Proactive protection: How to prepare for cyber threats and minimize consequences
Sales Engineer, BAKOTECH
A cyberattack that isn’t detected in time results in financial and reputational damage. Such incidents happen to many companies, and investigating the attack and eliminating its consequences takes a lot of time.
Classic infrastructure security comprises tools that respond to threats that have already emerged, such as an antivirus, IPS and sandbox. This reactive approach has proven itself over the years, but why wait for an attack if you can prepare for it in advance?
This is where a new proactive approach comes in.
What is the proactive approach?
The proactive approach helps investigate and prepare for the most dangerous cyberattacks without directly encountering them. We can also call it "Shift to Left", since we are shifting focus to the left – from the moment of attack to its planning stage.
The proactive approach includes the following elements:
● Studying the latest cyberattacks;
● Updating security solutions’ configuration;
● Threat Hunting.
But how do you find out about the attacks that haven’t happened yet?
Typical approaches to proactive security
You can find out about the newest threats from news and topical articles, for example from CERT-UA (Computer Emergency Response Team of Ukraine), which gives a brief overview of every new attack on Ukraine and provides indicators of compromise.
This way of acquiring Threat Intelligence is, of course, crucial and valuable, but it isn’t exhaustive.
For example, the IoCs published in articles aren’t updated over time, so modified versions of the same threat go uncaught. The articles also lack data on attack tactics and techniques mapped to the MITRE ATT&CK framework, which would significantly simplify studying the threat.
Another option for obtaining threat information is integration with Threat Intelligence Feeds. They automatically feed security tools (AV, IPS, SIEM, etc.) with the latest compromise indicators, keeping signature databases up to date. An example of such a resource is misp.gov.ua (Malware Information Sharing Platform "Ukrainian Advantage"). This way of obtaining Threat Intelligence already protects against the latest known threats, but bare IoCs carry no context. For example, what do these domain names on an IoC list tell you?
● Gdsfkjlaskd532.onion
● Kdowodkve12353.com
● 123igkfklas0or.org
Nothing special. Instead, you would want to know which hacker group is behind the IoCs and which countries and industries (the public sector, banking, etc.) were affected, and at the very least what additional security measures you need to take to fend off the attacks behind these domain names. It is also essential that the information about each attack is analysed, stored and shared to improve the skills of information security specialists around the world.
Proactive protection with Trellix Insights
Trellix (previously McAfee) has combined both approaches into a single solution that has no substitutes, arming it with a clear graphical interface, a variety of useful integrations and cyberattack analytics. It is called Trellix Insights.
Trellix Insights provides a proactive approach to security with real-time analytics. Comprehensive intelligence, analysed by AI and experts, prioritizes threats that are most likely to affect your company. Trellix Insights predicts exactly how a threat will affect your security and makes recommendations for improving your security.
Key advantages of Trellix Insights
Global threat database
The Insights database includes more than 2000 attack campaigns and 70 hacker groups. The data about them is collected from more than a billion sensors around the world, and after the McAfee and FireEye merger there are even more of them. Every attack campaign page includes everything the previous examples lacked:
● Brief description of the threat with links to the full investigation;
● Countries under attack;
● Discovery data for your organisation, sector and country;
● Continuously updated compromise indicators;
● Mapping of attacker tactics and techniques to MITRE ATT&CK.
Trellix ENS and SkyHigh policy audit
Trellix Insights provides another tool for preparing for potential attacks — the Trellix Endpoint Security and SkyHigh policy audit. The audit produces a score from 1 to 100 together with recommendations for raising it. Here are a few examples of what earns a better score:
● Updating the Endpoint Security signatures to the latest version;
● Activating system recovery after threat detection;
● Connecting to a reputation cloud service;
● Eliminating detected threats.
This tool often helps detect workstations with temporarily disabled protection — for instance, when someone disabled it to install seemingly free software.
It also includes convenient security improvement suggestions and an Actions button that navigates to the ePolicy Orchestrator policy catalogue (the endpoint management console). Thanks to these features, you can make the required changes and increase your organisation's security in just a few clicks.
An attacker can spend months inside an organisation stealthily collecting data and searching for sensitive material. Threat Hunting allows you to identify such intruders by constantly monitoring the organisation's systems for known IoCs.
In our case, Threat Hunting will require another tool – Trellix EDR. It allows you to search for certain files, processes and registry keys on workstations in real time and delete them, if needed.
The Threat Hunting process can look like this:
1. Create a search for the most widespread attack campaigns in Ukraine.
2. Select a campaign, go to its page and open the Indicators of Compromise (IoCs) tab.
3. Choose the IoC of interest and click the Real-Time Search in Trellix EDR button. EDR will then automatically create a search query for the selected IoC across all your workstations.
If you detect any indicators of compromise, you can delete, block or investigate them right on this page (image below): choose the required IoC and the relevant option in the Actions menu.
Let’s see how Insights can automatically detect traces of attack campaigns.
Trellix Insights as an investigation tool
Let's say there's been an attack. The antivirus software detected a malicious file "ghost.doc", which it classifies as "W97M/Downloader.dvh".
Blocking it is good, but an antivirus-aided investigation usually stops at this point.
Next, we navigate to the ePolicy Orchestrator console where we see a notification about attack campaign detection — GhostWriter Espionage Operation.
Clicking the More Info link opens Trellix Insights on the campaign’s page with its brief description.
Let’s dig deeper. The map shows that the most attacked country in this campaign is Ukraine.
Below the map, it says that attacks are still happening, so you need to take preventive measures as soon as possible.
On the same page, we see the detected IoC, highlighted in red. All indicators of compromise can be exported for import into other solutions.
Next, the description of the detected techniques lets you see the full picture of the intruders’ activities and take action immediately. You can also see that GhostWriter is delivered via spear phishing, uses mshta.exe to execute malicious scripts and secretly captures keystrokes.
Using the MITRE ATT&CK matrix, the solution organises all techniques in table form, where you can see the step-by-step actions of GhostWriter.
Eliminating the threat
To remove the threat, go to "Indicators of Compromise IoCs," choose the previously highlighted IoC and click the Real-Time Search in Trellix EDR button.
The hash was detected on two workstations.
Then, we tick the boxes beside all affected systems and go to Actions >> Contain >> Quarantine Device. The quarantine function blocks all network connections of the workstations except those to Trellix. This secures the systems and gives us more time to investigate.
Now, let’s delete the detected malware along with any process it may have created: Actions >> Mitigate >> Stop And Remove File Safe; enter the hash into the sha256 field and click Confirm.
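As an added example (not Trellix code or the article's own), here is the logic behind the hunt steps and the containment steps above in Python: a sweep of constructed endpoint telemetry against a constructed campaign IoC set, followed by triage that separates hosts with an atomic hash or domain hit (quarantine candidates) from hosts where only mshta.exe was seen, since that binary is also used legitimately. The hash, host names and telemetry are constructed; the domains reuse the article's own example names.

```python
"""Added example: an IoC sweep and triage over constructed endpoint telemetry,
mirroring the Insights -> EDR real-time search and contain steps. Not Trellix code."""
from collections import defaultdict
PLACEHOLDER_HASH = "ab" * 32  # constructed SHA-256, not a real indicator

# Constructed campaign IoC set; the domains reuse the example names from the article.
CAMPAIGN_IOCS = {
    "sha256": {PLACEHOLDER_HASH},
    "domain": {"kdowodkve12353.com", "123igkfklas0or.org"},
    "process": {"mshta.exe"},  # technique indicator (LOLBin), also used legitimately
}

# Constructed endpoint telemetry, shaped like an EDR search result.
TELEMETRY = [
    {"host": "WS-001", "file_hashes": [PLACEHOLDER_HASH],
     "dns": ["update.kdowodkve12353.com"], "processes": [r"C:\Windows\System32\mshta.exe"]},
    {"host": "WS-002", "file_hashes": ["f" * 64],
     "dns": ["intranet.example"], "processes": [r"C:\Windows\System32\mshta.exe"]},
    {"host": "WS-003", "file_hashes": [PLACEHOLDER_HASH.upper()],  # tools differ in hash case
     "dns": [], "processes": []},
]

def domain_matches(query, ioc_domains):
    """True if the queried name is an IoC domain or a subdomain of one (label-aware)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)

def sweep(telemetry, iocs):
    """Return {host: [(ioc_type, matched_value), ...]} for every host with at least one hit."""
    hashes = {h.lower() for h in iocs["sha256"]}
    hits = defaultdict(list)
    for rec in telemetry:
        for h in rec["file_hashes"]:
            if h.lower() in hashes:
                hits[rec["host"]].append(("sha256", h.lower()))
        for name in rec["dns"]:
            if domain_matches(name, iocs["domain"]):
                hits[rec["host"]].append(("domain", name.lower()))
        for path in rec["processes"]:
            exe = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if exe in iocs["process"]:
                hits[rec["host"]].append(("process", exe))
    return dict(hits)

def triage(hits):
    """Atomic IoC hits (hash/domain) justify quarantine; a LOLBin sighting alone needs review."""
    quarantine = sorted(h for h, v in hits.items() if any(t != "process" for t, _ in v))
    review = sorted(h for h in hits if h not in quarantine)
    return quarantine, review
```

In this data WS-001 and WS-003 are quarantine candidates, while WS-002 only shows mshta.exe and goes to an analyst for review rather than straight to containment.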