Cyphort Integration with Carbon Black

Size: px

Start display at page:

Download "Cyphort Integration with Carbon Black"

Lorena Elliott
6 years ago
Views:

1 SOLUTION BRIEF Cyphort Integration Carbon Black Carbon Black Enterprise Protection Carbon Black Enterprise Protection formerly known as Bit9 Security Platform, is the next-generation endpoint security solution to deliver a portfolio of threat prevention options, real-time visibility across all environments, and comprehensive compliance rule sets. Carbon Black Enterprise Protection monitors endpoints for any new binaries and sends them to Cyphort for further analysis on the binary. Cyphort Integration Carbon Black Enterprise Protection does not support File Execution. This is available only Carbon Black Enterprise Response. For the integration, another application the Cyphort-Carbon Black Endpoint Protection Connector is required. The connector can be installed on the Carbon Black Endpoint Protection server or on any other Windows/Linux server. Prerequisites for Installation of Connector: Step 1: Step 1: Install Python and required libraries Follow the Python Installation Guide to install Python on your desired OS. Install the Requests library for Python. Request Carbon Black Enterprise Protection s File Analysis License. Step 2: By default, Carbon Black Enterprise Protection only allows file monitor mode. For file analysis, a special license must be obtained from Carbon Black Enterprise Protection. Contact Carbon Black Enterprise Protection technical support for more information. Step 3: Obtain a Carbon Black Enterprise Protection File Analysis User Account. Enable permissions for a File Analysis special user account. At the Carbon Black Enterprise Protection Web UI, navigate to Administration- >Login Accounts and click on Groups on the left panel. Click on the View Details icon for the group to which the user belongs. 1

Enable the following permissions for the group Submit file for Analysis Extend connectors through APIs Step 4: Obtain a Carbon Black Enterprise Protection token.

Click on the View Details icon, and on the bottom of the page, click the Show API token button; this displays the API token to be used for Cyphort/ Carbon Black Enterprise Protection integration.

2 Enable the following permissions for the group Submit file for Analysis Extend connectors through APIs Step 4: Obtain a Carbon Black Enterprise Protection token. Navigate to Administration->Login Accounts and click on Users on the left panel. Click on the View Details icon, and on the bottom of the page, click the Show API token button; this displays the API token to be used for Cyphort/ Carbon Black Enterprise Protection integration. Use the API Token to fill in the Carbon Black Enterprise Protection token field described in the following Installation section. Step 5: Getting a Cyphort API Key. API Key can be obtained from Cyphort UI. Click on Config -> System Profiles -> Users -> cyadmin -> API Key. Installation of Connector: To install the Cyphort/Carbon Black Enterprise Protection Plugin: Step 1: Download the Carbon Black Enterprise Protectionplugin.tar.gz package and unzip it using the following command: tar zxvf Carbon Black Enterprise Protectionplugin.tar.gz 2

Step 2: Edit the Config.txt file and enter the REST API URL and Authentication tokens for Carbon Black Enterprise Protection and Cyphort. Example Config.

3 Step 2: Edit the Config.txt file and enter the REST API URL and Authentication tokens for Carbon Black Enterprise Protection and Cyphort. Example Config.txt Carbon Black Enterprise ProtectionURL $ Carbon Black Enterprise ProtectionTOKEN $45DD7C48-2CCC-452F-B8FF-9C676B cyphorturl $ cyphorttoken $7560dfb753e fc80fdefd93491 cyphortconnector $CyphortConnector Step 3: Running the Cyphort/Carbon Black Enterprise Protection Plugin python -W ignore CyphortPlugin.py Config.txt If the plugin is running correctly, it will register a connector the Carbon Black Enterprise Protection server. Under System Configuration, click the Connectors tab; find the CyphortConnector tab. Click on the Edit button and verify that the Integration Enabled and File Analysis fields are checked. The plugin is now ready to accept any files that Carbon Black Enterprise Protection potentially presumes to be malicious. The plugin will send the file to the Cyphort engine for further analysis, and the analysis results generated by Cyphort will be sent to the Carbon Black Enterprise Protection server. The Carbon Black Enterprise Protection server may decide to take appropriate remedial action based on the result. Step 4: Configuring Manual File Submission for Cyphort Analysis To submit files manually for malware analysis, use the following procedure: From the main Bit 9 Dashboard, click on Assets > Files. Chose the computer name from which to upload the file. From the left panel, and click on File Catalog. Click to select the files to be uploaded for analysis. 3

Click on the Action button and select Analyze CyphortConnector : Click Submit to Cyphort Connector; at the top of the page green text displays the message: Submit to CyphortConnector scheduled for 1

