
How to control the execution of new files and certificates in your environment with McAfee Threat Intelligence Exchange

Introduction

McAfee Threat Intelligence Exchange gives complete visibility of new executables and certificates running in your environment, with added endpoint protection that takes local, enterprise and global context into account when determining risky behavior. Let’s take action and apply our new threat intelligence to make smarter security decisions.

[Image: pain point.png]

McAfee Threat Intelligence Exchange makes it possible for administrators to easily tailor comprehensive threat intelligence from global intelligence data sources, such as McAfee Global Threat Intelligence (McAfee GTI) or third-party feeds, combined with local threat intelligence sourced from real-time and historical event data delivered via endpoints, gateways, and other security components. Customers can assemble, override, augment, and tune the intelligence source information to customize the data for their environment and organization (for example, blacklists and whitelists of files and certificates, or certificates assigned to and used by the organization).

Prerequisites

Objective

The objective of this use case is to demonstrate the informed control that TIE gives the administrator. Successfully completing this use case will demonstrate the added control that TIE offers against current and future threats.

Use Case

In ePO, click Menu | Systems Section | TIE Reputations.

[Image: TIE.png]

Log in to the Client system and attempt to run Artemis-Unknown-AllSL.exe. You will not be able to execute this file, as it is unknown and has no reputation. If the file is not blocked, take a look at the Prerequisites section of this document: the TIE module for VSE policy should be set to Enforce and block on Unknown.

[Image: bb.png]

For this demo, let’s pretend that you have researched Artemis-Unknown-AllSL.exe further and decided it is not malicious. If you would like it to be allowed to run in your environment, you need to override its current reputation.

In the File Search tab, enter Artemis-Unknown in the search field and click Find Files. Click the checkbox next to Artemis-Unknown-AllSL.exe and click Actions.

[Image: bc.png]

Mark Artemis-Unknown-AllSL.exe as File Known Trusted.

Note: Setting the reputation to Most Likely Trusted will also work.

This sets the Enterprise Reputation, which overrides the current block based on the Unknown reputation.

[Image: bd.PNG]

You will be prompted to Add Comment.

Click OK after adding a comment.

[Image: be.png]

Log in to the Client system again and attempt to run Artemis-Unknown-AllSL.exe.

[Image: bb.png]

You will now be able to execute this file.

[Image: bg.png]

Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent-to-Server Communication Interval (ASCI).

Let’s now pretend that you have discovered several different Wireshark versions in your environment, some of which are being used to capture network traffic that you are concerned may be for malicious intent.

Download, install and run Wireshark on your endpoint as instructed on wireshark.org: https://www.wireshark.org/download.html

[Image: bh.png]

To prevent any tool signed with this certificate from executing, block all executables signed by the Wireshark certificate.

To do this, you need to set its reputation at the enterprise level.

In ePO, go to TIE Reputations | Certificate Search tab, enter Wire in the search field and click Find Certificates.

Click the checkbox next to the Wireshark certificate, click Actions, and set the certificate to Most Likely Malicious.

[Image: bi.png]

You will be prompted to Add Comment.

Click OK after adding a comment.

[Image: bk.png]

Any file signed with the Wireshark certificate will be blocked from executing immediately.

Note: The reputation update happens immediately and does not require the McAfee Agent to wait for an Agent-to-Server Communication Interval (ASCI).

[Image: bl.png]

You also have the ability to immunize your environment before a threat occurs. You can get this intelligence from third party threat feeds, the media, or other security products.

In ePO, click Menu | Systems Section | TIE Reputations | File Overrides.

Click Actions | Import Reputations.

[Image: bm.png]

Enter:

Filename: MORPH.EXE
SHA-1 Hash: 0x13ECDDA4F45CD028221AF300EEBB207B60CB5C6C
MD5 Hash: 0xFB36DE68696BC60D9A51B537F97BDAD3

Set the reputation to Most Likely Malicious.

[Image: bn.png]

Click OK, then OK on the confirmation screen.

Note: Reputations can also be imported via XML or the ePO API.

Note: There is no specified limit on the size of the file that can be imported, but be aware that every definition it contains will trigger a reputation change event.

Hash tool

Determining the hash of a file allows the administrator to import a reputation before the file ever enters the environment. As referenced in the Content section, a free hash tool can be found at http://www.keir.net/hash.html
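As an added example (not code from this article or from any McAfee tool), the following Python script does what the hash tool step and the File Overrides import above call for: it computes the SHA-1 and MD5 of a file in the 0x-prefixed, upper-case form shown in the MORPH.EXE entry, assembles the fields typed into the import dialog, and reports how many reputation change events a batch import would raise (one per definition, as the note above states). The sample bytes, the file name MORPH-SAMPLE.EXE and the function names are constructed for illustration; the three reputation names are the ones used on this page, and the record layout is a plain dictionary, not the XML or ePO API import format, which this page does not describe.

```python
import hashlib
import io
import tempfile
from pathlib import Path

# Reputation names as they appear on this page; TIE defines further levels that
# are not listed here (assumption: these three cover the overrides in this article).
REPUTATIONS = ("Known Trusted", "Most Likely Trusted", "Most Likely Malicious")

# Constructed sample data standing in for a binary that has not yet reached the
# environment. In practice you would point hash_file() at the real file.
SAMPLE_NAME = "MORPH-SAMPLE.EXE"   # hypothetical name, not the page's MORPH.EXE
SAMPLE_BYTES = b"abc"


def digest_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so large installers need not fit in memory.

    Returns the digests in the 0x-prefixed, upper-case form used in the
    File Overrides import dialog shown on this page.
    """
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        sha1.update(chunk)
        md5.update(chunk)
    return {
        "SHA-1 Hash": "0x" + sha1.hexdigest().upper(),
        "MD5 Hash": "0x" + md5.hexdigest().upper(),
    }


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory byte string (used here for the constructed sample)."""
    return digest_stream(io.BytesIO(data))


def hash_file(path) -> dict:
    """Digest a file on disk, streaming it from the filesystem."""
    with open(path, "rb") as fh:
        return digest_stream(fh)


def build_override(filename: str, hashes: dict, reputation: str) -> dict:
    """Assemble one File Overrides entry: the fields typed into the import dialog."""
    if not filename:
        raise ValueError("filename must not be empty")
    if reputation not in REPUTATIONS:
        raise ValueError(f"unsupported reputation {reputation!r}; expected one of {REPUTATIONS}")
    return {"Filename": filename, **hashes, "Reputation": reputation}


def build_overrides(entries, reputation: str):
    """Batch form: entries is an iterable of (filename, bytes) pairs.

    Returns the records and the number of reputation change events the import
    will raise, which (as the page notes) is one per definition, so an
    administrator can size the import before running it.
    """
    records = [build_override(name, hash_bytes(data), reputation) for name, data in entries]
    return records, len(records)


def main():
    record = build_override(SAMPLE_NAME, hash_bytes(SAMPLE_BYTES), "Most Likely Malicious")
    for field, value in record.items():
        print(f"{field}: {value}")
    # The streamed-from-disk path yields the same digests as the in-memory one.
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / SAMPLE_NAME
        path.write_bytes(SAMPLE_BYTES)
        assert hash_file(path) == hash_bytes(SAMPLE_BYTES)
        print("disk and in-memory digests agree")


if __name__ == "__main__":
    main()
```

Run it with python3 and the record prints field by field, ready to be typed into the dialog. Hashing in chunks keeps memory flat for large installers. Keep in mind that a hash-based override is an exact match: a repackaged or recompiled build of the same tool has different digests and is not covered, which is why the certificate-level block described earlier is the broader control when the tool is signed.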

 

Log in to the Client system and attempt to run Morph.exe.

[Image: morph.png]

The file is blocked immediately because we set its reputation to Most Likely Malicious in the previous step. The endpoint knew this reputation immediately because TIE and the DXL operate in real time.

[Image: morph block.png]

Reports

Click Menu | Reporting | TIE Module for VSE Events for additional event details.

For example, select Pivot Point: Pivot by Rule to view the number of blocks based on specific TIE rules.

[Image: report vse event.png]

Conclusion

The TIE solution gives the administrator immediate control over files and associated certificates executing in their environment as well as the ability to immunize the enterprise with imported threat intelligence.

Version history: Revision 3 of 3. Last update: 03-15-2018 01:15 PM.