Lastline Defender and Analyst Hosted Release Notes

Version 7.13

New features

  • Lastline Knowledge Base clustering
  • Improved workflow in Incident Console
  • Display country information for network events
  • "Bump in the wire" improvements to the inline Sensor
  • Bugfixes and improvements

Lastline Knowledge Base clustering

The Knowledge Base now offers clustering services in order to group analyzed executables into families of programs or threats. The service supports multiple clustering perspectives by considering different approaches to compare samples and determine their similarity:

  • Similarity based on runtime activity: Dynamic clusters identify malware families sharing a common C&C infrastructure, reusing the same persistency mechanisms, or targeting and tampering with the same system components.

  • Similarity based on code structure: Code-hash clusters identify malware families sharing significant portions of their code base. These clusters are less influenced by the dynamic environment and configuration, and instead rely on stricter, functionality-based criteria.

The clustering results provided by the service are leveraged to attribute samples to known threat families. Attribution helps Incident Response (IR) and Security Operations Center (SOC) teams in their processes of remediation and recovery.

Samples are automatically clustered after analysis and the clustering results can be accessed as part of the analysis report. Associated clusters are displayed in the analysis overview within a new section called 'Analysis Attribution'. Clusters can also be searched directly from the dedicated intelligence search interface.

Improved workflow in Incident Console

The Console tab of the Lastline Portal has been redesigned to improve the workflow and make key functionality more visible. Navigation between the views of this tab has been improved, and now relies on navpills at the top of the page.

The default view of this tab is now the Incidents Console, which displays information about Incidents that Lastline detected. Incidents provide a higher-level view of security events in a protected network: because an Incident can consist of several network events that have been correlated together, it can remove the need to investigate those events individually.

The Infections view on the other hand displays information for potentially infected hosts in the protected network.

Both views can now show additional key information by expanding individual table rows.

Display country information for network events

The Lastline Portal now displays a flag icon next to IP addresses showing the country that address is located in. This functionality is available:

  • In the Network events table, which is displayed in the Network events tab and in other parts of the portal.

  • In the table displaying captured network traffic, which is shown in several parts of the portal, such as the details view for a single infected host.

"Bump in the wire" improvements to the inline Sensor

Until now, when deployed inline, the Sensor acted as a learning bridge, meaning it only forwarded packets if the bridge believed the intended destination to be reachable via forwarding. This could cause problems in setups where source and destination addresses intentionally reside on a single side of the bridge. In inline mode the Sensor now relays all packets received between the inline interface pair, making it behave more transparently.
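A toy model of the two forwarding behaviours described above, added here as an illustration and not code from Lastline: a two-port learning bridge filters a frame whose destination it has already learned on the ingress port, while the new transparent relay forwards every frame to the opposite interface. The MAC addresses and both scenarios are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Frame:
    src: str  # source MAC
    dst: str  # destination MAC


@dataclass
class LearningBridge:
    """Pre-7.13 behaviour: a two-port learning bridge (ports 0 and 1).

    Source MACs are learned per ingress port. A frame whose destination was
    learned on the very port it arrived on is filtered, because the bridge
    believes no forwarding is needed to reach it.
    """
    table: dict = field(default_factory=dict)

    def handle(self, frame, in_port):
        """Return the egress port, or None if the frame is dropped."""
        self.table[frame.src] = in_port
        if self.table.get(frame.dst) == in_port:
            return None
        return 1 - in_port  # known on the far side, or unknown: flood


class TransparentRelay:
    """7.13 behaviour: every frame is relayed to the opposite inline port."""

    def handle(self, frame, in_port):
        return 1 - in_port


def simulate(device, frames):
    """Apply (frame, ingress port) pairs in order; None means dropped."""
    return [device.handle(f, p) for f, p in frames]


# Constructed MACs and scenarios (not taken from the release notes).
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"

# Normal case: A sits behind port 0, B behind port 1; both devices agree.
ACROSS = [(Frame(A, B), 0), (Frame(B, A), 1)]

# Problem case: A and B both sit behind port 0, yet their traffic is meant to
# transit the inline pair. The bridge learns A on port 0, then sees B -> A
# arrive on port 0 and filters it; the relay passes it through.
SAME_SIDE = [(Frame(A, B), 0), (Frame(B, A), 0)]
```

Running `simulate(LearningBridge(), SAME_SIDE)` drops the reply frame, whereas `simulate(TransparentRelay(), SAME_SIDE)` relays both frames.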

Bugfixes and improvements

  • Analysis reports for executables now show the file name of each analysis subject instead of just naming subjects "Subject 1", "Subject 2", etc.

  • The Downloads tab has been improved to make navigation between the "unique" and "all" views more intuitive by using a dropdown menu at the top of the page.

  • Several fixes and robustness improvements to configuration updates that take the Sensor in/out of inline mode.

  • Detection of Microsoft Installer files extracted from traffic is now more robust.

  • The Monitoring Logs section in the web UI could previously show erroneous warnings about PF_RING packet capture module lockups. This has been resolved.

Deprecation of API methods

No additional methods of the legacy API (/ll_api/ll_api) are being deprecated or removed in this version.

The Lastline API documentation includes a deprecation schedule for methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.

Released appliance versions

As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:

  • Lastline Sensor version 710