Level 8
Message 1 of 4

Block lateral movements by ENS Firewall

Hi all!

We want to detect and block abnormal network traffic with the host firewall.

Especially we think about use cases of ransomware that infects other endpoints in the local subnet by lateral movement.

Did anybody already define such a policy with ENS Firewall?

What should such a policy look like to achieve the blocking of lateral movement in the local subnet?

Does anybody have recommendations on how to approach a "monitoring" (just reporting) and a "production" (reporting and blocking) phase for the rule implementation?

As ENS Firewall is a little bit limited with selective event forwarding of allowed traffic to ePO, we also appreciate any recommendations on how to get just this monitored traffic to the central management.

Thanks a lot in advance!

3 Replies
Reliable Contributor
Message 2 of 4

Re: Block lateral movements by ENS Firewall

So a quick and not 100% way would be to block traffic from unsigned processes in temp locations. If it is signed, of course, that is more difficult.

Or just create an allow list of anything in the temp locations, so only those defined things can talk. This should mitigate the vast majority of it. There are a lot of complexities though, and if the attacker is in your network and using something like psexec, that won't help. In that case, you'd need to use an Expert Rule to define where psexec could run from, as an example. Then you have things like PowerShell, so maybe only allow trusted EXEs to be created by it. So then lock down WMIC, and you have pretty good coverage.

Dave 

Level 8
Message 3 of 4

Re: Block lateral movements by ENS Firewall

Thank you for this recommendation.

Do you have a sample configuration on hand for testing?

Would you block the SMB protocol in case of client to client communication within the same subnet?

Do you know which network protocols are used by the most popular ransomware types for lateral movement?

I am aware that lateral movement detection is a combination of process execution and network activities. With this request I want to focus on the network part.


Level 8
Message 4 of 4

Re: Block lateral movements by ENS Firewall

Shouldn't the predefined firewall rule "Allow outbound System application" within the "McAfee core networking" group be more precise to avoid lateral movements, if a process has gained privileged permissions and runs as SYSTEM now?

McAfee core networking > Allow outbound System application - Allow - Out - All types (Wired,Wireless,Virtual) - All Protocols/Any - SYSTEM
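The thread asks for a "monitoring" phase before blocking, and message 3 asks specifically about client-to-client SMB inside one subnet. The following script is an added example for that monitoring phase; it is not code from this thread and not an ENS Firewall or ePO feature. It assumes a simplified comma-separated export of host-firewall allow/block events (the field layout, the 10.1.0.0/24 subnet, the two "known server" addresses and all log lines are constructed for the example) and flags allowed workstation-to-workstation connections on ports used for remote execution and file sharing, in either direction, while leaving traffic to known servers alone. Counting the findings per process and service shows which specific allow rules (file server, domain controller, admin tooling) a production policy would need before the default is switched to block.

```python
"""Constructed monitoring-phase classifier for host-firewall events.

Assumed log layout (not ENS Firewall's real format):
    time,action,direction,proto,src,dst,dport,process
"""
import ipaddress
from collections import Counter

# Defender's watchlist: ports used by SMB, RPC/WMI, RDP and WinRM.
LATERAL_PORTS = {
    135: "RPC endpoint mapper (WMI/DCOM)",
    139: "NetBIOS session (SMB)",
    445: "SMB",
    3389: "RDP",
    5985: "WinRM HTTP",
    5986: "WinRM HTTPS",
}

# Assumed local workstation subnet and hosts that legitimately serve these protocols.
LOCAL_NET = ipaddress.ip_network("10.1.0.0/24")
ALLOWED_SERVERS = {
    ipaddress.ip_address("10.1.0.10"),  # file server (assumed)
    ipaddress.ip_address("10.1.0.11"),  # domain controller (assumed)
}


def parse_event(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) != 8:
        return None
    time, action, direction, proto, src, dst, dport, process = fields
    try:
        return {
            "time": time,
            "action": action.upper(),
            "direction": direction.upper(),
            "proto": proto.upper(),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
            "process": process,
        }
    except ValueError:
        return None


def peer_of(ev):
    """The remote host of the connection: destination for OUT, source for IN."""
    return ev["dst"] if ev["direction"] == "OUT" else ev["src"]


def is_lateral_candidate(ev, local_net=LOCAL_NET):
    """True for TCP traffic on a watched port between two hosts of the local subnet
    where the peer is not one of the known servers."""
    if ev["proto"] != "TCP" or ev["dport"] not in LATERAL_PORTS:
        return False
    if ev["src"] not in local_net or ev["dst"] not in local_net:
        return False
    return peer_of(ev) not in ALLOWED_SERVERS


def monitor(lines, local_net=LOCAL_NET):
    """Report-only pass: return findings for allowed events; nothing is blocked here."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["action"] != "ALLOW":
            continue
        if is_lateral_candidate(ev, local_net):
            findings.append({
                "time": ev["time"],
                "direction": ev["direction"],
                "src": str(ev["src"]),
                "dst": str(ev["dst"]),
                "dport": ev["dport"],
                "service": LATERAL_PORTS[ev["dport"]],
                "process": ev["process"],
            })
    return findings


def summarize(findings):
    """Count findings per (process, service): the candidate list of explicit allow rules."""
    return Counter((f["process"], f["service"]) for f in findings)


# Constructed sample export; every address and path is made up for this example.
SAMPLE_LOG = [
    r"2024-01-01 10:00:01,ALLOW,OUT,TCP,10.1.0.50,10.1.0.10,445,C:\Windows\System32\svchost.exe",
    r"2024-01-01 10:00:05,ALLOW,OUT,TCP,10.1.0.50,10.1.0.51,445,C:\Users\bob\AppData\Local\Temp\update.exe",
    r"2024-01-01 10:00:06,ALLOW,OUT,TCP,10.1.0.50,10.1.0.52,135,C:\Windows\System32\wbem\WMIC.exe",
    r"2024-01-01 10:00:07,ALLOW,OUT,TCP,10.1.0.50,8.8.8.8,443,C:\Program Files\Browser\browser.exe",
    r"2024-01-01 10:00:08,ALLOW,IN,TCP,10.1.0.51,10.1.0.50,445,System",
    r"2024-01-01 10:00:09,BLOCK,OUT,TCP,10.1.0.50,10.1.0.53,3389,C:\Windows\System32\mstsc.exe",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for finding in monitor(SAMPLE_LOG):
        print(finding)
    print(summarize(monitor(SAMPLE_LOG)))
```

Of the constructed lines, the connection to the file server and the browser's Internet traffic are not reported, the already blocked RDP attempt is skipped, and three events remain: the outbound SMB and RPC connections from a temp-folder executable and WMIC, plus the matching inbound SMB session on the peer workstation, which is the view a second endpoint's log gives of the same movement.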
