
ARCHIVED STORY

How FireEye Endpoint Security Protects Against Ransomware (Like DARKSIDE)

Although reports indicate that DARKSIDE ransomware operations have shut down, the issue of ransomware itself is only getting worse. We’ve all seen the impact that ransomware can have on critical operations, so organizations across all industries must remain vigilant to reduce risk and combat the threat. Unfortunately, the battle is asymmetrical. Threat groups are constantly shifting their tactics, techniques, and procedures (TTPs) to try to bypass security, and defenders need to keep up.

The recent high-profile attack involving DARKSIDE is an example of ransomware-as-a-service (RaaS). In this model, one group (the operator) develops and maintains the ransomware and its supporting infrastructure, while affiliates use that service to compromise victims and share any ransom paid with the operator. The affiliate consumes the operator's tooling much as a developer consumes open source code. These attacks can unfold quickly, so organizations need the right tooling in place to detect and respond to them adequately.

FireEye Endpoint Security uses multiple protection engines and customer-deployable modules built from the experience of front-line responders to defend against these types of attacks. The combination of signature-based, machine-learning-based, and behavior-based protection capabilities, the UAC Protect module, and the Process Guard module for FireEye Endpoint Security provides maximum protection for customers. FireEye has verified that all currently available DARKSIDE samples are proactively blocked by FireEye Endpoint Security.

To use Endpoint Security to defeat techniques used by DARKSIDE and other ransomware operators, FireEye recommends enabling the following settings and feature configurations as outlined in this post:

  • Malware Protection – Signature-based and Machine-learning based protection
  • UAC Protect – Module that protects against User Account Control (UAC) bypass attacks
  • Process Guard – Module that protects against Credential Dumping
  • Real-Time Indicator Detection – Indicator of Compromise detection

Malware Protection

Navigate to Admin -> Policies.

Endpoint Security Protect Fig 1

Select the desired policy (or policies).

Endpoint Security Protect Fig 2

Select Malware Protection.

Endpoint Security Protect Fig 3

Malware Detection

Switch Signature and Heuristic Detection to ON, and switch MalwareGuard Detection to ON.

Endpoint Security Protect Fig 4

Quarantine

Switch Signature and Heuristic Quarantine to ON, and switch MalwareGuard Quarantine to ON.

Endpoint Security Protect Fig 5

Click Save.

UAC Protect

DARKSIDE and similar threats also abuse the User Account Control (UAC) feature of Windows to elevate privileges without prompting the user, so it's important to download, install, and enable the UAC Protect module for FireEye Endpoint Security. This helps reduce the attack surface for DARKSIDE and other types of attacks and improves overall security posture. This video provides information about protecting against UAC bypass attacks with UAC Protect for FireEye Endpoint Security.

Download

Visit FireEye Market.

Endpoint Security Protect Fig 6

Download UAC Protect.

Endpoint Security Protect Fig 7

Install

Navigate to Modules -> HX Module Administration.

Endpoint Security Protect Fig 8

Click INSTALL MODULES and select the UAC Protect module downloaded in the previous step.

Endpoint Security Protect Fig 9

Enable

Navigate to Admin -> Policies.

Endpoint Security Protect Fig 10

Select the desired policy (or policies).

Endpoint Security Protect Fig 11

Select UAC Protect and switch Enable module for hosts to On.

Endpoint Security Protect Fig 12

Click Save.

Process Guard

Credential dumping (extracting password hashes, Kerberos tickets, or plaintext credentials from memory, most commonly from the LSASS process) is a popular technique for credential access, privilege escalation, and lateral movement in many attacks, including those perpetrated by DARKSIDE. The Process Guard module for FireEye Endpoint Security can protect against common credential dumping attacks, so it's important to download, install, and enable the Process Guard module for FireEye Endpoint Security. More information about using Process Guard to protect against these types of attacks is available in this video.

Download

Visit FireEye Market and download Process Guard.

Endpoint Security Protect Fig 15

Install

Navigate to Modules -> HX Module Administration.

Endpoint Security Protect Fig 16

Click INSTALL MODULES and select the Process Guard module downloaded in the previous step.

Endpoint Security Protect Fig 17

Enable

Navigate to Admin -> Policies.

Endpoint Security Protect Fig 18

Select the desired policy (or policies).

Endpoint Security Protect Fig 19

Select Process Guard.

Endpoint Security Protect Fig 20

Switch Enable Process Guard on the host to ON, and switch Block on Detection to ON.

Endpoint Security Protect Fig 21

Click Save.
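Once the UAC Protect and Process Guard policies above have been pushed, it is worth confirming on a sample host that the conditions they depend on actually hold. The following read-only PowerShell audit is an added example; it is not part of the original FireEye post and not product code. It assumes the Endpoint Security agent's Windows service is named xagt (change $AgentService if your deployment differs) and uses the standard Windows registry locations for UAC (EnableLUA, ConsentPromptBehaviorAdmin) and LSA protection (RunAsPPL). The LSA protection check is a native Windows control that complements, and does not replace, Process Guard; the post does not configure it.

```powershell
# Added example, not from the original post: a read-only audit of the conditions
# the UAC Protect and Process Guard modules depend on or are complemented by.
#   1. The Endpoint Security agent service is installed and running. "xagt" is
#      assumed to be the agent's service name; adjust $AgentService if needed.
#   2. User Account Control is actually enabled (EnableLUA = 1). UAC Protect blocks
#      bypasses of UAC; if UAC is off there is nothing to bypass and local admins
#      already run fully elevated.
#   3. LSA protection (RunAsPPL) is on. This native control refuses LSASS handles
#      to non-protected processes and is defense in depth alongside Process Guard.
# Nothing here modifies the host; it only reads service state and registry values.

$AgentService = 'xagt'   # assumption: default agent service name in this deployment

function Get-EndpointProtectionAudit {
    [CmdletBinding()]
    param([string]$ServiceName = $AgentService)

    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Agent service present and running
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check    = "Agent service '$ServiceName' running"
        Pass     = ($null -ne $svc -and $svc.Status -eq 'Running')
        Observed = $(if ($svc) { $svc.Status.ToString() } else { 'not installed' })
    })

    # 2. UAC enabled. ConsentPromptBehaviorAdmin is reported for context:
    #    0 means "elevate without prompting", which also weakens UAC as a boundary.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check    = 'UAC enabled (EnableLUA = 1)'
        Pass     = ($uac.EnableLUA -eq 1)
        Observed = "EnableLUA=$($uac.EnableLUA) ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"
    })

    # 3. LSA protection. 1 = enabled (with UEFI lock), 2 = enabled without UEFI
    #    lock on newer Windows builds; absent or 0 means LSASS is unprotected.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue
    $results.Add([pscustomobject]@{
        Check    = 'LSA protection (RunAsPPL = 1 or 2)'
        Pass     = ($lsa.RunAsPPL -in 1, 2)
        Observed = "RunAsPPL=$($lsa.RunAsPPL)"
    })

    return $results
}

$audit = Get-EndpointProtectionAudit
$audit | Format-Table -AutoSize
foreach ($failed in ($audit | Where-Object { -not $_.Pass })) {
    Write-Warning "FAILED: $($failed.Check) (observed: $($failed.Observed))"
}
```

Run it in an elevated PowerShell session on a host in the policy's host set. Any row with Pass set to False is worth fixing before trusting the module's coverage: a host with EnableLUA = 0 has no UAC boundary for UAC Protect to defend, and a host whose agent service is stopped is protected by none of the settings configured above.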

Real-Time Indicator Detection

FireEye Endpoint Security can also be configured to alert based on IOC detections related to DARKSIDE and other similar threats. In order to enable that functionality, follow the steps below to ensure that Real-Time Indicator Detection is enabled in the environment.

Navigate to Admin -> Policies.

Endpoint Security Protect Fig 22

Select the desired policy (or policies).

Endpoint Security Protect Fig 23

Select Real-Time Indicator Detection and switch Real-Time Indicator Detection to ON.

Endpoint Security Protect Fig 24

Click Save.

Summary

FireEye Mandiant has been tracking DARKSIDE since August 2020 and proactively providing protection to customers as samples and techniques are discovered on the front lines during investigations by Mandiant. Customers should ensure they have configured and enabled FireEye products to protect against threats such as DARKSIDE using the information in this post. Additionally, Mandiant Managed Defense customers can reach out for assistance in configuring and operating FireEye products to provide maximum protection.

FireEye solutions and Mandiant services offer comprehensive coverage against DARKSIDE and other threats that matter most. Head over to our site to learn more about how FireEye Endpoint Security, Email Security, Network Security, and Helix, the FireEye security operations console, provide a layered approach to security that helps organizations see the bigger picture.
