Active Response: Example Scenarios And Common Response Events

Introduction

This article lists common threat examples, and how Active Response would remediate the threat, based on your organization’s Response Policy. Note that the following examples do not consider any custom exclusions or exceptions your organization may have added while configuring your response policy.


To learn more about Response Actions, Response Policies, and a general overview of Active Response, see our knowledge base chapter on Active Response & Active Protection.


Example Scenarios

The following sections show how each Active Response policy (without custom exclusions) would address some common example scenarios. 


Suspected Microsoft 365 account breach

Field Effect has identified that a Microsoft 365 account may be compromised. The confidence that the account is compromised is 50/50.


Off: ARO is issued.

Limited: ARO is issued.

Balanced: ARO is issued. During normal business hours, an analyst reviews the event and manually locks the account if the ARO hasn't been acknowledged by your organization. The account will be inaccessible to both the legitimate user and the potential attacker.

Aggressive: ARO is issued. The account will be automatically locked, making it inaccessible to both the legitimate user and the potential attacker.


Malware confirmed on a device

Malware has been executed on a host. The malware has not yet begun any malicious activity (such as encrypting files) but is communicating with known command-and-control hosts on the Internet.


Off: ARO is issued.

Limited: ARO is issued. The host is isolated.

Balanced: ARO is issued. The host is isolated.

Aggressive: ARO is issued. The host is isolated.


Suspected malware on a device

At 9:00 PM on a Saturday, Field Effect identified suspicious processes on two hosts, one of which is the domain controller (a critical component). The processes are making connections to specific domains on the Internet, but it can't be confirmed that the processes are in fact malicious.


Off: ARO is issued.

Limited: ARO is issued.

Balanced: ARO is issued. The DNS firewall is automatically updated to block resolutions to the suspicious domain(s).

Aggressive: ARO is issued. The DNS firewall is automatically updated to block resolutions to the suspicious domain(s). Affected hosts are isolated from the network.


Ransomware activity detected on host

Ransomware behavior (active file encryption) has been identified on a device via the endpoint agent.


Off: ARO is issued.

Limited: ARO is issued. The ransomware process is automatically blocked and prevented from future execution.

Balanced: ARO is issued. The ransomware process is automatically blocked and prevented from future execution.

Aggressive: ARO is issued. The ransomware process is automatically blocked and prevented from future execution. The host is isolated from the network.


Primary Events that Trigger a Response Action

This article outlines the top 10 events that trigger an Active Response (AR) response action when using the Balanced response policy. The response actions listed below would typically be triggered without manual intervention or contact. Actions that are confirmed by an analyst will involve an assessment of your organization's business impact from the proposed response action.


While the following list of response actions assumes the organization has a Balanced response policy in place, the primary differences with the Aggressive response policy are automated endpoint-based blocking for potentially legitimate software techniques that are often abused by malware, and automated account locking for high-confidence malicious inbox rule creation. Additional automated cloud account locking can also be implemented where requested (such as locking on VPN authentication).


Admin accounts will not be locked as a safety mechanism, but all other response actions will still apply.



Top Ten Response Action Events

The following events are grouped by their monitoring category.


Cloud-Based Response Actions

1 - Suspicious Authentication Events 

  • Typically assessed based on a combination of: 
    • User location history
    • VPN use history
    • ISP reputation
    • Authentication protocols used
    • Possible credential compromise techniques (brute force, credential stuffing, etc.)
  • AR Action: Account lock, revoking of all sessions, and rule deletion upon analyst confirmation.


2 - Suspicious Inbox Rules

  • Typically assessed based on a combination of: 
    • Considerations for the related authentication event (listed above)
    • Rule contents and likelihood of legitimacy
  • Note: The severity is automatically raised for indicators involving financial information, evasion attempts, or other common threat actor techniques.
  • AR Action: Account lock, revoking of all sessions, and rule deletion upon analyst confirmation.
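The inbox rule review described in items 1 and 2 can be illustrated with a small triage scorer. This is an added example and not Field Effect's code: it flags the financial-keyword and mail-hiding indicators named above and raises severity when both appear. The rule records, the indicator names and INTERNAL_DOMAINS are constructed for the example.

```python
# Added example (not Field Effect's code): scores a newly created inbox rule for
# the indicators discussed above. Rule records and INTERNAL_DOMAINS are constructed.
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains
FINANCIAL_TERMS = {"invoice", "payment", "wire", "bank", "remittance"}
# Folders users rarely open; rules filing mail here usually hide it from the owner.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email"}
EVASION = {"external_forward", "delete_message", "moved_to_unused_folder", "mark_as_read"}

@dataclass
class InboxRule:
    name: str
    subject_contains: list = field(default_factory=list)
    from_contains: list = field(default_factory=list)
    forward_to: list = field(default_factory=list)  # full SMTP addresses
    move_to_folder: str = ""
    delete_message: bool = False
    mark_as_read: bool = False

def triage_inbox_rule(rule: InboxRule) -> dict:
    """Return the indicators found in the rule and a severity of low, medium or high."""
    indicators = []
    text = " ".join(rule.subject_contains + rule.from_contains).lower()
    if any(term in text for term in FINANCIAL_TERMS):
        indicators.append("financial_keyword")
    if any(addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS for addr in rule.forward_to):
        indicators.append("external_forward")
    if rule.delete_message:
        indicators.append("delete_message")
    if rule.move_to_folder.lower() in HIDDEN_FOLDERS:
        indicators.append("moved_to_unused_folder")
    if rule.mark_as_read:
        indicators.append("mark_as_read")
    if len(rule.name.strip()) <= 2:  # one- or two-character names are a common BEC habit
        indicators.append("nondescript_name")
    hides_mail = bool(EVASION & set(indicators))
    financial = "financial_keyword" in indicators
    severity = "high" if hides_mail and financial else "medium" if hides_mail or financial else "low"
    return {"rule": rule.name, "severity": severity, "indicators": indicators}

def triage_sample_rules() -> list:
    """Constructed rule records standing in for entries from a mailbox audit log."""
    rules = [
        InboxRule("Vendor newsletters", from_contains=["news@vendor.example"], move_to_folder="Newsletters"),
        InboxRule(".", subject_contains=["invoice", "payment"], forward_to=["collector@attacker.invalid"],
                  delete_message=True, mark_as_read=True),
        InboxRule("IT notices", subject_contains=["password reset"], move_to_folder="RSS Feeds", mark_as_read=True),
    ]
    return [triage_inbox_rule(r) for r in rules]  # -> severities low, high, medium
```

In a real deployment the severity would be combined with the authentication-context factors from item 1 before an analyst confirms the lock.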


Network-Based Response Actions

In some cases, network-based detections may apply to a host that does not have a Covalence endpoint agent installed, in which case we are unable to take AR action. All other investigative and contact actions will still apply.


3 - Connections to Malicious Remote Systems

  • Examples of factors used to identify malicious systems: 
    • SSH certificates associated with known intrusion software suites and malware campaigns
    • Connections via TOR 
  • AR Action: Host isolation upon analyst confirmation.


4 - Suspicious Sensitive Protocol Connections (RDP, SMB, etc.)

  • Examples of factors used to identify malicious connections: 
    • Connections on newly opened ports
    • Connections from remote systems associated with past malicious activity
    • Connections associated with credential compromise attempts (brute force, credential stuffing, etc.)
  • AR Action: Host isolation upon analyst confirmation.


Endpoint-Based Response Actions

5 - Malware

  • Examples of detected techniques likely leading to AR action:
    • Detection of known malware variants, both by Covalence signatures and via integration with Microsoft Defender 
    • Detection of unknown or modified malware via monitoring of malware techniques – typically activities that must be conducted for any malware to be effective
  • AR Action: Execution blocked and associated software terminated (automatic), followed by host isolation upon analyst confirmation.


6 - Ransomware

  • Examples of detected techniques likely leading to AR action:
    • Indicators for known Ransomware variants
    • Attempts to tamper with disk backups or shadow volumes
    • Attempts to stop common services that hinder ransomware encryption
    • Use of third-party file copying tools commonly abused by ransomware
  • AR Action: Execution blocked and associated software terminated (automatic), followed by host isolation upon analyst confirmation.


7 - Office Suite and Browser Malware Delivery

  • Examples of detected techniques likely leading to AR action:
    • Executions by office suite software (possible malicious document)
    • Executions by email clients (possible malicious email attachment)
    • Executions of software located in downloads or other temporary folders (possible malware download)
  • AR Action: Execution blocked and associated software terminated (automatic), followed by host isolation upon analyst confirmation. 


8 - System Tampering

  • Examples of detected techniques likely leading to AR action:
    • Adding Microsoft Defender exclusions
    • Changing local host security configurations
    • Deleting or modifying Windows Event Logs
    • Attempts to tamper with the Covalence endpoint agent
  • AR Action: Execution blocked and associated software terminated (automatic), followed by host isolation upon analyst confirmation. 


9 - Privilege Elevation and Propagation

  • Examples of detected techniques likely leading to AR action:
    • Attempts to bypass user account controls
    • Attempts to enumerate / modify local administrative groups
    • Attempts to abuse Active Directory via local commands
    • Attempts to execute software on a remote host
  • AR Action: Execution blocked and associated software terminated (automatic), followed by host isolation upon analyst confirmation.


10 - Any Action-type ARO

Note: This does not exclude investigation of other ARO types, but Action AROs are prioritized.
  • All AROs produced with the Action type are highly visible to analysts and will result in an investigation where warranted.
  • AR Action: Host isolation as deemed necessary by analyst initial investigation.


Additional Endpoint-Based Response Actions

This requires the v3.2.8 endpoint agent.


11 - File Access Controls

  • Most notably, this allows:
    • Allow-listing only expected editor / viewer software attempting to write to document files
    • All other processes attempting to write to a document would be blocked (aimed at preventing the possibility of ransomware encryption)
  • AR Action: Execution blocked and associated software terminated (automatic), followed by host isolation upon analyst confirmation.

