Targeted Attack Protection: A Review of Endgame’s Endgame...Targeted Attack Protection: A Review of Endgame’s Endpoint Security Platform. Testing Overview (CONTINUED) SANS ANALYST PROGRAM 3 Targeted Attack

  • Published on

  • View

  • Download


2017 SANS InstituteA SANS Product ReviewWritten by Dave ShacklefordOctober 2017Sponsored by EndgameTargeted Attack Protection: A Review of Endgames Endpoint Security PlatformThe threat landscape continues to get progressively worse. More sophisticated attacks are being spotted in the wild, and security teams are scrambling to keep up. We face many new types of issuesadvanced phishing attacks are proving all too successful, and ransomware has become a common form of malware that many seem helpless to prevent. In addition, we have many endpoints to protect, and attackers are savvy about targeting end users. Even worse, many advanced attacks dont involve malware; instead they use legitimate operating system tools, operate in memory and move laterally to accomplish their objectives and defeat traditional security programs.In the SANS Next-gen Endpoint Risks and Protections survey1 from 2017, 53 percent of respondents indicated that at least one of their endpoints had been compromised in the previous 24 months, primarily through browser exploits and social engineering. More than one-quarter (27 percent) of those who experienced a compromise noted that they discovered it via third-party notification, which suggests that many endpoint security tools and tactics in use today are inadequate. We really need better prevention and detection tools right now. Yesterdays signature-based detection tools are failing us more frequently because they are built upon reactive intelligence. Traditional antivirus signatures are proving less effective than they once were, as more advanced attackers are capable of morphing their code and indicators of compromise to evade signature-based methods. Additionally, many security teams have focused too narrowly on malware without looking enough at the vast variety of newer, more advanced methods attackers are using. Many attacks dont leverage any malware to compromise the enterprise network and move laterally from host to host. Some attacks use legitimate tools such as PowerShell to avoid detection by endpoint security platforms. Another problem is that many endpoint tools are fairly heavy-handed on system resources. SANS reviewed Endgames endpoint protection product, a lightweight agent that offers prevention, detection and response, and threat hunting capabilities to rapidly stop targeted attacks before damage and loss occur. One of the primary goals of the platform is to help overcome todays security skills gap, which many SANS surveys show is the top inhibitor to achieving respondents security and risk management goals. With its emphasis on ease of use, coverage of attacker tactics and techniques, rapid event triage and highly capable hunting methods, Endgame is a product with which SOC teams can hit the ground running.SANS ANALYST PROGRAMTargeted Attack Protection: A Review of Endgames Endpoint Security Platform1Introduction1 Next-Gen Endpoint Risks and Protections: A SANS Survey, March 2017, Differentiators Pre-execution prevention, accelerated detection and automated hunting across the breadth and depth of the MITRE ATT&CK Matrix Single, lightweight, autonomous agent providing 24/7 protection to online and offline systems Artemis, an AI-powered security mentor that elevates Tier 1 analysts and accelerates Tier 3 analysts by leveraging natural-language understanding to automate data analysis, investigation, triage and response at enterprise scale Automated threat hunting that leverages tradecraft analytics and outlier analytics to streamline workflows and surface suspicious artifacts across millions of records in minutes Automated memory forensics that detects post-injected code anywhere in memory at enterprise scale in minutesSignature-based detection is always a race against the clock, where vendor analysts need to develop signatures fast and push them out to customers before they fall victim. Testing Overview SANS ANALYST PROGRAM2For this review, Endgame hosted a platform-in-the-cloud infrastructure. We used the Version 2.4.1 environment, which includes the autonomous agents and the software management platform. Because we chose the Endgame hosted delivery model, we did not need to install the main Endgame platform. Endgame offers the platform in an on-premises model or in a cloud-hosted environment. Installation seems relatively painless, and the documentation provided by Endgame for installation and Quick Start is thorough and detailed. The review environment included a primary connection to the Endgame platform, as well as Remote Desk Protocol (RDP) connections available via jump hosts to the Windows sensors. A plethora of malware and other malicious code was available in the environment for testing, which SANS made liberal use of during the course of the review. DashboardsWe first logged into the Endgame console and explored the main dashboard. It showed us a breakdown of current alerts in the environment, endpoint agent status, and endpoint OS types. In addition, other panes in the dashboard