Getting more value from your endpoint security tool #1: Querying Tips for security and IT operations

As the son of an automotive mechanic, I was always in awe of the tools in my father’s toolbox. The range of sizes, types, and capabilities was fascinating to me and I was constantly underfoot; wanting to know the application for each. Some had multiple purposes, while others were for very specific applications. He always took the time to explain their use and would demonstrate it. Once I had learned and had hands-on experience, my life changed forever.

The same holds true for security tools today. Vendors release new products, add new features and your “toolbox” keeps expanding. Without understanding the application of the tools, having a set of step-by-step instructions, or knowing what outcome is supposed to occur, let alone what to do with the outcome, most of these tools turn into “shelfware”.

In January 2020, we added a new endpoint detection & response (EDR) capability, Orbital Advanced Search to the AMP for Endpoints Advantage offering. It’s a powerful tool and we want to be sure you feel empowered to take advantage of its full value – the same way I felt about all of those tools in my father’s garage many years ago.

This blog will be the first in a series, with the objective of, taking you through queries that are available to you using Orbital Advanced Search tool. You can run a “Live Query” on your endpoints or schedule them to be recurring “Jobs” to identify vulnerabilities, reduce your attack surface, begin threat hunts, and in the instance that you need to mitigate a breach, gather and investigate real-time data of your endpoints. Why do you want to do all these things? It’s simple – save you time and your organization money.

Orbital Advanced Search has four use case classifications:

• Threat Hunting
• Incident Investigation
• IT Operations
• Vulnerability and Compliance

Using a crawl, walk, run methodology, lets’ start with four basic use cases that provide instant value to Security and IT Operations. With Orbital Advanced Search, the query results are returned in seconds. As you run through these use cases, imagine how much time and how many resources it would take if you had to do them without Orbital Advanced Search. Below are some quick, easy-to-understand queries that you can run daily to stay ahead of the attackers!

Let’s get started!

Threat Hunting:

YOU WANT TO: Check for suspicious activity in your endpoints.

Orbital Catalog Query to run: Process Running Without A Binary On Disk – detects a process whose original binary has been deleted or modified.

WHY THIS IS IMPORTANT: This falls under the “Defense Evasion” MITRE ATT&CK Tactic. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

STEPS:

1. Select the endpoints you wish to query
2. Search the Catalog for “Process Running Without A Binary On Disk”
3. Click the “+” to copy into your SQL query window
4. Close the Query Catalog Window
5. Click the Query button

QUERY RESULT: If there are no results, the endpoints you queried do not have any process running without a binary on disk. If there are results, you are going to have to take action on those endpoints.

Incident Investigations

YOU WANT TO: Check for suspicious programs on your endpoints / establish a timeline of when they were installed.

Orbital Catalog Query to run: Installed Programs On Windows Host – retrieves data from installed programs on the host.

WHY THIS IS IMPORTANT: This query retrieves the name, version, publisher, and install date for all installed programs on the endpoint. For a posture assessment, you are confirming that the versions installed are the latest, and from trusted publishers. For forensics, you can investigate the same information to look for any anomalies.

STEPS:

1. Select the endpoints you wish to query
2. Search the Catalog for “Installed Programs On Windows Host”
3. Click the “+” to copy into your SQL query window
4. Close the Query Catalog Window
5. Click the Query button

QUERY RESULT: If you are investigating an incident, you will want to check for any irregularities, either in software titles (a title that is not approved to be installed), any unknown publishers of software, and the installation date of approved software to see if malware is spoofing the name of approved software.

IT Operations

YOU WANT TO: Identify software update issues that may result in programs crashing on your endpoints.

Orbital Catalog Query to run: Windows Crashes Monitoring – retrieves data from Windows crash logs such as timestamp, version, etc.

WHY THIS IS IMPORTANT: It retrieves data from Windows crash logs based on the pattern provided. This query can save your organization time and money, allowing you to get ahead of a faulty patch or update that causes system crashes. These crashes can result in numerous help desk tickets all opened for the same reason.

STEPS:

1. Select the endpoints you wish to query
2. Search the Catalog for “Windows Crashes Monitoring”
3. Click the “+” to copy into your SQL query window
4. Close the Query Catalog Window
5. Click the Query button

QUERY RESULT: The data returned is a listing of all the endpoints selected for the query, and either “No results for this host”, or extended detail about the crash including date, time, module, path, PID, TID, and version.

Vulnerability and Compliance

YOU WANT TO: Ensure hosts’ operating systems are the most recent versions to avoid vulnerabilities to malicious attacks.

Orbital Catalog Query to run: Operating System Attributes – retrieves host’s Operating System Platform, Product Name, Build, etc.

WHY THIS IS IMPORTANT: Ensuring that a host’s operating system is current is critical in the reduction of vulnerabilities on that host. Additionally, for compliance with regulation guidelines: PCI-DSS, GDPR, HIPAA, and others, require that hosts’ operating systems are secure.

STEPS:

1. Select the endpoints you wish to query
2. Search the Catalog for “Operating System Attributes”
3. Click the “+” to copy into your SQL query window
4. Close the Query Catalog Window
5. Click the Query button

QUERY RESULT: Review the data returned from the query, confirm OS Platform or ID, distribution or product name, both major and minor release versions, and optional build-specific or variant strings. Identify any hosts that need updating and act on those hosts.

After working through these use cases and you discover that you might like to run a query on a scheduled basis, with the results sent to an application or data store of your choice, you may want to create a scheduled job in Orbital Advanced Search. To learn how to schedule a “Job”, click https://orbital.amp.cisco.com/help/jobs/.

That’s it! Easy enough to get you started on your understanding of some of the capabilities, outcomes, and value of Cisco’s Orbital Advanced Search.

If you don’t already have Cisco AMP for Endpoints and are interested in trying out Orbital Advanced Search, sign up for our virtual Threat Hunting Workshop, or request a free trial.

Stay tuned, the next blog contains a set of queries that will cover threat hunting and how you can use Orbital Advanced Search to hunt based on atomic indicators (intelligence-driven), behavior and compound indicators (tactic- and technique-driven), and generic behaviors (anomaly-driven).