Threat Tracer, a groundbreaking new feature of Carbon Black Cloud Enterprise EDR, maps connections and context that can lead to faster and more effective remediation
Analysis Summary
# Tool/Technique: Threat Tracer
## Overview
Threat Tracer is an exclusive new feature of Carbon Black Cloud Enterprise EDR designed to enhance threat investigations by visually mapping the broader web of relationships between various entities (devices, users, processes, files, registry keys, hashes, IPs, or domains) associated with a threat. Its purpose is to provide analysts with the full context and blast radius of an attack, moving beyond the limitations of traditional causal process trees to reveal hidden connections, streamline triage, and enable strategic remediation without prematurely alerting adversaries.
## Technical Details
- Type: Tool (Feature within EDR)
- Platform: Environment monitored by Carbon Black Cloud Enterprise EDR
- Capabilities: Dynamic visualization of entity relationships, interactive graph exploration, assessment of attack surface, strategic remediation planning, detailed logging, and autosaving.
- First Seen: Not explicitly specified; introduced as a new feature.
## MITRE ATT&CK Mapping
Threat Tracer itself is an analysis and visualization tool, not a threat capability. Its use directly supports investigation of, and response to, the following tactics by improving visibility and response:
- **TA0008 - Lateral Movement** (By mapping related entities to understand movement paths)
- **TA0010 - Exfiltration** (By mapping associated network indicators)
- **TA0005 - Defense Evasion** (By allowing analysts to plan remediation unseen)
- **TA0003 - Persistence** (By revealing all associated components)
Technique-level mapping more often applies to the underlying data it visualizes:
- **T1083 - File and Directory Discovery** (By mapping file entities)
- **T1057 - Process Discovery** (By mapping process entities)
- **T1018 - Remote System Discovery** (By mapping IPs/Domains)
## Functionality
### Core Capabilities
- **Relationship Mapping:** Creates dynamic, visual graphs illustrating connections between entities (processes, files, users, devices, network indicators) involved in a security incident.
- **Interactive Exploration:** Allows analysts to dynamically click on entities within the graph to update details panels and explore relationships further.
- **Scope Assessment:** Enables quick assessment of the impact and blast radius of a threat across the organization.
- **Data Consolidation:** Maps and analyzes virtually all relevant data available within the Carbon Black Cloud console.
### Advanced Features
- **Strategic Remediation:** Facilitates planning remediation efforts by revealing leverage points without tipping off the attacker.
- **Entity Grouping:** Automatically groups entities sharing similar relationships to reduce visual clutter in large datasets.
- **Investigation Logging:** Logs all investigative work, allowing for inline annotations to streamline collaboration, hand-offs, and audits.
- **Session Persistence:** Autosaves progress, allowing analysts to resume complex investigations later.
## Indicators of Compromise
Threat Tracer *reveals* IoCs, but does not generate them. It handles and visualizes:
- File Hashes: [Not specified, but handles hashes]
- File Names: [Not specified, but handles file entities]
- Registry Keys: [Handles registry key entities]
- Network Indicators: [Handles IP or domain entities]
- Behavioral Indicators: [Visualizes process execution and access patterns]
## Associated Threat Actors
Threat Tracer is a defensive, investigative tool provided by Broadcom's Carbon Black. It is not attributed to any threat actor; it is used by internal security teams, analysts, and threat hunters across various organizations for detection and response against all actors observed by Carbon Black EDR.
## Detection Methods
Threat Tracer is an *analysis tool* used *after* initial detection by Carbon Black Cloud EDR. Detection methods for threats analyzed by this tool would rely on the underlying EDR capabilities:
- Signature-based detection (via EDR engine components)
- Behavioral detection (monitoring process, file, and network activity)
- YARA rules (if tailored to the specific threats under investigation)
## Mitigation Strategies
Mitigation strategies are determined post-analysis using Threat Tracer's insights:
- **Strategic Containment:** Identifying leverage points for stopping or containing the attack without adversary awareness.
- **Prioritized Remediation:** Focusing cleanup efforts based on the visualized scope and criticality of affected entities (e.g., identifying all devices running a malicious process).
- **Access Control Hardening:** Reviewing and blocking potentially suspicious user access patterns identified via user entity mapping.
## Related Tools/Techniques
- Traditional Process Trees/Causal Investigation Tools (Threat Tracer is positioned as superior to these)
- Other Endpoint Detection and Response (EDR) investigation interfaces
- Threat Intelligence Visualization Platforms