Version 8.1
New features
- Show Message-ID header in email details
- Expose intrusions to all enterprise customers
- Life-cycle support for intrusions
- Add timeline view to intrusion details to display timeline of infections on hosts involved in the intrusion
- Logging improvements to sensor-generated email logs
- Intrusion correlation rule linking malicious attachments to network detection
- Notifications for intrusions
- Promote unusual INFO events to detection events
- Intrusion correlation rule for detecting lateral movement
- Disable SHA-1 for SSH daemon appliances
- Mail API for 3rd Party Integration
- Use the local threat intelligence cache to rate-limit data to upload
- Support for changing FQDN of an installed appliance
- Configuring pop3/imap polling interval via web UI
- Support exporting of historical data in Excel-friendly format
Show Message-ID header in email details
Portal UI now shows the Message-ID header in emails listing.
This change was tracked internally as USER-2145
Expose intrusions to all enterprise customers
Intrusions tab is now accessible to all the enterprise users. Security Analysts typically have to triage multiple events and incidents that in some cases are part of the same threat and attack. Lastline has innovated to provide a "connect the dots" functionality called Intrusions that intelligently combines several events and incidents across one or multiple hosts that represent the same threat and require a coordinated response. The new easy to navigate interface provides a graph of the attack that shows the relationships between internal and external hosts and the attack method/malware used. Intrusions provides the benefit of reduced time to remediation, higher fidelity alerts, and ultimately reduced risk by connecting the dots.
This change was tracked internally as FEAT-3114
Life-cycle support for intrusions
To support the workflow of analysts who need to triage and respond to intrusions in their network, the intrusions functionality of the Lastline Portal has been extended with support for life-cycle actions. Specifically, analysts will be able to:
- assign an intrusion to a specific analyst, or unassign it
- change the state of the intrusion. New intrusions start in "Open" state, and can be moved to "In Progress" when an analyst is working on the issue, and to "Done" when work is completed.
- filter the intrusions listing view by status or assignee
A new permission "can be workflow assignee" has been introduced, to control which portal users can be assigned intrusions. As with the other permissions, administrators automatically have this permission, and are able to grant it to other accounts.
Intrusions in the "Done" state will be automatically re-opened and transitioned to the "updated" state if the intrusion is updated with significant new information, such as a new detection.
This change was tracked internally as FEAT-3113
Add timeline view to intrusion details to display timeline of infections on hosts involved in the intrusion
In portal UI, a new tab "Timeline" is introduced on the Intrusions detail page. This tab uses a card-based timeline widget to show which host was infected by which malware and when.
Clicking on the individual card shows a full-page summary of the malware and host involved, and displays the available evidence that the host is indeed affected by that malware.
This change was tracked internally as FEAT-3095
Logging improvements to sensor-generated email logs
More information is provided in the email logs generated by the sensor and optionally streamed via syslog. The newly generated information contains more email headers, parsed "Received" headers and information on the prefiltering decision performed on each detected URL.
This change was tracked internally as FEAT-3046
Intrusion correlation rule linking malicious attachments to network detection
An intrusion correlation rule was introduced that can associate a mail containing a malicious attachment with network traffic detected after that mail that matches network Indicators of Compromise for the attachment. That is, we link the attachment with network behavior consistent with what we would expect from a host where the malicious attachment is opened.
This change was tracked internally as FEAT-3022
Notifications for intrusions
Syslog (SIEM) notifications, generic HTTP notifications, streaming notifications, and email notifications now also support notification for events related to intrusions.
Specifically, a notification is generated:
- when a new intrusion object is created by the correlation logic
- when an intrusion object is updated, such as when a new host or malware is detected to be part of the intrusion
The notification messages include a link for viewing the full details of the intrusion in the Lastline portal, as well as some summary information about the intrusion.
Note that existing notification configurations are not being automatically updated to include this new type of message. If you have an existing notification configuration, you will have to enable intrusion event triggers in your configurations to start receiving these messages.
The syslog notification format version that includes these new messages is version 8.1. The formats of intrusion event syslog, HTTP, and streaming API messages are described in the integration guides available on the manuals page.
This change was tracked internally as FEAT-3002
Promote unusual INFO events to detection events
Lastline detects a number of activities in a protected network that may be interesting to an analyst, but are not per-se malicious. These detections generate "INFO" events, which can be viewed in the Lastline Portal Network Events view by setting an appropriate value of the "event outcome" filter.
A challenge with these detections is that the same "INFO" event activity may be completely normal or highly suspicious, depending on the network in which it is detected. As an example, use of the remote desktop protocol (RDP) may be normal in an environment where this protocol is used for legitimate administrative purposes, but can otherwise be a highly suspicious indication that an attacker may be attempting to remote-control a victim host.
