Hawkeye G battles malware so you don't have to

08.12.2014
The number and complexity of cyber threats leveled against enterprises of all sizes these days is staggering. There's everything from advanced persistent threats created by well-sponsored nation states to disgruntled insiders looking to make a fast buck or enact revenge for some perceived wrongdoing.

In fact, one of the biggest problems faced by security professionals is that there are just too many threats to deal with, no matter how large a staff is employed. Large organizations can be faced with turning back thousands upon thousands of threats daily. The only way to deal with such a caustic environment is with automation.

We recently reviewed several automated incident response programs. HawkEye G from Hexis, was still in development at the time, but now it's ready and being deployed commercially. Network World was the first and only publication invited to review this new offering.

+ ALSO ON NETWORK WORLD: HP's new SlateBook, a guided tour +

In our testing, we found that Hawkeye G does a great job of identifying threats, blocking, removing them, while also locking things down so that they can never return.

Detection, prevention, response

Using the same methodology as in our previous roundup, HawkEye G was tested against three key elements: detection, prevention and automated or recommended response. The focus with this product is the response side of that equation, though it scores highly in all areas. While a human being is not required to be in the loop on every decision, HawkEye G does a good job of keeping humans in control of what is essentially a fully automated product.

Because HawkEye G is designed to work with hundreds and thousands of systems, no attempt to test scan performance was made, though it was observed running on a test network protecting thousands of clients. Instead, attacks were made against protected systems in both physical and virtualized environments of a small testbed.

The automatic response of the HawkEye G system was recorded, and then the administration console was examined to see how much information was provided to system administrators about the actions taken. The balance of how much of the HawkEye G product was automated, how much required human intervention, and the administration component of setting that balance was given particular emphasis in the testing.

HawkEye G is installed as an appliance, which makes the physical deployment rather simple. You do need to open up a hole in your firewall to allow the device to communicate with the Hexis Security Operations Center, where information about new threats is collected and pushed out.

HawkEye G can be tuned to accept threat feeds from Hexis, an independent feed if an organization has its own security operations center, any number of commercial feeds, or all of the above, as long as the data is expressed as a .csv file. As part of the hardware installation, a bot trap, deep packet inspector and a partition manager is also installed.

With those core devices in place, the HawkEye G program is able to begin automatically protecting a network. However, to enable the automatic removal of malware as well as a deeper level of client inspection, sensors need to be installed on network clients. The sensors are all software based and installation is very easy from the main console.

They can be installed to individual users or to every device within a group. It's also possible to use the DNS records to have them automatically deployed. The current version of the HawkEye G sensors will work with any Windows-based operating system that is XP or newer. A version that works with Linux clients is in the works. Every client within the scope of our testing had a sensor installed.

The sensors enable much more control over a host client, as well as a better collection of information relating to the processes, registry files, .dlls and network connections being activated on a monitored system. It also allows HawkEye G to detect static threats that might exist within a client, but which have not reached out and tried to do anything malicious yet. The true helpfulness of the sensors comes into play once malware is detected. When that happens, the MD5 hash of the file is recorded and then every other system is scanned to see if the malware has spread.

The main interface of the HawkEye G control panel is laid out cleanly and is very easy to use. However, those who need a deeper understanding of how the system works and what it can do will require training, something that Hexis offers with every purchase.

There are four levels of administration available from the main interface. These levels can not be changed or modified by users, though they seem to cover almost every use case.

At the highest level is the operator, who has full control over the system, including installing or uninstalling programs on systems protected by HawkEye G, even undoing any automatic processes that the program mistakenly took while trying to protect the network. Even though the operator can do everything, their work is never invisible. Everything that an operator scans or changes is logged into the system and visible by other operators. In this way, any operator's erratic behavior which could indicate either that they are the victim of a permission elevating attack, or the fact that they may be going rogue, is easy to spot.

Next in the hierarchy are administrators, which allows full permission to make changes, but only as it relates to users and groups. Administrators can change passwords, add or delete users, and reinstate user credentials if they are locked out by HawkEye G.

The final two security levels are analyst and observer. An analyst account is designed to be used by outside auditors who are responsible for verifying the integrity of network security. This is required by some government agencies. An auditor can see most things happening on the HawkEye G protected network, but can't make any changes.

