Version 2018.3
New features
- Expose intrusions to all enterprise customers
- Life-cycle support for intrusions
- Add timeline view to intrusion details to display timeline of infections on hosts involved in the intrusion
- Logging improvements to sensor-generated email logs
- Intrusion correlation rule linking malicious attachments to network detection
- Notifications for intrusions
- Promote unusual INFO events to detection events
- Intrusion correlation rule for detecting lateral movement
- Use the local threat intelligence cache to rate-limit data to upload
- Configuring POP3/IMAP polling interval via web UI
- Support exporting of historical data in Excel-friendly format
Expose intrusions to all enterprise customers
The Intrusions tab is now accessible to all enterprise users. Security analysts typically have to triage multiple events and incidents that are in some cases part of the same threat and attack. Lastline's Intrusions functionality "connects the dots" by intelligently combining several events and incidents across one or multiple hosts that represent the same threat and require a coordinated response. The new easy-to-navigate interface provides a graph of the attack that shows the relationships between internal and external hosts and the attack method or malware used. Intrusions reduces time to remediation, raises alert fidelity, and ultimately reduces risk by connecting the dots.
This change was tracked internally as FEAT-3114
Life-cycle support for intrusions
To support the workflow of analysts who need to triage and respond to intrusions in their network, the intrusions functionality of the Lastline Portal has been extended with support for life-cycle actions. Specifically, analysts will be able to:
- assign an intrusion to a specific analyst, or unassign it
- change the state of the intrusion. New intrusions start in "Open" state, and can be moved to "In Progress" when an analyst is working on the issue, and to "Done" when work is completed.
- filter the intrusions listing view by status or assignee
A new permission, "can be workflow assignee", has been introduced to control which portal users intrusions can be assigned to. As with the other permissions, administrators automatically have this permission and are able to grant it to other accounts.
Intrusions in the "Done" state will be automatically re-opened and transitioned to the "updated" state if the intrusion is updated with significant new information, such as a new detection.
This change was tracked internally as FEAT-3113
Add timeline view to intrusion details to display timeline of infections on hosts involved in the intrusion
In the portal UI, a new "Timeline" tab is introduced on the Intrusions detail page. This tab uses a card-based timeline widget to show which host was infected by which malware, and when.
Clicking an individual card shows a full-page summary of the malware and host involved, and displays the available evidence that the host is indeed affected by that malware.
This change was tracked internally as FEAT-3095
Logging improvements to sensor-generated email logs
The sensor now logs more information in the email logs it generates, which can optionally be streamed via syslog. The newly generated information includes additional email headers, parsed "Received" headers, and the prefiltering decision made for each detected URL.
This change was tracked internally as FEAT-3046
Intrusion correlation rule linking malicious attachments to network detection
An intrusion correlation rule was introduced that associates an email containing a malicious attachment with network traffic, detected after that email, that matches the network Indicators of Compromise for the attachment. That is, the attachment is linked with network behavior consistent with what we would expect from a host on which the malicious attachment was opened.
This change was tracked internally as FEAT-3022
Notifications for intrusions
Syslog (SIEM) notifications, generic HTTP notifications, streaming notifications, and email notifications now also support notification for events related to intrusions.
Specifically, a notification is generated:
- when a new intrusion object is created by the correlation logic
- when an intrusion object is updated, such as when a new host or malware is detected to be part of the intrusion
The notification messages include a link for viewing the full details of the intrusion in the Lastline portal, as well as some summary information about the intrusion.
Note that existing notification configurations are not being automatically updated to include this new type of message, so customers with existing notification configurations will have to enable intrusion event triggers in their configurations to start receiving these messages.
The syslog notification format version that includes these new messages is version 8.1. The formats of intrusion event syslog, HTTP, and streaming API messages are described in the integration guides available on the manuals page.
This change was tracked internally as FEAT-3002
Promote unusual INFO events to detection events
Lastline detects a number of activities in a protected network that may be interesting to an analyst but are not per se malicious. These detections generate "INFO" events, which can be viewed in the Lastline Portal Network Events view by setting an appropriate value of the "event outcome" filter.
A challenge with these detections is that the same "INFO" event activity may be completely normal or highly suspicious, depending on the network in which it is detected. As an example, use of the remote desktop protocol (RDP) may be normal in an environment where this protocol is used for legitimate administrative purposes, but can otherwise be a highly suspicious indication that an attacker may be attempting to remote-control a victim host.
With this release, we introduce anomaly detection functionality that is able to detect when certain kinds of INFO detections are unusual for the monitored network and for the specific source and destination hosts involved. When Lastline determines that an INFO detection is unusual, the event is promoted to "detection" mode.
This change was tracked internally as FEAT-2856
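As an added illustration of the promotion logic described above (not Lastline's own code; the release notes do not describe the actual anomaly model), the following assumes a simple rarity heuristic: an INFO event becomes a detection when its type is rare on the monitored network as a whole, or has rarely involved the specific source or destination host. The history, hosts and the `MIN_SEEN` threshold are constructed for the example.

```python
from collections import Counter

# Assumed heuristic (not Lastline's model, which the notes do not describe):
# an INFO event is unusual when its type is rare on the network as a whole,
# or has rarely involved this source or this destination host.
MIN_SEEN = 3

def build_baseline(history):
    """Count past INFO events by type, by (type, source) and by (type, destination)."""
    return {
        "network": Counter(t for t, _, _ in history),
        "src": Counter((t, s) for t, s, _ in history),
        "dst": Counter((t, d) for t, _, d in history),
    }

def classify(event, baseline, min_seen=MIN_SEEN):
    """Return ('detection', reasons) when the INFO event is unusual, else ('info', [])."""
    kind, src, dst = event
    reasons = []
    if baseline["network"][kind] < min_seen:
        reasons.append("rare on the network")
    if baseline["src"][(kind, src)] < min_seen:
        reasons.append(f"rare for source {src}")
    if baseline["dst"][(kind, dst)] < min_seen:
        reasons.append(f"rare for destination {dst}")
    return ("detection" if reasons else "info"), reasons

# Constructed history (not real data): an admin jump host 10.0.0.2 routinely
# uses RDP towards two servers; nothing else has been seen.
HISTORY = ([("RDP", "10.0.0.2", "10.0.0.50")] * 40
           + [("RDP", "10.0.0.2", "10.0.0.51")] * 35)
BASELINE = build_baseline(HISTORY)

if __name__ == "__main__":
    for ev in [("RDP", "10.0.0.2", "10.0.0.50"),                # routine admin RDP: stays INFO
               ("RDP", "10.0.0.77", "10.0.0.50"),               # a workstation starts using RDP
               ("SMB_ADMIN_SHARE", "10.0.0.77", "10.0.0.51")]:  # never-seen event type
        print(ev, classify(ev, BASELINE))
```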
Intrusion correlation rule for detecting lateral movement
Once attackers have established a "beachhead" in a network by compromising some hosts, they may attempt to move laterally within the network to compromise additional hosts. This release improves our detection of such lateral movement activity.
When lateral movement activity is detected, an intrusion object will be generated for that lateral movement. Our correlation logic will include in that intrusion:
- detections indicating that the source host of the lateral movement was compromised before it performed the lateral movement
- detections indicating that the destination host was infected after the incoming lateral movement
This correlation logic will only trigger for hosts within the configured "home network", and will not be activated unless a home network is configured.
Please note that our ability to detect lateral movement in a protected network may be limited by what traffic our network sensors can inspect, based on where they are deployed. Detection of lateral movement activity requires visibility into network traffic within the organization, not just towards the internet.
This change was tracked internally as FEAT-2855
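The correlation rule described above, as an added example that is not Lastline's code: for each lateral-movement detection between two home-network hosts it gathers earlier compromise detections for the source host and later infection detections for the destination host into one intrusion, and does nothing when no home network is configured. The 24-hour correlation window, the `Detection` record layout and all sample hosts and events are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(hours=24)  # assumed correlation window; the notes state none

@dataclass(frozen=True)
class Detection:
    ts: datetime
    kind: str   # "compromise", "lateral_movement" or "infection"
    host: str   # internal host concerned (the source, for lateral movement)
    peer: str   # other end: destination host, or external server involved
    label: str

def in_home_network(ip, home):
    return any(ip_address(ip) in net for net in home)

def correlate_lateral_movement(detections, home, window=WINDOW):
    """One intrusion per lateral-movement detection between home-network
    hosts, with earlier compromise evidence for the source host and later
    infection evidence for the destination host attached."""
    if not home:
        return []  # rule is inactive unless a home network is configured
    intrusions = []
    for lm in sorted(detections, key=lambda d: d.ts):
        if lm.kind != "lateral_movement":
            continue
        if not (in_home_network(lm.host, home) and in_home_network(lm.peer, home)):
            continue  # movement to/from outside the home network: not correlated
        before = [d for d in detections if d.kind == "compromise"
                  and d.host == lm.host and lm.ts - window <= d.ts < lm.ts]
        after = [d for d in detections if d.kind == "infection"
                 and d.host == lm.peer and lm.ts < d.ts <= lm.ts + window]
        intrusions.append({"movement": lm, "source_compromise": before,
                           "destination_infection": after})
    return intrusions

# Constructed sample detections (not Lastline output); 10.0.0.0/8 is the home network.
HOME = [ip_network("10.0.0.0/8")]
T0 = datetime(2018, 6, 1, 9, 0)
SAMPLE = [
    Detection(T0, "compromise", "10.0.0.5", "203.0.113.7", "drive-by download"),
    Detection(T0 + timedelta(minutes=30), "lateral_movement", "10.0.0.5", "10.0.0.9", "admin share access"),
    Detection(T0 + timedelta(hours=1), "infection", "10.0.0.9", "198.51.100.4", "C&C beacon"),
    Detection(T0 + timedelta(hours=2), "lateral_movement", "10.0.0.5", "192.0.2.10", "RDP to non-home host"),
]

if __name__ == "__main__":
    for i in correlate_lateral_movement(SAMPLE, HOME):
        print(i["movement"].host, "->", i["movement"].peer, i["source_compromise"], i["destination_infection"])
```

The second lateral-movement sample targets a host outside the home network, so it yields no intrusion, matching the rule's scope described above.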
Use the local threat intelligence cache to rate-limit data to upload
The sensor now filters the log data it generates for Breach Defender detection more selectively. Filtering takes into account the popularity of specific endpoints and hostnames to better prioritize potential anomalies.
This change was tracked internally as FEAT-2693
Configuring POP3/IMAP polling interval via web UI
In POP3/IMAP mode, an administrator can now configure the POP3/IMAP polling interval for email analysis from the portal UI.
This change was tracked internally as FEAT-1797
Support exporting of historical data in Excel-friendly format
We have added the ability to export data records collected by Breach Defender in CSV format. The functionality can be accessed from the "web requests" and "network flows" tables in the Network Analysis page. The resulting file can be imported, for example, into Excel and other spreadsheet programs.
This change was tracked internally as FEAT-1210
Detection Improvements
- LLMAIL-444: Correctly handle baseStriker URLs in mail analysis.
- LLADOC-576: Improved analysis of Microsoft PowerPoint files using embedded Packager Shell objects.
- LLADOC-580: Better detection of DDE links in Microsoft Office documents.
- LLADOC-582: Better detection of Microsoft Office documents triggering behavior via on-close macros.
- LLADOC-583: More robust classification of embedded remote-objects in Microsoft Office documents.
- MALS-2632, MALS-2634: More robust file-type detection for archives and files within archives.
- MALS-2643: Improved handling of write-protected Microsoft Office documents.
- SIGLOGSCAN-171: Better classification of malware attempting to crash the operating system.
- SIGLOGSCAN-249: Better classification of malware disabling active Windows services.
- SIGLOGSCAN-259: Better detection of code injection via debugging APIs.
- SIGLOGSCAN-272: Better detection of malware abusing USB device history.
- SIGLOGSCAN-274: Better classification of malware trying to hide threads from debuggers.
- SIGLOGSCAN-293: Better detection of vCalendar files embedded within documents.
- SIGLOGSCAN-294: Better detection of malware searching for AV products on macOS.
- SIGLOGSCAN-299: Improved detection for Durandal backdoor.
- SIGLOGSCAN-301: Better classification of DLL-remapping techniques.
- SIGREPSCAN-205: Better detection of deletion of Zone:Identifier information.
- SIGREPSCAN-404: More robust detection of COM hijacking.
- SIGREPSCAN-477: Better detection of malware faking Microsoft Office popup windows.
- SIGREPSCAN-487: Better detection of evasion via USB device (vendor) information.
- SIGREPSCAN-489: Better classification of evasion via stalling code.
- SIGREPSCAN-490: Better classification of abuse of geolocation services.
- SIGREPSCAN-491: Better classification of access to browser-stored credentials.
- FEAT-3161: Improved analysis of Internet Inquiry/Microsoft Excel Web Query data files.
- FEAT-3147: Add support for analyzing XSL containing embedded commands.
- FEAT-3123: Improved extraction of data from TNEF-encoded attachments of emails submitted to Analyst API.
Bug Fixes and Improvements
- USER-2895: Global search now shows results for mail URLs.
- USER-2878: The widget that is used throughout the portal for displaying network packet captures now persists its table settings, such as columns to show/hide and column widths.
- SURI-714: Correct handling of HTTP strings containing invalid characters throughout the sniffing processing pipeline.
- SQUID-22: Change to the default SSL protocol policy used by the sensor when doing TLS inspection in explicit proxy. TLSv1 protocols are now permitted by the sensor.
- SQUID-21: Added support for additional intermediate certificates when performing SSL inspection in explicit proxy.
- SENT-923: Fixes to the processing of HTA files on the sensor for files that have been extracted by the sniffing service or ICAP/explicit proxy.
- SENT-899: Ensure that the sensor has the capability to automatically recover from unexpected error states of the sniffing service.
- SENT-887: Ensure the correct configuration of TCP offloading on sniffing sensors that are configured to sniff on a bonded interface.
- SENT-856: Improvement to the handling of local callbacks on sensor appliances.
- SENT-837: Prevent an appliance update or reconfiguration from needlessly reinitializing correctly configured bridges when running the sensor in inline mode.
- SENT-679: Prevent crashes of the plymouth-upstart-bridge service during the appliance boot sequence.
- PLTF-202: Improved performance of session log API.
- LLMAIL-438: Fix to a bug that would incorrectly attempt to deliver blocked attachments if the first delivery attempt to the MTA next hop was unsuccessful.
- FEAT-3132: The Network IoCs tab after a search in the Intelligence portal now includes additional network class reputation tags for IP addresses. These tags help the user to quickly identify IP ranges that support certain classes of infrastructure such as corporate networks, institution networks, content delivery networks or cloud service providers.
- FEAT-3111: Perform more lightweight analysis of URLs detected as benign.
- FEAT-3051: Improvements to ICAP compatibility with Symantec ProxySG appliances. This addresses previously known issues associated with the analysis of artifacts transferred by means of HTTP chunked encoding.
- FEAT-3047: More reliable streaming of email logs generated by mail sensors. This fixes a previously known issue that was affecting sensors configured to stream logs to external SIEMs using the TCP protocol.
Deprecation of API methods
The following methods of the Lastline Knowledgebase API are being deprecated in this version:
- getlist
- validateinput
- analyse
- search
- export_tasks_domains
- export_tasks_ips
The Lastline API documentation includes a deprecation schedule for deprecated Lastline API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Since release 7.24, all methods of the legacy API (/ll_api/ll_api) are deprecated. The deprecation schedule also includes methods in the legacy API, as well as information on how to replace usage of these deprecated methods with supported methods.
Released appliance versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Enterprise Hosted:
Lastline Sensor version 1010
Deprecation of appliance versions
Since release 7.28, sensor versions before 720 are no longer compatible with the Lastline backend.
Since release 7.24, sensor versions before 717 are no longer compatible with the Lastline backend.
Distribution Upgrade
Sensor version 1010, which is being made available as part of this release, does not support Ubuntu Precise as the underlying operating system distribution. Before upgrading to the latest sensor versions, sensors that are still on Ubuntu Precise must be upgraded to Ubuntu Trusty.
Users can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "trusty". If it is "precise", the appliance distribution needs to be upgraded.
For complete information regarding the upgrade process please refer to the Lastline Support Knowledge Base.