Watchguard Host Sensor User guide

Brand: Watchguard

Model: Host Sensor

Type: User guide

Watchguard Host Sensor is a powerful tool for detecting and preventing advanced threats on your network. It continuously monitors your system for suspicious activity and provides automated countermeasures to contain and eliminate threats. With features like Host Ransomware Prevention, Host Surveys, and integration with Watchguard's HawkEye G platform, the Host Sensor offers comprehensive protection against sophisticated attacks.

HostSensor,Release4.0.1

HawkEye G Team ([email protected])

Release 4.0.1

This document is for informational purposes only. WatchGuard makes no

warranties, expressed or implied, as to the information in this document. The name

of any companies and products referenced may represent trademarks that are

herein property of their respective owners.

RevisionHistory

Date Version Description

2/2/2017 4.0.1 (rev-7)



Added information about how to stop and start the

host sensor service

7/12/2016 4.0.1 (rev-6)



Updated for release 4.0.1

 Screenshot updates

 Manual Install Documentation updates

 Added Host Ransomware Prevention

 Added ESM capabilities

3/08/2016 4.0 (rev-5)



Updated for release 4.0

11/30/2015

3.2 (rev-4)



Create Devices when Unknown hosts heartbeat.

 Host sensor window now opens with “Installed”

selected. It can always be unselected by the

user.

 Removed the Beta designation for the Linux host

sensor.

10/9/2015 3.1 (rev-3)



Changed installation instructions.

10/7/15 3.1.1 (rev-2)



Added an additional step to the installation

instructions.

9/14/2015 3.1.1 (rev-1)



No changes for 3.1.1

8/31/2015 3.1 (rev-0)



Updated some screen captures.

 Added Beta version Host Sensor support for

Linux.

 Added survey results actions to include Kill

Process, Quarantine File and/or Process, and

Delete Registry Value based on policy.



TableofContents

1. HawkEyeG 6

1.1 Introduction 6

1.2 WhatisHawkEyeG? 6

1.2.1 Features 6

1.2.2 OperationalPrinciples 7

2. HostSensorDescription 8

2.1 TaskingoftheHostSensor 8

2.2 DataReportedtoHostSensorManager 8

2.2.1 Startup 8

2.2.2 EventMonitoring 9

2.2.3 HostRansomwarePrevention 9

2.2.4 HostSurveys 9

2.2.5 HostPowerDown 10

2.2.6 HostHibernate 10

2.2.7 HostRestart 10

2.3 HostSensorActions 10

2.3.1 KillProcess 10

2.3.2 QuarantineFile 10

2.3.3 DeleteRegistryValue 11

2.3.4 HostRansomwareActions 11

2.3.5 WhitelistandExclusionList 11

2.3.5.1 Whitelist 12

2.3.5.2 Exclusions 15

3. DetailedParameters 17

3.1 DeployingHostSensor 17

3.2 DeployingtheHostSensorManually 20

3.2.1 ManuallyDownloadHostSensor 20

3.2.1.1 ManuallyDownloadHostSensorfromDevices/Hosts 21

3.2.1.2 ManuallyDownloadHostSensorfromConfiguration/HostSensor 22

3.2.2 ManualHostSensorDeployment–MicrosoftWindows 23

3.2.3 ManualHostSensorDeployment–RedHatLinux 23

3.2.4 ExtraOptions 24

3.2.4.1 ESMInstallationOption 24

3.2.5 StopandRestarttheHostSensorService 25

3.3 NetworkRequirements 25

3.3.1 CommunicationPorts 25

3.4 SystemLoad 25

3.5 HostSensorFilesandDefaultDirectories 25

3.6 SupportedOperatingSystems 27

4. Troubleshooting 28



ListofFigures

Figure 1: HawkEye G Component Diagram .................................................................................. 7

Figure 2: Whitelist screen ........................................................................................................... 12

Figure 3: Whitelist – Filter by Source .......................................................................................... 12

Figure 4: Add Mitigation Whitelist ............................................................................................... 13

Figure 5: Whitelist detail example ............................................................................................... 13

Figure 6: Mitigation Whitelist “Inspect” menu .............................................................................. 13

Figure 7: Edit Mitigation Whitelist screen .................................................................................... 14

Figure 8: Remove Mitigation Whitelist confirmation dialog ......................................................... 14

Figure 9: Exclusion screen .......................................................................................................... 15

Figure 10: Add Exclusion item .................................................................................................... 15

Figure 11: Exclusion detail example ........................................................................................... 16

Figure 12: Exclusion “Inspect” menu .......................................................................................... 1 6 

Figure 13: Remove Exclusion confirmation dialog ...................................................................... 16

Figure 14: Hosts Default Window ............................................................................................... 17