With this release, we introduce anomaly detection functionality that is able to detect when certain kinds of INFO detections are unusual for the monitored network and for the specific source and destination hosts involved. When Lastline determines that an INFO detection is unusual, the event is promoted to "detection" mode.
This change was tracked internally as FEAT-2856
Intrusion correlation rule for detecting lateral movement
Once attackers have established a "beachhead" in a network by compromising some hosts, they may attempt to move laterally within the network to compromise additional hosts. This release improves our detection of such lateral movement activity.
When lateral movement activity is detected, an intrusion object will be generated for that lateral movement. Our correlation logic will include in that intrusion:
- detections that indicate compromise of the source host of the lateral movement prior to performing lateral movement
- detections that indicate that the destination host was infected after the incoming lateral movement
This correlation logic will only trigger for hosts within the configured "home network", and will not be activated unless a home network is configured.
Please note that our ability to detect lateral movement in a protected network may be limited by what traffic our network sensors can inspect, based on where they are deployed. Detection of lateral movement activity requires visibility into network traffic within the organization, not just towards the internet.
This change was tracked internally as FEAT-2855
Disable SHA-1 for SSH daemon appliances
This feature disables SHA-1 family of hashing algorithms on Lastline appliances. It would ensure that ssh communications to the appliances use more secure hashing algorithms such as SHA-2 or SHA-3.
This change was tracked internally as FEAT-2759
Mail API for 3rd Party Integration
This release introduces a new API method push_mail, that can be used to submit meta-data for mail messages that were analyzed using the Lastline Analyst API. This information will then be processed and appear in the Lastline Portal just like mail messages analyzed by a Lastline mail sensor.
More information and a sample API client can be found in the API documentation.
This change was tracked internally as FEAT-2707
Use the local threat intelligence cache to rate-limit data to upload
Smarter filtering of log data generated by the sensor for Breach Defender detection. Filtering now takes into account the popularity of specific endpoints or hostnames to better prioritize potential anomalies.
This change was tracked internally as FEAT-2693
Support for changing FQDN of an installed appliance
Allow you to change the FQDN of your installed appliances by using the lastline_register utility. Instructions for this new process can be found in the appliance installation manuals.
This change was tracked internally as FEAT-2171
Configuring pop3/imap polling interval via web UI
In POP3/IMAP mode, an administrator can now configure the POP3/IMAP polling interval for email analysis from the portal UI.
This change was tracked internally as FEAT-1797
Support exporting of historical data in Excel-friendly format
We have added the ability to export data records collected by Breach Defender in CSV format. The functionality can be accessed from the "web requests" and "network flows" tables in the Network Analysis page. The resulting file can be imported, for example, into Excel and other spreadsheet programs.
This change was tracked internally as FEAT-1210
Detection Improvements
- SENT-949: Fixes to the sensor capability to extract and inspect XZ archive out of the wire and in ICAP/explicit proxy mode.
- LLMAIL-444: Correctly handle basestriker URLs in mail analysis. Basestiker is an evasion technique that was developed to hide malicious URLs to security vendors by setting up a base URL by means of the
tag. - LLAM-3473: Improved analysis of applications dropped during the dynamic analysis and that are not directly spawned as part of the analysis run.
- LLADOC-576: Improved analysis of Microsoft PowerPoint files using embedded Packager Shell objects.
- LLADOC-580: Better detection of DDE links in Microsoft Office documents.
- LLADOC-582: Better detection of Microsoft Office documents triggering behavior via on-close macros.
- LLADOC-583: More robust classification of embedded remote-objects in Microsoft Office documents.
- MALS-2632, MALS-2634: More robust file-type detection for archives and files within archives.
- MALS-2643: Improved handling of write-protected Microsoft Office documents.
- SIGLOGSCAN-171: Better classification of malware attempting to crash the operating system.
- SIGLOGSCAN-249: Better classification of malware disabling active Windows services.
- SIGLOGSCAN-259: Better detection of code injection via debugging APIs.
- SIGLOGSCAN-272: Better detection of malware abusing USB devices history.
- SIGLOGSCAN-274: Better classification of malware trying to hide threads from debuggers.
- SIGLOGSCAN-293: Better detection of vCalendar files embedded within documents.
- SIGLOGSCAN-294: Better detection of malware searching for AV products on macOS.
- SIGLOGSCAN-299: Improved detection for Durandal backdoor.
- SIGLOGSCAN-301: Better classification of DLL-remapping techniques.
- SIGREPSCAN-205: Better detection of deletion of Zone:Identifier information.
