WatchGuard Host Sensor User Guide

Host Sensor, Release 4.0.1
HawkEye G Team ([email protected])
Release 4.0.1
Copyright © WatchGuard Technologies 2017. All rights reserved.
This document is for informational purposes only. WatchGuard makes no
warranties, expressed or implied, as to the information in this document. The name
of any companies and products referenced may represent trademarks that are
herein property of their respective owners.
Revision History

Date       | Version       | Description
2/2/2017   | 4.0.1 (rev-7) | Added information about how to stop and start the host sensor service
7/12/2016  | 4.0.1 (rev-6) | Updated for release 4.0.1. Screenshot updates. Manual Install Documentation updates. Added Host Ransomware Prevention. Added ESM capabilities
3/08/2016  | 4.0 (rev-5)   | Updated for release 4.0
11/30/2015 | 3.2 (rev-4)   | Create Devices when Unknown hosts heartbeat. Host sensor window now opens with “Installed” selected; it can always be unselected by the user. Removed the Beta designation for the Linux host sensor.
10/9/2015  | 3.1 (rev-3)   | Changed installation instructions.
10/7/15    | 3.1.1 (rev-2) | Added an additional step to the installation instructions.
9/14/2015  | 3.1.1 (rev-1) | No changes for 3.1.1
8/31/2015  | 3.1 (rev-0)   | Updated some screen captures. Added Beta version Host Sensor support for Linux. Added survey results actions to include Kill Process, Quarantine File and/or Process, and Delete Registry Value based on policy.
Table of Contents
1. HawkEye G 6
1.1 Introduction 6
1.2 What is HawkEye G? 6
1.2.1 Features 6
1.2.2 Operational Principles 7
2. Host Sensor Description 8
2.1 Tasking of the Host Sensor 8
2.2 Data Reported to Host Sensor Manager 8
2.2.1 Startup 8
2.2.2 Event Monitoring 9
2.2.3 Host Ransomware Prevention 9
2.2.4 Host Surveys 9
2.2.5 Host Power Down 10
2.2.6 Host Hibernate 10
2.2.7 Host Restart 10
2.3 Host Sensor Actions 10
2.3.1 Kill Process 10
2.3.2 Quarantine File 10
2.3.3 Delete Registry Value 11
2.3.4 Host Ransomware Actions 11
2.3.5 Whitelist and Exclusion List 11
2.3.5.1 Whitelist 12
2.3.5.2 Exclusions 15
3. Detailed Parameters 17
3.1 Deploying Host Sensor 17
3.2 Deploying the Host Sensor Manually 20
3.2.1 Manually Download Host Sensor 20
3.2.1.1 Manually Download Host Sensor from Devices/Hosts 21
3.2.1.2 Manually Download Host Sensor from Configuration/Host Sensor 22
3.2.2 Manual Host Sensor Deployment – Microsoft Windows 23
3.2.3 Manual Host Sensor Deployment – Red Hat Linux 23
3.2.4 Extra Options 24
3.2.4.1 ESM Installation Option 24
3.2.5 Stop and Restart the Host Sensor Service 25
3.3 Network Requirements 25
3.3.1 Communication Ports 25
3.4 System Load 25
3.5 Host Sensor Files and Default Directories 25
3.6 Supported Operating Systems 27
4. Troubleshooting 28

List of Figures
Figure 1: HawkEye G Component Diagram .................................................................................. 7
Figure 2: Whitelist screen ........................................................................................................... 12
Figure 3: Whitelist – Filter by Source .......................................................................................... 12
Figure 4: Add Mitigation Whitelist ............................................................................................... 13
Figure 5: Whitelist detail example ............................................................................................... 13
Figure 6: Mitigation Whitelist “Inspect” menu .............................................................................. 13
Figure 7: Edit Mitigation Whitelist screen .................................................................................... 14
Figure 8: Remove Mitigation Whitelist confirmation dialog ......................................................... 14
Figure 9: Exclusion screen .......................................................................................................... 15
Figure 10: Add Exclusion item .................................................................................................... 15
Figure 11: Exclusion detail example ........................................................................................... 16
Figure 12: Exclusion “Inspect” menu .......................................................... 16
Figure 13: Remove Exclusion confirmation dialog ...................................................................... 16
Figure 14: Hosts Default Window ............................................................................................... 17
Figure 15: Device Synced confirmation ...................................................................................... 17
Figure 16: Hosts View Pane with “th-win” Search filter applied .................................................. 18
Figure 17: Install Host Sensor example ...................................................................................... 19
Figure 18: Remove Host Sensor example .................................................................................. 19
Figure 19: Multiple Device Host Sensor example ....................................................................... 20
Figure 20: Hosts Default Window ............................................................................................... 21
Figure 21: Host Sensor Download window ................................................................................. 21
Figure 22: Host Sensor Configuration ......................................................................................... 22
Figure 23: Host Sensor Installation Instructions Information window.......................................... 22
Figure 24: Server Supported Operating Systems ....................................................................... 27
Figure 25: Workstation Supported Operating Systems ............................................................... 27
1. HawkEye G
1.1 Introduction
HawkEye G began based on the need for commercial entities to be able to defend and protect
against malicious code and sophisticated adversaries, such as Advanced Persistent Threats
(APTs), within their enterprise environment. Hexis Cyber Solutions, Inc., via partnership and
relationships, discovered that numerous commercial entities were at a disadvantage for
protecting themselves against sophisticated adversaries. Unlike their government counterparts,
these commercial entities lacked the threat knowledge, personnel, training, and equipment to
successfully deal with these advanced persistent threats. Additionally, these commercial
corporations lacked the large budgets often guaranteed to government agencies.
HawkEye G was designed as a proactive cyber defense solution that acts as a rapid detection
and containment solution. HawkEye G is a force multiplier and automates the incident response
actions of numerous personnel via controlled countermeasures. HawkEye G was designed to
be flexible by incorporating and leveraging the common and existing security technologies of
many organizations.
1.2 What is HawkEye G?
HawkEye G is Hexis Cyber Solutions’ commercial network security solution founded on over 10
years of offensive security experience. HawkEye G attempts to minimize the consequences of
data breaches and penetrations through early detection and automated remediation of
advanced persistent threats.
1.2.1 Features
HawkEye G features include:
• Deep packet inspection via Hexis’ Network Sensor device
• Log collection and correlation via Hexis’ Event Data Warehouse (EDW)
• Botnet traffic trapping
• Automated and manual countermeasures
• Host interrogation for malicious indicators with persistent Host Sensors
• Advanced analytics
• Centrally managed and highly scalable distributions
1.2.2 Operational Principles
HawkEye G secures an enterprise by leveraging a customer’s existing network and
management assets and by adding components such as the HawkEye G Network Sensor
(HGNS) within the network that provides for IP redirection and DNS injection. Thus, HawkEye
G was designed to be flexible enough to integrate into common infrastructure devices and
networks.
Most of the components of HawkEye G reside within their own private network that is
completely isolated from the customer’s network. The component diagram in Figure 1 depicts a
typical deployment of HawkEye G. Supported Host Sensor operating systems are listed in
Section 3.6.
Figure 1: HawkEye G Component Diagram
2. Host Sensor Description
This section provides a detailed description of the HawkEye G Host Sensor.
2.1 Tasking of the Host Sensor
The Host Sensor’s purpose is to collect forensic data from the host and report it back to the
Host Sensor Manager (HSM). Forensic data includes information related to files, processes,
network connections, and registry keys present on the host.
2.2 Data Reported to Host Sensor Manager
2.2.1 Startup
On machine startup, or upon initial installation, the Host Sensor begins communicating with the
Host Sensor Manager. Its first task is to collect a Baseline set of information from the host,
including:
• A list of Registry keys and values present on the host within a limited set of locations commonly used to provide malware persistence
• A list of files present on the host within a limited set of directories commonly used by malware to drop payloads
• A list of all network connections to and from the host
• A list of all processes executing on the host
• A set of system information pertaining to the host, such as OS version and network adapter addresses
This information is collected by the Host Sensor and, once complete, reported to the Host
Sensor Manager as part of its regular heartbeat cycle. The Host Sensor sends heartbeats to the
HSM once every 30 seconds while active.
2.2.2 Event Monitoring
After gathering a Baseline, the Host Sensor begins monitoring the host for changes in real time
and reports them to the HSM as part of its regular heartbeat cycle. The Host Sensor will monitor
and report on:
• Creation and deletion events for executable files
• Process execution and termination events
• Changes to the registry within the baseline locations
• Changes to the host configuration such as network adapter addresses
HawkEye G has the ability to halt Event Monitoring on the Host Sensor. Contact the HSOC for
help with this function.
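The baseline-then-monitor cycle of Sections 2.2.1 and 2.2.2 amounts to collecting a snapshot at startup and then reporting the differences between that snapshot and the host's current state. The Python below is an added example written for this guide, not HawkEye G or WatchGuard code: the snapshot structure, the two registry locations treated as "persistence locations", the file suffixes treated as executable, and both sample snapshots are constructed for illustration, and the real sensor collects considerably more (network connections, for instance) than is shown here.

```python
"""Baseline-then-diff host monitoring (added illustration; not HawkEye G
code). Two constructed snapshots stand in for what a sensor collects at
startup and later; the diff yields the event types Section 2.2.2 lists."""
from dataclasses import dataclass

# Hypothetical watched registry locations (the guide only says "a limited set
# of locations commonly used to provide malware persistence").
PERSISTENCE_LOCATIONS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys")  # assumed definition of "executable"


@dataclass(frozen=True)
class Snapshot:
    registry: dict     # value path -> data, for values under watched locations
    files: frozenset   # absolute paths of files in the watched drop directories
    processes: dict    # pid -> image path
    adapters: dict     # adapter name -> IP address (host configuration)


def in_baseline_location(value_path):
    """True if a registry value lives under one of the watched locations."""
    lowered = value_path.lower()
    return any(lowered.startswith(loc.lower() + "\\") for loc in PERSISTENCE_LOCATIONS)


def diff_snapshots(baseline, current):
    """Return (event_type, detail) tuples; this is what would ride along in
    the next heartbeat to the Host Sensor Manager."""
    events = []
    # Creation and deletion events for executable files only
    for path in sorted(current.files - baseline.files):
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            events.append(("file_created", path))
    for path in sorted(baseline.files - current.files):
        if path.lower().endswith(EXECUTABLE_SUFFIXES):
            events.append(("file_deleted", path))
    # Process execution and termination, keyed by pid
    for pid in sorted(set(current.processes) - set(baseline.processes)):
        events.append(("process_started", f"{pid} {current.processes[pid]}"))
    for pid in sorted(set(baseline.processes) - set(current.processes)):
        events.append(("process_terminated", f"{pid} {baseline.processes[pid]}"))
    # Registry changes, but only within the baseline locations
    for key in sorted(set(baseline.registry) | set(current.registry)):
        if not in_baseline_location(key):
            continue
        old, new = baseline.registry.get(key), current.registry.get(key)
        if old != new:
            events.append(("registry_changed", f"{key}: {old!r} -> {new!r}"))
    # Host configuration changes such as adapter addresses
    for name in sorted(set(baseline.adapters) | set(current.adapters)):
        old, new = baseline.adapters.get(name), current.adapters.get(name)
        if old != new:
            events.append(("host_config_changed", f"{name}: {old} -> {new}"))
    return events


# Constructed sample snapshots (not real host data)
RUN_KEY_HKLM = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_KEY_HKCU = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
BASELINE = Snapshot(
    registry={RUN_KEY_HKLM + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    files=frozenset({r"C:\Users\Public\readme.txt"}),
    processes={4: "System", 812: r"C:\Windows\explorer.exe"},
    adapters={"Ethernet": "10.0.0.5"},
)
CURRENT = Snapshot(
    registry={
        RUN_KEY_HKLM + r"\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        RUN_KEY_HKCU + r"\Updater": r"C:\Users\Public\updater.exe",  # new persistence value
        r"HKLM\SOFTWARE\Vendor\Setting": "1",                         # outside watched locations: ignored
    },
    files=frozenset({r"C:\Users\Public\readme.txt", r"C:\Users\Public\updater.exe", r"C:\Users\Public\notes.txt"}),
    processes={4: "System", 2201: r"C:\Users\Public\updater.exe"},     # explorer gone, updater running
    adapters={"Ethernet": "10.0.0.5"},
)


def demo():
    return diff_snapshots(BASELINE, CURRENT)


if __name__ == "__main__":
    for kind, detail in demo():
        print(kind, detail)
```

Two details matter for a reviewer of such logic: a non-executable file (notes.txt) and a registry value outside the watched locations produce no event, which is the behaviour the guide describes, and the diff against an identical snapshot is empty, so a quiet host costs nothing beyond the heartbeat itself.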
2.2.3 Host Ransomware Prevention
The 4.0.1 release introduces the functionality to detect and prevent ransomware with the Host
Sensor. A Hawkeye G system has three configuration options available to an Administrator:
• OFF: Completely turn the feature off.
• DETECT: Note processes and files that exhibit malicious behavior and report them to the user interface for manual intervention. NOTE: "DETECT" can still leave the machine vulnerable to these threats, since it may be too late to manually intervene.
• PREVENT: "DETECT" and then kill processes and quarantine files automatically.
When in DETECT or PREVENT modes, the Host Sensor will report any ransomware events to
the Host Sensor Manager so they can be displayed in the user interface.
NOTE: Host Ransomware Prevention will only work if Event Monitoring (Section 2.2.2) is on. In
addition, it is strongly recommended that event monitoring be conducted in Driver mode.
Contact the HSOC for help with this function.
2.2.4 Host Surveys
In addition to monitoring for real-time events, the Host Sensor can respond to direct requests for
information from the HSM. These requests include:
• A list of Registry keys and values present on the host within a specified set of locations
• A list of files present on the host within a specified set of directories
• A list of all network connections to/from the host
• A list of all processes executing on the host
The results of these requests are reported to the HSM as part of the Host Sensor’s regular
heartbeat cycle.
2.2.5 Host Power Down
When the host powers down, the Host Sensor sends a message to the HSM communicating
that it is shutting down and it then proceeds to terminate.
2.2.6 Host Hibernate
When a device goes into hibernation, the Host Sensor effectively also goes into hibernation. It
will no longer respond to requests or heartbeat to HSM.
2.2.7 Host Restart
When the device restarts, it goes through the same process as described in Section 2.2.1 (Startup) on page 8.
2.3 Host Sensor Actions
The following sections describe the actions taken by the Host Sensor when commanded by the
HSM.
2.3.1 Kill Process
When a potentially destructive process is detected, the Host Sensor can kill the process if
allowed by policy.
2.3.2 Quarantine File
When a potentially destructive process or file is detected, the Host Sensor can quarantine the
file. If allowed by policy, the Host Sensor will also kill any processes that have the file open.
Note: Any antivirus (AV) program installed on the host must be configured to exclude the HawkEye G quarantine folder:
%PROGRAMFILES%\Hexis Cyber Solutions\Hawkeye G Host Sensor\quarantine
This avoids the antivirus program and HawkEye G both trying to quarantine the same file.
2.3.3 Delete Registry Value
When a potentially destructive Registry value is detected, the Host Sensor can delete it if
allowed by policy.
2.3.4 Host Ransomware Actions
If a Hawkeye G system is configured to be in PREVENT mode for host ransomware (see
Section 2.2.3), the Host Sensor will automatically kill processes and quarantine files that exhibit
characteristics of ransomware. These actions will occur automatically and then will be reported
to the Host Sensor Manager since these types of threats can require immediate action to protect
the end host.
These actions will be reported to the user interface and displayed so that Operators can see
what occurred.
2.3.5 Whitelist and Exclusion List
Exceptions to the Threat List can be modified by the Operator in either a Whitelist or Exclusion
list. The difference between a Whitelist and Exclusion is defined as:
• Whitelist: The Host Sensor sends the event, even for whitelisted files/processes, to the HawkEye G Manager. The heuristics process then identifies them as whitelisted and does not list them as an incident or indicator.
• Exclusion: The Host Sensor ignores manually identified exclusion paths for files and/or processes and does not send events for them to the HawkEye G Manager.
2.3.5.1 Whitelist
HawkEye G provides a Whitelist in order to prevent certain executables and processes from
ever being mitigated (killed and/or quarantined) by HawkEye G. The Mitigation Whitelist can
be accessed from the menu by selecting ThreatSync > Whitelist.
Figure 2: Whitelist screen
New mitigation exceptions can be added manually from this page or can be “learned” by undoing a mitigation (for example, unquarantining a file) or by selecting Adding to the Whitelist from the Incidents Machine Guided Actions page. The filtering buttons therefore allow this page to be filtered by source: User, Learned, NIST, or Hexis, as shown in Figure 3.
Figure 3: Whitelist – Filter by Source
To manually add a Mitigation Whitelist entry, click the Add Mitigation Whitelist button, which
presents the screen shown in Figure 4. Mitigation exceptions can be specified either by MD5
hash or absolute path.
Figure 4: Add Mitigation Whitelist
The user can view the details of a Whitelist item by clicking its Expand button, which will
expand the window as shown in Figure 5.
Figure 5: Whitelist detail example
While viewing the Mitigation Whitelist, the user can click the Actions button next to the
desired Whitelist item and select either Edit Mitigation Whitelist (this option is available ONLY
to User added items) or Remove Mitigation Whitelist.
Figure 6: Mitigation Whitelist “Inspect” menu
Selecting Edit Mitigation Whitelist provides a screen to edit the Whitelist entry fields as shown
in Figure 7. Changes made while viewing this screen can be persisted by clicking the Save &
Close button or rejected by clicking Cancel.
Figure 7: Edit Mitigation Whitelist screen
Selecting Remove Mitigation Whitelist presents a confirmation dialog as shown in Figure 8.
An MD5 that has been removed is automatically re-added to the Threat List.
Figure 8: Remove Mitigation Whitelist confirmation dialog
2.3.5.2 Exclusions
HawkEye G provides an Exclusions list for directories to be excluded from events being sent
by the Host Sensor. The Exclusions list can be accessed from the menu by selecting
ThreatSync > Exclusion.
Figure 9: Exclusion screen
To manually add an Exclusion entry:
1. Click the Add Exclusion button.
2. Enter any mitigation exceptions in the Path field.
3. To include or exclude sub-folders to this exclusion item, set the Also exclude subfolders
option appropriately.
4. Under Entities to exclude, select Files and Processes, Files only, or Processes only.
5. Enter an optional Description if desired.
Figure 10: Add Exclusion item
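The practical difference between the two lists (Section 2.3.5) is where the filtering happens: an Exclusion silences the sensor for a path, so the Manager never sees the event, while a Whitelist entry (MD5 or absolute path, Section 2.3.5.1) lets the event through and only stops the heuristics from raising it. The Python below is an added example written for this guide, not HawkEye G or WatchGuard code. Its Exclusion fields follow the Add Exclusion form described above (Path, Also exclude subfolders, Entities to exclude), but the event shape, the matching rules (case-insensitive path comparison, parent-directory matching) and all sample rules, paths and hashes are constructed.

```python
"""Sensor-side Exclusions versus Manager-side Whitelist (added illustration;
not HawkEye G code). Rule fields mirror the UI described above; event
shapes, matching rules and all sample data are constructed."""
import hashlib
import ntpath
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Exclusion:
    path: str                 # the Path field (a directory)
    include_subfolders: bool  # "Also exclude subfolders"
    entities: str             # "both", "files" or "processes" ("Entities to exclude")
    description: str = ""


@dataclass(frozen=True)
class WhitelistEntry:
    md5: Optional[str] = None   # specified either by MD5 hash ...
    path: Optional[str] = None  # ... or by absolute path


@dataclass(frozen=True)
class Event:
    kind: str  # "file" or "process"
    path: str  # absolute path of the file or process image
    md5: str   # hex digest of the file content


def _norm(path):
    # Windows paths compare case-insensitively; ntpath works on any platform
    return ntpath.normcase(ntpath.normpath(path))


def excluded(event, exclusions):
    """Sensor side: True if the event is dropped before it is ever sent."""
    parent = ntpath.dirname(_norm(event.path))
    for ex in exclusions:
        if ex.entities not in ("both", event.kind + "s"):
            continue  # a files-only exclusion does not silence process events
        root = _norm(ex.path)
        if parent == root or (ex.include_subfolders and parent.startswith(root + "\\")):
            return True
    return False


def whitelisted(event, whitelist):
    """Manager side: True if heuristics must not raise this as an indicator."""
    for entry in whitelist:
        if entry.md5 and entry.md5.lower() == event.md5.lower():
            return True
        if entry.path and _norm(entry.path) == _norm(event.path):
            return True
    return False


def process_events(events, exclusions, whitelist):
    """Return (sent, indicators): excluded events never leave the host;
    whitelisted events are sent but not raised as incidents or indicators."""
    sent, indicators = [], []
    for ev in events:
        if excluded(ev, exclusions):
            continue
        sent.append(ev)
        if not whitelisted(ev, whitelist):
            indicators.append(ev)
    return sent, indicators


def _md5(data):
    return hashlib.md5(data).hexdigest()


# Constructed rules and events (not real hashes, paths or detections)
SAMPLE_EXCLUSIONS = [Exclusion(r"C:\Build\out", include_subfolders=True, entities="files", description="CI output")]
SAMPLE_WHITELIST = [WhitelistEntry(md5=_md5(b"trusted-tool-v1")), WhitelistEntry(path=r"C:\Program Files\Vendor\agent.exe")]
SAMPLE_EVENTS = [
    Event("file", r"C:\Build\out\bin\tool.exe", _md5(b"build-output")),       # excluded: subfolder, files
    Event("process", r"C:\Build\out\bin\tool.exe", _md5(b"build-output")),    # sent: exclusion is files-only
    Event("process", r"C:\PROGRAM FILES\vendor\AGENT.EXE", _md5(b"agent")),   # whitelisted by path
    Event("file", r"C:\Users\Public\unknown.exe", _md5(b"trusted-tool-v1")),  # whitelisted by MD5
    Event("process", r"C:\Users\Public\unknown.exe", _md5(b"other")),         # indicator
]


def demo():
    sent, indicators = process_events(SAMPLE_EVENTS, SAMPLE_EXCLUSIONS, SAMPLE_WHITELIST)
    return [(e.kind, e.path) for e in sent], [(e.kind, e.path) for e in indicators]


if __name__ == "__main__":
    sent, indicators = demo()
    print("sent to manager:", sent)
    print("raised as indicators:", indicators)
```

The sample illustrates why the guide keeps the two mechanisms separate: the files-only exclusion stops file events from the build directory but still lets a process launched from it reach the Manager, and an MD5 whitelist entry suppresses the indicator wherever the file sits, so the Manager retains the event record even though nothing is raised.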
The user can view the details of an Exclusion item by clicking the Expand button to the left
of the desired item, which will expand the window as shown in Figure 11. The user can modify
the details and then select Save & Close.
Figure 11: Exclusion detail example
While viewing the Exclusion list, the user can click the Actions button next to the desired
item and then click Remove Exclusion.
Figure 12: Exclusion “Inspect” menu
A confirmation dialog for the deletion is displayed.
Figure 13: Remove Exclusion confirmation dialog
3. Detailed Parameters
3.1 Deploying Host Sensor
HawkEye G Host Sensor can be deployed by the Operator using the User Interface as
described here. A Device is defined as a computer or controller on the HawkEye G monitored
network. A Host is a device on the HawkEye G monitored network that has a Host Sensor
installed on it. HawkEye G will directly leverage the Windows Active Directory Infrastructure.
Once a Domain has been entered and credentials have been specified for the Administrator
account of that Domain, HawkEye G will regularly poll from the Active Directory a listing of the
User, Machine, and Service accounts in the Active Directory database (ntds.dit) and use this
information to populate the Devices and Accounts sections.
The default Hosts window is shown in Figure 14. The Host sensor window opens with
Installed selected. It can always be deselected by the user. The display in the view pane is not
dynamic but a static view of the Hosts at the date/time indicated on the top right. The date and
time are updated when the screen is loaded (selected from the navigation buttons on the left) or
when the Refresh Now button is clicked. The banner shown in Figure 15 will also briefly appear
when the refresh has completed.
Figure 14: Hosts Default Window
Figure 15: Device Synced confirmation
The Hosts section displays the inventory of all the devices that have been added to the
HawkEye G inventory, as shown in Figure 14. It will display the hostname/IP address, the type
of device, Sensor status, and additional details regarding the device. Devices must first be
specified in the Hosts section before they will be auto-populated in other areas of HawkEye G.
HawkEye G also utilizes a Dynamic IP Sensor to perform periodic DNS lookups of a host’s
FQDN to verify its current IP address. Notice that hosts that do not have DNS entries or whose
IP address is unknown are shown with an icon by the name.
Host Sensors are deployed to protected Windows hosts by the Host Sensor Manager (HSM),
and enable HawkEye G to monitor host events, to retrieve host details through Surveys, and
perform protective actions and mitigations upon the host based on user-set policies. Host
Sensors can be deployed and removed collectively or individually from the User Interface and
can be managed via Active Directory or HawkEye G groups. The status of the devices can be
observed in the Hosts view pane at the right of each Host and is defined as:
• Installed and Operational
• Installed and in a Trouble state or Shutdown
• Installed and Unavailable, or error installing the host sensor
• Shutdown: unavailable because of a normal shutdown/restart
The devices are shown in Figure 16 with the “th-win” search filter applied. The protected
devices with Host Sensors installed display the version in the Sensor Version column.
Figure 16: Hosts View Pane with “th-win” Search filter applied
The user can attempt to install the Host Sensor on a Windows device by clicking the button
for the selected Host Sensor in the Installation State column of the Hosts view pane, as shown
in Figure 17. The user can hold the mouse pointer over the button and a pop-up box with the
details of the status will appear.
An installed sensor can be removed by clicking the button for the selected Host Sensor in
the Installation State column of Hosts view pane as shown in Figure 18.
Figure 17: Install Host Sensor example
Figure 18: Remove Host Sensor example