D3FEND Top Ten – #4

This week, we’re looking at the real meat and potatoes of front line security work – proces eviction. When the adversary has managed to get through your defences, you need someone to sort it out. That’s what you’re there for: killing the problem before it can cause damage.

What is Process Eviction?

Process eviction in cybersecurity refers to the act of terminating or suspending malicious or unauthorized processes within computer systems. This article provides an overview of process eviction, including its significance and two primary concepts: process suspension and process termination. Additionally, it highlights various tools and technologies commonly used for process eviction in cybersecurity.

How does Process Eviction work?

Process eviction can be broken up into two “sub-techniques”: process suspension and process termination.

Process suspension

Process suspension, as a concept in process eviction, involves temporarily pausing the execution of a process without terminating it completely. The primary purpose of process suspension is to gain more insights into the behavior of the process or to conduct further analysis and investigation.

When a process is suspended, it is put on hold, and its resources are frozen. This allows cybersecurity professionals to study the process in a controlled environment, gather additional information about its activities, and potentially extract valuable data for forensic purposes. Process suspension offers the advantage of preserving the state of the process, allowing for a detailed examination without losing any potential evidence.

However, process suspension should be approached with caution. Suspending a process means it can potentially resume execution if the suspension is lifted, which may not be desirable if the process is determined to be malicious. Therefore, process suspension is typically used as a preliminary step before making a final decision on whether to terminate the process.

Process termination

Process termination is the act of forcefully ending the execution of a process. When a process is terminated, it is immediately stopped, and all the resources associated with it are released. Process termination is a decisive action taken when a process is identified as malicious, unauthorized, or posing a significant security risk.

The primary purpose of process termination is to prevent the process from causing further damage or accessing sensitive information. By terminating the process, cybersecurity professionals can effectively neutralize the threat and protect the integrity and security of the system or network.

It is important to consider the potential impact of process termination. While it effectively halts the malicious activity, it can also result in the loss of any unsaved data or disrupt legitimate processes if not executed judiciously. Therefore, process termination should be carried out with careful consideration, ensuring that the identified process is indeed malicious or unauthorized.

How should I approach process eviction?

Don’t worry – you’re not alone in process eviction. You won’t have to manually use Task Manager for everything (although that’s not a bad place to start!). Here are some tool suggestions to get you started…

  1. Endpoint Detection and Response (EDR) Tools:
    • CrowdStrike Falcon
    • Carbon Black
    • SentinelOne
  2. Intrusion Detection/Prevention Systems (IDS/IPS):
    • Snort
    • Suricata
    • Cisco Firepower
  3. Security Information and Event Management (SIEM) Systems:
    • Splunk Enterprise Security
    • IBM QRadar
    • LogRhythm
  4. Sandboxing Tools:
    • Cuckoo Sandbox
    • FireEye Sandbox
    • Joe Sandbox
  5. Security Orchestration, Automation, and Response (SOAR) Platforms:
    • Demisto (now Palo Alto Networks Cortex XSOAR)
    • Phantom (now Splunk Phantom)
    • Siemplify

How important is process eviction?

Process eviction is an essential practice in cybersecurity to mitigate the risks posed by malicious processes. Process suspension and process termination are two common approaches employed in this regard. By utilizing various tools and technologies, such as Task Manager, antivirus software, EDR tools, SIEM systems, IDS/IPS, sandboxing tools, and SOAR platforms, organizations can effectively identify, isolate, and remove malicious or unauthorized processes from their systems. The selection of tools depends on factors like organizational requirements, compatibility, and budget. By leveraging these tools and techniques, cybersecurity professionals can safeguard their systems and networks against potential threats, ensuring the integrity and security of their digital environments.

Stay up to date with the latest threats

Our newsletter is packed with analysis of trending threats and attacks, practical tutorials, hands-on labs, and actionable content. No spam. No jibber jabber.