
14_BluArmour Endpoint Protection

BEST PROTECTION FOR YOUR ENDPOINTS - BluArmour has been renamed OneAgent, which adds Response, Remediation and full-fledged EDR capabilities.

Enterprises are constantly improving their security strategy for responding to advanced threats and new-age ransomware. Today's threats side-step traditional endpoint security measures and disrupt businesses, damaging productivity, impacting critical operations and increasing costs.

Page Archived

INTRODUCTION

It always sounded reasonable that to prevent attacks you should protect your perimeter, with endpoint security as just another layer of a defense-in-depth strategy.

But this approach is falling short in a world where targeted attacks increasingly rely on complex techniques: abuse of legitimate software, file-less malware, stolen credentials, legitimate privilege use, and exploitation of security policies and misconfigurations. Endpoint security is ready for a paradigm shift; traditional endpoint security tools have failed us.

Clearly a new approach is needed, as many earnest attempts have not yielded results. Let's examine them:

“The rise of the targeted attack is shredding what is left of the anti-malware market’s stubborn commitment to reactive protection techniques ... it is clear that the industry is failing in its primary goal of keeping malicious code off PCs.” -GARTNER

WHITELISTING

Allow only the programs you absolutely need to run. It sounds simple enough, but in practice it fails in more ways than one.

Whitelisting requires constant care and feeding, because users' requirements change often and they keep asking for additional programs to be allowed.

Coupled with constant software updates that break approved executables, this becomes a management nightmare. Beyond that, allowed programs still have vulnerabilities that can be exploited unabated, and whitelisting can do nothing about it. Attackers can execute code of their choice by manipulating the content handled by allowed applications such as Microsoft Outlook, Word, Excel, PowerPoint and web browsers.

Attackers can introduce arbitrary malicious code and these legitimate applications will execute it for them. Further, a host of legitimate, already-allowed binaries such as cmd.exe and powershell.exe can be used in attacks that whitelisting cannot detect or prevent.

BLUARMOUR FEATURES

  • STOP ZERO-DAY MALWARE & RANSOMWARE from executing on the systems and prevent them from ever gaining a foothold.

  • PREVENT ADVANCED THREATS such as memory injection, process hollowing, Process Doppelgänging, malicious documents and environment-aware attacks.

  • PROTECT LEGACY SYSTEMS using one install package for all Windows versions.

  • NO PRE-REQUISITES or dependencies, resulting in quick deployment without a restart. Zero interference with any legitimate application.

  • ZERO MAINTENANCE overhead, as no updates are needed.

  • LOW OPEX cost model keeps the infrastructure secure while keeping your operational costs low.

  • VERY LIGHTWEIGHT: less than 100 KB in memory and less than 10 MB on disk, using less than 1% CPU. Can be deployed on any mission-critical production system without restarting. No impact on runtime performance.

LAYERED DEFENSES

Robust layered defenses (cloud, network and endpoint components) are only effective when the full stack is reachable from the device: the device must be online and have unhindered connectivity to the stack, either through holes punched in the firewalls or through a forced VPN. Neither is always possible, leaving the endpoints unprotected whenever they are offline or off-network.

“True security can only be achieved by reducing the ability of a compromised process to do damage to the host” NATIONAL SECURITY AGENCY (NSA) AND THE CENTRAL SECURITY SERVICE (CSS)

ENDPOINT DETECTION & RESPONSE

Endpoint Detection and Response (EDR) solutions detect attacks after the fact and then try to remediate the damage as quickly as possible. Most of these tools advertise their reliance on machine learning.

Machine learning models are limited to detecting attack patterns resembling those they were trained on; they do little or nothing to prevent truly unknown attacks. Most EDR tools also rely heavily on threat intelligence and services such as VirusTotal to deliver value. This is useful, but it quickly becomes ineffective against unknown threats or the malicious use of legitimate executables.

They also need constant care and feeding and collect very large amounts of data, acting as recorders for all activity on the endpoints. That helps forensic investigations but does little to proactively secure endpoints against threats.

MICRO-VIRTUALIZATION

It would be an omission not to mention micro-virtualization here. Micro-virtualization runs small micro-VMs on the endpoint itself, or in a hosted VM environment, so that potentially malicious content can be opened without infecting the endpoint, i.e. a sandbox.

While a good idea, this approach is not for the faint-hearted and is riddled with problems. Primarily, it addresses only the payload-delivery attack vector; while popular with script kiddies, attackers do not always use email or watering-hole techniques to deliver malicious files. Second, and most importantly, it does nothing about threats already present in the environment. Third, it is blind to most in-memory execution outside the user's control. Last but not least, it is blind to lateral movement in the environment using malicious or legitimate binaries.

With these shortfalls in mind, the market is looking for a smarter approach to protecting endpoints without destroying budgets, killing performance or demanding constant care and feeding.

A NEW APPROACH TO ENDPOINT SECURITY

BluSapphire Endpoint Agent - BLUARMOUR is a lightweight agent for Windows endpoints that is independent of the AV engine installed. Its design allows it to work on air-gapped networks, ICS control system networks and traditional IT environments.

Our patented behavior-based design enables BluArmour to protect endpoints against current and future advanced threats, malware and ransomware without constant updates.

These capabilities are augmented by machine learning and AI models to help STOP threats dead in their tracks.

With its ~100 KB footprint, it easily scales to thousands of systems with negligible performance impact.

Given that modern attacks are targeted and specialize in evading basic defenses, BluArmour arms security teams with a tool to not just detect but prevent these advanced threats.

Apart from Behavior Monitoring BluArmour also provides:

- Process Blocking

- Intelligent Process Behavior Tracking and Blocking

- Exploit Prevention

- In-Memory only Process Execution Blocking

- File-less Malware Prevention

- Ransomware Prevention

- Malware Prevention

- Inoculation™

- Device Control (optional)

Inoculation™

Inoculation proactively protects your endpoints against malware and ransomware execution by creating a virtual armor that prevents active exploitation.

It borrows from the worlds of virtual patching and real-world sleuths and builds on them, altering the attacker's perception of reality. This inhibits the attacker's ability to carry out a successful attack on the victim. The best part is that CEA does not need updates or patches and still continues to protect endpoints.

Since no signature updates are needed, BluArmour remains very lightweight (about 100 KB), quick to install and deploy, and free of management overhead.

BLUARMOUR USE CASE 1

A major manufacturing organization had a tough time battling malware and ransomware. Though only a limited portion of their network was exposed to these attacks, it impacted the high availability required in their plant and operational networks. Traditional endpoint protection tools existed, but the team struggled to keep them patched and up to date. Additionally, endpoint performance was suffering from high CPU utilization, a real concern because most systems in the organization have limited memory and CPU.

This meant the infrastructure team was constantly in rebuild mode, rebuilding systems for end users.

BluArmour solved this security problem for the client. With its light footprint (~100 KB in memory), BluArmour prevents and stops these constant attacks while using less than 1% CPU, so it has almost no impact on the endpoint systems.

The client was able to regain and meet their uptime requirements, saving the expensive hardware refresh and network architecture redesign that alternative solutions would have required.

BLUARMOUR TROUBLESHOOTING

Basic Phase

Step 1:

Open services.msc and check that the BluArmour and BluEvent services are in the Running state.

Step 2:

Open Task Manager and check that the processes BluArmour.exe and BluEvent_Run.exe are present.

Step 3:

Open the BluArmour EndPoint Security console from the Start menu, execute the faulting application, and check the Threat History page for an entry.

Step 4:

Open regedit.exe from the Start menu and navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluArmour

In the right-hand pane, verify the values named update_central, update_status and version_hash (these are values under the service key, not subkeys).

Note:

1: update_central: 1 means communication with the master is established and the whitelist update is working; any other value indicates an error in communication with the master (needs to be reported).

2: update_status: 1 means communication with the master is established and the whitelist update is running periodically; any other value indicates an error in communication with the master (needs to be reported).

3: version_hash: must not be empty; an empty value indicates an error in communication with the master (needs to be reported).

Step 5:

Check the timestamps of the files White_List.txt and spd.txt; the last-write time shows when the whitelist was last updated.
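The following PowerShell script is an added example and is not part of the BluArmour documentation or product. It runs Steps 1, 2, 4 and 5 of the Basic Phase from an elevated prompt and reports PASS/FAIL per check; Step 3 (reproducing in the console and reading the Threat History page) stays manual. Two things are assumptions, because the page states neither: the directory holding White_List.txt and spd.txt, and the one-day threshold after which an update is treated as stale. The working set of each process is reported so the documented ~100 KB footprint can be compared against what the host actually shows.

```powershell
# Added example, not part of the BluArmour documentation. Runs the Basic Phase
# checks (Steps 1, 2, 4, 5) from an elevated PowerShell prompt; Step 3 is manual.
# Assumptions: the whitelist files live in the BluArmour ProgramData folder and
# an update older than one day counts as stale. The page states neither.
$RegPath      = 'HKLM:\SYSTEM\CurrentControlSet\Services\BluArmour'
$WhitelistDir = 'C:\ProgramData\BluArmour'   # assumption, adjust to the real location
$StaleAfter   = (Get-Date).AddDays(-1)       # assumption, no update interval is documented
$Results      = @()

function Add-Result([string]$Check, [bool]$Ok, $Detail) {
    $script:Results += [pscustomobject]@{
        Check  = $Check
        Status = $(if ($Ok) { 'PASS' } else { 'FAIL' })
        Detail = "$Detail"
    }
}

# Step 1: both services must be Running
foreach ($svc in 'BluArmour', 'BluEvent') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    Add-Result "Service $svc" ($null -ne $s -and $s.Status -eq 'Running') $(if ($s) { $s.Status } else { 'not installed' })
}

# Step 2: both processes must exist; the working set is reported so the
# ~100 KB footprint claim can be checked on this host
foreach ($proc in 'BluArmour', 'BluEvent_Run') {
    $p = @(Get-Process -Name $proc -ErrorAction SilentlyContinue)
    $detail = if ($p.Count) { 'PID {0}, working set {1} KB' -f $p[0].Id, [int]($p[0].WorkingSet64 / 1KB) } else { 'not running' }
    Add-Result "Process $proc.exe" ($p.Count -gt 0) $detail
}

# Step 4: update_central, update_status and version_hash are values under the
# service key (not subkeys); 1 / 1 / non-empty means the master link is healthy
$reg = Get-ItemProperty -Path $RegPath -ErrorAction SilentlyContinue
Add-Result 'update_central = 1' ($reg.update_central -eq 1) $reg.update_central
Add-Result 'update_status = 1'  ($reg.update_status  -eq 1) $reg.update_status
Add-Result 'version_hash set'   (-not [string]::IsNullOrEmpty("$($reg.version_hash)")) $reg.version_hash

# Step 5: the last-write time of the whitelist files is the last successful update
foreach ($name in 'White_List.txt', 'spd.txt') {
    $f = Get-Item -Path (Join-Path $WhitelistDir $name) -ErrorAction SilentlyContinue
    Add-Result "File $name fresh" ($null -ne $f -and $f.LastWriteTime -ge $StaleAfter) $(if ($f) { $f.LastWriteTime } else { 'not found' })
}

$Results | Format-Table -AutoSize
```

Any FAIL in the registry or file rows points at the master communication problem the notes above describe and should be reported; a FAIL in the service or process rows means the agent is not running at all, which should be fixed before moving on to the Advanced Phase.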

Advanced Phase

The previous section covers the basic steps for verifying the status of a BluArmour instance. In this stage of information gathering, follow the steps below to collect the required data (logs), which is then forwarded to the person concerned.

Step 1:

Open regedit.exe from the Start menu and navigate to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BluArmour

Create a DWORD value named Debug and set it to 1. This enables BluArmour to log data to "C:\ProgramData\BluArmour\Logs".

Step 2: Note the full path of the target executable and the name of the process.

Step 3: Run a debug output viewer such as Sysinternals DebugView as administrator and select Capture Global Win32 in the Capture menu.

Step 4: Open the BluArmour EndPoint Security console.

Step 5: Open Event Viewer from the Start menu, expand Windows Logs, select Application and clear the existing log.

Step 6: Run the target application 2 to 3 times.

Step 7: Collect the PID of the target process from the Threat History page. Go to the "C:\ProgramData\BluArmour\Logs" folder and collect the logs for that PID.

Step 8: Open Event Viewer from the Start menu, expand Windows Logs, select Application and save the log to a *.evtx file.
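The script below is an added example, not BluArmour's own tooling, that automates the Advanced Phase collection from an elevated PowerShell prompt so the bundle handed to support is consistent from host to host. Steps 3 and 4 (DebugView capture and opening the console) remain manual and the script pauses for them. It assumes the target executable path is supplied as -TargetExe, and, because the page only says to "collect logs with that PID", it picks up both debug log files whose names contain one of the recorded PIDs and any file written to the log folder during the reproduction window. The reminder to turn Debug back off afterwards is this editor's recommendation, not something the page states.

```powershell
# Added example, not part of the BluArmour documentation. Automates the
# Advanced Phase collection; run from an elevated PowerShell prompt.
# Assumptions: the target executable path is passed as -TargetExe, and debug
# log file names contain the PID (the page only says "collect logs with that PID"),
# so files modified during the reproduction window are collected as well.
param(
    [Parameter(Mandatory)] [string] $TargetExe,          # Step 2: full path of the faulting program
    [int]    $Runs   = 3,                                # Step 6: run it 2 to 3 times
    [string] $OutDir = "$env:TEMP\BluArmour-Collect"     # where the bundle for support is written
)

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\BluArmour'
$LogDir  = 'C:\ProgramData\BluArmour\Logs'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Step 1: a DWORD value named Debug set to 1 turns on file logging to $LogDir
Set-ItemProperty -Path $RegPath -Name 'Debug' -Value 1 -Type DWord
Get-ItemProperty -Path $RegPath | Out-File (Join-Path $OutDir 'registry.txt')   # also snapshots update_* values

# Steps 3 and 4 are manual
Write-Host 'Start DebugView as administrator (Capture > Capture Global Win32) and open the BluArmour EndPoint Security console.'
Read-Host 'Press Enter to continue'

# Step 5: clear the Application log so the export holds only this reproduction
wevtutil.exe cl Application

# Step 6: reproduce, recording each PID; if the agent blocks the launch,
# Start-Process may fail, which is itself worth recording for support
$start = Get-Date
$targetPids = @()
for ($i = 1; $i -le $Runs; $i++) {
    try {
        $p = Start-Process -FilePath $TargetExe -PassThru -ErrorAction Stop
        $targetPids += $p.Id
        Start-Sleep -Seconds 5
        if (-not $p.HasExited) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    } catch {
        $msg = "Run ${i}: launch failed: $($_.Exception.Message)"
        Write-Warning $msg
        Add-Content -Path (Join-Path $OutDir 'launch.txt') -Value $msg
    }
}
Set-Content -Path (Join-Path $OutDir 'pids.txt') -Value "Target PIDs: $($targetPids -join ', ')"

# Step 7: collect debug logs that name one of the PIDs or were written during the run
Get-ChildItem -Path $LogDir -File -ErrorAction SilentlyContinue |
    Where-Object {
        $name = $_.Name
        ($targetPids | Where-Object { $name -match "\b$_\b" }) -or $_.LastWriteTime -ge $start
    } |
    Copy-Item -Destination $OutDir

# Step 8: export the Application log to .evtx
wevtutil.exe epl Application "$OutDir\Application.evtx"

Write-Host "Collected to $OutDir. Set Debug back to 0 when finished (editor's recommendation: avoids unbounded log growth)."
```

Cross-check the PIDs written to pids.txt against the Threat History page before sending the bundle; if the console shows a different PID (for example a child process the target spawned), copy that process's log file from the log folder as well.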

Important note: BluArmour installs on all versions of Windows, but Microsoft no longer supports Windows Server 2008, 2012 and 2012 R2 or Windows 7 and has stopped signing drivers for these out-of-support operating systems. Support for BluArmour on these platforms is therefore limited.

Last updated 8 months ago
