Lastline Enterprise On-Premises Release Notes

Version 9.1

New Features

  • Support for email static detections
  • Added password protection support for analysis artifact download
  • Implement new hosts listing view
  • Enable reputation feed on sensor
  • Display network event verification outcome in portal
  • Docker IP Address Configuration
  • Display Lastline IDS signatures for detectors
  • Extend displayed analysis information for mail messages
  • Access host overview sidebar from intrusion profile
  • MITRE ATT&CK techniques and details now available in Analysis report
  • Support for analysis of artifacts extracted from HTTP uploads
  • New incident captured traffic profile
  • Participating host sidebar

SUPPORT FOR EMAIL STATIC DETECTIONS

The sensor can now identify harmful content in an email message independently from the analysis of its attachments or URLs. This allows the identification of threats that may be located in the message body or metadata. This includes failed SPF checks and other evidence of spam behavior.

This new feature was tracked internally as FEAT-3633

ADDED PASSWORD PROTECTION SUPPORT FOR ANALYSIS ARTIFACT DOWNLOAD

Users downloading malicious files for further analysis via the Analysis Overview page now have the option of downloading an encrypted (password-protected) ZIP archive of the file, so that other solutions monitoring traffic do not automatically inspect the threat.

This new feature was tracked internally as FEAT-4627

IMPLEMENT NEW HOSTS LISTING VIEW

Lastline has expanded the Host Lists to show all hosts seen on the network, rather than only hosts with security incidents. Security Analysts can now get complete visibility of all hosts on their network and filter the list by host attributes such as OS, applications seen on the host, etc. This provides a central interface for investigating threats on hosts, including hosts that have no active security incident associated with them.

This new feature was tracked internally as FEAT-3558

ENABLE REPUTATION FEED ON SENSOR

Sensors with this release start to benefit from a new URL reputation pipeline that will be used to make prefiltering and detection decisions in all modes. The new URL reputation pipeline improves detection coverage, especially for phishing threats that can be found in email processing.

This new feature was tracked internally as SENT-2518

DISPLAY NETWORK EVENT VERIFICATION OUTCOME IN PORTAL

Lastline appliances can now infer whether the activity observed within a network event was successful or not. The appliance analyzes the interactions that follow a given detection and then assigns a verification outcome to the corresponding event. The following outcomes are supported:

  • SUCCEEDED: we have evidence that the detected interaction succeeded in its intent (e.g. a C&C communication interacted successfully with its server)
  • FAILED: we have evidence that the detected interaction did not succeed (e.g. the C&C server was not active)
  • BLOCKED: we have detected the intervention of some form of security tool that prevented the interaction from being successful.

The network events list now includes a new column that displays network event verification outcomes. Additionally, outcomes are displayed as tags under the threats tab of the host profile view.

This new feature was tracked internally as FEAT-4743

DOCKER IP ADDRESS CONFIGURATION

The lastline_register utility now prompts the user to provide a network address range to use for internal appliance services. It defaults to the 169.254.64.0/20 network. In previous releases, this address range was statically configured on a 172.16.0.0/12 network, which could cause a conflict if the range was already in use in the local network. The new default is less likely to overlap with existing networks. If you previously configured an override to use a different network, this earlier configuration is still honored.

For details, please refer to the installation manual.
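As an added example (not Lastline's code), the overlap check an administrator would run before accepting the lastline_register prompt: it tests a candidate range against the networks already in use on the site and, if the 9.1 default conflicts, picks a free /20 from the link-local pool. The in-use networks are constructed sample values, and skipping the two /24 blocks that RFC 3927 reserves is an assumption beyond what the release notes state.

```python
import ipaddress
from typing import Iterable, List, Optional

IPv4Net = ipaddress.IPv4Network

# The pre-9.1 static default and the new 9.1 default from the release notes.
OLD_DEFAULT = IPv4Net("172.16.0.0/12")
NEW_DEFAULT = IPv4Net("169.254.64.0/20")
# Link-local pool the new default is carved from. RFC 3927 reserves its
# first and last /24 (assumption: the appliance should not use them either).
LINK_LOCAL_POOL = IPv4Net("169.254.0.0/16")
RESERVED = [IPv4Net("169.254.0.0/24"), IPv4Net("169.254.255.0/24")]

# Constructed sample of networks already routed on a site (not real data);
# on a real appliance take these from its routing table or your IPAM.
SAMPLE_IN_USE = ["10.20.0.0/16", "172.16.0.0/16", "192.168.1.0/24"]


def conflicts(candidate: str, in_use: Iterable[str]) -> List[str]:
    """Return the in-use networks that overlap `candidate`, in input order."""
    cand = IPv4Net(candidate, strict=False)
    return [n for n in in_use if IPv4Net(n, strict=False).overlaps(cand)]


def pick_internal_range(in_use: Iterable[str], prefixlen: int = 20) -> Optional[str]:
    """Choose a /prefixlen block for internal services that overlaps nothing
    in `in_use`: the 9.1 default when it is free, otherwise the first free
    block of the link-local pool outside the reserved /24s, else None."""
    in_use = list(in_use)
    if prefixlen == NEW_DEFAULT.prefixlen and not conflicts(str(NEW_DEFAULT), in_use):
        return str(NEW_DEFAULT)
    for block in LINK_LOCAL_POOL.subnets(new_prefix=prefixlen):
        if any(block.overlaps(r) for r in RESERVED):
            continue
        if not conflicts(str(block), in_use):
            return str(block)
    return None


if __name__ == "__main__":
    # The old default collides with the site's 172.16.0.0/16; the new one does not.
    print("old default conflicts:", conflicts(str(OLD_DEFAULT), SAMPLE_IN_USE))
    print("new default conflicts:", conflicts(str(NEW_DEFAULT), SAMPLE_IN_USE))
    print("chosen range:", pick_internal_range(SAMPLE_IN_USE))
```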

This new feature was tracked internally as FEAT-4742

DISPLAY LASTLINE IDS SIGNATURES FOR DETECTORS

The recently introduced detector documentation modal has been extended to include a new IDS Rule section. In this new section, a visually parsed representation of the relevant IDS signature is now available.

This new feature was tracked internally as FEAT-4638

EXTEND DISPLAYED ANALYSIS INFORMATION FOR MAIL MESSAGES

The displayed analysis information for a mail message now includes a "Detections" table, where applicable, that outlines analysis detections associated with the message's native content (excluding attachments and URLs). Email, Generic HTTP, Streaming API, and Syslog notifications for such detections can also be configured in the notification settings.

This new feature was tracked internally as FEAT-3634

ACCESS HOST OVERVIEW SIDEBAR FROM INTRUSION PROFILE

The host overview sidebar is now accessible from the Intrusion profile hosts tab. A click on a host IP opens a sidebar with summary information about the selected host and a link to the host profile.

This new feature was tracked internally as FEAT-4897

MITRE ATT&CK TECHNIQUES AND DETAILS NOW AVAILABLE IN ANALYSIS REPORT

Users are now able to see the MITRE ATT&CK techniques and details under the Analysis Overview section in the Lastline Analysis report.

This new feature was tracked internally as FEAT-4590

SUPPORT FOR ANALYSIS OF ARTIFACTS EXTRACTED FROM HTTP UPLOADS

The sensor now has the ability to extract artifacts uploaded by a client towards a target server (e.g., by means of an HTTP POST) and submit them for analysis, similar to what is already supported for HTTP downloads, and file transfers on other protocols. In the UI, the "File Downloads" table now indicates when a given transfer was, in fact, an upload.

This new feature was tracked internally as FEAT-4541

NEW INCIDENT CAPTURED TRAFFIC PROFILE

A new incident-based captured traffic profile view can be accessed via contextual links added to the threat details (expansion) view of the host profile threats tab. Where available, a "captured traffic" link is now shown.

This new feature was tracked internally as FEAT-4540

PARTICIPATING HOST SIDEBAR

In the Host profile page threats view, clicking on the domain or IP of a host identified as participating in a given threat now opens a sidebar that displays contextual information about said host, including WHOIS information, and in-network hosts with whom the participating host communicated.

This new feature was tracked internally as FEAT-4405

Detection Improvements

  • FEAT-4302: Improved detection of phishing URLs. The Lastline URL analysis engine analyzes a rendered web page to recognize whether it is similar to a known phishing page based on image similarity.
  • TRES-928: Improved detection of evasive Microsoft Office documents using country-specific checks
  • TRES-691: Improved detection of phishing PDF files.
  • TRES-1002: Improved certificate extraction from PE samples.
  • TRES-919: Reduced false positives on benign LNK files that point to a locally installed program.
  • TRES-876: Reduced false positives on benign Office documents which have a remote image on an unreachable server.
  • TRES-824: Improved detection of malware that appends a PowerShell script after the end of an archive to bypass detection.
  • TRES-749: Improved detection of Dridex banking trojan.
  • TRES-734: Improved detection of malware that uses file extended attributes to hide a malicious payload.
  • TRES-616: Improved detection of malware that abuses Microsoft-signed script proxy execution.
  • TRES-552: Improved detection of Microsoft Office documents that auto-load OLE objects.
  • FEAT-4515: Improved detection of malicious MS Office documents that use the VBA code protection feature to hide a malicious payload.
  • FEAT-4420: Unknown URLs extracted from MS Office documents or PDFs are analyzed in an instrumented browser to expose potential drive-by exploits or phishing pages.
  • FEAT-4088: The Lastline Analyst API can now submit URLs to the Lastline Hosted Service in order to improve detection of phishing attacks. This feature is optional, and is disabled by default.
  • TRES-843: Improved detection of malware with the ability to check the current keyboard layout.
  • SENT-2589: Improvement to the heuristics used by mail sensors to flag URLs for analysis based on the file extension of the target.
  • SENT-2545: Ensured that the email analysis component selects for analysis URLs known to belong to file sharing services.
  • FEAT-4372: Unknown URLs extracted from script or process memory during dynamic analysis in Windows sandboxes are analyzed in the instrumented browser to expose potential CnC or malicious updates.

Bug Fixes and Improvements

  • FEAT-4053: The Analyst API supports an improved way to collect internal information about completed tasks to be used by technical support engineers for customer support.
  • SENT-2583: Fixed an issue where a mail sensor may fail at processing messages that had been received by a prior version of the software before an update.
  • SENT-2570: Fixed an issue where the sensor SMB file extraction may erroneously submit large amounts of partial file transfers for analysis.
  • SENT-2592: Fixed a bug in the sensor email logger (generating data in /var/log/llmail/email) where the logger would incorrectly log the intention to upload a URL within the MalscapeUploader section also for URLs that are believed to be prefilter-benign. The bug does not affect functionality, but may lead to confusion in the analysis of the processing data (as some URLs will appear as uploaded but will never receive a score).
  • SENT-2539: Fixed performance issues in the sensor component in charge of serving threat intelligence data. The performance issues would particularly affect the operation of the ICAP service under significant load.
  • SENT-2521: Fixed an issue in the sensor file processing pipeline where the pipeline may get stuck upon update due to a communication error with the service in charge of on-the-wire webpage inspection feature.
  • PLTF-1275: Fixed race condition that could occur under load and result in the portal returning 504 errors.
  • FEAT-4630: When an INFO mode event in a customer's network is determined to be anomalous and is promoted to DETECTION mode, we now show only the evidence for the anomalous behaviour and no longer include evidence for the base behaviour.
  • TRES-918: Improved scanner logic based on parent/child process relations.
  • TRES-834: Reduced false positive rate for script-based automation tools.
  • TRES-722: Reduced false positive rate for benign installers.
  • SENT-2607: Fixed a suricata bug where extraction of emails out of SMTP exchanges would always extract only the first message transferred within each flow.
  • SENT-2557: Fixed a problem where it would still be possible to partially enable PF_RING sniffing drivers on xenial appliances (PF_RING has been deprecated in favor of AF_PACKET on xenial appliances).
  • SENT-2544: Fixed an issue in sensors using Silicom NICs for bypass, where the appliance would not disable bypass mode after a reboot on xenial appliances.
  • SENT-2535: Fixed a bug where the sniffing tests triggered by a manual run of lastline_test_appliance may fail due to an unexpected error.
  • FEAT-4496: Improved the logic responsible for inferring the directionality of alerts when processing custom IDS rules generated with the Lastline Custom Intelligence API. Previous sensors would not correctly report the endpoints involved in the alert if the signature matched on packets sent by the server towards the client. This change also ensures that custom IDS rules are always associated with a snippet of the network interaction that triggered them.
  • FEAT-4293: Improved analysis performance for benign web analysis file subjects, such as Javascript or HTML files.
  • USER-3833: Within the "Email" section, the tables displaying "All attachments" and "All URLs" now show the Antivirus class and Malware.
  • SENT-2511: Fixed a bug that would cause the file processing pipeline to slow down under extreme load.
  • SENT-2431: Improved the heuristics used by mail processing for flagging interesting URLs based on the file extension.
  • PLTF-1173: The status of messages sent to McAfee TIE via the OpenDXL integration is now visible in the appliance monitoring logs.
  • PLTF-888: Intrusion notifications now include the impact of the intrusion that triggered the notification.
  • FEAT-5038: Extended the Analyst API submission helper tools to support providing password candidates.
  • FEAT-4538: The Threats view of the Host Profile lists the evidence associated with each Threat. This release extends the information presented there, providing more specific insight into the details of each piece of evidence, such as listing filenames for suspicious downloads, etc.
  • FEAT-4079: The Lastline Analyst API now allows submitting files for analysis using purely static- and AI-based analysis components. This allows trading classification performance for accuracy to detect known threats rapidly (but may have reduced detection accuracy for 0-day threats). This functionality is currently in BETA and exposed only to OEM integrations with specific, additional permissions.

Known Issues

With this release of Lastline Enterprise On-Premises 9.1, when upgrading appliances from any version before 9.1, the appliance status may get stuck at "In Progress". If this occurs, access the appliance console and run "service-lastline appliance-update restart", then re-trigger configuration on the appliance; the status should return to OK. If the issue persists, contact Lastline Technical Support for further assistance. A fix for this issue is included in this release, so future upgrades from 9.1 are not affected.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

KnowledgeBase features deprecation schedule

The following KnowledgeBase features will be deprecated in the Lastline Enterprise On-Premise 9.2 release:

  • To improve performance, the KnowledgeBase clustering service will be discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
  • All strings will remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However you cannot search for strings by sub-key location (heap, stack, memory block or executable section).
  • The KnowledgeBase will no longer provide the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1080
  • Lastline Engine version 1080
  • Lastline Sensor version 1131
  • Lastline All-in-one (Pinbox) version 1080

Released Sandbox Images Versions

The sandbox images version will remain at 2019-04-18-01.

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 starting with the release of Lastline Enterprise On-Premises 9.3. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page: https://support.lastline.com/hc/en-us/articles/224566907-Lastline-Hardware-Specifications-Dell-Hardware

Deprecation of Lastline Checkpoint Integration

Lastline's integration with the Check Point firewall will be removed in the next release of Lastline Enterprise On-Premises, 9.2. The Check Point VPN-1 firewall product the Lastline integration supports is no longer supported by Check Point.

Lastline Supported Browsers

With this release, we will support the current versions of Google Chrome, Apple Safari, Mozilla Firefox and Microsoft Edge for Windows. Support for issues identified with versions of Internet Explorer, as well as any other unlisted browsers, will be on a best-effort basis; identified bugs will only be addressed for currently supported browsers.

Distribution Upgrade

Version 8.3.2 was the final version to support Ubuntu Trusty as our operating system distribution. In order to upgrade to 9.1, you must be running Xenial as the operating system distribution.

You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "xenial". If it is "trusty", the appliance distribution needs to be upgraded.

For help on the upgrade process, please refer to the following instructions. This update is not done automatically to prevent unexpected downtime.
