July Updates: TMS, Traps Agent 6.1 and Linux Support

Community Team Member

Read about the new July updates for Traps Management Service (TMS), Traps Agent 6.1, and how Linux support fits in. See how these enhancements can help you improve your security posture. Join the discussion today. Got questions? Get answers on LIVEcommunity.

Joe from the LIVEcommunity here, bringing you some important information about the July updates to Traps Management Service (TMS) and about the new Traps Agent 6.1, whose features include support for Linux.

TMS - July Updates

Traps Management Service (TMS) is the central tool for managing Traps deployments, and keeping it up to date makes that management easier. Below you will find the enhancements and improvements made to TMS in July.

Features Introduced in July 2019*

FEATURE
DESCRIPTION
New Response Actions for Mac and Linux Endpoints
To take immediate action when a security event occurs on a Mac endpoint or a Linux server with Traps 6.1, you can now initiate the following response actions:
  • Terminate Process—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process.
  • Quarantine—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine isn't enabled for security events that originated from network drives or containers.
You can review the status of the response actions both from the security event and from the Actions Tracker.
Data Collection for Mac and Linux Endpoints
Traps 6.1 now extends data collection and sharing capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Cortex Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight into the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance.
Behavioral Threat Protection for Mac and Linux Endpoints
Traps 6.1 now extends Behavioral Threat Protection to protect Mac and Linux endpoints. This enables Traps to monitor endpoint activity to identify and analyze chains of events—known as causality chains—instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
Blacklisted Signers
Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support.
Blocking Upgrades for Isolated Agents
(Windows only)
After you isolate an endpoint, Traps management service now disables the ability to upgrade the Traps agent. This ensures the isolation state is enforced on the endpoints, keeping them disconnected from your network. If you select one or more isolated endpoints, the upgrade option is disabled. If you select a mix of isolated and non-isolated endpoints, Traps management service excludes the isolated endpoints from the bulk action.
Remote Investigation and Remediation with Live Terminal
(Windows only)
If an event requires further investigation and remediation, you can initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity. Live Terminal is supported on endpoints that meet the following requirements.
  • Traps 6.1 or a later release
  • Windows 7 SP1 or a later release
  • Windows update patch for WinCRT (KB 2999226)—to verify the Hotfixes that are installed on the endpoint, run the systeminfo command from a command prompt.
  • Endpoint activity was reported within the last 90 minutes (as identified by the Last Seen timestamp in the endpoint details).
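The requirements above can be verified before an analyst opens a Live Terminal. As an added example that is not part of the original post or of the Traps product, the following PowerShell function checks the two prerequisites visible on the endpoint itself: the OS version (Windows 7 SP1 is NT 6.1 build 7601) and the WinCRT update. It uses Get-HotFix, which reads the same hotfix data that the systeminfo command prints. The function name is hypothetical, and the script assumes the Traps agent version and the Last Seen timestamp are checked in Traps management service rather than here.

```powershell
# Added example, not Traps code: check the locally verifiable Live Terminal
# prerequisites on a Windows endpoint. The Traps agent version and the
# Last Seen timestamp are assumed to be checked in Traps management service.

function Test-LiveTerminalPrereqs {
    [CmdletBinding()]
    param()

    $checks = [ordered]@{}

    # Windows 7 SP1 is NT 6.1 build 7601; any later release passes as well.
    $osVersion = [System.Environment]::OSVersion.Version
    $checks['Windows 7 SP1 or later'] = ($osVersion -ge [Version]'6.1.7601')

    # KB2999226 (Universal CRT update). Get-HotFix queries the same
    # Win32_QuickFixEngineering data that 'systeminfo' lists under "Hotfix(s)".
    $hotfix = Get-HotFix -Id 'KB2999226' -ErrorAction SilentlyContinue
    $hotfixPresent = ($null -ne $hotfix)

    # On Windows 10 the Universal CRT ships with the OS, so the KB never
    # appears in the hotfix list; accept the runtime DLL itself as evidence.
    $ucrtInbox = (
        ($osVersion.Major -ge 10) -and
        (Test-Path (Join-Path $env:SystemRoot 'System32\ucrtbase.dll'))
    )
    $checks['WinCRT update (KB2999226) present'] = ($hotfixPresent -or $ucrtInbox)

    # Emit one object per check so the result can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Satisfied = $checks[$name] }
    }
}

# Usage: list the checks, then reduce them to a single pass/fail for scripting.
$results = Test-LiveTerminalPrereqs
$results | Format-Table -AutoSize
$allOk = -not ($results | Where-Object { -not $_.Satisfied })
Write-Output "Live Terminal prerequisites satisfied on this endpoint: $allOk"
```

Run it in an elevated prompt on the endpoint in question; a Satisfied value of False on either row explains why the Live Terminal option is unavailable before you look at the agent version or the Last Seen timestamp in the console.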
Retrieve Files Response Action
(Windows only)
You can now initiate a response action to retrieve files from Windows endpoints with Traps 6.1 directly or from the security event in Traps management service. You can retrieve up to 20 files related to a security event (up to 200MB total). Within that limit of 20 files, you can retrieve additional files by supplying the file path. Outside of a security event, you can retrieve files from up to 10 different endpoints. To track the status of a file retrieval action, you can view the action from the Actions Tracker. Traps management service retains retrieved files for up to one week.
Hardened Passwords Using PBKDF2 Encryption
(Windows only)
For increased security, the Traps agent uninstall password is now protected with the stronger PBKDF2 algorithm (a password-based key derivation function) when transferred between Traps management service and the Windows agents. Traps management service automatically applies the stronger algorithm to the password for new installation packages (no password reset is required). The stronger protection helps prevent attempts to recover the password from the transferred value.
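PBKDF2 makes a transferred password verifier costly to reverse: the value is derived from the password together with a random salt and a large, deliberately slow iteration count, so an attacker who captures it must spend that cost on every guess. As an added example that is not Traps code (the product's actual parameters and wire format are not published on this page), the following PowerShell functions derive and verify such a verifier with .NET's Rfc2898DeriveBytes class. The function names, iteration count, salt size, choice of SHA-256 and the record layout are illustrative assumptions.

```powershell
# Added example, not Traps code: derive a PBKDF2 verifier from a password so
# that the value stored or transmitted is not the password itself, and verify
# a candidate password against it. Iteration count, salt size, SHA-256 and the
# record layout are illustrative assumptions. Requires .NET Framework 4.7.2+
# or PowerShell 7 for the HashAlgorithmName constructor overload.

function New-Pbkdf2Verifier {
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$Iterations = 600000,   # deliberately slow: raises the per-guess cost
        [int]$SaltBytes = 16
    )
    # A per-password random salt defeats precomputed (rainbow) tables.
    $salt = New-Object byte[] $SaltBytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)

    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $Iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $hash = $kdf.GetBytes(32) } finally { $kdf.Dispose() }

    # Self-describing record: the parameters travel with the hash, so a
    # later change of defaults does not break verification of old records.
    return ('pbkdf2-sha256${0}${1}${2}' -f $Iterations,
        [Convert]::ToBase64String($salt), [Convert]::ToBase64String($hash))
}

function Test-Pbkdf2Verifier {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$Verifier
    )
    $parts = $Verifier.Split('$')
    if ($parts.Count -ne 4 -or $parts[0] -ne 'pbkdf2-sha256') { return $false }
    $iterations = [int]$parts[1]
    $salt       = [Convert]::FromBase64String($parts[2])
    $expected   = [Convert]::FromBase64String($parts[3])

    # Re-derive with the stored salt and iteration count.
    $kdf = [System.Security.Cryptography.Rfc2898DeriveBytes]::new(
        $Password, $salt, $iterations,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256)
    try { $actual = $kdf.GetBytes($expected.Length) } finally { $kdf.Dispose() }

    # Constant-time comparison: no early exit that would leak the position
    # of the first differing byte.
    $diff = 0
    for ($i = 0; $i -lt $expected.Length; $i++) {
        $diff = $diff -bor ($actual[$i] -bxor $expected[$i])
    }
    return ($diff -eq 0)
}

# Usage with a constructed sample password (not a real deployment value).
$verifier = New-Pbkdf2Verifier -Password 'Correct-Horse-Battery-Staple'
$verifier    # the record that would be stored or transferred, not the password
Test-Pbkdf2Verifier -Password 'Correct-Horse-Battery-Staple' -Verifier $verifier
Test-Pbkdf2Verifier -Password 'not-the-password' -Verifier $verifier
```

The first verification call returns True and the second False. The design point is that the only way to turn the record back into the password is to guess and re-derive, and each guess costs the full iteration count; that is the property the release note is relying on when it says the stronger algorithm helps prevent attempts to obtain the password.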

* - Information taken from the Traps Management release notes here: Features Introduced in 2019

Additional Information:

For more information on Traps, please see the Admin Guide here: Traps™ Management Service Administrator's Guide

For a complete list of features, software and content versions, limitations, and known issues for Traps Management Service, please see the full release notes here: Traps Management Service Release Information

Traps Agent 6.1.0 features and Linux support

The new Traps Agent 6.1.0 has several great features that include support for Linux. The following table describes the new features introduced in Traps Agent 6.1.0.

Features Introduced in Traps Agent 6.1.0**

FEATURE
DESCRIPTION
Data Collection for Mac and Linux Endpoints
Traps now extends EDR data collection capabilities to Mac and Linux endpoints. When enabled to do so, Traps uploads endpoint activity data to the Data Lake. This information provides Cortex apps with the endpoint context so that you can gain insight on the overall event scope when you investigate a threat. This includes all activities that took place during an attack and the endpoints that were involved.
When you enable Traps to Monitor and collect endpoint events in your Agent Settings profile, you must also allocate log storage for Endpoint Data in your Cortex Data Lake instance.
New Response Capabilities for Mac and Linux Endpoints
To take immediate action when a security event occurs on a Mac endpoint or Linux server, you can now initiate the following response actions:
  • Terminate Process—Terminate the suspicious process on the endpoint. This option is available from security events for which the action is Report and allows you to issue a remote request to the endpoint to terminate the process.
  • Quarantine—If Traps has reported malware on the endpoint, you can initiate an on-demand action to quarantine the malicious file or process and remove it from its working directory. Quarantine isn't enabled for security events that originated from network drives or containers.
You can review the status of the response actions both from the security event and from the Actions Tracker.
Behavioral Threat Protection for Mac and Linux Endpoints
Traps now extends Behavioral Threat Protection to protect Mac endpoints and Linux servers. This enables Traps to monitor endpoint activity to identify and analyze chains of events—known as causality chains—instead of only evaluating a single event on its own. This enables Traps to detect malicious activity in the chain that could otherwise appear legitimate if inspected individually.
Palo Alto Networks defines the causality chains that are malicious as behavioral threat rules in the default policy and delivers any changes to the rules with content updates. While you cannot configure your own behavioral threat rules, you can configure the action Traps takes when it detects a match from a Malware Security profile in Traps management service. You can also configure Traps to quarantine the causality group owner (CGO) which initiated the activity when Traps detects a match.
Enhanced Investigation with Live Terminal
If an event requires further investigation, you can now initiate a Live Terminal to the remote endpoint. This enables you to navigate and manage files in the file system, run Windows or Python commands, and manage active processes. After you terminate the Live Terminal session, you also have the option to save a log of the session activity.
New Response Capability for Windows Endpoints
You can now initiate a response action to retrieve files from Windows endpoints. You can retrieve up to 20 files in a security event (and up to 200MB total), or you can retrieve a file by supplying the file path. You can also retrieve files from one or more endpoints at a time. Traps management service retains retrieved files for up to one week. To track the status of a file retrieval action, you can view the action from the Actions Tracker.
Windows Data Collection Enhancements
To provide additional context during an investigation, Traps now collects the following additional activity information on the endpoint:
  • File – Symbolic-links, hard-links and reparse points
  • File – File times and DACL modifications
  • Signature and MD5/SHA2 hash calculation on DLL load events
  • Network – Resolve hostnames on local network
  • User presence
Traps can leverage this endpoint activity data to detect malicious causality chains. Traps management service can also share this information with Cortex apps to aid with event investigation.
Extended Ransomware Protection Coverage on Windows Endpoints
Traps extends Ransomware Protection on Windows endpoints to also protect you from ransomware behavior that Traps detects in network folders. The network folders are not configurable but are determined by Palo Alto Networks threat researchers and delivered with content updates in the form of Ransomware Protection rules.
New Windows Operating System Version Support
You can now install Traps on Windows 10 RS6. For complete compatibility information, see the Palo Alto Networks Compatibility Matrix.
Compliant Mode for Mac Endpoints
Traps can now provide continuous protection through major operating system (OS) upgrades on Mac endpoints. In compliant mode, Traps automatically but temporarily disables any features or modules affected by the OS change (such as exploit protection modules) that would cause Traps to operate in an incompatible state. In compliant mode, the agent remains active and connected to Traps management service. After Palo Alto Networks tests all features and modules on the new OS, Traps management service automatically instructs the agent to activate modules or features that were previously disabled in compliant mode (taking into account the Traps security policy). If Palo Alto Networks determines a capability or feature is not compatible with the new OS, the agent can operate in compliant mode until a subsequent agent release is available for upgrade and full support of the new OS.
Blacklisted Signers
Traps now includes a pre-defined list of blacklisted processes by signer with the default Malware Security policy. When a process signed by a blacklisted signer tries to run, Traps now blocks its execution and raises a security event. Blacklisted signers are defined by Palo Alto Networks and changes to the default list can be delivered with content updates. If necessary, you can create an exception from a security event to remove a process from the blacklist. To disable blacklisted signers, contact Support.

** - Information taken from the Traps Agent 6.1 release notes here: Features Introduced in Traps Agent 6.1

Linux Support

There are many moving parts when it comes to the new Traps Agent 6.1 for Linux, and the protection capabilities available depend on which Linux version you run. The admin guide also links to instructions on how to install and use the Traps agent, how to upgrade, how to uninstall, and troubleshooting guides. For all of those details, please review the Traps Agent 6.1 for Linux Admin Guide.

Additional Information:

To read more about how to use the new Traps Agent 6.1 features, please review the Traps Agent 6.1 Administrator’s Guide.

Thanks for taking time to read my blog.

If you enjoyed this, please hit the Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity blog.
As always, we welcome all comments and feedback in the comments section below.

Stay Secure,
Joe Delio
End of line