4 Click on the Action button and select Analyze CyphortConnector : Click Submit to Cyphort Connector; at the top of the page green text displays the message: Submit to CyphortConnector scheduled for 1 file(s) Step 5: Configuring Automatic File Submission for Cyphort Analysis Carbon Black Enterprise Protection can automatically submit a file to the Cyphort/Carbon Black Enterprise Protection Plugin for malware analysis. When the Carbon Black Enterprise Protection server is unable to determine the malicious nature of a file, the file (or a set of files) are submitted to the plugin automatically and no user intervention is required. To enable automatic submission certain rules must be configured at the Carbon Black Enterprise Protection Web UI. Click on Rules>Event Rules and then the Create Rule button. The screenshot below shows an example of a Rule that can be configured for automatic file submission. 4

Step 6: Viewing Cyphort/Carbon Black Enterprise Protection Malware Analysis Results To view the results of Cyphort malware analysis returned to the Carbon Black Enterprise Protection server via the

Note that Status for malware analysis submissions transitions from Acquiring File > Analyzing > Analyzed To view the analysis details provided by Cyphort: from the Carbon Black Enterprise Protection

5 Step 6: Viewing Cyphort/Carbon Black Enterprise Protection Malware Analysis Results To view the results of Cyphort malware analysis returned to the Carbon Black Enterprise Protection server via the plugin: At the Carbon Black Enterprise Protection server Web UI, click Tools > Requested Files and on the left panel, click Analyzed Files. Note that Status for malware analysis submissions transitions from Acquiring File > Analyzing > Analyzed To view the analysis details provided by Cyphort: from the Carbon Black Enterprise Protection Server dashboard, click on Reports > External Notification. Click the View History icon to display a particular malware entry. On the left panel, click CyphortConnector Console to be directed to the Cyphort portal from which specific details of the malware analysis are viewed. 5

Troubleshooting the Connector: Step 1: Check the log file of the connector located at Carbon Black Enterprise Protection-plugin/ final_cyphort/cyphort.log. To keep the log file from growing too large, the plugin rotates the files when the cyphort.

To view live events, open another text editor window and enter the following command: tail f cyphort.

6 Troubleshooting the Connector: Step 1: Check the log file of the connector located at Carbon Black Enterprise Protection-plugin/ final_cyphort/cyphort.log. To keep the log file from growing too large, the plugin rotates the files when the cyphort.log grows beyond a default 1MB limit. All previous history is placed in cyphort.log.1 and all new events after the 1MB threshold are added to the cyphort.log. To view logged events on the file, you can open it using any text editor. To view live events, open another text editor window and enter the following command: tail f cyphort.log Step 2: Check if the connector cannot reach the Carbon Black Enterprise Protection/Cyphort server. The following is an example when the Carbon Black Enterprise Protection server is unreachable. Step 3: The following log statements should be seen for a working environment when a file is submitted to Cyphort for analysis :29:28 Carbon Black Enterprise ProtectionProvider INFO :29:58 Carbon Black Enterprise ProtectionProvider INFO Starting Scanner Got File For Scanning File downladed from Carbon Black Enterprise Protection server to localpath 6

7 :29:58 Carbon Black Enterprise ProtectionProvider DEBUG /home/thomas1/ test/carbon Black Enterprise Protection-plugin/final_cyphort/tempfile :29:58 Carbon Black Enterprise ProtectionProvider DEBUG Downloaded file is a zip file. Unzipping the file to path /home/thomas1/test/carbon Black Enterprise Protection-plugin/final_cyphort/users/my/documents/ malicious/exe/malware.ttt :29:58 Carbon Black Enterprise ProtectionProvider DEBUG cleaning up the extracted files after unzipping :29:58 cyphortprovider INFO Submitting binary file malware.ttt md5 f1a90278a75cf8c17ac2a43f91284bf6 to Cyphort :29:58 Carbon Black Enterprise ProtectionProvider INFO getting client details :29:58 cyphortprovider INFO file Name:::Server_Url: ,Server_Ip: ,Agent_version: ,Client_Name:WORKG ROUP\BENISON,Client_IP:fe80::b13c:8956:580:5ffd,Client_OS:Windows 8,Time:Thu_Dec_10 _13:29:58_2015,md5sum:f1a90278a75cf8c17ac2a43f91284bf :29:58 cyphortprovider INFO Submitted: f1a90278a75cf8c17ac2a43f91284bf6 HTTP CODE: :29:58 cyphortprovider INFO event id :29:58 Carbon Black Enterprise ProtectionProvider INFO pa id is :29:58 Carbon Black Enterprise ProtectionProvider INFO queue :29:58 Carbon Black Enterprise ProtectionProvider INFO File malware.ttt submitted has obtained file submit retry count for file malware. ttt Appending the event_id 1861 to the global Global queue updated Succesfully Log file events for checking results from Cyphort :30:28 Carbon Black Enterprise ProtectionProvider INFO checking result for malware.ttt :retry_count :30:28 Carbon Black Enterprise ProtectionProvider INFO Result obtained from Cyphort for event id : 1861, file malware.ttt and md5 sum : f1a90278a75cf8c17ac2a43f91284bf :30:28 Carbon Black Enterprise ProtectionProvider DEBUG { product : Cyphort, severity : critical, malwarename : u malware (WORM_LITAR.CY), malwaretype :, analysisresult : 3, externalurl : index.html?event_id=1861, type : malicious_file, fileanalysisid : 41258} :30:29 Carbon Black Enterprise ProtectionProvider DEBUG Cyphort analysis for fileanalysis completed. Cyphort result is 75). 7

