Can Your Organization Accept the Risk of Being First?

Optiv recently completed our 2017 endpoint security solution evaluation. For this year’s review, we constructed several use cases that would model threats to enterprise user workstations. The attack scenarios began with exploiting well-known vulnerabilities, such as CVE-2015-0313, and escalated to assumed targeted phishing attacks using custom binaries. 

The majority of the basic attack scenarios were easily detected and prevented by the endpoint security solutions. As we ramped up the sophistication of the attacker’s technique, things got interesting. Across several of the solutions tested, we were successful at connecting back to our command-and-control server and obtaining a shell on the endpoint with executables developed that used unmanaged PowerShell. The files were disguised as OUTLOOK.exe and POWERPNT.exe and delivered to the endpoint assuming the user clicked the file. An overview of our unmanaged PowerShell test is discussed by Dan Kiraly in his Unmanaged PowerShell Binaries and Endpoint Protection blog post.

The initial maliciousness of the file itself is low. It’s an executable that makes a network connection. In our testing, after gaining a shell, we began to act maliciously, which for some solutions started to trigger detections.  

Taking a defensive look at the issue, we wanted a method to stop the attack earlier in the cyber kill chain, using only controls present in endpoint security solutions. A file reputation check, or in this case, a lack of a file reputation, proved to be the best method to stop the attack as soon as the user made the poor decision to click the file. Within Carbon Black’s Cb Defense, McAfee’s ENS and Symantec’s SEP14, we were able to create policies that would prevent unknown files from executing. 

Organizations should evaluate their current endpoint security policies to determine if their solution is capable of performing file reputation checks and the impact of enforcing this restriction across the user base. In cases where the impact is limited, adding this policy is an effective control to stop files with little or no collective intelligence from running in the environment. A simple way to look at the issue is, “Does your organization or sub-segment of organizational users have a risk tolerance so high that an individual should be the first person to execute an unknown file in the environment?” With the vast databases of file reputations maintained by security vendors, organizations are advised to put that knowledge to the best use. 

Within Cb Defense a security administrator can add a rule to a policy to either deny operation or terminate the process of an unknown application or a not listed application. Unknown application rules work when the endpoint is offline and isn’t able to check Carbon Black’s reputation database. For online endpoints, the Cb Defense sensor will request a reputation from Cb Defense intelligence feeds and upload the file to the cloud for static analysis. If no reputation information for the application is available, it will be classified as “not listed.”

Cb Defense provides several levels of granularity in how the policy will be enforced. The most restrictive being to terminate the process of unknown applications when the application tries to run. A more lenient rule would be to deny the operation of the application if it tried to inject code into another process.

For a “not listed” application, rules within Cb Defense can be set to deny operation or terminate a process which attempts to create a network connection, scrape memory, invoke a command interpreter like PowerShell, perform ransomware-like behavior and other potentially malicious operations.

Figure 1 – Cb Defense policy creation

Within ENS, a security administrator can add an Adaptive Threat Protection (ATP) rule to a policy to trigger Dynamic Application Containment (DAC) for files with unknown reputations. This setting immediately kicks DAC in for new binaries that haven’t been assessed by McAfee. DAC lets the file run, but it is automatically flagged as a suspicious file. With DAC monitoring the file it will block subsequent malicious behaviors such as registry changes and writing files to temporary directories.  

Figure 2 – McAfee ENS policy creation

Within SEP14, a security administrator can add a download protection rule to a virus and spyware policy to enable Download Insight. Download Insight is Symantec’s file reputation database built from the company’s global intelligence network. When Download Insight determines that the file is unknown, or in Symantec’s vernacular, unproven, the file can be quarantined. 

Figure 3 – SEP14 policy creation

McAfee and Symantec both allow user override options when file reputation is enabled. Considering this rule runs because a user decided to click the file, this option should not be granted.