An observer account is designed for C-level bosses who would like to see an overview of everything happening on their network from a very high level using dynamic charts and graphs. HawkEye G will show observers how many attacks are occurring, how many systems have been infected and healed and other general information. Observers have no power to change or modify anything and aren't shown granular information.

In addition to the different account types, the other thing most users will notice right away is the current cybercon level. Cybercon is a play off the word DEFCON, the defense readiness condition indicator used by the armed forces. Unlike account types, what each cybercon level means is completely definable by the user. However, by default, Hexis technicians recommend and help most customers install the system based on increasing threat levels.

So at cybercon level five, indicating the least amount of threat, HawkEye G may only be allowed to detect problems. Moving down to cybercon level three would enable detection, engagement of threats and automatic removal of offending malware. Cybercon level one is designed as a sort of panic button, and more or less locks down all protected systems until a threat can be completely contained. Humans need to manually change the cybercon level, and a cybercon one condition would likely only get used in extreme circumstances. For these tests, everything was set to cybercon level three, which allowed HawkEye G to automatically combat threats.

The first test of HawkEye G was malware installed on a protected system. As the malware tried to contact its botnet handler, it was caught because the URL it was trying to reach was on the list of known threats, as downloaded to the system from the Hexis support center. At that point, all traffic from that client was instead routed to the bot trap.

Had there not been a sensor on that client, HawkEye G would still have prevented the malware from spreading. But because a sensor was also in place, HawkEye G was able to take several automatic actions, which were visible from the administration window when logged in as an operator. These processes didn't require any intervention on the part of the user, but since our test network was small, it was easy to see activity occurring.

The first thing that was checked was if a human had typed in the restricted URL, or if it were done by a program. If a human did it, there are several steps that could be taken based on the cybercon level. A warning could be issued at one end of the spectrum all the way up to the revoking of user privileges at the other. But since this was being done by a program, that step was skipped.

After first blocking the communications channel, HawkEye G examined the file and recorded everything that it was trying to achieve, something that could help later determine the level of threat and the attempted target of the offending program.

HawkEye G then automatically stopped the process from running on the host computer. The MD5 information on the file was recorded for later use. Once the process was stopped, the malicious file was encrypted and renamed with a .quarantine extension. Had HawkEye G been operating at cybercon one, the program could have been automatically deleted. However, since it was operating at cybercon three during the first test, it instead kept it encrypted and locked away.

In the event that a user actually needed that file to run for whatever reason, it could be restored by an operator. This would likely only take place in the event of a false positive, which this clearly wasn't, but the option is there as a security blanket for organizations that fear fully automatic control of their cyber security.

Because the malware was clearly identified as a threat, HawkEye G then scanned other clients on our test network, finding a matching MD5 file on another client which indicated that the program also existed there, but had not yet activated. It was automatically encrypted and quarantined as well, though again, it could have been automatically deleted outright depending on the cybercon level that HawkEye G was currently operating under.

Trying to install the same malware on any other system within the testbed resulted in its automatic deletion at high cybercon threat levels, and encryption and quarantine at more relaxed levels.

Other attacks were conducted against protected clients and all were turned away by HawkEye G. One interesting thing about the program is that the longer it's installed on a network, the smarter it becomes at emulating human interactions through automatic processes. Whenever an operator takes an action against malware, that action is recorded and automatically used each time a similar process or threat occurs. With multiple threat feeds and active operators helping to train the program by simply doing their jobs as it observes, it's difficult to conceive of a scenario where a network protected by HawkEye G could become compromised.

HawkEye G is a big leap forward for automated incident response. Unless it's forced to run at a cybercon level that hamstrings its automatic response capability, it does a great job of identifying threats, blocking, removing and then purging them from a network while also locking things down so that they can never return.

The only way to successfully combat the multitude of threats these days is with automation, and HawkEye G makes this possible in a safe way that keeps humans apprised of the situation, but doesn't require or need their approval to get the job done.

John Breeden II has been covering and speaking about technology for more than 20 years. He was the lab director of product testing for Government Computer News magazine for the past decade. Today he's the president of the Tech Writer's Bureau, a group of influential journalists that pen interesting technology stories and analysis pieces for a variety of publications and companies. He can be reached at johnbreeden@comcast.net.

(www.networkworld.com)

By John Breeden II

Zur Startseite