Version 2020.4
New Features
- Added new intrusion contextual sidebar
- Added support for analysis of spreadsheetML files
- Added new blocking pipeline on sensor
- Added user information to host sidebar and profile
- Improved the processing of INFO events
- Added Index records summarizing RDP traffic
- Display MAC address on host sidebar and profile
ADDED NEW INTRUSION CONTEXTUAL SIDEBAR
Intrusions are designed to be detections that need immediate attention and response. To make it easier to triage the intrusion list, Lastline now introduces a new intrusion sidebar that contains key information for the intrusion without having to go through all the details. This faster access to key information will make the triage and remediation of intrusions quicker and more efficient.
This new feature was tracked internally as FEAT-4586
ADDED SUPPORT FOR ANALYSIS OF SPREADSHEETML FILES
Lastline now supports the analysis of SpreadsheetML files.
This new feature was tracked internally as TRES-537
ADDED NEW BLOCKING PIPELINE ON SENSOR
Sensor 1180 includes significant changes to the pipeline used by the sensor to perform blocking, both inline and in passive sniffing. The changes should significantly improve the reliability of blocking action, and enable additional blocking modes in future releases.
More specifically:
- Blocking based on iptables rules in inline mode is now deprecated. When using a sensor in inline mode, we recommend enabling other blocking capabilities by means of the UI (e.g. RST injection for TCP flows).
- Inline mode and passive sniffing now support and implement the same blocking strategies. Their use in inline mode on a sensor will however be more reliable.
- All blocking interaction is logged on sensors in a new logfile, /var/log/llpsv_blocking.log. Events where blocking was attempted will also appear accordingly in the UI.
This new feature was tracked internally as FEAT-5298
ADDED USER INFORMATION TO HOST SIDEBAR AND PROFILE
Lastline now makes user information related to a host (device) on the network more accessible in host profile pages. Both the overall host profile and the host sidebar now more prominently feature user information. Security analysts can more easily access this information and use it for more rapid remediation and response.
This new feature was tracked internally as FEAT-5671
IMPROVED THE PROCESSING OF INFO EVENTS
Lastline creates informational events, called INFO events, for network detections that are considered suspicious but not a high security risk. In the context of a given network, Lastline can then flag specific INFO events as suspicious and surface them more prominently to the analyst.
The release updates the logic responsible for identifying INFO mode network events that are unusual in their specific context. The new logic tracks the history of each host in the network and attempts to identify hosts that are commonly associated with a given type of activity. An activity between hosts that are not typically involved in similar interactions will then be considered unusual.
The updated logic also allows the user to see the outcome of the INFO event analysis in the event details: every INFO event is associated with an outcome that explains why the event was or was not considered unusual.
This new feature was tracked internally as FEAT-5440
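The host-history approach described above, as a constructed illustration rather than Lastline's own logic: a baseline learns which hosts commonly act as source or destination for each activity type, and an INFO event between hosts that are not typically involved is marked unusual with an outcome string. The sample events, host names and the `min_seen` threshold are assumptions made for the example.

```python
"""Constructed illustration of the host-history logic described above.
This is not Lastline's implementation: it learns which hosts are commonly
involved in each activity type and flags an INFO event between hosts that
are not, returning an outcome string like the one now shown in event details."""
from collections import defaultdict

# Constructed history of INFO events: (source host, destination host, activity type).
HISTORY = [
    ("ws-01", "fileserver", "smb_share_access"),
    ("ws-02", "fileserver", "smb_share_access"),
    ("ws-01", "fileserver", "smb_share_access"),
    ("admin-01", "dc-01", "remote_admin"),
    ("admin-01", "ws-02", "remote_admin"),
    ("admin-01", "dc-01", "remote_admin"),
]


class InfoEventBaseline:
    """Per activity type, counts how often each host appears as source or destination."""

    def __init__(self, min_seen=2):
        # Hypothetical threshold: a host seen fewer times than this is 'not typically involved'.
        self.min_seen = min_seen
        self.src_counts = defaultdict(lambda: defaultdict(int))  # activity -> host -> count
        self.dst_counts = defaultdict(lambda: defaultdict(int))

    def learn(self, src, dst, activity):
        self.src_counts[activity][src] += 1
        self.dst_counts[activity][dst] += 1

    def evaluate(self, src, dst, activity):
        """Return (is_unusual, outcome) without modifying the learned history."""
        if activity not in self.src_counts:
            return True, f"no history for activity '{activity}' on this network"
        src_seen = self.src_counts[activity].get(src, 0)
        dst_seen = self.dst_counts[activity].get(dst, 0)
        reasons = []
        if src_seen < self.min_seen:
            reasons.append(f"source {src} rarely initiates '{activity}' (seen {src_seen}x)")
        if dst_seen < self.min_seen:
            reasons.append(f"destination {dst} rarely receives '{activity}' (seen {dst_seen}x)")
        if reasons:
            return True, "; ".join(reasons)
        return False, f"both hosts commonly involved in '{activity}' (src {src_seen}x, dst {dst_seen}x)"


def build_baseline(events=HISTORY, min_seen=2):
    baseline = InfoEventBaseline(min_seen)
    for src, dst, activity in events:
        baseline.learn(src, dst, activity)
    return baseline
```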
ADDED INDEX RECORDS SUMMARIZING RDP TRAFFIC
Lastline collects Remote Desktop Protocol (RDP) network traffic and now stores this information for search and AI-based detection. Additionally, this data is indexed for search and is available for queries, visualization, and reporting using the linked Kibana interface.
This new feature was tracked internally as FEAT-5390
DISPLAY MAC ADDRESS ON HOST SIDEBAR AND PROFILE
The MAC address is an important unique identifier for each host on the network. Lastline creates a unique Host ID based on the MAC address and other host identifiers. Security analysts can now easily access MAC address information in the central host profile screens and in the host sidebar screens that provide quick context on a given host. MAC address mappings make it easier for security analysts to identify hosts and to take more precise remediation and response actions.
It is important to note that the MAC address is derived from DHCP data seen on the network. It is critical that the sensor is placed in the path of the DHCP data flow on the network.
This new feature was tracked internally as FEAT-5345
Detection Improvements
- FEAT-5566: Added correlation rule that correlates high-impact network events with a successful verification outcome into intrusions.
- TRES-1438: Improved detection of Ursnif family.
- TRES-1432: Fixed a false positive on benign files caused by a protection-remover tool.
- TRES-1423: Improved detection of viruses that search for EXE files.
- TRES-1200: Improved detection of End of game malware.
- TRES-1169: Added detection of the C# compiler being invoked from non-PowerShell processes.
- TRES-1149: Improved detection of Regasm/Regsvcs abuse - MITRE ID: T1121.
- TRES-1051: Added detection of third-party files that claim Microsoft authorship.
- TRES-1046: Improved detection of scripts that execute themselves multiple times.
- SENT-2773: Fixed a problem in the file extraction rules for POSIX tar files in sniffing sensors. Transfers of such files are now consistently extracted by the appliance.
- FEAT-5723: Improved intrusion correlation involving outgoing lateral movement activity.
Bug Fixes and Improvements
- FEAT-4021: The network analysis rules language was extended to support writing rules that take into account the tags associated with a host. This extension enables analysts to add rules that apply to specific hosts or groups of hosts.
- USER-4422: Fixed an issue with password verification when editing an account.
- USER-4414: On the Intrusion Profile page, the 'Attack stages' list now shows mail messages associated with specific attack stages.
- SENT-2764: Fixed a bug in the mail processing pipeline that could cause information on the completion of dynamic analysis of attachments to be missed. This would cause MTA mail sensors to sporadically time out waiting for dynamic analysis reports that had in fact been generated.
- USER-4423: Input fields expecting IP addresses no longer force the addresses to be in CIDR format.
- USER-4320: Fixed an issue that was preventing logged-in user records from being shown in the details section of an event.
- USER-4006: Fixed an issue on the email notification edit page that was preventing the update of the custom intrusion subject on save.
- TRES-1435: Fixed a bug involving the proper invocation of EQNEDT32.exe.
- FEAT-5763: The sensor implements further DHCP logging capabilities, including the ability to log DHCP fingerprints and vendor-specific fields.
- FEAT-5243: The sensor now takes into account global reputation information in making decisions on the reputation of extracted files by factoring in the download location.
- FEAT-5235: Fixed an issue where the network traces associated with IDS alerts triggering on the same flow and close in time (within the same second) would not be exposed correctly by the UI.
- TRES-1501: Improved Dropbox URL analysis.
- SENT-2758: The sensor introduces a simplification of the process required to set up inline monitoring on an appliance: configuring inline interfaces in the lastline_setup utility is sufficient to enable inline mode, without any need to explicitly enable the functionality in the sensor configuration UI.
- SENT-2757: Fixed a minor configuration issue where the lljsd daemon would log a large amount of warnings in the appliance syslog. The problem did not affect the detection capabilities.
- FEAT-5741: Dynamic analysis of Flash files is no longer performed. This file type is less prevalent in most environments and static analysis covers these cases.
- FEAT-5318: If the contents of an archive submitted for analysis can only be partially analyzed due to an error in unpacking, the Lastline analyst API now returns an error describing the unpacking error.
- FEAT-5095: NTA records stored in Elasticsearch are now enriched with homenet information. More precisely, two new fields src.homenet and dst.homenet contain the information of whether the source and destination hosts respectively belong to the home network, as configured in the user portal.
- FEAT-4940: Lastline now supports the submission of ELF (Linux) executables for static analysis.
- FEAT-4271: Host Tags have been available in Lastline in previous releases and allow security analysts to apply business or other critical context for each host on the network. Network traffic records stored in Elasticsearch are now enriched with host tags defined by the security analysts. Two new fields src.host_tags and dst.host_tags contain the host tags defined for the source and destination hosts respectively.
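The two enrichments above (FEAT-5095 and FEAT-4271) as one constructed illustration, not Lastline's code: sample NTA-style records get src.homenet, dst.homenet, src.host_tags and dst.host_tags from a homenet list and a host-tag map that stand in for the portal configuration, and a filter shows the kind of question the fields make answerable. The flat `src.ip`/`dst.ip` field names, keying tags by IP address, and all sample values are assumptions made for the example.

```python
"""Constructed illustration of the homenet and host-tag enrichment fields.
Not Lastline's implementation: the record layout, the IP-keyed tag map and
all sample values are assumptions for the example."""
import ipaddress

# Constructed stand-ins for what is configured in the user portal.
HOMENET = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.1.0/24")]
HOST_TAGS = {
    "10.1.2.3": ["finance", "workstation"],
    "10.1.2.10": ["domain-controller"],
}

# Constructed sample NTA records; a real index may nest src/dst as objects.
RECORDS = [
    {"src.ip": "10.1.2.3", "dst.ip": "10.1.2.10", "dst.port": 445},
    {"src.ip": "10.1.2.3", "dst.ip": "203.0.113.7", "dst.port": 443},
    {"src.ip": "198.51.100.9", "dst.ip": "192.168.1.20", "dst.port": 3389},
]


def in_homenet(ip, homenet=HOMENET):
    """True when the address falls inside any configured home network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in homenet)


def enrich(record, homenet=HOMENET, host_tags=HOST_TAGS):
    """Return a copy of the record with the four enrichment fields added."""
    out = dict(record)
    for side in ("src", "dst"):
        ip = record[f"{side}.ip"]
        out[f"{side}.homenet"] = in_homenet(ip, homenet)
        out[f"{side}.host_tags"] = list(host_tags.get(ip, []))
    return out


def outbound_from_tagged(records, tag, homenet=HOMENET, host_tags=HOST_TAGS):
    """Records where a host carrying `tag` talks to a host outside the homenet:
    the kind of Kibana filter these fields make possible."""
    hits = []
    for r in (enrich(x, homenet, host_tags) for x in records):
        if r["src.homenet"] and not r["dst.homenet"] and tag in r["src.host_tags"]:
            hits.append(r)
    return hits
```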
End of support for TLS 1.1
Starting with the next release, 2020.5, all requests to the Lastline user portal and APIs must use HTTPS with support for TLS 1.2 or above. TLS 1.1 will no longer be supported. All client applications that send data to the Lastline portal or APIs will be required to support TLS 1.2 or above. More details are here.
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:
Lastline Sensor version 1180
End of Support For Dell R320 and Dell R420
Lastline is deprecating support for the Dell R320 and Dell R420 on June 30, 2020. Our software will no longer be certified for use on these platforms. For information on the hardware we will continue to support, visit our hardware support page.