When we started with Binary Defense’s Vision platform years ago, we knew it would be a long road and something to where we would continuously get better over time. Our motto is to always do things the right way, and build in the knowledge of attack intelligence through the industry to help the industry get better in defense.

Vision works by focusing on looking for abnormal behavior in an environment with agents all working together to identify attackers in the early stages. This is through understanding what normal behavior looks like, and looking for deviations to patterns on that behavior and sending the appropriate data to be reviewed by an analyst.

We’ve just released our Version 3 which brings a number of features and major enhancements to the product and places us in a whole different arena when it comes to endpoint security. This version is a testament to all the hard work and effort from the fine folks from Binary Defense and our mission. This version introduces a number of enhanced detection features, performance increases, and containment mode!

First, our dashboard has a number of new features and a redesigned look and feel:

The new dashboard has multiple statistics including largest bandwidth offenders, top alarms, and open versus closed alarms within the last 24-hour periods. The dashboard is a simple view to get the overall health and status of your environment in short order.

As part of version 3, we introduce Containment Mode which allows analysts to move a system off the network to reduce the impact to the organization when it’s compromised. Containment works by first going to the compromised asset, and selecting “Contain”:

The asset is moved off the network and only allows communications to the Vision server or whitelisted IP addresses (such as forensics machines and others). Containment allows responders to quickly minimize the damage to their organization and still perform remote analysis without having to be physically at the location to remove the compromise.

Next on the list is multiple new detection capabilities. We won’t go into all of them as there are many, but some of the fun ones and highlighted ones are named pipe impersonation. One of the common techniques for attackers once an administrator is to use named pipes in order to move themselves to SYSTEM level permissions. During this period, you can detect this based on specific indicators and trigger an alarm. In this example, we don’t particularly build alarms off specific tools, but more on the behavior the techniques themselves exhibit which are abnormal.

In this case, we’ll use Metasploit, but we don’t look at the specific tool itself. First, once a system is compromised (we get multiple indicators of this when it first happens), an attacker will typically escalate to SYSTEM in order to perform escalated attacks such as hash extraction, LSASS injection, etc. In the below screenshot, we use the GetSystem command which uses multiple techniques to escalate permissions; in this case, named pipe impersonation is used:

In Vision, we quickly go over to the alarms page and look to see if Vision identified this specific technique:

In the Vision alarms section, we see the technique, a description, and recommended efforts. Additionally, the raw log contains substantial information to make a determination of the offending process, host, originating IP, and more in order to perform more analysis about the specific attack.

Once escalated to SYSTEM, often an attacker may migrate to another process by injecting memory from one process to another. Vision also picks up this technique. Below is using process injection after searching for explorer.exe:

Within Vision, we can see the process injection alarm occurring and the information needed to investigate it:

These are some of the many new features added into the latest release as well as the platform we’ve built on over the past several years. This release is now out to all our customers and is available to all supported platforms.