We are happy to release today the Joe Sandbox - Carbon Black connector! With the connector, Carbon Black Response users benefit from automated deep malware analysis with Joe Sandbox. The connector will submit suspicious files detected by Carbon Black to Joe Sandbox for deeper analysis and will import the generated threat intelligence data into Carbon Black.
You can find our Carbon Black connector, together with the installation guide, in our Github repository: https://github.com/joesecurity/carbonblack-connector.
Deep Threat Intelligence
Once you have completed the installation, you can search for malicious detections via the Binary Search. Click on Add Criteria and then select Joe Sandbox Score:
The Joe Sandbox Score indicates how Joe Sandbox has rated the observed behavior: 0 means no malicious behavior, while 100 is very malicious. In the new form, you can define whether you would like to search for, e.g., all binaries with a Joe Sandbox Score greater than or equal to X:
A score of 50 or higher means the sample shows malicious behavior. For our current example, Carbon Black found a binary with a score of 50 or higher on one endpoint:
Clicking on the hash link provides us with more information on the binary:
The Joe Sandbox Score of 100 is shown at the top right. Via the View on joesandbox link we can open the analysis report:
Now that we know this is Agent Tesla, we can easily block the binary on all our endpoints with a single click, thanks to Carbon Black:
Wouldn't it be nice to be alerted automatically as soon as Carbon Black detects a new binary on an endpoint and Joe Sandbox rates it as malicious? You can achieve this by creating a Watchlist. To create one, open Watchlists in the main menu and then use the query "cb.q.alliance_score_joesandbox=[50 TO *]":
Finally, select how you would like to get alerted.
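To make the watchlist threshold concrete, here is a small added example (not code from Joe Security or Carbon Black) that parses a single-field range query in the Solr style Carbon Black uses, such as the cb.q.alliance_score_joesandbox=[50 TO *] query above, and evaluates it against a constructed set of binary records carrying the score the connector imports. It assumes that the score lives in a field named alliance_score_joesandbox on each binary record, that the cb.q. prefix is only the query-parameter wrapper around that field name, and the standard Solr range semantics ([ ] inclusive, { } exclusive, * open-ended). It goes a little beyond the page by also handling exclusive and upper-bounded ranges, so you can check how other thresholds would behave before saving them as a watchlist.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: binary records in the shape a defender might export from
# Carbon Black's Binary Search once the Joe Sandbox connector has written its
# score into the alliance_score_joesandbox field. MD5s and scores are made up.
SAMPLE_BINARIES: List[Dict[str, object]] = [
    {"md5": "a" * 32, "alliance_score_joesandbox": 0},    # clean
    {"md5": "b" * 32, "alliance_score_joesandbox": 30},   # suspicious, below threshold
    {"md5": "c" * 32, "alliance_score_joesandbox": 50},   # exactly at the threshold
    {"md5": "d" * 32, "alliance_score_joesandbox": 100},  # very malicious
    {"md5": "e" * 32},                                    # never analysed: no score field
]

# Solr/Lucene range syntax: [ ] are inclusive, { } are exclusive, * is open-ended.
RANGE_RE = re.compile(
    r"^(?P<field>[\w.]+)=(?P<lo_br>[\[{])(?P<lo>\*|-?\d+)\s+TO\s+(?P<hi>\*|-?\d+)(?P<hi_br>[\]}])$"
)

# Assumption: "cb.q." is Carbon Black's query-parameter prefix, not part of the
# field name stored on the binary document.
QUERY_PREFIX = "cb.q."


@dataclass(frozen=True)
class RangeQuery:
    field: str
    lo: Optional[int]  # None means open-ended (*)
    hi: Optional[int]
    lo_inclusive: bool
    hi_inclusive: bool

    def matches(self, value: Optional[int]) -> bool:
        """True if a score falls inside the range; a missing score never matches."""
        if value is None:
            return False
        if self.lo is not None:
            if value < self.lo or (value == self.lo and not self.lo_inclusive):
                return False
        if self.hi is not None:
            if value > self.hi or (value == self.hi and not self.hi_inclusive):
                return False
        return True


def parse_range_query(query: str) -> RangeQuery:
    """Parse a single-term range query such as 'cb.q.alliance_score_joesandbox=[50 TO *]'."""
    m = RANGE_RE.match(query.strip())
    if not m:
        raise ValueError(f"not a single-field range query: {query!r}")
    field = m.group("field")
    if field.startswith(QUERY_PREFIX):
        field = field[len(QUERY_PREFIX):]
    lo = None if m.group("lo") == "*" else int(m.group("lo"))
    hi = None if m.group("hi") == "*" else int(m.group("hi"))
    if lo is not None and hi is not None and lo > hi:
        raise ValueError(f"empty range: {query!r}")
    return RangeQuery(
        field=field,
        lo=lo,
        hi=hi,
        lo_inclusive=m.group("lo_br") == "[",
        hi_inclusive=m.group("hi_br") == "]",
    )


def watchlist_hits(query: str, binaries: List[Dict[str, object]]) -> List[str]:
    """Return the MD5s of the binaries the watchlist query would alert on."""
    rq = parse_range_query(query)
    hits: List[str] = []
    for record in binaries:
        score = record.get(rq.field)
        if rq.matches(score if isinstance(score, int) else None):
            hits.append(str(record["md5"]))
    return hits


if __name__ == "__main__":
    for q in ("cb.q.alliance_score_joesandbox=[50 TO *]",
              "cb.q.alliance_score_joesandbox=[* TO 49]"):
        print(q, "->", watchlist_hits(q, SAMPLE_BINARIES))
```

Note that a binary the connector has not analysed yet carries no score at all and therefore never matches, which is the behaviour you want from a "malicious" watchlist: absence of a score is not evidence of a clean file, so such binaries should be covered by a separate "not yet analysed" query rather than silently treated as benign.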
Joe Sandbox and Carbon Black - a powerful combination
Thanks to the Joe Sandbox Carbon Black connector, cyber security analysts using Carbon Black benefit from deep malware analysis performed by Joe Sandbox. This enables them to detect and block zero-day and targeted attacks.