Figure 15: Device Synced confirmation ...................................................................................... 17

Figure 16: Hosts View Pane with “th-win” Search filter applied .................................................. 18

Figure 17: Install Host Sensor example ...................................................................................... 19

Figure 18: Remove Host Sensor example .................................................................................. 19

Figure 19: Multiple Device Host Sensor example ....................................................................... 20

Figure 20: Hosts Default Window ............................................................................................... 21

Figure 21: Host Sensor Download window ................................................................................. 21

Figure 22: Host Sensor Configuration ......................................................................................... 2 2 

Figure 23: Host Sensor Installation Instructions Information window.......................................... 22

Figure 24: Server Supported Operating Systems ....................................................................... 27

Figure 25: Workstation Supported Operating Systems ............................................................... 27

1. HawkEyeG

1.1 Introduction

HawkEye G began based on the need for commercial entities to be able to defend and protect

against malicious code and sophisticated adversaries, such as Advanced Persistent Threats

(APTs), within their enterprise environment. Hexis Cyber Solutions, Inc., via partnership and

relationships, discovered that numerous commercial entities were at a disadvantage for

protecting themselves against sophisticated adversaries. Unlike their government counterparts,

these commercial entities lacked the threat knowledge, personnel, training, and equipment to

successfully deal with these advanced persistent threats. Additionally, these commercial

corporations lacked the large budgets often guaranteed to government agencies.

HawkEye G was designed as a proactive cyber defense solution that acts as a rapid detection

and containment solution. HawkEye G is a force multiplier and automates the incident response

actions of numerous personnel via controlled countermeasures. HawkEye G was designed to

be flexible by incorporating and leveraging the common and existing security technologies of

many organizations.

1.2 WhatisHawkEyeG?

HawkEye G is Hexis Cyber Solutions’ commercial network security solution founded on over 10

years of offensive security experience. HawkEye G attempts to minimize the consequences of

data breaches and penetrations through early detection and automated remediation of

advanced persistent threats.

1.2.1 Features

Hawkeye G features include:

 Deep packet inspection via Hexis’ Network Sensor device

 Log collection and correlation via Hexis’ Event Data Warehouse (EDW)

 Botnet traffic trapping

 Automated and manual countermeasures

 Host interrogation for malicious indicators with persistent Host Sensors

 Advanced analytics

 Centrally managed and highly scalable distributions

1.2.2 OperationalPrinciples

HawkEye G secures an enterprise by leveraging a customer’s existing network and

management assets and by adding components such as the HawkEye G Network Sensor

(HGNS) within the network that provides for IP redirection and DNS injection. Thus, HawkEye

G was designed to be flexible enough to integrate into common infrastructure devices and

networks.

Most of the components of HawkEye G reside within their own private network that is

completely isolated from the customer’s network. The component diagram in Figure 1 depicts a

typical deployment of HawkEye G. Supported Host Sensor operating systems are listed in

Section 3.6.

Figure 1: HawkEye G Component Diagram

2. HostSensorDescription

This section provides a detailed description of the HawkEye G Host Sensor.

2.1 TaskingoftheHostSensor

The Host Sensor’s purpose is to collect forensic data from the host and report it back to the

Host Sensor Manager (HSM). Forensic data includes information related to files, processes,

network connections, and registry keys present on the host.

2.2 DataReportedtoHostSensorManager

2.2.1 Startup

On machine startup, or upon initial installation, the Host Sensor begins communicating with the

Host Sensor Manager. Its first task is to collect a Baseline set of information from the host,

including:

 A list of Registry keys and values present on the host within a limited set of locations

commonly used to provide malware persistence

 A list of files present on the host within a limited set of directories commonly used by

malware to drop payloads

 A list of all network connections to and from the host

 A list of all processes executing on the host

 A set of system information pertaining to the host, such as OS version and network adapter

addresses

This information is collected by the Host Sensor and, once complete, reported to the Host

Sensor Manager as part of its regular heartbeat cycle. The Host Sensor sends heartbeats to the

HSM once every 30 seconds while active.



2.2.2 EventMonitoring

After gathering a Baseline, the Host Sensor begins monitoring the host for changes in real time

and reports them to the HSM as part of its regular heartbeat cycle. The Host Sensor will monitor

and report on:

 Creation and deletion events for executable files

 Process execution and termination events

 Changes to the registry within the baseline locations

 Changes to the host configuration such as network adapter addresses

HawkEye G has the ability to halt Event Monitoring on the Host Sensor. Contact the HSOC for

help with this function.