showed the breakdown of the top priority alerts, which could help analysts in prioritizing their day. The console dashboard is shown in Figure 1.Figure 1. Enterprise Console DashboardTargeted Attack Protection: A Review of Endgames Endpoint Security PlatformFigure 1. Enterprise Console DashboardTesting Overview (CONTINUED)SANS ANALYST PROGRAM3 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformWe explored the Endpoints dashboard next. Within this view, all deployed endpoint agents can be viewed, configured and assessed. The Endpoints dashboard is shown in Figure 2.Figure 2. Endpoints DashboardThe Endpoints dashboard was simple to use. Endpoints can be discovered with Endgames built-in network scanner, looking for systems within the environment. Endpoints that do not have Endgame agents are flagged as Unmanaged and can then have sensors deployed to them directly through the console, per policy. Configure EndpointsAnalysts can configure the endpoints with a protection policy by selecting those they want to configure or modify, then choosing Misc Actions and finally Configure. The configuration window then opens, and various protection, detection, alerting and response configurations for the chosen agent(s) can be implemented in real time. These will each be covered in the respective sections discussing the capabilities of the product. Figure 2. Endpoints DashboardTesting Overview (CONTINUED)SANS ANALYST PROGRAM4 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformInvestigate and HuntThis dashboard also allows analysts to initiate investigations by choosing assets and then clicking Create Investigation. In the pane that appears, they can name the investigation, assign a profile or create a new one, assign analysts to the investigation and add hunts to the investigation to gather and include evidence (covered later). The Investigation pane is shown in Figure 3.Figure 3. Initiating an InvestigationThe Alerts dashboard presents a list of the current and most recent alerts noted by the system. These can be selected to drill into and triage each alert, and alerts can also be selected to assign to particular users, facilitating team-based analysis, triage and incident response. The Alerts dashboard is shown in Figure 4 on the next page.Testing Overview (CONTINUED)SANS ANALYST PROGRAM5 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformFigure 4. Alerts DashboardThe Investigations dashboard is the central location that aggregates investigations in progress (once initiated). Analysts can update and finalize (archive) their investigations from this pane. Administration The final area of the console that we explored was the Administration pane. The Administration console provides the following capabilities: User managementCreate, delete and manage users and their assigned roles (levels 1-3, as well as admin) Sensor managementCreate and manage sensor profiles (version, protections in place and specific configuration of deployment attributes) Alert managementTransfer alerts to central event aggregation tools if needed Whitelist managementWhitelist alerts to prevent event overload when false positives or low-severity issues are detected Platform managementEnable multi-client activation, which provides customers a single dashboard to view the health and status of the endpoints; this is beneficial to customers who have more than 50,000 endpoints or have endpoints in various geographiesCreating a new sensor profile was simple. In the Sensor Management pane of the Administration console, an admin can click Create New Sensor Profile, name the profile and point to a transceiver (the platform it will connect back to). Then the admin selects the binary for the preferred Endgame sensor version, and thats it. Once the new sensor profile is created, the admin can configure the default protection controls in place for the sensors. These are covered in more detail in the upcoming sections. Figure 4. Alerts DashboardEndgame Prevention, Detection and Response, and Threat HuntingSANS ANALYST PROGRAM6 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformToday, an attackers goals are data access and exfiltration. Sophisticated attackers often use advanced nation-state techniques, which sometimes do not involve any malware, to aggressively pursue and compromise specific targets. These attacks often include fileless tactics, living-off-the-land techniques and malicious macros with delivery mechanisms via social engineering tactics such as spearphishing. After a compromise has occurred, attackers attempt to maintain a persistent presence within the enterprise network, escalate privileges and move laterally within to extract sensitive information to locations under the attackers control. Advanced AttacksThe Lockheed Martin Kill Chain is an industry model for an attack lifecycle that includes the stages shown in Figure 5:2 Figure 5. Lockheed Martin Kill Chain Attack Lifecycle2 Deconstructing the Cyber Kill Chain, Nov. 18, 2014, Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM7 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformWhile the widely referenced Lockheed Cyber Kill Chain created a common language to discuss sophisticated attacks, it lacks the granularity essential