Lastline Enterprise On-Premises Release Notes

Version 9.2

COVID-19 Announcement

For more information on Lastline preparedness and response during the COVID-19 outbreak visit this page.

New Features

  • Support for Bulk Host Tagging
  • Email Quarantine Support
  • Update to suricata 5.0.1 upstream
  • Support for online DB migrations
  • Support for URL reputation in sniffing sensors
  • Display detected threats stats in portal
  • Add host tag filter to alert suppression
  • Host Listing and Sidebar Improvements

SUPPORT FOR BULK HOST TAGGING

Security analysts can now apply the same host tag to multiple hosts from the listing page. Additionally, they can update or delete existing tags for multiple hosts in a single operation.

This new feature was tracked internally as FEAT-4714.

EMAIL QUARANTINE SUPPORT

Lastline now supports displaying detailed information about emails quarantined on Lastline Sensors. Security teams can inspect quarantined emails and see which emails have been quarantined from the email triage functionality in the portal. Security teams can also release or delete blocked emails from the email page in the portal. Configuration options are also available for administrators to specify the number of days emails should be held in quarantine before they are automatically released.

This new feature was tracked internally as FEAT-4974.

UPDATE TO SURICATA 5.0.1 UPSTREAM

The sensor IDS service has been updated to Suricata 5.0.1. This includes a number of performance and stability improvements. A full list of changes can be found on the Suricata website: https://suricata-ids.org/2019/12/13/suricata-5-0-1-released/

This new feature was tracked internally as FEAT-4958.

SUPPORT FOR ONLINE DB MIGRATIONS

During the upgrade of Lastline appliances, any required database schema migrations will now happen at the start of the upgrade process via an online schema migration process, which avoids locking database tables. This reduces the potential for downtime during the upgrade process on installations with large amounts of data to be migrated.

This new feature was tracked internally as FEAT-4950.

SUPPORT FOR URL REPUTATION IN SNIFFING SENSORS

This release enables support for a new type of reputation event, URL reputation. On top of inspecting DNS resolutions and connections to known malicious hosts, sensors will now inspect HTTP activity and flag HTTP transactions with low reputation URIs. This ability to evaluate URL locations in addition to hosts is particularly important when dealing with threats that leverage benign or compromised infrastructure for their distribution (e.g. phishing pages hosted on otherwise benign domains that have been compromised).

This new feature was tracked internally as FEAT-4611.
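The distinction the feature description draws, between reputation keyed on a host and reputation keyed on a full URL, is easy to see in code. The following is an added illustration, not Lastline sensor code: it normalizes observed HTTP transactions and checks them against two constructed reputation sets, one of hosts and one of URLs. The second sample transaction hits a low-reputation path on an otherwise benign domain, which host reputation alone cannot flag. The feed contents, the host names and the `HttpTransaction` shape are all assumptions made for the example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample reputation data; a real sensor consults a
# reputation feed, not hard-coded sets.
LOW_REPUTATION_HOSTS = {"malicious-cdn.example"}
LOW_REPUTATION_URLS = {
    # Phishing kit dropped into an otherwise benign, compromised site.
    "https://docs.benign-university.example/wp-content/uploads/login/verify.php",
    "http://malicious-cdn.example/payload.bin",
}


def normalize_url(url: str) -> str:
    """Canonicalize to scheme://host[:port]/path: lower-case scheme and host,
    drop default ports, query string and fragment, so that feed entries and
    observed URLs compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")
    port = parts.port
    default_port = {"http": 80, "https": 443}.get(scheme)
    netloc = host if port in (None, default_port) else f"{host}:{port}"
    path = parts.path or "/"
    return f"{scheme}://{netloc}{path}"


NORMALIZED_LOW_REPUTATION_URLS = {normalize_url(u) for u in LOW_REPUTATION_URLS}


@dataclass
class HttpTransaction:
    client_ip: str
    scheme: str
    host: str   # Host header as seen by the sensor
    path: str   # request target, may carry a query string


def reputation_events(tx: HttpTransaction) -> list[str]:
    """Return the reputation event types this transaction would raise."""
    events = []
    host = tx.host.lower().rstrip(".")
    if host in LOW_REPUTATION_HOSTS:
        events.append("host_reputation")
    url = normalize_url(f"{tx.scheme}://{host}{tx.path}")
    if url in NORMALIZED_LOW_REPUTATION_URLS:
        events.append("url_reputation")
    return events


# Constructed sample traffic: a known-bad host, a bad path on a benign
# host, and a benign path on the same benign host.
SAMPLE_TRAFFIC = [
    HttpTransaction("10.0.0.5", "http", "malicious-cdn.example", "/payload.bin"),
    HttpTransaction("10.0.0.7", "https", "docs.benign-university.example",
                    "/wp-content/uploads/login/verify.php?id=42"),
    HttpTransaction("10.0.0.7", "https", "docs.benign-university.example",
                    "/syllabus.pdf"),
]


def summarize(traffic: list[HttpTransaction]) -> dict[str, list[str]]:
    """Map each observed URL to the reputation events it raises."""
    return {f"{tx.scheme}://{tx.host}{tx.path}": reputation_events(tx)
            for tx in traffic}


if __name__ == "__main__":
    for url, events in summarize(SAMPLE_TRAFFIC).items():
        print(f"{url}: {events or 'no reputation event'}")
```

Normalization matters in practice: the feed entry lacks the `?id=42` query string that the observed request carries, and without canonicalizing both sides the URL-level match would silently fail.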

DISPLAY DETECTED THREATS STATS IN PORTAL

Lastline has introduced new visualization in the events view that provides event counts by threat class and supports drill-down to specific threats within the threat class. With this new visualization, security analysts can more easily triage specific events of interest and also get an aggregated count of events across various threat classes.

This new feature was tracked internally as FEAT-5148.

ADD HOST TAG FILTER TO ALERT SUPPRESSION

Alert suppression now supports additional criteria based on host tags. With this functionality, security analysts can, for example, suppress events for hosts tagged "public domain guest machine" or any other host tag that is relevant for that network.

This new feature was tracked internally as FEAT-4902.

HOST LISTING AND SIDEBAR IMPROVEMENTS

Lastline has added enhancements for security analysts working with the Host Listing. The host sidebar, which shows detailed information on each host selected from the list, now includes the OS and device type. Additional improvements include search for IP ranges and support for CIDR blocks.

This new feature was tracked internally as FEAT-4894.

Detection Improvements

  • FEAT-4855: Improved coverage of MITRE ATT&CK Tactics and Techniques in Lastline Sandbox.
  • TRES-1214: Improved detection of CVE-2020-0601.
  • TRES-935: Improved phishing document prefilters.
  • TRES-890: Improved detection of office phishing documents.
  • TRES-1308: Improved coverage of MITRE ATT&CK Tactics and Techniques in Lastline Sandbox.
  • TRES-1237: Improved detection of malicious MS Office documents that abuse subDocument tags to load an external document.
  • TRES-1171: Improved detection of Mansabo trojan.
  • TRES-1166: Improved detection of malicious URLs in documents.
  • TRES-1103: Improved detection of CVE-2015-1701.
  • TRES-1038: Improved detection of a macro-based XLS Ursnif downloader that uses multiple macro modules for evasion.
  • TRES-1023: Improved detection of Padodor malware family.
  • TRES-999: Improved detection of batch files that spawn Visual Basic Script files.
  • TRES-975: Improved detection of Turla malware family.
  • TRES-901: Improved More_eggs backdoor detection.
  • TRES-547: Reduced false positives on benign files that were affected by privilege escalation signatures.
  • TRES-1234: Improved detection on phishing pages pretending to be Microsoft login.
  • TRES-1092: Improved detection of a macro-based XLS Ursnif downloader that uses a filename check for evasion.
  • TRES-1041: Improved scanners to include MITRE ATT&CK information.
  • TRES-1032: Improved detection of malicious binary files packed with a custom packer.
  • TRES-948: Improved detection of malware abusing remote XLS files using WMI queries.

Bug Fixes and Improvements

  • TRES-927: Improved detection of malicious JAR files.
  • CINF-389: Fixed the upload of appliance-monitoring data when using an HTTPS proxy.
  • SENT-2764: Fixed a bug in the llmail CompletionManager that could cause mail processing to miss information on completion of dynamic analysis of attachments. This would cause MTA mail sensors to sporadically time out waiting for dynamic analysis reports.
  • SENT-2722: Upgraded to version 5.2.0.41 of the Silicom NIC drivers, enabling correct support for Linux kernel 4.15.
  • SENT-2703: Fixed an issue where performing any action on a quarantined message processed in a previous calendar month would cause the generation of a duplicate event in the UI.
  • SENT-2673: Fixed an issue that could cause the sniffer service to crash under certain packet tunneling configurations.
  • SENT-2643: Fixed an issue where deeply nested chains of email forwards could cause unreasonable slowdowns in mail processing.
  • MALS-3091: Fixed a bug in the Analyst API utilities "submit_files.exe" and "submit_files.py" that would truncate files when uploaded from a Microsoft Windows system.
  • FEAT-5217: The Lastline Analyst API now reports errors found during sandbox dynamic analysis when all the sandbox analysis runs have failed. This is intended to aid troubleshooting when submissions cannot be analyzed.
  • FEAT-4636: Revised logic for the extraction of network traces upon IDS alerts. The new logic carries a number of improvements:
      • Ability to handle cases where multiple alerts trigger on different segments of the same flow.
      • Ability to extract pcap traces for alerts that have triggered "deep" in the flow.
  • USER-3993: Fixed an issue in the Alert Suppression wizard where the outcome Action needed to be capitalized.
  • TRES-1282: Improved URL extraction during PDF analysis.
  • TRES-1125: Improved URLs extraction from documents.
  • TRES-1105: Improved PE authenticode certificate blacklisting capabilities.
  • SENT-2685: Fixed an issue where the sensor could upload conflicting verification information on network events. Specifically, the issue caused correct verification outcomes to be associated with incorrect verifier names.
  • PLTF-1142: The lastline_test_appliance utility can now check syslog for evidence of processes killed by OOM (out of memory).
  • FEAT-5165: Additional protocol identifiers for tagging application level protocol types in netflow NTA data. The improvement includes identifiers for modbus, SOCKS, and RPC interactions.
  • FEAT-4941: Analyst API now accepts ELF binaries for analysis. The analysis of ELF binaries will be limited to static detection of internal structure.
  • FEAT-4829: Suppression rules for network events can now include constraints on what host tags are defined for the affected hosts.
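The PLTF-1142 item above describes a health check that looks for OOM-killer evidence in syslog. The following is an added example of that kind of check, written here for illustration and not the `lastline_test_appliance` utility's own code. It parses the `Out of memory:` lines the Linux kernel logs when it kills a process (the `Kill process` wording of the 4.x kernels the release ships and the `Killed process` wording of 5.x are both accepted) and reports the affected processes. The syslog lines, host name and process names are constructed sample data.

```python
import re

# One line per kill, matching both kernel wordings:
#   4.x: "Out of memory: Kill process 2871 (mysqld) score 903 or sacrifice child"
#   5.x: "Out of memory: Killed process 2871 (mysqld) total-vm:..., anon-rss:..."
# The 4.x follow-up line "Killed process ... total-vm:..." has no
# "Out of memory:" prefix, so a single kill is never counted twice.
OOM_KILL_RE = re.compile(
    r"Out of memory: Kill(?:ed)? process (?P<pid>\d+) \((?P<name>[^)]+)\)"
)
# Traditional syslog prefix: "Mar  3 02:14:07 hostname ..."
SYSLOG_TS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
)

# Constructed sample syslog excerpt (not real appliance output).
SAMPLE_SYSLOG = """\
Mar  3 02:14:07 manager kernel: [123456.789012] mysqld invoked oom-killer: gfp_mask=0x14200ca(GFP_HIGHUSER_MOVABLE), nodemask=(null), order=0, oom_score_adj=0
Mar  3 02:14:07 manager kernel: [123456.790000] Out of memory: Kill process 2871 (mysqld) score 903 or sacrifice child
Mar  3 02:14:07 manager kernel: [123456.790100] Killed process 2871 (mysqld) total-vm:9876543kB, anon-rss:7654321kB, file-rss:0kB, shmem-rss:0kB
Mar  3 02:15:00 manager CRON[3001]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 02:20:31 manager kernel: [123840.111111] Out of memory: Kill process 3120 (llmail) score 410 or sacrifice child
"""


def find_oom_kills(lines) -> list[dict]:
    """Return one record per process the OOM killer terminated."""
    kills = []
    for line in lines:
        m = OOM_KILL_RE.search(line)
        if not m:
            continue
        ts = SYSLOG_TS_RE.match(line)
        kills.append({
            "timestamp": ts.group("ts") if ts else None,
            "host": ts.group("host") if ts else None,
            "pid": int(m.group("pid")),
            "process": m.group("name"),
        })
    return kills


def oom_check(syslog_text: str) -> tuple[str, str]:
    """Health-check verdict in the (status, detail) shape a test harness
    would report; status is 'OK' or 'FAIL'."""
    kills = find_oom_kills(syslog_text.splitlines())
    if not kills:
        return ("OK", "no OOM kills found in syslog")
    names = sorted({k["process"] for k in kills})
    return ("FAIL", f"{len(kills)} OOM kill(s) affecting: {', '.join(names)}")


if __name__ == "__main__":
    status, detail = oom_check(SAMPLE_SYSLOG)
    print(f"[{status}] {detail}")
    for k in find_oom_kills(SAMPLE_SYSLOG.splitlines()):
        print(f"  {k['timestamp']} {k['host']} pid={k['pid']} process={k['process']}")
```

On a live appliance the text would come from `/var/log/syslog` or `journalctl -k`; an OOM kill of a database or mail-processing daemon is exactly the sort of silent failure that later shows up as missing events or stalled analyses, which is why a post-upgrade check for it is worth having.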

New Linux kernel: Reboot Recommended

Lastline has upgraded the Linux kernel running on each appliance from 4.4.0 to 4.15.0, which improves support for more recent hardware. A reboot is recommended on each appliance after the upgrade.

When running the appliance in a VMware virtual machine, you may experience a kernel boot lockup under the following conditions:

  • In the VM settings, hypervisor.cpuid.v0 = FALSE (this is not the default)
  • VMware version 6.5 or 5.5 on Intel Xeon CPU E5-2620 v2/v4

If this issue is encountered while upgrading, steps for a workaround can be found here.

Deprecation of API Methods

No additional API methods are being deprecated or discontinued in this release.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released Appliance Versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise On-Premises:

  • Lastline Manager version 1090.1
  • Lastline Engine version 1090.1
  • Lastline Sensor version 1151
  • Lastline All-in-one (Pinbox) version 1090.1

Released Sandbox Images Versions

The sandbox images version will remain at 2019-04-18-01.

Knowledgebase Feature Deprecation

The following KnowledgeBase features have been deprecated with this release:

  • To improve performance, the KnowledgeBase clustering service is discontinued. This only changes some Intelligence search capabilities: the clustering tab is no longer available and you cannot search by cluster. Static clustering-based detection remains operational.
  • All strings remain indexed across the entire process space. You retain the ability to search by string independently of location using the existing top-level keyword. However, you can no longer search for strings by sub-key location (heap, stack, memory block or executable section).
  • The KnowledgeBase no longer provides the analysis subject location within its search results. In the Intelligence page, under the Report tab, the subjects column is removed from the table of results.

Removal of Lastline Checkpoint Integration

Lastline's integration with the Check Point firewall has been removed from this release. The Check Point VPN-1 firewall product the Lastline integration supports is no longer supported by Check Point. Please contact technical support if you have questions regarding this integration.

End of Support For Dell R320 and Dell R420

Lastline is deprecating support for the Dell R320 and Dell R420 starting with the release of On-Premises 9.3. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page: https://support.lastline.com/hc/en-us/articles/224566907-Lastline-Hardware-Specifications-Dell-Hardware
