Tips From the Trenches: Enhancing Phishing Response Investigations

In an earlier blog post, I explained how the Code42 security team is using security orchestration, automation and response (SOAR) tools to make our team more efficient. Today, I’d like to dive a little deeper and give you an example of how we’re combining a SOAR tool with the Code42 Forensic File Search API — part of the Code42 Next-Gen Data Loss Protection (DLP) product —  to streamline phishing response investigations.

A typical phishing response playbook — with a boost

Below is a screenshot of a relatively simple phishing response playbook that we created using Phantom (a SOAR tool) and the Code42 Forensic File Search API:

We based this playbook on a phishing template built into the Phantom solution. It includes many of the actions that would normally be applied as a response to a suspicious email — actions that investigate and geolocate IP addresses, and conduct reputation searches for IPs and domains. We added a couple of helper actions (“deproofpoint url” and “domain reputation”) to normalize URLs and assist with case management.

You may have noticed one unusual action. We added “hunt file” via the Code42 Forensic File Search API. If a suspicious email has an attachment, this action will search our entire environment by file hash for other copies of that attachment.

“ Combining the speed of Code42 Next-Gen DLP with the automation of SOAR tools can cut response times significantly. ”

What Code42 Next-Gen DLP can tell us

Applying Code42 Next-Gen DLP to our playbook shortens investigation time. The “hunt file” action allows us to quickly see if there are multiple copies of a malicious file in our environment. If that proves to be true, it is quick evidence that there may be a widespread email campaign against our users. On the other hand, the search may show that the file has a long internal history in file locations and on endpoints. This history would suggest that the file exists as part of normal operating procedure and that we may be dealing with a false alarm. Either way, together the Code42 Next-Gen DLP API and its investigation capability give us additional file context so our security team can make smarter, and more informed and confident decisions about what to do next.

Applying Code42 Next-Gen DLP to other threat investigations

This type of “hunt file” action does not need to be limited to investigating suspected phishing emails. In fact, it could be applied to any security event that involves a file — such as an anti-virus alert, an EDR alert or even IDS/IPS alerts that trigger on file events. Using Code42 Next-Gen DLP, security staff can determine in seconds where else that file exists in the environment and if any further action is necessary.

Combining the speed of Code42 Next-Gen DLP with the automation of SOAR tools can cut response times significantly. That’s something any security team can appreciate.

As always, happy threat hunting!


Tips From the Trenches: Searching Files in the Cloud

In a few of my previous blogs, I shared some examples of ways the Code42 security team uses Code42 Forensic File Search to find interesting files — macro-enabled Microsoft Office files, known malicious MD5 hashes and so on. Now that the search capabilities of our newest product have been extended beyond endpoints to include cloud services, such as Google Drive and Microsoft OneDrive, I’d like to look at how we’re using this broadened visibility in our investigations.

“ Because we can now use Code42 Forensic File Search to search for files and file activity across both endpoints and Google Drive, we can be more certain of the locations of sensitive files when we are doing file movement investigations. ”

Finding files – and tracking file movement – in the cloud

Code42 uses Google Drive as a cloud collaboration platform. Because we can now use Code42 Forensic File Search to search for files and file activity across both endpoints and Google Drive, we can be more certain of the locations of sensitive files when we are doing file movement investigations. We combine Code42 Forensic File Search with the Code42 File Exfiltration Detection solution to execute an advanced search — using a given MD5 hash — to find files that have been moved to a USB drive. This allows us to quickly build a complete picture of where a file exists in our environment — and how it may have moved from someone’s laptop to the cloud and back.

What files are shared externally?

Using the latest version of Code42 Forensic File Search, we can also search files based on their sharing status. For example, in a matter of a few seconds, we can search for all Google Drive documents that are shared with non-Code42 users. This shows us all documents that have been intentionally or inadvertently shared outside of the company. A deeper look at this list helps us identify any information that has been shared inappropriately. As with all searches within Code42 Forensic File Search, these investigations take only a few seconds to complete.

Here’s a hypothetical example: Let’s say the organization was pursuing an M&A opportunity and we wanted to make sure that confidential evaluation documents weren’t being shared improperly. We could use Code42 Forensic File Search to pull up a list of all documents shared externally. Should that list contain one of the confidential M&A evaluation documents, we could look more closely to determine if any inappropriate sharing occurred.

Continually finding new use cases

Code42’s ffs-tools repository on GitHub now includes several new searches that take advantage of our new cloud capabilities. You can find them all here.

Like most organizations, we use many cloud services to perform our day-to-day work. That’s why in the near future, we plan to expand the search capabilities of Code42 Forensic File Search across even more cloud services — giving you even greater visibility into the ideas and data your organization creates, no matter where they live and move.

Happy threat hunting!