- SIGREPSCAN-404: More robust detection of COM hijacking.
- SIGREPSCAN-477: Better detection of malware faking Microsoft Office popup windows.
- SIGREPSCAN-487: Better detection of evasion via USB device (vendor) information.
- SIGREPSCAN-489: Better classification of evasion via stalling code.
- SIGREPSCAN-490: Better classification of abusing geo-location services.
- SIGREPSCAN-491: Better classification of accessing browser stored credentials.
- ANREV-4803: Improved detection of InstallCore PUA.
- LLADOC-566: Extend rules for triggering dynamic analysis of Microsoft Office documents in macOS.
- LLADOC-585: Improved detection of Equation Editor COM objects embedded in Microsoft Office documents.
- LLADOC-622: More robust classification of external resources embedded in Microsoft Office documents.
- LLADOC-596: More robust classification of commented-out suspicious code in Microsoft Office macros.
- LLAM-3547: More aggressive classification of failing requests from suspicious iframes embedded in web pages.
- LLAM-3849: More robust classification of wscript use in the context of activeX objects in browsers.
- LLWEB-1064: More aggressive classification of encoded files embedded in SWF files.
- SIGLOGSCAN-238: More aggressive detection of POS malware process memory scanning.
- SIGLOGSCAN-254: Improved detection of Demiguise malware.
- SIGLOGSCAN-263: Improved detection of persistence via Group Policy Objects.
- SIGLOGSCAN-269: More aggressive classification of of stalling code using IcmpSendEcho.
- SIGLOGSCAN-270, SIGLOGSCAN-280: Improved handling of detection code module enumeration.
- SIGLOGSCAN-275: Improved detection of OSX/LoseLose malware.
- SIGLOGSCAN-277: Improved detection of b374k shells.
- SIGLOGSCAN-278: Improved detection of changing access rights for Microsoft Windows objects.
- SIGLOGSCAN-279, SIGLOGSCAN-290: Improved detection of position-independent shellcode.
- SIGLOGSCAN-281: More aggressive detection of accessing remote files.
- SIGLOGSCAN-282: Improved detection of mouse event simulation.
- SIGLOGSCAN-284: Improved detection of malware checking for the Microsoft Windows Firewall status.
- SIGLOGSCAN-286, SIGREPSCAN-264: Improved detection of OS fingerprinting using video capture driver enumeration.
- SIGLOGSCAN-289: More robust classification of Windows kernel to user-mode code injections.
- SIGLOGSCAN-312: Improved labeling of Mimikatz tools.
- SIGREPSCAN-388: Improved detection of using Microsoft Office for persistence.
- SIGREPSCAN-425, SIGREPSCAN-476: Improved detection of memory-hollowing.
- SIGREPSCAN-459: More robust detection of WebCompanionInstaller.
- SIGREPSCAN-467: Improved detection of retrieving Microsoft Windows Event Log information via WMI.
- SIGREPSCAN-470: Improved detection of capturing macOS screen / using screen capture utilities.
- SIGREPSCAN-471: Improved detection of malware querying macOS network routing information.
- SIGREPSCAN-473: Improved detection of fingerprinting via the presence of macOS security products.
- SIGREPSCAN-474: Improved detection of terminating processes via killall utility.
- SIGREPSCAN-475, SIGREPSCAN-478: More robust classification of system changes done by standard OS utilities.
- SIGREPSCAN-479: Improved detection of retrieving CPU temperature via WMI.
- SIGREPSCAN-481: More robust classification of ransomware.
- SIGREPSCAN-484: Improved classification of programs accessing bitcoin domains.
- SIGREPSCAN-486: More robust classification of programs interacting with Winlogon.
- FEAT-3161: Improved analysis of Internet Inquiry/Microsoft Excel Web Query data files.
- FEAT-3147: Add support for analyzing XSL containing embedded commands.
- FEAT-3123: Improved extraction of data from TNEF-encoded attachments of emails submitted to Analyst API.
Bug Fixes and Improvements
- USER-2878: The widget that is used throughout the portal for displaying network packet captures now persists its table settings, such as columns to show/hide and column widths.
- USER-2834: Improve user interaction with some popovers, that can now be closed by clicking anywhere outside of the popover.
- SURI-717: Fix to a sensor issue that may cause prevent us from correctly extracting files out of SMB2 interactions.
- SURI-714: Correct handling of HTTP strings containing invalid characters throughout the sniffing processing pipeline.
- SQUID-23: Prevent the explicit proxy from performing SSL inspection on benign SSL locations that are known to be disrupted by the operation. For instance, several applications and operating systems components perform certificate pinning and do not operate correctly when performing SSL inspection. Additional locations can always be added to the sensor by acting on /etc/lastline/customer_whitelist_domains_ssl_noinspection.txt .