12-10 13:30:29 Carbon Black Enterprise ProtectionProvider DEBUG Found Virus Step 4: Check the Carbon Black Enterprise Protection Server Web UI for any errors.

8 :30:29 Carbon Black Enterprise ProtectionProvider DEBUG Found Virus Step 4: Check the Carbon Black Enterprise Protection Server Web UI for any errors. From the Carbon Black Enterprise Protection server Web UI, you can view error events under Reports > Events, as shown below. Carbon Black Enterprise Response Carbon Black Enterprise Response, formerly known as Carbon Black is an endpoint detection and response solution that records all endpoint activity and correlates data unified intelligence to pinpoint the attack root cause. Cyphort integrates Carbon Black Enterprise Response in two ways: File Analysis: Any new binary seen at an endpoint is submitted to Cyphort for analysis. File Execution: Cyphort checks Carbon Black if a binary download seen on the network has been executed on the endpoint. 1. File Analysis: Carbon Black integrates Cyphort for inspection, analysis and correlation of suspicious binaries discovered at the endpoint. Carbon Black submits unknown or suspicious binaries to Cyphort Core - a secure threat analysis engine, which leverages Cyphort s multi-method behavioral detection technology and threat intelligence to deliver threat scores used in Carbon Black to enhance detection, response and remediation efforts. For the integration, another application the Cyphort-Carbon Black Endpoint Response Connector is required. The connector can be installed on the Carbon Black Endpoint Response server or on any other Red Hat server. The Cyphort connector submits binaries collected by Carbon Black to a Cyphort appliance for binary analysis. The results are collected and placed into an Intelligence Feed on Carbon Black server. The feed will then tag any binaries executed on your endpoints identified as malware by Cyphort. Only binaries submitted by the connector for analysis will be included in the generated Intelligence Feed. Installation of Connector: Step 1: Download the Cyphort Carbon Black Connector from Git 8

Login to Carbon Black server as root. You can also use any other RPM based 64-bit Linux distribution server that has access to the Carbon Black server. cd /etc/yum.repos.d curl -O https://opensource.

9 Login to Carbon Black server as root. You can also use any other RPM based 64-bit Linux distribution server that has access to the Carbon Black server. cd /etc/yum.repos.d curl -O Step 2: Install the Cyphort Carbon Black Connector using yum yum install python-cb-cyphort-connector Step 3: Modify the config file to enter the Carbon Black Server Url, Carbon Black Server Token, Cyphort Url and Cyphort API Key cp /etc/cb/integrations/cyphort/connector.conf.example /etc/cb/integrations/ cyphort/connector.conf Make the following changes in the file: cyphort_api_key=<cyphort API Key for user cyadmin> (API Key can be obtained from Cyphort UI. Click on Config -> System Profiles -> Users -> cyadmin -> API Key) cyphort_url= IP Address> carbonblack_server_url= Black Server IP Address> carbonblack_server_token=<carbon Black Server API token> (API Token can be obtained from Carbon Black Server UI. Click on Username found on the top right corner -> Profile Info -> API token) Step 4: Start the service service cb-cyphort-connector start Troubleshooting the Connector: Check the connector log /var/log/cb/integrations/cyphort/cyphort.log for any errors. Note: If connector gets 401 Unauthorized Error from Cyphort, check if the Cyphort API Key is correct and the API key is not disabled. Adding Cyphort to Carbon Black Intelligence Feed: Step 1: Click on Add New Feed from the Threat Intelligence Feeds Page. Threat Intelligence Feeds Page can be reached from Detect -> Threat Intelligence. Step 2: Add the feed url. The feed url is generally Address of connector>:7000/feed.json. If the connector is installed on the Carbon Black server, then the feed url is json. 9

