NOTE: This article was originally published to the F-Secure Community, and has now been migrated to the WithSecure Community
Update: A blog post has been made with more technical examples, together with associated videos. Take a look!
We have added many new response actions to the Microsoft Windows version of the Elements Endpoint Detection and Response product. A common issue encountered by incident response is the ability to rapidly respond to an incident and mitigate the risk once it has been identified. Reducing the time the attacker can operate in your infrastructure also reduces the damage the attacker can cause.
When talking to our customers and partners it has become clear that there is a need to automate certain response actions, and a need to execute certain actions for multiple endpoints simultaneously to increase productivity.
We are happy to announce several new response actions that can be remotely triggered for one or multiple endpoints at the same time. These powerful new response actions are now available globally.
We will be adding support for Mac and Linux at a later date. Unfortunately we cannot give a timeline for this at the moment.
The importance of “R”
The Response capability gives defenders the ability to enrich forensic artefacts collected from endpoints and to fight back against attackers. It also gives responders the ability to slow down or stop an attacker from achieving their objectives – for example, by degrading command and control communications – and to rapidly contain threats as they are discovered, blocking them immediately. This can be done per endpoint or organization-wide if necessary.
Response capability can be divided into three parts:
· Investigative actions
· Containment actions
· Remediation actions
Investigative actions
· Collect Forensics Package
· Enumerate Process
· Enumerate Scheduled Task
· Enumerate Services
· Full Memory Dump
· Map File System
· Map Registry
· Netstat
· Retrieve Anti-Virus Log Files
· Retrieve Event Log Files
· Retrieve Files
· Retrieve Folders
· Retrieve Master Boot Record
· Retrieve Master File Table
· Retrieve PowerShell history
· Retrieve Process Memory Dump
· Retrieve Registry Hives
Incident investigation consists of many activities that can be performed to gather more context in support of incident investigation and response, and to collect forensic evidence about the attack. The investigation phase can also be used in Threat Hunting, which is not necessarily triggered by a Broad Context Detection.
The investigation phase typically includes retrieving more data from the endpoints, such as logs, task lists, process lists, registry entries, files and folders, memory contents, and lists of network connections. The Event search tool can be used to further search data related to the Broad Context Detection that has already been sent to the EDR Backend. In a typical case, only raw event data related to Broad Context Detections is sent to F-Secure’s EDR Backend. If the customer or partner wants to perform Threat Hunting activities, an additional Threat Hunting option is available.
Please note that data can be retrieved from multiple endpoints with a single action, increasing the productivity of the IT admin or your security operations team. Additionally, if the endpoint is not online when the request for additional information is made, the endpoint agent will deliver the information as soon as it comes online.
Containment actions
· Control Applications
· Kill Process
· Kill Thread
· Network Isolation
After the incident investigation phase, the IT admin or the WithSecure Partner managing the detection and response service can contain the attack and prevent the attacker from continuing towards their objective. Containment allows a responder to proactively carry out actions on selected endpoints and, in the case of a real-time attack, thwart the attacker’s actions and stop them from achieving their goal. Please note that these response actions can be applied to multiple endpoints with a single action, similarly to the investigation phase.
Isolating a device from the network is a powerful action to contain an attack. It can both protect the customer’s assets and give the incident response team more time to analyze the activity and stop the threat. When issued, it isolates the target endpoint from the network and blocks all communications except to WithSecure’s EDR Backend and other customized locations, allowing the incident response team to continue performing defensive and investigative actions. Network isolation can also be triggered automatically, e.g. when a Broad Context Detection happens outside office hours. Network isolation displays a message on the end-user’s screen.
The Kill Process containment action ensures that specified processes are terminated remotely on specific endpoints.
Application control in the Elements Endpoint Protection software can be used in cases where there is a known malicious binary on a target endpoint and you want to prevent it from being run again. Application control is part of the Elements Endpoint Protection device profile, so the rule is typically applied to a larger group of devices within the environment.
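To make the allow-list behaviour of network isolation concrete, here is an added example that implements the same idea locally with the Windows Firewall: block everything, keep the EDR backend and DNS reachable, notify the user, and restore the previous state on release. This is not WithSecure’s implementation; the backend address (203.0.113.10, a documentation range) and the state-file path are placeholder assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not WithSecure's code: allow-list host isolation with the Windows Firewall.
$RulePrefix = 'IR-Isolation'
$StateFile  = Join-Path $env:ProgramData 'IR-Isolation-state.json'   # assumed location

function Enter-HostIsolation {
    param(
        # Placeholder: the EDR backend and any other locations that must stay reachable.
        [string[]]$AllowedRemote = @('203.0.113.10'),
        [string]$UserMessage = 'This device has been isolated by the security team. Please contact IT.'
    )
    # Record the current profile defaults so Exit-HostIsolation can restore them exactly.
    Get-NetFirewallProfile |
        Select-Object Name,
            @{n='In';  e={ "$($_.DefaultInboundAction)" }},
            @{n='Out'; e={ "$($_.DefaultOutboundAction)" }} |
        ConvertTo-Json | Set-Content -Path $StateFile

    # Start from a clean slate if a previous isolation left rules behind.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule

    # Explicit allow rules take precedence over the profile's default block action.
    New-NetFirewallRule -DisplayName "$RulePrefix-Backend-Out" -Direction Outbound -RemoteAddress $AllowedRemote -Action Allow | Out-Null
    New-NetFirewallRule -DisplayName "$RulePrefix-Backend-In"  -Direction Inbound  -RemoteAddress $AllowedRemote -Action Allow | Out-Null

    # The agent still has to resolve the backend name: allow DNS only to the configured resolvers.
    $dns = (Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Where-Object { $_ } | Select-Object -Unique
    if ($dns) {
        New-NetFirewallRule -DisplayName "$RulePrefix-DNS-Out" -Direction Outbound -Protocol UDP -RemotePort 53 -RemoteAddress $dns -Action Allow | Out-Null
    }

    # Block everything else in both directions on all profiles. Caveat: pre-existing allow rules
    # (e.g. the built-in Core Networking set) stay in effect; a production tool would disable those too.
    Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block

    # Tell the user what happened (msg.exe is not shipped on Home editions, so check first).
    if (Get-Command msg.exe -ErrorAction SilentlyContinue) { msg.exe * /TIME:120 $UserMessage }
}

function Exit-HostIsolation {
    # Restore the recorded profile defaults, then remove only the rules this script created.
    if (Test-Path $StateFile) {
        foreach ($p in (Get-Content $StateFile -Raw | ConvertFrom-Json)) {
            Set-NetFirewallProfile -Name $p.Name -DefaultInboundAction $p.In -DefaultOutboundAction $p.Out
        }
        Remove-Item $StateFile
    }
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule
}
```

Run `Enter-HostIsolation` to contain the host and `Exit-HostIsolation` to release it; test on a non-production machine first, since a mistaken allow-list can cut off your own remote access.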
Remediation actions
· Delete File
· Delete Folder
· Delete Registry Key
· Delete Registry Value
· Delete Scheduled Task
· Delete Service
· Inform users
· Scan host
These actions are meant to ensure that the attacker does not achieve persistence on an already compromised system:
The Scan host action initiates a full system scan and removal of malware and other harmful content with WithSecure Elements Endpoint Protection. Elements Endpoint Protection has always-on scanning, but this action provides a convenient and quick way to ensure the target system is clean of malicious files.
The response team can also remotely delete files, folders, registry keys and values, scheduled tasks and services on the selected endpoints.
Finally, Inform Users can be used to compose and send an alert email to users of the affected hosts.
For further documentation on the Response Actions, please see the Help Center documentation on the feature.