Combining Lastline and Carbon Black for End-to-End Malware Analysis


End-to-end malware analysis protects against infected objects residing on, or flowing from, every application (email, websites, mobile, etc.) and every endpoint type (Windows, Mac OS X, Android, iOS). Lastline’s integration with Carbon Black is helping numerous organizations reach this goal.

Carbon Black and Lastline Integration

The Lastline and Carbon Black integration enables a two-way flow of threat related data that enhances both products, and significantly improves analysts’ ability to detect and prevent malware-based attacks.  Lastline ingests suspicious files from Carbon Black, analyzes them for malware, and then sends the results back so Carbon Black can block malicious files and related attacks.

Carbon Black benefits from the advanced malware analysis provided by Lastline, and Lastline is improved by the greater visibility that the additional Carbon Black files provide.

Because the integration is already complete, organizations that wish to add Lastline to an existing Carbon Black installation can do so quickly. The reverse is also true: existing Lastline customers who want to add Carbon Black endpoint protection will find it simple and straightforward.

Configuring Carbon Black to Use Lastline

To enable Lastline within Carbon Black, administrators log in to the Carbon Black console, click the Detect button, then select Threat Intelligence to display the list of threat intelligence feeds. Once the Lastline feed is enabled, the plugin immediately starts submitting files to the Lastline platform for analysis.

When Lastline has completed its analysis, it sends a risk score and supporting data back to Carbon Black, where security staff can view it on the management console.


Figure 1 – Carbon Black Console Showing Lastline Data

Viewing Lastline Data within Carbon Black  

Once Lastline has analyzed the files, alerts start to appear on the Carbon Black dashboard, and administrators can see every file that Lastline has detected as malicious.

In addition to the alerts, security analysts can view a list of all files that Lastline has analyzed, including their scores. Lastline scores files from zero to one hundred. Higher scores come from behaviors recognized as malicious, such as attempting to reach command-and-control servers or disabling security controls on the endpoint. Lastline treats any file scoring seventy or higher as malicious, and those high-priority files are clearly identified in the Carbon Black UI. Files below the threshold remain in the list with their scores, so borderline results can still be reviewed.

Security analysts can click on each file and drill down into additional details such as the file hash and related information, as in the following example:

  • File hash: 0A4937F3B17CFF342048
  • OS type: Windows, 32-bit architecture
  • VirusTotal hits: 35 of the vendors on VirusTotal flag this file as malicious
  • Lastline score: 85
  • File description: ApacheBench command line utility
  • File version number:
  • Original filename: ab.exe
  • Internal name: ab.exe
  • Company name: Apache Software Foundation
  • Product name: Apache HTTP Server
  • Product version: 2.2.14
  • Comments: “Licensed under the Apache license…..”

By clicking on the VirusTotal link (VirusTotal is a website that aggregates scan results from multiple anti-malware vendors), analysts can drill down and see what other vendors and organizations are reporting about the file. Note that the version-resource fields shown above (company, product, original filename, comments) are written by whoever built the binary and are trivially set to anything, so a file that presents itself as a legitimate Apache utility but scores 85 and is flagged by 35 vendors should be judged on its observed behavior, not on its self-reported metadata.

The Details – Link to the Lastline Console

From within the Carbon Black console, analysts can also click the “View on Lastline” link. This opens the Lastline management console with a view of the file’s specific behavioral details. In addition to the file’s hash and risk score, Lastline displays information such as the malware family involved and the malware signatures that matched. Analysts can also see how the sample behaves on a specific platform such as Windows 7, XP, or 10, just by clicking the button for that platform.

Security analysts can query the Lastline Global Threat Intelligence Network for even greater detail. For example, clicking the malware family name returns threat data that administrators can push back to Carbon Black to enhance protection:

  • All files related to that family of malware.
  • A list of command-and-control addresses that administrators can use to build a watchlist and monitor for hosts connecting to those destinations.
  • A list of malicious domains and addresses that administrators can push to the organization’s network infrastructure to block access, preventing the malware from infecting other hosts.
  • The MD5 hash of every related file, not just the file collected from the Carbon Black endpoint but all files associated with it. Administrators can push these hashes back to the Carbon Black management console so the related files are blocked on the endpoints as well.
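The steps above (apply the seventy-point threshold, then turn the family’s hashes, C2 addresses and domains into something Carbon Black can consume) are shown below as an added example; this is not Lastline or Carbon Black code. The analysis records are constructed, the feed JSON layout is an assumption modeled on the Carbon Black Response threat-intelligence feed format, and the `ipaddr:` / `domain:` search terms are assumed Carbon Black Response query fields. Check both against your server’s documentation before importing anything.

```python
"""Turn Lastline-style verdicts into Carbon Black watchlist/feed material.

Added example, not Lastline or Carbon Black code. Sample records are
constructed; the feed layout (feedinfo + reports with an "iocs" map) and the
"ipaddr:"/"domain:" query fields are assumptions about CB Response.
"""
import ipaddress
import json
import re
import time

MALICIOUS_THRESHOLD = 70  # Lastline: score >= 70 is malicious
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed sample records shaped like the details the article lists.
SAMPLE_RESULTS = [
    {"md5": "d41d8cd98f00b204e9800998ecf8427e", "score": 85, "family": "ExampleFamily",
     "c2_ips": ["203.0.113.10", "999.1.1.1"],          # second entry is not a valid IP
     "domains": ["C2.Example.NET."],                    # needs case/trailing-dot cleanup
     "related_md5s": ["0cc175b9c0f1b6a831c399e269772661", "not-a-hash"]},
    {"md5": "900150983cd24fb0d6963f7d28e17f72", "score": 40, "family": None,
     "c2_ips": ["198.51.100.7"], "domains": [], "related_md5s": []},  # below threshold
    {"md5": "f96b697d7cb7938d525a2f31aaf161d0", "score": 72, "family": "ExampleFamily",
     "c2_ips": ["198.51.100.7"], "domains": ["c2.example.net"], "related_md5s": []},
]


def is_malicious(score, threshold=MALICIOUS_THRESHOLD):
    return score >= threshold


def triage(results):
    """Records at or above the threshold, highest score first."""
    return sorted((r for r in results if is_malicious(r["score"])),
                  key=lambda r: r["score"], reverse=True)


def norm_md5(value):
    value = value.strip().lower()
    return value if MD5_RE.match(value) else None


def norm_ipv4(value):
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except ValueError:
        return None


def norm_domain(value):
    value = value.strip().lower().rstrip(".")
    return value if DOMAIN_RE.match(value) else None


def collect_iocs(results):
    """Validated, de-duplicated IOCs from malicious records only.

    Malformed entries are dropped rather than pushed into a blocking feed,
    and records under the threshold contribute nothing even when they carry
    network indicators.
    """
    md5s, ips, domains = set(), set(), set()
    for rec in triage(results):
        md5s.update(filter(None, map(norm_md5, [rec["md5"], *rec.get("related_md5s", [])])))
        ips.update(filter(None, map(norm_ipv4, rec.get("c2_ips", []))))
        domains.update(filter(None, map(norm_domain, rec.get("domains", []))))
    return {"md5": sorted(md5s), "ipv4": sorted(ips), "dns": sorted(domains)}


def build_cb_feed(results, feed_name="lastline_verdicts", timestamp=None):
    """One feed report carrying the IOC set; score = highest Lastline score seen.

    Returns None when nothing crossed the threshold, so callers never import
    an empty feed by accident. Layout is an assumed CB Response feed shape.
    """
    hits = triage(results)
    if not hits:
        return None
    return {
        "feedinfo": {"name": feed_name, "display_name": "Lastline verdicts",
                     "provider_url": "https://example.invalid/lastline",  # placeholder
                     "summary": "Files and C2 indicators scored >= 70 by Lastline",
                     "tech_data": "MD5 hashes, IPv4 addresses and domains", "icon": ""},
        "reports": [{
            "id": f"{feed_name}-report",
            "title": f"Lastline malicious verdicts ({len(hits)} files)",
            "link": "https://example.invalid/lastline",  # placeholder
            "timestamp": timestamp if timestamp is not None else int(time.time()),
            "score": hits[0]["score"],
            "iocs": collect_iocs(results),
        }],
    }


def build_watchlist_query(iocs):
    """Process-search query for connections to the C2 set (assumed field names)."""
    terms = [f"ipaddr:{ip}" for ip in iocs["ipv4"]] + [f"domain:{d}" for d in iocs["dns"]]
    return " or ".join(terms)


if __name__ == "__main__":
    feed = build_cb_feed(SAMPLE_RESULTS)
    print(json.dumps(feed, indent=2))
    print(build_watchlist_query(feed["reports"][0]["iocs"]))
```

Two design choices are worth keeping whatever format you actually target: indicators are validated and normalized before they go anywhere near a block list (a malformed hash or address in a blocking feed is worse than a missing one), and the feed builder refuses to emit anything when no file crossed the threshold, so a benign record that happened to contact a host (the score-40 sample) never turns that host into a watchlist hit.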

Details like these are very beneficial to security analysts. The additional context simplifies and accelerates decision making, improving both accuracy and efficiency.


Figure 2 – View of Lastline Portal from Within Carbon Black

Efficient End-to-End Malware Analysis

In short, the Lastline integration with Carbon Black is easy to enable, and the data it returns significantly improves analysts’ ability to detect and prevent malware-based attacks.

Learn more about the Lastline Breach Protection Platform integration with Carbon Black.

Brian Laing


For more than 20 years, Brian Laing has shared his strategic business vision and technical leadership with a range of start-ups and established companies in various executive-level roles. The author of “APT for Dummies,” he was previously vice president of AhnLab, where he directed the US operations of the internationally known security and software leader. Brian previously founded Hive Media, where he served as CEO. He co-founded RedSeal Systems, where he conceived the overall design and features of the product and was granted two patents related to network security. He was also founder and CEO of self-funded Blade Software, which released the industry’s first commercial IPS/FW testing tool.