Update 2024-06-19: We will be enabling the Accepted Behavior feature globally from 26 June 2024. Please see the section below, "Accepted Behavior after 26 June 2024", for more information.
With the introduction of Accepted Behavior, it is now possible to create suppression rules which accept the behavior of a user or a process. This can significantly aid in silencing BCDs for expected behavior.
This is required by many partners and customers, as WithSecure creates an EDR solution that is suited to many different environments, which means there may be specific detection use cases where, due to your environment, you want to 'allow' or accept behavior. For example, you may use software called "ABC" and can confidently trust that process "XYZ" is legitimate, and therefore want to suppress the detection so that a similar BCD is not generated.
For a period of time, we have accepted ad-hoc requests for allow listing, but now we have created a wizard in Elements Security Center where you can self-serve the suppression rules.
How does Accepted Behavior work?
A "Broad Context Detection" (BCD) is a collection of detections that highlight malicious or suspicious behavior. Each BCD has one or more "key detections". A key detection is a stand-alone detection that would, on its own, produce a new BCD. In order to prevent similar BCDs from recurring, each key detection in a BCD must be suppressed. One suppression rule is created per key detection.
Accepted Behavior is required if your organisation’s specific circumstances mean a detection should be suppressed. Elements users should be careful when suppressing detections, to ensure they don't suppress too broadly and silence behavior that, although common, might also be part of a legitimate attack.
What are the limitations of the first release?
- We will enable “accepted behavior” for a small group of partners initially, to collect feedback and improve the suppression mechanisms.
- At launch, this feature will be available for BCDs with up to 5 key detections. We are working to make it available to all BCDs, by reducing the overall number of key detections without removing any unique information from the BCD.
- There may be cases where identical rules are created because a key detection repeats with the same parameters; this will be addressed in the upcoming weeks.
How to tell if you are over-suppressing BCDs?
When you apply a suppression rule, any new BCD created will be automatically closed with the resolution "Auto Accepted Behavior". To give you an indication of how many BCDs are silenced, the detection engine will generate at most one new BCD every 24 hours per suppression rule if the suppression criteria are met. After 24 hours have elapsed, a new BCD will be generated if the suppression rule is triggered again. WithSecure recommends that partners regularly review the suppressed BCDs to ensure malicious activity is not being suppressed.
Note: Accepted Behavior is required in cases where BCDs that cause recurring false positives have similar but not identical BCD fingerprints. If a BCD has been closed with "False Positive", identical BCDs, with an identical fingerprint, are automatically closed with the resolution "Auto-False Positive".
How do I silence a BCD?
The first step is to find a BCD you want to silence.
When the investigation is finished, change the status to Closed and set the resolution to 'Accepted Behavior'. A pop-up window will ask whether you would like to create a 'suppression rule'.
Click Yes to be taken to the Suppression Rule Wizard, where you can choose which endpoints should be affected.
There are 7 different parameters that can be used for BCD suppression. The parameters are pre-filled with data collected from the BCD. Those suppression parameters are explained below.
WithSecure enforces the use of at least 2 parameters for each key detection, to ensure the 'accepted scope' is minimised.
Parameters that are enabled by default have a green toggle, indicating the parameter will be used in the rule. Click 'show more' to view further parameters; these are disabled by default, i.e. they are not used within the existing rule. You can enable or disable any parameter by toggling it. Most parameters are pre-populated with information from the BCD.
For BCDs with multiple key detections, there will be an accordion and set of parameters for each key detection. Each key detection in a BCD must be suppressed by a rule, to silence the BCD.
The table below shows the parameters that can be used:
Accepted Behavior Parameter | Example | Description |
---|---|---|
exe_path | c:\path\admin\support_service.exe | This will suppress the key detection and named executable combination. |
exe_name | support_service.exe | This will suppress this key detection and process combination. |
cmdl | "c:\windows\system32\net localgroup group_name /add /domain | This will suppress the executable only when the exact arguments are matched for this key detection. |
parent_exe_path | c:\path\admin\\support.exe | This will suppress this key detection and parent combination. Take care when suppressing a parent process only. It is recommended that this is used with another non-parent parameter. |
parent_exe_name | support.exe | This will suppress this key detection and parent combination. |
parent_cmdl | c:\windows\system32\net localgroup group_name /add /domain | This will suppress the key detection for any process that is created from the exact match of this parent command line. WithSecure recommends this is used in addition to the child parameters. Accepting the behavior from the parent alone (without other parameters) means the scope of the suppression is much wider, potentially dangerously so. |
username | john_doe | This will suppress the key detection and username combination. Any process that would trigger the key detection will be silenced for the given username. WithSecure strongly advises that this is used alongside other parameters. |
Which operators can I use when configuring parameters in a key detection?
Suppression rules allow you to set up two operators: “Equals,” which applies to all parameters when their length is less than 1024 characters, and “Contains,” which is applicable to all parameters. Please note, the Contains operator does not support wildcard characters (*).
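As an added illustration (not WithSecure's code) of how the parameters and operators above combine into a rule, the following Python models a suppression rule as a list of conditions, enforces the two-parameter minimum and the 1024-character limit on Equals, treats Contains as a literal substring test (so a '*' is matched literally, not as a wildcard), and requires every key detection of a BCD to be covered before the BCD counts as suppressed. Case-insensitive comparison of values is an assumption of this model.

```python
from dataclasses import dataclass

# Constructed model of an Accepted Behavior suppression rule; not WithSecure's
# implementation. Parameter names follow the table in this article.
PARAMETERS = ("exe_path", "exe_name", "cmdl",
              "parent_exe_path", "parent_exe_name", "parent_cmdl", "username")
MIN_PARAMETERS = 2      # the wizard enforces at least 2 parameters per key detection
EQUALS_MAX_LEN = 1024   # "equals" is only offered for values shorter than this

@dataclass
class Condition:
    parameter: str   # one of PARAMETERS
    operator: str    # "equals" or "contains"
    value: str

def validate_rule(conditions: list) -> list:
    """Return the problems the wizard's constraints would flag (empty if valid)."""
    problems = []
    if len(conditions) < MIN_PARAMETERS:
        problems.append(f"at least {MIN_PARAMETERS} parameters are required")
    for c in conditions:
        if c.parameter not in PARAMETERS:
            problems.append(f"unknown parameter {c.parameter!r}")
        if c.operator == "equals" and len(c.value) >= EQUALS_MAX_LEN:
            problems.append(f"{c.parameter}: 'equals' needs a value shorter "
                            f"than {EQUALS_MAX_LEN} characters")
        elif c.operator not in ("equals", "contains"):
            problems.append(f"{c.parameter}: unsupported operator {c.operator!r}")
    return problems

def matches(conditions: list, key_detection: dict) -> bool:
    """True when every condition holds for the key detection's process fields.
    Assumption: values compare case-insensitively (Windows paths and names)."""
    for c in conditions:
        observed = key_detection.get(c.parameter, "").lower()
        wanted = c.value.lower()
        if c.operator == "equals" and observed != wanted:
            return False
        # "contains" is a plain substring test: a '*' in the value is literal
        if c.operator == "contains" and wanted not in observed:
            return False
    return True

def bcd_suppressed(key_detections: list, rules: list) -> bool:
    """A BCD is auto-closed only if every one of its key detections is matched
    by some rule; one unmatched key detection keeps the whole BCD visible."""
    return all(any(matches(r, kd) for r in rules) for kd in key_detections)
```

A username-only rule fails validation because of the two-parameter minimum, which is the guard against the over-broad scope the table warns about.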
Does the allow listing take effect immediately?
You can check suppression rules in the Automated Actions area, under the 'Suppression Rules' tab.
You can click on the rule, and then on the count of BCDs that have been silenced; this takes you to the BCD view, where the BCDs silenced by this rule are listed.
We will not close pre-existing BCDs when a new rule is implemented. Any new BCDs created after the rule is implemented will be closed with the "Auto Accepted Behavior" resolution.
NOTE: Our partners/customers will be able to create suppression rules for newly created BCDs after the feature is released.
Why can't I see rules that align to my existing allow-listing requests?
The WithSecure Detection and Response Team (DRT) has implemented allow-listing at a different level in the WithSecure detection engine, which means BCDs are not created for allow-listing performed by the DRT. Therefore, those rules are not available in the 'Suppression Rules' view.
What is WithSecure doing to reduce false positives?
We are currently working on improving detection quality by increasing our ratio of True Positives to Total Reported Incidents. The solution has three parts; a simulation of them has produced promising results, suggesting BCD volumes could be reduced by 40%.
The three parts detailed below will result in fewer Medium, High and Severe BCDs being created, with a more accurate risk rating:
- Improvement of noise suppression mechanisms - We are redesigning our mechanism to suppress detections that are from usual behavior.
- Enhanced BCD risk scoring algorithm - We are implementing a new algorithm that will calculate a risk score of a BCD based on the distribution of severities across the detections contained within the BCD as well as using past and present data to improve the accuracy of the scoring.
- Integration of the BCD clustering ML model - This model will cluster together incidents based on their similarity to others that have already been assessed as FPs or confirmed by customers and partners.
Who can edit the suppression rules?
If you are a read-only user, you are not allowed to add or edit rules.
If you are a user with Full Access to a company, you are able to:
- Create Rules
- Edit rules created for your company.
If you are a partner with Full Access, you should be able to:
- Create Rules
- Edit the rules created at the partner level by yourself or your colleagues.
- Edit the rules created by your customers in the companies you manage.
Are the rules company specific?
Yes, currently one rule can apply to one company only. We have received feedback that partners would like rules to apply to multiple companies, so have added this to our roadmap.
Whose responsibility is it to validate suppression rules?
The partner is responsible for ensuring their analysts and end users understand, and are able to configure and manage, suppression rules. The partner must accept that rules which are overly suppressive may result in missed compromises, as BCDs are hidden. Therefore, we recommend the partner/end user regularly review the rules and their effectiveness.
New resolution codes
- Accepted Behavior - The incident has been closed and is no longer monitored. The detection was confirmed as acceptable behavior.
- Auto Accepted Behavior - The incident has been closed automatically as accepted behavior based on the existing suppression rules.
Note: closing a BCD as Accepted Behavior does not silence similar BCDs; a rule must be created.
Accepted Behavior after 26 June 2024
From 26 June 2024, ‘Accepted Behavior’ will be available globally to all customers.
It will be possible to create suppression rules that accept the behavior of a user or process. This feature aids in silencing "Broad Context Detections" (BCDs) for expected behavior. Partners and customers using WithSecure’s EDR solution can utilize this functionality to allow specific behavior in their environments. For example, if you trust a process called ‘XYZ’ associated with software ‘ABC,’ you can suppress similar BCDs to avoid unnecessary alerts.
Accepted Behavior works by suppressing key detections within a BCD. Each BCD contains one or more key detections that highlight suspicious behavior. Organizations can create suppression rules based on their specific circumstances. However, users should be cautious not to suppress too broadly, as legitimate behavior might also be affected.
The limitations of this release include enabling ‘accepted behavior’ on BCDs with up to 5 key detections. We will soon address cases where identical rules are created due to repeating key detections.
Additionally, a partner can create a suppression rule which applies to all the companies they manage. At this time there is a limitation that they can apply the rule to one organization, or all organizations they manage. We hope to enable more fine-grained control of this in the future.