We want to detect and block abnormal network traffic with the host firewall.
In particular, we are thinking about the use case of ransomware that infects other endpoints in the local subnet via lateral movement.
Did anybody already define such a policy with ENS Firewall?
What should such a policy look like to achieve the blocking of lateral movement in the local subnet?
Does anybody have recommendations on how to approach a “monitoring” (just reporting) and a “production” (reporting and blocking) phase for the rule implementation?
As ENS Firewall is somewhat limited in selectively forwarding events for allowed traffic to ePO, we would also appreciate any recommendations on how to get just this monitored traffic to the central management.
Thanks a lot in advance!
So a quick and not 100% way would be to block traffic from unsigned processes in temp locations. If it is signed, of course, that is more difficult.
Or just create an allow list of anything in the temp locations, so only those defined things can talk. This should mitigate the vast majority of it. There are a lot of complexities though, and if the attacker is in your network and using something like psexec, that won't help. In that case, you'd need to use an Expert Rule to define where psexec could run from, as an example. Then you have things like PowerShell, so maybe only allow trusted EXEs to be created by it. So then lock down WMIC, and you have pretty good coverage.
Thank you for this recommendation.
Do you have a sample configuration on hand for testing?
Would you block the SMB protocol in case of client to client communication within the same subnet?
Do you know which network protocols are used by the most popular ransomware types for lateral movement?
I am aware that lateral movement detection is a combination of process execution and network activities. With this request I want to focus on the network part.
Shouldn't the predefined firewall rule "Allow outbound System application" within the "McAfee core networking" group be more precise to avoid lateral movement, if a process has gained privileged permissions and now runs as SYSTEM?
McAfee core networking > Allow outbound System application - Allow - Out - All types (Wired,Wireless,Virtual) - All Protocols/Any - SYSTEM
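The following is an added example for the "monitoring (just reporting)" phase discussed in the thread; it is not an ENS Firewall policy and not code from McAfee/Trellix or any poster. It runs on the endpoint itself and reports the two conditions raised above: established TCP connections owned by an unsigned process running from a temp location (the suggestion in the first reply), and established SMB (TCP/445) connections to a peer inside one of the host's own IPv4 subnets (the client-to-client SMB question). The temp-location patterns are assumptions to adjust per environment; the function names (`Get-LateralMovementCandidates`, `Test-TempLocation`, `Test-SameSubnet`) are my own. Run it elevated, otherwise `Get-Process` cannot return the image path of SYSTEM-owned processes and those rows will show a path of `<unknown>`.

```powershell
# Added example (report-only host audit), not an ENS/ePO configuration.
# Flags: (a) unsigned image in a temp location with an established TCP connection,
#        (b) established SMB (TCP/445) connection to a peer in a local IPv4 subnet.

# Assumed temp locations; extend with whatever your ENS allow list covers.
$TempPatterns = @(
    "$env:SystemRoot\Temp\*",
    "C:\Users\*\AppData\Local\Temp\*",
    "C:\Windows\Temp\*"
)

function Test-TempLocation {
    param([string]$Path)
    foreach ($pattern in $TempPatterns) {
        if ($Path -like $pattern) { return $true }
    }
    return $false
}

function ConvertTo-IpInt {
    # IPv4 dotted quad -> integer (as [long] to avoid unsigned arithmetic surprises)
    param([string]$Ip)
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)   # GetAddressBytes is big-endian; BitConverter is little-endian
    return [long][BitConverter]::ToUInt32($bytes, 0)
}

function Get-LocalSubnets {
    # IPv4 addresses assigned to this host, excluding loopback/APIPA ("WellKnown")
    Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -ne 'WellKnown' } |
        Select-Object IPAddress, PrefixLength
}

function Test-SameSubnet {
    param([string]$Remote, $Subnets)
    $remoteInt = ConvertTo-IpInt $Remote
    foreach ($s in $Subnets) {
        # Build the netmask arithmetically (avoids PowerShell shift/sign quirks)
        $hostBits = 32 - [int]$s.PrefixLength
        $mask = [long]([math]::Pow(2, 32) - [math]::Pow(2, $hostBits))
        if (($remoteInt -band $mask) -eq ((ConvertTo-IpInt $s.IPAddress) -band $mask)) {
            return $true
        }
    }
    return $false
}

function Get-LateralMovementCandidates {
    $subnets = Get-LocalSubnets
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch ':' } |      # IPv4 only for this example
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc -and $proc.Path) { $proc.Path } else { $null }

            # Authenticode status: 'Valid' means signed and trusted; anything else is treated as unsigned
            $sigStatus = if ($path) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'Unknown' }
            $inTemp    = if ($path) { Test-TempLocation $path } else { $false }
            $smbLocal  = ($conn.RemotePort -eq 445) -and (Test-SameSubnet $conn.RemoteAddress $subnets)

            $reasons = @()
            if ($inTemp -and $sigStatus -ne 'Valid') { $reasons += 'unsigned-in-temp' }
            if ($smbLocal)                           { $reasons += 'smb-to-local-subnet' }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Pid        = $conn.OwningProcess
                    Image      = if ($path) { $path } else { '<unknown>' }
                    Signature  = $sigStatus
                    Remote     = "$($conn.RemoteAddress):$($conn.RemotePort)"
                    Reason     = ($reasons -join ',')
                }
            }
        }
}

# Report only; nothing is blocked. Export the rows to wherever your monitoring phase collects them.
Get-LateralMovementCandidates | Format-Table -AutoSize
```

Running this on a schedule during the monitoring phase gives you a baseline of which images and which same-subnet SMB peers are legitimately in use, which is the input you need before turning the equivalent ENS Firewall rules from report-only to block. It does not cover the Expert Rule side (where psexec or WMIC may run from), which is process-execution policy rather than network policy.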