- SQUID-22: Change to the default SSL protocol policy used by the sensor when doing TLS inspection in explicit proxy. TLSv1 protocols are now permitted by the sensor.
- SQUID-21: Added support for additional intermediate certificates when performing SSL inspection in explicit proxy.
- SENT-947: Fix to a rare race condition in the sensor threat intelligence daemon where the expiration of an entry could cause unexpected crashes.
- SENT-946: Allow components to recover from issues related to access to threat intelligence information.
- SENT-923: Fixes to the processing of HTA files on the sensor for files that have been extracted by the sniffing service or ICAP/explicit proxy.
- SENT-899: Ensure that the sensor has the capability to automatically recover from unexpected error states of the sniffing service.
- SENT-887: Ensure the correct configuration of TCP offloading on sniffing sensors that are configured to sniff on a bonded interface.
- SENT-856: Improvement to the handling of local callbacks on sensor appliances.
- SENT-837: Prevent an appliance update or reconfiguration to needlessly reinitialize correctly configured bridges when running the sensor in inline mode.
- SENT-679: Prevent crashes of the plymouth-upstart-bridge service during the appliance boot sequence.
- PLTF-202: Improved performance of session log API.
- PLTF-174: Active Directory integration improvement: Limit WMI queries to remove unnecessary load (and timeouts) when there are no recent login events to retrieve
- MALS-2652: More robust identification of script analysis subject type in Lastline application bundles.
- MALS-2608: Allow custom Yara rules suppress detections in the analysis pipeline.
- MALS-2606: Improve documentation of Analyst API method "get_analysis_tags".
- MALS-2363: Expose server UTC timestamp in submission calls to Analyst API.
- LLMAIL-438: Fix to a bug that would incorrectly attempt to deliver blocked attachments if the first delivery attempt to the MTA next hop was unsuccessful.
- LLFILE-415: More robust handling of non-ascii characters uses as filenames in archives.
- FEAT-3272: Fix for the issue caused by recent Ubuntu Security Update.
- FEAT-3197: Support for Windows Server 2016 domain controller in Lastline Active Directory integration.
- FEAT-3139: Improved monitoring of analysis traffic-routing (AnonVPN) and alerting on invalid configurations.
- FEAT-3132: The Network IoCs tab after a search in the Intelligence portal now includes additional network class reputation tags for IP addresses. These tags help the user to quickly identify IP ranges that support certain classes of infrastructure such as corporate networks, institution networks, content delivery networks or cloud service providers.
- FEAT-3051: Improvements to ICAP compatibility with Symantec ProxySG appliances. This addresses previously known issues associated with the analysis of artifacts transferred by means of HTTP chunk encoding.
- FEAT-3047: More reliable streaming of email logs generated by mail sensors. This fixes a previously known issue that was affecting sensors configured to stream logs to external SIEMs using the TCP protocol.
- FEAT-2867: The Network IoCs tab after a search in the Intelligence portal now includes an additional 'age' reputation tag for domains. This tag helps the user to quickly identify domains that were registered recently from older domains, older domains being less likely to be harmful.
- FEAT-2844: Disable X-Lastline Headers in processes email messages to obfuscate customers' internal infrastructure to external or internal recipients. This can now be done in the portal UI.
- FEAT-2824: Fix to specify the logical subnet mask for HOME_NET config in the popup help text.
Deprecation of API methods
The following methods of the Lastline Knowledgebase API are being deprecated in this version: - getlist - validateinput - analyse - search - export_tasks_domains - export_tasks_ips
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
With this release, we are deprecating using HTTP GET requests for authentication to the Lastline API. The Lastline API currently supports providing authentication parameters in the URL of a GET request. Upcoming On-Premises release 8.2 will no longer support this. Providing authentication parameters in a GET request is discouraged by security best practices, as it can leads to sensitive credentials being stored in logs and caches.
An authenticated GET request can instead be performed by first establishing a session with a call to login. An example is provided in the Lastline API documentation that can be found at Lastline API Overview page.
Also note that the sample python client provided by Lastline for our API is already compatible with this change.
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also includes methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:
- Lastline Manager version 950
- Lastline Engine version 950
- Lastline Sensor version 1012
- Lastline All-in-one (Pinbox) version 950
Released sandbox images versions
The sandbox images version remains at 2018-03-02-01.
Distribution Upgrade
As of version 7.16, support for Ubuntu Precise as the underlying operating system distribution has been discontinued. Before upgrading to version 7.16 or later, appliances that are still on Ubuntu Precise will need to be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.