Compromise Overview - Lumu Portal

Compromise Overview

Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools.

In this section of the Lumu Portal, you have access to the dashboard and details on the activity and distribution of the Indicators of Compromise (IoC) that Lumu identified in your organization.

The Overview dashboard offers a general outline of the latest incidents and two data visualizations: activity and distribution. You can filter both visualizations by date, or click on either one to open its detailed view and adjust the time range. The dashboard also shows your active Gateways, Virtual Appliances, Agents, and Spambox data.
Figure 1 - Compromise Overview dashboard.

Activity Report

In this area, Lumu provides comprehensive and detailed visibility into the compromise activity (IoCs) detected in your network, along with the context information needed for in-depth analysis. You can hover over any point of the timeline (1) to see a breakdown of the types of compromise correlated with the traffic from that day. You can filter the threat activity by label (2) or by date, which lets you visualize how and when your network is being compromised.

Figure 2 - Compromise Activity - threat centered.
The Activity Details show the list of IoCs grouped by domain, with information on the threat type (1), IoC details (2), the last time (3) Lumu found this threat in your network data, and the total contacts (4) between the IoC and your infrastructure.
Figure 3 - Compromise Activity Details.
When you click on a domain in the Activity Details area, the Compromise Radar (1) opens with a preview of the compromising behavior. Click on the magnifying glass (2) to go to the Compromise Context feature for deeper insights.
Figure 4 - Compromise Radar for activity details.

Compromise Context

Compromise Context allows threat researchers and incident responders to enrich confirmed compromise information, understand how a particular compromise is spreading, and answer the most important questions about it so they can implement the right response.

Compromise Context arms your security team with factual compromise data that enables them to immediately implement a precise response to threats in a timely manner.

The Compromise Context area includes Compromise Radar, Attack Distribution, Spambox correlation, threat triggers, related resources, and the automated ATT&CK Matrix.

Figure 5 - Compromise Context - threat details.
The Compromise Radar unveils the nature of attacks and their behavior by analyzing how your assets are communicating with adversarial infrastructure, allowing security analysts to differentiate occasional contact from persistent and automated compromises.

The hours of the day (0h to 23h) are displayed around the Compromise Radar (1), and the numbers inside the circle represent the total contacts during each hour. The colors (2) represent the days of the week; click on a day to hide or show it on the radar and check for patterns. Context information (3) regarding timestamp, labels, and affected endpoints is shown alongside.

Figure 6 - Compromise Radar.
During incident response, prioritize compromises with multiple detected contacts: repeated contact with adversarial infrastructure indicates a persistent or automated compromise rather than a one-off event, and it has had more chances to succeed against your infrastructure.

The Attack Distribution is a dynamic visualization that enables Lumu Insights customers to track and measure critical environments, such as SWIFT, PCI-DSS, or IoT devices, and take immediate action. You can click on the zoomable chart (1) to drill deeper into your labeled threat activity, which reveals how a specific compromise is spread inside an organization's network. Use the zoomable timeline (2) of the attack to drill down and check when the attack affected each labeled asset.

Figure 7 - Attack Distribution.
The Spambox section can help you understand who adversaries are attempting to compromise in your organization, and how they are being targeted.
Figure 8 - Spambox correlation.
Consult our Spambox documentation to learn more about this feature.

Within the Context tab, you can learn why Lumu classified the event as a compromise by reviewing the Threat Triggers and Related Files (1). You can download these resources (2) to help configure policies that address the compromise within your current cybersecurity strategy.

This section also offers actionable steps for responding to each incident, with integrated links (3) to related articles by leading security researchers covering the particular threat. We also offer Lumu Incident Response Playbooks (4) based on the National Institute of Standards and Technology (NIST) Framework, which include best practices for how to use Lumu to respond to specific attacks.

Figure 9 - Compromise Context.
Lumu automates and operationalizes the MITRE ATT&CK® Matrix framework by presenting it for each compromise found on the portal, helping organizations spot gaps in defenses, identifying priorities, and making more accurate decisions about impending risks. The automated ATT&CK Matrix is included with Lumu Insights.
Figure 10 - ATT&CK Matrix.

Distribution

In this section, you have a comprehensive view of your compromise level through the distribution of malicious activities (1) detected in your organization, according to the assigned labels. You can also zoom (2) into the chart and filter (3) the compromise information displayed by label or date. This gives you visibility into how compromises spread among your assets, so you can focus efforts on what your organization considers critical for a successful cyberdefense strategy.

Figure 11 - Compromise Distribution.
Remember to assign labels to your traffic to help easily identify the compromise distribution across your infrastructure, and prioritize incidents in a way that makes sense for your organization.
If you are a Lumu Free customer and have added Spambox as an additional feature, this distribution area displays the limited correlation between IoCs and the DNS queries collected through Gateways and Spambox (add-on).
To take full advantage of Lumu's Continuous Compromise Assessment, correlating diverse sources such as netflows and firewall logs, upgrade to Lumu Insights and set up unlimited Virtual Appliances and Collectors for detailed collection across your on-premise, cloud, and remote environments.

Distribution Details shows the total contacts between IoCs and your infrastructure grouped by endpoint, including the source of each contact, such as Gateways and Virtual Appliances. You also have trend visualizations that show the distribution of the IoCs found on each endpoint by threat type (Malware, Spam, Phishing, etc.) and the labels assigned to each endpoint. You can filter (5) the compromise information by endpoint or threat type.

When you click on an endpoint on the list, you can see the distribution details, such as when and how often this endpoint was attacked along with the type of attacks and adversary information.

Figure 12 - Compromise Distribution details.
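The following is an added example, not Lumu's code or an API of the Lumu Portal. It shows, on constructed contact records, the two aggregations this page describes: the hour-of-day by day-of-week matrix behind the Compromise Radar (used to tell occasional contact from persistent, automated contact), and the per-endpoint and per-label totals behind the Distribution Details. The record layout, the domain `c2.example`, the endpoint names, the labels, and the `min_contacts` and `max_jitter_s` thresholds are all assumptions made for the example.

```python
"""Added example (not Lumu's code): radar-style and distribution-style
aggregation of constructed IoC contact records, plus a simple
occasional / persistent / automated classification per endpoint."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev

WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday",
            "Friday", "Saturday", "Sunday"]


def _beacon(start, count, step_minutes):
    """Constructed timestamps for an implant calling home on a fixed interval."""
    return [start + timedelta(minutes=step_minutes * i) for i in range(count)]


START = datetime(2024, 3, 4, 9, 0)  # a Monday (constructed)
# Constructed contact records: (timestamp, endpoint, label, contacted domain).
# host-017 beacons every 15 minutes for 12 hours; host-042 contacts the
# domain once. Names, labels and the domain are assumptions for the example.
CONTACTS = (
    [(t, "host-017", "Finance", "c2.example") for t in _beacon(START, 48, 15)]
    + [(datetime(2024, 3, 5, 14, 7), "host-042", "IT", "c2.example")]
)


def radar_matrix(contacts, domain):
    """Hour-of-day x day-of-week contact counts for one adversarial domain.

    Returns {weekday: [count_0h, ..., count_23h]}: the numbers a radar
    shows per hour, one series per day of the week."""
    matrix = {day: [0] * 24 for day in WEEKDAYS}
    for ts, _endpoint, _label, dom in contacts:
        if dom == domain:
            matrix[WEEKDAYS[ts.weekday()]][ts.hour] += 1
    return matrix


def distribution(contacts, domain, key="endpoint"):
    """Total contacts with the domain grouped by endpoint or by label,
    with the last time each group was seen contacting it."""
    idx = {"endpoint": 1, "label": 2}[key]
    totals, last_seen = defaultdict(int), {}
    for rec in contacts:
        if rec[3] != domain:
            continue
        group = rec[idx]
        totals[group] += 1
        last_seen[group] = max(last_seen.get(group, rec[0]), rec[0])
    return {g: {"contacts": totals[g], "last_seen": last_seen[g]} for g in totals}


def classify(timestamps, min_contacts=5, max_jitter_s=120):
    """Occasional, persistent or automated contact (thresholds are assumptions).

    Automated (beacon-like) means many contacts whose inter-arrival times
    are nearly constant; persistent means many contacts without that
    regularity; anything below min_contacts is treated as occasional."""
    if len(timestamps) < min_contacts:
        return "occasional"
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return "automated" if pstdev(gaps) <= max_jitter_s else "persistent"


def triage(contacts, domain):
    """Per-endpoint verdict for a domain, most-contacted endpoints first,
    which is the prioritisation order the page recommends."""
    per_endpoint = defaultdict(list)
    for ts, endpoint, _label, dom in contacts:
        if dom == domain:
            per_endpoint[endpoint].append(ts)
    ranked = sorted(per_endpoint.items(), key=lambda kv: len(kv[1]), reverse=True)
    return [(ep, len(ts), classify(ts)) for ep, ts in ranked]


if __name__ == "__main__":
    matrix = radar_matrix(CONTACTS, "c2.example")
    for day in WEEKDAYS:
        if any(matrix[day]):
            print(day, matrix[day])
    print(distribution(CONTACTS, "c2.example"))
    print(distribution(CONTACTS, "c2.example", key="label"))
    print(triage(CONTACTS, "c2.example"))
```

With the constructed data, the Monday series shows four contacts in every hour from 9h to 20h and nothing elsewhere, which is the regular ring pattern an analyst looks for on the radar; the single Tuesday 14h contact from host-042 is the occasional case. The jitter threshold is what separates a human opening a page a few times from a scheduled callback, so tune it to the collection granularity of your own sources.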

Incident Response

We recommend being familiar with Lumu’s Incident Response Playbooks that are based on the National Institute of Standards and Technology (NIST) Framework and include best practices for how to use Lumu to respond to specific attacks.

To know more about Lumu Portal:
  1. Incident Management
  2. Collectors
  3. Labels