Cyphort Integration with Carbon Black


SOLUTION BRIEF

Carbon Black Enterprise Protection

Carbon Black Enterprise Protection, formerly known as Bit9 Security Platform, is the next-generation endpoint security solution that delivers a portfolio of threat prevention options, real-time visibility across all environments, and comprehensive compliance rule sets. Carbon Black Enterprise Protection monitors endpoints for any new binaries and sends them to Cyphort for further analysis of the binary.

Cyphort Integration

Carbon Black Enterprise Protection does not support File Execution. This is available only with Carbon Black Enterprise Response. For the integration, another application, the Cyphort-Carbon Black Endpoint Protection Connector, is required. The connector can be installed on the Carbon Black Endpoint Protection server or on any other Windows/Linux server.

Prerequisites for Installation of Connector:

Step 1: Install Python and required libraries. Follow the Python Installation Guide to install Python on your desired OS. Install the Requests library for Python.

Step 2: Request Carbon Black Enterprise Protection's File Analysis License. By default, Carbon Black Enterprise Protection only allows file monitor mode. For file analysis, a special license must be obtained from Carbon Black Enterprise Protection. Contact Carbon Black Enterprise Protection technical support for more information.

Step 3: Obtain a Carbon Black Enterprise Protection File Analysis User Account. Enable permissions for a File Analysis special user account. At the Carbon Black Enterprise Protection Web UI, navigate to Administration -> Login Accounts and click on Groups on the left panel. Click on the View Details icon for the group to which the user belongs.

1 http://www.cyphort.com/resources/literature-downloads/

Enable the following permissions for the group:
- Submit file for Analysis
- Extend connectors through APIs

Step 4: Obtain a Carbon Black Enterprise Protection token. Navigate to Administration -> Login Accounts and click on Users on the left panel. Click on the View Details icon and, at the bottom of the page, click the Show API token button; this displays the API token to be used for the Cyphort/Carbon Black Enterprise Protection integration. Use the API Token to fill in the Carbon Black Enterprise Protection token field described in the following Installation section.

Step 5: Get a Cyphort API Key. The API Key can be obtained from the Cyphort UI. Click on Config -> System Profiles -> Users -> cyadmin -> API Key.

Installation of Connector:

To install the Cyphort/Carbon Black Enterprise Protection Plugin:

Step 1: Download the Carbon Black Enterprise Protectionplugin.tar.gz package and unzip it using the following command:

    tar zxvf Carbon Black Enterprise Protectionplugin.tar.gz

Step 2: Edit the Config.txt file and enter the REST API URL and authentication tokens for Carbon Black Enterprise Protection and Cyphort.

Example Config.txt:

    Carbon Black Enterprise ProtectionURL $https://192.168.1.150
    Carbon Black Enterprise ProtectionTOKEN $45DD7C48-2CCC-452F-B8FF-9C676B075640
    cyphorturl $https://192.168.1.149
    cyphorttoken $7560dfb753e1475047fc80fdefd93491
    cyphortconnector $CyphortConnector

Step 3: Run the Cyphort/Carbon Black Enterprise Protection Plugin:

    python -W ignore CyphortPlugin.py Config.txt

If the plugin is running correctly, it will register a connector with the Carbon Black Enterprise Protection server. Under System Configuration, click the Connectors tab and find the CyphortConnector tab. Click on the Edit button and verify that the Integration Enabled and File Analysis fields are checked.

The plugin is now ready to accept any files that Carbon Black Enterprise Protection presumes to be potentially malicious. The plugin sends the file to the Cyphort engine for further analysis, and the analysis results generated by Cyphort are sent back to the Carbon Black Enterprise Protection server. The Carbon Black Enterprise Protection server may decide to take appropriate remedial action based on the result.

Step 4: Configuring Manual File Submission for Cyphort Analysis

To submit files manually for malware analysis, use the following procedure: From the main Bit9 Dashboard, click on Assets > Files. Choose the computer name from which to upload the file from the left panel, and click on File Catalog. Click to select the files to be uploaded for analysis.

Click on the Action button and select Analyze CyphortConnector. Click Submit to Cyphort Connector; at the top of the page, green text displays the message: Submit to CyphortConnector scheduled for 1 file(s)

Step 5: Configuring Automatic File Submission for Cyphort Analysis

Carbon Black Enterprise Protection can automatically submit a file to the Cyphort/Carbon Black Enterprise Protection Plugin for malware analysis. When the Carbon Black Enterprise Protection server is unable to determine the malicious nature of a file, the file (or a set of files) is submitted to the plugin automatically and no user intervention is required. To enable automatic submission, certain rules must be configured at the Carbon Black Enterprise Protection Web UI. Click on Rules > Event Rules and then the Create Rule button. The screenshot in the original brief (not reproduced in this transcription) shows an example of a rule that can be configured for automatic file submission.

Step 6: Viewing Cyphort/Carbon Black Enterprise Protection Malware Analysis Results

To view the results of Cyphort malware analysis returned to the Carbon Black Enterprise Protection server via the plugin: At the Carbon Black Enterprise Protection server Web UI, click Tools > Requested Files and, on the left panel, click Analyzed Files. Note that the Status for malware analysis submissions transitions from Acquiring File > Analyzing > Analyzed.

To view the analysis details provided by Cyphort: from the Carbon Black Enterprise Protection Server dashboard, click on Reports > External Notification. Click the View History icon to display a particular malware entry. On the left panel, click CyphortConnector Console to be directed to the Cyphort portal, from which the specific details of the malware analysis are viewed.

Troubleshooting the Connector:

Step 1: Check the log file of the connector, located at Carbon Black Enterprise Protection-plugin/final_cyphort/cyphort.log. To keep the log file from growing too large, the plugin rotates the files when cyphort.log grows beyond a default 1MB limit. All previous history is placed in cyphort.log.1 and all new events after the 1MB threshold are added to cyphort.log. To view logged events in the file, you can open it using any text editor. To view live events, open another window and enter the following command:

    tail -f cyphort.log

Step 2: Check whether the connector cannot reach the Carbon Black Enterprise Protection/Cyphort server. The original brief shows an example of the log output when the Carbon Black Enterprise Protection server is unreachable; that excerpt is not reproduced in this transcription.

Step 3: The following log statements should be seen in a working environment when a file is submitted to Cyphort for analysis.

    12-10 13:29:28 Carbon Black Enterprise ProtectionProvider INFO Starting Scanner
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider INFO Got File For Scanning
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider DEBUG File downladed from Carbon Black Enterprise Protection server to localpath /home/thomas1/test/carbon Black Enterprise Protection-plugin/final_cyphort/tempfile
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider DEBUG Downloaded file is a zip file. Unzipping the file to path /home/thomas1/test/carbon Black Enterprise Protection-plugin/final_cyphort/users/my/documents/malicious/exe/malware.ttt
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider DEBUG cleaning up the extracted files after unzipping
    12-10 13:29:58 cyphortprovider INFO Submitting binary file malware.ttt md5 f1a90278a75cf8c17ac2a43f91284bf6 to Cyphort
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider INFO getting client details
    12-10 13:29:58 cyphortprovider INFO file Name:::Server_Url:https://192.168.1.150,Server_Ip:192.168.1.150,Agent_version:7.2.1.1128,Client_Name:WORKGROUP\BENISON,Client_IP:fe80::b13c:8956:580:5ffd,Client_OS:Windows 8,Time:Thu_Dec_10_13:29:58_2015,md5sum:f1a90278a75cf8c17ac2a43f91284bf6
    12-10 13:29:58 cyphortprovider INFO Submitted: f1a90278a75cf8c17ac2a43f91284bf6 HTTP CODE: 200
    12-10 13:29:58 cyphortprovider INFO event id 1861
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider INFO File malware.ttt submitted has obtained pa id 41258
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider INFO file submit retry count for file malware.ttt is 1
    12-10 13:29:58 Carbon Black Enterprise ProtectionProvider INFO Appending the event_id 1861 to the global queue. Global queue updated Succesfully

Log file events for checking results from Cyphort:

    12-10 13:30:28 Carbon Black Enterprise ProtectionProvider INFO checking result for malware.ttt :retry_count 0
    12-10 13:30:28 Carbon Black Enterprise ProtectionProvider INFO Result obtained from Cyphort for event id : 1861, file malware.ttt and md5 sum : f1a90278a75cf8c17ac2a43f91284bf6
    12-10 13:30:28 Carbon Black Enterprise ProtectionProvider DEBUG {'product': 'Cyphort', 'severity': 'critical', 'malwarename': u'malware (WORM_LITAR.CY)', 'malwaretype': '', 'analysisresult': 3, 'externalurl': 'https://192.168.1.149/cyadmin/index.html?event_id=1861', 'type': 'malicious_file', 'fileanalysisid': 41258}
    12-10 13:30:29 Carbon Black Enterprise ProtectionProvider DEBUG Cyphort analysis for fileanalysis completed. Cyphort result is 75).
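When the connector log is the only evidence of what happened to a submission, it helps to parse it rather than read it by eye. The following parser is an added example, not code from the Cyphort brief or the connector itself: it reads cyphort.log lines in the layout shown in the excerpt above, pairs each "Submitting binary file" event with its HTTP code, event id and the Cyphort verdict, and lists submissions that never reached the "analyzed" state (for instance a 401 from Cyphort, the failure the troubleshooting section of this brief calls out). The sample lines are constructed for this example; the verdict line is assumed to be a Python dict repr, as the u'...' prefix in the brief's excerpt suggests.

```python
"""Parse the Cyphort/Carbon Black Enterprise Protection connector log (cyphort.log)
and summarise each submission. Added example, not part of the Cyphort brief."""
import ast
import re
from collections import OrderedDict

# Layout from the brief: "MM-DD HH:MM:SS <module> <LEVEL> <message>".
# The module name is matched non-greedily so names containing spaces still parse.
LINE_RE = re.compile(r"^(?P<ts>\d\d-\d\d \d\d:\d\d:\d\d) (?P<module>.+?) "
                     r"(?P<level>DEBUG|INFO|WARNING|ERROR) (?P<msg>.*)$")
SUBMIT_RE = re.compile(r"^Submitting binary file (?P<name>\S+) md5 (?P<md5>[0-9a-fA-F]{32}) to Cyphort$")
HTTP_RE = re.compile(r"^Submitted: (?P<md5>[0-9a-fA-F]{32}) HTTP CODE: (?P<code>\d+)$")
EVENT_RE = re.compile(r"^event id (?P<eid>\d+)$")
RESULT_RE = re.compile(r"^Result obtained from Cyphort for event id : (?P<eid>\d+), "
                       r"file (?P<name>\S+) and md5 sum : (?P<md5>[0-9a-fA-F]{32})$")

# Constructed sample in the brief's log format (not a real capture).
LOG_SAMPLE = """\
12-10 13:29:28 Carbon Black Enterprise ProtectionProvider INFO Starting Scanner
12-10 13:29:58 cyphortprovider INFO Submitting binary file malware.ttt md5 f1a90278a75cf8c17ac2a43f91284bf6 to Cyphort
12-10 13:29:58 cyphortprovider INFO Submitted: f1a90278a75cf8c17ac2a43f91284bf6 HTTP CODE: 200
12-10 13:29:58 cyphortprovider INFO event id 1861
12-10 13:30:28 Carbon Black Enterprise ProtectionProvider INFO Result obtained from Cyphort for event id : 1861, file malware.ttt and md5 sum : f1a90278a75cf8c17ac2a43f91284bf6
12-10 13:30:28 Carbon Black Enterprise ProtectionProvider DEBUG {'product': 'Cyphort', 'severity': 'critical', 'malwarename': u'malware (WORM_LITAR.CY)', 'malwaretype': '', 'analysisresult': 3, 'externalurl': 'https://192.168.1.149/cyadmin/index.html?event_id=1861', 'type': 'malicious_file', 'fileanalysisid': 41258}
12-10 13:30:29 Carbon Black Enterprise ProtectionProvider DEBUG Found Virus
12-10 13:31:10 cyphortprovider INFO Submitting binary file tool.exe md5 0123456789abcdef0123456789abcdef to Cyphort
12-10 13:31:10 cyphortprovider INFO Submitted: 0123456789abcdef0123456789abcdef HTTP CODE: 401
"""


def _new_entry(name, ts):
    return {"name": name, "submitted_at": ts, "http_code": None,
            "event_id": None, "status": "submitted", "verdict": None}


def parse_connector_log(text):
    """Return an OrderedDict md5 -> submission summary.

    status is 'submitted' (no verdict yet), 'rejected' (HTTP code other than 200)
    or 'analyzed' (a verdict dict followed the 'Result obtained' line)."""
    subs = OrderedDict()
    last_submitted = None    # md5 that the next "Submitted:"/"event id" lines refer to
    awaiting_verdict = None  # md5 whose verdict dict is expected on the next DEBUG line
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, level, msg = m.group("ts"), m.group("level"), m.group("msg")
        s = SUBMIT_RE.match(msg)
        if s:
            last_submitted = s.group("md5").lower()
            subs[last_submitted] = _new_entry(s.group("name"), ts)
            continue
        h = HTTP_RE.match(msg)
        if h and h.group("md5").lower() in subs:
            entry = subs[h.group("md5").lower()]
            entry["http_code"] = int(h.group("code"))
            if entry["http_code"] != 200:
                entry["status"] = "rejected"
            continue
        e = EVENT_RE.match(msg)
        if e and last_submitted in subs and subs[last_submitted]["event_id"] is None:
            subs[last_submitted]["event_id"] = int(e.group("eid"))
            continue
        r = RESULT_RE.match(msg)
        if r:
            awaiting_verdict = r.group("md5").lower()
            # The submission may predate a log rotation; create a stub if unseen.
            entry = subs.setdefault(awaiting_verdict, _new_entry(r.group("name"), ts))
            if entry["event_id"] is None:
                entry["event_id"] = int(r.group("eid"))
            continue
        if level == "DEBUG" and msg.startswith("{") and awaiting_verdict in subs:
            try:
                verdict = ast.literal_eval(msg)   # dict repr, never eval()
            except (ValueError, SyntaxError):
                continue
            subs[awaiting_verdict]["verdict"] = verdict
            subs[awaiting_verdict]["status"] = "analyzed"
            awaiting_verdict = None
    return subs


def needs_attention(subs):
    """md5s that were rejected or are still waiting for a Cyphort verdict."""
    return [md5 for md5, e in subs.items() if e["status"] != "analyzed"]


if __name__ == "__main__":
    parsed = parse_connector_log(LOG_SAMPLE)
    for md5, e in parsed.items():
        sev = e["verdict"]["severity"] if e["verdict"] else "-"
        print(md5, e["name"], e["status"], "http", e["http_code"], "severity", sev)
    print("needs attention:", needs_attention(parsed))
```

Run it against a real cyphort.log by passing the file contents to parse_connector_log; anything returned by needs_attention is either a submission Cyphort refused (compare the HTTP code against the 401 note in this brief) or one still in the queue, which is exactly the set worth chasing in the Carbon Black Enterprise Protection Web UI under Tools > Requested Files.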

    12-10 13:30:29 Carbon Black Enterprise ProtectionProvider DEBUG Found Virus

Step 4: Check the Carbon Black Enterprise Protection Server Web UI for any errors. From the Carbon Black Enterprise Protection server Web UI, you can view error events under Reports > Events.

Carbon Black Enterprise Response

Carbon Black Enterprise Response, formerly known as Carbon Black, is an endpoint detection and response solution that records all endpoint activity and correlates the data with unified intelligence to pinpoint the attack root cause. Cyphort integrates with Carbon Black Enterprise Response in two ways:
- File Analysis: Any new binary seen at an endpoint is submitted to Cyphort for analysis.
- File Execution: Cyphort checks Carbon Black to see if a binary download seen on the network has been executed on the endpoint.

1. File Analysis

Carbon Black integrates Cyphort for inspection, analysis and correlation of suspicious binaries discovered at the endpoint. Carbon Black submits unknown or suspicious binaries to Cyphort Core, a secure threat analysis engine, which leverages Cyphort's multi-method behavioral detection technology and threat intelligence to deliver threat scores used in Carbon Black to enhance detection, response and remediation efforts.

For the integration, another application, the Cyphort-Carbon Black Endpoint Response Connector, is required. The connector can be installed on the Carbon Black Endpoint Response server or on any other Red Hat server. The Cyphort connector submits binaries collected by Carbon Black to a Cyphort appliance for binary analysis. The results are collected and placed into an Intelligence Feed on the Carbon Black server. The feed then tags any binaries executed on your endpoints that Cyphort identified as malware. Only binaries submitted by the connector for analysis are included in the generated Intelligence Feed.
Installation of Connector:

Step 1: Download the Cyphort Carbon Black Connector from Git.

Log in to the Carbon Black server as root. You can also use any other RPM-based 64-bit Linux distribution server that has access to the Carbon Black server.

    cd /etc/yum.repos.d
    curl -O https://opensource.carbonblack.com/release/x86_64/cbopensource.repo

Step 2: Install the Cyphort Carbon Black Connector using yum:

    yum install python-cb-cyphort-connector

Step 3: Modify the config file to enter the Carbon Black Server URL, Carbon Black Server Token, Cyphort URL and Cyphort API Key:

    cp /etc/cb/integrations/cyphort/connector.conf.example /etc/cb/integrations/cyphort/connector.conf

Make the following changes in the file:

    cyphort_api_key=<cyphort API Key for user cyadmin>
    cyphort_url=https://<cyphort IP Address>
    carbonblack_server_url=https://<carbon Black Server IP Address>
    carbonblack_server_token=<carbon Black Server API token>

The Cyphort API Key can be obtained from the Cyphort UI: click on Config -> System Profiles -> Users -> cyadmin -> API Key. The Carbon Black API Token can be obtained from the Carbon Black Server UI: click on the username found in the top right corner -> Profile Info -> API token.

Step 4: Start the service:

    service cb-cyphort-connector start

Troubleshooting the Connector:

Check the connector log /var/log/cb/integrations/cyphort/cyphort.log for any errors.

Note: If the connector gets a 401 Unauthorized error from Cyphort, check that the Cyphort API Key is correct and that the API key is not disabled.

Adding Cyphort to the Carbon Black Intelligence Feed:

Step 1: Click on Add New Feed from the Threat Intelligence Feeds page. The Threat Intelligence Feeds page can be reached from Detect -> Threat Intelligence.

Step 2: Add the feed URL. The feed URL is generally http://<ip Address of connector>:7000/feed.json. If the connector is installed on the Carbon Black server, then the feed URL is http://127.0.0.1:7000/feed.json.

Click Save.

Step 3: Once installed, you should see a message from the Carbon Black Server that the Threat Feed has been added successfully. Cyphort will also show up under Threat Intelligence Feed. Check Enabled.

Troubleshooting Cyphort Threat Feed:

Step 1: Download an executable on the endpoint. The best way to check if the Cyphort Threat Feed works is to download an executable on one of the endpoints that has a Carbon Black Enterprise Sensor running. After about 10 minutes, you can check if Cyphort provided a verdict for it. To check the verdict, click on Threat Reports on the feed.

Step 2: Sort by Most Recent and you should see a verdict for the executable that was downloaded on the endpoint. You can click on Details for more info.

If you don't see the exe under Threat Reports, check if the Carbon Black server received the object from the Carbon Black sensor running on the endpoint. You can do this by clicking on Respond -> Binary Search and searching using the md5sum of the executable. If the exe is not seen, then there's an issue with the Carbon Black sensor talking to the Carbon Black server. If you do see the executable, then the communication between the Carbon Black server and Cyphort is not working correctly.

2. File Execution

Cyphort can query Carbon Black Enterprise Response to determine if a malicious file was executed. By querying endpoints, the Cyphort Platform can better determine exactly where an attack sits in the kill chain and whether a download progressed to infection, by determining if the endpoint detonated the malware object, expediting targeted and accurate remediation.

Carbon Black Enterprise Response Configuration:

Step 1: From the Cyphort UI, configure the Carbon Black Enterprise Response details. Click on Config -> Environmental Settings -> Carbon Black Configuration. Provide the Carbon Black Enterprise Response Server IP address and API Key.

Troubleshooting File Execution:

The best way to check if File Execution works correctly is to download and run the executable on an endpoint.

Step 1: Check the Carbon Black Server IP address and API key configured on Cyphort to see if the details are correct and Carbon Black is enabled.

Step 2: Download a malware sample on an endpoint, say 192.168.1.2.

Step 3: Execute the malware on endpoint 192.168.1.2.

Step 4: When Cyphort sees the download, it checks with the Carbon Black server whether the download with md5sum m1 was detonated on endpoint 192.168.1.2. The logs for this on the Cyphort side are in /var/log/cyos/3rdpartyconnector/connector_carbon Black Enterprise Protection.log. This shows the requests and responses between Cyphort and the CB server. Cyphort requests the md5sum 340c860492c5ee5f708dfee57f650cd3 on sensor 1, which is endpoint 192.168.1.2:

    2016-03-15 12:08:37.764291 - (get) request url: https://192.168.1.26:443/api/v1/process?cb.q.md5=340c860492c5ee5f708dfee57f650cd3&cb.q.sensor_id=1&sort=start%20desc
    2016-03-15 12:08:37.764428 - (get) request headers: {'X-Auth-Token': u'8f7d3e7c4b8d1d8eee0a69a659e91f26562f6fd0'}
    2016-03-15 12:08:37.937878 - (get) response: {"terms": ["md5:340c860492c5ee5f708dfee57f650cd3", "sensor_id:1"], "total_results": 2, "facets": {}, "results": [{"process_md5": "eea63b8cf19e59c4a51ad2d9a59dda25", "sensor_id": 1, "modload_count": 116, "parent_unique_id": "", "cmdline": "\"C:\\Program Files (x86)\\internet Explorer\\IEXPLORE.EXE\" SCODEF:2928 CREDAT:464133 /prefetch:2", "filemod_count": 48, "id": "00000001-0000-01c0-01d1-7ee785cfd832", "parent_name": "(unknown)",

(The response is truncated in the original brief.) The number of results for the md5 query should be greater than 0, meaning the executable was actually executed on the endpoint.

Step 5: On the Cyphort UI under Incidents, the kill chain DL + EX should show up.

Step 6: If you don't see any results returned from CB for that md5, you need to check if:
a. The binary md5 m1 is present on the CB server.
b. The binary has some related processes (indicating it was executed). Click on the magnifying glass next to the sample.
c. The related processes should be more than 1.

CYPHORT, Inc.
5451 Great America Parkway, Suite 225, Santa Clara, CA 95054
P: (408) 841-4665  F: (408) 540-1299
Sales/Customer Support: 1-855-862-5927 (tel), 1-855-8-MALWARE (tel), 1.408.540.1299 (fax)
Email: support@cyphort.com

2016 Cyphort, Inc. All rights reserved.
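The File Execution check in Step 4 above is a single REST call to Carbon Black Enterprise Response, and it is useful to be able to reproduce it by hand when Step 6's checklist points at the Carbon Black side. The script below is an added example, not Cyphort's or Carbon Black's code: it builds the same GET /api/v1/process query (cb.q.md5, cb.q.sensor_id, sort=start desc, X-Auth-Token header) that appears in the Cyphort-side log, interprets the response the way Step 4 does (executed if total_results is greater than 0, which maps to the DL + EX kill-chain stage from Step 5), and returns the process ids and command lines so the related-process check from Step 6 can be applied. The server URL, token and sample response are constructed placeholders; the fetch parameter lets the logic run offline against a canned response.

```python
"""Ask Carbon Black Enterprise Response whether a binary (by MD5) ran on a sensor.
Added example reproducing the query logged in the Cyphort brief; not vendor code."""
import json
import ssl
import urllib.parse
import urllib.request

HEX = set("0123456789abcdef")


def build_process_query(server_url, md5, sensor_id):
    """Return the process-search URL the brief shows on the Cyphort side.

    Refuses plain http (the API token travels in a header) and malformed MD5s
    so a typo never turns into a wildcard search."""
    if not server_url.lower().startswith("https://"):
        raise ValueError("Carbon Black server URL must use https://")
    md5 = md5.strip().lower()
    if len(md5) != 32 or not set(md5) <= HEX:
        raise ValueError("md5 must be 32 hex characters")
    query = urllib.parse.urlencode(
        [("cb.q.md5", md5), ("cb.q.sensor_id", int(sensor_id)), ("sort", "start desc")],
        quote_via=urllib.parse.quote)          # gives start%20desc, as in the logged request
    return server_url.rstrip("/") + "/api/v1/process?" + query


def execution_evidence(response):
    """Interpret a process-search response as Step 4 of the brief does."""
    results = response.get("results") or []
    total = int(response.get("total_results", len(results)))
    return {
        "executed": total > 0,
        "total_results": total,
        "kill_chain": "DL + EX" if total > 0 else "DL",
        "processes": [(r.get("id"), r.get("process_md5"), r.get("cmdline")) for r in results],
    }


def _https_get(url, headers, cafile):
    # Verify the server certificate against a pinned CA bundle (cafile) rather
    # than disabling verification for an appliance with a private certificate.
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def check_execution(server_url, token, md5, sensor_id, fetch=None, cafile=None):
    """fetch(url, headers, cafile) -> dict; defaults to a real HTTPS GET."""
    url = build_process_query(server_url, md5, sensor_id)
    headers = {"X-Auth-Token": token}
    get = fetch or _https_get
    return execution_evidence(get(url, headers, cafile))


# Constructed sample response in the shape shown in the brief (values from its
# excerpt where available; the second result is made up for this example).
SAMPLE_RESPONSE = {
    "terms": ["md5:340c860492c5ee5f708dfee57f650cd3", "sensor_id:1"],
    "total_results": 2,
    "facets": {},
    "results": [
        {"process_md5": "eea63b8cf19e59c4a51ad2d9a59dda25", "sensor_id": 1,
         "id": "00000001-0000-01c0-01d1-7ee785cfd832",
         "cmdline": "\"C:\\Program Files (x86)\\internet Explorer\\IEXPLORE.EXE\" SCODEF:2928 CREDAT:464133 /prefetch:2"},
        {"process_md5": "340c860492c5ee5f708dfee57f650cd3", "sensor_id": 1,
         "id": "00000001-0000-0ab4-01d1-7ee7a1b2c3d4", "cmdline": "C:\\Users\\sample\\malware.exe"},
    ],
}

if __name__ == "__main__":
    # Offline demonstration; replace fetch=None and a real token to query a server.
    ev = check_execution("https://192.168.1.26:443", "PLACEHOLDER_TOKEN",
                         "340c860492c5ee5f708dfee57f650cd3", 1,
                         fetch=lambda url, headers, cafile: SAMPLE_RESPONSE)
    print("executed:", ev["executed"], "stage:", ev["kill_chain"], "results:", ev["total_results"])
    for pid, pmd5, cmd in ev["processes"]:
        print(" ", pid, pmd5, cmd)
```

Two points of the design are worth noting. The token is only ever sent over HTTPS, and certificate checking stays on with an operator-supplied CA file, because the same API token that answers this read-only search is what the brief's Step 4 warns is visible in the connector log. And an empty result set is returned as a normal "not executed" verdict rather than an error, which is the case Step 6 tells you to investigate on the Carbon Black side (binary not present, or no related processes).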