to make comprehensive programmatic improvement against todays targeted attacks. MITRE, a not-for-profit organization, has created that needed granularity, collecting details on the vast array of methods to build a threat model and framework called Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK).3Why are we not catching these movements today when we know so much about these patterns? In short, attacks and methods are constantly changing, but our tools and approaches arent. To understand why, its helpful to break down indicators of compromise. For organizations trying to leverage signatures and typical indicators of compromise (IOCs), security detection and prevention are a constant game of whack-a-mole if the usual simple indicators are used alone. An attacker can very easily modify code to communicate with a different IP address or domain, leverage a different local port or present a different cryptographic hash value. In contrast, behavioral aspects of attacks are by far the most valuable knowledge to have in preventing and detecting compromise scenarios, but they are much more difficult to create and describe. In turn, this makes it more difficult to automate and unify the systems, each of which holds a little information about these attacks but doesnt show the whole picture. Behavioral indicators will often include multiple indicators; for example, a certain IP address is accessed, retrieves a known ZIP file, unpacks and drops certain files, and installs software that opens a port or creates a new registry key.Full Stack ProtectionEndgame offers a number of advanced features for the prevention of targeted attacks against enterprises, and these align with the various stages of the ATT&CK model. During our review, we tested several of the zero-day-prevention capabilities offered in the product, and it successfully caught each attempt, provided us advanced intelligence that included detailed indicators of compromise and system-level aspects of the attempt, and automated remediation workflow. Endgame has advanced protections that include exploit prevention, malware prevention, fileless attack prevention, malicious macro prevention and ransomware prevention. 3 Adversarial Tactics, Techniques and Common Knowledge, By changing the name and/or value of a specific registry key on a Windows platform, attackers can easily bypass some of the endpoint detection technologies in use today.Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM8 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformEndgame has developed a unique technique it calls Hardware Assisted Control Flow Integrity (HA-CFI). This technology uses hardware features available in processors to monitor and prevent exploitation before code execution. By leveraging hardware features, Endgame prevents exploits before an attacker reaches the Post-Exploitation stage of the Kill Chain (and the beginning of the ATT&CK cycle). Another feature Endgame touts is enhanced Dynamic Binary Instrumentation (DBI), which allows for very early-stage detection of exploits. This feature allows the product to detect malicious macros through heuristics-based prevention, closely monitor fileless attacks for process injection and look at behaviors for file activity that may indicate ransomware and similar attacks. Figure 6 shows the configuration of exploit protections within the Endgame sensor configuration screen.Figure 6. Endpoint Exploit Protection and Prevention Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM9 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformThese protections are enabled by editing the Sensor configuration policy mentioned earlier. In the Exploit Protection category, analysts can enable HA-CFI and/or DBI to detect and prevent exploits and malware on each endpoint. A range of protections is available, including API filtering, monitoring for macros with heuristics, monitoring stack memory and many more.Figure 7 shows a prevention alert with a process injection and also highlights the source process and the target process infected.Figure 7. Endpoint Process Injection PreventionAccelerated Triage and Response For all of its capabilities in preventing attacks, Endgame also impressed us with its detection and triage capabilities, setting up more effective response and hunting activities for security teams. The first tool we explored in the world of detection was Endgame Artemis, which is an AI-powered security mentor that analyzes and triages alerts in simple English. Figure 7. Endpoint Process Injection PreventionEndgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM10 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformWe explored Artemis after creating all of our infections that generated attack alerts and events. The Artemis icon, which is available in all dashboards and screens within the main Endgame console, interacts with the analyst when querying the platform. To start, we entered a query to the Artemis system (not having any idea of syntax or behavior), which produced the following dialog:SANS: lsass.exeArtemis: To search process data, I need one of the following endpoint designators:- All Endpoints- Operating System (e.g. win7 endpoints)- Endpoint IP address (e.g. endpoint)SANS: