Bad actors go to great lengths to evade detection and gain access to your network. Once attackers establish a foothold on the endpoint, they can persist there, even if some of their artifacts are blocked by a security tool. Incident responders have long struggled to fully revert all persistence mechanisms, leading to recurring malware on the endpoints, with potential lateral movement and exfiltration to follow.

With the introduction of Remote Scripts powered by Orbital, a search and response feature of Cisco Secure Endpoint in either the Advantage or the Premier tier, incident responders can respond to sophisticated threats with minimal business disruption, and administrators can provide an overall safer and better user experience.

Remote Scripts harnesses the power of Orbital Advanced Search capabilities, which provide hundreds of prepared queries curated by Cisco’s Talos threat intelligence group, allowing you to quickly run complex queries on any endpoint.

Consider the Talos Incident Response Trends Report for Q2 2023, which states the top persistence mechanism observed was the abuse of Windows Task Scheduler to create scheduled tasks, allowing adversaries to execute programs or commands at scheduled times or at system startup.

The release of Remote Scripts can help with exactly this kind of threat, by allowing you to eliminate persistent threats while avoiding business disruption. For instance, re-imaging an infected workstation takes time and costs organizations valuable resources; remote scripts provide granular response actions needed to eliminate persistence (such as removing scheduled Windows tasks) so that the endpoint can be brought back to a known good state.

Secure Endpoint and Remote Scripts stand above the rest of the pack

You don’t need to be a scripting expert to use this new feature. Remote Scripts offers a unique catalog-based approach curated by Talos, which makes scripting easy to use for every level of practitioner. Talos maintains a catalog of hundreds of script actions that are easy to choose from and can be run across multiple endpoints with a few clicks. Examples of catalog scripts include removing Windows startup items, terminating a process, or even mitigating a Windows Search Remote Code Execution Vulnerability (CVE-2023-36884).

For an experienced incident responder, there is freedom to run or schedule your own custom scripts, with minimal to no restrictions on what can be done. This approach allows incident responders to create sophisticated incident response (IR) playbooks and powerful automation workflows. Remote Scripts can be used in combination with Secure Endpoint’s isolation feature, which cuts off lateral movement and exfiltration by only allowing an endpoint to communicate with Secure Endpoint and blocking all other traffic. Remote Scripts can also be used in combination with Cisco’s XDR for extensive Security Orchestration, Automation, and Response (SOAR) workflows, allowing for much shorter incident response times.

Prevent and respond to attackers before they gain access or move laterally

The current threat landscape emboldens bad actors to use weapons that have a diverse set of capabilities to achieve their goals. With this new feature, Cisco provides a scripting environment that security operations centers (SOCs) can use to craft countermeasures that respond to different actions based on the tactics, techniques, and procedures (TTPs) associated with the malicious activity seen.

Remote Scripts reduces incident response times and allows the creation of countermeasures tailored to the specific endpoint ecosystem, based on the type of business the incident responder is acting upon. Having targeted countermeasures tied to response playbooks increases the probability of defeating the attacker’s operation.

Bad actors also frequently use tools that persist in the system and leverage remote desktop protocol (RDP) connections for lateral movement. Such attacks can be counteracted with Remote Scripts by executing a script to ‘Remove a Registry key’ or ‘Disable RDP’ for the suspicious machine, and by shutting down the endpoint remotely until it can be analyzed properly.

Remote Scripts delivers on Cisco Security Cloud drivers that focus on protecting security ecosystems

Organizations continue to migrate applications to the cloud, which has increased the number of targeted attacks on those devices and applications. This expanded threat landscape has added pressure on SOC analysts to monitor not only on-premises devices, but cloud stored devices and applications as well.

This feature enhancement to Secure Endpoint and our Security Cloud feature will provide practitioners the ability to:

  • Reduce friction by placing security closer to users, their data, and their applications — and simplify how they interact with all these things.
  • Improve visibility and threat protection with actionable insights across networks, clouds, endpoints, and applications to help SecOps teams hunt, investigate and remediate threats.
  • Provide single-pane-of-glass visibility, monitoring, and reporting: unified management will enable policy to be set in one place and replicated to all networks, endpoints, and systems, even third-party ones.

Where to get Remote Scripts powered by Orbital?

Remote scripts are available if you currently have Cisco Secure Endpoint in either the Advantage or the Premier tier. If you do not currently have either of those packages, you can speak with your account representative to discuss the best option to upgrade your Cisco Secure Endpoint instance to gain access to this robust feature.





Truman Coburn

Product Marketing Manager

Cisco Security