2.2.3 HostRansomwarePrevention

The 4.0.1 release introduces the functionality to detect and prevent ransomware with the Host

Sensor. A Hawkeye G system has three configuration options available to an Administrator:

OFF

Completely turn the feature off

DETECT

Note processes and files that exhibit malicious behavior and report them to the

user interface for manual intervention

NOTE: "DETECT" can still leave the machine vulnerable to these threats, since

it may be too late to manually intervene

PREVENT

"DETECT" and then kill processes and quarantine files automatically

When in DETECT or PREVENT modes, the Host Sensor will report any ransomware events to

the Host Sensor Manager so they can be displayed in the user interface.

NOTE: Host Ransomware Prevention will only work if Event Monitoring (Section 2.2.2) is on. In

addition, it is strongly recommended that event monitoring be conducted in Driver mode.

Contact the HSOC for help with this function.

2.2.4 HostSurveys

In addition to monitoring for real-time events, the Host Sensor can respond to direct requests for

information from the HSM. These requests include:

 A list of Registry keys and values present on the host within a specified set of locations

 A list of files present on the host within a specified set of directories

 A list of all network connections to/from the host

 A list of all processes executing on the host

The results of these requests are reported to the HSM as part of the Host Sensor’s regular

heartbeat cycle.

2.2.5 HostPowerDown

When the host powers down, the Host Sensor sends a message to the HSM communicating

that it is shutting down and it then proceeds to terminate.

2.2.6 HostHibernate

When a device goes into hibernation, the Host Sensor effectively also goes into hibernation. It

will no longer respond to requests or heartbeat to HSM.

2.2.7 HostRestart

When the device restarts, it goes through the same process as described in Section 2.2.1-

Startup on page 8.

2.3 HostSensorActions

The following sections describe the actions taken by the Host Sensor when commanded by the

HSM.

2.3.1 KillProcess

When a potentially destructive process is detected, the Host Sensor can kill the process if

allowed by policy.

2.3.2 QuarantineFile

When a potentially destructive process or file is detected, the Host Sensor can quarantine the

file. If allowed by policy, the Host Sensor will also kill any processes that have the file open.

Note: Any antivirus (AV) program(s) installed on the host will require that they are set up to

exclude the HawkEye G quarantine folder:

%PROGRAMFILES%\Hexis Cyber Solutions\Hawkeye G Host Sensor\quarantine

This will avoid interference of the antivirus program and HawkEye G both trying to quarantine a

file.

2.3.3 DeleteRegistryValue

When a potentially destructive Registry value is detected, the Host Sensor can delete it if

allowed by policy.

2.3.4 HostRansomwareActions

If a Hawkeye G system is configured to be in PREVENT mode for host ransomware (see

Section 2.2.3), the Host Sensor will automatically kill processes and quarantine files that exhibit

characteristics of ransomware. These actions will occur automatically and then will be reported

to the Host Sensor Manager since these types of threats can require immediate action to protect

the end host.

These actions will be reported to the user interface and displayed so that Operators can see

what occurred.

2.3.5 WhitelistandExclusionList

Exceptions to the Threat List can be modified by the Operator in either a Whitelist or Exclusion

list. The difference between a Whitelist and Exclusion is defined as:

 Whitelist—The Host Sensor sends the event even for whitelisted files/processes to the

HawkEye G Manager. The heuristics process then identifies them as whitelisted and does

not list them as an incident or indicator.

 Exclusion—The Host Sensor ignores exclusion manually identified paths for files and/or

processes and does not send events to the HawkEye G Manager.



2.3.5.1 Whitelist

HawkEye G provides a Whitelist in order to prevent certain executables and processes from

ever being mitigated (killed and/or quarantined) by HawkEye G. The Mitigation Whitelist can

be accessed from the menu by selecting ThreatSync > Whitelist.

Figure 2: Whitelist screen

New mitigation exceptions can be added manually from this page or can be “learned” by

undoing a mitigation (for example, unquarantining a file) or by selecting Adding to the

Whitelist from the Incidents Machine Guided Actions page. Therefore, the filtering buttons

allow this page to be filtered by User, Learned, NIST, or Hexis, as shown in Figure 3.

Figure 3: Whitelist – Filter by Source

To manually add a Mitigation Whitelist entry, click the Add Mitigation Whitelist button, which

presents the screen shown in Figure 4. Mitigation exceptions can be specified either by MD5

hash or absolute path.

Figure 4: Add Mitigation Whitelist

The user can view the details of a Whitelist item by clicking its Expand button, which will

expand the window as shown in Figure 5.

Figure 5: Whitelist detail example

While viewing the Mitigation Whitelist, the user can click the Actions button next to the

desired Whitelist item and select either Edit Mitigation Whitelist (this option is available ONLY

to User added items) or Remove Mitigation Whitelist.