all endpoints lsass.exeArtemis: Are you sure you want to run:Search process for file lsass.exe on active endpoints?SANS: yesArtemis: Created investigation: 68f09d90-ba9d-4f9e-bf10-3a458c758ef0We could then click a View the Investigation link directly within the Artemis console. This was an amazing way to get started quickly with an intuitive guidance system, one that could help junior analysts figure out what to do and where to go for more information. As we explored the product, we decided to query Artemis for more in-depth information. One of the pieces of malware we ran in the first phase of the analysis was named sekur1.exe. To get Artemis focused on a particular IOC process chain, we queried the process lineage for this executable on a particular endpoint in the test environment (shown in Figure 8).Figure 8. More Advanced Artemis QueriesFigure 8. More Advanced Artemis QueriesEndgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM11 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformArtemis dutifully created the investigation and provided in-depth results that we then reviewed in the Investigations console (see Figure 9).Figure 9. Artemis-initiated InvestigationAnother view of the investigations is the Endgame Attack Visualization. With a click of a button, an analyst can search across the entire environment for more evidence of the attack or can pivot to one of Endgames many integration partners to gather information about the overall extent of the compromise. Figure 9. Artemis-initiated InvestigationThe Investigation pane includes information about processes created, running and terminated, as well as user, system and command-line details. It was also simple to filter results by process, DNS, user or network event. Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM12 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformFigure 10 shows the guided response workflow that accelerates an analysts ability to quickly triage and respond to alerts.Figure 10. Endgame Artemis Guided Response WorkflowThis set of results provided a detailed timeline of the execution of malware/exploit code (sekur1.exe), followed by Windows services being initiated and DNS lookups being performed for local systems and external domains, as well. Take ActionFor any given alert, Endgame offers a number of responses an analyst can take directly from the console. First, we can start an investigation, much as we did with the Artemis query engine. Second, we can take a variety of actions depending on the nature of the alert. For files, we can download the file locally for analysis or delete the file. For process injection, we can suspend the process thread to minimize impact on the affected host, terminating the malicious behavior while response and forensics teams get engaged. In all cases, we can also choose to whitelist alert items, reducing false positives that may turn up from time to time in specific environments. Figure 10. Endgame Artemis Guided Response WorkflowEndgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM13 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformThe Alert Details listing also provides ample information on the entire process tree on the endpoint, as well as network activity and user accounts on the system. Within the process view, we could also choose to select processes to get hash values associated with them, and kill the process if we chose. See Figure 11.Figure 11. Details of Suspicious ProcessesBy selecting an endpoint, we could click the Respond button in the dashboard to configure more advanced response actions. Here, we could upload scripts or binaries to run for response and then run them as analysts. An example of running the Microsoft Sysinternals program handle.exe is shown in Figure 12. Figure 12. Executing the handle.exe FileWe were able to delete files, suspend processes and take other actions here, too. This process allowed us to run our own tools for response and collect the tool output data back to the console.TAKEAWAY: Endgame can help rapidly detect and respond to events in a monitored and protected environment. The intelligent tools available in the console, such as Artemis, may serve to elevate Tier 1 analysts to be more effective at initial diagnosis and triage and accelerate Tier 3 analysts who are doing deep investigations in the environment based on IOCs and other behaviors.Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM14 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformHunting with EndgameEndgame automates the hunt for malicious activity at the earliest stages of the MITRE ATT&CK matrix. Endgame hunting includes process, persistence, Registry and network searches, as shown in Figure 13.Figure 13. Automated Hunting with Endgame Endgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM15 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformEliminating Persistent Threats at the Earliest Stages of the Attack LifecycleAnother feature we explored in hunting with Endgame was attacker persistence. Endgame has many built-in analytics for finding and eliminating advanced attacker beachheads in the environment. One of Endgames advantages is its MalwareScore analytics engine, which looks for unknown