EUC: Advanced Integrations PSO Session 2020, Day 4: Carbon Black Threat Remediation with Intelligence

Carbon Black Threat Remediation with Intelligence

This lab is for understanding the integration between Workspace ONE Intelligence and VMware Carbon Black Cloud. You will be required to do a little pre-work to set up the requirements for the integration. Once that is done you will enroll a virtual machine into Workspace ONE UEM, push out the Carbon Black sensor installer and connect it to the correct org, and see Carbon Black enforce a blocklist policy on that machine. We will look at how a threat, with its various severities, is detected by the policies we create inside Carbon Black.

Next we will see how Workspace ONE Intelligence ingests this information and takes action to remediate the issue on that device.

There are four parts to this Lab

1. Setup CarbonBlack tenant

2. WorkspaceOne UEM & Carbon Black Sensor Integration

3. Intelligence API integration & Automation

4. Carbon Black Incident & Intelligence Automation

NOTE: In this lab, each screenshot precedes its instructions.

Part 1: Setup Carbon Black Tenant

  1. Open your inbox and check for an e-mail from [email protected], sent to the address you used to sign up for this course.

Click Confirm my Account in the link in the e-mail.

NOTE: If you have not received this email, please notify the instructor.

  2. You will be redirected to the create password page. Set the new password to: VMware1!
    1. Now click Accept at the bottom of the page.
    2. Click Back to Sign in on the next page.
  3. You can now sign in using your e-mail address and the password VMware1!
    1. Click Sign In
    2. Click I accept on the End User Agreement page.
  4. You have now successfully logged into the Carbon Black Cloud portal.
  5. Now switch to the ControlCenter2 machine in your lab environment, open Firefox and browse to https://defense-prod05.conferdeploy.net

Use the credentials created above to authenticate as administrator.

  6. Download the sensor kit
    1. In the Carbon Black console navigate to ENDPOINTS in the left navigation pane
    2. Click Sensor Options
    3. From the dropdown, click Download sensor kits

 NOTE: If you do not see the options in the left pane, reduce the page zoom from the menu at the top right by clicking the minus sign.

  7. Select 10/8/7 & Server 2008/2012/2016 (64-bit) on the Download Sensor Kits page. (NOTE: This is the Windows sensor)
  8. Click Save File to confirm the download. (This saves the sensor MSI to the Downloads folder.)

 

If you do not see Save File as shown above, go back to the Carbon Black Cloud admin console, right-click 10/8/7 & Server 2008/2012/2016 (64-bit), click Save Link As... and then click Save.

This concludes the setup lab; you may proceed to the next section.

Part 2: WorkspaceOne UEM & Carbon Black Sensor Integration

In this lab we will create a software distribution package to install Carbon Black Sensor silently (unattended) using WorkspaceONE UEM.

The lab parts are as follows:

2.1: Create Carbon Black Sensor installation package through WorkspaceONE UEM

2.2: Change Windows 10 Name and IP Address

2.3: Observe Device behaviour in Carbon Black console

2.1: Create Carbon Black Sensor installation package through WorkspaceONE UEM

  1. On ControlCenter2 open a new tab in Google Chrome and navigate to your Workspace ONE UEM console ( https://dw-livefire.awmdm.com )
  2. Navigate to Apps & Books > Applications > Native and click ADD APPLICATION
  3. Click Upload
    1. Click Choose File; in the window that opens, navigate to the Downloads folder in the left navigation bar.
    2. Select the installer...msi you downloaded in the previous lab (the Carbon Black sensor) and click Open.
    3. Click SAVE on the Add page; this uploads the application.
  4. Click CONTINUE to confirm the application file and that it is not a dependency
    a. On the Details tab change the Supported Processor Architecture to 64-bit
    b. On the Deployment Options tab paste the install command below into the Install Command field, replacing the command already in that field. Make sure the file name matches the sensor version you downloaded.

msiexec /q /i "installer_vista_win7_win8-64-3.6.0.1791.msi" /L*vx Log.txt COMPANY_CODE=S17NA79RWX!K8OJLXA3

NOTE: If you are typing in the COMPANY_CODE, the 8 is followed by the letter 'O', not a zero (a common mistake).

    c. Change Device Restart to DO NOT RESTART
    d. Click SAVE & ASSIGN

 

NOTE: The company code determines which Carbon Black Cloud org the sensor registers with, and it can be retrieved from the Carbon Black admin console. In an environment where you have Super Admin rights, you can verify the company code by navigating to ENDPOINTS > SENSOR OPTIONS > COMPANY CODES in the Carbon Black portal. In this lab environment you only have read-only access, so that option is not available. Treat the code as a credential: anyone who has it can register sensors into your org, so keep it out of tickets, chat and world-readable install logs.

  5. On the Update Assignment page click ADD ASSIGNMENT
    1. Select your organisation group, symbolized by the world icon, in the Select Assignment Groups field
    2. Change the App Delivery Method to AUTO
    3. Click ADD at the bottom of the page
  6. On the next page click SAVE AND PUBLISH
    1. On the final page click PUBLISH

The CB sensor package will be published to any Windows devices enrolled into this UEM organisation group.
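The command above is what UEM hands to msiexec on each device. The following is an added example, not part of the original lab and not VMware's code: the same silent install wrapped in a PowerShell script you can run from an elevated prompt on one endpoint to prove the command and company code before relying on the UEM push. The MSI location in the Downloads folder, the log path under ProgramData, the sensor service name CbDefense and the company code placeholder are assumptions; substitute your own company code.

```powershell
# Added example (not part of the original lab): unattended Carbon Black Cloud
# sensor install with post-install verification. Run as Administrator.
# Paths, log location and the service name are assumptions, labelled below;
# the company code is a placeholder - substitute your own.
param(
    # Assumed: the MSI sits in the current user's Downloads folder
    [string]$MsiPath     = "$env:USERPROFILE\Downloads\installer_vista_win7_win8-64-3.6.0.1791.msi",
    # Placeholder: never hard-code a real company code in a shared script
    [string]$CompanyCode = 'REPLACE_WITH_COMPANY_CODE',
    # Absolute log path: msiexec's /L*vx resolves a relative name against the
    # working directory, which is unpredictable when UEM runs the command as SYSTEM
    [string]$LogPath     = "$env:ProgramData\CbDefenseInstall.log"
)

if (-not (Test-Path $MsiPath)) { throw "Sensor MSI not found: $MsiPath" }

# Same switches as the lab's install command, with quoted absolute paths
$msiArgs = @(
    '/q', '/i', "`"$MsiPath`"",
    '/L*vx', "`"$LogPath`"",
    "COMPANY_CODE=$CompanyCode"
)
$proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru

# 0 = success, 3010 = success with a reboot pending (we told UEM DO NOT RESTART)
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec failed with exit code $($proc.ExitCode); see $LogPath"
}

# Assumed service name for the CBC Windows sensor; a wrong company code
# typically leaves the package installed but the sensor unable to register
$svc = Get-Service -Name 'CbDefense' -ErrorAction SilentlyContinue
if (-not $svc -or $svc.Status -ne 'Running') {
    throw 'Sensor service not running; check the install log and the company code'
}

# A verbose MSI log records property values, COMPANY_CODE included, so
# restrict the log to administrators and SYSTEM instead of leaving it readable
$acl = Get-Acl -Path $LogPath
$acl.SetAccessRuleProtection($true, $false)   # drop inherited ACEs
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $LogPath -AclObject $acl

"Sensor installed (exit code $($proc.ExitCode)); service '$($svc.Name)' is $($svc.Status)."
```

If the script throws at the service check, open the log and look for the COMPANY_CODE property and the registration step before touching the UEM assignment; the most common cause in this lab is the O/0 mix-up called out above.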

2.2: Change Windows 10 Name and IP Address

In order to uniquely identify your VM in the Carbon Black Console we will need to assign the VM a new hostname and new IP address. At this point you will need the number assigned to you by the instructor.

If the assigned name is AttendeeXXX (example: Attendee102)

The new hostname of the virtual machine will be attendeeXXX.euc-livefire.com

(example: attendee102.euc-livefire.com)

The new IP address of the virtual Machine will be 192.168.110.XXX - example: 192.168.110.102

 

  1. On the ControlCenter2 desktop open the Remote Desktops folder and double click W10Client01.RDP
    1. Type the password VMware1! when prompted and click OK

 

NOTE: If you get an error because another user is logged in, use the left navigation panel to access the W10Client02 virtual machine instead. The steps below refer to W10Client02; substitute W10Client01 if that is the VM you connected to.

  2. On the W10Client02 VM right click the Windows icon and click System
  3. On the About page in Settings click Rename this PC
  4. Change the computer name to the unique identifier given by the instructor, for example Attendee102
    1. Click Next

ATTENTION: At this point do not restart your VM.

  5. Click the Network icon in the task tray at the bottom right.
    1. Click Network & Internet settings in the pop-up window
  6. On the Settings page click Change connection properties.
  7. Scroll down to IP settings and click Edit to change the IPv4 address.
  8. In Edit IP settings,
    1. change the IP address to 192.168.110.XXX; for example, if your assignment is Attendee101 the IP should end in 101.
    2. Click Save. You will be disconnected from the remote session, because the address your RDP client is connected to no longer exists.
  9. Navigate back to the Remote Desktops folder on the desktop of the ControlCenter2 VM
    1. Right-click W10Client02.RDP and click Edit

 

  10. Change the Computer name in the RDP connection to your unique IP address 192.168.110.xxx (example 192.168.110.102)
    1. Click Connect

NOTE: The disconnect was caused by the IP change alone; the hostname change still needs a reboot to take effect.

  11. Once connected again, right click Start > Shut down or sign out > Restart. After the reboot the hostname will be AttendeeXXX.euc-livefire.com
  12. Go back to the Remote Desktops folder on the desktop and edit W10Client02.RDP again.
    1. Change the Computer name to the new hostname you assigned the VM (example: attendee102.euc-livefire.com)
    2. Click Save and then Connect, and confirm that RDP from ControlCenter2 to AttendeeXXX.euc-livefire.com works. If the new name does not resolve yet, connect by IP and retry once the VM has registered its DNS record.
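The same rename and re-addressing can be done without the Settings UI. The following is an added example, not part of the original lab: run it from an elevated PowerShell session on the Windows 10 VM. It performs the hostname change without restarting, swaps the adapter to the static 192.168.110.XXX address, and reads back the pending hostname so you can confirm both before the reboot. The lab does not state the gateway, DNS server or prefix length, so the defaults for those are assumptions; adjust them to your environment.

```powershell
# Added example (not part of the original lab): section 2.2 from PowerShell.
# Run elevated on the Windows 10 VM. Gateway, DNS and prefix length are
# assumptions; the lab only fixes the 192.168.110.XXX address.
param(
    [Parameter(Mandatory)][ValidatePattern('^Attendee\d{3}$')]
    [string]$Attendee,                        # e.g. Attendee102
    [string]$Gateway      = '192.168.110.1',  # assumed
    [string]$DnsServer    = '192.168.110.10', # assumed
    [int]   $PrefixLength = 24                # assumed /24
)

# Derive the address from the attendee number, as the lab instructs
$lastOctet = [int]($Attendee -replace '^Attendee', '')
$newIp     = "192.168.110.$lastOctet"

# Pick the single connected adapter; refuse to guess if there are several
$adapter = @(Get-NetAdapter | Where-Object Status -eq 'Up')
if ($adapter.Count -ne 1) { throw "Expected exactly one adapter that is Up, found $($adapter.Count)" }
$ifIndex = $adapter[0].ifIndex

# Rename first, but do NOT restart yet; the lab restarts after the IP change
Rename-Computer -NewName $Attendee -Force -ErrorAction Stop

# Switch to a static address. This drops any RDP session on the old address,
# exactly as the Settings UI path does, so reconnect to $newIp afterwards.
Set-NetIPInterface -InterfaceIndex $ifIndex -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $ifIndex -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $newIp -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $DnsServer

# Verify before rebooting. ComputerName\ComputerName holds the name that takes
# effect at next boot; ActiveComputerName still shows the old one until then.
$pending = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
$active  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
$ipv4    = (Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4).IPAddress
"Active hostname: $active; pending hostname: $pending; IPv4: $ipv4"

# Restart-Computer -Force   # uncomment once you have reconnected over $newIp
```

Because the address changes before the name does, the sensor that UEM installs later will register under whichever hostname is active at that moment; reboot before section 2.3 so the device shows up in the Carbon Black console under AttendeeXXX rather than the old name.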

2.3: Observe device behaviour in Carbon Black

Workspace ONE UEM will push the Carbon Black MSI package and install the sensor with the correct company code.

Note: This may take up to 5 minutes. Take a break! 

  1. On the ControlCenter2 machine,
    1. sign in to dw-livefire.awmdm.com if you are not already signed into the UEM console, navigate to Devices > List View, select your device and open the Apps tab.
    2. Make sure Carbon Black Cloud Sensor 64-bit has a green check mark next to it.

If you see the status as Failed or Not Installed, retrace your steps and double check the MSI install command from the previous chapter.

  2. On ControlCenter2 open the Carbon Black Cloud console.
    1. Open a browser and navigate to https://defense-prod05.conferdeploy.net/
    2. Sign in with your e-mail address and the password set in the previous exercise.
  3. In the Carbon Black Cloud console navigate to ENDPOINTS in the left hand navigation and find your device by the computer name you set (i.e. AttendeeXXX).
    1. Click the check box next to the Status
    2. Click Take Action and click Change policy
  4. Select Zero Trust LiveFire from the dropdown and click Change. (NOTE: Ensure the selection is set to 'Update the 1 selected devices'.)
  5. This changes the endpoint policy to Zero Trust LiveFire. Let's look at what exactly this policy enforces on our endpoints.
  6. From the left navigation panel, navigate to ENFORCE > Policies
  7. Under the list of available policies, click Zero Trust LiveFire Policy.
  8. Click the Prevention tab.

You will see Permissions, Blocking and Isolation, and Uploads rules that configure how the sensor controls our endpoints.

  9. Under Permissions, notice that the application C:\Program Files\dfndr.exe is set to bypass for any operation. (Expand Permissions by clicking the + sign.)

This is an example of an internal application that needs to be excluded from all sensor actions. Treat bypass entries with care: if an attacker can replace or plant a binary at a bypassed path, it runs unmonitored.

  10. Next, under Blocking and Isolation,

Notice that it lists the processes, the operation attempted and the action the policy takes to prevent the attack. In our policy example, NOTEPAD++.exe and Powershell.exe have been added as blocklisted applications that we want to TERMINATE if they are running or attempt to run.

In our lab environment you only have read-only access and so cannot change the policy. In the real world you can choose a Deny operation or a Terminate operation depending on the use case.

You have successfully completed this section. Please proceed to the next section.

Part 3. Intelligence API integration & Automation

In this lab you will create the integration between Carbon Black Cloud and WorkspaceONE Intelligence.

3.1: Create API Key & SIEM Notifications

3.2: Create Carbon Black & UEM Connectors

3.3: Create Dashboard and Widget

3.4: Create Automation

3.1: Create API Key & SIEM Notifications

  1. Add an API key
    1. Navigate to Settings > API Keys (API Access) in the left hand navigation pane.
    2. Click Add API Key at the top right
  2. Enter the following information,
    1. Name the API key with your unique attendee identifier. EXAMPLE: Attendee101
    2. Select SIEM as the Access Level Type
    3. Click Save at the bottom of the window.
  3. You will now be shown the API credentials.
    1. Copy both the API ID and the API Secret Key to Notepad.
    2. Close the API Credentials window by clicking X

NOTE: We will use these values later for the integration with Workspace ONE Intelligence. Anyone holding the ID/secret pair can read your org's security notifications, so do not leave it in a shared file once the connector is authorized.

  4. In the left hand navigation panel,
    1. navigate to Settings > Notifications
    2. Click + Add Notification
  5. Enter the following information,
    1. Give the notification policy your unique identifier as a name, for example: Attendee101
    2. Check the Threat and Observed boxes and lower the alert severity to 1
    3. At the bottom, under API Keys, select the SIEM API key you just created. It should be your unique identifier. (example: Attendee101)
    4. Click Add to create the notification endpoint

3.2: Create Carbon Black Connector & UEM Connector

To send alerts received in the Carbon Black portal to Intelligence, we add a Carbon Black connector in Intelligence. This requires both a Carbon Black API key (API access level) and a SIEM key. The Security Information and Event Management (SIEM) API lets you capture security events generated on the Carbon Black platform in your Intelligence console.

  1. Open the Workspace ONE UEM console,
    1. Open the Chrome browser on the ControlCenter2 VM and navigate to https://cn-livefire.awmdm.com (if not already open)
    2. Sign in using your admin credentials (the e-mail used to attend the course)
    3. In the top right corner click the 3x3 grid of squares and click Workspace ONE Intelligence
  2. On the landing page for Workspace ONE Intelligence click Settings > Integrations
  3. Click SET UP on the Carbon Black connector
  4. Expand the Provide Credentials dropdown and fill in the following information

Base URL: https://api-prod05.conferdeploy.net

API Key: ULRWHUK27YECTWV5497WVGS6

SIEM Key: paste the API Secret Key you saved to Notepad (from the SIEM API key you created in the Carbon Black console).

API Connector ID: EMDZ52ZLL3

SIEM Connector ID: paste the API ID you saved to Notepad (from the same SIEM API key).

NOTE: Intelligence's "Key" fields take the Carbon Black API Secret Key and its "Connector ID" fields take the Carbon Black API ID. The API Key and API Connector ID above are provided for this lab; only the SIEM pair is the one you created.

Click AUTHORIZE to authorize the Carbon Black connector
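What the connector does behind AUTHORIZE is poll the Carbon Black notifications endpoint with the SIEM pair from 3.1 and filter on severity, the same gate the widget and automation later apply. The following is an added example, not part of the original lab and not the Intelligence connector's own code, that performs that poll from ControlCenter2 so you can see what Intelligence is receiving. It assumes the Carbon Black Cloud SIEM notification endpoint /integrationServices/v3/notification with the X-Auth-Token header; the placeholder credentials must be replaced with your SIEM pair, and the notification payload under -DryRun is constructed for an offline run, shaped like a CBC threat notification rather than captured from the lab.

```powershell
# Added example (not part of the original lab, not Intelligence's connector code):
# poll Carbon Black Cloud notifications with a SIEM API key and apply a
# severity gate. Endpoint/header format assumed from the CBC Notifications API;
# the -DryRun payload is constructed, not a real capture.
param(
    [string]$BaseUrl   = 'https://api-prod05.conferdeploy.net',
    [string]$ApiId     = 'REPLACE_WITH_API_ID',          # "SIEM Connector ID" in Intelligence
    [string]$ApiSecret = 'REPLACE_WITH_API_SECRET_KEY',  # "SIEM Key" in Intelligence
    [int]   $MinScore  = 3,   # the lab's notification policy was lowered to 1
    [switch]$DryRun
)

# CBC authenticates with X-Auth-Token: "<API Secret Key>/<API ID>"; the
# notifications endpoint only accepts keys whose access level type is SIEM.
$headers = @{ 'X-Auth-Token' = "$ApiSecret/$ApiId" }
$uri     = "$BaseUrl/integrationServices/v3/notification"

if ($DryRun) {
    # Constructed sample: one THREAT above the gate, one observation below it
    $resp = @'
{ "success": true, "notifications": [
  { "type": "THREAT", "eventTime": 1583841600000,
    "threatInfo": { "score": 3, "summary": "The application notepad++.exe was blocked by policy" },
    "deviceInfo": { "deviceName": "ATTENDEE102", "email": "attendee102@example.com",
                    "externalIpAddress": "203.0.113.10", "deviceId": 12345678 } },
  { "type": "POLICY_ACTION", "eventTime": 1583841660000,
    "threatInfo": { "score": 1, "summary": "Low-severity observation" },
    "deviceInfo": { "deviceName": "ATTENDEE101", "email": "attendee101@example.com",
                    "externalIpAddress": "203.0.113.11", "deviceId": 12345679 } } ] }
'@ | ConvertFrom-Json
} else {
    # Each poll returns only notifications not yet delivered to THIS key, so do
    # not share one SIEM key between a script and the Intelligence connector:
    # whichever polls first consumes the event and the other never sees it.
    $resp = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers -ErrorAction Stop
}

# Same gate as the lab's widget and automation: act on threats at or above $MinScore
$hits = $resp.notifications | Where-Object { $_.type -eq 'THREAT' -and $_.threatInfo.score -ge $MinScore }
foreach ($n in $hits) {
    [pscustomobject]@{
        Device   = $n.deviceInfo.deviceName
        DeviceId = $n.deviceInfo.deviceId
        User     = $n.deviceInfo.email
        ExtIP    = $n.deviceInfo.externalIpAddress
        Severity = $n.threatInfo.score
        When     = [DateTimeOffset]::FromUnixTimeMilliseconds($n.eventTime).UtcDateTime
        Summary  = $n.threatInfo.summary
        Action   = 'Tag device Quarantine in UEM and notify admin'  # what the Intelligence automation does
    }
}
```

Run it with -DryRun first; only the ATTENDEE102 row should come out, which is exactly the row the Medium-severity widget in 3.3 would display. Once the connector is authorized, do not run it against the live endpoint with the same SIEM key, or Intelligence will miss the events this script consumes; create a second SIEM key for ad-hoc polling.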

3.3: Create Dashboard & Widget

We will now create a Dashboard and a Widget for Carbon Black

  1. In the Workspace ONE Intelligence console navigate to Dashboards > My Dashboards
    1. Click ADD DASHBOARD
  2. Name the dashboard Carbon Black and click SAVE
  3. Click ADD WIDGET
  4. In the first "Add Widget" screen select Custom Widget and click START
    1. From Select widget template choose Carbon Black > Carbon Black Threats
  5. In the Add Widget screen,
    1. Set a name for the widget such as Low & Medium Severity
    2. Under Data Visualization > Chart Type select TABLE.
    3. Fill in the following fields:

Measure: Count of Carbon Black Device ID (choose from the dropdown)

Group by: Carbon Black Device Email, Carbon Black External IP Address, Carbon Black Incident ID (click ADD SUBGROUP and then choose from the dropdown)

Note: These are only suggestions; any attribute coming from Carbon Black can be selected for display.

  6. Under Filter,

In the first field select Threat > Threat Attribute > Threat Severity

In the second dropdown set Equals

In the third dropdown type Medium and hit ENTER.

Click SAVE at the bottom of the page.

You will have to click SAVE on My Dashboards (top right) again for the widget to show up in your dashboard.

NOTE: If you do not see Medium in the dropdown, Intelligence has not yet received any Medium alerts from the Carbon Black portal. Simply type Medium and hit ENTER.

3.4: Create Automation

We will now create an automation from the widget we have just created.

 

  1. In the Carbon Black dashboard, find the widget you just created and select the more options icon (three horizontal dots).
    1. Then click Automate

NOTE: If you don't see the three dots, you may not have saved the dashboard at the top of the page

  2. Give the automation the title: Tag Malware Device & Notify Admin

 

  3. Scroll down to the Action (Then) section
    1. Click the + icon
    2. Click Workspace ONE UEM in Available Connectors
    3. Click Add Tag to Device
  4. Type 10003 as the Tag. In this lab 10003 is the UEM tag ID of the "Quarantine" tag; the action takes the tag ID, not the tag name.
  5. Add a second action for e-mail and customize it using the following information,

To Address: your e-mail address

Subject: Malware detected

Message: (USE THE LOOKUP OPTION TO POPULATE THE INFORMATION BELOW, OR TYPE IT IN MANUALLY)

DEVICE ID - ${deviceinfo_uemid}

DEVICE NAME - ${deviceinfo_devicename}

Threat - ${_threat_family}

Threat Severity - ${_threat_severity}

Threat Time - ${eventtime}

Platform - ${_device_platform}

  6. Enable the automation
    1. and click SAVE at the bottom right corner.
  7. In the pop-up window click SAVE & ENABLE

Your automation should now be live. Let's trigger an event on your device to see this take effect.

Part 4. Carbon Black Incident & Intelligence Automation

You are now ready to demo threat remediation using Workspace ONE Intelligence and Carbon Black. This section has two parts:

4.1: Incident

4.2: Alert & Automation

4.1: Incident

We will now create an incident. As we don't have the means to infect this vm with malware we will use Notepad++ as an example of a malicious application.

  1. On ControlCenter2 open the Remote Desktops folder and connect to your W10Client02 virtual machine using its new hostname.
  2. On the Start menu, search for PowerShell and double click Windows PowerShell to open it. Note how the sensor responds, since Powershell.exe is in the policy's Blocking and Isolation list.

 

  3. On your Windows desktop
    • Select Start > Run
    • Enter the following UNC path: \\cs1-pd1\software\Applications\Lab3.2_Only(App Volumes)\notepad
    • Copy the Notepad++ MSI to your desktop
    • Attempt to execute the MSI.
      • Notice that the installation of Notepad++ is blocked
      • Note that this is not a standard Notepad++ MSI package but a ThinApp package that offers application isolation; even so, the sensor is able to block the installation and execution on the device.
    • Rename the MSI and execute it again; see what happens. This tells you whether the rule is matching on the file name or on what the file actually is.

 

4.2: Alert & Automation

  1. Log into the Carbon Black Cloud admin console
    1. Navigate to Alerts in the left menu bar.
    2. Under the FILTERS menu, expand DEVICE and select your endpoint, i.e. AttendeeXXX.
    3. Observe the alert: its policy action is Deny and its alert severity is 3.

NOTE: Ensure GROUP ALERTS is set to OFF; otherwise you will not see the alert for your specific endpoint.

  2. Switch to the Workspace ONE Intelligence console. If you are not logged in, or have been signed out, log in to cn-livefire.awmdm.com with your admin credentials.
    1. Navigate to Monitoring > Intelligence.
    2. Click Launch.
  3. In the Workspace ONE Intelligence console,
    1. click Automations
    2. then click VIEW on your Carbon Black automation
    3. then open the Activity tab; you should see the events, the tag being assigned and the e-mail being sent to the admin.
  4. In the Workspace ONE UEM console,
    1. navigate to Devices > List View
    2. You will notice the enrolled device now has the QUARANTINE tag assigned to it
  5. Now check your e-mail and notice you have a message from AirWatch with the information for the device that was compromised.

This ends the lab for Carbon Black Integration with WorkspaceONE Intelligence.
