CH-1.pdf
Trend Micro™ TippingPoint® Solutions 1.0
Training for Certified Professionals
Student Guide

© 2022 Trend Micro Inc. Education

Copyright © 2022 Trend Micro Incorporated. All rights reserved. Trend Micro, the Trend Micro t-ball logo, TippingPoint, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.

Portions of this manual have been reprinted with permission from other Trend Micro documents. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted.

Information in this document is subject to change without notice. No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted without the express prior written consent of Trend Micro Incorporated.

Released: May 01, 2021
TippingPoint SMS 5.5.2, TOS 5.5.2

Table of Contents

Table of Contents .... i

Introduction to Trend Micro and TippingPoint .... 1
  Trend Micro Product Portfolios .... 1
    Supporting Components .... 3
    Global Threat Intelligence .... 3
    Common Services .... 4
    Ecosystem Integration .... 4
  Solutions Overview .... 5
    TippingPoint Inspection Portfolio .... 5
  Trend Micro Threat Intelligence Overview .... 5
    Threat Research .... 5
    Vulnerabilities and Exploits .... 5
    Targeted Attacks .... 6
    AI and Machine Learning .... 6
    IoT, Industrial IoT & OT .... 6
    Cybercriminal Underground .... 6
    Microsoft Vulnerability Acknowledgments Since 2006* .... 7
    Global Reach: Research Centers .... 8
    Translating Security Intelligence to Protection .... 8
    Zero Day Initiative (ZDI) .... 9
    Typical Response Time .... 10
    Published Advisories .... 10
    Vulnerability Filters .... 10
    Security Intelligence .... 11
    Threat Digital Vaccine (ThreatDV) .... 13
    ThreatDV Reputation Feed .... 13
    docs.trendmicro.com .... 14
    Success.trendmicro.com .... 15
    Threat Management Center (TMC) .... 16
    Navigate TMC .... 16
  Hands-on Labs .... 17

Portfolio Overview .... 19
  Inspection Devices Overview .... 19
    Inspection Device Background .... 19
    Centralized Management Experience .... 20
    8X00TX Platform Front Overview .... 20
    8X00TX Platform Rear Overview .... 21
    1100/5500TX Platform Front Overview .... 22
    1100TX/5500TX Platform Rear Overview .... 22
    2200T Mechanical Overview .... 23
    440T Mechanical Overview .... 23
    NX Platform Mechanical Overview .... 24
    Standard I/O Modules .... 24
    Bypass I/O Modules .... 25
    vTPS Platform .... 25
    Cloud One Network Security .... 25
  SMS Manager .... 26
    Feature Overview .... 26
    What's New in SMS 5.5 .... 27
    SMS 5.4 Highlighted Features .... 27
    SMS 5.3 Highlighted Features .... 28
    Prioritizing Vulnerabilities with Policy Workflow .... 28
    Addressing High Security Risks with Policy Workflow .... 29
  Deployment Scenarios .... 29
    Element Management .... 29
    Basic Deployment Scenario .... 31
    Common Deployments .... 31
  Hands-on Labs .... 31

Inspection Device Setup .... 33
  License Manager .... 33
    TPS Licensing System Concepts .... 33
    Accessing License Manager .... 33
    License Management .... 34
    Device Licenses .... 34
    Default and Licensed Throughput .... 35
    License Inventory .... 36
  Out-of-Box Experience (OBE) .... 37
    Initial Device Setup at a Glance .... 37
    Out-of-Box Experience (OBE) .... 37
    Security Settings .... 38
    Super-User Creation .... 39
    Login With New Account .... 40
    Management Port Configuration .... 40
    Gateway & DNS Setup .... 41
    Timekeeping .... 42
    Save the Settings and Login .... 42
  Introduction to Local Security Manager (LSM) .... 43
    Element Management .... 43
    Login Screen .... 44
    Home Screen .... 45
    Health Status and Log Summary .... 46
    System Log .... 46
    Audit Log .... 47
    Alert and Block Logs .... 47
    Manager User Accounts .... 48
    Device License .... 49
    Flexible License Model .... 49
    Attach License .... 50
  Hands-on Labs .... 50

Security Management System (SMS) .... 51
  Setup and Basic Configuration .... 51
    Feature Overview .... 51
    Additional Key Features .... 52
    Device Management .... 52
    SMS Setup at a Glance .... 54
    Initial Login .... 56
    License and Setup Wizard .... 56
    Security Level, Username and Password .... 56
    Network Configuration .... 57
    Finishing the Setup Wizard .... 58
  Communication Settings .... 58
    Communication Channels .... 58
    SNMP Traps from the TPS .... 59
    SNMP Monitoring .... 59
  SMS Web Console .... 60
    Threat Insights .... 60
    Policy Workflow .... 61
    Active Malware Threats .... 61
    Performance Insights .... 62
    New/Modified DV Filters .... 62
    Devices (L2FB) .... 63
    Reports .... 63
    Exports and Archives .... 64
    System Logs .... 65
    Client Installation .... 65
  SMS Management .... 66
    Client Versions .... 66
    Dashboard and Main Window .... 66
    General Settings .... 67
    Server Properties Management .... 68
    Network Settings .... 70
    SYSLOG Properties .... 70
    TLS Properties .... 71
  SMS Admin - Users, Groups, and Roles .... 71
    Authentication and Authorization .... 71
    User Roles .... 72
    Capabilities .... 73
    User Groups .... 74
    Segment Groups .... 75
    User Management .... 75
    User Creation .... 76
    Membership .... 76
    User Monitoring .... 77
    SMS Resource Permissions .... 77
  Hands-on Labs .... 78

Inspection Device Management .... 79
  Device Configuration .... 79
    Device Summary and Configuration .... 79
    Configuration .... 80
    Multi-Device Edit .... 80
    Starting Multi-Device Edit .... 81
    Devices Being Modified .... 81
    Devices with Different Configurations .... 82
    Member Summary .... 82
    Network Summary .... 83
  Network Configuration .... 83
    Overview .... 83
    Segment Groups .... 84
    Segment Group Concepts .... 84
    Segment Group Management .... 84
    New/Editing Segment Groups .... 85
    Modifying Permissions .... 86
    Device Segment Settings .... 86
  Network Availability .... 86
    Layer 2 Fallback (L2FB) .... 87
    Configuring Fallback .... 87
    Manual Fallback .... 88
    L2FB Block Example .... 88
    Link Down Synchronization .... 89
    Segment Settings .... 90
    Port Settings .... 91
  Zero Power High Availability (ZPHA) .... 91
    ZPHA Operation .... 92
    Modular ZPHA Chassis .... 92
    ZPHA Bypass Modules .... 93
    On Device ZPHA .... 93
  TippingPoint Operating System (TOS) .... 95
    SMS Product Version Compatibility .... 95
    TOS Upgrade Path Verification .... 95
    TOS Inventory and Distribution .... 96
    Member Summary .... 97
  Hands-on Labs .... 97

Security Profile Management .... 99
  Digital Vaccine (DV) .... 99
    Overview .... 99
    Active vs. Distributed .... 100
    DV Mismatch .... 100
    Active DV and Inspection Profiles .... 101
    Filter Distribution by Categories .... 102
    Inventory .... 103
    Import and Download from TMC .... 104
    Distribution .... 104
  Profile Versioning, Rollback, and Auditing .... 105
    Profile Snapshots .... 105
    Profile Versions .... 106
    Profile Overview .... 107
    Which Profiles are Applied Where? .... 107
  Profile Search .... 108
    Searching for Individual Filters to Edit by Text or Filter Number .... 108
    Editing Multiple Filters .... 109
    Source Criteria Search .... 110
    Additional Criteria Search .... 110
    Filter Taxonomy Criteria .... 111
    Search Results .... 111
    Modified Filters .... 112
  Import/Export Profiles .pkg files .... 112
    Profile Import/Export .... 112
    Importing a Profile .... 113
    Exporting a Profile .... 113
  Managing Multiple Profiles .... 114
    Global Search Across Multiple Profiles .... 114
    Profile Compare .... 114
    Profile Compare Details for Categories .... 115
    Profile Compare by Filter .... 115
  Hands-on Labs .... 116

Traffic Management Filters .... 117
  Flow Based vs. Non-Flow Based .... 117
    Flow Based Filters vs. Other Protection .... 117
    Different Ways to Detect a Malicious Flow .... 117
    Vulnerabilities vs. Exploits .... 118
  Traffic Management Filters .... 118
    Vulnerability Scan Example - Use Cases .... 118
    Filter Actions .... 119
    Creation .... 120
    Network Settings .... 121
    Ordering .... 122
    Notes on Rate Limiting .... 122
    Rate Limit Action Set .... 123
    HTTP Rate Limit .... 123
    Network Settings Configuration .... 124
    LSM Rate Limit Reports (NX Example) .... 125
  Hands-on Labs .... 125

Quarantine .... 127
  Quarantine Concepts .... 127
    Blocking .... 127
    Thresholds ....
128 Considerations................................................................................................................................................ 129 Action Set Creation........................................................................................................................................ 129 Flow Control..................................................................................................................................................... 130 Quarantine Settings....................................................................................................................................... 130 Restrictions........................................................................................................................................................131 Apply Action Set to Filter...............................................................................................................................131 Automatic Timeout.........................................................................................................................................132 Monitoring.........................................................................................................................................................132 Quarantine Block Web Page.........................................................................................................................133 Hands-on Labs.........................................................................................................................................................133 SMS Events and Reports............................................................................................................. 135 SMS Event Management...................................................................................................................................... 
135 Query Event Panes......................................................................................................................................... 135 Filter Help......................................................................................................................................................... 136 F2 Information..................................................................................................................................................137 SMS Events.......................................................................................................................................................137 Column Aggregation...................................................................................................................................... 138 Column Filtering.............................................................................................................................................. 138 Search by Filter Text..................................................................................................................................... 138 Right Clicking on an Event........................................................................................................................... 139 Event Details.................................................................................................................................................... 140 Edit a Filter Directly from an Event........................................................................................................... 140 View Packet Traces......................................................................................................................................... 141 SMS Event Integration: Configuring Syslog.............................................................................................. 
141 SMS Reports............................................................................................................................................................ 142 Report Types................................................................................................................................................... 142 Creation Process............................................................................................................................................ 143 Report Options................................................................................................................................................ 144 Generate Report............................................................................................................................................. 145 Scheduling a Report....................................................................................................................................... 145 Export Reports................................................................................................................................................ 146 View Saved Reports....................................................................................................................................... 147 Report Example............................................................................................................................................... 147 Executive Report............................................................................................................................................ 148 SMS Web Dashboard...................................................................................................................................... 148 Hands-on Labs........................................................................................................................................................ 
149 SMS Dashboard.............................................................................................................................. 151 SMS Dashboard........................................................................................................................................................151 © 2022 Trend Micro Inc. Education v Dashboard via SMS..........................................................................................................................................151 Geo Locator Database................................................................................................................................... 152 Dashboard........................................................................................................................................................ 152 Dashboard Customization............................................................................................................................ 153 Options.............................................................................................................................................................. 153 Blank Dashboard............................................................................................................................................. 154 Palette Selection............................................................................................................................................. 154 Adding Items.................................................................................................................................................... 155 Restored Dashboard...................................................................................................................................... 155 General Settings............................................................................................................................................. 
156 Event Criteria.................................................................................................................................................. 156 Display Options............................................................................................................................................... 157 Making Items Full Sized................................................................................................................................. 157 Linked Events.................................................................................................................................................. 158 Hands-on Labs........................................................................................................................................................ 158 Maintenance and Performance Optimization........................................................................ 159 SMS Health Monitoring......................................................................................................................................... 159 Verify System Health..................................................................................................................................... 159 System Health Details................................................................................................................................... 160 Real-time Memory.......................................................................................................................................... 160 Performance Data........................................................................................................................................... 161 Tier Stats................................................................................................................................................................... 
161 Threat Suppression Engine (TSE) Flow...................................................................................................... 161 Tier 1 View via SMS......................................................................................................................................... 163 Check for Errors and Discards.................................................................................................................... 163 Historical Graphs............................................................................................................................................ 164 Traffic Stats..................................................................................................................................................... 165 UDP Packets..................................................................................................................................................... 166 Management Information............................................................................................................................. 166 LSM............................................................................................................................................................................ 167 At a Glance....................................................................................................................................................... 167 System Log...................................................................................................................................................... 168 Cleared Log...................................................................................................................................................... 169 Show log system tail...................................................................................................................................... 
169 LSM Reports.................................................................................................................................................... 169 Technical Support Report............................................................................................................................ 170 Hands-on Labs..........................................................................................................................................................171 Course Survey..........................................................................................................................................................172 Best Practices................................................................................................................................ 173 Inspection Architecture.........................................................................................................................................173 Modifying TSE Configuration/Behavior/Parameters.............................................................................173 TSE Connection Table - Blocked Streams.................................................................................................173 TSE Adaptive Filtering................................................................................................................................... 174 Filtering Concepts.................................................................................................................................................. 175 TMF Ordering................................................................................................................................................... 175 Configuration Considerations..................................................................................................................... 
176 Deployment Considerations.................................................................................................................................177 Positioning........................................................................................................................................................177 Physical Connections..................................................................................................................................... 178 I/O Modules...................................................................................................................................................... 179 Standard I/O Modules.................................................................................................................................... 179 Bypass I/O Modules........................................................................................................................................ 180 General Module Information........................................................................................................................ 180 vi © 2022 Trend Micro Inc. Education Module Hot-Swapping Guidelines................................................................................................................ 181 System Administration.......................................................................................................................................... 181 Device Management in SMS.......................................................................................................................... 181 Management Port........................................................................................................................................... 182 Authentication Levels................................................................................................................................... 
184 Inspection Device Password Recovery..................................................................................................... 184 Inspection Device Factory Reset................................................................................................................ 185 System Upgrades........................................................................................................................................... 186 TPS Storage Devices..................................................................................................................................... 186 Link-Down Synchronization (LDS).............................................................................................................. 187 Intrinsic Network High Availability (HA)................................................................................................... 188 Snapshot........................................................................................................................................................... 189 Common Pitfalls.............................................................................................................................................. 190 Throughput Licensing.................................................................................................................................... 191 Hands-on Labs......................................................................................................................................................... 191 Course Survey......................................................................................................................................................... 192 © 2022 Trend Micro Inc. Education vii viii © 2022 Trend Micro Inc. 
Lesson 1: Introduction to Trend Micro and TippingPoint

Lesson Objectives: After completing this lesson, participants will be able to:
  Discuss the Trend Micro Product Portfolio
  Identify the inspection devices in the TippingPoint portfolio
  Explain the services offered by Trend Micro Threat Research
  Navigate useful links for managing Trend Micro products

Trend Micro Product Portfolios

Trend Micro, a global cyber-security leader, leverages decades of security expertise, research, and innovation to help make the world safe for exchanging digital information. Trend Micro provides layered content security with interconnected solutions that share data, so you can protect your users, network, data center, and cloud resources from data breaches and targeted attacks. The products and services offered through the various Trend Micro product portfolios provide a technological approach to delivering multiple capabilities to customers.

Trend Micro Network One™ is a network security portfolio for IT and OT. The Trend Micro Network One portfolio includes powerful network security capabilities for stopping attacks and detecting advanced threats on the network. It includes:
  Next-generation IPS (Trend Micro™ TippingPoint™)
  Advanced Threat Protection (Trend Micro™ Deep Discovery™)
  Adaptive solutions for Operational Technologies (OT) (TXOne™ Networks)

Trend Micro Network One preserves the integrity of the network while ensuring that data, communications, intellectual property, and other intangible assets are not monetized by unwanted third parties. A combination of next-generation intrusion prevention and proven breach detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware from embedding or spreading within its network.
As the cloud security leader, Trend Micro simplifies security with Trend Micro Cloud One™, an automated, flexible, all-in-one security services platform for organizations building in the cloud. With the broadest and deepest set of security services on the market, including workload, container, serverless, file storage, and network security, combined with the ability to ensure your cloud infrastructure is configured according to industry best practices and able to comply with key regulations, you can secure your entire environment with one powerful platform. With multiple built-in services, the Trend Micro Cloud One platform enables organizations to be more agile, easily securing new cloud projects and providing the flexibility to adapt quickly to new business and compliance needs.

The Trend Micro Cloud One portfolio includes comprehensive security capabilities for securing the cloud, including:
  Trend Micro Cloud One, an automated, flexible, all-in-one security services platform for organizations building in the cloud.
  Trend Micro™ Deep Security™ software, delivering runtime security for workloads across physical, virtual, cloud, and container environments.

Trend Micro Apex One™ is a user protection portfolio for IT security. The Trend Micro Apex One portfolio includes an integrated security offering for protecting business users. It includes security for:
  Endpoints (Trend Micro Apex One)
  Cloud applications (Trend Micro™ Cloud App Security)
  Email (Trend Micro Email Security)
  Web (Trend Micro Web Security)

Trend Micro Vision One™ is a threat defense platform for security operations. Trend Micro Vision One is powered by a cloud-based platform and managed from a single console that enables organizations to gain visibility across the enterprise, understand risks and root cause, rapidly respond to incidents, centrally manage agents and policies, and more.
Trend Micro Vision One includes capabilities for:
  XDR and Managed XDR
  Risk visibility
  Agent and policy management
  Trust and Insight

Supporting Components

Global Threat Intelligence

Trend Micro products benefit from global, up-to-the-second threat intelligence. Trend Micro Research includes over 15 global research centers with over 450 threat researchers, and is the market leader in public vulnerability disclosure, accounting for 60% of disclosed vulnerabilities. Trend Micro also benefits from advanced cybercrime research, with support from law enforcement agencies around the world. Trend Micro products block nearly 62 billion threats globally per year. To maintain this scale of threat protection, Trend Micro has built one of the world's most extensive cloud-based protection infrastructures, which collects threat data from a broad, robust global sensor network to ensure customers are protected from the volume and variety of threats today, including mobile and targeted attacks. New threats are identified quickly using finely tuned automated data-mining tools and human intelligence to root out new threats within very large data streams.

Common Services

The products across the Trend Micro portfolios benefit from a collection of common services, including:
  Account and license management
  Data architecture and analytics
  Core technology and security engines
  Software as a Service infrastructure

Ecosystem Integration

Trend Micro solutions are specifically designed for and tightly integrated with leading platforms and applications, including:
  Cloud infrastructure solutions such as AWS, Microsoft Azure, Google Cloud, VMware, and Docker.
  Cloud apps including Microsoft 365, Google Workspace, and Dropbox.
  SIEM and SOAR solutions including Splunk, ArcSight, Microsoft Sentinel, IBM QRadar, and Fortinet FortiSOAR.
  Security tools including Qualys, Tenable, Check Point, and Palo Alto.
Customers can also connect into the Trend Micro ecosystem through various APIs.

Solutions Overview

TippingPoint Inspection Portfolio

Trend Micro Threat Intelligence Overview

Trend Micro Research covers a wide range of areas within the threat and computing landscape. Up-to-date intelligence ensures customer protection from a variety of threats and helps provide all organizations and individuals with information and tools that will help them protect their information in the ever-changing threat landscape. This section details the areas Trend Micro researchers are investigating.

Threat Research

The first area is where Trend Micro has a vast amount of intelligence garnered over 29 years of protecting customers from a range of cyber threats. Our researchers continually analyze and identify new malware, malicious URLs, command-and-control (C&C) locations, and domains that could potentially be used in attacks.

Vulnerabilities and Exploits

Exploits have been used in a number of recent high-profile attacks, such as WannaCry and the Equifax breach. We expect threat actors will use exploits and exploit kits in more attacks in the future.

Targeted Attacks

Targeted attacks and APTs continue to cause major issues for organizations. Our researchers constantly analyze the entire attack chain lifecycle to better understand how attackers evolve their tactics, techniques, and procedures (TTPs), to help our customers minimize the risk of being breached, and to detect when a breach has occurred so that it can be remediated.

AI and Machine Learning

Machine learning and artificial intelligence are critical capabilities for detecting threats, and Trend Micro has extensive experience with both.
Our data scientists and development teams have been using this technology to detect a myriad of threats since 2005. We utilize AI/ML to detect spam, phishing, malicious social media accounts, exploits, domain generation algorithms, known-good files for whitelisting, malicious web pages, and BEC emails, and we apply pre-execution and runtime ML to malicious files. We will continue to invest in new ways to utilize this technology to protect our customers more effectively as part of a layered defense strategy.

IoT, Industrial IoT, and OT

IoT, Industrial IoT, and OT are areas in which we are actively investing in research to identify how these devices, and the processes that use them, could be exploited by threat actors, and then how to protect them. Some examples include vulnerabilities in robotic manufacturing equipment, medical devices used in healthcare facilities, and hijacking of the communication protocols used by drones that have recently been approved for use over large groups of people. It also includes active research into consumer devices, such as kitchen appliances, smart TVs, and more, that are increasingly connected to the Internet.

Cybercriminal Underground

We have researchers who have been investigating many of the underground communities (for example, China, Russia, Germany, France, the Middle East and North Africa, West Africa, North America, Japan, and Brazil) to give us valuable insight into what is going on within these undergrounds. Identifying new TTPs, and even many of the actors or groups that share information there, allows us to identify ways to protect our customers more effectively. We also have researchers who are futurists: they look at the changing computing landscape and map it to where we think threat actors will move, giving us better visibility into where Trend Micro needs to invest in the future.
Our vulnerability research, anchored by the Zero Day Initiative (ZDI) bug bounty program, allows us to identify and disclose new vulnerabilities across a wide range of platforms, including operating systems (Windows, Linux, and Mac, among others), applications (consumer and business), and mobile devices. In 2017 ZDI disclosed over 66% of all vulnerabilities discovered in the world and has been the leader since 2007. In 2017, ZDI identified over 1000 vulnerabilities. The ZDI program includes approximately 3500 external researchers who submit vulnerabilities to Trend Micro. The ZDI program also helps to inform the protection updates that we provide to our customers, sometimes protecting them from vulnerabilities months or years in advance of public disclosure.

The Trend Micro Security Labs research team of highly skilled cybersecurity experts specializes in vulnerability analysis, malware and exploit analysis, and custom research, helping to further strengthen this area of Trend Micro Research and extending visibility and expertise globally.

As you can see, a very broad and deep body of security research is done within Trend Micro. What this means to our customers is that they gain access not only to products that can protect them today, leveraging the latest threat and vulnerability information, but also to our investment in people and technology to continually innovate the approach to security and protect them from the threats of today and tomorrow.

Microsoft Vulnerability Acknowledgments Since 2006*

Global Reach: Research Centers

Translating Security Intelligence to Protection
Zero Day Initiative (ZDI)

The Zero Day Initiative began in 2005 and is now one of the largest vendor-agnostic bug bounty programs in the world. It was created to promote the responsible disclosure of vulnerabilities.

The ZDI process:

1. Vulnerability submitted: an external researcher submits a previously unpatched vulnerability to the Zero Day Initiative, which validates the vulnerability, determines its worth, and makes a monetary offer to the researcher. Vulnerabilities are also submitted by internal researchers.
2. Vendor notified: the Zero Day Initiative responsibly and promptly notifies the appropriate product vendor of a security flaw in its product(s) or service(s).
3. Digital Vaccine filter created: at the same time as the vendor is notified, Trend Micro works to create a Digital Vaccine filter that protects customers using TippingPoint solutions from the unpatched vulnerability.
4. Vendor response: the Zero Day Initiative allows the vendor four months to address the vulnerability with a patch.
5. Vulnerability patched or remains unfixed: the vendor either releases a patch for the vulnerability or indicates to the Zero Day Initiative that it is unable to, or chooses not to, patch the vulnerability.
6. Public disclosure: the Zero Day Initiative publicly discloses the details of the vulnerability on its website in accordance with its vulnerability disclosure policy.

In 2017, Trend Micro protected customers an average of 72 days before the vendor issued a patch. Some vendors may not be able, or may choose not, to provide a patch.

Why do the 72 days matter? In the event of an exploit, you're protected. Yes, you still need to patch your systems, but you can do it on YOUR schedule, not at 3 a.m. with your hair on fire. You're in control of your patch management. Plus, we can provide protection for legacy software where no patches are available from the vendor.
On the flip side of the coin, you also need to think about the length of an exploit campaign. Exploits typically have a lifetime that follows the same cycle as other products: there is a surge of malware and exploits during the initial phase. TippingPoint customers are protected against that first phase, when exploits are most likely to affect users. In addition, while our security intelligence protects against the full vulnerability, some competitors may only provide partial coverage after a vulnerability is disclosed. Variants of an exploited vulnerability may not be caught by traditional exploit signatures from other vendors, leaving their customers susceptible to future attack.

Note: Trend Micro does not resell or redistribute the vulnerabilities that are acquired through the ZDI.

Typical Response Time

  Criteria                                              Typical Timeframe
  Actively exploited / zero-day vulnerabilities         4 - 24 hours
  Microsoft Patch Tuesday                               Immediately after Microsoft ships patches
  CVSS 9.0 - 10.0                                       Within 7 days
  CVSS 7.0 - 9.0                                        Within 14 days
  All other vulnerabilities                             Best effort

Published Advisories

Vulnerability Filters

Over 20,000 filters of network protection out of the box!

A simple exploit filter for Blaster would not detect Welchia. An RPC DCOM Virtual Software Patch vulnerability filter would detect and stop both, plus any other exploit variant that attempts to trigger the RPC DCOM buffer overflow.

The term "simple exploit filter" refers to the fact that on a software system there is a zero-sum game with respect to how much processing is available: if you add a single filter, you now have a slower system, or you need to remove something else to keep the same performance.
This is the reason that IDSs traditionally simplified signatures to the simplest level and did not check for ALL the conditions necessary for a particular attack. It is the classic 90:10 rule: do 10% of the work to be 90% right and leave the final 10% up to the security admin to figure out. This is the main cause of false positives.

With a hardware platform like ours we do not face the same trade-offs. Our engine allows us to load thousands of filters that are processed in parallel. Furthermore, our filters work at the application level: packets are reassembled into flows, the reassembled application-layer message is parsed, and the filter can then assess, for example, whether a buffer overflow condition is being attempted. The result is a verdict that fires only when all necessary conditions are met. Testing for all necessary conditions can be compute intensive for software solutions, which is the primary reason software-based IDSs often trade accuracy for performance, resulting in both false positives and false negatives.

Security Intelligence

All TippingPoint solutions use the Digital Vaccine (DV) service. DV packages include filters written to cover the entire footprint of a vulnerability, not just a specific exploit. Packages also include zero-day filters that are developed using exclusive access to vulnerability information from the Zero Day Initiative. DV packages are distributed weekly or as critical vulnerabilities emerge.

Customers can use the DVToolkit to create custom filters for proprietary or user-developed applications. They can also import open-source rules, define their own DV filter triggers, and create custom filters for both IPv4 and IPv6 environments.

Our ThreatLinQ threat intelligence portal presents the details and trends associated with DV filters. For more information, point your browser to https://www.trendmicro.com/en_us/business/products/network/intrusion-prevention/threat-intelligence.html.
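The Blaster/Welchia contrast above, and the Digital Vaccine description of filters that cover the entire footprint of a vulnerability rather than one exploit, can be made concrete with a small detector. The following Python is an added example written for this guide; it is not TippingPoint filter code and does not use the real DCERPC/RPC DCOM wire format. It assumes a constructed, simplified request layout, an assumed vulnerable operation number, an assumed 32-byte destination buffer, and two constructed worm payloads. It contrasts an exploit filter (a byte pattern lifted from one exploit) with a vulnerability filter (parse the reassembled message and test every condition the overflow needs), and also shows why per-packet pattern matching misses a pattern that is split across TCP segments while matching on the reassembled flow does not.

```python
"""Exploit filter vs. vulnerability filter over a reassembled flow.

Added example for this guide. The message layout, opnum, buffer size and
worm payloads below are constructed for illustration; they are NOT the real
DCERPC / RPC DCOM encoding or the real Blaster / Welchia packets.
"""
import struct

# Constructed request layout (assumption, not the real protocol):
#   4-byte magic | 2-byte opnum (LE) | 2-byte name length (LE) | name bytes
MAGIC = b"RPC1"
OP_ACTIVATE = 0x0004      # assumed opnum of the vulnerable operation
OP_PING = 0x0001          # assumed harmless opnum that copies no name
NAME_BUF_SIZE = 32        # assumed fixed-size destination buffer in the server

# Constructed payloads: two different worms abusing the same overflow,
# and one benign request.
BLASTER_LIKE = b"\\\\" + b"A" * 60 + b"\\c$\\shell.exe"
WELCHIA_LIKE = b"\\\\" + b"B" * 48 + b"\\c$\\svc.exe"
BENIGN_NAME = b"\\\\fileserver01\\share"

# A "simple exploit filter": the byte pattern lifted from the first worm seen.
EXPLOIT_SIGNATURE = b"A" * 60 + b"\\c$\\shell.exe"


def build_request(opnum: int, name: bytes) -> bytes:
    """Encode one application-layer request in the constructed layout."""
    return MAGIC + struct.pack("<HH", opnum, len(name)) + name


def exploit_filter(data: bytes) -> bool:
    """Exploit filter: fires only on the exact bytes of one known exploit."""
    return EXPLOIT_SIGNATURE in data


def parse_request(msg: bytes):
    """Return (opnum, name) or None if the message is malformed/incomplete."""
    if len(msg) < 8 or msg[:4] != MAGIC:
        return None
    opnum, name_len = struct.unpack("<HH", msg[4:8])
    if len(msg) < 8 + name_len:
        return None  # truncated: do not guess, wait for more of the flow
    return opnum, msg[8:8 + name_len]


def vulnerability_filter(msg: bytes) -> bool:
    """Vulnerability filter: fires when EVERY condition for the overflow holds
    (vulnerable operation AND name longer than the destination buffer),
    regardless of which exploit or variant built the message."""
    parsed = parse_request(msg)
    if parsed is None:
        return False
    opnum, name = parsed
    return opnum == OP_ACTIVATE and len(name) > NAME_BUF_SIZE


def segment(msg: bytes, size: int) -> list:
    """Split a message into TCP-segment-sized pieces (in-order delivery assumed)."""
    return [msg[i:i + size] for i in range(0, len(msg), size)]


class Flow:
    """Minimal in-order flow reassembler: concatenates segments into the
    application-layer message the filters are evaluated against."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, seg: bytes) -> bytes:
        self.buf += seg
        return self.buf


def classify(msg: bytes, seg_size: int = 24) -> dict:
    """Run both detectors over one request delivered in seg_size pieces."""
    pieces = segment(msg, seg_size)
    per_packet = any(exploit_filter(p) for p in pieces)  # no reassembly
    flow = Flow()
    reassembled = b""
    for p in pieces:
        reassembled = flow.feed(p)
    return {
        "exploit_filter_per_packet": per_packet,
        "exploit_filter_on_flow": exploit_filter(reassembled),
        "vulnerability_filter": vulnerability_filter(reassembled),
    }


if __name__ == "__main__":
    for label, req in [
        ("blaster-like", build_request(OP_ACTIVATE, BLASTER_LIKE)),
        ("welchia-like", build_request(OP_ACTIVATE, WELCHIA_LIKE)),
        ("benign", build_request(OP_ACTIVATE, BENIGN_NAME)),
        ("long name, harmless op", build_request(OP_PING, b"X" * 100)),
    ]:
        print(f"{label:24s} {classify(req)}")
```

The Welchia-like request never matches the exploit signature, but the vulnerability filter catches it because the overflow condition itself is tested. The last case shows the "all necessary conditions" point from the text: a long name sent to a harmless operation is not an attack, so the vulnerability filter stays quiet where a length-only heuristic would false-positive.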
Digital Vaccine® (DV) Service
- Security filters written to cover the entire footprint of a vulnerability
- Includes zero-day filters using intelligence from the Zero Day Initiative
- Distributed weekly or as critical vulnerabilities emerge

DVToolkit
- Create custom filters for proprietary or user-developed applications
- Import open-source rules
- Define DV filter triggers or support triggerless filters
- Create custom filters in IPv4 and IPv6 environments

ThreatLinQ
- Easy-to-use, real-time threat intelligence portal
- Review DV filter intelligence and details
- Compare DV filter profiles to the threat landscape, identify security gaps, and deploy any necessary policy changes

Threat Digital Vaccine (ThreatDV)

ThreatDV is a premium subscription service that includes the Malware Filter Package and the Reputation Feed.

Malware Filter Package (updated weekly):
- Malware filters: protection against various malware-related threats; they can detect infected hosts communicating in your network
- DGA Defense filters: protect against known malware families as well as suspicious domain names generated by unknown malware families
- Ransomware filters: use a "trace" action set to extract a private key from the network flow in order to help restore encrypted files to the victim, while blocking traffic to the command-and-control (CnC) server

Reputation Feed (updated approximately every two hours):
- Monitors and blocks inbound and outbound communications with known malicious and undesirable IP addresses and domain names
- Millions of known "bad" domain names, each given a threat score from 0 to 100
- Customers can tune policy based on geolocation, category, source, and so on, and assign actions based on their threat score threshold
- Content awareness: detects mail traffic containing phishing attack techniques
- Context awareness: blocks mail traffic from known sources of phishing emails

URL Reputation: TippingPoint devices can harness the security intelligence from the Trend Micro Smart Protection Network to monitor and block suspicious URLs, as well as provide their own entries for added protection.

ThreatDV provides security intelligence feeds from a global reputation database so you can actively enforce and manage reputation-based security policies. The database covers malware sites, phishing sites, compromised hosts, botnets, and spammers. With it you can:
- Detect bot-infected hosts on your network and stop data before it leaks out
- Block drive-by downloads of malware from known malware depots
- Block zero-day exploits from known attackers before signatures are available
- Block targeted phishing attacks from compromising users' systems
- Stop polymorphic malware from known malware sites that anti-virus tools may miss due to rapidly changing signatures
- Block sites that use fast-fluxing IP addresses by blocking DNS host names

A fully qualified domain name (FQDN) specifies a host's exact location in the tree hierarchy of the Domain Name System (DNS): it includes all domain levels, up to the top-level domain and the root zone. An FQDN is distinguished by its lack of ambiguity: it can be interpreted in only one way.

The TippingPoint Reputation Digital Vaccine Service (Rep DV) provides IPv4, IPv6, and DNS security intelligence feeds from a global reputation database so customers can actively enforce and manage reputation security policies using the TippingPoint Intrusion Prevention System (IPS) platform. The IPS platform acts as an enforcement point, inspecting traffic in real time and enforcing Rep DV security policies. (Source: docs.trendmicro.com)

ThreatLinQ was created to collect and analyze information about the security posture of the Internet. ThreatLinQ presents this information to TippingPoint customers and acts as a portal for the DVLabs team to provide additional information about TippingPoint IPS filters. This information helps customers make decisions about how, why, and when to enable different TippingPoint filters. ThreatLinQ is also designed to provide TippingPoint customers with extra security information about filter IDs and attack activity by country, TCP port, and IP address.
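The Reputation Feed description above (indicators scored 0 to 100, policy tuned by geolocation, category and source, actions assigned by score threshold) and the Rep DV point about blocking fast-flux sites by DNS host name rather than by IP can be shown as a small enforcement loop. The following Python is an added example written for this guide, not TippingPoint code and not the ThreatDV or Rep DV feed format. Every feed entry and traffic event in it is constructed (documentation IP ranges and reserved example names only), and the policy fields (score thresholds, an always-block category set, a per-country score adjustment) and the parent-domain matching for DNS names are assumptions chosen to illustrate the tuning the text describes.

```python
"""Reputation-feed policy enforcement with tunable thresholds.

Added example for this guide. The feed layout, the policy fields and every
indicator below are constructed for illustration; this is not the ThreatDV /
Rep DV feed format or TippingPoint policy code. Indicators use documentation
ranges (RFC 5737 / RFC 3849) and reserved example names only.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class RepEntry:
    indicator: str   # IPv4/IPv6 address or fully qualified domain name
    score: int       # threat score 0..100, higher is worse
    category: str    # e.g. malware, phishing, botnet, spam
    country: str     # geolocation of the indicator (assumed field)
    source: str      # who contributed it: vendor feed or customer entry


# Constructed feed sample (fictitious indicators).
FEED = [
    RepEntry("203.0.113.7", 95, "botnet", "XX", "vendor"),
    RepEntry("198.51.100.20", 60, "spam", "YY", "vendor"),
    RepEntry("2001:db8::bad", 88, "malware", "XX", "vendor"),
    RepEntry("drop.malware.example", 99, "malware", "ZZ", "vendor"),
    RepEntry("login-update.example", 75, "phishing", "YY", "customer"),
]


@dataclass
class Policy:
    """Customer tuning knobs (assumed names): score thresholds, categories
    that are always blocked, and a per-country score adjustment."""
    block_at: int = 80
    notify_at: int = 50
    always_block: frozenset = frozenset({"botnet"})
    country_bonus: dict = field(default_factory=dict)


def normalize(indicator: str) -> str:
    """Canonical key: compressed IP text, or lower-case FQDN without a trailing
    dot, so '2001:0db8::bad' and 'Drop.Malware.Example.' match feed entries."""
    try:
        return str(ipaddress.ip_address(indicator))
    except ValueError:
        return indicator.lower().rstrip(".")


def build_index(feed) -> dict:
    return {normalize(e.indicator): e for e in feed}


def lookup(index: dict, indicator: str):
    """Exact match for IPs; for names also walk up parent domains so a
    fast-flux host under a listed domain is caught by its DNS name."""
    key = normalize(indicator)
    if key in index:
        return index[key]
    labels = key.split(".")
    for i in range(1, len(labels) - 1):        # never match a bare TLD
        parent = ".".join(labels[i:])
        if parent in index:
            return index[parent]
    return None


def decide(policy: Policy, entry) -> str:
    """Map a feed entry to an action: block, notify or permit."""
    if entry is None:
        return "permit"
    if entry.category in policy.always_block:
        return "block"
    adjusted = entry.score + policy.country_bonus.get(entry.country, 0)
    effective = max(0, min(100, adjusted))   # keep the score inside 0..100
    if effective >= policy.block_at:
        return "block"
    if effective >= policy.notify_at:
        return "notify"
    return "permit"


def evaluate(policy: Policy, index: dict, events) -> list:
    """events: dicts with 'dst_ip' and/or 'dns_qname' (constructed traffic)."""
    results = []
    for ev in events:
        indicator = ev.get("dns_qname") or ev.get("dst_ip")
        results.append((indicator, decide(policy, lookup(index, indicator))))
    return results


# Constructed traffic events for the demo.
EVENTS = [
    {"dst_ip": "203.0.113.7"},                  # botnet C2: always blocked
    {"dst_ip": "198.51.100.20"},                # spam source, 60 + 10 => notify
    {"dns_qname": "LOGIN-UPDATE.example."},     # phishing 75 + 10 => block
    {"dns_qname": "cdn.drop.malware.example"},  # parent domain listed => block
    {"dst_ip": "2001:0db8:0000::bad"},          # uncompressed form still matches
    {"dst_ip": "192.0.2.1"},                    # not in feed => permit
]


def demo() -> list:
    policy = Policy(country_bonus={"YY": 10})   # treat country YY as higher risk
    return evaluate(policy, build_index(FEED), EVENTS)


if __name__ == "__main__":
    for indicator, action in demo():
        print(f"{action:7s} {indicator}")
```

Two details matter in practice and are easy to get wrong: indicators must be canonicalized before lookup (an uncompressed IPv6 address or a mixed-case name with a trailing dot is the same indicator), and raising a threshold changes the action for borderline entries, so a policy change should be checked against known samples before it is deployed.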
Because ThreatLinQ concentrates this data in one easy-to-use dashboard, customers can access security information quickly and easily. (Source: success.trendmicro.com)

Threat Management Center (TMC)

The Threat Management Center (TMC) is a TippingPoint service center that monitors sensors around the world for the latest attack information and builds and distributes attack filters. The TMC web site also serves as a central repository for SMS operating systems and patches, TippingPoint Operating Systems (TOS), Digital Vaccines (DV and ThreatDV), the Digital Vaccine Toolkit, documentation, and other support materials. Account holders also receive email notifications for new DVs and other support information. TippingPoint sends out a weekly DV that typically releases each Tuesday.

TMC requires a user account. TAC can look up a customer ID using the certificate number. Be clear about the difference between the serial number and the certificate number: the serial number on the physical label is the hardware serial number, while the certificate number is the software "serial number" and is used to identify the IPS when it connects to the SMS or TMC. Use the "show version" command in the CLI and read the "Serial:" field to get the software certificate number.

Navigate TMC

The TippingPoint Threat Management Center (TMC) provides access to a centralized, up-to-date repository of the latest Digital Vaccines, the Reputation Database (RepDV), and the TippingPoint Operating System (TOS). In addition, the TMC offers software patches and product documentation. It features articles that contain technical notes and documentation of known product issues with in-depth descriptions and resolutions.

ThreatLinQ is an easy-to-use, real-time threat monitoring console that provides a means to evaluate the changing threat landscape and connect that to specific intrusion prevention system (IPS) policy changes. It gives organizations the ability to proactively optimize their network security in order to reduce unnecessary business risk, based on a detailed real-time analysis of today's threat landscape. ThreatLinQ is available to all TippingPoint customers through the TMC.

Hands-on Labs

Lab 1: Navigate Trend Micro Links
Estimated time to complete this lab: 15 minutes