This time we will step through the technical details of how to combat unknown malware in a typical enterprise environment. Consider an organization that has just gone through an acquisition. As a result, employees are required to use many new applications. One employee clicks a link in an email for an application that appears legitimate but is in fact malicious: it installs a keylogger that captures the user's keystrokes.
Here is how McAfee's integrated security ecosystem responds to multiple unknown files of this kind, prevents them from executing, and stops them from doing damage across the organization.
McAfee Threat Intelligence Exchange (TIE) discovers the keylogger on the endpoint and blocks the file from executing. The TIE client queries the TIE server for the file's reputation and, at the same time, queries McAfee Global Threat Intelligence (GTI), which aggregates file reputation from a large number of sensors worldwide. The file's hash and reputation are cached on the TIE server while it checks its local whitelist and blacklist. After this query-response cycle, TIE can update the reputation to good or bad. In this case, however, the file is unknown and needs further analysis.
Through a REST API, TIE communicates with McAfee Advanced Threat Defense (ATD) and sends the unknown file for sandbox analysis. ATD spins up a virtual machine (VM) and detonates the file for dynamic analysis, which exposes any malicious behavior at run time. In parallel, ATD performs static code analysis: it unpacks the file and reverse-engineers the code, compares it against known malware families by looking for reused code, and flags any code that is potentially malicious. Metamorphic and obfuscated code, which can be highly ambiguous on its own, is exposed by combining static and dynamic analysis. If malicious intent is identified, ATD convicts the file and updates its reputation, applying a high-severity rating in this case. The analysis also produces a number of indicators of compromise (IoCs) for the file: it attempts to bypass security controls, it installs a keylogger, and it connects to risky websites. The verdict is sent back to the TIE server, which updates its local repository so that every integrated vector, from endpoint to network, is protected. ATD also publishes the IoCs over the McAfee Data Exchange Layer (DXL) to any subscriber.
McAfee DXL, which shares threat data across McAfee security components and third-party security products, publishes these IoCs for ingestion by the other solutions in the environment.
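The lookup, enrichment and publish cycle described above can be modelled end to end in a few dozen lines. The following Python script is an added example, not McAfee code and not an interface to TIE, GTI, ATD or DXL: every class, function, sample file, hash and reputation label in it is a hypothetical stand-in, the "sandbox" is a static string scan rather than a VM detonation, and the "global feed" is a constructed dictionary. What it shows is the ordering that matters in the flow: local lists beat the cache, the cache beats the global query, only a genuinely unknown hash goes to analysis, and once a verdict is recorded and published, a second endpoint meeting the same file is blocked from the cache without a new round trip.

```python
"""Model of a tiered file-reputation flow: local lists -> cache -> global feed
-> sandbox -> publish. Added example with hypothetical names; not McAfee code."""
import hashlib
from dataclasses import dataclass, field
from typing import List

KNOWN_TRUSTED, LIKELY_CLEAN, UNKNOWN, MALICIOUS = (
    "known_trusted", "likely_clean", "unknown", "malicious")


@dataclass
class Verdict:
    reputation: str
    source: str                 # tier that answered: local_list, cache, global, sandbox
    severity: int = 0           # hypothetical 0-100 rating attached on conviction
    iocs: List[str] = field(default_factory=list)


class ReputationServer:
    """Stand-in for a local reputation server keyed by SHA-256 of the file."""

    def __init__(self, global_lookup):
        self.allowlist, self.blocklist = set(), set()
        self.cache = {}                 # sha256 -> Verdict already decided
        self.global_lookup = global_lookup   # callable(sha256) -> reputation or None
        self.subscribers = []           # callables(sha256, Verdict), the "DXL" side
        self.global_queries = 0         # round trips, so the cache effect is visible

    def lookup(self, sha256):
        if sha256 in self.blocklist:    # operator policy wins over everything
            return Verdict(MALICIOUS, "local_list", 100)
        if sha256 in self.allowlist:
            return Verdict(KNOWN_TRUSTED, "local_list")
        if sha256 in self.cache:        # already decided: no second analysis
            c = self.cache[sha256]
            return Verdict(c.reputation, "cache", c.severity, list(c.iocs))
        self.global_queries += 1
        rep = self.global_lookup(sha256)
        if rep is not None:
            self.cache[sha256] = Verdict(rep, "global")
            return self.cache[sha256]
        return Verdict(UNKNOWN, "global")

    def update(self, sha256, verdict):
        """Record a verdict and publish it to every subscriber."""
        self.cache[sha256] = verdict
        for publish in self.subscribers:
            publish(sha256, verdict)


# Well-known Win32 API names a keylogger has to import; the static pass looks for them.
KEYLOGGER_APIS = (b"SetWindowsHookEx", b"GetAsyncKeyState", b"GetKeyState")


def sandbox_analyse(data):
    """Stand-in for ATD-style analysis: a static scan of the bytes for hooking
    APIs and embedded URLs. A real sandbox would also detonate the file in a VM."""
    iocs = ["imports:" + api.decode() for api in KEYLOGGER_APIS if api in data]
    for token in data.split():
        if token.startswith((b"http://", b"https://")):
            iocs.append("contacts:" + token.decode("ascii", "replace"))
    if iocs:
        return Verdict(MALICIOUS, "sandbox", 90, iocs)
    return Verdict(LIKELY_CLEAN, "sandbox")


def endpoint_check(server, data):
    """Decision taken when a file is about to run. Returns (allowed, verdict).
    An unknown file is held (not run) until the analysis verdict comes back."""
    sha256 = hashlib.sha256(data).hexdigest()
    verdict = server.lookup(sha256)
    if verdict.reputation == UNKNOWN:
        verdict = sandbox_analyse(data)
        server.update(sha256, verdict)
    return verdict.reputation in (KNOWN_TRUSTED, LIKELY_CLEAN), verdict


# Constructed sample bytes standing in for the keylogger and for a known-good tool.
KEYLOGGER_SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16 +
                    b"user32.dll SetWindowsHookExA GetAsyncKeyState "
                    b"http://c2.example.invalid/upload")
TRUSTED_SAMPLE = b"MZ\x90\x00 trusted-vendor-tool v1.0"
# Constructed stand-in for the global feed: it knows only the vendor tool's hash.
GLOBAL_FEED = {hashlib.sha256(TRUSTED_SAMPLE).hexdigest(): KNOWN_TRUSTED}


def run_scenario():
    server = ReputationServer(GLOBAL_FEED.get)
    published = []
    server.subscribers.append(lambda h, v: published.append((h[:12], v.reputation, v.iocs)))
    trusted = endpoint_check(server, TRUSTED_SAMPLE)     # answered by the global feed
    first = endpoint_check(server, KEYLOGGER_SAMPLE)     # unknown -> sandbox -> publish
    second = endpoint_check(server, KEYLOGGER_SAMPLE)    # same hash on another endpoint
    return {"trusted": trusted, "first": first, "second": second,
            "published": published, "global_queries": server.global_queries}


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(name, result)
```

Two design points carry over to the real deployment. Because every tier is keyed by the file hash, a repacked variant of the same keylogger presents a new hash and starts the cycle again, which is why the published IoCs (the hooking APIs, the contacted host) are worth feeding to other controls rather than relying on the hash alone. And the second endpoint is blocked from the cache with no further global query, which is the point of caching verdicts locally.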
Robert Williams is a self-professed security expert who has been making people aware of security threats. He is passionate about writing on cybersecurity, malware, social engineering, games, the internet and new media. He writes about McAfee products at mcafee.com/activate or www.mcafee.com/activate .