In M-Trends 2020, the global median dwell time—defined as the duration between the start of a cyber intrusion and it being identified—was 56 days. The longer an attacker dwells inside an organization the greater the potential impact of the breach. A longer dwell time means the attacker has more opportunity to infect devices, implant backdoors or exfiltrate valuable data. Time is the enemy of the security responder.
Slowing down a responder even more are various other roadblocks, including:
- Rules meant to protect the organization
- Slow or no response from affected employees
- Tools used to manage client machines are only available to the desktop or network teams
- Disabled tools due to an infection or breach
As a result, the mean time to respond (MTTR) and resolve incidents increases.
With this in mind, FireEye has created the Host Remediation module for FireEye Endpoint Security. To respond quickly and resolve issues, security responders often require direct access to a user device or server, and not being reliant on other teams or tools for access. With the new Host Remediation module, users are provided a fast, real-time responsive shell that allows a responder to remotely run commands on devices managed from the FireEye Endpoint Security console. Responders now have the ability to quickly remediate a threat or perform corrective actions on an endpoint.
How It Works
The new Host Remediation module, like all modules, can be downloaded from the FireEye Market at no additional cost for licensed customers. Once downloaded, deploying this module is as easy as installing the server component in the Endpoint Security console and enabling the client component via an Agent Policy. Once deployed, an Endpoint Security administrator can enable the Host Remediation module on all hosts or a subset of hosts using the host set feature of FireEye Endpoint Security.
Figure 1: Enabling Host Remediation in Agent Policy
The Host Remediation module uses the existing Endpoint Security (formerly HX) server to agent communication channels to securely communicate with endpoints using mutual TLS v1.2 and AEAD mode cipher. This eliminates the need to use third-party tools or configure any additional firewall rules or open any ports for the module to be able to perform operations.
Additionally, a log is created with a session transcript that includes all commands issued within the Host Remediation module for auditing purposes. Commands can also be streamed in real time to FireEye Helix or a SIEM by leveraging the Event Streamer module for FireEye Endpoint Security, which can also be downloaded at no additional cost from the FireEye Market.
Using the Host Remediation user interface, an administrator can remotely connect to an endpoint and execute native operating system commands such as deleting malicious files, killing malicious or processes, or deleting a registry entry in order to clean up an infected system. The Host Remediation module also supports uploading or dragging and dropping custom batch or PowerShell scripts for more streamlined and automated remediation steps.
Figure 2: Host Remediation session in progress
With this module, security responders can quickly and securely contain an attack, reduce the time that an attacker resides on the endpoints and reduce the impact of any breach.
The Host Remediation module for FireEye Endpoint Security is available right now on the FireEye Market.