7 Steps to Real-Time File Exfiltration Detection (Video)

This year’s Verizon Data Breach Investigations Report (DBIR) came out a few weeks ago, and — surprise, surprise — insider threat remains one of the biggest problems for enterprise data security. Looking at the DBIR, there are all the usual data exfiltration suspects: Most are so-called “inadvertent insiders” and a few are malicious insiders or malicious outsiders using stolen credentials. All of these attackers are acting with complete authorization, so their activities tend to fly under the radar — not tripping any of the traditional data security alarms — until it’s far too late. In fact, Verizon found that the vast majority (68 percent) of insider data loss events take a month or more for the organization to discover.

See file exfiltration in real-time

With Code42 deployed in your environment, you have a powerful tool for recognizing suspicious file exfiltration activity by authorized users. Code42’s File Exfiltration Detection solution enables you to set a threshold to alert you if users move more than a typical amount of files to an external location — whether copying them to a removable storage device or uploading them to a cloud service.

Code42’s File Exfiltration Detection solution in action

Here’s how File Exfiltration Detection could help you detect and respond to a disgruntled employee’s malicious attempt to steal your IP:

  1. Set the threshold. From the Code42 web console, set the File Exfiltration Detection threshold at 10 files or 50 MB.
  2. Alert! An email notification tells you that a user recently moved more than 200 MB of data to a third-party cloud service account, such as Microsoft OneDrive or Google Drive.
  3. Confirm. Clicking the email link brings you back to the Code42 web console, where you can see the details of the user’s suspicious activity. For example, you can view a historical perspective of the user’s cloud service activity to see that, yes, this is a highly unusual event.
  4. Investigate. Dig deeper by exporting a CSV file that shows detailed information on all the files included in this mass exfiltration. The CSV includes each file’s name and MD5 hash as well as details on where the files were moved and when.
  5. Unzip the zip. Let’s say the malicious insider attempted to hide photos and videos of proprietary manufacturing processes in a large, innocent-sounding zip file: “cat” You can use the Code42 Backup + Restore solution to download that zip file and reveal its true contents.
  6. Track the source. What if the malicious actor tried to hide his tracks by renaming and/or modifying the original files? Because File Exfiltration Detection provides the MD5 hash of all the exfiltrated files, you can use Code42 Forensic File Search to search your entire environment for the MD5 hashes. This lets you track the modified or renamed file back to its source.
  7. Take action — faster. Between the real-time alert from File Exfiltration Detection, the complete data visibility from Code42 Backup + Restore and the instant file search capabilities of Code42 Forensic File Search, this entire investigation took less than an hour. You know the event happened. You know who did it. And you have a huge head start on stopping the malicious actor before more sensitive data gets out of your control.
Code42 13 Tips for Situational Awareness

Tips From the Trenches: 13 Situational Awareness Questions

A key aspect of responding to security events is situational awareness: knowing what is happening in your environment and why. Standard data security tools like firewalls, proxies, email filters, anti-virus reports and SIEM alerts are all common sources of data for situational awareness. However, it’s also important to have visibility into business operations. Only with a holistic view of your entire organization can you have true situational awareness.

For example, as a software company, writing and deploying software is a significant and complex part of our business operations. Naturally, this work is supported by development, test and staging environments, which are used by our engineers to create and test product features. Security teams need to be aware of all non-production environments in their organizations. Open non-production environments (or environments that re-use credentials between production and non-production systems) can be a vulnerability that attackers can exploit.

“ No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. ”

Asking questions is the key to knowledge. Here are 13 questions I have used to help paint a full view of internal operations at Code42. They are divided into four separate categories based on major categories of concern for most organizations. I hope they will help you improve your situational awareness and overall data security.

Development Environments:

  1. Where are your development environments?
  2. Do you have the appropriate level of logging in those environments?
  3. How is access handled and are there controls that prevent the reuse of credentials across environments?
  4. Are there forgotten dev environments that need to be cleaned up?

Build Process:

  1. Where is your code built?
  2. Where is your code stored?
  3. If somebody maliciously inserted code into your environment, would you be able to detect who, when and what?
  4. Where are your build/CICD servers?


  1. Do you know what your typical deploy schedule is?
  2. Are you involved in the change management process and other governance bodies so you know when major changes are occurring in your environment?


  1. What systems and environments are going away?
  2. Is there a plan to keep information such as logs from those environments after the environment itself goes away, in accordance with your data retention policies?
  3. Will any infrastructure be reused, and if so, has it been processed properly?

While these questions are specific to software development and deployment, the data security issues they raise are relevant to businesses of all types. No matter what business your organization is in, you should know where your important data can be found as well as what activities are normal and what is not normal. Ensuring that tools are in place to answer these questions is vital.

Here’s one tool I use to answer these questions in our environment: Code42 Forensic File Search. It provides the visibility I need into all activity in our organization. With it, we can quickly and accurately take stock of data movement, data security risks and countless other activities. It makes it easier and faster to know what is happening in our environment and why. It provides the situational awareness that is critical for any modern organization.

Until next time, happy threat hunting!

