
Can Your Organization Accept the Risk of Being First?

November 14, 2017

Optiv recently completed our 2017 endpoint security solution evaluation. For this year’s review, we constructed several use cases that model threats to enterprise user workstations. The attack scenarios began with the exploitation of well-known vulnerabilities, such as CVE-2015-0313, and escalated to targeted phishing scenarios in which we assumed the phish succeeded and the user ran a custom binary.

The majority of the basic attack scenarios were easily detected and prevented by the endpoint security solutions. As we ramped up the sophistication of the attacker’s technique, things got interesting. Against several of the solutions tested, we succeeded in connecting back to our command-and-control server and obtaining a shell on the endpoint using custom executables built on unmanaged PowerShell (the PowerShell runtime hosted in our own process rather than in powershell.exe). The files were disguised as OUTLOOK.exe and POWERPNT.exe and delivered to the endpoint on the assumption that the user would run the file. An overview of our unmanaged PowerShell test is discussed by Dan Kiraly in his Unmanaged PowerShell Binaries and Endpoint Protection blog post.

On its own, the file looks almost benign: it is an executable that makes a network connection. In our testing, only after gaining a shell did we begin to act maliciously, and for some solutions that is the point at which detections started to trigger.

Taking a defensive look at the issue, we wanted a method to stop the attack earlier in the cyber kill chain, using only controls present in endpoint security solutions. A file reputation check, or more precisely the absence of any reputation for the file, proved to be the best method to stop the attack as soon as the user made the poor decision to click the file. Within Carbon Black’s Cb Defense, McAfee’s ENS and Symantec’s SEP14, we were able to create policies that prevent unknown files from executing.

Organizations should evaluate their current endpoint security policies to determine whether their solution can perform file reputation checks and what enforcing that restriction would cost across the user base; legitimate in-house or niche tools that no vendor has ever seen are the usual casualties. Where the impact is limited, adding this policy is an effective control to stop files with little or no collective intelligence from running in the environment. A simple way to frame the question is: “Does your organization, or a sub-segment of its users, have a risk tolerance so high that an individual should be the first person to execute an unknown file in the environment?” Security vendors maintain vast databases of file reputations, and organizations are advised to put that knowledge to use.

Within Cb Defense a security administrator can add a rule to a policy that either denies the operation or terminates the process of an “unknown” application or a “not listed” application. These are two distinct states. Unknown application rules apply when the endpoint is offline and cannot query Carbon Black’s reputation database. For online endpoints, the Cb Defense sensor requests a reputation from the Cb Defense intelligence feeds and uploads the file to the cloud for static analysis; if no reputation information for the application is available, it is classified as “not listed.” A policy therefore needs rules for both states to cover both the offline and the online case.

Cb Defense provides several levels of granularity in how the policy is enforced. The most restrictive option terminates an unknown application as soon as it tries to run. A more lenient rule denies the operation only if the application tries to inject code into another process, which leaves earlier steps of an attack, such as the initial outbound connection, untouched.

For a “not listed” application, Cb Defense rules can be set to deny the operation or terminate the process when it attempts to create a network connection, scrape memory, invoke a command interpreter such as PowerShell, behave like ransomware, or perform other potentially malicious operations.
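To make the difference between the “unknown” and “not listed” states and the strict versus lenient rules concrete, here is an added example that simulates reputation-gated execution against the attack chain described above (launch, connect back to C2, invoke an interpreter). It is illustrative code written for this page, not code from Cb Defense, ENS or SEP14; the reputation feed, the file contents, the operation names and the policy fields are all constructed assumptions, and a real sensor would hash the binary on disk and query the vendor cloud.

```python
"""Simulation of reputation-gated execution (added example, not vendor code).
The feed, file bytes and policy fields below are constructed stand-ins."""
import hashlib
from dataclasses import dataclass
from enum import Enum


class Reputation(Enum):
    KNOWN_GOOD = "known good"
    KNOWN_BAD = "known bad"
    NOT_LISTED = "not listed"  # online lookup returned no verdict
    UNKNOWN = "unknown"        # endpoint offline, lookup not possible


# Post-launch operations a "not listed" rule can deny (hypothetical names).
RISKY_OPERATIONS = frozenset({
    "network_connection", "memory_scrape", "invoke_interpreter",
    "code_injection", "ransomware_like",
})


def sha256_hex(data: bytes) -> str:
    """Reputation feeds are keyed by file hash; SHA-256 is used here."""
    return hashlib.sha256(data).hexdigest()


# Constructed file contents: a vendor binary the feed knows, and the
# attacker's look-alike, which nobody in the environment has run before.
GENUINE_OUTLOOK = b"MZ\x90\x00 constructed stand-in for a signed vendor binary"
DISGUISED_OUTLOOK = b"MZ\x90\x00 constructed stand-in for an unmanaged PowerShell stub"

# Constructed cloud reputation feed (hypothetical data).
CLOUD_REPUTATION = {sha256_hex(GENUINE_OUTLOOK): Reputation.KNOWN_GOOD}


def lookup_reputation(digest: str, online: bool) -> Reputation:
    """Offline endpoints cannot ask the cloud, so the file is 'unknown';
    online endpoints that get no verdict see the file as 'not listed'."""
    if not online:
        return Reputation.UNKNOWN
    return CLOUD_REPUTATION.get(digest, Reputation.NOT_LISTED)


@dataclass
class Policy:
    # Unknown (offline) files: strict = terminate at launch,
    # lenient = only deny code injection.
    terminate_unknown_on_launch: bool = True
    # Not-listed (online, no verdict) files: operations denied after launch.
    denied_not_listed_ops: frozenset = RISKY_OPERATIONS
    # User override of the verdict; the post advises never granting this.
    allow_user_override: bool = False


def decide(digest: str, online: bool, operation: str, policy: Policy,
           user_override: bool = False) -> str:
    """Return 'allow', 'deny' (block this one operation) or 'terminate'."""
    rep = lookup_reputation(digest, online)
    if rep is Reputation.KNOWN_BAD:
        return "terminate"
    if rep is Reputation.KNOWN_GOOD:
        return "allow"
    if user_override and policy.allow_user_override:
        return "allow"  # the same user who clicked the file waves it through
    if rep is Reputation.UNKNOWN:
        if operation == "launch" and policy.terminate_unknown_on_launch:
            return "terminate"
        return "deny" if operation == "code_injection" else "allow"
    # Reputation.NOT_LISTED
    return "deny" if operation in policy.denied_not_listed_ops else "allow"


def simulate_chain(data: bytes, online: bool, policy: Policy,
                   chain=("launch", "network_connection", "invoke_interpreter")):
    """Walk the attack chain and stop at the first verdict that is not 'allow'."""
    digest = sha256_hex(data)
    verdicts = []
    for op in chain:
        verdict = decide(digest, online, op, policy)
        verdicts.append((op, verdict))
        if verdict != "allow":
            break
    return verdicts


if __name__ == "__main__":
    for label, online, policy in [
        ("online, strict", True, Policy()),
        ("offline, strict", False, Policy()),
        ("offline, lenient", False, Policy(terminate_unknown_on_launch=False)),
    ]:
        print(label, simulate_chain(DISGUISED_OUTLOOK, online, policy))
```

The run worth noticing is the offline endpoint under the lenient rule: the disguised binary launches, connects out and invokes an interpreter without ever injecting code, so the injection-only rule never fires. Only the strict “terminate at launch” rule stops the chain before the shell exists.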

Figure 1 – Cb Defense policy creation

Within ENS, a security administrator can add an Adaptive Threat Protection (ATP) rule to a policy that triggers Dynamic Application Containment (DAC) for files with unknown reputations. DAC then engages immediately for new binaries that McAfee has not yet assessed. DAC lets the file run but automatically flags it as suspicious, and while it monitors the file it blocks subsequent behaviors such as registry changes and writing files to temporary directories. Note that this is containment rather than prevention: the process starts, so the initial network connection in our scenario is not stopped at launch.

Figure 2 – McAfee ENS policy creation

Within SEP14, a security administrator can add a download protection rule to a virus and spyware policy to enable Download Insight. Download Insight is Symantec’s file reputation service, built from the company’s global intelligence network. When Download Insight determines that a file is unknown, or in Symantec’s vernacular “unproven,” the file can be quarantined before it runs.

Figure 3 – SEP14 policy creation

McAfee and Symantec both offer user override options when file reputation enforcement is enabled. Since the rule fires precisely because a user chose to run the file, letting that same user override the verdict defeats the control; this option should not be granted.


By: Woodrow Brown

Director, Partner Research and Strategy
