Join BoxWorks in San Francisco Nov 12-13! Keynotes, product demos, and Box Master Classes. Reserve your spot!

Box Status
Print

Triaging and Remediating Shield Threat Detection Alerts

Admin , Shield , Box Shield , Article , Product Utilization , Established , Instruction , P6

This topic explains, at a high level, processes and best practices to identify and manage Shield Threat Detection alerts. The topic focuses on Malicious Content rules because it is this rule type that protects against threats in files. It contains the following sections:

You may be part of a large enterprise team of security professionals led by a CISO (Chief Information Security Officer), a member of a smaller company's IT (Information Technology) team tasked with using Box's Shield tools to keep your company secure, or a lone admin responsible for managing all of Box within your company. This topic will not—and cannot—give specific tool recommendations, but it will guide you through some necessary security basics.

Threat Detection Alerts

When you receive a Shield Threat Detection alert, you have to decide which alerts represent real threats, which alerts represent no threats, and everything in between. There are 4 threat cases, but only 2 cases trigger Threat Detection alerts:

  • No threat, no alert: This is what you hope to see 100% of the time. Unfortunately, it is not representative of the real world.
  • Threat, no alert: This is what you want never to happen because this means a threat slipped through your security measures somehow.
  • No threat, alert: This is a false positive, and when you discover one, you want to take steps to receive less of them, while not allowing any increased risk of threats to your organization. You also want to minimize the time it takes to deal with false positives. Shield Threat Detection gives you information that will help make this task take less time.
  • Threat, alert: This is a threat to your enterprise that has been caught, and you should analyze and remediate the threat. Shield Threat Detection gives you information that can help you in the analysis and remediation process, increasing your security efficiency.

False Positives

There are two primary issues with false positives:

  • Your IT security has to spend time investigating the alert.
    • Productivity in your organization is affected because files that do not contain threats are blocked from access until they are specifically released.

One of the ongoing challenges of security software such as Shield Threat Detection, especially in an ever-evolving threat environment,  is differentiating between a false positive and a real threat. The tuning of security software such as Shield Threat Detection occurs through a variety of technologies, including

  • Artificial Intelligence (AI)
  • Machine Learning (ML)
  • Reputation-based scanning
  • Human threat intelligence gathering

The fundamental reason why false positives exist is because threat detection is probabilistic, not absolute. In malware detection, part of how Deep Scan looks for threats in files is by what are called threat indicators. But in some file types, those threat indicators are not clear-cut. For example:

  • Microsoft Office documents can contain actions, such as macros and relational objects, and have OLE (object linking and embedding) capabilities. This functionality is designed to add power to the applications that host these documents (Excel even has a flight simulator that can be activated by inputting specific formulas), but with great power comes great responsibility, and threat actors do abuse that power. Through OLE and other technologies, Office documents can technically import from external resources, resources that you may not control or even know exist.
  • Potentially Unwanted Applications are applications that get installed when you try to install another application. Some installers don't even give you control over these "rider" applications. 
  • Dual-use tools are applications that can be used for good purposes and for evil purposes. Perfectly legitimate applications can be abused, which means that if an application is blocked, you cannot assume it is legitimate by name only and should investigate its use.

While all of this must be considered when you are investigating threats. false positives still tend to be rare. Security software, including Shield and Shield Threat Detection, generally does a good job in keeping up with the ever-shifting threat landscape. But you should be aware that false positives are a possibility, even if a rare and unlikely one.

Threat Triage

The triage process is where you decide what threat alerts are important and indicate attacks, what alerts are not attacks at all, including false positives, and everything in between. Triaging is also where you determine the order in which you will investigate threats. The considerations you would make to determine the severity of a malware detection alert include:

  • Is the threat reported from Reputation Scan, Deep Scan, or both?
  • What is the reported priority?
  • What type of file?
  • Where did the file come from?
  • Was the user expecting the file?
  • Do you know the file sender?

Threat Investigation

The information provided in Shield Threat Detection can help you in your malware detection alert investigation. If either Reputation Scan or Deep Scan reported a threat, any details about that threat will appear in the respective sections on the alert details page. This information can include 

  • The cryptographic SHA-1 (secure hash algorithm) file hash, which produces a theoretically unique value based on a file's contents.
  • Any anomalous characteristics of the file (script, macro, OLE object, ActiveX object, etc.) found.
  • The malware family of the threat.

Here is a sample alert:

malware_alert_example_annotated2.png
Components of this malware alert example:
  1. Click Mark File Safe if your investigation finds that there is no threat. This releases any restriction on the file.
  2. The type of rule that triggered the alert, in this case, a Malicious Content rule.
  3. The alert priority, which can help you triage the alert.
  4. The uploader of the file that the threat was found in. 
  5. Click Preview to safely view the file. This will not trigger any macros or other active code in the file, but will allow you to review its contents.
  6. The name of the file that the threat was found in. There can also be a version indicator, if there are multiple file versions, to specify which version of the file the threat was found in.
  7. The file hash, the unique value generated for the file.
  8. The family type of malware found, if a family is known.
  9. Details of the scan, which can contain specifics of what threat(s) were found in the file.

This information can help you decide how to handle the threat. Box has reports that can give you information about file, user, and other activity, and you can use Content Manager to download a suspicious file into a sandboxed environment for further analysis.

For example, The User Activity report has a File Marked Malicious Action Type (event). The report allows you to select one or more users and a date range to filter the data in the report.

Threat Remediation

Threat remediation is removing the threat from your environment. Shield Threat Detection is not a tool specifically for threat remediation, but the tools you do use to remediate a particular threat will be determined by what you learn about the threat during the investigation process. Box does have several features to help manage the potential threat in your environment, such as:

  • Shield's ability to block downloads
  • The admin's ability to log in as a managed user and trash files identified as containing threats
  • The ability to communicate with managed users directly in Box about files

Related articles