Steps for Orchestrated Cryptojacking Response
Step 1: When D3 is alerted to a potential cryptojacking event, the analyst can trigger an incident-specific cryptojacking playbook.
Step 2: D3 investigates the IOCs, determining the reputation of the URLs and IPs, and blocks them if necessary.
Step 3: Simultaneously, D3 retrieves logs from Datadog or another integrated tool and also retrieves the details of the affected instance.
Step 4: D3 retrieves the security group details of the affected instance, and the analyst decides whether the EC2 instance or hosts need to be quarantined. D3 then quarantines the EC2 instance and takes a volume snapshot.
Step 5: Simultaneously, D3 queries the mapping list to get the McAfee ePO system name, groups, and system details.
Step 6: D3 then orchestrates a scan of the EC2 instance via ePO.
Step 7: Finally, D3 generates a summary report of the incident.
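The quarantine-and-snapshot part of Step 4, as an added Python example that is not D3's own code: the function takes a boto3-style EC2 client and records the original security groups for the incident report; the `FakeEC2` class is a constructed offline stand-in, and `sg-isolation` is an assumed isolation security group with no ingress or egress rules.

```python
def quarantine_instance(ec2, instance_id, isolation_sg_id):
    """Record the instance's security groups, swap them for an isolation
    group, then snapshot each attached EBS volume. ``ec2`` is any object with
    the boto3 EC2 client methods used here (boto3.client("ec2") in production)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    # Capture the security group details before changing anything (evidence for the report).
    original_sgs = [g["GroupId"] for g in inst["SecurityGroups"]]
    # Quarantine: replace every group with the isolation group, which is
    # assumed to have no ingress or egress rules, cutting the miner's traffic.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg_id])
    # Snapshot each attached volume so the miner's artifacts survive later cleanup.
    snapshot_ids = []
    for mapping in inst.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=volume_id, Description=f"cryptojacking IR {instance_id} {volume_id}")
        snapshot_ids.append(snap["SnapshotId"])
    return {"instance_id": instance_id, "original_security_groups": original_sgs,
            "isolation_security_group": isolation_sg_id, "snapshot_ids": snapshot_ids}


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client so the example runs offline."""

    def __init__(self):
        # Constructed sample state: one instance with two groups and two volumes.
        self.groups = {"i-0example": ["sg-web", "sg-admin"]}
        self.volumes = {"i-0example": ["vol-root", "vol-data"]}
        self.snapshots = []

    def describe_instances(self, InstanceIds):
        iid = InstanceIds[0]
        return {"Reservations": [{"Instances": [{
            "InstanceId": iid,
            "SecurityGroups": [{"GroupId": g} for g in self.groups[iid]],
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes[iid]],
        }]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.groups[InstanceId] = list(Groups)
        return {}

    def create_snapshot(self, VolumeId, Description):
        snapshot_id = f"snap-{len(self.snapshots) + 1:04d}"
        self.snapshots.append((snapshot_id, VolumeId, Description))
        return {"SnapshotId": snapshot_id}


if __name__ == "__main__":
    print(quarantine_instance(FakeEC2(), "i-0example", "sg-isolation"))
```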
Benefits of Cryptojacking Protection
✔ Full Investigation of Incidents
D3 acts as a bridge between application performance monitoring (APM) tools and security tools, enabling users to turn evidence of cryptojacking into end-to-end, automation-powered investigation and response.
✔ Hybrid Security
D3 integrates with cloud and on-premise tools, empowering incident response that can leverage the entire security stack and span across environments.
✔ Automatic Escalation
Users of Datadog or another APM tool can set up filters to automatically escalate signs of cryptojacking to D3 for investigation.
✔ Act Quickly and Efficiently
By automating cryptojacking response, you can rapidly minimize the damage of attacks with minimal resources used on each incident.