Class 1 ‐ Endpoint Security - Justin-Boyd/CIT-Class GitHub Wiki
Network & Endpoint Security Introduction
What Is an Endpoint Security Solution?
- A suite of tools that helps protect workstations
- Secures end-user devices (desktops, laptops, etc.)
- Actively defends against risky activity and/or malicious attacks
- Operates as an enterprise security perimeter and is best suited for bring your own device (BYOD)
Endpoint Security Suite
- Antivirus
- Data Loss Prevention (DLP)
- Application Control/Allow Listing
- Host Intrusion Prevention/Detection System (HIPS/HIDS)
- Communications Encryption
- Email and Phishing Protection
- Logging and Monitoring
- Encrypted Communication and Hardware
Antivirus Under the Hood: Scanning
- String/byte signatures
- Hash signatures
- Heuristic detection
Common Vendors
- Symantec Endpoint Protection
- Check Point Endpoint Security
- Kaspersky Endpoint Security
- McAfee Endpoint Protection
Antivirus
- AV signatures must always be updated.
- Designed to detect and remove viruses, trojans, worms, etc.
- Can quarantine or delete files
Multi-Engine Antivirus Scanning
- Only one AV should be installed on a workstation.
- Different AVs, different methodologies, and block lists
- Scanning with multiple engines simultaneously
ClamAV Introduction
ClamAV in a Nutshell
- Open-source and cross-platform AV software
- Mainly a CLI tool, although a GUI is available
- Most features require initial configuration.
Pros & Cons
Pros
- Free
- Supports scheduled tasks
- Ease of use
- Regular virus database updates
- High virus detection rates
- Technical support
Cons
- Low processing speed
- Infrequent software updates
- 100% virus protection not guaranteed
- No host firewall
- No safe browsing capabilities
- GUI is outdated; inadequate features
ClamAV Installation
- Download - ClamAV Portable
- Move - Configuration Files
- Change - Sample configuration
- Update - Virus Database
ClamAV Configuration Files
- clamd.conf: ClamAV scan daemon settings
- freshclam.conf: Change virus database update interval.
- clamconf: Tool that prints the effective settings from both configuration files.
Problems & Risks
False Positives & False Negatives
False positive
- A test result falsely indicates the presence of a condition.
False negative
- A test result mistakenly negates a condition.
False Positive (F/P) Causes
- Heuristics: AVs evolve and so do viruses.
- Behavioral Analysis: Legitimate apps behaving like malicious apps
- Machine Learning: Mistakes in training data fed to software
Zero-Day
- A newly discovered flaw in a program
- Exploited before a vendor can patch it
- Zero-day flaws are highly sought after by both hackers (offense) and enterprise security teams (defense).
Antivirus Bypass Techniques
- Packing and encryption
- Code mutation
- Stealth techniques
- Disable AV updates
- Fileless attack
Endpoint Security Components
- Internal Firewall: Blocks incoming/outgoing connections to/from the workstation
- HIDS/HIPS: Detects, protects, and alerts upon malicious activity
- Sandbox: Restricted environment used to run suspicious programs and files
Device Control & BYOD
- Expand the enterprise security perimeter.
- Employees connect private devices to the company network.
- Potential of passing malware through company defenses
- BYOD = Bring Your Own Device
- Removable storage device
- Policy enforcement
- Data protection
Endpoint Detection & Response
What Is EDR?
- Originally known as ETDR (Endpoint Threat Detection and Response)
- Provides high visibility of endpoints
- Focuses on detecting and responding to malicious activity on the host
- Best use case: manually hunting for threats.
EDR vs. AV
- AV has a single purpose: detecting and removing malware.
- EDR includes an AV.
- EDR can protect against sophisticated threats (APT).
Visibility & Response
- Securing endpoints requires real-time visibility of all activities on the endpoint.
- Pinpoint malicious behavior.
- Act swiftly to prevent an attack from becoming a breach.
YARA Rules & Signatures
Signature Usage
- AVs rely on signatures.
- Vendors have different signature formats.
- ClamAV supports signatures written in YARA format.
Signature Types
Body-Based Signature
- Compares specific sequences of suspicious file bytes with malware models stored in a database
Hash-Based Signature
- Compares the hash checksums of suspicious files with malware models stored in a database
Besides the signature types above, ClamAV allows the addition of custom signature files based on YARA rules.
Writing a Signature
```powershell
PS C:\Program Files\ClamAV> .\sigtool.exe --md5 C:\Users\johnd\Downloads\test.exe > test.hdb
PS C:\Program Files\ClamAV> .\clamscan -d test.hdb test.exe
```
sigtool is used to write and inspect signatures.
- The --md5 flag generates an MD5 hash signature for the file.
- The argument is the full path of the file to hash.
- Redirecting the output creates the test.hdb signature database, which clamscan then loads with -d.
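To make the .hdb step concrete, here is an added Python example (not from the wiki or from ClamAV itself) that builds an entry in the same MD5:FileSize:MalwareName form that sigtool --md5 writes and then checks a file against such a database the way clamscan -d does; the sample file bytes are constructed, and handling "*" as an any-size field is an assumption about ClamAV's format.

```python
import hashlib

# Constructed sample "file" standing in for the test.exe from the page's example.
SAMPLE_FILE = b"MZ\x90\x00" + b"constructed test payload for the hdb demo" * 3


def hdb_entry(data: bytes, name: str) -> str:
    """Build one .hdb line in the MD5:FileSize:MalwareName form that
    `sigtool --md5` emits (sigtool uses the file name as MalwareName)."""
    return f"{hashlib.md5(data).hexdigest()}:{len(data)}:{name}"


def scan_hdb(data: bytes, hdb_text: str) -> list:
    """Return the MalwareName of every .hdb entry that matches `data`.

    An entry matches only when both the MD5 and the file size agree, so a
    file that differs by a single byte is no longer detected; that is the
    limitation the body-based and logical signatures below address.
    The '*' size wildcard (assumed ClamAV syntax) matches any size."""
    digest = hashlib.md5(data).hexdigest()
    hits = []
    for line in hdb_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        parts = line.split(":")
        if len(parts) < 3:
            continue  # malformed entry: skip it rather than abort the scan
        sig_hash, size, name = parts[0].lower(), parts[1], parts[2]
        size_ok = size == "*" or size == str(len(data))
        if sig_hash == digest and size_ok:
            hits.append(name)
    return hits


if __name__ == "__main__":
    db = hdb_entry(SAMPLE_FILE, "test.exe")
    print(db)
    print("original :", scan_hdb(SAMPLE_FILE, db))
    print("modified :", scan_hdb(SAMPLE_FILE + b"\x00", db))
```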
Logical Signature
- Combines multiple signatures using logical operators
- Enables more specific and flexible pattern matching
- File extensions include *.ldb, *.ldu, and *.idb
YARA Rules
- A way of describing a pattern to identify files
- Rules are written to meet specific conditions.
- Mainly used to classify particular strains or entire malware families
YARA Rule Structure
```yara
rule ExampleRule
{
    strings:
        $text_string = "text here"
        $hex_string = { E2 34 A1 C8 23 FB }
    condition:
        $text_string or $hex_string
}
```
- The first part of the rule is its name.
- Strings can specify text and hex values to search for.
- Logical operators can be used in the condition of the rule.
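As an added example (not part of the wiki and not YARA's own code), the following Python evaluates ExampleRule by hand, so the strings section and the "or" condition can be traced on sample bytes; it also handles YARA's "??" single-byte wildcard in hex strings, which goes beyond the page's rule.

```python
def parse_hex_string(pattern: str) -> list:
    """Turn a YARA hex string like "{ E2 34 ?? C8 }" into a list of ints,
    with None marking a "??" wildcard byte."""
    tokens = pattern.strip().lstrip("{").rstrip("}").split()
    return [None if t == "??" else int(t, 16) for t in tokens]


def find_hex(data: bytes, pattern: str) -> int:
    """Offset of the first occurrence of the (wildcarded) byte pattern, or -1."""
    pat = parse_hex_string(pattern)
    for i in range(len(data) - len(pat) + 1):
        if all(p is None or data[i + k] == p for k, p in enumerate(pat)):
            return i
    return -1


# The two strings of ExampleRule, keyed by their YARA identifiers.
EXAMPLE_RULE_STRINGS = {
    "$text_string": ("text", "text here"),
    "$hex_string": ("hex", "{ E2 34 A1 C8 23 FB }"),
}


def match_strings(data: bytes, strings=EXAMPLE_RULE_STRINGS) -> dict:
    """Return {identifier: offset} for every rule string found in data.
    Text strings are case-sensitive here, as they are in YARA by default."""
    found = {}
    for ident, (kind, value) in strings.items():
        if kind == "text":
            off = data.find(value.encode())
        else:
            off = find_hex(data, value)
        if off >= 0:
            found[ident] = off
    return found


def example_rule_matches(data: bytes) -> bool:
    """Evaluate ExampleRule's condition: $text_string or $hex_string."""
    found = match_strings(data)
    return "$text_string" in found or "$hex_string" in found


if __name__ == "__main__":
    # Constructed sample inputs: one hits the hex string, one hits neither.
    print(match_strings(b"\x00\xe2\x34\xa1\xc8\x23\xfb"))
    print(example_rule_matches(b"nothing to see"))
```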
YARA Rule Signature
- ClamAV accepts YARA rules with certain limitations.
- The extensions .yar and .yara are parsed as YARA rules.
- Maximum of 64 strings per rule
PhishSigs
- Database of file signatures related to phishing
- File extensions:
  - *.pdb: URLs of potential phishing sites
  - *.gdb: URL hashes
  - *.wdb: Allow listed URLs
Allow List Databases
Allow Listing
- AVs can mistakenly identify files as malicious.
- ClamAV includes an option to allow listing applications.
Exclusions
- *.fp: MD5 hash of a file to allow list
- *.sfp: SHA1 or SHA256 hash of a file to allow list
- *.ign2: Names of specific signatures to ignore
- These are the allow list signature database file extensions.