risk of unauthorized configuration changes, Cybereason added a new System Viewer user role. Users with the System Viewer role have read-only access to the screens available to the System Admin role. While users with the System Viewer role can view the Cybereason platform’s system and sensor settings, they cannot change any settings or perform actions.

Customers can learn more about the System Viewer role and other roles by viewing the User roles documentation.

EXTEND COVERAGE WITH NEW OS SUPPORT

  • Windows 10 22H2
  • Windows 11 22H2
  • macOS Monterey 12.3 - 12.6
  • macOS Ventura
  • Native support for Apple Silicon Macs (M2, M2 Pro, and M2 Max)
  • Rocky Linux 8 and 9
  • Ubuntu 22.04
  • RHEL 9

Customers can view the complete list of supported operating systems here.

Prevention, Data Collection, Investigation, and Management

This latest release is our next step toward empowering defenders and reversing the adversary's advantage. Customers can read the complete release notes in The Nest.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise, and everywhere the battle takes place.

Schedule a demo today to learn how your organization can benefit from Cybereason’s unique innovations.