DeceptionGrid 7.3 Administration Guide [PDF]


v. 7.3 Administration Guide

TrapX® Security, February 2022 trapx.com

Contents

Preface .... 4
Overview: DeceptionGrid System Architecture .... 5
    Appliance .... 5
    Full OS Trap .... 6
    TSOC .... 7
    Deception Tokens .... 7

Getting Started .... 8
    Logging into TSOC for the First Time .... 8
    Securing DeceptionGrid .... 8
    Signing the TSOC Certificate .... 9
    Configuring TSOC Timeout .... 10
    Controlling TSOC Access .... 10
    Setting the Management Framework .... 11
    Managing Companies or Departments .... 11
    Licensing .... 13
    Configuring Proxy .... 15
    Configuring Email .... 16
    Configuring TSOC's Clock .... 16

DeceptionGrid Administration .... 18
    Integrating with Third-Party IT Systems .... 18
    User Authentication and Authorization .... 24
    Setting Up DeceptionGrid Appliances .... 28
    Integrating with Third-Party Security Systems .... 30
    Updating DeceptionGrid .... 48
    Enabling CLI / SDK / API .... 51
    Enabling Attack Intelligence .... 51
    Whitelisting Legitimate Connections: Event Exceptions .... 52
    Asset Inventory .... 54
    Suppressing Repeat Events .... 55

Network Intelligence Sensor Administration .... 56
    Deploying Network Intelligence Sensor .... 56

DeceptionGrid Administration Guide, © TrapX

2

    Updating NIS Intelligence Feeds .... 57

Full OS Trap Administration .... 59
    Setting Up Full OS Trap .... 59
    Maintaining Full OS Trap .... 66
    Upgrading a Full OS Trap .... 67
    Removing a Full OS Trap .... 67

DeceptionGrid in Kubernetes .... 69
    DeceptionGrid in Kubernetes Overview .... 69
    DeceptionGrid Appliance in Docker (evaluation) .... 69
    Setting Up DeceptionGrid in Kubernetes .... 70
    Deploying Appliances in Kubernetes .... 72

Troubleshooting and Maintenance .... 74
    Enabling Remote Support Access .... 74
    Managing Appliance Routing .... 74
    Backup & Restore .... 75
    Stopping or Restarting the Trap Service .... 76
    Administration Menus .... 76
    Repairing or Reconfiguring a Full OS Trap .... 82
    Viewing TSOC Logs .... 83
    Obtaining Diagnostics .... 84
    Testing Communications .... 84


Preface

This Administration Guide covers initial DeceptionGrid™ setup and system administration. After installing the main DeceptionGrid components (TSOC and Appliances) as described in the DeceptionGrid Installation Guide, go over the sections in this guide and configure as needed. For an understanding of DeceptionGrid, and for deploying emulation and deception in your organizational network, see the DeceptionGrid Security Deployment Guide. For event management and security analysis, see the DeceptionGrid Security Handling & Analysis Guide.


Overview: DeceptionGrid System Architecture

For deployment throughout an organization, TrapX Security® DeceptionGrid includes a multi-tiered set of tools for deception, emulation, and interception. For an understanding of these tools' functions and deployment in an organizational network, see the DeceptionGrid Security Deployment Guide. Here we describe the software components that enable these functional tools. The various DeceptionGrid tools are realized through the combination of several separately-installed software components:

In This Section
    Appliance .... 5
    Full OS Trap .... 6
    TSOC .... 7
    Deception Tokens .... 7

Appliance

DeceptionGrid's main component is the DeceptionGrid Appliance, which hosts emulation traps and the (optional) Network Intelligence Sensor (NIS). The Appliance includes a hardened, closed OS on a physical or virtual device, or in Kubernetes pods (see DeceptionGrid in Kubernetes on page 69). To enable emulation traps, Appliance network interfaces are connected to organizational network switches and to organizational networks:


Appliances' virtual child interfaces have addresses throughout organizational networks and perform relevant emulation. When attackers connect to these emulation traps, the Appliance responds deceptively according to emulation type and configuration, and records an Event alert.

An Appliance supports up to 512 traps across up to 200 networks (including VLANs). To deploy more than 512 traps or to more than 200 networks, or to deploy traps in separate locations, deploy multiple Appliances. For NIS, another of the Appliance's network interfaces is connected to a relevant network device such as the firewall.

Full OS Trap


For a higher level of realistic interaction and of attack monitoring, install the TrapX Full OS Trap agent on a full (virtual) computer. The host computer can be configured with any software, data, and settings. Full OS traps are independently deployed (see Full OS Trap Administration on page 59). Emulation traps' emulated services can be proxied to a full OS trap, so the full OS trap's real service will respond to emulation trap attackers, providing optimal realism and fuller monitoring of those attacks. For some architectural purposes, Full OS traps are treated as Appliances.

TSOC

The TrapX Security Operations Console (TSOC) manages Appliances and traps, including Full OS traps. TSOC serves a web user interface, through which administrators and security personnel can administer Appliances, deploy and manage traps, and monitor security events.

All common deployment, administration, and security event handling tasks are performed in TSOC's web interface.

Deception Tokens

Produced and distributed from TSOC, deception tokens are various types of static records on existing organizational endpoints that lure and direct attackers to emulation traps. Communications between components are secured.


Getting Started

This section describes initial tasks that should be performed before further configuration and deployment tasks.

In This Section
    Logging into TSOC for the First Time .... 8
    Securing DeceptionGrid .... 8
    Signing the TSOC Certificate .... 9
    Configuring TSOC Timeout .... 10
    Controlling TSOC Access .... 10
    Setting the Management Framework .... 11
    Managing Companies or Departments .... 11
    Licensing .... 13
    Configuring Proxy .... 15
    Configuring Email .... 16
    Configuring TSOC's Clock .... 16

Logging into TSOC for the First Time

Once TSOC is set up (see the DeceptionGrid Installation Guide), to log in and change the initial password, point any browser to:

    https://<TSOC address>:8443

TSOC initially has a single user account, with Super Admin role and permissions:

    Username: super_admin
    Initial password: L0g2tsoc (case sensitive)

Upon first login, change the password:

Passwords must contain at least six characters including at least one upper-case character and one numerical character.

Securing DeceptionGrid

In production environments, the following steps are recommended to harden security:


1. For TSOC:
   a. In the TSOC server's console, log in as mng (with the password defined at setup), and:
      i. Make sure to have a strong password for access to this Administration Menu. To change the password, go to Global Settings > Change 'mng' User Password.
      ii. Go to Global Settings > Enable/Disable SSH, and disable SSH. Note that as a result, access to TSOC's Administration Menu will be only from the server's direct console.
   b. Log into TSOC's web interface (see Logging into TSOC for the First Time on page 8) as super_admin, and:
      i. Sign the TSOC certificate (see Signing the TSOC Certificate below).
      ii. Make sure to have a strong password. To change the password, go to Settings > Users > User info > Change password.
      iii. Control TSOC access (see Controlling TSOC Access on page 10).
      iv. Set a session timeout (see Configuring TSOC Timeout on page 10).
2. For each DeceptionGrid Appliance:
   a. In the Appliance's console, log in as sensor (default password: Log2sensor), and:
      i. Go to Global Appliance Settings > Change setup Password, and set a strong password for the setup user.
      ii. Go to Global Appliance Settings > Change sensor Password, and set a strong password for access to this Administration Menu.
   b. In TSOC, go to Appliances > select Appliance > Configuration > Settings, and set SSH Service to Disabled (prevents starting upon future reboots) and Stopped (immediate stop). Note that as a result, access to the Appliance's Administration Menu will be only from its direct console.

Signing the TSOC Certificate

You can sign TSOC's certificate with your organization's or another recognized Certificate Authority (CA). This will prevent your browser from warning you every time you connect to TSOC, and will enable the deception token installer and/or CLI/SDK/API commands and scripts to require validation of TSOC. To sign the TSOC certificate:

1. In TSOC, go to Settings > General > SSL:




2. Provide your organizational information, and click Generate and Download.
3. Once the certificate is signed, under Upload click in each relevant field to upload and then click Save.

Configuring TSOC Timeout

Session timeout causes user login to expire after a specified time of inactivity. To configure TSOC session timeout, in TSOC go to Settings > General > Login > Login settings:

Controlling TSOC Access

You can limit login to TSOC (Local / LDAP; not SSO (see Enabling TSOC SAML Authentication (SSO) on page 25)) to be only from a specified Access Control List (ACL) of source IP addresses or IP ranges. To configure the TSOC ACL, in TSOC go to Settings > General > ACL, and select Allow TSOC access only from the following addresses:


To add an item to the list, click Add IPs.

Setting the Management Framework

The DeceptionGrid deployment can be managed in either of two modes (Frameworks):

1. MSSP: Appliances and their traps are assigned to separate Companies.
2. On Premise: Appliances and their traps are assigned to separate Departments.

Appliance assignment is defined at its initialization to TSOC. The separation between companies or between departments affects various aspects of TSOC, including user and Appliance assignment and event visibility. Some management aspects are separated only in MSSP mode, for greater security. User separation depends on user role (see Overview of User Authentication and Authorization on page 24). User assignment to a company or department is part of the user's settings.

To define the framework (MSSP / On Premise), in TSOC go to Settings > License Manager > Framework:

You can select to White label TSOC pages and email messages, so they will use company or department branding (see Managing Companies or Departments below) rather than TrapX branding.

Managing Companies or Departments

To manage companies or departments, depending on the management framework (see Setting the Management Framework above), in TSOC go to Settings > Companies / Departments:


To add a company or department, click Add. To view or edit an existing one's details, click its details icon.

In the details Info tab, you can upload a logo for branding of some TSOC pages and email messages. If you selected to white label (see Setting the Management Framework on page 11), make sure to go to the Logos tab and provide all the needed types of logos. Note that the required resolution and graphic format of each is specified:

Details include a Status of Enabled / Disabled; it is also possible to suspend a company or department. When enabled but suspended, events continue to be recorded (just not displayed); when disabled, no events are recorded. To change a company's or department's Status (Enabled / Disabled), edit its details. To suspend or delete it, first remove its license (see Licensing on page 13); then click the suspend icon or the delete icon. To view a company's or department's assigned traps and users, from its details page go to the Resources tab:


Licensing

TrapX provides a global license specifically for your system. The global license defines expiration and total allowed numbers of traps for the entire system. After uploading the global license file (.lic) to TSOC, you need to allocate those allowances to your companies or departments, depending on your management framework (see Setting the Management Framework on page 11).

In This Section
    Global License .... 13
    Allocating Licenses .... 14

Global License

TrapX provides a global license specifically for your system. The global license defines expiration and total allowed numbers of traps for the entire system. To obtain and upload a global license, in TSOC go to Settings > License Manager > Global license:


Copy the Unique System Key and send it to TrapX or to your reseller. Once you receive a license file for your system, Upload it.

Allocating Licenses

After uploading the global license file (.lic) to TSOC as above, you need to allocate those allowances to your companies or departments. To manage license allocation to companies or to departments, go to Licenses:

The bottom of the page lists companies or departments with allocated licenses; from above, you can Search to filter the list. To allocate a license:


1. Click Add license.
2. Select license details and click Create:
3. Click Apply license (otherwise the license is still disabled!):

Configuring Proxy

If TSOC is deployed behind your organizational proxy server, you need to provide TSOC with the organizational proxy settings, so that TSOC can pull updates and intelligence feeds from TrapX and so that configured integrations work properly. To configure proxy settings, in TSOC go to Settings > General > Proxy:


Only Basic Authentication is supported (not NTLM / Kerberos).

Configuring Email

To enable TSOC users to receive emails with reports and alerts, provide TSOC with your organizational email server details. In TSOC, go to Settings > General > Mail:

By Relay Server provide the mail server address, and provide its connection details. To customize email message text fields, select Use Custom info. You can Test Mail. Make sure to Save.

Configuring TSOC's Clock

Appliance clocks must be synchronized with TSOC's clock. To facilitate this, TSOC should either have an accurate time and time zone from its underlying virtualization environment, or you can connect it directly to an NTP server.


To connect TSOC to NTP, in TSOC go to Settings > General > Time & Date:


DeceptionGrid Administration

This section describes additional configuration and setup tasks. These are in addition to the initial basic configuration (see Getting Started on page 8).

In This Section
    Integrating with Third-Party IT Systems .... 18
    User Authentication and Authorization .... 24
    Setting Up DeceptionGrid Appliances .... 28
    Integrating with Third-Party Security Systems .... 30
    Updating DeceptionGrid .... 48
    Enabling CLI / SDK / API .... 51
    Enabling Attack Intelligence .... 51
    Whitelisting Legitimate Connections: Event Exceptions .... 52
    Asset Inventory .... 54
    Suppressing Repeat Events .... 55

Integrating with Third-Party IT Systems

Some of TSOC's functionality depends upon integration with the following organizational systems.

In This Section
    Enabling SMB Signing Support .... 18
    Integrating with Full OS Trap Infrastructure .... 20
    Monitoring Appliance Health .... 21
    Monitoring TSOC Health .... 23

Enabling SMB Signing Support

SMB is a common communication protocol between endpoints and servers that an attacker may use to try to connect from a compromised endpoint to the emulated SMB service of a Windows emulation trap. SMB is secured by SMB signing; on properly-patched endpoints, SMB signing is enforced. For traps to be able to properly authenticate and respond to these signed connections, and to improve traps' ability to report additional information on attackers, integrate your DeceptionGrid Appliances with your organizational domain controller (DC) as below. If your network uses multiple DCs, integrate each Appliance with the DC that could be used in the network segments in which its traps are deployed.


Note: With the DC integration configured, make sure that traps' emulated SMB services (see the DeceptionGrid Security Deployment Guide) are set to Automatic authentication; otherwise, credential lists provided there will override the domain. From non-signing endpoints (SMB1), Automatic authentication will accept all credentials.

To integrate, you'll need to perform some configuration on both sides: on the DC, define a computer object to represent the Appliance; in TSOC, configure each Appliance's connection to the DC and the details of the same computer object, as which the Appliance will represent itself to the DC. Multiple Appliances can use the same computer object. The DC details you configure in TSOC can also be automatically used for external AD / SIEM configuration.

To integrate DeceptionGrid Appliances with one or more DCs:

1. On each relevant DC, configure a computer object by running:

       net computer \\<name> /add
       net user <name>$ *

   where <name> is a name for the new object. At the prompt, provide a new password for the computer object.
2. For each relevant Appliance:
   a. In TSOC, go to Appliances > Appliance > Configuration > Settings, scroll down to Configure SMB Domain and click the edit icon:
   b. Select Enable SMB Domain, provide details of the DC (Domain name, FQDN, DC IP address and host name), and the details of the above configured computer object (name and password):


   c. For these details to be used for external AD / SIEM configuration (for Active Directory tokens and Cached Credential tokens), provide the location in the organizational AD Schema where the token should be recorded and select Use this information for external AD / SIEM configuration.
   d. Click Apply.

Integrating with Full OS Trap Infrastructure

To enable maintaining full OS traps via TSOC (see Maintaining Full OS Trap on page 66), TSOC must be integrated with your organizational virtual infrastructure. This requires providing TSOC with connection details and relevant credentials for the virtual infrastructure. To integrate TSOC with your organizational VMWare vCenter Server:

1. Obtain connection details to the vCenter Server (not directly to ESX!), including a user account with the VM Administrator role (or another role with privileges for creating VM templates and deploying VMs from them) for all full OS trap host ESX servers.
2. In TSOC, go to Settings > General > Eco System > Infrastructure > VMWare ESX, and provide the connection and credential details:


3. Save.

Monitoring Appliance Health

DeceptionGrid Appliances monitor system health and performance, and log results internally. Optionally, you can also have Appliances send some logged information via syslog. Specifically, you can configure Appliances to send either or both of:

1. Alerts: By specified minimum severity level of current status
2. Periodic reports: Sent regardless of current status, at configurable intervals, containing detailed health and performance information

Monitored indicators include:

- System resources such as CPU, RAM, and disk utilization, and network interfaces
- Essential processes related to Appliance and trap operation
- Control and data connectivity between the Appliance and TSOC

These system health syslogs do not include security events and usually should not be sent to a SIEM. The syslogs are sent via the local4 facility and use standard syslog severity levels:

- Emergency: System is unusable
- Alert: Action must be taken immediately
- Critical: Critical conditions
- Error: Error conditions
- Warning: Warning conditions
- Notice: Normal but significant conditions
- Informational: Informational messages

Sent logs may increase in severity as time goes on without resolution. Here's an example of sent alerts:


    May 2 07:45:01 localhost service_watchdog: [172.16.1.99WARNING] - service: mwtrap is DOWN
    ...
    May 2 07:45:05 localhost service_watchdog: [172.16.1.99WARNING] - service: mwtrap failed to restart and is DOWN
    ...
    May 2 08:00:01 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap is DOWN
    ...
    May 2 08:00:04 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap failed to restart and is DOWN

Upon any log of level Warning or above, please contact TrapX support.

To configure Appliance health syslog alerting and/or reporting:

1. In TSOC, go to Appliances > Appliance > Configuration > Settings, and by Syslog server (monitoring) click the edit icon:
2. Select to Send and provide the syslog server's address:
3. Configure as follows: Select the interfaces whose status to monitor. Select the minimum severity level that should trigger an alert. By Report every, set the interval for periodic reports. To disable periodic reports (leaving only alerts), enter 0.
4. Click Apply.


Monitoring TSOC Health

TSOC monitors its own system health and performance, and logs results internally. Optionally, you can also have TSOC send the following over syslog:

1. Alerts: By specified minimum severity level of current status
2. Periodic reports: Sent regardless of current status, at configurable intervals, containing detailed health and performance information

Monitored indicators include:

1. System resources such as CPU, RAM, and disk utilization, and network interfaces
2. Essential processes related to Appliance and trap operation
3. Control and data connectivity between the Appliance and TSOC

These system health syslogs do not include security events and usually should not be sent to a SIEM. The syslogs are sent via the local4 facility and use standard syslog severity levels:

1. Emergency: System is unusable
2. Alert: Action must be taken immediately
3. Critical: Critical conditions
4. Error: Error conditions
5. Warning: Warning conditions
6. Notice: Normal but significant conditions
7. Informational: Informational messages

Sent logs may increase in severity as time goes on without resolution. Here's an example of sent alerts:

    Oct 13 07:00:02 192.168.180.50 monitor: [192.168.180.50-EMERG] - disk: sar timestamp: 07:00:02: used space(%): 100.00, used space(MB): 97, free space(MB): 0 disk: sar timestamp: Summary:: used space(%): 40.91, used space(MB): 35.74, free space(MB): 8959 disk: sar timestamp: Summary:: used space(%): 100.00, used space(MB): 100.00, free space(MB): 97 disk: sar timestamp: Summary:: used space(%): 5.57, used space(MB): 0.48, free space(MB): 2417 disk: sar timestamp: Summary:: used space(%): 5.58, used space(MB): 0.49, free space(MB): 2458

Upon any log of level Warning or above, please contact TrapX support.

To configure TSOC health syslog alerting and/or reporting:

1. In TSOC, go to Settings > General > Eco System > Monitoring, select to Send and provide the syslog server's address:


2. Select the minimum severity level which should trigger an alert. Select the interval for periodic reports. To disable periodic reports (leaving only alerts), enter 0.
3. Click Apply.
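The Appliance and TSOC health feeds above share one message shape: a syslog prefix, then a bracketed tag [<address>-<SEVERITY>] (the guide's own sample also shows the hyphen-less form [172.16.1.99WARNING]), a component such as service or disk, and the message. The following Python parser is added here as an illustration and is not part of the guide or of TrapX's tooling: it normalizes both feeds, flags everything at Warning or above (the guide's threshold for contacting support), extracts disk usage from TSOC disk reports, and detects the severity escalation the guide describes for unresolved conditions. The sample lines are constructed after the page's examples; the INFO label and the nis service name are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity labels as written inside the bracketed tag, mapped to standard syslog
# numeric levels (0 = Emergency ... 6 = Informational). EMERG, CRIT and WARNING
# appear in the guide's examples; the remaining spellings are assumptions.
SEVERITY_LEVELS: Dict[str, int] = {
    "EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3, "ERROR": 3,
    "WARNING": 4, "WARN": 4, "NOTICE": 5, "INFO": 6,
}

# <timestamp> <host> <program>: [<address>-<SEVERITY>] - <component>: <message>
# The hyphen before the severity is optional: the guide's sample shows both
# "[172.16.1.99-CRIT]" and "[172.16.1.99WARNING]".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[\w.-]+): "
    r"\[(?P<source>\d{1,3}(?:\.\d{1,3}){3})-?(?P<sev>[A-Z]+)\] - "
    r"(?P<component>[a-z_]+): (?P<msg>.*)$"
)
DISK_USED_RE = re.compile(r"used space\(%\): (\d+(?:\.\d+)?)")

@dataclass
class HealthEvent:
    timestamp: str
    host: str
    program: str
    source: str     # address inside the tag: the Appliance or TSOC reporting
    severity: str   # label as written, e.g. WARNING, CRIT, EMERG
    level: int      # numeric syslog level; lower is more severe
    component: str  # "service", "disk", ...
    message: str

def parse_line(line: str) -> Optional[HealthEvent]:
    """Parse one health syslog line; None for anything that is not one."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("sev") not in SEVERITY_LEVELS:
        return None
    return HealthEvent(m.group("ts"), m.group("host"), m.group("prog"),
                       m.group("source"), m.group("sev"),
                       SEVERITY_LEVELS[m.group("sev")],
                       m.group("component"), m.group("msg"))

def parse_lines(lines: List[str]) -> List[HealthEvent]:
    return [e for e in map(parse_line, lines) if e is not None]

def subject_of(event: HealthEvent) -> str:
    """Service name for service_watchdog lines, otherwise the component."""
    return event.message.split()[0] if event.component == "service" else event.component

def needs_support_ticket(event: HealthEvent, threshold: str = "WARNING") -> bool:
    """The guide asks to contact TrapX support for any log at Warning or above."""
    return event.level <= SEVERITY_LEVELS[threshold]

def disk_used_percent(event: HealthEvent) -> Optional[float]:
    """Highest used-space percentage in a disk report (TSOC packs several
    mounts into one line); None for non-disk events."""
    if event.component != "disk":
        return None
    values = [float(v) for v in DISK_USED_RE.findall(event.message)]
    return max(values) if values else None

def escalation_summary(events: List[HealthEvent]) -> Dict[Tuple[str, str], dict]:
    """Per (source, subject): message count, worst severity, and whether severity
    rose after the first message, as the guide says happens while unresolved."""
    summary: Dict[Tuple[str, str], dict] = {}
    for e in events:
        entry = summary.setdefault((e.source, subject_of(e)),
                                   {"count": 0, "first": e.severity,
                                    "worst": e.severity, "escalated": False})
        entry["count"] += 1
        if e.level < SEVERITY_LEVELS[entry["worst"]]:
            entry["worst"] = e.severity
        if e.level < SEVERITY_LEVELS[entry["first"]]:
            entry["escalated"] = True
    return summary

# Constructed sample modeled on the guide's two examples (not real log data).
SAMPLE_SYSLOG = """\
May  2 07:45:01 localhost service_watchdog: [172.16.1.99WARNING] - service: mwtrap is DOWN
May  2 07:45:05 localhost service_watchdog: [172.16.1.99-WARNING] - service: mwtrap failed to restart and is DOWN
May  2 08:00:01 localhost service_watchdog: [172.16.1.99-CRIT] - service: mwtrap is DOWN
May  2 08:05:00 localhost service_watchdog: [172.16.1.99-INFO] - service: nis is UP
Oct 13 07:00:02 192.168.180.50 monitor: [192.168.180.50-EMERG] - disk: sar timestamp: 07:00:02: used space(%): 100.00, used space(MB): 97, free space(MB): 0 disk: sar timestamp: Summary:: used space(%): 40.91, used space(MB): 35.74, free space(MB): 8959
unrelated line that should be ignored
"""

if __name__ == "__main__":
    events = parse_lines(SAMPLE_SYSLOG.splitlines())
    for key, entry in escalation_summary(events).items():
        print(key, entry)
    for e in filter(needs_support_ticket, events):
        print("open support ticket:", e.source, e.severity, subject_of(e))
```

Point the script at the syslog file your collector writes for the local4 facility to get a per-Appliance view of which conditions are recurring and climbing in severity.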

User Authentication and Authorization

In This Section
    Overview of User Authentication and Authorization .... 24
    Enabling TSOC SAML Authentication (SSO) .... 25
    Enabling TSOC LDAP / Active Directory Authentication .... 26
    Configuring Users .... 27

Overview of User Authentication and Authorization

TSOC can be configured to authenticate users in one of the following modes:

1. Local and LDAP: All users submit their credentials directly in TSOC. Each user's credentials can either be stored locally in TSOC, or, if TSOC has been integrated with organizational LDAP / Active Directory (see Enabling TSOC LDAP / Active Directory Authentication on page 26), the user can be configured for LDAP / Active Directory authentication. In this case, when the user tries to log into TSOC, TSOC queries the organizational LDAP / Active Directory server for authentication.
2. SAML (single sign-on): Upon attempting to connect to TSOC, users are redirected to the organizational SAML-based Identity Provider (IdP) system (for example, PingFederate or OneLogin) for authentication. Users log into the organizational system, according to whatever security protocols are organizationally required (for example, multifactor authentication), and are then automatically redirected back to TSOC, where they are automatically authorized according to TSOC user configuration. Depending on IdP configuration, users who are already logged into the organizational system (for example, when they accessed another integrated organizational application) may be immediately authorized without needing to log in specifically for TSOC.

In either case, authenticated users are authorized for accessing TSOC as configured in their user details in TSOC. Each configured user has one of the following Roles:


1. Global roles (no limitation by Appliance or trap):
   a. Super Admin: Full permissions over the entire system.
   b. Global Analyst: Read-only view of Dashboard, Analysis (including workflow actions), and Intelligence.
2. Scoped roles (users with the following roles are limited to assigned Appliances and Full OS Traps):
   a. Administrator: All highest-level tabs except for Coverage. Deception is limited to Tokens (for campaign assignment); Settings are limited to Users (for the Administrator's own company or department), Logs (just Audit), and Updates. An Administrator cannot initialize or shut down Appliances.
   b. Trap Manager: Similar to an Administrator, but the Settings tab is not available. A Trap Manager also cannot configure Reports, delete Forensics, remove an Appliance from TSOC, or assign Appliance users.
   c. Read-Only User: Read-only view of Dashboard, Analysis (including workflow actions), and Intelligence.

Enabling TSOC SAML Authentication (SSO)

One of the ways to configure TSOC to authenticate organizational users (see Overview of User Authentication and Authorization on page 24) is via SAML integration: Upon attempting to connect to TSOC, users are redirected to the organizational SAML-based Identity Provider (IdP) system (for example, PingFederate or OneLogin) for authentication. Users log into the organizational system, according to whatever security protocols are organizationally required (for example, multifactor authentication), and are then automatically redirected back to TSOC, where they are automatically authorized according to TSOC user configuration. Depending on IdP configuration, users who are already logged into the organizational system (for example, when they accessed another integrated organizational application) may be immediately authorized without needing to log in specifically for TSOC.

To configure SAML authentication:

1. In TSOC, go to Settings > General > Login > SAML Authentication:


   Make note of the two SP URLs at the bottom of the page.

2. In your organizational IdP, configure TSOC as an Application or Service Provider. Use the above two URLs for the relevant fields. Note that field names differ among IdPs. Make note of the URLs displayed by the IdP as its identity and for SSO.
   The user detail fields that the IdP will pass to TSOC upon authentication must include the user's email address, which will be used to match the authenticated user with the user's configuration in TSOC, for authorization. Make note of the exact field name which will contain the email address.
   Make sure you have the certificate used by the IdP.

3. Back in TSOC, select Enable SAML authentication and configure the relevant URLs and certificate. If the IdP does not have an independent URL for metadata, for Metadata URL use the same URL as for ID. In the Email attribute field, provide the exact name of the field in which the IdP will provide authenticated users' email addresses.

4. Test the connection, and upon success Save the configuration.

To disable SAML authentication (reverting to Local and LDAP authentication), in the above SAML Authentication page clear the main check box. If you can't access the TSOC UI (for example, there's a problem with the IdP), use the TSOC Server Administration Menu (see Administration Menus on page 76) option to Disable SAML authentication.

Enabling TSOC LDAP / Active Directory Authentication

Organizational users can be authenticated for TSOC access by the organizational Active Directory or other LDAP server. Users submit their credentials directly in TSOC; each user's credentials can be configured either locally in TSOC, or, if TSOC has been integrated with organizational LDAP / Active Directory as below, the user can be configured for LDAP / Active Directory authentication. In this case, upon the user submitting credentials to TSOC, TSOC queries the organizational LDAP / Active Directory server for authentication.

Active Directory authentication requires that TSOC not be in SAML authentication mode (see User Authentication and Authorization on page 24).

To enable authorizing organizational Active Directory users to access TSOC, provide TSOC with connection details to the organizational Active Directory:

1. In TSOC, go to Settings > General > Login > LDAP Authentication:


2. Select Enable Active Directory / LDAP authentication, and configure connection details.

3. Optionally, Test the connection. You'll be prompted to provide credentials to be tested.

4. Save.

Configuring Users

Create and manage users at: Settings > Users:

To add a user, click Add user and configure the user's details, including authentication, role, and personal details. To view or edit an existing user's details, click the edit icon by the user.

If TSOC is configured for SAML authentication (see Overview of User Authentication and Authorization on page 24), all users' authentication will be by the organizational IdP rather than as defined in user details. For authorization, the IdP-authenticated user will be matched to TSOC user configuration by the Email address as defined in TSOC user details, so make sure to set the correct email address.

User details include a Status of Enabled / Disabled. It is also possible to temporarily suspend a user: click the suspend icon to suspend, and the resume icon to resume. You can also lock or unlock a user with the lock / unlock icons; when a user tries unsuccessfully to log in too many times, their account is automatically locked.

For users with scoped roles (see Overview of User Authentication and Authorization on page 24), assign Appliances and Full OS Traps, in Appliances > Appliance > Users > Add user:


Setting Up DeceptionGrid Appliances

This section describes initial and ongoing configuration tasks for DeceptionGrid Appliances.

In This Section
Initializing Appliances ..... 28
Configuring DeceptionGrid Appliances ..... 29

Initializing Appliances

Once a DeceptionGrid Appliance has been set up as in the DeceptionGrid Installation Guide, you need to initialize it to TSOC. TSOC displays the number of Appliances available for initialization:

To initialize an Appliance:

1. Either click the above number, or, in the Appliances page click See Pending:

Pending Appliances are displayed:

2. By the Appliance click Initialize, and provide Appliance details:


3. Click Finish.

Configuring DeceptionGrid Appliances

From TSOC, you can view and edit Appliance details and services, including enabling remote access and sending Appliance Syslogs. You can manage an Appliance's state, including rebooting, suspending or shutting it down, and you can remove it from TSOC management.

To configure or manage an Appliance:

1. In TSOC go to Appliances > Appliance > Configuration > Settings:

2. Edit the Appliance’s details and services, or perform actions, as needed:


   Appliance clocks must be synchronized with TSOC's clock (see Configuring TSOC's Clock on page 16), so make sure to set either the Time zone and Time, or the NTP Service. SSH and NTP services can be Started or Stopped immediately, and Enabled or Disabled to control whether they run after subsequent reboots.

3. When you're done making changes, make sure to click Apply.

Integrating with Third-Party Security Systems

You can integrate DeceptionGrid with the following types of organizational security systems.


In This Section
Integrating with Forensic Analysis Systems ..... 31
Integrating with Data Analysis (SIEM / BI) ..... 32
Enabling VirusTotal Checks ..... 37
Integrating with Endpoint Protection ..... 37
Integrating with Network Access Control Systems ..... 40
Integrating with Organizational Firewalls ..... 46

Integrating with Forensic Analysis Systems

You can have TSOC automatically submit suspicious files to a forensic analysis system (sandbox), subsequently receive analysis results from the sandbox, and display the results. To do this, integrate TSOC with a third-party system that performs the forensic analysis on potential malware. You can integrate with an existing organizational sandbox, or TrapX can provide one.

DeceptionGrid uses the third-party sandbox's API for file submission and result retrieval. Any files uploaded in the context of trap interactions are automatically submitted for analysis (subject to sandbox file type support). Retrieved results are displayed in the TSOC Forensics page and are also available in downloadable PDFs (see the DeceptionGrid Security Handling and Analysis Guide, Forensic Analysis).

You can integrate with any one of the following supported third-party sandboxes:

1. McAfee Advanced Threat Defense (ATD; available from TrapX). With ATD integration, TSOC provides the analysis results also in ATD-produced STIX and ZIP formats, in addition to the usual TSOC display and downloadable PDF.
2. Cisco Advanced Malware Protection (AMP) Threat Grid
3. Palo Alto Networks WildFire
4. ThreatTrack ThreatAnalyzer
5. Cuckoo. With Cuckoo integration, automatic file submissions are not supported; you'll need to manually activate file submission from TSOC.

Note: Only one sandbox can be integrated at a time. Enabling one automatically disables all others.

To configure sandbox integration:

1. From your organizational sandbox administrator, obtain the necessary connection details. These should include the sandbox's URL and API authentication key or credentials (for cloud sandboxes) or IP address and port number (for on-premise installations). For McAfee ATD, you'll also need the relevant Analyzer profile ID, which determines analysis details.

2. In TSOC, go to Settings > General > Eco System > Sandbox:


3. Select the relevant sandbox vendor, select Enable and provide the connection details.

4. Click Apply.

Integrating with Data Analysis (SIEM / BI)

TSOC trap and NIS events can be brought into organizational data analysis systems such as Security Information and Event Management (SIEM) or Business Intelligence (BI) applications, in either of two ways, as described in the following sections.

In This Section
Sending Events via Syslog ..... 32
Retrieving Events via ODBC ..... 35

Sending Events via Syslog

TSOC can send trap and NIS events to one or more SIEM or other syslog servers. Only UDP (not TCP) is supported. As an alternative, you can have DeceptionGrid Appliances directly send their events via syslog.

Note: Whereas TSOC displays events aggregated by session, syslogs list each connection individually. This may cause the appearance of mismatches between the TSOC display and syslogs.

Send events from TSOC

1. In TSOC, go to Settings > General > Eco System > SIEM > Syslog:


2. For each destination Syslog server, click the add icon, provide connection details and click Add.

3. Select which Event Types TSOC should send.

4. Click Apply.

Send events from Appliance

1. In TSOC, go to Appliances > Appliance > Configuration > Settings, and by Syslog server (security) click the edit icon:

2. Enable Syslog and provide the syslog server's address. Click Apply.

The sent events are in CEF format, and include the following fields:

Key                 Description                                                               ArcSight Label
cat                 The type of the event (reconnaissance, interaction, ...)                  deviceEventCategory
cs1                 Geo location: source country of the malicious request                     Custom String 1
cs2                 Geo location: destination country of the malicious request                Custom String 2
cs3                 Attack details: list of commands used during an attack                    Custom String 3
cs4                 Indication of whether there is a PCAP in the transaction                  Custom String 4
cs5                 The company or department where the event was found                       Custom String 5
cs6                 Whether the Full OS is a proxy or not (Yes / No)                          Custom String 6
cs7                 Trap emulation type (for example, Linux, Windows Server; empty for NIS)   Custom String 7
cs8                 Trap OS version (for example, Windows 2012 R2; empty for NIS)             Custom String 8
deviceExternalId    The ID of the emulation trap                                              deviceExternalId *
deviceFacility      The name of the appliance that produced the alert                         deviceFacility
deviceNtDomain      The emulation trap name                                                   deviceNtDomain
devicePayloadId     Indication of whether there is a payload for the specific attack          devicePayloadId
deviceProduct       TSOC                                                                      deviceProduct
deviceVendor        TrapX                                                                     deviceVendor
dhost               The destination address of a malicious activity                           destinationHostName
dpt                 The port that was being used in the attack                                destinationPort
dst                 The IP of the victim                                                      destinationAddress
dvchost             The hostname of the attacker machine                                      deviceHostName
end                 Timestamp when the event ended                                            EndTime
externalId          The event ID in TSOC                                                      externalId
fileHash            The hash of the file                                                      fileHash
fileType            The type of the file                                                      fileType
fname               Name of a malicious file that was saved on a trap                         fileName
msg                 Additional information about the attack                                   message
proto               The port protocol used in the attack                                      protocol
requestURL          NIS event payload, first 1024 characters as printable                     request
rt                  The start time of an activity                                             deviceReceiptTime
spt                 The source port of the request                                            sourcePort
src                 Source address of malicious activity                                      sourceAddress
start               Timestamp when the event started                                          StartTime

* The mapping for deviceExternalId may trigger a sidetable protection in ArcSight due to the number of possible emulation traps. If you encounter this, the mapping for deviceExternalId will have been automatically moved to deviceCustomString6. To prevent it from being remapped in this way, increase the threshold defined by the dstprotector[1].maxsize property in the agent.properties file of the connector receiving the events.
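The field table above in working form, as an added example that is not TrapX code: a parser for the CEF lines TSOC sends via syslog (handling the CEF escapes for "|", "=" and "\"), which then groups the per-connection lines by externalId (the TSOC event ID) so that the counts can be reconciled with TSOC's per-session display, as the Note above describes. The sample lines are constructed from the field table; the CEF header values (signature ID, event name, severity, product version) are assumptions, since the page does not document TSOC's header.

```python
"""Parser for the CEF events TSOC sends via syslog, plus per-session
reconciliation.  Added example, not TrapX code."""
import re

# Constructed sample lines, following the field table in this section. The
# CEF header values (signature ID, name, severity, version) are assumptions.
# Syslog lists each connection individually: TSOC event 1001 (one session in
# the TSOC UI) therefore appears twice, with different source ports.
SAMPLE_LINES = [
    "<14>Feb 10 12:00:01 tsoc CEF:0|TrapX|TSOC|7.3|100|Interaction|5|"
    "rt=Feb 10 2022 12:00:01 cat=interaction src=10.1.2.3 spt=51000 "
    "dst=10.9.9.9 dpt=445 proto=TCP externalId=1001 deviceExternalId=trap-07 "
    "deviceNtDomain=FS01 deviceFacility=appliance-1 cs1=US cs2=US cs4=Yes "
    "cs6=No cs7=Windows Server msg=SMB login attempt user\\=admin",
    "CEF:0|TrapX|TSOC|7.3|100|Interaction|5|rt=Feb 10 2022 12:00:04 "
    "cat=interaction src=10.1.2.3 spt=51002 dst=10.9.9.9 dpt=445 proto=TCP "
    "externalId=1001 deviceExternalId=trap-07 deviceNtDomain=FS01 "
    "deviceFacility=appliance-1 cs1=US cs2=US cs4=Yes cs6=No "
    "cs7=Windows Server cs3=whoami; dir c:\\\\share msg=SMB session",
    "CEF:0|TrapX|TSOC|7.3|101|Port\\|Scan|3|rt=Feb 10 2022 12:05:00 "
    "cat=reconnaissance src=10.1.2.4 spt=40000 dst=10.9.9.10 dpt=22 proto=TCP "
    "externalId=1002 deviceExternalId=trap-08 deviceNtDomain=LNX02 "
    "deviceFacility=appliance-1 cs1=US cs2=US cs4=No cs6=No cs7=Linux "
    "msg=SSH probe",
]

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")

# Seven pipe-terminated header fields (a field may contain an escaped "\|"),
# then the extension. search() skips any syslog prefix before "CEF:".
_HEADER_RE = re.compile(r"CEF:" + r"((?:\\.|[^|\\])*)\|" * 7 + r"(.*)$", re.S)

# Extension pairs are separated by a space followed by "key="; an escaped
# "\=" inside a value does not start a new pair.
_EXT_SPLIT = re.compile(r" (?=[A-Za-z0-9_.]+=)")


def _unescape(value):
    # Undo CEF escaping: \| and \= become | and =, \\ becomes \, and the
    # \n / \r sequences become newline / carriage return.
    def repl(m):
        return {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1))
    return re.sub(r"\\(.)", repl, value)


def _parse_extension(ext):
    fields = {}
    for token in _EXT_SPLIT.split(ext.strip()):
        key, sep, raw = token.partition("=")
        if sep:                       # skip empty tokens
            fields[key] = _unescape(raw)
    return fields


def parse_cef(line):
    """Return {"header": {...}, "ext": {...}} for one CEF syslog line."""
    m = _HEADER_RE.search(line)
    if m is None:
        raise ValueError("not a CEF line: %r" % line[:60])
    header = {name: _unescape(raw)
              for name, raw in zip(HEADER_FIELDS, m.groups()[:7])}
    header["severity"] = int(header["severity"])
    return {"header": header, "ext": _parse_extension(m.group(8))}


def reconcile_sessions(lines):
    """Group per-connection syslog lines by externalId (the TSOC event ID),
    which is the unit TSOC displays as one session."""
    sessions = {}
    for line in lines:
        event = parse_cef(line)
        ext = event["ext"]
        event_id = ext.get("externalId")
        if event_id is None:
            continue                  # not a TSOC event line
        session = sessions.setdefault(event_id, {
            "name": event["header"]["name"],
            "category": ext.get("cat"),
            "src": ext.get("src"),
            "dst": ext.get("dst"),
            "trap": ext.get("deviceNtDomain"),
            "appliance": ext.get("deviceFacility"),
            "has_pcap": ext.get("cs4") == "Yes",   # cs4: PCAP present
            "commands": [],                        # cs3: attacker commands
            "source_ports": [],
            "connections": 0,
        })
        session["connections"] += 1
        session["source_ports"].append(ext.get("spt"))
        if ext.get("cs3"):
            session["commands"].append(ext["cs3"])
    return sessions


if __name__ == "__main__":
    for event_id, s in reconcile_sessions(SAMPLE_LINES).items():
        print("event %s: %s %s -> %s (%s on %s), %d connection(s), pcap=%s"
              % (event_id, s["name"], s["src"], s["dst"], s["trap"],
                 s["appliance"], s["connections"], s["has_pcap"]))
```

Feeding the parser the lines a syslog server actually received, and comparing the connection counts per externalId with the TSOC Monitor, is the quickest way to confirm that an apparent mismatch is only the session-versus-connection difference described in the Note.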

Retrieving Events via ODBC

For a data analysis application to pull TSOC trap and NIS events via ODBC:

1. In TSOC, go to Settings > General > Eco System > SIEM > ODBC:

2. Select Enable ODBC, click Add connection and provide the data analysis application's IP address. Connections from this address will be authorized to view relevant parts of TSOC's database.
   Note: If the connections to TSOC will go through a NAT gateway, provide that gateway's IP address, as this is what will appear in the connections as the source address.

3. Click Apply, and Apply.

4. Configure the data analysis application to retrieve relevant data, using the following credentials:
   Username: odbc_nms
   Password: odbc_nms88$
   These credentials are fixed and shared by every ODBC client, so the IP address list configured in step 2 is the control that limits who can use them.


The available ODBC views are:

1. real_time_monitor: Information on Network Intelligence Sensor (NIS) events, including the following fields:

   ODBC Field        TSOC Equivalent        Description
   SName             Trap name
   STimezone         NA                     Time zone ID
   sid               NA                     Trap ID
   cid               Event ID
   timestamp         Timestamp
   sig_id            NA
   sig_name          Event name
   sig_class_name    NA
   source_ip         Source IP
   destination_ip    Destination IP
   ip_src_country    Source country
   ip_dst_country    Destination country
   tcp_dst_port      Port                   Used for checking severity level
   tcp_src_port      Source port            Used for checking severity level
   udp_dst_port
   payload           NA                     Payload information

2. malware_connection_monitor: Information on emulation trap Connection events, including the following fields:

   ODBC Field        TSOC Equivalent        Description
   SName             Trap name
   STimezone         NA                     Time zone ID
   SID               NA                     Trap ID
   ID                Event ID
   local_port        Port
   remote_host       Attacker IP
   ip_dst_country    Destination country
   TIMESTAMP         Start

3. malware_trap_monitor: Information on emulation trap Download events, including the following fields:

   ODBC Field           TSOC Equivalent        Description
   SName                Trap name
   STimezone            NA                     Time zone ID
   Id                                          Event ID
   download_md5_hash    MD5 hash
   remote_host          Attacker IP
   ip_dst_country       Destination country
   TIMESTAMP            Start
   virus_name           Malware name

The following views appear to the ODBC connection but are not for use:
   dxl_malware_trap_monitor
   view_white_list_and_false_positive_connections_list
   view_white_list_and_false_positive_downloads_list

Enabling VirusTotal Checks

You can enable TSOC to submit suspicious files' MD5s to the well-known VirusTotal service for malware analysis. When integrated, VirusTotal detection ratios are displayed in the TSOC Monitor and Event Workflow pages for relevant events.

To integrate with VirusTotal:

1. Go to the VirusTotal website, create an account, and obtain the account's API key.

2. In TSOC, go to Settings > General > Eco System > VirusTotal:

3. Provide the API Key and click Apply.

Integrating with Endpoint Protection

You can integrate with the following endpoint protection products.

In This Section
Integrating with McAfee DXL for ePO ..... 37
Integrating with Carbon Black Cb Response ..... 39

Integrating with McAfee DXL for ePO

TSOC can send malware infection and NIS events to McAfee Data Exchange Layer (DXL) on McAfee ePolicy Orchestrator (ePO) or on an organizational McAfee Threat Intelligence Exchange (TIE) for message handling, to be used in McAfee products such as ePolicy Orchestrator (ePO), Active Response, or custom API scripts. In addition, an ePO extension is provided to bring the events into ePO and enable appropriate querying and reporting in ePO. With extension installation, some preconfigured ePO queries and a TrapX dashboard are added to ePO; you can also configure your own.

To integrate TSOC with McAfee DXL:

1. Make sure organizational firewalls allow the following traffic from TSOC:
   a. To ePO: TCP 8443, TCP 443
   b. To TIE / broker: TCP 8883

2. Make sure your organizational ePO is running the McAfee Mobile ePO (MePO) extension. For more information on this extension, see McAfee KB84824.

3. In ePO, go to Menu > User Management > Permissions Sets, and enable (Edit, select and Save) the following permissions:
   a. Group Admin > DXL McAfee MePO Certificate Creation > Create DXL McAfee MePO Certificates
   b. Group Admin > McAfee DXL Fabric > View Data Exchange Layer Fabric
   c. DXL MePO Authentication Permission Set > DXL McAfee MePO Certificate Creation > Create DXL McAfee MePO Certificates

4. Create an ePO user (Menu > Users > New User) with the following Manually assigned permission sets:
   a. Group Admin
   b. DXL MePO Authentication Permission Set

5. In TSOC, go to Settings > General > Eco System > Endpoint Protection > McAfee DXL, select Enable McAfee DXL, and provide:


   a. ePO connection details (to be authenticated to the TIE agent handler, TSOC needs to first connect directly to ePO):
      i. ePO IP Address or resolvable name, and its Port
      ii. Username and Password of the user you created in step 4
   b. TIE agent handler IP address or resolvable name, and Port

6. Enable ePO to pull the events from the TIE agent handler:
   a. Download the TrapX ePO extension .ZIP file from: https://share.trapx.com/fl/ZCrffNZBWA
   b. In ePO, go to Menu > Software > Extensions and click Install Extension:

   c. Click Choose File, navigate to the TrapX extension and click OK.

When the extension installation is complete, the extension will appear in ePO's left-hand navigation menu as Third Party > TrapX DXL. Preconfigured queries appear under TrapX and in the preconfigured TrapX dashboard. You can configure additional relevant queries by going to Menu > Reporting > Queries & Reports > New Query > Others and selecting TrapX Botnet detector (for NIS events) or TrapX MD5. You can add queries to any ePO dashboard.

Integrating with Carbon Black Cb Response

TSOC can send malware infection and NIS events to Carbon Black Cb Response, for manual (from Event Analyzer) and optional automatic isolation of attacking endpoints. The integration requires connectivity from TSOC to python.org.

To integrate with Cb Response:

1. From the Cb Response user interface, obtain an API token.

2. In TSOC, go to Settings > General > Eco System > Endpoint Protection > Carbon Black:

3. Select Enable Cb Response integration, and provide the Cb Response server's address and the API token.


4. Optionally, Enable automatic isolation upon selected events.

Integrating with Network Access Control Systems

You can connect TSOC to your organizational Network Access Control (NAC) system: Cisco ISE (see Integrating with Cisco ISE below) or ForeScout CounterACT (see Integrating with ForeScout CounterACT on page 41). The integration enables:

1. Remediation actions: TSOC events or manual action in TSOC can trigger the network security system to display the event in its systems and/or automatically disconnect (divert) the infected endpoint from the network.

2. Endpoint details (Cisco integration only): The Event Analyzer displays an enriched alert, with detailed endpoint-related information.

In This Section
Integrating with Cisco ISE ..... 40
Integrating with ForeScout CounterACT ..... 41

Integrating with Cisco ISE

You can integrate TSOC with Cisco Identity Services Engine (ISE) via the Cisco Platform Exchange Grid (pxGrid). The integration enables:

1. Remediation actions: TSOC events or manual action in TSOC can trigger the network security system to display the event in its systems and/or automatically disconnect (divert) the infected endpoint from the network.

2. Endpoint details: The Event Analyzer displays an enriched alert, with detailed endpoint-related information.

Cisco ISE 2.0 or above is supported.

To integrate with Cisco ISE:

1. Make sure organizational firewalls allow the following traffic from TSOC to ISE:
   TCP 5222
   UDP 5222
   ICMP
   HTTPS
   HTTP

2. In TSOC, go to Settings > General > Eco System > Network Security > Cisco ISE:


3. Select Enable Cisco… and provide connection and authorization details.

4. For event-based automatic endpoint diversion, select Enable automatic Divert policy and select event types that should cause endpoints to be diverted from their networks.

5. Save.

Integrating with ForeScout CounterACT

You can integrate TSOC with ForeScout CounterACT. With the integration, TSOC events or manual action in TSOC can trigger the network security system to display the event in its systems and/or automatically disconnect (divert) the infected endpoint from the network. The integration can also be used for TSOC asset inventory (see Asset Inventory on page 54).

CounterACT 7.0 or above is supported.

To integrate with ForeScout CounterACT:

1. Enable CounterACT to receive Syslog from TSOC. For each CounterACT appliance in your environment:
   a. In CounterACT, go to Tools > Options > Plugins (in CounterACT 8.x: Modules), and make sure you have the Syslog plugin (may be under Core Extensions):


b. Select Syslog and click Configure:

c. Select the CounterACT appliance and click OK:

d. In the Receive from tab, configure an available syslog source with NTSyslog security log and TSOC’s IP address, and click OK:


      Note: Due to a known CounterACT issue, you may need to make any change in another tab to be able to save the configuration.
   e. When configuration is complete, click Close.
   Repeat for each CounterACT appliance.

2. Install and configure the TrapX plugin in CounterACT:
   a. Download the plugin from: https://share.trapx.com/dl/CaIxMIp56C
      If archived, extract the plugin (.fpi file).
   b. In CounterACT, go to Tools > Options > Plugins (in CounterACT 8.x: Modules) and click Install:

   c. Navigate to the downloaded plugin (.fpi file) and click Install. Confirm as needed.
   d. Still in Plugins, select TrapX and click Configure:

e. Provide TSOC’s IP address:

      Note: Test is not supported.
   f. To enable asset inventory retrieval: In the API tab select Enable use of TrapX API, and provide connection details to the TSOC API. The IP address and port are the same as for the TSOC web interface; get the API key (see Enabling CLI / SDK / API on page 51); the API version for the current version of TSOC is 1.5.


      In the Inventory tab select Collect asset inventory for TSOC.
   g. Click Apply.
   h. Click Start.
   i. Select all CounterACT appliances and click OK.

3. Configure CounterACT policy for messages received from TSOC:
   a. In the CounterACT Policy tab, click Add:

b. Select TrapX TSOC > TrapX TSOC Threat Detection, and click Next:

   c. Provide a policy Name and Description and click Next.
   d. In the IP Address Range window, define the scope of relevant endpoints, alerts about which should be handled by the policy. Click OK, Next.
   e. The Main Rule does not need to be changed – it accepts everything and passes on to subrules; so click Next.
      A subrule is preconfigured for each of the following TSOC directives, and its Condition does not usually need to be changed. You do need to select and Edit each subrule and configure its Actions as appropriate for your environment and needs:


      i. TSOC Divert: Enable and Edit the existing Assign to VLAN action and set a relevant VLAN to which to divert, and/or Add other actions as needed.
      ii. TSOC Notify: Enable and Edit the existing Send Email action, and/or Add other actions as needed.
      iii. TSOC Restore: Not usually needed – the configured Divert actions will be automatically canceled as relevant. You can Add actions as needed.
   f. Click Finish.

If you later need to edit the policy, in Policy select TrapX TSOC Threat Detection and click Edit:

4. Configure TSOC to send relevant directives to CounterACT:
   a. In TSOC, go to Settings > General > Eco System > Network Security > ForeScout CounterACT:

   b. Select Enable ForeScout CounterACT, and provide connection details to CounterACT (default port: 514).
   c. For event-based automatic directives to CounterACT, select Automatic Action policy, select event types that should cause endpoints to be diverted from their networks, and for each event type whether to Divert or to Notify:


   d. Save.

5. For asset inventory retrieval, go to Settings > General > Inventory:

Select Retrieve asset inventory, provide connection details to the organizational ForeScout, and configure a schedule for updating the inventory. Click Save.

Integrating with Organizational Firewalls

You can connect TSOC to your organizational firewall deployment. The integration enables, as a remediation action, event-based configuration of the firewalls to begin automatically tracking or blocking similar traffic.


In This Section
Integrating with Check Point Gateways ..... 46
Integrating with Fortinet Firewalls ..... 47

Integrating with Check Point Gateways

You can connect TSOC to your organizational Check Point deployment. The integration enables, as a remediation action, event-based configuration of the firewalls to begin automatically tracking or blocking similar traffic. Upon an NIS or trap event, TSOC configures the Check Point management server with Suspicious Activity Monitoring (SAM) rules defined according to the event traffic: for trap events, according to source IP address; for NIS events, according to destination IP address. You can optionally configure TSOC to create rules automatically, upon specified event types; in any case, you'll have the option to manually create rules from the Event Analyzer.

Check Point R7x or above is supported.

The created SAM rules are effective immediately (including for live connections) on all managed gateways and do not require Install Policy. To view and manage created rules, in Check Point SmartView Monitor go to Tools > Suspicious Activity Rules.

Check Point integration cannot be configured along with any other Network Security integration (as appearing in the TSOC Network Security tab as below).

To integrate with Check Point:

1. Make sure organizational firewalls allow SSH traffic (port 22) from TSOC to the organizational Check Point Security Management server(s).

2. In TSOC, go to Settings > General > Eco System > Network Security > Check Point:

3. Select Enable Check Point SAM Firewall Enforcement, and provide connection details to one or more Check Point Security Management servers, including SSH credentials with administrative permissions.

4. Optionally, Set rule expiration time.

5. Optionally, Enable automatic rule creation and specify event types. For each, set whether the created rule should be configured to Drop connections or just Log them.

6. Save. You can Test the connection (below).


Integrating with Fortinet Firewalls

You can connect TSOC to your organizational Fortinet FortiGate deployment. The integration enables, as a remediation action, event-based configuration of the firewalls to begin automatically blocking similar traffic. Upon an NIS or trap event, TSOC configures the firewall with rules defined according to the event traffic: for trap events, according to source IP address; for NIS events, according to destination IP address. You can optionally configure TSOC to create rules automatically, upon specified event types; in any case, you'll have the option to manually create rules from the Event Analyzer.

FortiGate VM64 version 6.0.3 or above is supported.

FortiGate integration cannot be configured along with any other Network Security integration (as appearing in the TSOC Network Security tab as below).

To integrate with FortiGate:

1. Make sure organizational firewalls allow API traffic (by default, port 443) from TSOC to the organizational FortiGate firewall(s).

2. In TSOC, go to Settings > General > Eco System > Network Security > FortiGate:

3. Select Enable FortiGate Firewall, and provide connection details to one or more FortiGate firewalls' API.

4. Optionally, Set rule expiration time.

5. Optionally, select event types for which rules should be automatically created.

6. Save. You can Test the connection (below).

Updating DeceptionGrid

This section describes several tasks related to updating and upgrading various DeceptionGrid components.


In This Section
Upgrading DeceptionGrid Components ..... 48
Checking for Software Upgrades ..... 49
Upgrading in a Closed Environment ..... 49
Updating NIS Intelligence Feeds ..... 50

Upgrading DeceptionGrid Components

TSOC periodically checks with the TrapX update server for available software updates to TSOC itself and to managed DeceptionGrid components. If TSOC isn't displaying a notification about a software update but you have reason to believe there may be one, you can have TSOC check for updates (see Checking for Software Upgrades on page 49). If in your environment TSOC can't access the TrapX update server, you can still upgrade in a closed environment (see Upgrading in a Closed Environment on page 49).

When a software update for any component is available, a notification appears:

In addition, notifications of available Appliance and Full OS trap updates appear in the Appliances page, and non-updated items are marked:

If a software update to Deception Tokens is provided independently of TSOC itself, a notification appears also in Settings > Updates > Deception Tokens:

Note: Before updating, if at any point in the past any DeceptionGrid component was restored from a snapshot, restart that component.
Note: As a safeguard, it is recommended to save a snapshot of the TSOC server before updating. If your Appliances are also virtual, save snapshots of them as well.
Note: Before upgrading an Appliance, it is recommended to go to Appliances > Appliance > Configuration > Settings, and confirm that the Platform was correctly detected.
To update, click a notification and follow the instructions. The upgrade process may include a restart.


If during a TSOC upgrade TSOC did not have general internet access, and the new version of TSOC requires updating OS components, temporarily enable internet access and use the Administration Menu (see TSOC Server Administration Menu Items on page 77) to Upgrade packages. If this is not an option, please contact TrapX support.
After updating a full OS trap, return the trap to Active mode (see Setting Maintenance Mode on page 66) and create a new baseline snapshot (see Setting Baseline and Reverting on page 67).

Checking for Software Upgrades
If TSOC isn't displaying a notification about a software update but you have reason to believe there may be one, you can have TSOC check for updates.
To check for updates:
1. Open the TSOC server's console, or, using PuTTY or another client, connect to the TSOC server via SSH over port 222.
2. Log in as user mng, and from the Administration Menu select Check for Updates.
TSOC checks for updates, and if any are available displays a notification (in the TSOC UI).

Upgrading in a Closed Environment
In environments where TSOC cannot connect to TrapX to download product updates, you'll need to obtain upgrade packages from TrapX and manually upload them to TSOC.
To upload an upgrade package to TSOC:
1. Open the TSOC server's console, or, using PuTTY or another client, connect to the TSOC server via SSH over port 222.
2. Log in as user mng, and from the Administration Menu select Manage Custom Updates Source.
3. Select 1 to Enable User. The upload user account is enabled for 24 hours, and a temporary password is displayed.
4. Using WinSCP or a similar client, connect to the TSOC server via SFTP over port 222, with user upload and the above temporary password.
5. Copy any upgrade package(s) and their respective associated MD5 file(s) into the TSOC Updates directory.
6. Back in the Administration Menu, select 3 to Move Uploaded Updates. Wait for the process to finish.
7. For security purposes, do not rely on the 24-hour expiry: in the Administration Menu select 2 to Disable User as soon as the upload is done.
The upgrade package will appear in TSOC (see Upgrading DeceptionGrid Components on page 48). To avoid waiting for it to show up, you can have TSOC check for updates (see Checking for Software Upgrades on page 49).


Updating NIS Intelligence Feeds
Typically, TSOC automatically retrieves intelligence feeds from the TrapX knowledge base center and distributes them to Appliances. If in your environment TSOC can't access the TrapX update server, you'll need to obtain feeds packages from TrapX and manually upload them to TSOC.
To update feeds:
1. Go to Settings > Updates > Feeds:

2. Click Update, then navigate to and upload the feeds file.
3. When the upload is complete, verify that the file size, modification date, and MD5 hash shown match the values supplied by TrapX with the package.
The NIS intelligence will be distributed to Appliances within a few hours. If you need to immediately distribute intelligence from TSOC to Appliances, in TSOC go to Appliances > Appliance > Configuration > Network Intelligence Sensor and click Update now.
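Both the closed-environment upgrade procedure and the feeds procedure above ask you to check packages against their MD5 values before they go into TSOC. The following added Python example (not a TrapX tool) does that check for a whole directory of packages before you upload them over SFTP. It assumes that each package's sidecar is named `<package>.md5` and is in md5sum style (`<32 hex digits>  <filename>`); the guide does not state the sidecar format, so adjust `parse_md5_file()` if TrapX's differs. The sample package names and contents are constructed for the demo:

```python
"""Verify upgrade/feed packages against their MD5 sidecar files before upload.

Added example, not TrapX tooling. Assumption: the sidecar is named
"<package>.md5" and is md5sum-style ("<32 hex digits>  <filename>").
"""
import hashlib
import os
import re
import tempfile

MD5_LINE = re.compile(r"^([0-9a-fA-F]{32})\s+\*?(\S.*)$")


def md5_of_file(path, chunk_size=1 << 20):
    """Stream the file; upgrade packages can be large."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def parse_md5_file(path):
    """Return (expected_hex, named_file) from the first md5sum-style line."""
    with open(path, "r", encoding="utf-8") as fh:
        for line in fh:
            match = MD5_LINE.match(line.strip())
            if match:
                return match.group(1).lower(), os.path.basename(match.group(2))
    raise ValueError(f"{path}: no md5sum-style line found")


def verify_package(pkg_path, md5_path):
    """Return (ok, detail). The filename inside the sidecar is checked too, so
    a sidecar copied from a different package is caught, not only a corrupt file."""
    expected, named = parse_md5_file(md5_path)
    if named != os.path.basename(pkg_path):
        return False, f"sidecar names {named!r}, not {os.path.basename(pkg_path)!r}"
    actual = md5_of_file(pkg_path)
    if actual != expected:
        return False, f"hash mismatch: expected {expected}, got {actual}"
    return True, actual


def verify_directory(directory):
    """Pair every *.md5 in the directory with its package.
    Returns {package_name: (ok, detail)}; anything False must not be uploaded."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".md5"):
            continue
        pkg = name[: -len(".md5")]
        pkg_path = os.path.join(directory, pkg)
        if not os.path.isfile(pkg_path):
            results[pkg] = (False, "package file missing")
            continue
        results[pkg] = verify_package(pkg_path, os.path.join(directory, name))
    return results


def build_demo_dir():
    """Constructed sample: one intact package, one altered after its sidecar
    was written, and one sidecar without a package. Returns the directory."""
    directory = tempfile.mkdtemp(prefix="dg_updates_")

    def write(name, data):
        with open(os.path.join(directory, name), "wb") as fh:
            fh.write(data)

    good = b"fake tsoc upgrade payload"
    write("tsoc-upgrade.tar.gz", good)
    write("tsoc-upgrade.tar.gz.md5",
          f"{hashlib.md5(good).hexdigest()}  tsoc-upgrade.tar.gz\n".encode())
    bad = b"fake appliance upgrade payload"
    write("appliance-upgrade.tar.gz.md5",
          f"{hashlib.md5(bad).hexdigest()}  appliance-upgrade.tar.gz\n".encode())
    write("appliance-upgrade.tar.gz", bad + b"\x00tampered")
    write("nis-feeds.zip.md5", f"{'0' * 32}  nis-feeds.zip\n".encode())
    return directory


if __name__ == "__main__":
    for pkg, (ok, detail) in verify_directory(build_demo_dir()).items():
        print("OK  " if ok else "FAIL", pkg, detail)
```

An MD5 match proves only that the bytes you hold are the bytes TrapX hashed; it is an integrity check against download corruption, not authentication, since anyone who can replace the package can replace the sidecar as well. Obtain the package and its MD5 value through the support channel and keep the transfer to TSOC on the SFTP session described above.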

Enabling CLI / SDK / API
If your organization uses CLI / SDK / API commands or client scripts, those commands or scripts will need to be authenticated and authorized by TSOC for API (the API is also used internally by the CLI / SDK). To enable this, a single user with the Super Admin role (by default: the super_admin user account) may be enabled for API.
To enable a Super Admin user for API, in TSOC go to Settings > Users, and by the user click the edit icon. In the user's details page, select Use for API:

Click Apply. The Main API Key is now available; you can Copy it to clipboard. In cases where you need to Regenerate the key, note that this will impact existing client scripts.


Here you can also Copy or Regenerate the Token API Key, which is used by Deception Token packages to perform connected execution and by TSOC to display installation status.

Enabling Attack Intelligence You can receive updates on newly-discovered threats, from TrapX analysis experts. The posts appear directly in TSOC, as long as you've selected to share your sanitized trap event data with TrapX analysts. Analysts correlate event details to detect new threats and attack patterns, providing cutting-edge cyber intelligence to participating customers. Event IP addresses, hostnames, and user credentials are not shared with TrapX in identifiable form (they are encoded with only internal relative consistency, and no mapping or decryption key is stored even locally). Event packet captures (PCAPs) are not shared. To enable Attack Intelligence: 1. In TSOC go to Settings > Attack Intelligence, and select Send and receive data and analysis:

2. Optionally, select to display the Blotter - a ticker-style notification area with links to latest unread articles. 3. Save.
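The sharing property described above (identifiers are encoded with only internal relative consistency, no mapping or decryption key is stored, and PCAPs are never shared) can be implemented with a keyed hash under a per-batch key that is discarded after use. The following is an added Python illustration of that design, written for this page; it is not TrapX's actual encoding, and the event layout and field names in SAMPLE_EVENTS are assumptions:

```python
"""Per-batch pseudonymization of event identifiers.

Added illustration, not TrapX code: equal identifiers inside one batch map to
equal tokens (so analysts can still correlate within the batch), the batch key
is random and is dropped afterwards, so nothing can reverse the tokens.
"""
import hashlib
import hmac
import ipaddress
import json
import secrets


class BatchPseudonymizer:
    """HMAC-SHA256 under a random 256-bit key that exists only for this batch."""

    def __init__(self):
        self._key = secrets.token_bytes(32)

    def _tag(self, kind, value):
        if self._key is None:
            raise RuntimeError("batch closed; key discarded")
        mac = hmac.new(self._key, f"{kind}:{value}".encode("utf-8"), hashlib.sha256)
        return f"{kind}-{mac.hexdigest()[:16]}"

    def ip(self, value):
        ipaddress.ip_address(value)  # reject garbage before it leaves the site
        return self._tag("ip", value)

    def host(self, value):
        return self._tag("host", value.strip().lower())  # case-fold so FS-01 == fs-01

    def user(self, value):
        return self._tag("user", value)

    def sanitize_event(self, event):
        """Identifying fields are tokenized, attack semantics pass through,
        and packet captures are dropped outright."""
        return {
            "event_id": event["event_id"],
            "trap": self.host(event["trap"]),
            "src_ip": self.ip(event["src_ip"]),
            "username": self.user(event["username"]),
            "attack_type": event["attack_type"],
            "pcap": None,
        }

    def close(self):
        self._key = None


# Constructed sample events, not real data.
SAMPLE_EVENTS = [
    {"event_id": 1, "trap": "FS-TRAP-01", "src_ip": "10.2.3.4", "username": "jdoe",
     "attack_type": "SMB_LOGON", "pcap": b"\xd4\xc3\xb2\xa1..."},
    {"event_id": 2, "trap": "fs-trap-01", "src_ip": "10.2.3.4", "username": "jdoe",
     "attack_type": "RDP_BRUTE", "pcap": b"\xd4\xc3\xb2\xa1..."},
]


def sanitize_batch(events):
    """Return the sanitized events; the batch key is gone when this returns."""
    p = BatchPseudonymizer()
    try:
        return [p.sanitize_event(e) for e in events]
    finally:
        p.close()


def leaks_identifiers(sanitized, raw_values):
    """Cheap egress check: none of the raw identifiers may appear in the payload."""
    payload = json.dumps(sanitized)
    return [v for v in raw_values if v in payload]


if __name__ == "__main__":
    print(json.dumps(sanitize_batch(SAMPLE_EVENTS), indent=2))
```

The trade-off is visible in the test: the same attacker appears under one token inside a batch but under a different token in the next batch, which is exactly what "no mapping key stored" costs. Running `leaks_identifiers()` on the outbound payload is the kind of check worth keeping in place if you decide to enable sharing.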

Whitelisting Legitimate Connections: Event Exceptions To prevent DeceptionGrid from recording events for known legitimate activity, you can configure exceptions defined by specified values of various parameters. Depending on trap type, these parameters may include network connection, files, registry settings, and processes. For example, you'll probably want to configure an exception for inbound connections matching organizational network scanners’ source IP ranges. Exceptions prevent relevant events from being created, and do not apply to already-recorded events. Exception criteria, when matching a connection, cause the entire session to be excepted. You can manage Exceptions from Appliance Settings, where frequently-detected connections are also recommended for exceptions, or base an Exception on an existing false-positive event, from the Event Analyzer.


In This Section
Manage Exceptions from Appliance Settings ...................................52
Base an Exception on an Existing Event ...........................................53

Manage Exceptions from Appliance Settings
Exceptions are configured per-Appliance, including Full OS traps. To manage exceptions, in TSOC go to Appliances > Appliance > Exceptions > Exceptions:

To copy all of another Appliance's existing exceptions to the current Appliance, by Copy exceptions from select the source and click Copy. You can also Export this Appliance's Exceptions to another Appliance.
To add an exception, click the add icon, set the exception parameters, and click Apply. For the Exception to suppress only Scan-stage events, including Ping, select Filter Only Scan.
To except SMB connections to emulation traps, click the add icon, select Emulation Trap > SMB False Positive, and by Pattern matching provide a value that, if found in an SMB connection, should cause the event to be excepted. If you include a command prefix (as when the Exception is created from the Event Analyzer; for example, Logon: or Dir:), to have the exception apply to its value regardless of the specific command in which the value appears, select Filter all command prefixes.
You can Delete all of the Appliance's configured Exceptions.
To view automatic recommendations, go to Appliances > Appliance > Exceptions > Exception recommendations:

Recommendations are listed with the most recently active connections at the top. For each recommendation, you can leave it to be bumped up on future connections, or you can choose to confirm as an exception, or to Keep to bottom of the list and not be bumped up. To configure the connection frequency thresholds for creating a recommendation, go to Recommendation settings. To whitelist ICMP (ping) connections (to prevent events of ping scans) from all sources to an Appliance, go to Appliances > Appliance > Configuration > Settings, and enable Filter PING events.


To whitelist ARP connections from all sources to an Appliance, go to Appliances > Appliance > Configuration > Settings, and configure filtering of ARP events. Optionally, you can select to show only scans to multiple traps per subnet.
To avoid false-positive alerts from organizational scanners, you can enable dark mode, so that emulation traps will not respond at all to TCP connections from IP addresses for which a regular Exception is configured for all ports. Go to Appliances > Appliance > Configuration > Settings, and enable Exceptions Dark Mode.

Base an Exception on an Existing Event
To except activity similar to an existing false-positive event, locate the event in the Event Analyzer, and in its Attack Details, hover over the specific action to be excepted and click the exception icon:

Configure or confirm the exception details and trap scope, and click Apply:

Asset Inventory
TSOC can maintain an inventory of organizational endpoint assets. The inventory can be used for automatic emulation profiling and/or for coverage analysis (see the DeceptionGrid Security Deployment Guide).
Asset inventory can be provided to TSOC in any of the following ways:
1. Via API / CLI / SDK (see the relevant guides), provide one of:
 a. Connection details to the organizational Active Directory, from which TSOC will retrieve endpoint information
 b. A CSV list of endpoints


2. ForeScout CounterACT integration (see Integrating with ForeScout CounterACT on page 41)
3. Tenable.sc integration (see Integrating with Tenable.sc for Asset Inventory below)
A single inventory is maintained; providing an inventory in any of the above ways overwrites the existing one, even if it was provided a different way.

In This Section Integrating with Tenable.sc for Asset Inventory ..............................54 Integrating with Tenable.sc for Asset Inventory You can integrate TSOC with Tenable.sc, for TSOC asset inventory (see Asset Inventory above). Tenable.sc 5.19 is supported. To integrate with Tenable.sc: 1. Make sure organizational firewalls allow traffic from TSOC to the organizational Tenable.sc server. 2. In TSOC, go to Settings > General > Inventory > Tenable:

3. Select Enable service, provide connection details and set a retrieval schedule. 4. Click Save. 5. To avoid waiting for the first scheduled time, you can Retrieve now.

Suppressing Repeat Events
To avoid large numbers of events from repeated attacks, you can suppress events that appear to represent a continued, repeated attack (same source and destination). This applies to both trap events and NIS events. You can separately choose to suppress repeat events from internal and/or external sources.
Note: Suppressing repeat events from external sources may also suppress events from different external sources.
You can set the interval, in hours, after which a new event is recorded for a continuing repeat attack.


To suppress repeat events from an Appliance, in TSOC go to Appliances > Appliance > Configuration > Settings > Suppress repeat events and edit the configuration:
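The suppression behaviour described above, as an added Python model written for this page (not TSOC code), so that you can see what an interval setting discards before you turn it on. Assumptions made for the model: "internal" means a source address inside the INTERNAL_NETWORKS ranges; internal repeats are keyed on (source, destination, event kind); external repeats are keyed on (destination, event kind) only, which is one way the documented side effect (different external sources collapsing into one stream) can arise. The sample events are constructed:

```python
"""Repeat-event suppression model for DeceptionGrid-style events.

Added illustration, not TSOC code. INTERNAL_NETWORKS and the suppression
keys are assumptions; adjust them to match your site and observed behaviour.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the organization's internal address plan.
INTERNAL_NETWORKS = [ipaddress.ip_network(n)
                     for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Event:
    event_id: int
    ts_hours: float      # hours since an arbitrary epoch
    src_ip: str
    dst_ip: str
    kind: str            # "trap" or "nis"


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


class RepeatSuppressor:
    def __init__(self, interval_hours, suppress_internal=True, suppress_external=True):
        if interval_hours <= 0:
            raise ValueError("interval must be positive")
        self.interval_hours = interval_hours
        self.suppress_internal = suppress_internal
        self.suppress_external = suppress_external
        self._last_sent = {}

    def _key(self, ev, internal):
        if internal:
            return ("int", ev.src_ip, ev.dst_ip, ev.kind)
        # External sources share one key per destination: this is the
        # "may suppress events from different external sources" caveat.
        return ("ext", ev.dst_ip, ev.kind)

    def filter(self, events):
        """Return the events that would actually be recorded, in time order."""
        kept = []
        for ev in sorted(events, key=lambda e: e.ts_hours):
            internal = is_internal(ev.src_ip)
            enabled = self.suppress_internal if internal else self.suppress_external
            if not enabled:
                kept.append(ev)
                continue
            key = self._key(ev, internal)
            last = self._last_sent.get(key)
            if last is None or ev.ts_hours - last >= self.interval_hours:
                self._last_sent[key] = ev.ts_hours
                kept.append(ev)
        return kept


# Constructed sample: an internal host hammering one trap, and two distinct
# external addresses hitting the same trap inside one interval.
SAMPLE_EVENTS = [
    Event(1, 0.0, "10.2.3.4", "10.2.3.50", "trap"),
    Event(2, 0.5, "10.2.3.4", "10.2.3.50", "trap"),
    Event(3, 3.0, "10.2.3.4", "10.2.3.50", "trap"),
    Event(4, 25.0, "10.2.3.4", "10.2.3.50", "trap"),
    Event(5, 1.0, "198.51.100.9", "10.2.3.50", "trap"),
    Event(6, 2.0, "203.0.113.7", "10.2.3.50", "trap"),
]


def demo(interval_hours=24, suppress_internal=True, suppress_external=True):
    sup = RepeatSuppressor(interval_hours, suppress_internal, suppress_external)
    return [e.event_id for e in sup.filter(SAMPLE_EVENTS)]


if __name__ == "__main__":
    print("recorded with 24h interval:", demo())
    print("recorded, external not suppressed:", demo(suppress_external=False))
```

With a 24-hour interval the second external source (event 6) never surfaces, because event 5 already opened the window for that destination. If you rely on distinct external sources being visible, leave external suppression off and suppress only internal repeats.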



Network Intelligence Sensor Administration This section describes Network Intelligence Sensor (NIS) setup and administration tasks.

In This Section Deploying Network Intelligence Sensor ...........................................56 Updating NIS Intelligence Feeds.......................................................57

Deploying Network Intelligence Sensor
Network Intelligence Sensor (NIS) monitors and analyzes organizational network traffic to detect suspicious outbound traffic. NIS is configured on a DeceptionGrid Appliance interface that is connected to organizational systems. By default, Appliance interface eth1 is usually dedicated to NIS.

Note: NIS is not supported on Hyper-V or in cloud environments such as Azure and AWS.
Note: NIS is not supported in 10 GbE networks.

For NIS to work, an Appliance interface needs to be connected to a network device port mirroring traffic exiting the organization. The connected device can be the organizational perimeter firewall, or, if organizational traffic exits through a proxy, that proxy server. In the latter case, if some organizational traffic circumvents the proxy, connect another interface to the firewall as well. The organizational device port must be configured to mirror outbound traffic.

The connected Appliance interface or interfaces need to have NIS enabled and to be configured for Promiscuous mode, to monitor traffic; if connected to a proxy server, the Appliance interface needs to be additionally configured for Proxy mode, so NIS can correctly interpret the traffic. When the Appliance is connected to both a proxy and a firewall, the interface connected to the firewall needs to be additionally configured for Upstream mode, so that NIS will correlate firewall traffic with proxy traffic. On new DeceptionGrid appliances, eth1 already has NIS enabled.

Known legitimate traffic can be whitelisted, in TSOC (see Whitelisting Legitimate Connections: Event Exceptions on page 52) or as below. NIS intelligence is periodically updated (see Updating NIS Intelligence Feeds on page 57).

For other NIS configuration, use the Appliance's Administration Menu: either connect to the Appliance's direct console, or, using PuTTY or another client, connect via SSH over port 222. Log in as user sensor, and select from the NIS Settings category, which includes the following commands:

Menu Item: sniff/scan commands
Description: For troubleshooting scenarios, these commands provide the ability to disable NIS monitoring (sniff) or to enable the discontinued legacy NIS scan detection (scan). Affects all interfaces.

Menu Item: Show NIS Configuration
Description: Displays per-interface NIS configuration (only interfaces for which NIS is enabled appear; see Enable / Disable NIS below).

Menu Item: Configure NIS
Description: Enables configuring per-interface (available only for interfaces for which NIS is enabled; see Enable / Disable NIS below):
1. Promiscuous mode: Whether to perform monitoring.
2. Proxy mode (if Promiscuous mode = yes): One of:
 a. Legacy: No longer supported for new deployments.
 b. Proxy: Interface is connected to a proxy.
 c. Off: Interface is connected to a firewall, traffic to which does not go through a proxy.
 d. Upstream: Interface is connected to a firewall, some traffic to which goes through a proxy.
3. Downstream IP and ports (if Proxy mode = Proxy or Upstream): For filtering and correlation purposes, the proxy's IP address and the ports that organizational endpoints connect to.
After configuration changes, Restart NIS (below).

Menu Item: NIS Whitelisting Configuration
Description: Opens a menu for various options relating to NIS whitelisting:
1. Privileged source ports: Outbound traffic from source port numbers 0-1023, which likely are public server responses to inbound connections. Ignore to whitelist, Alert to disable whitelisting, Are Ignored? to display current status.
2. Scans on port 445: SMB connections on Appliance interfaces that may generate false positives, especially if an SMB token is configured for a trap on one of the interfaces. Ignore to whitelist, Alert to disable whitelisting, Are Ignored? to display current status.
3. Botnet white list: Presents whitelisting options for each of scan (discontinued legacy NIS scan detection) and sniff (NIS monitoring): Show current whitelisted traffic, Add a traffic pattern to be whitelisted, or Remove one.

Menu Item: Enable / Disable NIS
Description: Specify an interface for which to enable / disable NIS. If enabled, NIS still depends on the per-interface configuration above.

Menu Item: Stop / Start / Restart NIS
Description: Stop, start, or restart the NIS service (monitoring and scan detection) on the Appliance (affects all interfaces).

Updating NIS Intelligence Feeds Typically, TSOC automatically retrieves intelligence feeds from the TrapX knowledge base center and distributes them to Appliances. If in your environment TSOC can't access the TrapX update server, you'll need to obtain feeds packages from TrapX and manually upload them to TSOC. To update feeds:


1. Go to Settings > Updates > Feeds:

2. Click Update, then navigate to and upload the feeds file.
3. When the upload is complete, verify that the file size, modification date, and MD5 hash shown match the values supplied by TrapX with the package.
The NIS intelligence will be distributed to Appliances within a few hours. If you need to immediately distribute intelligence from TSOC to Appliances, in TSOC go to Appliances > Appliance > Configuration > Network Intelligence Sensor and click Update now.



Full OS Trap Administration This section describes setup and administration tasks for Full OS traps.

In This Section Setting Up Full OS Trap .....................................................................59 Maintaining Full OS Trap ..................................................................66 Upgrading a Full OS Trap ..................................................................67 Removing a Full OS Trap...................................................................67

Setting Up Full OS Trap You can perform a local attended installation (see Attended Full OS Trap Installation below), or use standard distribution systems or scripts to perform unattended command-line installation (see Unattended Full OS Trap Installation on page 62).

In This Section
Attended Full OS Trap Installation ...................................................59
Unattended Full OS Trap Installation ...............................................62

Attended Full OS Trap Installation
This section describes local, attended installation; an alternative is unattended installation (see Unattended Full OS Trap Installation on page 62).
To set up a full OS trap (attended):
1. Prepare the following prerequisites:
 a. Fully deployed and configured DeceptionGrid TSOC of the current version; specifically, make sure that TSOC has been properly integrated with your organizational virtual infrastructure (see Integrating with Full OS Trap Infrastructure on page 20). Otherwise, you won't be able to configure Host connection (as below), and so won't be able to set a trap baseline snapshot or to revert (see Setting Baseline and Reverting on page 67).
 b. A host virtual machine in the above virtualized environment, meeting the following minimum requirements:
  i. Latest available VM version (for example, for ESX 6.0: VM version 11)
  ii. OS: Windows 7 / 10 / Server 2008 R2 SP1 / 2012 R2 / 2016 / 2019
   Note: The Full OS agent does not support host upgrade to Windows 10 20H2 while the agent is running. Before such an upgrade, do the following:
   Upgrading Full OS host to Windows 10 20H2
   1. Set the Full OS trap to maintenance mode (see Setting Maintenance Mode on page 66).
   2. In Windows, open the Services application and locate the Full OS agent service. Its name is according to the obfuscation that was selected when it was installed; its publisher is NCIA Tool. Right-click the service and select Properties. Change its Startup type to Manual, Apply, and Stop the service.
   3. Restart the host, and confirm that the service is not running.
   4. Upgrade Windows to 20H2. Complete the process, including restarting at least twice.
   5. In the Windows Services application, return the Full OS agent service Startup type to Automatic.
   6. Restart the host, and confirm that the service is running.
   7. Set the Full OS trap back to active mode (see Setting Maintenance Mode on page 66).
  iii. RAM: 4 GB
  iv. Virtual hardware meeting Microsoft requirements for the operating system
  v. Computer clock exactly synchronized with TSOC's clock (see Configuring TSOC's Clock on page 16)
  vi. Secure Boot must be disabled in the host BIOS / firmware.
  vii. Any services to be monitored, as supported (see the DeceptionGrid Security Deployment Guide)
  The host can have any additional installed or running software, and any data and configuration as relevant to your network. You can use an organizational image.
 c. Make sure the following ports are open on organizational network devices:
  Source: Full OS trap
  Destination: TSOC
  Port: 7443, 8443, 9443
2. If the host computer previously had the full OS Trap agent installed and then uninstalled, restart the computer.
3. On the prepared host computer, from a local drive (not a network share or removable media), run as an Administrator the provided agent installer (named NCIAInstaller.msi, for obfuscation).
4. Go through the wizard pages. In the TSOC Integration page, configure how the trap will appear in TSOC, and the trap's connection to TSOC:

The agent name must be 5-15 alphanumeric characters.
5. In the CryptoTrap Configuration page, select whether to install a CryptoTrap network share, and its location:


6. In the Agent Obfuscation page, select how the agent should appear on the computer to a potential attacker. For example, if the trap is meant to appear as an IT server, you might select Sysinternals Package:

7. Complete the wizard. 8. When installation is complete, to prevent user actions in existing sessions from being missed by the full OS trap (for example, an open SMB session, or the RDP session from which you’re performing the installation), restart the host computer. 9. Log into TSOC with administrative permissions, and click the Pending notification:

10. By the relevant full OS trap, click Initialize:


11. Configure trap details, and click Finish:

12. Create a baseline snapshot (see Setting Baseline and Reverting on page 67). 13. Configure services to be monitored, and optionally their tokens, as in the DeceptionGrid Security Deployment Guide. 14. If you know of legitimate organizational network traffic that will be affecting the trap, configure relevant exceptions (see Whitelisting Legitimate Connections: Event Exceptions on page 52) as in the DeceptionGrid Security Handling & Analysis Guide. The full OS trap appears in the Appliances page, and relevant events will be displayed for analysis.

Unattended Full OS Trap Installation This section describes using standard distribution systems or scripts to perform unattended command-line installation; an alternative is attended installation (see Attended Full OS Trap Installation on page 59). To set up a full OS trap (unattended): 1. Prepare the following prerequisites:


 a. Fully deployed and configured DeceptionGrid TSOC of the current version; specifically, make sure that TSOC has been properly integrated with your organizational virtual infrastructure (see Integrating with Full OS Trap Infrastructure on page 20). Otherwise, you won't be able to configure Host connection (as below), and so won't be able to set a trap baseline snapshot or to revert (see Setting Baseline and Reverting on page 67).
 b. A host virtual machine in the above virtualized environment, meeting the following minimum requirements:
  i. Latest available VM version (for example, for ESX 6.0: VM version 11)
  ii. OS: Windows 7 / 10 / Server 2008 R2 SP1 / 2012 R2 / 2016 / 2019
   Note: The Full OS agent does not support host upgrade to Windows 10 20H2 while the agent is running. Before such an upgrade, do the following:
   Upgrading Full OS host to Windows 10 20H2
   1. Set the Full OS trap to maintenance mode (see Setting Maintenance Mode on page 66).
   2. In Windows, open the Services application and locate the Full OS agent service. Its name is according to the obfuscation that was selected when it was installed; its publisher is NCIA Tool. Right-click the service and select Properties. Change its Startup type to Manual, Apply, and Stop the service.
   3. Restart the host, and confirm that the service is not running.
   4. Upgrade Windows to 20H2. Complete the process, including restarting at least twice.
   5. In the Windows Services application, return the Full OS agent service Startup type to Automatic.
   6. Restart the host, and confirm that the service is running.
   7. Set the Full OS trap back to active mode (see Setting Maintenance Mode on page 66).
  iii. RAM: 4 GB
  iv. Virtual hardware meeting Microsoft requirements for the operating system
  v. Computer clock exactly synchronized with TSOC's clock (see Configuring TSOC's Clock on page 16)
  vi. Secure Boot must be disabled in the host BIOS / firmware.
  vii. Any services to be monitored, as supported (see the DeceptionGrid Security Deployment Guide)
  The host can have any additional installed or running software, and any data and configuration as relevant to your network. You can use an organizational image.
 c. Make sure the following ports are open on organizational network devices:
  Source: Full OS trap
  Destination: TSOC
  Port: 7443, 8443, 9443


2. If the host computer previously had the full OS Trap agent installed and then uninstalled, restart the computer.
3. On the prepared host computer, from a local drive (not a network share or removable media), run as an Administrator the provided agent installer (named NCIAInstaller.msi, for obfuscation) as follows:

 msiexec /i NCIAInstaller.msi /quiet TSOC_ADDRESS=<TSOC IP address> TSOC_TRAP_ID=<trap name> <restart option> [FULL_OS_OBFUSCATION_PROFILE=<profile number>] [MSBUILD_INSTALLLOCATION="<installation directory>"]

 The above arguments are:
 a. TSOC_ADDRESS: TSOC's IP address
 b. TSOC_TRAP_ID: Trap name to appear in TSOC. Must be 5-15 alphanumeric characters
 c. <restart option> (required): One of:
  i. /forcerestart (recommended): Restart when complete
  ii. /norestart (not recommended): Don't restart
 d. FULL_OS_OBFUSCATION_PROFILE (optional): Defines the program name and other associated settings, for agent obfuscation. The <profile number> is one of the following numbers, according to the desired profile. For example, if the trap is meant to appear as an IT server, for Sysinternals Package specify FULL_OS_OBFUSCATION_PROFILE=5. If the argument is omitted, one of the available profiles will be randomly selected.

  Profile: Number
  Asset Manager Service: 1
  Driver Manager: 2
  Device Scanner: 3
  Network Monitor Control: 4
  Sysinternals Package: 5
  Control Panel Monitor: 6
  Management Network Service: 7
  Driver Loader: 8
  Asset Server Configurator: 9
  IIS Manager: 10
  Service Remover: 11
  Server Handler: 12
  Packet Tracer PRO: 13
  Packet Sniffer: 14
  Traffic Controller: 15
  Outbound Monitor: 16

 e. MSBUILD_INSTALLLOCATION (optional): Installation directory. If omitted, the agent will be installed in a profile-appropriate directory inside C:\Program Files\.
4. Log into TSOC with administrative permissions, and click the Pending notification:

5. By the relevant full OS trap, click Initialize:

6. Configure trap details, and click Finish:

7. Create a baseline snapshot (see Setting Baseline and Reverting on page 67). 8. Configure services to be monitored, and optionally their tokens, as in the DeceptionGrid Security Deployment Guide. 9. If you know of legitimate organizational network traffic that will be affecting the trap, configure relevant exceptions (see Whitelisting Legitimate Connections: Event Exceptions on page 52) as in the DeceptionGrid Security Handling & Analysis Guide.
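When the unattended command line above is generated by a distribution system for many hosts, the easy mistakes are a trap name outside the 5-15 alphanumeric limit, a wrong profile number, and an install directory with spaces that is not quoted. The following added Python example (not a TrapX tool) assembles the documented msiexec command line and enforces those constraints; it does not run anything, that is left to your deployment tooling. The profile table reproduces the one above, and the TSOC address, trap name and directory in the demo are assumed values:

```python
"""Build and validate the unattended Full OS trap install command line.

Added example, not a TrapX tool. It assembles the msiexec command line
documented in the guide and checks the documented constraints; executing it
(from a local drive, as an Administrator) is left to the caller.
"""
import ipaddress
import re

OBFUSCATION_PROFILES = {
    "Asset Manager Service": 1, "Driver Manager": 2, "Device Scanner": 3,
    "Network Monitor Control": 4, "Sysinternals Package": 5,
    "Control Panel Monitor": 6, "Management Network Service": 7,
    "Driver Loader": 8, "Asset Server Configurator": 9, "IIS Manager": 10,
    "Service Remover": 11, "Server Handler": 12, "Packet Tracer PRO": 13,
    "Packet Sniffer": 14, "Traffic Controller": 15, "Outbound Monitor": 16,
}
TRAP_ID_RE = re.compile(r"^[A-Za-z0-9]{5,15}$")
RESTART_OPTIONS = ("forcerestart", "norestart")


def validate_trap_id(trap_id):
    """TSOC_TRAP_ID must be 5-15 alphanumeric characters."""
    return bool(TRAP_ID_RE.match(trap_id))


def profile_number(profile):
    """Accept a profile number (1-16) or a profile name (case-insensitive)."""
    if isinstance(profile, int):
        if profile in OBFUSCATION_PROFILES.values():
            return profile
        raise ValueError(f"no obfuscation profile numbered {profile}")
    for name, number in OBFUSCATION_PROFILES.items():
        if name.lower() == profile.strip().lower():
            return number
    raise ValueError(f"unknown obfuscation profile {profile!r}")


def build_install_command(tsoc_address, trap_id, restart="forcerestart",
                          profile=None, install_dir=None, msi="NCIAInstaller.msi"):
    """Return the full msiexec command line as one string."""
    ipaddress.ip_address(tsoc_address)  # the guide asks for TSOC's IP address
    if not validate_trap_id(trap_id):
        raise ValueError(f"trap id {trap_id!r} must be 5-15 alphanumeric characters")
    if restart not in RESTART_OPTIONS:
        raise ValueError(f"restart must be one of {RESTART_OPTIONS}")
    parts = ["msiexec", "/i", msi, "/quiet",
             f"TSOC_ADDRESS={tsoc_address}", f"TSOC_TRAP_ID={trap_id}", f"/{restart}"]
    if profile is not None:
        parts.append(f"FULL_OS_OBFUSCATION_PROFILE={profile_number(profile)}")
    if install_dir:
        if '"' in install_dir:
            raise ValueError("install_dir must not contain double quotes")
        # msiexec property values containing spaces must be quoted as PROP="value"
        parts.append(f'MSBUILD_INSTALLLOCATION="{install_dir}"')
    return " ".join(parts)


if __name__ == "__main__":
    # Assumed TSOC address, trap name and directory for illustration.
    print(build_install_command("10.0.0.5", "FSTRAP01",
                                profile="Sysinternals Package",
                                install_dir=r"C:\Program Files\Sysinternals"))
```

Keep the trap name list and the profile choice per host in your inventory rather than letting the installer pick a random profile, so the obfuscation matches the role the trap is meant to play (an IIS Manager profile on a host dressed as a file server is a tell).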

The full OS trap appears in the Appliances page, and relevant events will be displayed for analysis.

Maintaining Full OS Trap You can change the details that you configured when adding the full OS trap (see Setting Up Full OS Trap on page 59). In the TSOC Appliances page select the trap and in its Settings tab configure details as relevant. When you’re done, click Save. To be able to install, change and edit the trap host without generating unnecessary events, you can put the trap into maintenance mode (see Setting Maintenance Mode below). The trap agent will continue running and remain connected to TSOC, but event monitoring will be paused. If a full OS trap becomes infected, you can revert the trap host computer to a baseline snapshot. To enable this, upon changes update the baseline snapshot (see Setting Baseline and Reverting on page 67).

In This Section
Setting Maintenance Mode ..............................................................66
Setting Baseline and Reverting.........................................................67

Setting Maintenance Mode
To be able to install, change and edit the trap host without generating unnecessary events, you can put the trap into maintenance mode. To put a full OS trap into maintenance mode, in the TSOC Appliances page select the trap and in its Maintenance tab click the Maintenance mode button:

The trap agent will continue running and remain connected to TSOC, but event monitoring will be paused. To resume event monitoring, click the Active mode button.


Setting Baseline and Reverting
If a full OS trap becomes infected, you can revert the trap host computer to a baseline snapshot. To enable this, update the baseline snapshot whenever you change the host. To be able to manage a full OS trap's baseline snapshot and to revert, TSOC must be integrated with trap infrastructure (see Integrating with Full OS Trap Infrastructure on page 20).
To set a new baseline snapshot, in the TSOC Appliances page select the trap (which must be Active, not in Maintenance mode) and in its Maintenance tab click the baseline snapshot button. To subsequently revert to the latest baseline, click the revert button:

Upgrading a Full OS Trap Full OS traps are upgraded from TSOC, in a similar manner to DeceptionGrid Appliances (see Upgrading DeceptionGrid Components on page 48). After updating a full OS trap, return the trap to Active mode (see Setting Maintenance Mode on page 66) and create a new baseline snapshot (see Setting Baseline and Reverting above).

Removing a Full OS Trap
To remove a full OS trap:
1. Set the trap to Maintenance mode (see Setting Maintenance Mode on page 66).
2. On the agent host computer, do one of the following:
 a. Run the installer and select the option to remove. A copy of the installer is located on the host computer, at <installation directory>\Data\, where <installation directory> is the full OS agent's installation directory, named according to the selected obfuscation profile.

 Note: If for some reason you cannot set the trap to maintenance mode, the agent will not allow remote removal. In this case open a direct console to the agent host and run the installer; you'll be presented with an option for maintenance mode. Select it, click Submit, and then remove.
 b. Run the installer via the following command line:

 msiexec /x /quiet NCIAInstaller.msi <restart option>

 <restart option> (required) is one of:
  i. /forcerestart (recommended): Restart when complete
  ii. /norestart (not recommended): Don't restart
 Note: If for some reason you cannot set the trap to maintenance mode, the agent will not allow remote removal. In this case you must run the command from a direct console to the agent host.
3. If CryptoTrap is present, to remove it use Windows' Add/Remove Programs.
4. In the TSOC Appliances page select the trap and in its Settings tab click Remove now.


DeceptionGrid in Kubernetes

Deploying DeceptionGrid in a Kubernetes environment enables quickly raising multiple Appliances as needed, increases stealth in an organizational environment of containerized servers, and may help in trapping attackers' lateral movements between pods, such as from rogue pods.

In This Section
DeceptionGrid in Kubernetes Overview (page 69)
DeceptionGrid Appliance in Docker (evaluation) (page 69)
Setting Up DeceptionGrid in Kubernetes (page 70)
Deploying Appliances in Kubernetes (page 72)

DeceptionGrid in Kubernetes Overview

TrapX provides DeceptionGrid Appliances as Kubernetes pods for deployment in a Kubernetes environment. Each pod contains a single Appliance, with a single, customizable trap. The Appliance has a single network interface (eth0), preconfigured with a Linux Server emulation trap. You can subsequently change the trap's emulation; you cannot add more interfaces or traps. NIS, high-interaction Linux, osfingerprint and scan events are not supported. For security reasons, the Appliance is not run as root.

Once running, each Appliance and trap is managed and configured centrally from your organizational TSOC, which must be deployed on another platform. Once installed in the environment (see Setting Up DeceptionGrid in Kubernetes on page 70), you can manage pods (see Deploying Appliances in Kubernetes on page 72).

For evaluation purposes, even without a full Kubernetes environment, you can deploy a DeceptionGrid Appliance with just Docker (see DeceptionGrid Appliance in Docker (evaluation) below).

DeceptionGrid Appliance in Docker (evaluation)

You can deploy TrapX DeceptionGrid traps in Kubernetes (see DeceptionGrid in Kubernetes Overview above). For evaluation purposes, even without a full Kubernetes environment, you can deploy a single DeceptionGrid Appliance with just Docker.

To deploy a single DeceptionGrid Appliance with Docker:

1. Copy the provided Trap Container package ZIP archive to a computer with the Docker Engine client, and extract it.

2. Create directory: /tmp/docker_trap_config

3. Copy the following file from the extracted package to the new directory: trap_config_run.json

4. In the above .json file, set the tsoc_ip parameter's value to the IP address of your organizational TSOC.

5. Run:

docker run -d --rm -e "CLIENT_NAME=" -e "USE_PERSISTENT_VOL=false" -v /tmp/docker_trap_config:/config --name -p : trapx/trap

where

a. will be the Appliance name in TSOC

b. will be the Container name

c. -p : is repeated for each emulation service port that should be opened, with the port number. All -p mappings must precede the image name (trapx/trap): docker run treats anything after the image name as the container's command, not as an option.

For example:

docker run -d --rm -e "CLIENT_NAME=docker_trap" -e "USE_PERSISTENT_VOL=false" -v /tmp/docker_trap_config:/config --name trap_container -p 80:80 -p 22:22 trapx/trap

6. When complete, in TSOC initialize the Appliance (see Initializing Appliances on page 28). You can then configure the trap emulation (see the DeceptionGrid Administration Guide).
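A pre-flight check for the Docker procedure above, written as an added example (it is not part of the TrapX Trap Container package): the helper reads tsoc_ip out of trap_config_run.json, rejects anything that is not a dotted-quad IPv4 address, and assembles the docker run line from step 5 with every -p mapping placed before the image name. The single-line "tsoc_ip": "..." layout of the JSON file and the sample address 10.0.0.5 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not TrapX code. Validates tsoc_ip in trap_config_run.json and builds
# the docker run command from the guide with all -p options before the image name.
# Assumption: the JSON carries "tsoc_ip": "<addr>" on a single line.

# tsoc_ip_from_config FILE -> prints the tsoc_ip value (empty if not found)
tsoc_ip_from_config() {
  sed -n 's/.*"tsoc_ip"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# valid_ipv4 ADDR -> exit 0 only for four decimal octets in 0..255, e.g. 10.0.0.5
valid_ipv4() {
  addr=$1
  case $addr in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, leading/trailing/double dots
  esac
  oldifs=$IFS
  IFS=.
  set -- $addr                 # split into octets on "."
  IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] || return 1
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# build_docker_run APPLIANCE_NAME CONTAINER_NAME PORT... -> prints the command line;
# each PORT becomes "-p PORT:PORT" and all of them precede the image name
build_docker_run() {
  appliance=$1
  container=$2
  shift 2
  ports=""
  for p in "$@"; do
    ports="$ports -p $p:$p"
  done
  printf 'docker run -d --rm -e "CLIENT_NAME=%s" -e "USE_PERSISTENT_VOL=false" -v /tmp/docker_trap_config:/config --name %s%s trapx/trap\n' \
    "$appliance" "$container" "$ports"
}

# preflight CONFIG_FILE APPLIANCE_NAME CONTAINER_NAME PORT... -> prints the command,
# or fails (exit 1) with a message on stderr if tsoc_ip is missing or malformed
preflight() {
  cfg=$1
  shift
  ip=$(tsoc_ip_from_config "$cfg")
  if ! valid_ipv4 "$ip"; then
    echo "trap_config_run.json: tsoc_ip '$ip' is not a valid IPv4 address" >&2
    return 1
  fi
  build_docker_run "$@"
}

# write_sample_config FILE -> writes a constructed trap_config_run.json for demonstration
write_sample_config() {
  printf '{\n  "tsoc_ip": "10.0.0.5"\n}\n' > "$1"
}

# Demonstration on a constructed config (no Docker needed; the command is only printed)
demo_cfg=$(mktemp)
write_sample_config "$demo_cfg"
preflight "$demo_cfg" docker_trap trap_container 80 22
rm -f "$demo_cfg"
```

Pipe the printed command into sh once you are satisfied with it; keeping the validation in front of the actual docker run means a typo in tsoc_ip fails here rather than as a container that silently never reports to TSOC.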

Setting Up DeceptionGrid in Kubernetes

You can deploy TrapX DeceptionGrid traps in Kubernetes (see DeceptionGrid in Kubernetes Overview on page 69). Before you can manage pods, you need to set up DeceptionGrid in Kubernetes as below.

Before starting setup, decide whether to use Kubernetes persistent volumes. Persistent volumes preserve trap configuration and logs across recovery from pod failure, and across the relevant commands for stopping and starting trap containers. If your Kubernetes Pod Security Policy (PSP) setting of readOnlyRootFilesystem is true, you must use persistent volumes.

To set up DeceptionGrid in a Kubernetes environment:

1. Make sure you have a fully configured Kubernetes environment, and have Docker Engine and kubectl set up.

2. Make sure your Kubernetes environment has a namespace for the Appliance pods. You can create one by running:

kubectl create namespace

3. To use persistent volumes, best practice in most cases is to create the volumes in Kubernetes; alternatively, such as for testing purposes, you can have them created by the DeceptionGrid Appliance container image (specified in the k8s_config configuration file as below). If you're creating the volumes in Kubernetes, also make sure to have a user group with read/write access to the volumes. To create the required volumes in Kubernetes:

a. If your Kubernetes Pod Security Policy (PSP) setting of readOnlyRootFilesystem is false, create three persistent volumes, each with a storage claim of 0.5 GB, with the following names:

i. opt-trapx-etc-claim
ii. var-opt-trapx-log-claim
iii. var-opt-trapx-mwtrap-claim

b. If your Kubernetes Pod Security Policy (PSP) setting of readOnlyRootFilesystem is true, create the above three volumes (same as if false), and in addition create four more volumes, each with a storage claim of at least 10 MB, with the following names:

i. tmp-claim
ii. var-tmp-claim
iii. etc-network-claim
iv. var-opt-trapx-run-claim

4. The host network needs to be mapped to trap ports, to enable the trap to listen on all ports. Generally, this is done by using a Kubernetes service (specified in the k8s_config configuration file as below) and making sure that the service listens on all ports. For example, to make sure that the service listens on all ports in a microk8s environment:

a. Open for editing: /var/snap/microk8s/current/args/kube-apiserver

b. Append to the file: --service-node-port-range 1-65000

c. Run:

microk8s.stop
microk8s.start

5. Copy the provided Trap Container package ZIP archive to a computer configured for your Kubernetes environment (with kubectl and the Docker Engine client), and extract it.

6. If you'll be using persistent volumes, you'll need to prepare a Kubernetes Storage Class. If you don't already have one, to create one, from the extracted package folder, call:

kubectl apply -f k8s/trap/sc_manual.yaml

7. In the extracted trap container package directory, open for editing: trap_config_run.json

Set the tsoc_ip parameter's value to the IP address of your organizational TSOC. If the pods will need to traverse an organizational proxy to reach TSOC, set enabled to true, and provide the proxy's details.

8. Open for editing: k8s_config

Set the following values:

a. TRAPS_NAMESPACE: Kubernetes namespace for Appliance pods, as above.
b. TRAP_GID: Group ID for Appliances, to appear in TSOC.
c. TRAP_NAME_PREFIX: Appliance and trap names in TSOC will begin with this prefix.
d. IMAGE_URL: URL of your private Docker registry.
e. USE_K8S_SERVICE (boolean): Whether to use a Kubernetes service object to map the host network to trap ports, to enable the trap to listen on all ports. Should generally be true, unless you're using another method for this.
f. CPU_REQUEST, MEMORY_REQUEST: Resource allocation per Appliance container.
g. READ_ONLY_FS (boolean; default = false): Must be the same as your Kubernetes Pod Security Policy (PSP) setting of readOnlyRootFilesystem.
h. USE_PERSISTENT_VOL (boolean): Whether to use Kubernetes persistent volumes (see above). If true, specify also:

i. CREATE_PV (boolean): Whether (true) to automatically create persistent volumes, such as for testing purposes, or (false) the volumes have been created in Kubernetes as above.

If USE_PERSISTENT_VOL = true and CREATE_PV = false, specify also:

1. VOLUMES_PATH: Location of persistent volumes on host
2. STORAGECLASS: Kubernetes storage class object for persistent volumes, as above
3. PERSISTENCE_USER_GROUP: A Kubernetes user group with read/write access to the volumes

If USE_PERSISTENT_VOL = true and CREATE_PV = true, specify also:

1. NODE_NAME: The node in which to create the volumes

9. In the extracted trap container package directory, run:

./load_trap_image.sh

A container image is pushed to your Kubernetes and is now available from which to run trap Appliance pod instances (see Deploying Appliances in Kubernetes below).
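The persistent-volume claims and the microk8s node-port range edit in the procedure above are the two setup steps most easily done inconsistently with k8s_config. The shell helper below is an added example, not part of the TrapX package: it generates PersistentVolumeClaim manifests for the seven claim names listed above (the three 0.5 GB claims, plus the four small ones when readOnlyRootFilesystem is true), refuses the READ_ONLY_FS = true / USE_PERSISTENT_VOL = false combination the guide rules out, and appends --service-node-port-range 1-65000 to the kube-apiserver args file only when it is not already present. The namespace trapx, the storage class name manual, the ReadWriteOnce access mode and the concrete sizes 512Mi and 10Mi are assumptions.

```shell
#!/bin/sh
# Added example, not part of the TrapX Trap Container package.
# Generates the PersistentVolumeClaim manifests the setup procedure asks for, checks the
# READ_ONLY_FS / USE_PERSISTENT_VOL combination, and makes the microk8s kube-apiserver
# args file carry --service-node-port-range exactly once.
# Assumptions (not from the guide): storage class "manual", access mode ReadWriteOnce,
# and 512Mi / 10Mi as concrete sizes for "0.5 GB" and "at least 10 MB".

# Claim names from the guide
BASE_CLAIMS="opt-trapx-etc-claim var-opt-trapx-log-claim var-opt-trapx-mwtrap-claim"
RO_CLAIMS="tmp-claim var-tmp-claim etc-network-claim var-opt-trapx-run-claim"

# check_pv_policy READ_ONLY_FS USE_PERSISTENT_VOL -> fails when readOnlyRootFilesystem
# is true but persistent volumes are disabled (the guide requires them in that case)
check_pv_policy() {
  if [ "$1" = "true" ] && [ "$2" != "true" ]; then
    echo "READ_ONLY_FS=true requires USE_PERSISTENT_VOL=true" >&2
    return 1
  fi
  return 0
}

# pvc_manifest NAME NAMESPACE SIZE STORAGECLASS -> prints one PVC manifest
pvc_manifest() {
  cat <<EOF
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: $1
  namespace: $2
spec:
  storageClassName: $4
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: $3
EOF
}

# trap_pvc_manifests NAMESPACE READ_ONLY_FS STORAGECLASS -> every manifest to apply:
# the three base claims always, the four extra claims only when READ_ONLY_FS is true
trap_pvc_manifests() {
  for c in $BASE_CLAIMS; do pvc_manifest "$c" "$1" 512Mi "$3"; done
  if [ "$2" = "true" ]; then
    for c in $RO_CLAIMS; do pvc_manifest "$c" "$1" 10Mi "$3"; done
  fi
}

# count_claims NAMESPACE READ_ONLY_FS STORAGECLASS -> number of PVCs generated (3 or 7)
count_claims() {
  trap_pvc_manifests "$1" "$2" "$3" | grep -c '^kind: PersistentVolumeClaim$'
}

# ensure_node_port_range ARGS_FILE -> appends the flag from the guide if absent and
# prints how many times it now occurs (always 1, so repeated runs are harmless)
ensure_node_port_range() {
  grep -q -- '--service-node-port-range' "$1" ||
    printf '%s\n' '--service-node-port-range 1-65000' >> "$1"
  grep -c -- '--service-node-port-range' "$1"
}

# Usage (namespace and storage class are placeholders; microk8s must be restarted afterwards):
#   check_pv_policy true true && trap_pvc_manifests trapx true manual | kubectl apply -f -
#   ensure_node_port_range /var/snap/microk8s/current/args/kube-apiserver
```

Because trap_pvc_manifests takes the same READ_ONLY_FS value you put in k8s_config, the set of claims it emits matches what the Appliance image will try to mount; a mismatch between the PSP and k8s_config shows up here as a missing claim rather than as a pod stuck in ContainerCreating.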

Deploying Appliances in Kubernetes

You can deploy TrapX DeceptionGrid traps in Kubernetes (see DeceptionGrid in Kubernetes Overview on page 69). Once set up in the environment (see Setting Up DeceptionGrid in Kubernetes on page 70), you can manage pods as follows.

The command for creating pods specifies s. Pods are then named: -

In TSOC, the Appliances will appear as: :_k8s where and are as defined in setup (see Setting Up DeceptionGrid in Kubernetes on page 70), and is as defined in the pod creation command.

Commands are available as scripts in the extracted package from setup, for manual use (run with ./) or programmatic use.

The following commands apply to one or more new traps, by specified trap number(s). You can specify a single trap number, a space-separated list of trap numbers, or, if Python is installed, a range.

1. create_trap.sh
2. delete_trap.sh
3. recreate_trap.sh : Delete and then create new with same trap number(s).

For example:

create_trap.sh 4-6
delete_trap.sh 1 2 4 7

The following commands are available only if persistent volumes were enabled at setup (see Setting Up DeceptionGrid in Kubernetes on page 70). A stopped trap (unlike a deleted trap as above) maintains trap configuration and logs, when subsequently started. Each of these commands applies only to a single, already-existing trap, by trap number.

1. stop_trap_pv.sh
2. start_trap_pv.sh
3. restart_trap_pv.sh : Stop and then start.

You can check status with:

kubectl get pods -n

where is the Kubernetes namespace assigned at setup.

Upon creating a pod, in TSOC initialize the Appliance (see Initializing Appliances on page 28). You can then configure the trap emulation. These can be done programmatically (see the TSOC API Developers Guide and the DeceptionGrid CLI - SDK Developers Guide).
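The range form of the trap-number argument above needs Python, and the kubectl get pods status check has to be read by eye. The shell helper below is an added example, not one of the package scripts: expand_trap_numbers turns "4-6" or "1 2 4 7" into one trap number per line in plain POSIX sh, and unhealthy_trap_pods filters kubectl get pods output down to pods whose STATUS is not Running, which is the first thing to look at when a newly created Appliance does not appear in TSOC for initialization. The sample kubectl output, the pod names and the namespace trapx are constructed for this example.

```shell
#!/bin/sh
# Added example, not one of the package scripts (create_trap.sh, stop_trap_pv.sh, ...).
# expand_trap_numbers: normalise the trap-number argument forms the scripts accept.
# unhealthy_trap_pods: reduce "kubectl get pods -n <namespace>" output to pods not Running.
# The sample output, pod names and namespace "trapx" below are constructed.

# expand_trap_numbers ARG... -> one trap number per line; "A-B" expands to A..B inclusive,
# any other argument is passed through unchanged
expand_trap_numbers() {
  for a in "$@"; do
    case $a in
      *-*)
        lo=${a%-*}
        hi=${a#*-}
        i=$lo
        while [ "$i" -le "$hi" ]; do
          echo "$i"
          i=$((i + 1))
        done
        ;;
      *)
        echo "$a"
        ;;
    esac
  done
}

# unhealthy_trap_pods (reads kubectl get pods output on stdin) -> "NAME STATUS" for each
# pod whose STATUS column is anything other than Running; the header line is skipped
unhealthy_trap_pods() {
  awk 'NR > 1 && $3 != "Running" { print $1, $3 }'
}

# Constructed sample of "kubectl get pods -n trapx" output, used by demo_unhealthy
SAMPLE_PODS='NAME     READY   STATUS             RESTARTS   AGE
trap-1   1/1     Running            0          3h
trap-2   0/1     CrashLoopBackOff   5          3h
trap-3   0/1     Pending            0          2m'

# demo_unhealthy -> runs the filter over the constructed sample
demo_unhealthy() {
  printf '%s\n' "$SAMPLE_PODS" | unhealthy_trap_pods
}

# Usage against a live cluster (namespace is a placeholder):
#   kubectl get pods -n trapx | unhealthy_trap_pods
#   for n in $(expand_trap_numbers 4-6); do ./restart_trap_pv.sh "$n"; done
```

Feeding the expanded numbers to the single-trap persistent-volume scripts one at a time, as in the usage comment, keeps to the guide's rule that those commands take exactly one already-existing trap number.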


Troubleshooting and Maintenance

This section describes several tools and options for troubleshooting and maintenance purposes.

In This Section
Enabling Remote Support Access (page 74)
Managing Appliance Routing (page 74)
Backup & Restore (page 75)
Stopping or Restarting the Trap Service (page 76)
Administration Menus (page 76)
Repairing or Reconfiguring a Full OS Trap (page 82)
Viewing TSOC Logs (page 83)
Obtaining Diagnostics (page 84)
Testing Communications (page 84)

Enabling Remote Support Access

Appliance remote access allows TrapX support personnel to access the Appliance remotely. Remote access was enabled or disabled at Appliance setup; you can subsequently change this setting from TSOC. To enable or disable remote access, in TSOC go to Appliances > Appliance > Configuration > Settings, and change the Remote Access status.

Managing Appliance Routing

In most cases, Appliance routing is configured automatically and correctly according to network connections and interface configuration. For cases where additional routing configuration is required, routes and gateways can be configured from TSOC, at Appliances > Appliance > Configuration > Routing.


Backup & Restore

In This Section
TSOC Backup & Restore (page 75)
Appliance Backup & Restore (page 75)

TSOC Backup & Restore

You can back up all TSOC data and configuration. The most recent backup is stored in TSOC, from where you can download it. The backup can subsequently be restored to a clean, newly-installed (and licensed) TSOC; this can also be used for migration. To back up or subsequently restore TSOC, in TSOC go to Settings > Backup.

Appliance Backup & Restore

Appliances' configurations, including their traps and tokens, are automatically backed up daily on the TSOC server, from where you can restore them as needed, as below.

Note: Logs and emulations' spin data are backed up only if they do not exceed configurable size limits. To view their current sizes and/or change the limits, use the Appliance Administration Menu (see Appliance Administration Menu Items on page 80).

You can change the time of day when the automatic backups take place, and you can manually initiate a backup of a specified Appliance's configuration, as described below. The last three backups are maintained; older backups are deleted.

In special troubleshooting scenarios, when it may be necessary to create a more complete backup, TrapX support may direct you to perform an Appliance Interface Configuration backup (not discussed here).


In This Section
Setting the Daily Backup Time (page 76)
Restoring an Appliance's Configuration (page 76)
Manually Backing up an Appliance (page 76)

Setting the Daily Backup Time

To change the time of the daily backup, in the TSOC server's Administration Menu (see Administration Menus below) go to Appliance Configuration Backup and Restore > Set Mass Appliance Backup Schedule, and as prompted provide the desired time in the format hh:mm.

Restoring an Appliance's Configuration

To restore an Appliance's configuration (not Interface configuration) from a backup:

1. In the TSOC server's Administration Menu (see Administration Menus below) go to Appliance Configuration Backup and Restore > Restore Appliance Configuration.

2. As prompted, provide the Appliance's Unique ID (as appearing in TSOC Appliances > Appliance > Configuration > Settings > Name) and its Group ID (as appearing in that same Settings page).

3. As prompted, select from which of the listed configuration backups to restore.

Manually Backing up an Appliance

To manually initiate a backup of a specified Appliance's configuration, in the TSOC server's Administration Menu (see Administration Menus below) go to Appliance Configuration Backup and Restore > Backup Appliance Configuration, and as prompted, provide the Appliance's Unique ID (as appearing in TSOC Appliances > Appliance > Configuration > Settings > Name) and its Group ID (as appearing in that same Settings page).

Stopping or Restarting the Trap Service To start, stop, or restart an Appliance’s service for its emulation traps, in the Appliance’s Administration Menu (see Administration Menus below) go to Malware Trap Settings > Stop / Start / Restart Malware Trap.

Administration Menus

Both the TSOC server and individual Appliances provide special administration menus for advanced commands. To access the Administration Menu:

1. Connect to the Appliance or TSOC server either at its console, or via SSH (for example, using PuTTY) over port 222.

Note: In the case of Appliances, if the connection fails make sure SSH is enabled. In TSOC's Appliances page, select the Appliance and go to Configuration > Settings > SSH Service.

2. On the TSOC server, log in as user mng; on an Appliance, log in as user sensor (default password: Log2sensor).

Note: These users do not have full-fledged shell accounts. They are restricted sudoers and can invoke only commands available in the presented menu.

At any time during configuration you can return to the main menu: on an Appliance, press Ctrl+C; on the TSOC server, press Escape.

In This Section
TSOC Server Administration Menu Items (page 77)
Appliance Administration Menu Items (page 80)

TSOC Server Administration Menu Items

The following items are available in the TSOC server's Administration Menu (see Administration Menus on page 76):

Category: Network Configuration / Network Information

Show IP Address and Subnet: Display the TSOC server's IP and subnet as configured in setup
Show Routes: Display server routes and gateways
Ping: For maintenance and troubleshooting purposes, ping a specified host
Show netstat: For maintenance and troubleshooting purposes, display established connections
Run Packet Analyzer: For maintenance and troubleshooting purposes, displays network traffic

Category: Network Configuration / Configuration

Set to DHCP; Change IP Address; Add / Remove Default Gateway: Disabled. Instead, to perform these tasks, log into TSOC as setup (default password Log2Setup)
Add / Remove Route: Edits the TSOC server's routing table (in case the default gateway is insufficient to reach some required destination)
Save Static IP Configuration: Disabled. Instead, to perform this task, log into TSOC as setup (default password Log2Setup)

Category: Appliance Configuration Backup and Restore

Backup / Restore Appliance Configuration; Set Mass Appliance Backup Schedule: Backup & restore Appliance configurations (see Backup & Restore on page 75)
Export / Import Appliance Interface Configuration: Bulk-configure interfaces and traps

Category: Middleware

Status: For troubleshooting scenarios, status details for support
Restart: For troubleshooting scenarios, restarts TSOC middleware
Consumers: For each Appliance and Full OS trap, lists in JSON format:
  1. name: consumer__
  2. stats:
     Total (failed and successful) numbers of (in order): sent events; keep alive messages; and manual (see Testing Communications on page 84) or automatic tests
     Failed numbers of: sent events; keep alive messages; and manual (see Testing Communications on page 84) or automatic tests
     Waiting: Total number of events, messages or files stuck in queue
  3. status: Should be Running
  If you find any problems, test (see Testing Communications on page 84) the Appliance and send results to TrapX support.
Clients: For each Appliance and Full OS trap, displays status. All should be Active or Idle. If you find any problems, test (see Testing Communications on page 84) the Appliance and send results to TrapX support.
Queues: The Messages column indicates the number of messages stuck in queue. They should all be 0. If you find any problems, test (see Testing Communications on page 84) the Appliance and send results to TrapX support.
Test: Test communications to a specified Appliance or Full OS trap, for the events channel or file channel
Restore credentials: For troubleshooting purposes, reset communications with a specified Appliance or Full OS trap
Recover Rabbit: For TrapX support only

Category: Global Settings

Attack Intelligence: Enable / disable sending events to Attack Intelligence (see Enabling Attack Intelligence on page 51)
Reset Connector Certificates: For TrapX support only
Create CSR File: For certificate signing (see Signing the TSOC Certificate on page 9)
Services status: For troubleshooting purposes, lists current statuses of services
Restart Communication Services: For troubleshooting purposes, restarts TSOC's control communication channel with Appliances. Note that Appliances will be disconnected for a short while
Change 'mng' User Password: Changes the password of the mng user that you're logged in with now
Manage Custom Updates Source: For closed-environment upgrade (see Upgrading in a Closed Environment on page 49)
Check for Updates: Upgrade check (see Checking for Software Upgrades on page 49)
Pull Latest Feeds: Generally should only be used for troubleshooting scenarios, otherwise do in UI (see Updating NIS Intelligence Feeds on page 57)
Enable/Disable SSH: Disable SSH access to this menu. If disabled, access will be only via console
Enable debug mode for Deception Tokens: For troubleshooting purposes, causes subsequent deception token installations to record debug logs on target endpoints
List last event ID sent by syslog: For troubleshooting purposes, lists per-type details of the last sent event syslogs, by ID (for events from Appliances) / MID (for events from Full OS traps)
Disable SAML authentication: If TSOC is in SAML authentication mode (see Overview of User Authentication and Authorization on page 24), and there's a problem with the IdP so you can't access the TSOC UI, disable SAML here
Enable/Disable TSOC ACL: Set TSOC ACL (see Controlling TSOC Access on page 10) status
Generate Privileged API Key: For high-privilege API / SDK / CLI commands

Category: Events

Enable/Disable Cache: Generally should only be used for troubleshooting scenarios, otherwise use the UI Suppress repeat events setting (see Suppressing Repeat Events on page 55)
Modify number of downloaded events: Customize the number of events per page in responses to API / CLI / SDK requests for events

Upgrade packages: Updates OS packages. Intended for cases where a TSOC version requires updated packages but did not have general internet access at the time of upgrade
Reboot: Reboots the TSOC server
Shutdown: Shuts down the TSOC server
Health Check: For TrapX support only

Appliance Administration Menu Items

The following items are available in DeceptionGrid Appliances' Administration Menus (see Administration Menus on page 76):

Category: Network Information / Configuration

Show Interface Settings: Generally should only be used for troubleshooting scenarios. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Interfaces
Show Routes: Generally should only be used for troubleshooting scenarios. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Routing
Ping; Check Port; Traceroute; Show netstat: Standard well-known network tools for maintenance and troubleshooting purposes
Add / Remove Network / Host Route: Generally should only be used for troubleshooting scenarios. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Routing
Configure VLANs: Generally should only be used for troubleshooting scenarios. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Interfaces
Restore Malware Trap State: Deletes the Appliance's configured settings and internal data, and restores them to their defaults (factory defaults). Does not delete network settings, i.e., VLANs, sub interfaces, aliases
  Note: It may take some time for restoration results to appear in TSOC.

Category: Global Appliance Settings

Services Status: For troubleshooting purposes, lists current statuses of services
Run packet analyzer: For maintenance and troubleshooting purposes, displays network traffic on a specific interface
Check Connectivity to TSOC: For maintenance and troubleshooting purposes, display per-port and per-service connectivity status
Enable / Disable Support Access: Enables / disables TrapX support remote access. Same as from TSOC (see Enabling Remote Support Access on page 74)
Change setup Password: Change the password for the setup user, used for initial Appliance configuration
Change sensor Password: Change the password for the sensor user that you're using now
Restart Appliance Controller: For troubleshooting purposes, restarts the Appliance's control communication channel with TSOC
Reboot Appliance: Generally should only be used for troubleshooting scenarios. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Settings > Reboot the Appliance
Shutdown Appliance: Generally should only be used for troubleshooting scenarios or other special situations. Otherwise, in TSOC go to Appliances > Appliance > Configuration > Settings > Shut down the Appliance
Show Appliance Serial: Show the Appliance host serial number (VPD)
Show Appliance Software Version: Shows the DeceptionGrid version installed on the Appliance
Upgrade NIC Firmware: Use only when and as directed
View Last Upgrade Log (Brief): If you upgraded an Appliance's version, view a digest of the upgrade log, including the upgrade status (whether the upgrade was successful or unsuccessful)
View Last Upgrade Log (Full): Same as previous but includes entire log contents
Reset Appliance Certificate; Start / Stop Events: For TrapX support only
Middleware event and log cleanup
Set Max Logs/Spindata size for Appliance Backup: View current sizes of spin data and of logs; change maximum sizes for Appliance backup (see Backup & Restore on page 75)

Category: Connectivity

Status: Check connectivity from Appliance to TSOC

Category: NIS Settings

Actions for Network Intelligence Sensor (NIS) (see Deploying Network Intelligence Sensor on page 56)

Category: Malware Trap Settings

Check Network Connectivity: Use Ping to test IP connectivity from Appliance interfaces to the configured gateway. You can test parent interfaces connected to single networks (for example, eth0; but not its subinterfaces), and virtual VLAN interfaces in trunk connections (but not their child VLAN Alias interfaces). Select to test all relevant interfaces, or, to test just one, provide its name (for example, eth0 or vlan42)
Enable / Disable / Run Network Discovery: Generally should only be used for troubleshooting scenarios or other special situations. Otherwise, do in TSOC as in Set Network Discovery Subnet, DeceptionGrid Security Deployment Guide
Configure SMB Domains: Generally should only be used for troubleshooting scenarios or other special situations. Otherwise, do in TSOC (see Enabling SMB Signing Support on page 18)
Check SMB Domain Connectivity: For troubleshooting scenarios
Configure SMB Share False Positives: For internal use. See DeceptionGrid Security Handling & Analysis Guide, Exceptions
Stop / Start / Restart Malware Trap: Start, stop, or restart the Appliance's service for emulation traps
Disable / Enable OS Fingerprint: For troubleshooting scenarios, can disable traps' OS emulation component. Use only by direction of TrapX support
Configure ARP Listener: For TrapX support only
Configure special parameters: For troubleshooting scenarios. Use only by direction of TrapX support

Repairing or Reconfiguring a Full OS Trap

To solve issues with a full OS trap agent's installation, upon a change to the TSOC address, and/or to change the name by which TSOC identifies a full OS trap agent:

1. From TSOC, set the trap to Maintenance mode (see Setting Maintenance Mode on page 66).

2. On the agent host computer, do one of the following:

a. Run the installer and select the option to repair. A copy of the installer is located on the host computer, at: \Data\ where is the full OS agent's installation directory, named according to the selected obfuscation profile.

Note: If for some reason you cannot set the trap to maintenance mode, the agent will not allow remote repair. In this case open a direct console to the agent host, run the installer, and you will be presented with an option for maintenance mode. Select it, click Submit, and then repair.

b. Run the installer via the following command line:

msiexec /fvomus /quiet NCIAInstaller.msi TSOC_ADDRESS= TSOC_TRAP_ID=

The above arguments are:

i. TSOC_ADDRESS : TSOC's IP address

ii. TSOC_TRAP_ID : Trap name to appear in TSOC. Must be 5-15 alphanumeric characters

iii. The restart option (required): One of: /forcerestart (recommended): Restart when complete; /norestart (not recommended): Don't restart

Note: If for some reason you cannot set the trap to maintenance mode, the agent will not allow remote repair. In this case you must run the command from a direct console to the agent host.

3. If you made changes to the TSOC IP address and/or trap ID, you'll need to initialize the trap from TSOC as after installing the trap (see Setting Up Full OS Trap on page 59).

Viewing TSOC Logs

For troubleshooting and maintenance purposes, TSOC displays several types of logs:

1. WebApp: TSOC backend operations
2. Audit: TSOC user actions
3. Distribution: Deception token distribution operations

To view logs, in TSOC go to Settings > Logs.

You can filter the displayed logs by Message strings and by date range. Module is one of the types above.

Audit logs are cleared every 30 days; WebApp and Distribution logs are cleared every 7 days. To keep logs longer, you can Export to CSV. Or, for Audit logs, you can automate periodic retrieval via API (see the TSOC API Developer's Guide) or CLI/SDK (see the DeceptionGrid CLI/SDK Developer's Guide). Alternatively, contact TrapX support to extend the log retention period.

Obtaining Diagnostics

For troubleshooting purposes, TrapX support may ask you to download and send a package of TSOC or Appliance logs or configuration files.

1. For TSOC logs or configuration files, in TSOC go to Settings > Logs > Diagnostics.
2. For Appliance logs or configuration files, in TSOC go to Appliances > Appliance > Diagnostics.

In the relevant section, first have TSOC Retrieve and build the package; when an availability message appears, Download the package.

Testing Communications

You can test communications between an Appliance and TSOC. To test, in TSOC go to Appliances > Appliance > Diagnostics, and by Infrastructure test click Run. TSOC will display an informative message including status and recommendations as relevant.

Support

Support for TrapX products is provided by TrapX or by an authorized TrapX Service Partner. More information and technical support for TrapX products are available at:

support.trapx.com/portal

[email protected]

Americas: 1-855-249-4453
EMEA & Asia Pacific: +44-208-819-9849

Documentation Feedback TrapX Security continually strives to produce high quality documentation. If you have any comments, please contact [email protected].

About TrapX Security® TrapX Security is the pioneer and global leader in cyber deception technology, with flagship solution DeceptionGrid effectively detecting, deceiving, and defeating advanced cyber attacks and human attackers in real-time. DeceptionGrid provides automated, highly accurate insight into malicious activity unseen by other types of cyber defenses. Deploying DeceptionGrid sustains a proactive security posture, fundamentally halting the progression of an attack. DeceptionGrid changes cyber-attack economics by shifting the cost to the attacker. The TrapX Security customer base includes worldwide Forbes Global 2000 commercial and government customers in key industries including defense, healthcare, finance, energy, and consumer products. Learn more at www.trapx.com .

Disclaimer Product specifications are subject to change without notice. This document is believed to be accurate and reliable at the time of printing. However, due to ongoing product improvements and revisions, TrapX cannot guarantee accuracy of printed material after the Date Published nor can it accept responsibility for errors or omissions. Before consulting this document, check the corresponding Release Notes regarding feature preconditions and/or specific support in this release. In cases where there are discrepancies between this document and the Release Notes, the information in the Release Notes supersedes that in this document. Updates to this document and other documents as well as software files can be obtained by TrapX customers.

Trademarks and Copyright © Copyright 2022 TrapX Security Ltd. All rights reserved. This document is subject to change without notice. TrapX, TrapX Security, DeceptionGrid and CryptoTrap are trademarks or registered trademarks of TrapX Security in the United States and other countries. Other trademarks used in this document are the property of their respective owners. Updated 20/2/22
