In these slides I will show you 7 simple steps to test different McAfee ENS protection mechanisms.
And as a bonus I will show you how to use MVISION Insights to react to the SunBurst threat.
List of tests:
- OAS AMCore detection
- OAS GTI detection
- Access Protection
- Exploit Prevention
- Real Protect (ATP-RP)
- Dynamic Application Containment (ATP-DAC)
- Credential Theft Protection (ATP-RP-CTP)
All tests target built-in rules and were conducted without using real malware, so it is safe to repeat these steps in your environment.
#McAfee #MVISION #Insights #SunBurst #SolarWinds #supplychain
2. I work at OptiData LLC (Ukraine).
I do dynamic malware analysis.
I also write analytics and choose news for our Facebook page.
Conduct IS training for users and technical staff.
My job is all about presenting, implementing and supporting
various security solutions (including McAfee).
vr@optidata.com.ua
radetskiy.wordpress.com
pastebin.com/u/VRad
VR
#whoami
3. 1. MVISION Insights (brief)
2. ENS modules (short theory)
3. Testing ENS without risk for hosts (simple steps)
4. Dealing with SunBurst IOCs (FireEye, SolarWinds intrusions)
5. Links (URLs) to valuable technical details
#agenda
5. • McAfee Cloud checks telemetry from your hosts running ENS
• Insights provides triage for all IOCs from your hosts
• You get a clear picture of what was detected on your systems (our video)
MVISION Insights – get additional analytics for ENS detections
* 662 for August, today it is over ~780
6. ✓ ENS Platform - GUI
✓ ENS Threat Prevention - OAS, ODS, AP, ExploitPrev
✓ ENS Firewall - FW
✓ ENS Web Control - Client Web Filtering (IE, Chr, FF, Edge)
✓ ENS ATP - Adaptive (GTI, TIE, ATD, DAC, RP … )
McAfee ENS – the tools of the trade
8. • Adaptive Threat Protection:
✓ Dynamic Application Containment [DAC]
✓ Real Protect (cloud / offline)
✓ Submit unknown executables to McAfee ATD (sandbox)
✓ Roll back changes made by ransomware (our video - Enhanced Remediation)
✓ Credential Theft Protection (LSASS.EXE)
* ATP does not replace Threat Prevention (AP and EP); it only extends it!
McAfee ENS ATP functions
9. 1. ENS has to be updated at least once (running the shipped AMCore 0.5 content is a bad idea)
2. You need to update not only AMCore but Exploit Prevention content too
3. ATP efficiency depends on reputation source availability (TIE / GTI)
! https://kc.mcafee.com/corporate/index?page=content&id=KB93324
Attention!
38. SolarWinds > FireEye intrusion (brief)
• The investigation is still ongoing …
• It was a supply chain attack through the SolarWinds Orion Platform
• Victims include: U.S. Department of the Treasury, Department of State,
Department of Homeland Security, Department of Energy and even the
National Nuclear Security Administration…
• Low-profile, long-term intrusion affecting about 18K different orgs…
• To be protected you'd have to deal with tons of IOCs as quickly as possible