The objective of this use case is to demonstrate the incident response capabilities and data held within the TIE server. Successful completion of this use case should demonstrate how to identify when a file first entered your environment as well as how widespread the file is being executed. You will also be able to take action by triggering a VSE clean on a known malicious file.
Remote Desktop into the client system and run Hackit.exe
Click on Menu | Systems Section | TIE Reputations
In the File Search tab Enter Hackit.exe in the search field and click Find Files.
Note: hitting Enter will not search. You must use the mouse to click the Apply button.
Click the checkbox next to Hackit.exe
Click Actions | Where Has File Run
The number of systems this file was run on will appear as well as the First Reference Date.
Sort the First Reference Date column to identify patient zero
The Management features of ePO allow the user to take appropriate action at the client when an incident arises. Click into the endpoint to show system information.
The Actions button allows the user to modify the System Health settings, Tag the system, change the policy etc.
In the beginning of this use case hackit.exe was executed. On the endpoint you will see the Hack-It interface, the Hack-It application running in Task Manager, and the Hack-It icon running in the system tray.
When the TIE module for VSE policy has the Clean feature enabled and a file's Enterprise reputation is set to Known Malicious, a reputation change DXL event goes out immediately.
Note: this feature can be disabled by unchecking the Clean at setting in the TIE module for VSE policy.
Based on this policy setting the TIE module for VSE triggers a VSE clean.
A VSE clean includes looking for running processes associated with the file and terminating them.
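The following is an added example, not part of the original use case or any McAfee code. It models the two decisions the walkthrough describes so they can be checked outside the ePO console: picking patient zero and the affected-system count from "Where Has File Run" first-reference data, and deciding from a reputation-change event whether the TIE module for VSE policy would trigger a clean. The trust-level numbers are the values the OpenDXL TIE client documents (assumed here, not stated in the guide); the first-reference records, the event payload and the process table are constructed sample data.

```python
"""Added example: patient-zero lookup and VSE clean decision, modelled on
the TIE use case. All input data below is constructed, not real TIE output."""
from dataclasses import dataclass
from datetime import datetime

# TIE enterprise trust levels as documented for the OpenDXL TIE client
# (TrustLevel constants). Assumed values, not taken from the guide.
KNOWN_TRUSTED = 99
UNKNOWN = 50
MIGHT_BE_MALICIOUS = 30
MOST_LIKELY_MALICIOUS = 15
KNOWN_MALICIOUS = 1
NOT_SET = 0


@dataclass(frozen=True)
class FirstReference:
    """One row of the 'Where Has File Run' view: system and First Reference Date."""
    system: str
    first_seen: datetime


def where_has_file_run(records):
    """Return (system_count, patient_zero). Patient zero is the system with
    the earliest First Reference Date, i.e. the result of sorting that column."""
    if not records:
        return 0, None
    ordered = sorted(records, key=lambda r: r.first_seen)
    return len(ordered), ordered[0].system


def should_vse_clean(enterprise_trust_level, clean_enabled):
    """A clean is triggered only when the policy's Clean feature is enabled
    AND the enterprise reputation in the event is Known Malicious."""
    return bool(clean_enabled) and enterprise_trust_level == KNOWN_MALICIOUS


def handle_reputation_event(event, clean_enabled=True):
    """Read the new enterprise trust level out of a reputation-change event
    and apply the policy decision."""
    level = event["newReputations"]["enterprise"]["trustLevel"]
    return should_vse_clean(level, clean_enabled)


def vse_clean(process_table, filename):
    """Model of the clean step: return the PIDs of running processes whose
    image name matches the file so they can be terminated."""
    target = filename.lower()
    return [pid for image, pid in process_table if image.lower() == target]


# Constructed sample: three endpoints that reported Hackit.exe.
SAMPLE_REFERENCES = [
    FirstReference("WKS-0042", datetime(2016, 3, 14, 9, 12)),
    FirstReference("WKS-0007", datetime(2016, 3, 13, 17, 45)),
    FirstReference("SRV-FILE01", datetime(2016, 3, 15, 8, 3)),
]

# Constructed reputation-change event; the hash is a placeholder.
SAMPLE_EVENT = {
    "hashes": {"md5": "<placeholder-md5>"},
    "newReputations": {"enterprise": {"trustLevel": KNOWN_MALICIOUS}},
}

# Constructed process table for the endpoint: (image name, PID).
SAMPLE_PROCESSES = [("explorer.exe", 412), ("Hackit.exe", 1337), ("svchost.exe", 88)]

if __name__ == "__main__":
    count, patient_zero = where_has_file_run(SAMPLE_REFERENCES)
    print(f"Hackit.exe ran on {count} systems; patient zero: {patient_zero}")
    if handle_reputation_event(SAMPLE_EVENT, clean_enabled=True):
        print("VSE clean terminates PIDs:", vse_clean(SAMPLE_PROCESSES, "Hackit.exe"))
```

With the Clean feature unchecked the event still arrives but `should_vse_clean` returns False, which matches the note above: the reputation change is published regardless; only the clean action depends on the policy setting.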
Let’s pretend for this demo that Hackit.exe has become a known immediate threat to our environment. Setting the file to File Known Malicious will trigger a VSE clean.
In the TIE Reputations page check the box next to Hackit.exe
Click Actions | File Known Malicious
Return to the endpoint and observe the Hack-It interface, the Hack-It application running in Task Manager, as well as the Hack-It icon running in the system tray disappear.
When a compromise does occur, the knowledge gathered by the TIE server empowers admins to respond swiftly and accurately. By setting a file to known malicious the administrator can trigger a VSE clean across the entire environment while simultaneously ensuring all future encounters are cleaned.