Endpoint Security

Threat Hunting Using Endpoint Data for a Proactive Defensive Posture

When approaching endpoint security and defense, the first thought that comes to mind for many is making sure each endpoint has an anti-virus product installed. This is certainly a necessary first step, but there are many other factors that affect endpoint security. When we talk about threat hunting here at Fidelis, we reference the importance of internal intelligence. If we don’t know what is inside our networks or we have zero visibility into the software installed on our endpoints, how can we begin to defend them?

We decided this is such an important enabler of threat hunting, that in the latest release across our platform (that includes all of our standalone products for network traffic analysis and Data Loss Prevention (DLP), endpoint detection and response, and deception) we introduced features that give users deeper insight into their overall environment. For the purposes of this blog post, however, we will focus on our endpoint detection and response and endpoint protection capabilities.

More Than Installed Software

How many tools, people, or hours does it take you to get answers about software versions correlated to CVEs across endpoints in your organization today? What if you identify malicious behavior on an endpoint and want to see what software is installed, including the version and known CVE information? If an exploit was used against that software, what information would help you know?

Fidelis Endpoint makes this easy. Our centralized list of installed software is continuously updated with data from each endpoint, and we automatically correlate the software and version information against known CVEs and Microsoft KB articles with links directly to the details. If a new CVE comes out tomorrow for software deployed in your environment, we’ll generate an alert to draw your attention to it.

Proactive Response: Example Scenario

We’ve received an alert that one of our endpoints recently installed a vulnerable version of the VLC video player software.

Digging into this endpoint, we can indeed see that VLC version 2.2.8 was installed on this endpoint and is vulnerable to the CVE listed in our alert. The alert contains a link to the CVE database, as well as the full vulnerability description to provide context and awareness. Since this is an unauthorized installation of software, we can dig into all the alerts generated by this endpoint to determine if this vulnerability was exploited.

Browsing through the list of alerts we can see a couple alerts for “Exploit: Detect Possible Crash based on werfault” fired shortly after the installation date of our vulnerable version of VLC.

Knowing that the CVE description states it could cause “denial of service” conditions, we should investigate these alerts to see if they were caused by VLC. Clicking on the first shows us that the parent process of “werfault” was “svchost.exe” which doesn’t tell us too much, however when viewing the second alert we see that indeed the parent process was “vlc.exe.”

Let’s investigate this instance of “vlc.exe” to determine if this crash caused any suspicious behavior to occur. With the Fidelis Endpoint platform we can view the children of our vlc.exe process, which shows us that not only did it spawn an instance of “werfault.exe”, but it also started “powershell.exe” which is definitely a suspicious behavior.

Since VLC shouldn’t be starting a PowerShell process, especially after it crashes, we can conclude that there is a high probability the user launched a malicious MKV file loaded with the exploit indicated by our CVE alert. We can also investigate the PowerShell process to determine what actions were taken, and by viewing the process behavior we see that it reached out to download another PowerShell script.

One other added feature in our latest release is the ability to view executed script content inside the platform. Since we know that our PowerShell process downloaded and executed another PowerShell script, we can quickly view the behavior of that process to identify the script contents. This saves us time when investigating and eliminates the need to interact with the endpoint directly to identify what occurred.

Hopefully this example demonstrates how Fidelis Endpoint gives the user a powerful capability to drive a proactive threat hunting posture. The information provided can be used in many ways:

  • Prioritize patching for key assets that are vulnerable to CVEs
  • Identify software with CVEs and a high severity, or software installed on more than X number of endpoints
  • Generate reports that can be used by other teams for reference or exceptions
  • Identify software that is against policy or needs to be updated
  • While investigating use the CVE information to get a better understanding of how a certain exploit could have been used against the endpoint

We believe that giving users easy access to this information is a crucial step in properly defending your environment. If you don’t know what is on your assets, and what they are vulnerable to, then how are you going to defend them?

Browse our blog