Figure 6: Mitigation Whitelist “Inspect” menu

Selecting Edit Mitigation Whitelist provides a screen to edit the Whitelist entry fields as shown

in Figure 7. Changes made while viewing this screen can be persisted by clicking the Save &

Close button or rejected by clicking Cancel.

Figure 7: Edit Mitigation Whitelist screen

Selecting Remove Mitigation Whitelist presents a confirmation dialog as shown in Figure 8.

An MD5 that has been removed is automatically re-added to the Threat List.

Figure 8: Remove Mitigation Whitelist confirmation dialog



2.3.5.2 Exclusions

HawkEye G provides an Exclusions list for directories to be excluded from events being sent

by the Host Sensor. The Exclusions list can be accessed from the menu by selecting

ThreatSync > Exclusion.

Figure 9: Exclusion screen

To manually add an Exclusion entry:

1. Click the Add Exclusion button.

2. Enter any mitigation exceptions in the Path field.

3. To include or exclude sub-folders to this exclusion item, set the Also exclude subfolders

option appropriately.

4. Under Entities to exclude, select Files and Processes, Files only, or Processes only.

5. Enter an optional Description if desired.

Figure 10: Add Exclusion item

The user can view the details of an Exclusion item by clicking the Expand button to the left

of the desired item, which will expand the window as shown in Figure 11. The user can modify

the details and then select Save & Close.

Figure 11: Exclusion detail example

While viewing the Exclusion list, the user can click the Actions button next to the desired

item and then click Remove Exclusion.

Figure 12: Exclusion “Inspect” menu

A confirmation dialog for the deletion is displayed.

Figure 13: Remove Exclusion confirmation dialog

3. DetailedParameters

3.1 DeployingHostSensor

HawkEye G Host Sensor can be deployed by the Operator using the User Interface as

described here. A Device is defined as a computer or controller on the HawkEye G monitored

network. A Host is a device on the HawkEye G monitored network that has a Host Sensor

installed on it. HawkEye G will directly leverage the Windows Active Directory Infrastructure.

Once a Domain has been entered and credentials have been specified for the Administrator

account of that Domain, HawkEye G will regularly poll from the Active Directory a listing of the

User, Machine, and Service accounts in the Active Directory database (ntdis.dit) and use this

information to populate the Devices and Accounts sections.

The default Hosts window is shown in Figure 14. The Host sensor window opens with

Installed selected. It can always be deselected by the user. The display in the view pane is not

dynamic but a static view of the Hosts at the date/time indicated on the top right. The date and

time are updated when the screen is loaded (selected from the navigation buttons on the left) or

when the Refresh Now button is clicked. The banner shown in Figure 15 will also briefly appear

when the refresh has completed.

Figure 14: Hosts Default Window

Figure 15: Device Synced confirmation

The Hosts section displays the inventory of all the devices that have been added to the

HawkEye G inventory, as shown in Figure 14. It will display the hostname/IP address, the type

of device, Sensor status, and additional details regarding the device. Devices must first be

specified in the Hosts section before they will be auto-populated in other areas of HawkEye G.

HawkEye G also utilizes a Dynamic IP Sensor to perform periodic DNS lookups of a host’s

FQDN to verify its current IP address. Notice that hosts that do not have DNS entries or an

unknown IP address are shown with a by the name.

Host Sensors are deployed to protected Windows hosts by the Host Sensor Manager (HSM),

and enable HawkEye G to monitor host events, to retrieve host details through Surveys, and

perform protective actions and mitigations upon the host based on user-set policies. Host

Sensors can be deployed and removed collectively or individually from the User Interface and

can be managed via Active Directory or HawkEye G groups. The status of the devices can be

observed in the Hosts view pane at the right of each Host and is defined as:

 Installed and Operational ( )

 Installed and in a Trouble state or Shutdown ( )

 Installed and Unavailable or error installing the host sensor ()

 Shutdown - unavailable because of a normal shutdown/restart ( )

The devices are shown in Figure 16 with the “th-win” search filter applied. The protected

devices with Host Sensors installed display the version in the Sensor Version column.

Figure 16: Hosts View Pane with “th-win” Search filter applied

The user can attempt to install the Host Sensor on a Windows device by clicking the button

for the selected Host Sensor in the Installation State column of the Hosts view pane, as shown

in Figure 17. The user can hold the mouse pointer over the button and a pop-up box with the

details of the status will appear.

An installed sensor can be removed by clicking the button for the selected Host Sensor in

the Installation State column of Hosts view pane as shown in Figure 18.

Figure 17: Install Host Sensor example

Figure 18: Remove Host Sensor example

Page is loading ...

Watchguard Host Sensor User guide

Watchguard Host Sensor User guide

Watchguard Host Sensor User guide

Related papers

Other documents