Version 2020.8
Distribution Upgrade
Lastline Sensor version 1220 will be the final version that supports Ubuntu Xenial as the operating system distribution. In all future releases, Ubuntu Bionic will be required. To support this distribution upgrade, Sensor 1220 will support both Ubuntu Xenial and Ubuntu Bionic. Before upgrading to any future Sensor version, appliances on Ubuntu Xenial must be upgraded to Ubuntu Bionic while running Sensor 1220. The upgrade of the distribution will require a reboot and may take up to an hour to complete.
You can check the distribution in use by an appliance in the Appliance Status view of the portal. The "Base Distribution" listed should be "bionic". If it is "xenial", the appliance distribution needs to be upgraded.
For instructions and support regarding the upgrade, please refer here. The distribution upgrade is not done automatically to prevent unexpected downtime.
New Features
- Added capability to modify the impact for specific events
- Added integration of RAPID in ICAP
- Added support for collecting cloud asset data
- Added reputation evidence sidebar
- Added integration to provide a feed of Network IoCs to Carbon Black Enterprise EDR
- Added details for user-defined rules in event evidence
ADDED CAPABILITY TO MODIFY THE IMPACT FOR SPECIFIC EVENTS
Added the ability to configure threat impact for network events by defining rules for matching network events and indicating what the new impact range or absolute value should be. Details on how to configure a custom impact range or value are documented here.
This new feature was tracked internally as FEAT-5990
ADDED INTEGRATION OF RAPID IN ICAP
The ICAP daemon has been updated to be able to take advantage of the RAPID file processing pipeline similarly to mail processing and sniffing. Files processed by ICAP are still handled by the llfd daemon that now acts as a simple frontend to the RAPID API.
This new feature was tracked internally as FEAT-6090
ADDED SUPPORT FOR COLLECTING CLOUD ASSET DATA
Defender now supports collecting information about assets present in AWS. Sensors can be configured to query the assets available in the cloud (for example, EC2 instances, S3 buckets); the discovered assets are listed in the Network Explorer page.
This new feature was tracked internally as FEAT-5885
ADDED REPUTATION EVIDENCE SIDEBAR
Sidebar evidence details have been added for the following types of reputation and local reputation evidence: IP, domain, and URL.
This new feature was tracked internally as FEAT-5749
ADDED INTEGRATION TO PROVIDE A FEED OF NETWORK IOCS TO CARBON BLACK ENTERPRISE EDR
This feature enables customers to share Network IoCs identified within their environment with a watchlist in Carbon Black Enterprise EDR. From there, administrators can decide what actions to take when connections to these known-malicious sites occur. To set up this integration, please read the instructions here.
This new feature was tracked internally as FEAT-6040
ADDED DETAILS FOR USER-DEFINED RULES IN EVENT EVIDENCE
For events that are triggered by user-defined custom rules, there will be an event summary that indicates the details of the matching user-defined rule in the event evidence.
This new feature was tracked internally as FEAT-6020
Detection Improvements
- TRES-1279: Improved detection of Shell.Explorer Objects in OLEs.
- FEAT-5968: Added two correlation rules that correlate events for transfers of malicious files into intrusions. One rule correlates events based on the files' SHA-1 hashes, while the other rule correlates events based on the malware and antivirus family labels associated with the files' analysis tasks.
- TRES-1884: Improved detection of Cobalt Strike implants.
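To illustrate the two FEAT-5968 correlation keys, here is an added example (not Lastline code) that groups constructed file-transfer events on the same host by shared SHA-1, by shared malware or antivirus family label, and then merges both rules into intrusions. The event fields, hosts and hashes are assumed for illustration.

```python
from collections import defaultdict

# Constructed sample events (not from the product): one malicious file
# transfer each, with the SHA-1 and the family labels from its analysis task.
SHA_X, SHA_Y, SHA_Z = "a" * 40, "b" * 40, "c" * 40
EVENTS = [
    {"id": 1, "host": "10.0.0.5", "sha1": SHA_X, "malware_family": "Emotet", "av_family": "Trojan.Emotet"},
    {"id": 2, "host": "10.0.0.5", "sha1": SHA_X, "malware_family": None, "av_family": None},
    {"id": 3, "host": "10.0.0.5", "sha1": SHA_Y, "malware_family": "Emotet", "av_family": None},
    {"id": 4, "host": "10.0.0.9", "sha1": SHA_X, "malware_family": "Emotet", "av_family": None},
    {"id": 5, "host": "10.0.0.9", "sha1": SHA_Z, "malware_family": "Dridex", "av_family": None},
]

def correlate_by_sha1(events):
    """Rule 1: events on one host that transfer the same SHA-1 belong together."""
    groups = defaultdict(list)
    for e in events:
        if e.get("sha1"):
            groups[(e["host"], e["sha1"])].append(e["id"])
    return {k: v for k, v in groups.items() if len(v) > 1}

def correlate_by_family(events):
    """Rule 2: events on one host whose analysis tasks share a family label belong together."""
    groups = defaultdict(set)
    for e in events:
        for label in (e.get("malware_family"), e.get("av_family")):
            if label:
                groups[(e["host"], label)].add(e["id"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def build_intrusions(events):
    """Merge both rules: events linked by either key form one intrusion (union-find)."""
    parent = {e["id"]: e["id"] for e in events}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x
    for groups in (correlate_by_sha1(events), correlate_by_family(events)):
        for ids in groups.values():
            for other in ids[1:]:
                parent[find(other)] = find(ids[0])
    clusters = defaultdict(list)
    for e in events:
        clusters[find(e["id"])].append(e["id"])
    return sorted(sorted(c) for c in clusters.values() if len(c) > 1)

if __name__ == "__main__":
    print(build_intrusions(EVENTS))  # events 1, 2 and 3 chain into one intrusion
```

Event 2 has no family label and event 3 has a different hash, yet both end up in the same intrusion as event 1 because each rule supplies one of the links.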
Bug Fixes and Improvements
- FEAT-6089: The Suricata daemon in charge of the sensor IDS capabilities now runs as a Docker container. The associated logs on the sensor have consequently changed slightly: the main Suricata log is now located at /var/log/suricata/suricata-lastline-daemon.log.
- SENT-2952: Previous sensor versions were affected by an issue where non-inline processing modes (such as passive sniffing) still enforced a default maximum processing time of 1 hour on messages. Under high load, this could cause messages extracted by sniffing to fail to be processed correctly. This problem is now fixed, and the maximum processing time is enforced only in MTA mode.
- SENT-2943: Improved robustness of the TLS NTA processing when a full ja3s fingerprint cannot be extracted.
- SENT-2922: Improved file extraction logic for sniffing sensors by implementing additional checks to minimize the likelihood of over-extracting partial or irrelevant files, which in the past led to excessive load on large installations.
- PLTF-1361: Fixed an issue that could lead to excessive memory usage in the "session-tracker-daemon", causing it to stop retrieving user login events from Active Directory servers.
- FEAT-6396: The version of Kibana has been upgraded to 7.9.1.
End of Support for McAfee Threat Intel Exchange
Starting with the next release, 2020.9, support for the McAfee Threat Intel Exchange integration will be removed from the product offering. Additional details will be provided on alternative methods for exchanging data with McAfee Threat Exchange at that time.
Changes to macOS Support
In the next release, 2020.9, we will be changing the way in which we analyze macOS and Android files. We will continue to analyze the macOS files that are likely to compromise systems, as well as PDF and Word documents that can impact both macOS and Windows operating systems; however, Android files and some macOS file types will no longer be analyzed. For additional details, please contact Lastline Support.
Deprecation of API Methods
The Lastline API documentation includes a deprecation schedule for deprecated Portal API methods, as well as information on how to replace usage of these deprecated methods with supported methods.
Released Appliance Versions
As part of this release, we are making available the following versions of Lastline appliances for use with Lastline Defender Hosted:
Lastline Sensor version 1220