Tips From the Trenches: Choosing a Security Orchestration Tool

Tips From the Trenches: Choosing a Security Orchestration Tool

Like most of our customers, we here at Code42 are constantly looking to enhance our efficiencies when it comes to security. As we use more technology in our environment, that means more log sources, more events and potentially more alerts. It also means we have more opportunities to gather information from disparate sources and put together a more complete picture of the events we do investigate.

Five ways security orchestration tools can help

To help simplify and automate those activities, we are turning towards security orchestration tools. There are many reasons to invest in an orchestration tool. But for us, the following five items are the most important:

  1. Case management: As our team has grown, delegating work and tracking who is working on what becomes increasingly important. An orchestration tool can ideally function as that single workspace for assigning, managing and closing tasks.
  2. Metrics: Closely related to the first item on our list, better management of workload can improve visibility into key metrics like SLAs, as well as make it easier to identify bottlenecks and improve efficiency in analyst workflows.
  3. Integration: We’re constantly testing and adding new security tools, so it’s critically important that an orchestration tool easily integrates with tools we not only are using now but also may add in the future. The less time we have to spend developing integrations, the more time we have for investigating anomalies.
  4. Automation: Of course, automation is the name of the game when it comes to an orchestration tool. Automation allows our team to dream up new ways to streamline data collection and enrichment. Automation also can find connections that we may miss when manually reviewing data.
  5. Value: Analyst time is always in short supply. When a tool does the first four things on this list well, it means our security team can spend less time on low-value work—and more time on important analysis tasks. The more a tool allows us to focus on analysis, the more value it brings to our team.

A page out of the Code42 security orchestration playbook

The right orchestration tool also will allow us to leverage our own Code42 application in exciting new ways. Here’s just one example from the Code42 orchestration playbook:

  • Step 1 – Automatically locate files: To determine the scope of an event and show us how many endpoints have a suspicious attachment, we can search for a specific MD5 hash using Code42 Forensic File Search.
  • Step 2 – Restore deleted files: In situations in which the original file has already been deleted, Code42 Backup + Restore allows us to automatically restore that file.
  • Step 3 – Investigate suspicious files: With all the suspicious files identified (and restored, if necessary), we can now conduct analysis via an orchestration tool—such as running it in a sandbox. Best of all, because we didn’t spend hours or days manually locating and restoring files, we can focus all our time on the critical analysis.

This really is just the tip of the iceberg when it comes to use cases for security orchestration tools—whether it’s leveraging Code42 functionality or any of our many other security tools. As we continue our investigation into security orchestration tools, we’ll share more useful integrations and some automation playbook ideas.

Stay tuned for more updates—and as always, happy threat hunting!

Code42 Tips From the Trenches: Automating File Scans and Alerts

Tips From the Trenches: Automating File Scans and Alerts

Welcome to the first post of our Tips from the Trenches blog series. Authored by the Code42 security team, the series will explore some of the industry’s latest data security tools and tricks.

One of the best parts of working on the Code42 security operations team is that we’re facing (and solving) many of the exact same challenges as our customers. That means we get to share our experiences and trade tools, tips and tactics for what works—and what doesn’t. With that in mind, here are a few of the cool new ways we’re using search to identify hidden threats before they turn into big problems.

Better criteria for automated scanning and alerting

We’ve got a couple of tools set up to constantly scan our digital environments for risks. Recently, I created a new tool in Python that helps us go deeper with that scanning and alerting—searching via MD5 hash, hostname and filename, to name a few. This scriptable interface to the Code42 Forensic File Search API also allows for use of the full API by accepting raw JavaScript Object Notation (JSON) search payloads, meaning searches are only limited by the imagination of the user.

“ The scriptable interface to the Code42 Forensic File Search API also allows for use of the full API by accepting raw JavaScript Object Notation (JSON) search payloads, meaning searches are only limited by the imagination of the user. ”

Identifying macro-enabled Office files—a common malware source

One sample JSON search payload is the repo searches for macro-enabled Office files in users’ Downloads directories, such as *.docm and *.xlsm files—some of the most common vectors for malware. With the new tool, an automatic search alerts us when new files arrive on endpoints, so we can take action—such as sending the MD5 hash to a service like Virus Total to get a report, or even retrieving the file and sending it to a malware analysis sandbox if necessary.

Snuffing out WannaCry threats

We’ve done some early integration work to test combining Code42 Forensic File Search with a threat intel feed. This will allow us to search and detect malicious files based on MD5 hashes sourced from paid or open-source intel services.

Sharing new threat search tools and tactics

Like you, we’re dealing with new and evolving threats on a daily basis here on the Code42 Security Operations team. We’re constantly looking for new ways to use the tools we have to search and detect threats in smarter, better ways. All of the new search tools I mentioned above are available on our public Github site:

Live Q&A

Have questions about using Code42 Forensic File Search? Senior Product Manager Matthias Wollnik and I will be fielding questions live on Tuesday, July 24 from 10:30-11:30 am US Central time in the Code42 community.

Keep an eye out for more Tips from the Trenches coming soon—until then, happy threat hunting!

Facebook Twitter Google LinkedIn YouTube