Just over a year ago, Tripwire developed a security solution to address a fundamental problem that many share: how to protect critical assets against advanced threats and audit and report on security controls for compliance requirements.
These controls range from monitoring and justifying active ports and services, local users and group membership, available network shares, installed software, and more.
In response, Tripwire brought to market the compliance and security solution based on Tripwire Enterprise (TE) that offers customers the ability to immediately report on the status of the security controls, and monitor effectively for any deviations from the authorized policy or standard.
For example, if a new process is introduced on the host, Tripwire Enterprise quickly reports what the new process is, which ports it has opened, when it was installed, and whether it was authorized to be installed.
This new solution provided ways to harvest that state information independently of many of the standard OS commands or approaches for gathering the data. Given this new methodology for harvesting system state information, there is now a great opportunity to couple this solution with our existing Cybercrime Controls rule-sets.
Tripwire’s original Cybercrime Controls are a customized set of content geared toward detecting and preventing host-based breaches. They were originally developed to solve two challenges for our customers:
- Monitor and report the current state of a host in areas indicative of a breached host
- Assess the current state of a host to see if the host’s configuration is out of a secure state
Both are measured against key hardening standards and common breach detection methods. These rules work well in their current form; however, in practice it is not uncommon to see changes that are simply the system moving from one authorized state to another.
For example, it is possible for some authorized service like rpc.mountd to close one ephemeral port only to open another. While this activity is correctly recorded as a change, it offers only forensic value to an organization as no action is required. With this new capability, we effectively authorize certain states or configurations, while alerting on other unauthorized changes.
At the heart of this solution is a whitelisting tool that is used by the Tripwire Enterprise agents to independently gather critical state information, and then optionally compare the results with an authorizing list or whitelist. This whitelisting tool is used in conjunction with the updated Cybercrime rules.
It is important to note that the whitelist functionality described here does not refer to process whitelisting or blocking, instead it refers to the ability to authorize certain components or configuration items, allowing a user to be alerted on deviations. The whitelisting solution collects information about certain configuration items, evaluates whether or not those configuration items are authorized for the environment, and provides an opportunity to report or alert on unauthorized items.
The Cybercrime Controls 2014 with the whitelisting capability can monitor and report unauthorized changes to the following configuration items:
- Anti-virus installation, status, and update currency
- Appinit DLLs
- Auto-Start Services and Enabled Drivers
- Backup Agent installation and status
- Boot-up execution parameters
- Local groups
- Local shares
- Local users
- Network ports and services
- Installed software
- DNS configuration
- File execution options
- Local firewall status and rules
- Logon startup items
- LSA providers
- ARP table entries
- Promiscuous network interfaces and configuration
- Scheduled tasks
- USB storage device insertion and usage
- TCP stack providers and configuration
A good illustration is the Ports and Services monitoring functionality of the solution. As shown below, the monitoring output from the Cybercrime Controls 2014 solution makes it readily apparent which ports are in a “listening” state, the process name using the port, a description of the service, and any user-supplied justification for why that port is used.
However, when we look at the output from a subsequent check, the output shows that there is now an unusual process (as394875_win32.exe), which has opened an unauthorized TCP port (8080) in addition to the System opening port 80 using IIS on the host:
While the 8080 port alone is suspicious, Tripwire Enterprise has been able to inform the security team that the port and/or process is not an authorized configuration for this host’s role, and an incident can be created immediately in order to initiate investigation.
While the same concept is applied to any of the configuration items listed above, observing the creation of an unauthorized local user can be equally troubling:
The whitelists are maintained centrally on the Tripwire Enterprise console, and follow a simple syntax. Configuration items like authorized ports, services, shares, and so on can be configured individually, by system role, and globally. This architecture allows for easy maintenance of multiple whitelist profiles based on role, location, and/or installed services.
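To make the comparison concrete, here is an added example (not Tripwire's code, and not its whitelist syntax) that models the layered whitelist described above and evaluates a constructed ports-and-services snapshot against it. The `Listener` record, the global/role/host layering and the sample hosts, roles and processes are all assumptions for this illustration; the scenario follows the text, with IIS on port 80 authorized for a web-role host, the unknown process on port 8080 flagged, and an rpc.mountd port move on an NFS host treated as an authorized state.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Listener:
    """One listening socket: protocol, port and owning process image."""
    proto: str
    port: Optional[int]  # None in a whitelist entry means "any port"
    process: str

# Hypothetical layered whitelist (not Tripwire's syntax): global entries apply
# to every node, role entries to nodes carrying that role, host entries to one node.
WHITELIST = {
    "global": {Listener("tcp", 22, "sshd"), Listener("tcp", 3389, "svchost.exe")},
    "role": {
        "web": {Listener("tcp", 80, "System"), Listener("tcp", 443, "System")},
        # rpc.mountd legitimately moves between ephemeral ports, so the entry
        # authorizes the process on any port instead of recording each move.
        "nfs": {Listener("tcp", None, "rpc.mountd")},
    },
    "host": {"web-01": {Listener("tcp", 8443, "tomcat.exe")}},
}

def authorized_for(host, roles, wl=WHITELIST):
    """Merge the global, role and host-specific layers for one node."""
    allowed = set(wl["global"])
    for role in roles:
        allowed |= wl["role"].get(role, set())
    allowed |= wl["host"].get(host, set())
    return allowed

def matches(entry, obs):
    """A whitelist entry covers an observation if protocol and process agree
    and the entry's port is either unspecified or identical."""
    return (entry.proto == obs.proto and entry.process == obs.process
            and entry.port in (None, obs.port))

def unauthorized(observed, host, roles, wl=WHITELIST):
    """Observed listeners for which no applicable whitelist entry matches."""
    allowed = authorized_for(host, roles, wl)
    return sorted((o for o in observed if not any(matches(e, o) for e in allowed)),
                  key=lambda o: (o.proto, o.port))

# Constructed snapshots: the web host mirrors the text (IIS on 80 expected,
# unknown process on 8080 not); on the NFS host rpc.mountd has simply moved port.
WEB_SNAPSHOT = [Listener("tcp", 80, "System"), Listener("tcp", 3389, "svchost.exe"),
                Listener("tcp", 8080, "as394875_win32.exe")]
NFS_SNAPSHOT = [Listener("tcp", 22, "sshd"), Listener("tcp", 41273, "rpc.mountd")]

if __name__ == "__main__":
    for host, roles, snap in (("web-01", ["web"], WEB_SNAPSHOT), ("nfs-01", ["nfs"], NFS_SNAPSHOT)):
        for o in unauthorized(snap, host, roles):
            print(f"{host}: UNAUTHORIZED {o.proto}/{o.port} owned by {o.process}")
```

Removing the `web` role from `web-01` also flags port 80, which is the role-based behaviour the text describes: the same listener is authorized on one role and a deviation on another.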
Alerting and reporting on unauthorized changes is great, but using change information in a proactive manner is even more valuable to the security team as they can use Tripwire Enterprise to verify that the systems are hardened in an appropriate configuration to reduce or eliminate the unauthorized changes that can be made.
The Cybercrime Controls 2014 solution does not fall short in assessment. It provides a comprehensive view into the current hardening practices established and offers in-depth outlines of where improvements can be made:
Tripwire Enterprise provides very detailed reports on remediation steps required to further harden the systems in scope, as well as management views into the current status of the system’s security and configuration:
When you consider the prospect of monitoring retail POS registers and store servers, critical real-time systems, and ATM devices where the system was either built from an image or certified build standard, the value of this form of monitoring becomes clear.
Reacting to every change is a futile process, as some variation is expected depending on the role of the node and the need to keep each node unique; however, being able to define the authorized state and react to deviations from that state makes this a compelling solution for any security team.
If you are interested in the Tripwire Cybercrime Controls 2014 solution, please contact your regional account manager or Tripwire Support for more information.