Isolating a Client from All Network Connectivity

Version 1

    Introduction

     

    Intel Active Management Technology (AMT) can filter all network traffic on a platform's wired and 802.11 wireless interfaces. This feature, called System Defense, is highly effective for isolating or restricting a client's network communications. Because the filter is applied by the management firmware, rebooting the client, moving it to a different network connection, or reimaging it does not affect the System Defense setting. A direct, authenticated call into Intel AMT, however, can clear the filters and restore wired and wireless communications at the hardware layer.

    One example of how this feature could be used is to isolate an infected client until further analysis is complete. The video accompanying this article demonstrates this use case.

    The remainder of the article explains how this was accomplished by integrating the Intel vPro PowerShell Module into the McAfee ePO console environment. The article assumes you already have McAfee ePO Deep Command working, with beyond-the-operating-system communication and functions to Intel Active Management Technology in place.

     

    More information on vPro PowerShell Module

     

    The video references the Intel vPro PowerShell Module (vPSM), which is available at http://communities.intel.com/docs/DOC-4800. The vPSM User Guide included with the download package explains how to set up and use the scripts. When setting up your own environment, focus on section 3 of the document, which covers setting the PowerShell ExecutionPolicy and creating a profile.

    All communications to Intel AMT must be authenticated and authorized. Within McAfee ePO Deep Command, the credentials and certificate are stored under Server Settings in the Intel AMT credentials. In the example below, the Intel AMT admin digest account is used. Some environments use a Microsoft domain account for Kerberos authentication instead. Also shown in the example is the root certificate that the console trusts when it establishes the TLS connection protecting Intel AMT communications.

    credentials.png

    If a digest account is used for Intel AMT communications, the account and password can be stored securely for use by a PowerShell script. If your environment uses Kerberos authentication, the references to -Credential and $amtcred in the next section are less relevant: without -Credential, the cmdlets authenticate as the Windows user running PowerShell.

     

     

    Storing and Validating Intel AMT credentials for vPSM usage

    PowerShell can store an encrypted string, and a vPSM cmdlet uses that ability to save the Intel AMT credentials so they are available whenever the PowerShell environment is loaded and running. The goal is to match the credentials that McAfee ePO Deep Command, or any other application in your environment, already uses to communicate with Intel AMT.

    First, capture the Intel AMT credential that will be stored securely. This step also confirms that vPSM is installed correctly with the ExecutionPolicy settings described in the Intel vPro PowerShell Module guide.

    Within the PowerShell window, assign the variable amtcred to the desired credentials by typing

    $amtcred = Get-Credential

    A Windows login prompt appears. Type the Intel AMT account name and password to be used.

    initialize credentials.png

    Second, validate that the credentials work by running a simple vPSM cmdlet. The example below uses Get-AMTSystemDefense with the $amtcred credentials to confirm communications. Note that the parameter switches use ordinary hyphens; if you paste a command from a document that has converted them into dashes, PowerShell will not recognize the parameters. The command, with a target client named amtclient, is:

    Get-AMTSystemDefense amtclient -TLS -Credential $amtcred

     

    check sysdef.png

     

    The above example shows that communications and credentials are correct.

    Third, save the credentials as a secure string that can be read back when a PowerShell session starts. The vPSM cmdlet is Write-AMTCredential, and the full command is:

    Write-AMTCredential -Username $amtcred.UserName -Password $amtcred.Password

    Fourth, create a PowerShell profile in the My Documents folder of the logged-in user at \WindowsPowerShell\Microsoft.PowerShell_profile.ps1. At a minimum, the .ps1 file should contain

    Import-Module IntelvPro

    New-Variable -Name amtCred -Value (Read-AMTCredential)

     

    ps1 profile.png

     

    So far only the current System Defense status has been queried. The final step is to validate that the stored credentials work through the PowerShell profile. The examples below load the PowerShell environment and run the cmdlets both inside PowerShell and from a Windows command prompt: the first command sets System Defense, and the second clears it. While System Defense is set, try to communicate on the network from the target client. All communications, except to Intel AMT in the hardware, are blocked.

    The PowerShell command is:

    Set-AMTSystemDefense amtclient -TLS -Credential $amtcred

    The Windows command prompt used:

    PowerShell.exe -Command "& {Clear-AMTSystemDefense amtclient -TLS -Credential $amtcred}"

    test shell script.png


    If the vPSM commands work correctly with the profile and stored credentials, you are ready to integrate with McAfee ePO: you now know how to determine, set, and clear the System Defense state.
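    The script below is an example added here; it is not part of the original article or of the vPSM package. It ties the three cmdlets into one repeatable check against a test client: record the status, apply System Defense, confirm from the console that the client's operating system no longer answers pings, clear the filter over the same network connection (which only succeeds because the filter leaves Intel AMT reachable), and confirm connectivity returns. It assumes the profile above has already run, so the IntelvPro module is imported and $amtCred is loaded; the target name amtclient and the five-second settle delay are placeholders. Only the cmdlets and switches shown on this page are used, and the reachability check is a plain Test-Connection from the console.

```powershell
# Added example (not from the original article or the vPSM package).
# Assumes: IntelvPro module imported and $amtCred populated by the profile;
# "amtclient" is the article's placeholder target; delays are arbitrary.
param(
    [string]$Target = 'amtclient',
    [int]$PingCount = 3,
    [int]$SettleSeconds = 5
)

$ErrorActionPreference = 'Stop'   # any vPSM cmdlet failure terminates into the catch block

if (-not $amtCred) {
    throw 'Stored Intel AMT credential is not loaded; check the PowerShell profile.'
}

function Test-OsReachable {
    # ICMP reachability of the client's operating system. System Defense blocks this
    # while Intel AMT itself keeps answering on its own management ports.
    param([string]$Name, [int]$Count)
    return [bool](Test-Connection -ComputerName $Name -Count $Count -Quiet -ErrorAction SilentlyContinue)
}

try {
    Write-Output '== System Defense status before =='
    Get-AMTSystemDefense $Target -TLS -Credential $amtCred

    $before = Test-OsReachable -Name $Target -Count $PingCount
    Write-Output ('OS reachable before isolation: {0}' -f $before)

    Write-Output '== Applying System Defense =='
    Set-AMTSystemDefense $Target -TLS -Credential $amtCred
    Start-Sleep -Seconds $SettleSeconds     # give the firmware filter a moment to take effect

    # With the filter active the OS must NOT answer; a reply means the isolation did not apply.
    $during = Test-OsReachable -Name $Target -Count $PingCount
    Write-Output ('OS reachable during isolation: {0}' -f $during)
    if ($during) {
        Write-Warning 'Client still answers while isolated; the filter did not take effect on the interface in use.'
    }

    # Management-plane check: the clear must succeed across the same network while the
    # OS is cut off, which proves the filter left the Intel AMT ports open.
    Write-Output '== Clearing System Defense =='
    Clear-AMTSystemDefense $Target -TLS -Credential $amtCred
    Start-Sleep -Seconds $SettleSeconds

    $after = Test-OsReachable -Name $Target -Count $PingCount
    Write-Output ('OS reachable after clear: {0}' -f $after)
    if ($before -and -not $after) {
        Write-Warning 'Client was reachable before but not after the clear; investigate before trusting this flow.'
    }

    Write-Output '== System Defense status after =='
    Get-AMTSystemDefense $Target -TLS -Credential $amtCred
}
catch {
    # Never leave a test client isolated because the validation itself failed.
    Write-Warning ('Validation failed: {0}. Attempting to clear System Defense.' -f $_.Exception.Message)
    Clear-AMTSystemDefense $Target -TLS -Credential $amtCred
    throw
}
```

    Run it from the same PowerShell session in which the profile loaded, for example as .\Validate-AMTIsolation.ps1 -Target amtclient. The catch block clears the filter on any error so a failed validation does not strand the test client; in production, where the isolation is the intended outcome, that automatic clear belongs only in a test harness.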

     

    Define a Registered Executable

     

    On the ePO console, this is located under Menu > Configuration > Registered Executables.

     

    Register Microsoft PowerShell to run under a defined account. If you are using digest authentication for Intel AMT communications, the .ps1 profile defined in the previous section must be in the My Documents folder of that account, and the Write-AMTCredential step must have been run as that account on the ePO server: PowerShell's secure-string storage is tied to the user (and machine) that created it, so a credential written by your interactive user cannot be read by a different service account. If you are using Kerberos authentication, load Microsoft PowerShell in the context of an account with sufficient Intel AMT realm access to complete the desired command.

     

    PS reg exec.png
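    As an added example (not from the original article), here is a wrapper script that the registered PowerShell executable can run instead of an inline -Command string, so the Automated Response only has to supply a host name and an action word. It assumes the account under which PowerShell.exe is registered has already run Write-AMTCredential on the ePO server; the script path, log path and parameter names are my own choices, and the cmdlet forms are the ones shown on this page. How the host name from the event is inserted into the command line is configured in the ePO response action itself.

```powershell
# Added example (not part of the original article or the vPSM package).
# Suggested registered-executable command line (host name supplied by the response action):
#   PowerShell.exe -NonInteractive -ExecutionPolicy RemoteSigned -File C:\Scripts\Invoke-AMTIsolation.ps1 -ComputerName <host> -Action Isolate
# Assumes: vPSM installed; Write-AMTCredential already run by the account PowerShell.exe
# is registered under; C:\Scripts\AMTIsolation.log is an arbitrary log location.
param(
    [Parameter(Mandatory = $true)][string]$ComputerName,
    [ValidateSet('Status', 'Isolate', 'Restore')][string]$Action = 'Status',
    [string]$LogPath = 'C:\Scripts\AMTIsolation.log'
)

$ErrorActionPreference = 'Stop'

function Write-Log {
    # One timestamped line per run so the console operator can see who was isolated and when.
    param([string]$Message)
    $line = '{0:yyyy-MM-dd HH:mm:ss} {1} {2} {3}' -f (Get-Date), $Action, $ComputerName, $Message
    Add-Content -Path $LogPath -Value $line
    Write-Output $line
}

try {
    Import-Module IntelvPro            # do not depend on the profile when run non-interactively
    $cred = Read-AMTCredential         # the secure string saved earlier by this same account
    if (-not $cred) { throw 'No stored Intel AMT credential for this account.' }

    switch ($Action) {
        'Isolate' { $result = Set-AMTSystemDefense   $ComputerName -TLS -Credential $cred }
        'Restore' { $result = Clear-AMTSystemDefense $ComputerName -TLS -Credential $cred }
        'Status'  { $result = Get-AMTSystemDefense   $ComputerName -TLS -Credential $cred }
    }

    Write-Log ('completed: ' + ($result | Out-String).Trim())
    exit 0                             # non-zero exit codes let ePO record the action as failed
}
catch {
    Write-Log ('FAILED: ' + $_.Exception.Message)
    exit 1
}
```

    The Restore action is included so the same registered executable can later lift the isolation, either by the analyst by hand or by a second Automated Response; because the clear travels to Intel AMT over the network, it works while the operating system itself is still cut off. Importing the module and reading the credential explicitly, rather than relying on the profile, makes the script behave the same whether or not the registered executable is launched with -NoProfile.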

     

    Create an Automated Response

     

    Using your Threat Event Log, identify the Event ID for the situations in which complete isolation of the target endpoint is desirable. Remember that the isolation is enforced at the endpoint's network interface, below the operating system, so choose events where that severity is justified.

     

    Define an Automated Response with the appropriate filters and aggregation. For the Action, use the following example, which differs slightly from what is shown in the video.

     

    auto response.png

     

    For this example, I have also added an email response to notify an associate that the event has occurred.   That associate can complete the analysis of the system according to the event that occurred.    To remove the isolation applied via System Defense, the Clear-AMTSystemDefense command must be run across a network connection.

     

    Validate the Response

    Before rolling this out to production, test it. For example, change the Automated Response filter to an easily triggered event. In my example, I first used a McAfee Deep Defender Installation Check.

     

    At the next McAfee Agent connection, the event is passed to the ePO console and appears in the Threat Event Log. The Automated Response is triggered, the vPro PowerShell command executes, and all network communication from the client's operating system ceases. Shown below, the client was sending pings to the server, which stop abruptly when the System Defense command takes effect. Even if I reboot the client, reimage it, boot from different media, and so forth, the isolation enforced by System Defense remains.

     

    blocked.png

     

    Once the System Defense command is completed, an email is generated as shown below.

     

    email notification.png

     

    After further analysis and remediation on the client is completed, the System Defense actions can be cleared from the client.  

     

    One example of how to clear the System Defense filters using the Intel vPro PowerShell Module is shown below.

    clear SysDef.png

     

    Concluding Thoughts

    Intel vPro PowerShell Module (vPSM) provides an extensive set of cmdlets for working with Intel Active Management Technology. The examples in this article demonstrate several ways a vPSM cmdlet can be called: directly within a PowerShell session, from a command line that passes the target client as an argument, and as an Automated Response within the McAfee ePO console. vPSM is not a replacement for McAfee ePO Deep Command, but it can provide a variety of additional options and uses within an environment. This article offers only a glimpse of the vPSM cmdlets, focusing on those specific to System Defense. For a fuller understanding of the possibilities, refer to the vPSM user guide.

     

    Frequently Asked Questions

    • Q: Are these features exposed via Python API\scripts in McAfee ePO Deep Command?
    • A: No. With Deep Command v1.0, the Python APIs within McAfee ePO provide access only to the Enforce AMT Policies and direct Intel AMT Power-on event.

     

    • Q: Is McAfee ePO Deep Command required to use Intel vPro PowerShell Module?
    • A: No.   These are actually independent of one another.   Intel vPro PowerShell Module exposes additional functionality and usages of Intel AMT.  However, McAfee ePO Deep Command is fully integrated with McAfee ePO and associated products.

     

    • Q: Why are there differences between the vPSM command shown in the video versus the one shared in this article?
    • A: The commands perform the same function.   The difference is how the credentials for Intel AMT are provided.   In the video, the registered executable of PowerShell is running under the context of a valid Kerberos user for Intel AMT.   In this article, a digest credential via a secured string is used in the vPSM command.

     

    • Q: Where can I learn more about Intel vPro PowerShell Module (vPSM)?
    • A: More information is posted on the Intel vPro Expert Center (http://www.intel.com/go/vproexpert). In addition, the examples in the vPSM documentation and in the command-line help give more detailed guidance. For example, Get-Help Set-AMTSystemDefense -Full provides a more detailed explanation.

     

    The opinions expressed on this site are mine alone and do not necessarily reflect the opinions or strategies of Intel Corporation or its worldwide subsidiaries