10 Click Save. Step 3: Once installed, you should see a message from Carbon Black Server that the Threat Feed has been added successfully. Cyphort will also show up under Threat Intelligence Feed. Check Enabled. Troubleshooting Cyphort Threat Feed: Step 1: Download an executable on the endpoint The best way to check if the Cyphort Threat Feed works is to download an executable on one of endpoints which has a Carbon Black Enterprise Sensor running. After about 10 minutes, you can check if Cyphort provided a verdict a for it. To check the verdict, click on Threat Reports on the feed. 10

Step 2: Sort by Most Recent and you should see a verdict for the executable that was downloaded on the endpoint. You can click on Details for more info.

11 Step 2: Sort by Most Recent and you should see a verdict for the executable that was downloaded on the endpoint. You can click on Details for more info. If you don t see the exe under Threat Reports, check if Carbon Black server received the object from the Carbon Black sensor running on the endpoint. You can do this by clicking on Respond -> Binary Search and search using the md5sum of the executable. If the exe is not seen, then there s an issue the Carbon Black sensor talking to the Carbon Black server. If you do see the executable, then the communication between Carbon Black server and Cyphort is not working correctly. 11

12 2. File Execution: Cyphort can query Carbon Black Enterprise Response to determine if a malicious file was executed. By querying endpoints, the Cyphort Platform can better determine exactly where an attack sits in the kill chain and if a download progressed to infection by determining if the endpoint detonated the malware object, expediting targeted and accurate remediation. Carbon Black Enterprise Response Configuration: Step 1: From the Cyphort UI, configure the Carbon Black Enterprise Response details. Click on Config -> Environmental Settings -> Carbon Black Configuration. Provide the Carbon Black Enterprise Response Server IP address and API Key. Troubleshooting File Execution: The best way to check if File execution works correctly is to download and run the executable on an endpoint Step 1: Check the Carbon Black Server IP address and API key configured on Cyphort to see if the details are correct and Carbon Black is enabled. Step 2: Download a malware on an endpoint say Step 3: Execute the malware on endpoint

13 Step 4: When Cyphort sees the download, it checks Carbon Black server if the download md5sum m1 was detonated on endpoint The logs for this on the Cyphort side are / var/log/cyos/3rdpartyconnector/connector_carbon Black Enterprise Protection.log. This shows the requests and responses between Cyphort and CB server. Cyphort requests for the md5sum 340c860492c5ee5f708dfee57f650cd3 on sensor 1 which is endpoint : :08: (get) request url: ess?cb.q.md5=340c860492c5ee5f708dfee57f650cd3&cb.q.sensor_id=1&sort=start%20desc :08: (get) request headers: { X-Auth-Token : u 8f7d3e7c4b8d 1d8eee0a69a659e91f26562f6fd0 } :08: (get) response: { terms : [ ], md5:340c860492c5ee5f708dfee57f650cd3, sensor_id:1 total_results : 2, facets : {}, results : [ { process_md5 : eea63b8cf19e59c4a51ad2d9a59dda25, sensor_id : 1, modload_count : 116, parent_unique_id :, cmdline : \ C:\\Program Files (x86)\\internet Explorer\\IEXPLORE.EXE\ SCODEF:2928 CREDAT: /prefetch:2, filemod_count : 48, id : c0-01d1-7ee785cfd832, parent_name : (unknown), The number of results for the md5 query should be greater than 0 meaning the executable was actually executed on the endpoint) Step 5: On the Cyphort UI under Incidents, the kill chain DL + EX should show up. 13

14 Step 6: If you don t see any results returned from CB for that md5, you need to check if: a. The binary md5 m1 is present on CB server b. The binary has some related processes (indicating it was executed). Click on the magnifying glass next to the sample. c. The related processes should be more than 1. CYPHORT, Inc Great America Parkway Suite 225 Santa Clara, CA P: (408) F: (408) Sales/Customer Support (tel) MALWARE (tel) (fax) support@cyphort. com 2016 Cyphort, Inc. All rights reserved. 14

Carbon Black QRadar App User Guide

Carbon Black QRadar App User Guide Table of Contents Carbon Black QRadar App User Guide... 1 Cb Event Forwarder... 2 Overview...2 Requirements...2 Install Cb Event Forwarder RPM...2 Configure Cb Event