malicious persistence based on behaviors and unusual indicators seen on systems that may not match any known signatures. Other persistence mechanisms look for hijacking entries in the Registry, rogue dynamic-link libraries (DLLs), filename masquerading, suspicious paths and more. Within the Investigation pane, we were then able to monitor the hunt and see what results came back. We chose the Persistence hunt type and looked at different specific indicators that came back with high scores, shown in Figure 14. Figure 14. Persistence Indicators with a High MalwareScore RatingFigure 14. Persistence Indicators with a High MalwareScore RatingEndgame Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM16 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformWe also looked at network indicators for uncommon connections or suspicious connections, shown in Figure 15. After malicious persistence is identified, an analyst can perform a variety of response actions, including uploading or executing to eliminate the malicious persistence, all with a single click. Figure 15. Suspicious Network ConnectionsDetecting Ongoing File-less Attacks at ScaleFinally, in the test environment, we drew on the Defense Evasion article on the MITRE ATT&CK wiki4 to run a range of highly sophisticated exploit code seen in the wild and get a sense of how Endgame handles advanced attacker techniques, particularly file-less attacks. These attacks may persist only in memory, making them very hard to detect. Endgames technology prevents fileless attack techniques, including shell code injection and DLL injection. Endgames automated in-memory analysis is able, in minutes, to identify techniques such as memory modification, memory injection, hidden modules, and packed and encrypted areas in memory across unlimited endpoints. Our hunt-monitoring tools made looking for these simple, because this is a category that Endgame looks for readily in the Process section. See Figure 16 on the next page.4 Defense Evasion, Prevention, Detection and Response, and Threat Hunting (CONTINUED)SANS ANALYST PROGRAM17 Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformFigure 16. A File-less Attack ProcessThis process has the following attributes:Path: C:\Windows\SysWOW64\rundll32.exeCommand Line: C:\Windows\System32\rundll32.exe "C:\Users\vagrant\AppData\Local\jlc3V7we\IZsROY7X.-MP",F1dd208Once an analyst detects a memory injection, he or she can suspend the thread, which will contain the attack without any loss of system stability. As a bonus, the analyst can download the strings to determine the malicious command-and-control and use Artemis to search across the enterprise. This example just scratches the surface of what Endgames hunting capabilities can do. The platform can perform single hunts for specific configuration aspects of systems, look for network ports, services and just about any item an analyst would want to find. In addition, if this is set to prevention mode, Endgame can block file-less attacks.Figure 16. A File-less Attack ProcessTAKEAWAY: Hunting allows analysts to leverage automation to find suspicious behavior in minutes across hundreds and thousands of systems that are managed and monitored. ConclusionSANS ANALYST PROGRAM18Endgame lived up to its promise. The platform focuses on the breadth and depth of the MITRE ATT&CK to stop known and unknown threats. It was easy to use and get started with, and the various dashboards were intuitive to navigate. Creating endpoint policies was straightforward, and communicating with sensors was fast and painless. Endgame prevention blocks known and unknown threats, at the earliest stages of the attack lifecycle. Where the product really shines, however, is in event detection, triage of events and threat hunting. The skills gap in security operations continues to grow. There just arent enough experts to go around. Endgame empowers junior analysts to find threats rapidly and effectively, analyze them and dig deeper for more evidencewhich can only help to improve the state of security incident monitoring and forensics today. At the same time, all of this needs to happen fast. When we receive IOCs from threat intelligence or sharing groups, we need to look across all endpoints rapidly. Endgame provides the tools to hunt for known and unknown files, processes, and behaviors across all endpoints very rapidly, and then take remediation actions immediately. Targeted Attack Protection: A Review of Endgames Endpoint Security PlatformDave Shackleford, a SANS analyst, instructor, course author, GIAC technical director and member of the board of directors for the SANS Technology Institute, is the founder and principal consultant with Voodoo Security. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. A VMware vExpert, Dave has extensive experience designing and configuring secure virtualized infrastructures. He previously worked as chief security officer for Configuresoft and CTO for the Center for Internet Security. Dave currently helps lead the Atlanta chapter of the Cloud Security Alliance.SANS ANALYST PROGRAM19About the AuthorSponsorSANS would like to thank this papers sponsor:Targeted Attack Protection: A Review of Endgames Endpoint Security Platform


View more >