Endpoint Security with Elastic Fleet Agents

Captions
Hi everybody, and welcome to today's meetup with Ronnie Watson on endpoint security with Elastic Fleet agents. We're super excited to have Ronnie here today. He is an IT security analyst; he studies threat intelligence, threat detection and prevention, and is actively engaged in monitoring and investigation of security incidents that arise at his job or on the internet. He has a public GitHub page and he's active on Twitter, so I will drop both of those links in the bio... sorry, I'll drop those links in the chat shortly. Sorry, I was thinking about Twitter bios. What else do I need to share? I'm Faith, I work at Elastic on the community team, and so does my colleague Cami, who's with us today; she is our security advocate. So thank you so much for being here today, Ronnie, super excited for this presentation. Folks, as you're joining, if you have any questions throughout the presentation, please feel free to drop those in the chat and we'll chat through them as we go. So without further ado, I'll hand things over to Ronnie.

Well, thank you so much, Faith, I appreciate the introduction, and thank you for the opportunity to be presenting to the community. Without further ado, let's just jump on into it. I'm gonna share my screen real quick; I'm just gonna share the whole entire screen for the moment. All right, cool, so let me bring out the PowerPoint presentation. Like I said, this is going to be endpoint security with Elastic Fleet agents: unified protection for everyone, built on the Elastic ELK stack.

So, the Elastic Security solution provides unified protection for everyone, built on the Elastic ELK stack. The Elastic Security solution provides detection and response to emerging threats, to achieve greater visibility into your on-prem or cloud networks. Elastic Security equips analysts to prevent, detect and respond to threats as discovered, so that adversaries will not have the upper hand. Elastic Security provides a single pane of glass that analysts or a SOC manager will be able to use to investigate and learn about company endpoint threats.

Elastic Fleet agents and endpoints. Elastic Agents are a single unified agent that you can deploy to hosts or containers to collect data and send it to the Elastic Stack. Elastic Agents run in the background collecting data, metrics, events and alerts, then send that data back to the stack. Elastic Agents are an all-in-one solution for multiple integrations and functions from the Elastic Stack. Elastic endpoints are your servers, workstations, etc. These systems are monitored and protected with Elastic Agents and are considered your endpoints. Endpoints are integrated and unified by policies that make it easier to add integrations for new data sources and information.

This is an overview, courtesy of Elastic for the image, giving a view of the Fleet Server and how the Elastic Agents integrate within the stack with Elasticsearch and Kibana. The Fleet Server is a centralized component that manages your Elastic Agents. Elastic Agents check in with your Fleet Server to get policy and integration updates. Elastic Agents are enrolled via the Fleet Server.

Here is my dashboard. By default there will not be a security portion by itself; there will be the Elastic Enterprise Search tool, Kibana Lens, application performance monitoring as well, and the security, but for this demo I just focused on having the security portion. In my demo I have a Windows Server 2016 and I have the Elastic Agent server enrolled, so it's going to be the demo server with the Fleet agent. In the Fleet Server policy there are only the three integrations that I have, which are the Fleet Server, which is a new thing for Elastic 7.13.1 (in the previous build, 7.12, I think I did not see the Fleet Server, so this is a new integration, I believe, with the upgraded version 7.13.1, which I really do like), the Endpoint Security module, and the Windows integration. The security portion will handle all of the security detections and threat or malware notifications; it would act more as an antivirus as well, and I'm going to show that in the next slide. So it gives you the security features, but when you have different policies you want to integrate, like the one I have here, Windows, it gives you the event logs, the different metrics that correspond with Windows operating systems.

This is just a demo of destination countries after I enrolled my server with the Fleet module; these are just some of the destinations that were collected by the Fleet Server and the Elastic Agent for different network connectivity, the country codes or countries that it was connecting to.

This is an overview of the Endpoint Security integration policy I have set up. I do have the name, the integration for Fleet, and as you see at the bottom there's the protection type, malware. You can enroll this with Macs and you can enroll with just Windows, but on that one I have the malware protection enabled. For my demonstration purposes I have it set to detect; I don't want it to be prevent, but you can set it as prevent, so that in a demo environment you can try out the prevention techniques with different malware you're testing and see how the endpoint security mitigates those threats as they are detected with the signature rules. Also on the right-hand side there's the Mac operating system, there's Linux, but one feature that I like about the endpoint security is that you can register it as an antivirus, and that's a really cool feature, because you will get those notifications from your endpoints when there is an infection or when there is a potential malware sample that's been executed on the system, and the detection policies will trigger and it will display notifications for that. So I think that's a really good feature that I like about it.

But so far that's the presentation; now I'm just gonna go to the actual system itself. I'm just gonna copy my password for my demo and let's log into it. At this version I just have the Security and Kibana, so I'm just going to remove the Kibana. There are different ones you can enable: Enterprise, Observability, Security, Management and Analytics, but I'm just going to focus on Security, and then I'm going to go back to my panel. We're going to go through the security portion, and I already have some detection alerts as well that I set up. Before I do that: all of this is running on a VMware system that I have. I have test one and then I have a test server two. I do have various malware samples that I've downloaded from the internet and they are on this system, and that's one of them right there; I do have one on the desktop and another one whose extension I don't have installed, but that's an actual exploit as well, and if I look in my recycle bin I should see some other ones. The server is running on Ubuntu 12.4 and it's a single-server deployment just for demo purposes, but you can set this up in a cluster as well. For my demonstration I just have everything built in a single deployment that is tied back to my GitHub repository, so if you want to go through my GitHub repository and configure the same settings, you will come out with the same build that I have and am displaying right now.

Let me go through the Overview. We have the detection alert trends and external alert trends; we have Detections, Hosts, Network, Timelines, Cases and Administration. In my recent cases I have some samples of different malware that I have run... not run, but more like changed to different file directories where I downloaded it, to trigger the detection rules. I'm going to change my outlook to at least seven days; I was trying to get everything prepped earlier. Now we're looking at the detection portion. As you can see, I have different processes that were running, like a whoami, unusual file creation, and one of them called Agent Tesla; then we have DanaBot, QakBot malware detection alerts. I like the overview and the build of the dashboard in Security, because everything is in one single place, which gives you a really good single pane of glass that you want to use to view all of your alerts and detections, even if you want to look at your cases and your timelines. As you can see, it has your timelines there as well for different dates; you have your alert panel, and this way you can see different colorful graphs for different types of events, and it'll also tell you how many of those events triggered or fired off. Here I do have the endpoint security set up and, I think, the system module, Filebeat.

Before I do that, I'm going to go back to the Elastic... and I need to get to the agent; there, about, Stack Management... sorry, just getting myself around here; I think it's in here, Fleet. Let me go back to Hosts. Okay, I'm gonna start off with Hosts, so we do have... it says a total of three, but this is just my test server and the Windows system; I installed the policy twice but I had to uninstall it as well. You can see that the server is running on Ubuntu 18.04 and I am running a Windows Server 2016. I'm gonna go back to the Detections; I just wanted to verify that my systems are there.

With the detections, Elastic has some detection rules, in the detection rules tab I just clicked on. Here I enabled, I think, over 500-some detection rules, if I'm not mistaken; I think it's about 600 or 500-some detection rules. I enabled all of those detection rules so I can have better coverage for my demo and testing purposes, but I've also created some custom rules just for some file hashes as well. So I'm just waiting for this to load up; it's just going to take a little moment for it to show up; I think it's trying to load all of those rules. There you go; it's showing 538 rules, and I do have the other three, which are the custom ones I created, so I'm gonna click on those. That's one of the things that I like about Elastic: you could create your custom rules. So, for instance, if your company had its own internal incident response team or malware reverse engineering team, for the different types of artifacts or samples that you will collect with your threat hunting or your investigations, you can write custom detection rules for those different types of signatures. It could be a hash, it could be an actual artifact itself, or it could be different types of indicators; you could write those detection rules for it and you can integrate that into your Elastic Security product, and you will be able to use those for future detections.

In this one I had created one that said Agent Tesla. I had downloaded that malware from a website, and I created this rule that if it found, with a custom query, this hash value, it will let me know that it is the actual Agent Tesla. If I was to take this hash and search online, this pulls up, which is where I got the malware sample from; it will show that it's Agent Tesla, and these are all the samples where I downloaded it from, different hash files, and it'll just give you a full analysis. But I also put in there my URL references as well, because you can create your own resource links for your different artifacts to reference different types of integration, whether it is VirusTotal, whether it's your own company page that you want to send it to so that they can have case notes for it. With this one I labeled it as critical and gave it a risk score of 100, and as we see right here I do have a signature that was triggered for it; it was malware intrusion detection from the endpoint module for the security.

If I drill down and click on the event and expand this, now you're looking into the endpoint detection and response feature that is inside of Elastic as well. So if it was a computer that had the endpoint agent installed and a user was in their email, they clicked on a link that took them to a website, they downloaded some file, a PDF file, and it had some malicious code that gave somebody access to their system, that would be their initial access. From whatever that application was, you will see a timeline of those lateral movements from your attacker or bad guy that was in the network, adversary, whatever you may call it; you will see a timeline of those events. This one is my timeline analysis from when I used Internet Explorer to download the malware sample. This is showing you different other network connections you can explore; it'll show up in the left-hand panel and you can click on either one of those to show IP address information. So if there was malicious software that was running on there, you will see that lateral footprint moving around your system, and you could possibly see what other types of systems it may try to infect as well, what type of commands and code it may try to trigger, and you will also be able to see DNS information; you should be able to see IP address information. That's just showing my host IP address information, but I'm trying to see... I think at the top it showed a DNS query for it. But the one thing that's in question is my WinRAR application, which is where I downloaded the sample. If I click on file one, it's gonna show that it's in my Users, test, Documents folder, and then there's a hash pattern, and if I go back... I don't want to cancel that, but if I go back here, the hash value started with a365, and that shows a365. Once I click on that... I did not detonate or execute this malware because it's on my system, but I want to use it more as a detection. The file hash was actually the name of the application, but this is showing you that Elastic will detect those types of malicious software or pieces of malicious code that get executed on that system, and you will have a timeline tree that will be bigger than just an Internet Explorer window; it would be vast, depending on how far the malware was executing and running its code. But you see all types of information from that actual detection, because if I would have set this to prevent, I think it probably would have erased or deleted it, but I just set it to detect. So you get all types of information about the system. Let's see, you get the event information, the event ID, what type it was, created, category, the user, then you get the user ID, and I believe there is a hash value that will be created, and I think that's in the other field, but since this one had the actual name as the hash, it showed up.

I'm going to show you another instance, so I'm going to go back to my Detections, and that's why I like having everything in one single pane of glass, to be able to look at everything, because it gives you a one-stop shop for looking at all of your events. As you can see, I have different types of events that were triggered on the system, where you can see here I was spawning a command prompt. I'm testing Elastic endpoints to see, if anybody that's just a regular user, that's probably finance support personnel, were messing around using command-line tools, that would be something like a red flag that will spawn on that system. If they're using PowerShell or cmd, the command prompt, then you'll think, why are the executives running these commands on their systems? That would kind of red-flag this hostname; this could have been the executive's computer, but why do I have these kinds of command-line tools? I know if it's not information technology or IT support, then something is kind of fishy going on with that system; maybe the executive executed some malware and now it's doing a lot of movement. So you could just see all the types of events that were triggered.

I'm gonna exit out of the full screen and then I'm gonna go to Hosts, which I was just in; that field just gives you a breakdown on the authentication, the failures, unique IP addresses, how many destinations were contacted, how many hosts were actually enrolled with the Fleet Server as well. Let's go to Network, and I think some error messages might pop up, which I'm still trying to work out with the map portion; this is on my side, I'm just working on trying to perfect and make the configuration a little bit better for my current configuration. But you see these are some of the different locations that the Windows server had connected to; North America is heavy, coupled with Asia, and I don't know quite what those points are, but you can see the events, the source IP addresses, destinations. For one demo purpose I'm going to click on this IP address. I had integrated some reputation scores; by default this will come with VirusTotal and Talos integrations, but I added a couple more that give me some different types of information. So if I want to check out an IP address or something, this will pop up as a JSON file that went to another website via an API key, which was a demo account I created, but it'll show all types of information that I want to be able to use for reconnaissance. So if it was a piece of malware that reached out to a destination IP address, I could easily look that up, and you can configure these to different types of reputation sources that you want to use; you probably may have something in-house that you built, or you can reach out to something like VirusTotal and it will go out and give you some reputation information, and see, are those IP addresses malicious? Let me close those.

One of the things I like the most as well is the timelines. I have one that says LokiBot, and in this timeline I have this timeline that's showing me the user, the system, as well as what was detected, the program file, the location path, what application it was using; I think this is going to be a process ID, and it's going to show you via the application name, which apparently was going to be Internet Explorer. This little button right here is Analyze event. If I was to click on Analyze event, it takes me back to that same file and I can click on that and look at this event as I did with the last one, the Agent Tesla I was looking at. I could look at this one for the LokiBot, which is a custom detection rule that I created as well, and I just tied it to the actual hash value of that piece of malware.

I'm gonna go back here; I think I exited out too far. I have a couple of cases as well I put together for the purpose, and a whoami case I have created. When I first built the platform, or built the system, I ran some PowerShell commands, and I'm gonna click on this right here and it's going to give you an overview of the actual built-in detection rule that comes with the Elastic product. It gives you different information: the severity, the MITRE ATT&CK framework that you can use, and it's just going to say System Owner/User Discovery, the rule type, and then if I scroll on down you will see the trend, so how many times the property executed, or it gives you the timeline analysis over different periods of time, over days. I'm going to drill in and click on Analyze event, and this is where you see that timeline again, from Explorer to me launching PowerShell, to spawning the cmd command, then running PowerShell again, and then from PowerShell I ran a whoami command. I went to use the whoami, so it told me the actual name of the system. That's how you could use it, to where if malicious software is running different types of internal commands on the system, you will see that lateral movement across your network.

There's another specific case file I want to look at; let me exit full view, go back to Detections, let me go to case files. Let's see, I think it's going to be anti-malware test file, probably. I think this was just one of those test files I downloaded from online, and let me see if I could find out which one it was. It was just a random test file to test your antivirus product, so let me find out. These are all the events that were correlated with it, so it was like 13 events; I downloaded this file and changed it to different directories. I'm going to try to click on one of these analyze files, and let's see what we have here. This is another one; as you can see, the timeline process with WinRAR, and you see that I had three files, which are all the same thing, once again another malware sample I downloaded, and it detected that as well; Elastic detection rules are really good at detecting different types of malicious software. You can see all of those processes are different timelines in which that potential trigger was detected for that specific piece of malware.

I'm gonna go back to Cases one more time; I think it may be a timeline, so let me go to Timelines. In Timelines you can create a specific timeline to look for different pieces of information you want to look for. In this one I pinned this timeline, in which I was searching for that specific hash file. So if it was a specific file name you were looking for, or a specific ID, you can filter those IDs inside of your queries and you can run those queries, and you can filter that timeline to that specific point, and then you can pull out those artifacts that you were looking at and you can do your reference and check those files out. This is just showing the malware sample that I had downloaded with WinRAR, and it's just showing another one that I created as well, and this is all in that LokiBot timeline, which is tied to that hash file. I don't think I have any pinned items there, but let me go back to Timelines and then I'm going to go to Endpoint, and I think Endpoint is where I have the bulk of all of my detections. Come on, let me go back; okay, cool, there you go, so Endpoint. Well, let me cancel that there; I think I overloaded it. Now, all of this is running on a local computer that I'm using, so let me go back to Timelines and let this load up, and then I'm gonna click on Endpoint. This is just a general filter that I use, which was endpoint, I mean event.module: endpoint, and I have a couple of pinned items. As you can see, this is just one of the ones I had that was doing the DNS query. Let me see, let's check this one out, this one may look interesting; this is just one of them showing the service host, so that was just something that looked weird to me, but it's still all normal information. I'm gonna go back to Pinned; I'm looking for a particular one. Here is a good one: this one I have showing the ping command. I'm waiting for this to load up. When I did my initial build of this, it showed my PowerShell commands, it showed my cmd commands, and you can see where it says PowerShell was the application that was run, but then it also shows ping, and if I scroll down I can see my arguments: I pinged 9.9.9.9 and I did a process argument of -t, which is going to be a continuous ping, so that was a continuous connection to that IP address. If I type in quad9.com, that is where I pinged to; that is actually a DNS privacy company, so that was the actual IP address I pinged from inside of my Windows server, that is right here. So it's really good how the analysis portion will go through and look at the arguments that your applications are being run with. If malicious software was running different types of tools, like I mentioned earlier, you will see those potential arguments that were passed along with it. I think there's something else I wanted to check out; let's see if it's this one... nope, it's not that one; nope, it's not that one either. But you can also see a full network connection as well, from the source to the actual destination, so it's very, you know, intuitive; you can see a lot of details from it.

I'm gonna go back to the Endpoint, and I don't think there's anything else I wanted to look at in there, so I'm gonna go back to Security, and let me go to the policies that were in here and look at the configurations again. Let's go back to the beginning; let's see, where was that at? Add data, Security: it has a lot of integrations that you could put in there, from logs, metrics, security, and the one I was using is supposed to be the Endpoint. It may not be in here; no, I don't see it; I'll have to go look for it here; it may be under Administration. This is a newer version... I think I know what happened: my permissions, that's what happened; I think my permissions changed. There we go, that's what happened; I had some of the permissions messed up, that was my fault. All right, now I should be able to see that; let's go back... there we go.

So, the Elastic Agent: now we're going to look at the policy. This is the Fleet Server, so you can see the integrations, the agent policies, how much data stream the agents are utilizing, and you also can see how many agents you have. I'm gonna click on Integrations and then go to Installed integrations, and this will show you the installed integrations I have set up, which is the Fleet Server, which is in beta testing, but I have the Endpoint Security; the Endpoint Security is the one I had set up that was in the PowerPoint slide. I'm going to Policies, and this is where I have the demo, and I'm going to look at the demo policy, and you see that it has malware protection enabled, protection level set to detect, and I also have it registered as antivirus, so that's really cool. But if you have an advanced license platform, you will be able to get the ransomware integration as well. And the Fleet Server, this was already built into the system, so that's real good; I believe 7.13 integrated this, because this was not in the 7.12.0 version, so I'm really loving the 7.13.1 Elastic version.

You can see the different policies I have set, and when you want to enroll an agent in the policy... I'm going to click on the default policy and I'm just going to click on Add agent. You can enroll in Fleet or you can run it standalone: you can download the application itself and you can run the policy, but I enrolled through Fleet. I have the default policy and you have the default enrollment token, then you could generate a service token for it, and, depending on the platform, if you want to use Linux, if you wanted to use Windows, or if you wanted to use Red Hat or Debian, those policies will change, and you will have a token that you have to run on the system. In my instance I used the actual Windows; I had to go to the download page to download the 7.13.1 Elastic... so now it's two, sorry, so 7.13.2, and you have different options as a Linux Debian file or Linux zip file, Mac, different architectures, 64-bit, or, like in my case, I used the Windows zip file and I just extracted it to the Program Files, and once you do that you have to run PowerShell and stuff like that. But if you want to go to my GitHub repository, it'll just show you how to go through and add those agents; you can run those commands on there and download it and install that agent with that policy right here, and you can install that and you will have your agent installed. I'm gonna go back to my Integrations, no, Agents, and I'm gonna show... just showing you that I downloaded the policy and everything for it, and then you see that I have a healthy agent, and you see all of this activity, where the integration, the Fleet integration, the Windows, the policy, the health status, and all the data streams; talking about that just for one second, it shows you how much data is being utilized with each one of the events. But other than that, I don't think there is anything else, but to see if there is anything on the cases... I don't know how much time I have, but I probably got a couple of minutes.

Yeah, take all the time you need.

Okay, thank you. I'm gonna view all the cases: anti-malware test file, I believe this is the one I was looking at. This was six days ago and this is the timeline for it; let me change my filters to seven days, that should help a whole lot. Yeah, it's just showing all of those general detections, but that's not the one I'm looking for; I think it's another one. Back to Cases, and malware investigation timeline, this is it; I just didn't have it under the right name. I'm gonna scroll down to this, change my timeline to seven days, and I believe it's this one right here... nope, it's not that one; is it this one? Yes, it's this one. Okay, so this will give you a real good look at some data. This is one of the systems that I had run at the beginning, so it has a lot of commands, where you've seen I had notepad.exe run, and Explorer, Task Manager, Internet Explorer, the WinRAR application, the uninstall command, cmd command, ping. This was my whole timeline from when I first started building the server and building the system and installed the agent; you could see the whole timeline. So if this piece of endpoint right here was actually malware, you will see the whole process tree of all of its footprints. You can just picture, if it was really doing something malicious on your system, you will see a lot of activity that you could drill down into and click on and see how many events correlate to that, and look at those different events and say, huh, this got 40-some registries, three files. If I click on the files, I will see that this right here was an MS-17 file, and this is related to one of those EternalBlue exploits from a while back, and it was detected by that, but it just doesn't have the right application extension to show that it's a Python script; that's what the .py is going to represent, a Python script. I just downloaded it because it had the signatures inside of it, so it was detected when I scanned the file. But you could see that WinRAR was heavy; it had a lot of events. I click on that, it had 26, 7, 8, 9... If I click on file, you can see that those are different malware samples that I downloaded, and the endpoint security agent detected those, but you see how Internet Explorer was leveraged as well; it had 50 events, 23 files, and if I click on this, will this yield any results for me? Not much, just something regular, but let me go back and just look at this whole process. This is one thing that I really love about the endpoint security: you will see a whole timeline of all the types of malicious activity that traverse on that system, from ping connections to the fine connections, cmd connections, somewhere the uninstall application was triggered to uninstall an application; I mean, this is like a book, it's telling a story of what's going on on your system. This could be real useful for anybody that was dealing with incident response; they could have a timeline painted for them, and they can go through and map out everything and piece together what really happened on that system, from the initial contact, from what application had probably been used. So it was Explorer, which expanded out to Internet Explorer, which I spawned down to WinRAR, which also spawned out 400-some events, and I got 14 files, and if I click on this one file, it spawned due to a malware sample. So from Explorer to Internet Explorer visiting a website to the application, that could have been an initial point that ransomware, malware samples, trojans, worms could have been introduced into the network or onto that system, and then from there it could have spawned out to do anything else. It could have been cmd commands it could have run, it could have been ping commands it could have run, it could have been anything. Just like you see this little tree branch right here as a network path, you'll see that under that one as well if it was executed from that process; it'll go all the way back to its parent process. So this is really, really good information to have on the endpoint.

The Elastic Agents are still in beta testing, I believe, so they're not really recommended for production, but I'm using it as a test environment, and I do have this set up on my own network, on my own systems, and it's running just fine; I just don't know about a production environment where there's 1500 endpoints. Or if you just want to run this on your servers and have a digital footprint for your critical application, so if they were affected, at least you can know what happened with your servers, from the point that they went to your domain controller and executed some malicious software; now you've got somewhat of a graph of what software was executed on your domain controller, so it could have been a compromised account that did some other stuff. You see Task Manager; I initiated the shutdown command to shut down the system with the flag as unexpected, because this was a Windows server. You can see all of that, from VMware Tools, the connection hosts, Task Manager, like I said as well. This is a real, real good solid program, and this is the heart of it that I really like, especially if you're doing incident response; this would be a forensicator's best tool if they want to use it to do some triage or find out what's going on, especially a SOC analyst. You see PowerShell was used as well; I had a couple of events, network traffic, you can see I went out to github.com, you can see the DNS name, port 53, let's see what else, you can see the host IP address; I mean, you can see a lot, so this is very, very helpful and useful. And there's also, if you click on View details, a little action item will pop up from the right-hand side and show you some table view as well, so you see it as a table view, or if you're just somebody who wants to read JavaScript Object Notation, it has that as well, showing you all the different character sets for that particular event.

Let me try one more thing: Administration. I think it just gives an overview of your policies and your endpoints and the trusted applications you may have, if you wanted to add applications into it. But so far that is it, you know; the Elastic SIEM, Endpoint Security, it's a really, really nice program, application, and I love it a whole lot. I will be using this every day, every chance I get, to do testing and learn more about it and do my threat intelligence and investigation purposes as well, trying out different malware samples and doing my forensic investigation. So it's back to you.

Awesome. Well, Ronnie, this was really great; thank you so much for this thorough demo and thank you for your time and the presentation. Folks, if there aren't any questions, I'll just highlight again that Ronnie's contact information is in the chat, his GitHub profile as well as his Twitter. So yeah, I don't see any questions at the moment, so thank you so much, Ronnie, again, and thank you, everybody, for joining.

Thank you so much. Thanks, Ronnie.

No problem, you're welcome.
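The talk shows three things the Elastic Security UI does for an analyst: a custom detection rule keyed on a file hash (the Agent Tesla rule, severity critical, risk score 100), a built-in rule flagging command-line tools such as cmd and PowerShell where a regular user has no business running them, and the Analyze event view that walks a process back to its parent and shows each process's arguments (the ping -t 9.9.9.9 example). The script below is an added example written for this page; it is not code from the talk, from Ronnie's repository or from Elastic. It runs the same three pieces of logic over a handful of constructed ECS-shaped endpoint events (dotted field names such as file.hash.sha256 and process.parent.pid follow ECS; the hash, hostnames, PIDs and the itadmin/test users are made up), so the ideas can be exercised offline without a stack.

```python
"""Hash-IOC rule, non-IT command-line rule and process-tree reconstruction over
constructed ECS-style endpoint events. Added example, not the talk's own code."""
from collections import defaultdict


def field(doc, path):
    """Read a dotted ECS path such as "process.parent.pid" out of a nested dict."""
    for part in path.split("."):
        if not isinstance(doc, dict) or part not in doc:
            return None
        doc = doc[part]
    return doc


def proc(pid, ppid, name, user, args=None):
    """Build a constructed process-start event shaped like an Elastic Agent endpoint document."""
    return {"event": {"module": "endpoint", "category": "process", "action": "start"},
            "host": {"name": "win2016-demo"}, "user": {"name": user},
            "process": {"pid": pid, "name": name, "args": args or [name], "parent": {"pid": ppid}}}


# Constructed stand-in hash; it is not the hash of any real sample.
AGENT_TESLA_SHA256 = "a365" + ("0123456789abcdef" * 4)[:60]

# Constructed events: Explorer -> IE -> WinRAR drops a file; Explorer -> PowerShell -> cmd -> ping.
SAMPLE_EVENTS = [
    proc(100, 4, "explorer.exe", "test"),
    proc(200, 100, "iexplore.exe", "test"),
    proc(300, 200, "WinRAR.exe", "test"),
    {"event": {"module": "endpoint", "category": "file", "action": "creation"},
     "host": {"name": "win2016-demo"}, "user": {"name": "test"},
     "process": {"pid": 300, "name": "WinRAR.exe"},
     "file": {"path": "C:\\Users\\test\\Documents\\sample.exe",
              "hash": {"sha256": AGENT_TESLA_SHA256}}},
    proc(400, 100, "powershell.exe", "test"),
    proc(500, 400, "cmd.exe", "test"),
    proc(600, 500, "PING.EXE", "test", ["PING.EXE", "-t", "9.9.9.9"]),
    proc(700, 4, "cmd.exe", "itadmin"),   # IT staff in a shell: expected, no alert
]

# Custom hash rule in the spirit of the demo's Agent Tesla rule: critical, risk score 100.
CUSTOM_HASH_RULES = {
    AGENT_TESLA_SHA256: {"name": "Agent Tesla sample (custom hash rule)",
                         "severity": "critical", "risk_score": 100},
}
IT_USERS = {"itadmin"}                      # assumption: accounts allowed to use a shell
CLI_TOOLS = {"cmd.exe", "powershell.exe"}   # the tools the talk calls a red flag


def hash_ioc_alerts(events, rules=CUSTOM_HASH_RULES):
    """Match file.hash.sha256 of every event against the custom hash rules."""
    alerts = []
    for e in events:
        rule = rules.get((field(e, "file.hash.sha256") or "").lower())
        if rule:
            alerts.append({**rule, "host": field(e, "host.name"),
                           "file": field(e, "file.path"), "pid": field(e, "process.pid")})
    return alerts


def cli_by_non_it_alerts(events, it_users=IT_USERS):
    """Flag cmd/PowerShell starts by anyone outside the IT allow-list (47 = Elastic's medium risk score)."""
    return [{"name": "Command-line tool spawned by non-IT user", "severity": "medium",
             "risk_score": 47, "user": field(e, "user.name"),
             "pid": field(e, "process.pid"), "process": field(e, "process.name")}
            for e in events
            if field(e, "event.category") == "process"
            and (field(e, "process.name") or "").lower() in CLI_TOOLS
            and field(e, "user.name") not in it_users]


def _process_index(events):
    """pid -> process-start event; file and network events are not nodes of the tree."""
    return {field(e, "process.pid"): e for e in events if field(e, "event.category") == "process"}


def lineage(events, pid):
    """Follow process.parent.pid back to the root, as Analyze event does; names root-first."""
    index, names = _process_index(events), []
    while pid in index:
        names.append(field(index[pid], "process.name"))
        pid = field(index[pid], "process.parent.pid")
    return list(reversed(names))


def render_tree(events, root_pid):
    """Indented process tree under root_pid, one line per process with its full argument list."""
    index, children, lines = _process_index(events), defaultdict(list), []
    for pid, e in index.items():
        children[field(e, "process.parent.pid")].append(pid)

    def walk(pid, depth):
        lines.append("  " * depth + " ".join(field(index[pid], "process.args")))
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    for alert in hash_ioc_alerts(SAMPLE_EVENTS) + cli_by_non_it_alerts(SAMPLE_EVENTS):
        print(f"[{alert['severity']:8}] {alert['name']}: pid {alert['pid']}")
    print("\n".join(render_tree(SAMPLE_EVENTS, 100)))
    print("lineage of pid 600:", " -> ".join(lineage(SAMPLE_EVENTS, 600)))
```

Only process-category events become nodes, so the WinRAR file-creation event attaches to the tree through its process.pid rather than appearing as its own branch, which matches how the demo's tree hangs files off the process that wrote them. The two rule functions return plain dicts so they can be mapped onto whatever alert schema or case tool is in use.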
Info
Channel: Official Elastic Community
Views: 2,170
Keywords: elastic, elastic stack, elasticsearch, elk, elk stack, elastic security, security, cybersecurity, fleet, fleet agent, elastic fleet agent, endpoint, endpoint security, elastic endpoint security, data, siem, elastic siem, fleet endpoints, fleet server, kibana, kibana dashboard, kibana security dashboard, detection alerts
Id: f1SItUTjuiY
Length: 51min 35sec (3095 seconds)
Published: Tue Jun 15 2021