Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.
Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.
Table of Contents
Caveats for Deploying Deep Discovery Inspector Only at Ingress/Egress Points (page 38)
Understanding the Attack Cycle (page 39)
Phases of a Targeted Attack (page 39)
Looking at Attack Phases in Action - an Example (page 41)
Lesson 8: Preventing Targeted Attacks Through Connected Threat Defense (page 275)
Connected Threat Defense Life-Cycle (page 276)
Detect (page 276)
Respond (page 276)
Protect (page 277)
Visibility and Control (page 277)
Combating Targeted Attacks With Connected Threat Defense (page 277)
Key Features of Connected Threat Defense (page 278)
Connected Threat Defense Requirements (page 278)
Connected Threat Defense Architecture (page 280)
Trend Micro Connected Threat Defense Components (page 280)
How Connected Threat Defense Works (page 282)
Connected Threat Defense Deployment Scenarios (page 282)
Suspicious Object List Management (page 287)
Setting up Connected Threat Defense (page 287)
Trend Micro Apex Central (page 288)
Subscribing Deep Discovery Inspector to the Apex Central Suspicious Objects List (page 289)
Subscribing Apex One to the Suspicious Objects List (page 291)
Connecting Deep Discovery Analyzer to Apex Central (page 292)
Suspicious Objects Handling Process (page 294)
Sample Submission (page 295)
Analysis (page 296)
Distribution (page 296)
Impact Analysis and Mitigation (page 301)
Network Defense
The enterprise is at the cross-hairs of an increasingly complex array of ransomware, advanced
threats, targeted attacks, vulnerabilities, and exploits.
Only complete visibility into all network traffic and activity will keep the organization ahead of
purpose-built attacks which bypass traditional controls, exploit network vulnerabilities, and either
ransom or steal sensitive data, communications, and intellectual property. Trend Micro Network
Defense detects and prevents breaches anywhere on the network to protect critical data and
reputation. Rapidly detect, analyze, and respond to targeted attacks on your network. Stop targeted
email attacks, and detect advanced malware and ransomware with custom sandbox analysis, before
damage is done.
The Trend Micro Network Defense solution preserves the integrity of the network while ensuring
that data, communications, intellectual property, and other intangible assets are not monetized by
unwanted third parties. A combination of next-generation intrusion prevention and proven breach
detection enables the enterprise to prevent targeted attacks, advanced threats, and ransomware
from embedding or spreading within their network.
Hybrid Cloud Security delivers comprehensive, automated security for physical, virtual and cloud
servers. The organization can secure critical data and applications across their cloud and virtualized
environments with effective server protection that maximizes their operational and economic
benefits.
Whether you are focused on securing physical, virtual, cloud, or hybrid environments, Trend Micro
provides the advanced server security you need with the Trend Micro Deep Security platform.
Available as software, in the Amazon Web Services and Azure marketplace, or as a service, Deep
Security provides you with security optimized for VMware, Amazon Web Services, and Microsoft
Azure.
User Protection
The threat landscape is constantly changing, and traditional security solutions on endpoint
computers can’t keep up. Turning to multiple point products on a single endpoint results in too many
products that don’t work together, increasing complexity, slowing users, and leaving gaps in an
organization’s security.
To further complicate matters, organizations are moving to the cloud and need flexible security
deployment options that will adapt as their needs change.
Trend Micro User Protection is an interconnected suite of security products and advanced threat
defense techniques that protect users from ransomware and other threats, across endpoints,
gateways and applications, allowing the organization to secure all its users' activity on any
application, any device, anywhere.
Trend Micro rapidly and accurately collates this wealth of global threat intelligence to customize
protection to the specific needs of your home or business and uses predictive analytics to protect
against the threats that are most likely to impact you.
To maintain this immense scale of threat protection, Trend Micro has created one of the world’s
most extensive cloud-based protection infrastructures that collects more threat data from a
broader, more robust global sensor network to ensure customers are protected from the volume
and variety of threats today, including mobile and targeted attacks. New threats are identified
quickly using finely tuned automated custom data mining tools and human intelligence to root out
new threats within very large data streams.
To address the resulting complexity, operational inefficiency, and loss of visibility, organizations
require consistent security management to bridge the independent IT structures that often separate
layers of protection and deployment models.
Trend Micro’s Visibility Control improves protection, reduces complexity, and eliminates redundant
and repetitive tasks in security administration. Whether your endpoints are internal or external, you
can manage a comprehensive set of security capabilities from one single management console. In
addition, suspicious objects discovered by different products can be consolidated into a single list
and distributed within the entire environment. This allows administrators to better understand risk
flow and close security gaps in outbreak prevention, virus response and cleanup or restoration.
Smart
Protects against the full range of known and unknown threats using a cross-generational blend of
threat defense techniques that applies the right technique at the right time, and is powered by global
threat intelligence
Optimized
Delivers security solutions to protect users, networks, and hybrid cloud environments – all designed
specifically for and tightly integrated with leading platforms and applications, like VMware, Amazon
Web Services (AWS), Microsoft® Azure™, Google Cloud, Office365, and more
Connected
Speeds time to response with automatic sharing of threat intelligence across security layers and
centralized visibility and control.
XGen™ security uses proven techniques to quickly identify known good or bad data, freeing
advanced techniques to more quickly and accurately identify unknown threats. Applying these
techniques in rapid succession, with right-time technology regardless of location and device across
a connected system, maximizes both visibility and performance. This core set of techniques powers
each of the Trend Micro solutions, in a way that is optimized for each layer of security: hybrid
clouds, networks, and user environments.
Intrusion Prevention
Intrusion prevention protects against known, unknown, and undisclosed vulnerabilities in your
network. To learn more, you can refer to:
https://www.trendmicro.com/en_sg/business/products/network/intrusion-prevention.html
Advanced Threat Protection allows you to detect and respond to targeted attacks moving
inbound, outbound, and laterally in your network.
In addition to riskier user behavior and more sophisticated threats including ransomware and
zero-day attacks, the increase of connected Internet of Things (IoT) and Industrial IoT devices poses
a unique security challenge for enterprises who may find that network-based security is their only
protection for these devices for which endpoint security cannot be applied.
While most Intrusion Prevention and security products can defend against malware and other known
vulnerabilities, they are not as effective against unknown (new and custom, targeted, never-been-
seen-before) attacks.
Targeted attacks and advanced threats, by design, are able to evade most standard perimeter and
endpoint defenses and can remain hidden while stealing your corporate data, intellectual property,
and communications, or encrypt critical data until ransom demands are met.
The tailored approach used by targeted attacks makes each attack unique, using unexpected
combinations of applications, devices, protocols, ports, command-and-control communications,
encrypted malware, and zero-day exploits to achieve its objectives.
Targeted attacks and advanced threats are also dynamic—they can change their behavior and digital
‘appearance’ during the course of an attack, making it even more difficult for traditional defenses to
detect and prevent them.
Advanced threats are engineered with sophisticated capabilities for intelligence gathering, network
penetration, communication and control, lateral movement and data exfiltration (or payload
execution).
An organization’s strategy against targeted attacks and advanced threats should utilize an approach
that takes into account how threats infiltrate and work inside an organization while keeping in mind
that threats are continuously evolving.
Threat Classifications
Threats can be simplified into three classifications: known, unknown and undisclosed.
Known Vulnerabilities
Known vulnerabilities are known to the public and to security tools. These vulnerabilities or
threats are added to reputation databases, addressed by physical and virtual patches, have
security pattern files written for them, or have exploit signatures created to block them. Even
though vulnerabilities are known, many still get through – usually through unpatched software.
“Through 2020, 99% of the vulnerabilities exploited will continue to be ones known by security
and IT professionals for at least one year.”* Limited resources to implement patches and end-
of-life systems are the major reasons why systems remain unpatched. (* Source: Gartner, Inc.
“It’s Time to Align Your Vulnerability Management Priorities with the Biggest Threats.” 9
September 2016.)
Note: Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library
which allows stealing the information protected, under normal conditions, by the SSL/TLS
encryption used to secure the Internet. In 2017, it was reported that around 200,000 unpatched
systems were still susceptible to the Heartbleed vulnerability, which has been around since April
2014, when it originally affected two thirds of the world’s Web servers.
(Source: The Register. “It’s 2017 and 200,000 services still have unpatched Heartbleeds”
https://www.theregister.co.uk/2017/01/23/heartbleed_2017/)
Unknown Threats
Unknown threats have never been seen before and are usually created to specifically target an
individual or enterprise. These targeted attacks and advanced threats are customized to evade
your conventional security defenses, and can remain hidden while stealing your sensitive data or
encrypting critical data until ransom demands are met.
Unknown threats are often designed to impact a single system or a small group of hosts. These
targeted attacks often include a multi-vector attack including, but not limited to, emails, links,
downloads, and lateral movement. In 2011, an RSA employee opened the Excel attachment from
an email in a junk folder, which contained a threat. This threat opened a back door into Adobe
Flash, and through lateral movement within the network, the attacker was able to target the
SecurID two-factor authentication product. (Source: Bank Info Security
http://www.bankinfosecurity.com/tricked-rsa-worker-opened-backdoor-to-apt-attack-a-3504)
Undisclosed Vulnerabilities
Undisclosed vulnerabilities are a hybrid between known and unknown. These vulnerabilities are
usually known by some security researchers and the impacted software vendors. Until software
is patched, enterprises are at risk of threat actors exploiting vulnerabilities to gain access or
launch attacks.
A critical flaw in the VertX and Edge lines of door controllers from HID Global was found in 2015
by a researcher, who reported it to a bug bounty program. This vulnerability allowed remote
attackers to execute arbitrary code on vulnerable installations, which would give them the ability
to execute code with root privileges. While the vulnerability was known by a few and unknown to
all others, many enterprise networks who used the HID Global door controllers were at risk.
(Source: Trend Micro Simply Security Blog. “Let Me Get That Door for You: Remote Root
Vulnerability in HID Door Controllers”
https://blog.trendmicro.com/let-get-door-remote-root-vulnerability-hid-door-controllers/)
TippingPoint IPS and Deep Discovery advanced threat protection work closely together to deliver
integrated detection and prevention of known, unknown and undisclosed threats.
The world’s largest vendor-agnostic bug bounty program includes over 3,500 security
researchers discovering vulnerabilities in operating systems and software used by business.
When a zero day researcher’s bug report is acquired (via agreement), protection filters for Trend
Micro customers are developed and deployed immediately. Trend Micro customers are first
given a generic description of the filter provided, not the vulnerability itself until the details are
made public (in coordination with the product vendor). Once the vulnerability is officially
disclosed, an updated description of the vulnerability is made public so customers can identify
the appropriate filters that were protecting them. In other words, Trend Micro customers will be
protected from a zero-day vulnerability even when they are not yet able to discern the
vulnerability itself. For more information on the Zero Day Initiative you can refer to:
www.zerodayinitiative.com.
Collects, identifies, and delivers the latest threat information to Trend Micro products in order to
protect customers from new threats, and serves as a massive data source for understanding
threat behaviors and driving technological innovation around proactive threat protection.
Note: This training will focus on using Deep Discovery for advanced threat protection. To find out
about available training on Intrusion Prevention with Trend Micro™ TippingPoint® and other
products, please visit Trend Micro Education (trendmicro.education.com).
Powered by XGen™ security, Deep Discovery combines specialized detection engines, custom
sandboxing, and global threat intelligence from the Trend Micro™ Smart Protection Network™ to identify
zero-day malware, malicious communications, and attacker activities. Deployed individually or as an
integrated solution, Deep Discovery works with Trend Micro and third-party network defense products to
provide advanced threat protection across your entire organization.
Deep Discovery Inspector is a virtual or hardware appliance that enables the detection of
network based targeted attacks and advanced threats. Deep Discovery Inspector monitors
network traffic across all ports and more than 100 protocols and applications. Using specialized
detection engines and custom sandboxing, it identifies the malware, command and control
communications (C&C), and activities signaling an attempted attack. Detection intelligence aids
your rapid response and is automatically shared with your other security products to block
further attacks.
Deep Discovery Analyzer provides advanced sandboxing analysis to extend the value of
deployed security such as endpoint protection, web and email gateways, firewalls, and other
Deep Discovery products. Deep Discovery Analyzer supports integration with many Trend Micro
products, manual suspicious sample submissions, and provides an open Web Services interface
to allow any product or process to submit suspicious samples and obtain results.
Deep Discovery Analyzer as a Service is an add-on to the virtual Deep Discovery Inspector
designed to provide cloud sandboxing capabilities. For smaller environments that require a
virtual form factor and cloud-based sandboxing, this solution will provide protection from
advanced threats and targeted attacks.
standards-based formats (STIX and YARA) and transfers (TAXII) it will pull threat information
from several sources and share the indicators of compromise (IOC) with Trend Micro and third-
party products.
Deep Discovery Network Analytics is a module to Deep Discovery Director and provides
prioritized visibility into an attack. Leveraging Deep Discovery Inspector as Advanced Persistent
Threat (APT) detection and network metadata collection points, Deep Discovery Network
Analytics utilizes expert rules to correlate and connect threat detection events against network
access events, presenting threat investigators with a complete view of the attack life-cycle.
Note: Although a Deep Discovery product also exists for email security, provided through Deep
Discovery Email Inspector, this training course will only focus on the above-mentioned Network
Defense solutions.
who else has been impacted by the attack. Press play and watch the entire attack play out
step by step.
• Integration: Deep Discovery is built to work with the Trend Micro products as well as third
party products. With native integration and a multitude of APIs, Deep Discovery will help
automate security response, indicator of compromise (IOC) sharing, and prevention of
advanced threats and targeted attacks.
The following section is only meant to provide introductory level information about the different
engines and services used by Deep Discovery products. For a more in depth discussion on these
technologies, you can refer to the Appendix provided at the end of your Student Manual.
The main Deep Discovery engines that are used for threat detection are summarized below.
Note: VSAPI (Virus Scan API) is Trend Micro's File Scanning Engine, a core component of most Trend
Micro Security Products. It is the current technology module responsible for processing File
Objects and classifying them as malicious, suspected or non-malicious files.
Virtual Analyzer
• The Virtual Analyzer detects suspicious behavior in files by letting the code in the file
execute in an isolated virtual environment (sandbox) to determine what the code does
(dropping files or modifying registry settings for example).
Note: Virtual Analyzer sandbox technology is available in many of Trend Micro’s Network Defense
Products. The Virtual Analyzer can be either embedded into the product itself as in Deep
Discovery Inspector (and others), or as an external standalone hardware appliance, as in Deep
Discovery Analyzer.
The Deep Discovery threat detection engines must be able to connect with various Trend Micro
cloud-based services in order to provide the detection capabilities described below.
[Figure: Deep Discovery Inspector detection components. Labels: Network Content Inspection Engine, Event Classification Engine (ECE), LogX Patterns, Event Classification Patterns (ECP), db, Target of evaluation, NIC.]
Deep Discovery is powered by the Trend Micro Smart Protection Network solution. The Smart
Protection Network is a cloud-client content security infrastructure designed to protect
customers from security risks and Web threats.
The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service
within the Smart Protection Network. This service assigns a reputation score and either blocks
or allows user access to a web site. In Deep Discovery Inspector 5.0 and above, you can
have up to 10 Smart Protection Servers.
Note: For additional information on technologies used by Deep Discovery solutions, you can refer to
the section Detection Technologies that is provided as an Appendix in this Student manual.
Deep Discovery Inspector deploys in off-line monitoring mode (connected to the mirror port of a switch)
for minimal or no network interruption while monitoring network traffic and detecting known and
potential security risks.
System Requirements
Deep Discovery Inspector can be obtained as a hardware appliance or software (ISO file) for a virtual
appliance installation.
Virtual Appliance
The Deep Discovery Inspector virtual appliance is a packaged ISO file which is installed on a 64-bit
Linux OS included in the package. The software can be installed on a bare metal server or virtual
machine (VMware ESXi 6.x, Microsoft Hyper-V on Windows Server 2016 or 2019, and CentOS KVM 7.4
or later).
Note: The Deep Discovery Inspector Virtual Appliance supports a Deep Discovery Analyzer (external
device) for virtual sandbox analysis, but does not support using an internal (embedded) Deep
Discovery Inspector Virtual Analyzer.
The Deep Discovery Inspector virtual appliance includes the components described below.
Application Software
• Deep Discovery Inspector software application
• PostgreSQL server software
Hardware Appliance
The Hardware Appliance is a server with Deep Discovery Inspector pre-installed. Deep Discovery
Inspector (5.1+) supports the latest Dell 14th-generation hardware appliances in addition to a 10 Gb model.
This form factor supports both the Deep Discovery Inspector embedded Virtual Analyzer for virtual
sandbox analysis or an external Deep Discovery Analyzer.
[Table: hardware appliance models, with columns Model, Dell Model, VA (Virtual Analyzer) instances, and Throughput (Mbps); the rows did not survive extraction.]
Note: Trend Micro provides the Deep Discovery Inspector appliance hardware. No other hardware is
supported.
• RS-232 serial connector: connects to the serial port of a computer with a RS-232 type
connection to perform Pre-Configuration such as network device settings
• Management port: connects to a management network for communication and
interaction with the web console and other products and services
• iDRAC port: connects to a dedicated management port on the iDRAC card
• Data port 1-5: integrated 10/100/1000 Mbps NIC connector
• Main power supply connectors: two 550 watt hot-plug supply units
Note: "Hot-plug" refers to the ability to replace the power supply while the appliance is running. Deep
Discovery Inspector automatically and safely recognizes the change without operational
interruption or risk.
• 2 USB connectors: connects USB devices (for example, keyboard or mouse) to the
appliance
• RS-232 serial connector: connects to the serial port of a computer with an RS-232 type
connection to perform Pre-Configuration
• Management port: connects to a management network for communication and
interaction with the web console as well as with other products and services
• iDRAC port: connects to a dedicated management port on an iDRAC card
• Data port 1-5: integrated 10/100/1000 Mbps NIC connector
• Data port 6-9: 10 Gbps NIC connector
• Main power supply and backup power supply connectors: 750-watt (4200) or 1100-watt
(9200) hot-plug power supply units (see your device labels for wattage)
• Video connector: connects a VGA display to the appliance
Trend Micro Deep Discovery Inspector provides SFP+ direct attach to easily connect the Deep
Discovery Inspector appliance to your environment. However, different transceiver types (for
example, SX, LX etc.) require different connection cables (for example, SC, LC etc). If the SFP+
direct attach that comes with the Deep Discovery Inspector appliance is not appropriate for your
environment, you can purchase the required corresponding items.
Alternatively, there are adapters that can be purchased to convert from one type to another.
Note: For more information on how to install the enhanced small form-factor pluggable (SFP+) direct
attach of Deep Discovery Inspector, you can refer to the Knowledge Base article:
http://esupport.trendmicro.com/solution/en-US/1113317.aspx
Network Requirements
When placing Deep Discovery Inspector in your network, note that it must be able to receive all traffic
that could be generated by malicious software.
Additionally, Deep Discovery Inspector must be able to see the original IP-addresses of the endpoints,
therefore, Network Address Translation (NAT) or proxy services must not exist between any endpoints
and Deep Discovery Inspector.
For risk management, the Deep Discovery Inspector should be placed on the network where the most
critical and important assets are residing. Lateral movements can be monitored as well, depending on
traffic and performance.
Deep Discovery Inspector can monitor network traffic using the following methods:
• Port mirroring switch
• TAP mode
Best Practice: Administrators should mirror the ports closest to the endpoints or those directly
behind perimeter defenses.
In all cases, the first network interface card (eth0) is used for management purposes. This includes
communication with the administrator via HTTP / SSH and interaction with other products (such as
DDAN, Apex Central etc.) and for communication with Deep Discovery Inspector back-end services
(such as WRS, ActiveUpdate etc.).
The other network interfaces are used to intercept network traffic (Data Port) or for the Malware
Lab network (Custom Port) used by the Deep Discovery Inspector (internal) Virtual Analyzer.
The interfaces used to intercept network traffic operate in promiscuous mode and do not have an
IP-address.
The Data Ports on Deep Discovery Inspector are used to accept incoming network traffic.
In a typical deployment scenario, they are connected to the monitoring ports of the enterprise
switches.
To ensure that Deep Discovery Inspector captures traffic from both directions, configure the
mirror port, and make sure that traffic in both directions is mirrored to the port.
The Deep Discovery Inspector Management Port is used for communications between
administrators via HTTP / SSH and interaction with other products (such as Deep Discovery
Analyzer, or Apex Central, and others) and services (such as WRS, ActiveUpdate and others).
Note: The number of network interfaces on your Deep Discovery Inspector device will depend on the
hardware model.
In all cases however, the first NIC (eth0) is always used as the management port.
Intercepting Data
Deep Discovery Inspector uses the following internal kernel modules to intercept and scan the traffic
passing through the Data NICs.
• Network Content Inspection Technology (NCIT): Receives the network packets, stores them in
a single queue and sends them to the Network Content Inspection Engine for scanning.
• Network Content Inspection Engine (NCIE): Assembles the packets to TCP streams (data
blocks) and scans the network protocol data. It sends the scanning results to the CAV
Daemon. NCIE is also responsible for extracting file content from the captured packets and
sending it to the File Scanning daemon for file scanning.
DDI must receive all traffic that could be generated by malicious software
In most cases, modern malware (botnets, etc.) try to establish a connection to an Internet server
which means that Deep Discovery Inspector must be able to see all outgoing network traffic.
However, if the administrator only concentrates on the outgoing traffic, malware that spreads
itself within the large enterprise network will be missed as this requires the Deep Discovery
Inspector data interfaces to intercept the internal traffic. If an organization runs internal DNS,
SMTP, Proxy or other servers, you should deploy the Deep Discovery Inspector data interface to
see the traffic between these servers and the endpoints.
If there is a NAT between the endpoints and Deep Discovery Inspector or endpoints use a proxy
located between endpoints and Deep Discovery Inspector, Deep Discovery Inspector cannot see
the real IP-address of the endpoint. This may lead the Inspector to report the wrong endpoint IP-
address to the mitigation servers. In the case of connections through proxy servers, IP address
rewriting can be enabled to determine the original source of the request.
If connection blocking for the Outbreak Containment Services is enabled, Deep Discovery
Inspector sends the TCP reset packets from the Management Port to the endpoints so the
endpoints must be in the same network segment as the Deep Discovery Inspector Management
Port or there must be a route for these packets to the endpoints.
The destination port speed should be the same as the source port speed to ensure equal port
mirroring. If the destination port is unable to handle the faster speed of the source port, the
destination port may drop some data.
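The placement rules in this section (mirror both traffic directions, no NAT or proxy between endpoints and the data port, a route for the TCP reset packets sent from the management port, and a mirror destination port no slower than its source) can be checked against a test capture before the appliance goes live. The script below is an added example, not Trend Micro code and not a product feature; the flow records, addresses, subnets and routes are constructed, and the NAT/proxy test is a heuristic I assume rather than anything the appliance does.

```python
"""Deployment sanity checks for a Deep Discovery Inspector data port.

Added example, not Trend Micro code. It applies the placement rules from the
Network Requirements section to a constructed set of flow records that an
administrator might export from a short test capture on the mirror port.
"""
from collections import Counter
import ipaddress

# Constructed sample of flows seen on a data port during a 10-second window:
# (src, dst, sport, dport, proto, bytes)
SAMPLE_FLOWS = [
    ("10.1.1.20", "93.184.216.34", 51000, 443, "tcp", 4_000_000),
    ("93.184.216.34", "10.1.1.20", 443, 51000, "tcp", 30_000_000),
    ("10.1.1.21", "10.1.5.10", 51001, 53, "udp", 2_000),
    ("10.1.5.10", "10.1.1.21", 53, 51001, "udp", 3_000),
    ("10.1.1.22", "10.1.5.25", 51002, 445, "tcp", 8_000_000),  # reverse direction never mirrored
    ("10.1.1.23", "10.1.5.3", 51003, 8080, "tcp", 1_000_000),  # endpoint -> internal proxy
    ("10.1.5.3", "10.1.1.23", 8080, 51003, "tcp", 6_000_000),
    ("10.1.5.3", "203.0.113.7", 40000, 80, "tcp", 1_000_000),  # proxy -> Internet
    ("203.0.113.7", "10.1.5.3", 80, 40000, "tcp", 5_000_000),
    ("10.1.5.3", "203.0.113.8", 40001, 80, "tcp", 1_000_000),
    ("203.0.113.8", "10.1.5.3", 80, 40001, "tcp", 5_000_000),
]
WINDOW_SECONDS = 10
INTERNAL_NETS = ["10.1.0.0/16"]        # constructed endpoint address space
MGMT_INTERFACE = "10.1.9.5/24"         # constructed eth0 (management port) address
MGMT_ROUTES = ["10.1.1.0/24"]          # constructed static routes on the management port
ENDPOINT_NETS = ["10.1.1.0/24", "10.1.5.0/24", "10.1.9.0/24"]


def unidirectional_flows(flows):
    """TCP flows whose reverse direction never appeared: the mirror session is
    only copying one direction (or the destination port is dropping data)."""
    keys = {(s, d, sp, dp, p) for s, d, sp, dp, p, _ in flows}
    return sorted((s, d, sp, dp) for s, d, sp, dp, p, _ in flows
                  if p == "tcp" and (d, s, dp, sp, p) not in keys)


def proxy_nat_suspects(flows, internal_nets, min_share=0.5):
    """Heuristic (my assumption, not a product check): if one internal address
    originates at least min_share of all flows to external destinations, the
    endpoints are probably behind a NAT or proxy at that address, so the
    appliance would report that address instead of the real endpoint."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in n for n in nets)

    outbound = Counter(s for s, d, *_ in flows if internal(s) and not internal(d))
    total = sum(outbound.values())
    return sorted(ip for ip, n in outbound.items() if total and n / total >= min_share)


def tcp_reset_reachable(mgmt_if, endpoint_nets, routes):
    """Connection blocking sends TCP resets from the management port, so each
    endpoint subnet must be on-link with it or covered by a route.
    Returns {subnet: reachable}."""
    mgmt_net = ipaddress.ip_interface(mgmt_if).network
    route_nets = [ipaddress.ip_network(r) for r in routes]
    result = {}
    for ep in endpoint_nets:
        ep_net = ipaddress.ip_network(ep)
        result[ep] = ep_net.subnet_of(mgmt_net) or any(ep_net.subnet_of(r) for r in route_nets)
    return result


def mirror_load_mbps(flows, seconds):
    """Average load the mirror session pushes toward the data port, in Mbps."""
    return sum(b for *_, b in flows) * 8 / seconds / 1_000_000


def mirror_oversubscribed(flows, seconds, dest_port_mbps):
    """True if a destination port of dest_port_mbps cannot carry the mirrored load."""
    return mirror_load_mbps(flows, seconds) > dest_port_mbps


def run_checks():
    """Collect every finding into one report dict."""
    return {
        "one_way_tcp_flows": unidirectional_flows(SAMPLE_FLOWS),
        "nat_or_proxy_addresses": proxy_nat_suspects(SAMPLE_FLOWS, INTERNAL_NETS),
        "reset_reachable": tcp_reset_reachable(MGMT_INTERFACE, ENDPOINT_NETS, MGMT_ROUTES),
        "mirror_mbps": round(mirror_load_mbps(SAMPLE_FLOWS, WINDOW_SECONDS), 3),
        "oversubscribed_at_10mbps": mirror_oversubscribed(SAMPLE_FLOWS, WINDOW_SECONDS, 10),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

On the constructed sample the report flags the one-way SMB flow, singles out 10.1.5.3 as a likely proxy, shows 10.1.5.0/24 as unreachable for reset packets, and reports a mirrored load of roughly 48.8 Mbps.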
[Figure: Deep Discovery Inspector back-end services and ports. Reputation Services: Global Web Reputation Server and Global File Reputation Server (80/443), or a Local Smart Protection Server (Web Reputation, File Reputation); Smart Feedback (80/443); Cloud Sandbox, GRID, Census and Domain Census (443, 5274); MARS; Licensing Portal; SNMP (161/162); WIS; TrendX; Web Console; DHCP (67); Syslog (UDP 514, TCP 601, SSL 443). Integrated products: HTTP Proxy Server, Active Directory (Windows Server 2012 R2), NetBIOS, SMTP Notification Server (25), ActiveUpdate Server (80/443), DNS (53), NTP (123), and others.]
• Port 22 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Connect to the Pre-Configuration console
- Send logs and data to the Threat Management Services Portal if Deep Discovery
Inspector is registered over SSH
• Port 25 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP
• Port 53 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port for DNS resolution.
• Port 67 (UDP) Outbound: Deep Discovery Inspector sends requests to the DHCP server if IP
addresses are assigned dynamically.
• Port 68 (UDP) Listening: Deep Discovery Inspector receives responses from the DHCP server.
• Port 123 (UDP) Listening and Outbound: Deep Discovery Inspector connects to the NTP server to
synchronize time.
• Port 137 (UDP) Outbound: Deep Discovery Inspector uses NetBIOS to resolve IP addresses to
host names.
• Port 161 (UDP) Listening and Outbound: Deep Discovery Inspector uses this port for SNMP agent
listening and protocol translation.
• Port 162 (UDP) Outbound: Deep Discovery Inspector uses this port to send SNMP trap
notifications.
• Port 389 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory (This is the default. You can configure this port
from the Deep Discovery Inspector Management Console).
• Port 443 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Access the management console with a computer through HTTPS
- Register to the mitigation server
- Send logs and data to the Threat Management Services Portal if Deep Discovery Inspector is
using SSL encryption
- Connect to Trend Micro Threat Connect
- Communicate with Trend Micro Control Manager
- Note: This is the default port. Configure this port through the management console.
- Communicate with Deep Discovery Director
- Scan APK files and send detection information to the Mobile App Reputation Service
- Query Mobile App Reputation Service through Smart Protection Server
- Query the Web Reputation Services blocking reason
- Verify the safety of files through the Certified Safe Software Service
- Share anonymous threat information with the Smart Protection Network
- Send files to Deep Discovery Analyzer for sandbox analysis
• Port 465 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with SSL/TLS encryption.
• Port 514 (UDP) Outbound: Deep Discovery Inspector sends logs to a syslog server over UDP
(Note: The port must match the syslog server.)
• Port 587 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with STARTTLS encryption.
• Port 601 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP
(Note: The port must match the syslog server.)
• Port 636 (UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory. Note: This is the default port. Configure this port through the
management console.
• Port 3268 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 3269 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 4343 (TCP) Outbound: This port is used for communications with Smart Protection Server.
• Port 5275 (TCP) Outbound: Used for querying Web Reputation Services through Smart
Protection Server.
• Port 6514 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP with
SSL encryption. Note: The port must match the syslog server.
• Port 8080 (TCP) Listening: Share threat intelligence information with other products. Note: This
is the default port. Configure this port through the management console.
Note: For connections through proxy servers, IP address rewriting can be enabled to determine the
original source of the request.
The following section describes each service and provides the required address and port information
accessible to the product version in your region.
Note: Addresses and ports listed below vary by product version and region. Refer to the Online Help for
more information. Also note that all services, except the Threat Management Services Portal,
connect using HTTPS with TLS 1.2. If your environment has man-in-the-middle devices, verify
that the devices support TLS 1.2.
Smart Feedback
This service shares anonymous threat information with the Smart Protection Network, allowing
Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may include
product information such as the product name, ID, and version, as well as detection information
including file types, SHA-1 hash values, URLs, IP addresses, and domains.
• URL: ddi500-en.fbs25.trendmicro.com
Census
This service determines the prevalence of detected files. Prevalence is a statistical concept
referring to the number of times a file was detected by Trend Micro sensors at a given time.
• URL: ddi500-en-census.trendmicro.com:443
Domain Census
Domain Census determines the prevalence of detected domains and IPs. Prevalence is a statistical
concept referring to the number of times a domain or IP was detected by Trend Micro sensors at a
given time.
• URL: ddi500-en-domaincensus.trendmicro.com:443
License Portal
The Trend Micro License Portal manages customer information, subscriptions, and product or
service licenses.
• URL: licenseupdate.trendmicro.com/ollu/license_update.aspx:443
Cloud Sandbox
The Trend Micro Cloud Sandbox service analyzes possible MacOS threats.
• URL: ddaaas.trendmicro.com:443
ActiveUpdate
This service provides updates for product components, including pattern files. Trend Micro regularly
releases component updates through the Trend Micro ActiveUpdate server.
• URL: ddi50-p.activeupdate.trendmicro.com:443
Threat Connect
Threat Connect correlates suspicious objects detected in your environment and threat data from the
Trend Micro Smart Protection Network. The resulting intelligence reports enable you to investigate
potential threats and take actions pertinent to your attack profile.
• URL: ddi50-threatconnect.trendmicro.com:443
The Threat Management Services Portal (TMSP) receives and processes logs to build intelligence
about your network. The Threat Management Services Portal generates reports that contain
information about the latest threats and your network's overall security posture.
• Log Server: Port 443
• Status Server: Port 443 (Receives Deep Discovery Inspector heartbeat message at regular
intervals to inform TMSP that it is up and running.)
• SSH: Port 22 (User-defined values; no defaults)
Best Practice: Trend Micro recommends using the Network Service Diagnostics screen to
troubleshoot connections to all of the above services. This tool will be discussed in a
later lesson.
Best Practice: Since most modern malware establishes a connection to the Internet, the design goal
is to position Deep Discovery Inspector so that it is able to intercept all outgoing
network traffic.
To help choose a suitable topology for your Deep Discovery Inspector deployment, the following
guidelines can be used:
• Determine the segments of your network that need protection.
• Plan for network traffic, considering the location of appliances critical to your operations such as
email, web, and application servers.
• Determine both the number of appliances needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Redefine your deployment strategy based on the results of the pilot deployment.
Some sample Deep Discovery Inspector deployment scenarios that can help you plan a customized Deep
Discovery Inspector deployment are provided below.
You can optionally configure the mirror port to mirror inbound/outbound traffic from single or
multiple data ports. It is important to note here also that mirrored traffic should not exceed the
capacity of the network interface card.
Asymmetric Routing
In customer environments with asymmetric routing, connecting the Deep Discovery Inspector
data interfaces to the segment transferring packets in one direction disables the Deep Discovery
Inspector detection capabilities since Deep Discovery Inspector must see and re-construct the
whole network traffic.
The Deep Discovery Inspector data ports are connected to the switch monitoring port. Traffic can be
intercepted and analyzed with asymmetric routing.
Multi-Gig Environments
Deep Discovery Inspector currently handles 4 Gbps of aggregate throughput. For situations
where the aggregate throughput is higher, a Network Packet Broker (smart tap) can be used to
spread the system load evenly across the available Deep Discovery Inspectors. VSS Monitoring can
take any amount of throughput and break it across multiple Deep Discovery Inspectors. When
multiple Deep Discovery Inspectors are deployed, Trend Micro Control Manager (TMCM) can be
used for log aggregation and reporting; however, this component is not mandatory.
[Figure: multiple Deep Discovery Inspectors and a Deep Discovery Director connected through a smart tap to Network A and Network B.]
The data port of multiple Deep Discovery Inspectors are connected to a ‘smart’ tap, and may
intercept and analyze traffic with asymmetric routing. This configuration is scalable and reliable, but
modifying the network schema may be difficult.
[Figure: Deep Discovery Inspector connected to a distribution switch.]
Benefits of this deployment include visibility into endpoint and data center traffic, as well as the
capability of detecting a lateral movement incident.
Inter-VM traffic
Network traffic between virtual machines in a VMware ESX remains within its ESX environment. In a
VMware ESX setup, if Deep Discovery Inspector is not in that same virtual environment, Deep
Discovery Inspector will not be able to monitor network traffic between the virtual machines within
that VMware ESX setup.
In this case, in order for Deep Discovery Inspector to be able to monitor the network traffic between the
virtual machines in an ESX environment, the network traffic must be mirrored from a virtual distributed
switch using either remote mirroring or encapsulated remote mirroring, as described below.
Note: ERSPAN stands for encapsulated remote switched port analyzer. The traffic is encapsulated in
generic routing encapsulation (GRE) and can therefore be routed across a layer 3 network
between the source switch and the destination switch.
Remote Mirroring
With remote mirroring, a VDS (Virtual Distributed Switch) can be set up in a VMware vCenter
environment to forward inter-VM traffic to Deep Discovery Inspector. Remote mirroring enables
you to monitor traffic on one switch through a device on another switch and send the monitored
traffic to one or more destinations.
The mirroring source is the virtual distributed switch, which forwards mirrored traffic to the
mirroring destination: a physical switch that receives the mirrored traffic and can route it to
Deep Discovery Inspector. For proper functionality, verify that the uplink ports of the ESXi hosts
that receive traffic are linked to the physical switch trunk port.
Remote mirroring requires that you configure a remote mirroring VLAN on your physical
switches. If you cannot configure a remote mirroring VLAN, you can use encapsulated remote
mirroring as an alternative which is described below.
FIGURE 2. Mirrored Traffic Monitoring from a VDS with Encapsulated Remote Mirroring
Once established, all Inter-VM traffic will be forwarded to Deep Discovery Inspector.
Note: For step-by-step details on configuring Mirrored Traffic Monitoring from a Virtual Distributed
Switch, you can refer to the Deep Discovery Inspector Installation and Deployment Guide
(http://docs.trendmicro.com/all/ent/ddi/v5.5/en-us/ddi_5.5_idg.pdf)
Note that various mirroring and encapsulated setups can be used which depend on whether you
are using a Deep Discovery Inspector hardware or virtual appliance. All supported VDS
configurations are fully described in the above mentioned Installation and Deployment guide.
Advantages
• Deep Discovery Inspector is able to see Source IP address of the individual machine
requesting the web resource
• Web content being returned to the end user will have already passed through the web
security gateway
- This eliminates some of the known threats allowing Deep Discovery to focus on
malware that has made it through their security gateway
Disadvantages
• Deep Discovery Inspector sees web requests before they are filtered by the existing web security gateway
- This could raise detections in the product that are already addressed by the
gateway device
- But still gives visibility to possibly infected endpoints
• Some customers may route internal traffic through the web security gateways, which
may increase the amount of traffic being analyzed by the Deep Discovery Inspector
Advantages
• Reduced amount of traffic being analyzed
• Requests being filtered by the web security gateway will not reach Deep Discovery
Inspector
Disadvantages
• When Deep Discovery Inspector is deployed on the external side of the proxy, the source
IP for events will be that of the proxy server, and not that of the actual host making the
request.
Note: To see the actual source IP of the host which made the request, you can use the IP address
rewriting functionality if the web gateway supports the X-Forwarded-For HTTP header.
This functionality (Enable IP address rewriting for CAV logs (according to X-Forward-For header))
can be configured through the internal Deep Discovery Inspector debug portal,
which can be accessed by contacting Trend Micro Technical Support.
• Response data will not have been filtered by the web security gateway prior to
inspection
- This could result in events related to traffic that will ultimately be filtered by the
web gateway device and would therefore not require additional investigation
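The source-IP rewriting described in the note above, as an added example (not Trend Micro code): when the observed TCP source of an HTTP request is a registered HTTP proxy, the client address is recovered from the X-Forwarded-For header the gateway appended. The proxy addresses and the captured request are constructed.

```python
"""Attribute a proxied HTTP request to the real client via X-Forwarded-For.

Added example, not part of Deep Discovery Inspector. It models the idea behind
the "Enable IP address rewriting for CAV logs (according to X-Forward-For
header)" option: only a request that arrived from a registered proxy is
rewritten, because a header sent by an arbitrary host cannot be trusted.
"""
import ipaddress

# Constructed: addresses of the HTTP proxies registered as trusted services.
REGISTERED_PROXIES = {"10.0.0.5", "10.0.0.6"}


def parse_headers(raw_request: str) -> dict:
    """Return a lowercase-keyed dict of headers from raw HTTP request text."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:        # skip the request line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def rewrite_source_ip(observed_src: str, raw_request: str,
                      proxies=REGISTERED_PROXIES) -> str:
    """Return the IP address the request should be attributed to.

    A gateway appends the client it saw to the right of X-Forwarded-For, so
    the chain is walked from the right and the first address that is not
    itself a registered proxy is taken. Anything unparsable (e.g. "unknown")
    is skipped. If nothing usable is found, the observed source is kept.
    """
    if observed_src not in proxies:
        return observed_src                    # not proxied: nothing to rewrite
    xff = parse_headers(raw_request).get("x-forwarded-for")
    if not xff:
        return observed_src
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            continue
        if str(ip) not in proxies:
            return str(ip)
    return observed_src


# Constructed request as Deep Discovery Inspector would see it on the
# external side of the proxy: the TCP source is the proxy (10.0.0.5).
SAMPLE_REQUEST = ("GET /index.html HTTP/1.1\r\n"
                  "Host: www.example.test\r\n"
                  "X-Forwarded-For: 192.168.20.17, 10.0.0.6\r\n\r\n")

if __name__ == "__main__":
    print(rewrite_source_ip("10.0.0.5", SAMPLE_REQUEST))   # 192.168.20.17
```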
Later in this training, we will see how to avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, by adding HTTP Proxies as
registered services on Deep Discovery Inspector.
Lateral Movement:
• Part of the attack phase is lateral movement, where machines which become infected are
then used by the attackers to move throughout the target’s network
• This allows the attacker to explore and collect information that can be used in future
attacks or information that can be prepared for exfiltration
• When Deep Discovery Inspector is only deployed at the Ingress/Egress points it will not
have access to the lateral movement activities (such as brute force attacks, internal port
scanning…)
• Since Deep Discovery Inspector has multiple ports, specific internal network segments
can still be monitored (as long as aggregate throughput isn’t greater than licensed
throughput or hardware capabilities)
DNS Queries:
• DNS traffic will show the originating address of the internal DNS servers
• Therefore, for malicious communication identified based on DNS queries, Deep Discovery
Inspector is unable to provide information on the system that made the initial request
• The only way to correlate this information would be to:
- Review the logs on the DNS server, or SIEM device if it is collecting DNS logs, to
identify the system that initiated the query
- Also mirror DNS traffic going from monitored hosts to internal DNS servers
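The first correlation option above (reviewing the DNS server logs for the query that Deep Discovery Inspector attributed to the DNS server), as an added example that is not Trend Micro code. The detection record and the BIND-style query log lines are constructed; the timestamps and window are assumptions.

```python
"""Correlate a DNS-based detection back to the internal host that queried.

Added example, not part of Deep Discovery Inspector. When only the traffic
between the internal DNS servers and the Internet is monitored, a detection on
a malicious domain carries the DNS server's address as its source. The
originating client is recovered from the DNS server's own query log (or from a
SIEM that collects it), matching on the queried name within a short time window
before the detection to allow for forwarding delay and clock skew.
"""
from datetime import datetime, timedelta
import re

# Constructed BIND-style querylog lines from the internal DNS server 10.0.0.53.
DNS_QUERY_LOG = """\
12-Mar-2024 10:14:02.311 client 192.168.10.33#51200: query: www.example.test IN A + (10.0.0.53)
12-Mar-2024 10:14:03.904 client 192.168.10.71#41933: query: bad-domain.test IN A + (10.0.0.53)
12-Mar-2024 10:14:05.120 client 192.168.10.33#51201: query: cdn.example.test IN A + (10.0.0.53)
12-Mar-2024 10:15:40.001 client 192.168.10.71#41934: query: bad-domain.test IN A + (10.0.0.53)
this line is not a query record and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client "
    r"(?P<client>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_query_log(text: str) -> list:
    """Parse query log lines into dicts; non-matching lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append({
                "ts": datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S"),
                "client": m["client"],
                "qname": m["qname"].rstrip(".").lower(),
            })
    return entries


def find_originating_clients(detection: dict, entries: list,
                             window_seconds: int = 60) -> list:
    """Return the distinct clients that queried detection['domain'] in the
    window [detection time - window, detection time]. The detection's own
    source is the DNS server, so it is not the answer; the clients are."""
    end = detection["time"]
    start = end - timedelta(seconds=window_seconds)
    wanted = detection["domain"].rstrip(".").lower()
    clients = {e["client"] for e in entries
               if e["qname"] == wanted and start <= e["ts"] <= end}
    return sorted(clients)


# Constructed detection as Deep Discovery Inspector would report it: the
# source host is the DNS server, not the endpoint that resolved the name.
DETECTION = {"time": datetime(2024, 3, 12, 10, 14, 4),
             "source_ip": "10.0.0.53",
             "domain": "bad-domain.test"}

if __name__ == "__main__":
    print(find_originating_clients(DETECTION, parse_query_log(DNS_QUERY_LOG)))
```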
Targeted attacks and advanced persistent threats (APTs), are highly organized, focused efforts that are
custom-created to penetrate organizations for access to internal systems, data, and other valuable
assets.
It is important to note here, however, that in practice the different stages of an attack are not
cleanly separated. The stages of a targeted attack represent distinct steps in a logical, structured attack.
Reality, however, is far messier. Once a stage is “finished”, it does not necessarily mean that no
other activities related to that stage will take place. It may be possible for multiple stages of an
attack to be occurring at the same time. For example, C&C communication takes place through all
phases of a targeted attack. The attacker needs to keep control of any activities going on within the
targeted network, so naturally C&C traffic will continue to go back and forth between the attacker
and any compromised systems.
It is best to think of each component as different facets of the same attack, where different portions
of a network may be facing different facets of an attack at the same time.
This can have a significant effect on how an organization has to respond to an attack. It cannot
simply be assumed that because an attack was detected at an “earlier” stage, that “later” stages of
an attack are not in progress.
A proper threat response plan should consider this and plan accordingly. Below is a description of
each phase of an attack cycle.
Intelligence Gathering
In this stage of the attack, cyber criminals have their attack targets in mind and conduct
research to identify target individuals within the organization and then prepare a customized
attack—most likely leveraging public sources, such as LinkedIn, Facebook, and MySpace. With the
wealth of personal information provided on these sites, attackers arm themselves with in-depth
knowledge on individuals within the organization. For example, their role, hobbies, trade
association memberships, and the names of those in their personal network.
With this information in hand, attackers prepare a customized attack in order to gain entry into
the organization.
Point of Entry
The initial compromise is typically from zero-day malware delivered via social engineering
(email/IM or drive by download). A back door is created and the network can now be infiltrated.
Alternatively, a web site exploitation (such as a watering hole) or direct network hack may be
employed.
Once cybercriminals have gathered the intelligence on their intended target, they begin work on
designing their point of entry into the organization.
C&C communication is used by the attacker to instruct and control the compromised machines
and malware used for all subsequent phases of the attack (lateral movement, data discovery,
and exfiltration).
Lateral Movement
Once inside the network, the attacker compromises additional machines to harvest credentials
and gain escalated privilege levels. The attacker will also acquire strategic information about the
IT environment—operating systems, security solutions and network layout—to maintain
persistent control of the target organization.
Lateral movement uses legitimate system administration tools to help hide its activities, and has
three goals in mind: escalate the available privileges within the target network, perform
reconnaissance within the target network, and move laterally to other machines within
the network itself. In the attack, several tools are often used to increase the intruder’s level of
access in the network, including port redirectors, scanning tools, and remote process executor
tools.
Asset/Data Discovery
In an advanced malware attack, cyber criminals are in pursuit of high-value assets. This could
be anything from financial data, trade secrets, or source code, and most noteworthy, attackers
know the intended data of interest when a target organization is selected.
The attacker’s goal is to identify the data of interest as quickly as possible without being noticed.
In this phase of the attack, the attacker can use several different techniques. For example, they
will:
• Check the configuration of the infected host’s email client to locate the email server
• Locate file servers by checking the host for currently mapped network drives
• Obtain the browser history to identify internal Web services, such as CMS or CRM
servers
• Scan the local network for folders shared by other endpoints, to identify noteworthy
servers and services that house data of interest.
• Use port scanning to discover open ports etc.
Data Exfiltration
Data exfiltration is the unauthorized data transmission to external locations. In this stage of a
targeted attack, sensitive information is gathered and then funneled to an internal staging
server where it is chunked, compressed, and often encrypted for transmission to external
locations under an attacker’s control.
Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies malicious
content, communications, and behavior that may indicate advanced malware or attacker activity across
every stage of the attack sequence.
In this section, we will look at how the RSA Excel Flash Vulnerability attack was carried out and how
each process of that attack, maps to the attack cycle phases previously discussed.
Although in reality, each attack is customized to its target, they commonly all follow a consistent
attack life-cycle to infiltrate, and operate inside an organization.
In March 2011, when EMC disclosed an attack against its RSA division that successfully stole
SecurID data, it quickly made national headlines — especially due to the millions of RSA
SecurID tokens in use at the time, providing protection to corporate networks and
smartphones.
It was subsequently discovered in June 2011 that targeted attacks against Lockheed Martin, L-3
Communications, and Northrop Grumman were made possible by the SecurID data obtained
in the successful RSA breach.
SOURCE: http://ralphshicks.blogspot.com/2011/08/security-firm-rsa-attacked-using-excel.html
Attack Steps
• Two spear phishing emails were sent over a two-day period targeted at low to mid-level
employees with subject “2011 Recruitment Plan” and .xls attachment with the same title.
• The .xls file contained an exploit through an Adobe Flash zero-day vulnerability that
installed a backdoor using a Poison Ivy RAT variant set in a reverse-connect mode.
• Attackers moved laterally to identify users with more access and admin rights to
relevant services and servers of interest. Access was then established to staging servers
at key aggregation points.
• Data of interest was moved to the internal staging servers, aggregated, compressed, and
encrypted for extraction.
• FTP was then used to transfer password protected RAR files to a compromised machine
at a hosting provider. Files were subsequently removed from the host to cover up traces
of the attack.
• Intelligence Gathering: In the attack on RSA, the criminals’ intelligence gathering
phase focused on identifying a small group of employees within two groups to target
with a well-crafted and compelling email. According to RSA, the targeted employees
weren’t considered “particularly high profile or high value targets.” This research
approach has become commonplace, whereby employees within a certain department or
with a desired management level are targeted, which also demonstrates the importance
of educating employees about security awareness.
• Point of Entry: In the RSA example, the attack began with spear phishing emails sent to
targeted employees with an Excel attachment titled, “2011 Recruitment Plans.” When the
employee opened the spreadsheet, it ran malware that exploited a previously unknown
Pre-Configuration Console
Following the deployment of a new Deep Discovery Inspector in your environment, the first task you will
do is log into the Deep Discovery Inspector Pre-configuration Console (a terminal communications
program) and configure the initial network and system settings that are required to access the Deep
Discovery Inspector web-based management console, or simply, the web console.
Note: Although the following screen captures are for a virtual appliance setup of Deep Discovery
Inspector, all the listed steps are identical for both hardware and virtual form factors.
1 Log on to the Pre-Configuration Console with the username: admin, and password: admin.
3 Enter the Deep Discovery Inspector IP address, subnet, gateway and DNS set up to use.
4 To save these settings, navigate to the option Return to the main menu located at the bottom of
the screen.
After the changes are saved, the following page will display, indicating the URL needed for
connecting to Deep Discovery Inspector web console using a supported web browser.
Information for completing the Deep Discovery Inspector configuration is provided below.
The Deep Discovery Inspector web management console supports the following web browsers:
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Microsoft Edge
Note: Ensure that your web browser’s Internet Security level is set to Medium and enable ActiveX
Binary and Script Behaviors.
You should also use the minimum recommended screen resolution of 1280x800.
For a complete listing of supported web browser versions and other Deep Discovery Inspector
web console requirements, you can refer to the Deep Discovery Inspector Quick Start Guide.
To connect to the Deep Discovery Inspector web console, launch a supported web browser and
open an HTTPS connection to the management port IP address of your Deep Discovery Inspector.
For example: https://<DDI Management IP Address>.
The management port IP address is configured as part of the Pre-Configuration Console setup
that was discussed earlier.
If the connection is successful, the Deep Discovery Inspector web console Log On screen will be
presented as follows. Enter the default web console password admin to login.
Once you have successfully logged in to the web console, you will be forced to change this
password to one that meets the criteria for a stronger password as indicated below.
Best Practice: Trend Micro recommends changing the Deep Discovery Inspector password to a strong
password after logging on for the first time, and periodically thereafter.
To activate Deep Discovery Inspector, you will need to enter a valid activation code as follows.
In the Deep Discovery Inspector web console, go to Administration > Licenses and select New
Activation Code. In the window that appears, type the activation code that you received with your
purchase of Deep Discovery Inspector.
After entering in your activation code for Deep Discovery Inspector, you will be presented with the
software license. Click Accept if you agree.
Once you have accepted the license agreement, the Licenses screen will be updated as follows to
notify you that the Deep Discovery Inspector is now activated:
In the web console, go to Administration > System Settings > Time and configure a timezone and NTP
server:
To configure the threat geographic map for your environment, perform the following steps:
1 Go to Dashboard > Threat Monitoring.
2 Next click Widget Settings.
This will set the Threat Geographic Map to your specific location similar to the following:
Once the Deep Discovery Inspector has been in use for a while, the Threat Geographic Map will
display regions with affected hosts as a solid red circle and the Deep Discovery Inspector location
being analyzed as a concentric red circle.
To add a network group in Deep Discovery Inspector, go to Administration > Network Groups and
Assets > Network Groups. Note that if an internal host has a public IP address (for example, DMZ), it
should also be added here.
As shown above, descriptive names should be used for your network groups such as Finance, Sales,
Human Resources etc. This will make it easier to analyze your Deep Discovery Inspector detection
logs, widgets and reports.
In the following example, when viewing Deep Discovery Inspector detections such as the threat
detections by Affected Hosts (which will be discussed later in this training), having descriptive names
for the different network groups, makes it easier for you to quickly identify on which portion of your
network the affected host resides. This will improve the time it will take for you to respond to a
potential threat.
Identifying trusted domains and services in the network not only ensures detection of unauthorized
domains, applications, or services, but also avoids unnecessary detections (logs) of trusted domains
and services that become a distraction for important detections that need more attention.
In cases where a valid service has not yet been configured as a registered (“trusted”) service within
Deep Discovery Inspector, an entry will appear in the detection logs with the threat description
“Unregistered service” similar to the following:
Depending on the amount of traffic seen by Deep Discovery Inspector, these entries can potentially
“flood” the Deep Discovery Inspector detection logs with unnecessary information. When trying to
filter through thousands of higher severity events (such as the above DNS Response, with a Medium
severity level) this can waste time (and possibly make it more confusing) when analyzing detection
logs to find actual risks that may be compromising your network.
Best Practice: - Register ALL trusted network domains and dedicated servers for specific services
that are used internally or are considered trustworthy
- Export all current network configurations using the Export function as backup
Next, you will need to add domains used for internal purposes or those considered trustworthy.
This tells Deep Discovery Inspector which domains should be trusted and ensures the detection
of any unauthorized domains.
To add a registered domain, use the Deep Discovery Inspector web console and go to
Administration > Network Groups and Assets > Registered Domains.
The Analyze button is used to auto-discover your domains. If any domains are found, they will be
displayed in a list where you will be able to select the ones to add as a registered domain.
The Registered Domains settings are used by the detection rules. Therefore, if a legitimate
domain is not registered, and this domain is used in the rule, it may incorrectly trigger an event.
Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.
Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.
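The suffix matching just described, as an added example that is not Trend Micro code: it checks which hosts in a set of detection records would be covered by a registered domain list and which would still surface as unregistered, with the 1,000-entry limit from the note enforced. Matching is done on label boundaries so that notdomain.com is not covered by domain.com; whether the product’s own matcher behaves the same way is not stated here, so verify it in your deployment. The domain lists and detection records are constructed.

```python
"""Registered-domain suffix matching, as an added example (not product code).

Adding domain.com is treated as covering one.domain.com, two.domain.com and so
on, matching on label boundaries (assumption: the product's exact matching
rule is not stated on the page). The list is capped at 1,000 entries.
"""
MAX_REGISTERED_DOMAINS = 1000


def normalize(name: str) -> str:
    """Lower-case and strip whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


class RegisteredDomains:
    def __init__(self, domains=()):
        self._domains = set()
        for d in domains:
            self.add(d)

    def add(self, domain: str) -> None:
        d = normalize(domain)
        if d not in self._domains and len(self._domains) >= MAX_REGISTERED_DOMAINS:
            raise ValueError("registered domain limit of 1,000 reached")
        self._domains.add(d)

    def is_registered(self, host: str) -> bool:
        """True if host equals a registered domain or is a subdomain of one."""
        labels = normalize(host).split(".")
        # Walk the parent suffixes on label boundaries: a.b.domain.com ->
        # b.domain.com -> domain.com -> com. "notdomain.com" never produces
        # "domain.com" as a suffix, so it is not matched.
        return any(".".join(labels[i:]) in self._domains
                   for i in range(len(labels)))

    def __len__(self) -> int:
        return len(self._domains)


def unregistered_hosts(detections: list, registered: RegisteredDomains) -> list:
    """Distinct destination hosts from detection records that the registered
    list does not cover; these are the ones that would keep producing
    'unregistered domain' entries until added."""
    return sorted({normalize(d["host"]) for d in detections
                   if not registered.is_registered(d["host"])})


# Constructed detection records (host = the domain that was contacted).
DETECTIONS = [
    {"src": "192.168.10.33", "host": "one.domain.com"},
    {"src": "192.168.10.33", "host": "two.domain.com."},
    {"src": "192.168.10.71", "host": "notdomain.com"},
    {"src": "192.168.10.71", "host": "Mail.Corp.Example"},
    {"src": "192.168.10.90", "host": "update.vendor.test"},
]

if __name__ == "__main__":
    reg = RegisteredDomains(["domain.com", "corp.example"])
    print(unregistered_hosts(DETECTIONS, reg))   # ['notdomain.com', 'update.vendor.test']
```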
If a trusted domain was not added above using the Registered Domains configuration page, and
Deep Discovery Inspector detected it as an unauthorized domain in the Detections > All
Detections page (All Detections page will be explored in more detail later in this training), you
have the ability to mark this trusted host as a Registered Domain directly from the Detections >
All Detections page as follows.
Click the down arrow for a trusted host that is listed under the Source Host column then select
Registered Domains from the Mark as list that is displayed.
This allows you to save the selected domain IP address to the Deep Discovery Inspector
Registered Domains list.
Registered Services can be defined in the web console by navigating to Administration > Network
Groups and Assets > Registered Services. The services that are mandatory to define include:
SMTP, HTTP Proxy, DNS.
Identifying the trusted services in your network, ensures the detection of unauthorized
applications and services. While it is better to add this information ahead of time, it can also
be added after the fact, but this will not be retroactive.
Detection rules in Deep Discovery Inspector use Registered Services. Therefore, if you do not
have a legitimate service registered, this can lead to rules being incorrectly triggered and files
unnecessarily going to the sandbox for virtual analysis, which can be a resource-intensive
process depending on the file being analyzed.
Note: Only the SMTP server/relay and DNS server can be discovered automatically.
Any registered services that are not auto-discovered by Deep Discovery Inspector should be
manually added as follows:
In addition, any hosts that were not added in this configuration step, can optionally be added to
Registered Services by selecting them from the All Detections page as we saw previously with
Registered Domains.
You will need to select the detected “unauthorized” service from Detections > All Detections,
then click the down arrow and select Registered Services as follows:
Generating Reports
Reports use forensic analysis and threat correlations for an in-depth analysis of Deep Discovery
Inspector event logs to identify the threats more precisely.
Reports are designed to assist the administrator in determining the types of threat incidents
affecting the network.
By using daily administrative reports, IT administrators are able to better track the status of threats,
while weekly and monthly executive reports keep executives informed about the overall security
posture of the organization.
In Deep Discovery Inspector, there are various reports that can be generated including:
• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated
threat information.
• On-Demand Reports: Reports that can be generated as needed that are designed to provide
detailed information about specific files.
• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information
about specific suspicious objects.
Report Templates
Different report templates are available depending on the type of information that is needed. For
example, Deep Discovery Inspector provides the following report templates that provide easy
access to threat information:
• Summary Report
• Executive Report
• Advanced Report
• Threat Detection Report
• Host Severity Report
Scheduled Reports
Scheduled Reports are PDF documents that are generated automatically daily, weekly, or
monthly. The reports are also sent automatically to the configured recipients via SMTP. There are
three default Scheduled Reports generated automatically:
• End of Each Day (Advanced Report)
- Daily reports can be generated before the end of day
• End of Each Week (Executive Report)
• End of Each Month (Executive Report)
Other scheduled reports can be customized, specifying the frequency, report type, and enabling
or disabling notification.
The report name is specified when creating the customized report. However, the filename will be
of the form “reporttype_period.pdf”.
On-Demand Reports
On-demand reports are PDF documents that can be generated as needed and are designed to
provide detailed information about specific files. On-demand Reports can be generated up to the
previous date.
The Customization tab can be used to configure the report covers with the company name and
logo.
Report Example
An Executive Report can be useful for managers who need only an overall view of the threats
affecting their business and the potential impact. This report provides the following sections.
Select the checkbox for the reports you want to delete, then click Delete.
Email notifications can help your security team determine the action(s) required for certain events.
Note: Ensure the Deep Discovery Inspector IP address is added to the SMTP relay list!
Event types that you can create notifications for include the following.
Administrator
This account will be able to access and configure all sections of the Deep Discovery Inspector
web console.
Viewer
This account will ONLY be able to view detection and system information from the web console.
To add new user accounts go to Administration > Accounts and click Add.
Note that from the following screen you can also reset a particular user’s password by
clicking Change Password in the Reset password column.
To check if any Deep Discovery Inspector components are out-of-date or to perform a manual
update from the web console, go to Administration > Updates > Component Updates > Manual as
follows:
Note: It is not possible to individually select the components you wish to update. All the Deep Discovery
Inspector components will be updated at once.
Deep Discovery Inspector automatically checks the update source at the specified update
frequency that is configured in the web console under Administration > Updates > Scheduled.
Changes can be made to the schedule as required.
Note: Trend Micro recommends setting the update schedule to every two hours.
If the firmware was updated during a scheduled update, you will receive an email notifying you to
restart Deep Discovery Inspector and you will need to restart the appliance at that point.
The following components are updated during scheduled and manual component updates:
OTHER COMPONENTS:
• Threat Correlation Pattern: Used to perform threat correlation.
• Threat Knowledge Base: Database used to provide further information for correlated
threats.
• Virtual Analyzer Sensors: Modules that run on the sandbox virtual machines that
perform virtual analysis of file samples.
• Widget Framework: Provides a template for the Deep Discovery Inspector widgets.
• Deep Discovery Inspector Appliance Firmware: Deep Discovery Inspector application
software.
In air-gapped environments (no access to the Internet), the Deep Discovery Inspector patterns
and engines must be updated using the Trend Micro Update Utility (TMUT).
This tool must be deployed in a network which has access to Trend Micro’s update server, and also
within the air-gapped environment itself. Once the tool has access to Trend Micro’s update server,
it downloads the updates, which can then be transferred to the update utility instance that is
deployed in the air-gapped environment. Deep Discovery Inspector is then able to retrieve its
updates using this tool (TMUT server) as its update source.
Note: In air-gapped environments you should also disable all Web Services, including WRS, MARS,
and CSSS.
To automatically keep the configuration of the original Deep Discovery Inspector, select the
“Migrate configuration?” checkbox and click Continue.
To use the default configuration (as with a new Deep Discovery Inspector installation), leave the
“Migrate configuration?” checkbox empty and click Continue. The database will be migrated,
which keeps all the original data. The sandbox image and status can also be kept during the
firmware update. After performing a firmware update, DO NOT select the old version in GRUB, since
the database cannot be rolled back.
Deep Discovery Inspector provides a hardware detection feature to view your Deep Discovery
Inspector hardware model, CPU and memory information. It is good practice to check your model
information for compatibility with new firmware before upgrading. The hardware information can
be viewed from the web console under Help > About.
From here you can view the current firmware version for your device. Click the System
Information link indicated above to see additional appliance hardware information about CPU
and memory.
Deep Discovery Inspector logs can be sent to supported syslog servers through TCP, TCP with SSL
encryption, or UDP in the following formats: Common Event Format (CEF), Log Event Extended
Format (LEEF), and Trend Micro Event Format (TMEF).
System logs provide summaries of system events, including component updates and appliance
restarts. Deep Discovery Inspector System Logs can be accessed through the Deep Discovery
Inspector web console as indicated below.
The Deep Discovery Inspector system logs are stored in the Deep Discovery Inspector database,
but can also be stored in Trend Micro Apex Central or on a supported syslog server.
System Event log queries can be performed to gather information from the Deep Discovery
Inspector log databases.
Queried logs can be exported to CSV file format. To perform a System Log query, you must set
the query Criteria as indicated below.
Virtual Analyzer uses ‘customized’ system images to observe sample behavior and characteristics within
an isolated and controllable virtual environment. Enabling the Virtual Analyzer feature not only helps
organizations to identify and combat potential threats at an early stage, but also gives a deeper
understanding and knowledge of potential threats.
The Virtual Analyzer component is also available with other Deep Discovery solutions, including
Deep Discovery Email Inspector and Deep Discovery Analyzer (a standalone appliance that
allows you to load multiple virtual images of endpoint configurations to analyze and detect targeted
attacks). This is useful in larger deployments to off-load resource-intensive sandboxing functions from
Deep Discovery Inspector.
The following section provides an overview of the functionality and configuration options for the Virtual
Analyzer and how to enable it in Deep Discovery Inspector.
If you are using the Deep Discovery Inspector’s Virtual Analyzer, as opposed to Deep Discovery Analyzer
for virtual sandbox analysis, you will need to configure various sandbox settings for this in the Deep
Discovery Inspector.
For example, you will need to import custom OVA images that mirror your own protected endpoints into
the Deep Discovery Inspector’s Virtual Analyzer. These images will be used by the virtual sandbox
functions to analyze suspicious threat detections and how they behave in your particular environment.
Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create for
Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to configure any sandboxes
as described below.
You can refer to the Deep Discovery Analyzer Installation and Deployment guide
(docs.trendmicro.com/all/ent/ddan/v6.5/en-us/ddan_6.5_idg.pdf) for more
information on these custom sandbox requirements.
After importing the images, you can then decide how many instances should be allocated for each
image.
Note: The following section provides the steps for importing an existing custom sandbox into Deep
Discovery Inspector for use by the Virtual Analyzer. The complete steps for preparing your own
custom sandbox image for Virtual Analyzer will be covered in detail later in this training.
If you are using an existing Deep Discovery Analyzer in your environment for virtual sandbox
analysis, you can skip this process as you will need to import your custom sandbox into Deep
Discovery Analyzer instead.
1 Go to Administration > Virtual Analyzer > Internal Virtual Analyzer.
2 Next, select the Images tab and click Import.
There are two methods that can be used to import a new image that the VA will use for analyzing
suspicious samples.
You should select the method that is most appropriate for your environment.
Note: For detailed steps on importing a new image using one of the above methods, please refer to the
Deep Discovery Inspector Online Help Center (http://docs.trendmicro.com/en-us/
enterprise/deep-discovery-inspector.aspx).
For Deep Discovery Inspector version 5.1, Deep Discovery Inspector supports a maximum of 2
images.
Note: The hardware specifications of your Deep Discovery Inspector appliance determine the total
number of instances that can be deployed. Trend Micro recommends:
• Use the official license (DDI 500/510: 2 instances, 1000/1100: 4 instances, and 4000/4100: 20
instances) to configure the maximum number of total instances (this is done using the DDI
debug portal, which should only be used under the guidance of Support)
• Increasing the total number of instances beyond the hardware capability can cause
performance issues
• Modify the number of instances for each image
• Each image must have a minimum of one instance
Best Practice: The Virtual Analyzer feature in Deep Discovery Inspector can be enabled at any time
but by default, it is set to Disabled. To defend against potential threats, the following
are some recommended best practices for using the Virtual Analyzer:
- Enable Virtual Analyzer, then submit files to either the Deep Discovery Inspector
Virtual Analyzer or to an external Virtual Analyzer that is built into other Trend Micro
products such as Deep Discovery Analyzer (which will be discussed later in this
training).
- Increase the maximum file size to 15 MB for intercepted files to minimize dropped-file
occurrences.
1 To activate the Virtual Analyzer in Deep Discovery Inspector, open the web console and go to
Administration > Virtual Analyzer > Setup.
2 Next, configure the following parameters:
• Submit files to Virtual Analyzer: Enable this option
• Virtual Analyzer: Internal
• Network Type: Custom network (Malware network)
• If Specified Network is selected, set Sandbox Port, IP, subnet, gateway, DNS
When enabling the internal Virtual Analyzer for testing suspicious files that Deep Discovery
Inspector encounters, there are three different Network type options that can be selected. The
Network type selected determines the Internet connectivity of Virtual Analyzer. For example,
when Management network is used, internal Virtual Analyzer connects to the Internet using the
Deep Discovery Inspector management port. If Custom network is selected, the internal Virtual
Analyzer will have the ability to connect to the Internet using another data port.
Best Practice: Since suspicious files analyzed by internal Virtual Analyzer will commonly generate
malicious traffic (for instance, connections to command and control servers), this
traffic will be intercepted and trigger certain Deep Discovery Inspector detection rules.
To isolate and more easily identify detections triggered by the internal Virtual
Analyzer processes, it is recommended to set up a Custom network and specify a
different data port, IP, or proxy settings to use for Internet connectivity for the Virtual
Analyzer.
Best Practice: Test the Internet connectivity whenever new settings are saved.
After clicking Save, the following pop-up will be displayed notifying that submissions of files to the
Virtual Analyzer will be limited to a maximum file size of 15 MB (by default). This value can be
modified as will be discussed in the next section.
The Maximum File Size parameter shown above controls the size of files that will be accepted by
Deep Discovery Inspector for scanning by the various Deep Discovery Inspector services (File
Scan daemon, ATSE, etc.), including the Virtual Analyzer.
The default Maximum file size value is 15 MB but can be increased to a maximum of 50 MB.
When a file is encountered that exceeds the maximum size that is configured here, Deep Discovery
Inspector will drop the file which also has the following implications:
• The file will not be scanned by ATSE
• The file will not be submitted to the Virtual Analyzer for analysis
• The file will not be stored by Deep Discovery Inspector
File Submission rules for the Virtual Analyzer can be configured through the web console as follows. Go
to Administration > Virtual Analyzer > File Submissions.
This configuration ensures that only the necessary files are being submitted to the Virtual Analyzer
for sandboxing analysis.
Best Practice: It is not advisable to modify the default File Submission Rules following a new
deployment until proper functionality has been verified.
Always back up the original file submission rules using the Export feature before
applying any new configuration.
To enable the use of an existing Deep Discovery Analyzer for virtual analysis the process is as
follows:
1 In the Deep Discovery Inspector web console, go to Administration > Virtual Analyzer > Setup.
2 Set Virtual Analyzer to External and configure your settings as follows:
• Server Address: Enter the IP address of the Deep Discovery Analyzer in your network.
• API Key: Connect to the web console of your Deep Discovery Analyzer, then go to Help >
About to obtain the API key.
Pre-Scanning Flow
Before a sample is submitted to the Virtual Analyzer the following flow takes place:
1 Suspicious sample is scanned by ATSE:
• Identify the true file type
• Extract the files in non-password protected .eml formatted files and file archives
2 Determine if the sample needs to be submitted to the Virtual Analyzer Sandbox:
• Check the Deep Discovery Inspector File (SHA1) Allow List. Files in the list are not
submitted to the Deep Discovery Analyzer.
• Check if a file analysis report is available from the cache. Files with existing results are
not submitted again.
• If the file type is PE (Portable Executable), perform CSSS/GRID query to check the file
reputation. The file is not submitted if the reputation is Good.
• If file type is PE, call the MARS daemon to perform Census query to check if the sample
is generally available in the world. The file is not submitted to the sandbox if the file
prevalence is greater than 10,000.
3 Check Virtual Analyzer Cache:
• Analysis results for samples are cached by the Virtual Analyzer. The cache is checked
before the sample is processed.
Once the above flow has taken place, the sample is submitted to the Virtual Analyzer for analysis.
DTAS Sync
DTAS Sync is the interface that is used for communications between Deep Discovery Inspector and
the Virtual Analyzer.
DTAS Sync queries Deep Discovery Inspector every 20 seconds (by default) and does the following
(note: if using DDAN, the query interval is every 5 minutes):
• If CSSS (GRID) is enabled, send the suspicious file hash to GRID to determine if the file is
whitelisted and therefore should be skipped
• Submit suspicious file samples from the /fileStore directory to the VA for analysis
• Retrieve reports for analyzed files and store them in the database
• Retrieve feedback (blacklist) for analyzed files and store it in the database. The blacklist is
loaded by the CAV daemon to detect related threats
Note: In the Deep Discovery Inspector Virtual Analyzer, DTAS Sync queries every 20 seconds (by
default). If however Deep Discovery Inspector is sending files to Deep Discovery Analyzer Virtual
Analyzer, then DTAS Sync queries every 5 minutes.
The DTAS Sync Queue will always process submissions in a First In First Out (FIFO) manner. This
means that the oldest entries found in the database will be processed first and will be submitted
for file analysis. In older versions of Deep Discovery Inspector, an administrator could configure
DTAS Sync to use LIFO (Last In First Out) or FIFO to process file submission. This is no longer the
case.
In order to cut down the amount of submissions to the Virtual Analyzer for this type of scenario,
Deep Discovery Inspector implements a Virtual Analyzer cache. Essentially, this cache will prevent
re-submissions of samples by checking first if the same sample was already processed within an
acceptable period. By default, this acceptable period is set to 24 hours. In this case, when the Virtual
Analyzer receives a file submission which was already processed within the acceptable period, then
the cached result will be used and presented in the web console.
Note that the Virtual Analyzer Cache setting can be changed if required using the Deep
Discovery Inspector debug portal; however, this configuration should only be changed under the
guidance of Trend Micro Support.
As of DDI 5.X, Deep Discovery Inspector waits for the Virtual Analyzer report before
displaying it through the web console to the administrative user. This Virtual Analyzer result is
then used for subsequent detections of the same sample (i.e., one with the same file hash) as
long as the cached result is still valid and has not expired. When the cached result expires and another
instance of the same sample is detected, the sample is re-submitted to the Virtual Analyzer
accordingly.
As a result, multiple versions of the Virtual Analyzer report may be generated for the same sample
based on its detection time. Deep Discovery Inspector, however, will only keep the latest version of the
Virtual Analyzer report. When viewing an older Virtual Analyzer report for which an updated Virtual
Analyzer result exists in the Deep Discovery Inspector web console, an administrator may see the
following message when they try to download the investigation package:
The following result was analyzed at <data stamp and time>. A component was
updated or the cached analysis expired, which caused a newer analysis of this
file at <data stamp and time>.
In this case, the Virtual Analyzer result will now be updated to reflect the newer analysis that was
performed.
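The pre-scanning flow and the Virtual Analyzer cache described above, modeled as an added example (not Trend Micro code). It assumes constructed stand-ins for the ATSE true-file-type check, the CSSS/GRID reputation lookup and the MARS Census prevalence lookup; names such as pre_scan, VirtualAnalyzerCache and NOW are hypothetical.

```python
"""Model of the pre-submission checks and the 24-hour Virtual Analyzer cache.

Added example, not Trend Micro code. The reputation and prevalence sources are
constructed dictionaries standing in for the CSSS/GRID and MARS Census queries.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PREVALENCE_THRESHOLD = 10_000            # page: skip PE files seen > 10,000 times
CACHE_TTL = timedelta(hours=24)          # page: default acceptable period is 24 h
NOW = datetime(2024, 1, 1, 12, 0, 0)     # constructed reference time for the demo


def hours(n: float) -> timedelta:
    """Helper so callers can express offsets from NOW without importing datetime."""
    return timedelta(hours=n)


@dataclass
class Sample:
    name: str
    data: bytes

    @property
    def sha1(self) -> str:
        # Deep Discovery Inspector keys its File Allow List and cache on SHA-1.
        return hashlib.sha1(self.data).hexdigest()


def identify_true_type(data: bytes) -> str:
    """Stand-in for ATSE true-file-type identification (constructed, by magic bytes)."""
    if data.startswith(b"MZ"):
        return "PE"
    if data.startswith(b"%PDF"):
        return "PDF"
    return "UNKNOWN"


@dataclass
class CachedResult:
    verdict: str
    analyzed_at: datetime


@dataclass
class VirtualAnalyzerCache:
    """Caches analysis results; an entry older than ttl is treated as expired."""
    ttl: timedelta = CACHE_TTL
    entries: dict = field(default_factory=dict)

    def lookup(self, sha1: str, now: datetime):
        entry = self.entries.get(sha1)
        if entry is None or now - entry.analyzed_at > self.ttl:
            return None          # unknown or expired: sample must be (re)submitted
        return entry

    def store(self, sha1: str, verdict: str, now: datetime) -> None:
        # Only the latest version of the report is kept (page).
        self.entries[sha1] = CachedResult(verdict, now)


def pre_scan(sample: Sample, allow_list: set, cache: VirtualAnalyzerCache,
             reputation: dict, prevalence: dict, now: datetime):
    """Return (submit, reason) following the page's pre-scanning flow.

    reputation: sha1 -> "Good"/"Bad"/... (stand-in for the CSSS/GRID query)
    prevalence: sha1 -> global count   (stand-in for the MARS Census query)
    """
    sha1 = sample.sha1
    true_type = identify_true_type(sample.data)           # step 1: ATSE scan
    if sha1 in allow_list:                                  # step 2a: SHA-1 Allow List
        return False, "on File (SHA1) Allow List"
    cached = cache.lookup(sha1, now)                        # step 2b / 3: cached result
    if cached is not None:
        return False, f"cached verdict '{cached.verdict}' still valid"
    if true_type == "PE":
        if reputation.get(sha1) == "Good":                  # step 2c: GRID reputation
            return False, "CSSS/GRID reputation is Good"
        if prevalence.get(sha1, 0) > PREVALENCE_THRESHOLD:  # step 2d: Census prevalence
            return False, "Census prevalence above 10,000"
    return True, f"submit {true_type} sample to Virtual Analyzer"


def cache_lifecycle(sample: Sample) -> list:
    """Show one sample detected three times: fresh, within 24 h, and after expiry."""
    cache = VirtualAnalyzerCache()
    decisions = []
    first, _ = pre_scan(sample, set(), cache, {}, {}, NOW)
    decisions.append(first)                                 # True: first sighting
    cache.store(sample.sha1, "Malicious", NOW)              # VA report comes back
    second, _ = pre_scan(sample, set(), cache, {}, {}, NOW + hours(23))
    decisions.append(second)                                # False: cached result used
    third, _ = pre_scan(sample, set(), cache, {}, {}, NOW + hours(25))
    decisions.append(third)                                 # True: cache expired
    return decisions


if __name__ == "__main__":
    exe = Sample("invoice.exe", b"MZ" + b"\x90" * 32)      # constructed PE-like bytes
    print(cache_lifecycle(exe))                             # [True, False, True]
```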
The Virtual Analyzer feedback blacklist (Sandbox Feedback Blacklist) is the result of the analysis
of suspicious files by the Virtual Analyzer.
All Virtual Analyzer feedback blacklist entries can be viewed from the Deep Discovery Inspector
web console by selecting Detections > Suspicious Objects.
By default, only blacklist entries with High severity are loaded and these are used by Deep
Discovery Inspector to detect related threats and log any matching events.
A blacklist entry automatically expires after 30 days (set by the Virtual Analyzer) and is deleted
from the list after this point.
The minimum severity level used for detection is configurable from the Virtual Analyzer debug
web page. This is an advanced setting and should be used under the guidance of Support.
Administrators can move entries from the Virtual Analyzer Feedback Blacklist and copy detected
C&C Callback Addresses to the Deep Discovery Inspector Deny or Allow List.
The Deep Discovery Inspector modules use the Deny and Allow List for detection and to match or
bypass rules.
The NCIE and NCIT modules can implement the TCP Reset or DNS Spoofing action for the Deny
List entries.
This defines the whitelist that Deep Discovery Inspector uses to identify anything that is allowed in order
to avoid any false positive detections.
Best Practice: Add your organization’s internal domains and URLs to the Allow List to limit false
positives.
To configure the Allow List, access the Deep Discovery Inspector web console and go to Administration >
Monitoring / Scanning > Deny List / Allow List.
Red Status
A red status indicates that there is no connection. This may be due to network cable or device
problems, or the wrong link speed (connection type).
Green Status
A green status indicates that the connection is available. Ensure that the detected link speed
matches the correct link speed and check the NIC mirroring settings.
After deploying Deep Discovery Inspector into the target network segment, it is vital to check if Deep
Discovery Inspector is able to connect to these Internet and back-end services.
To verify network connections to these Deep Discovery Inspector back-end services, you can use the
Troubleshooting web page in Deep Discovery Inspector.
To access the Troubleshooting console, use a supported web browser and navigate to the following
URL: https://<IP address of DDI>/html/troubleshooting.html.
In the Troubleshooting console, select the Network Services Diagnostics tool (listed in the left-hand
menu options) and click Test to run a network connection test against all of Deep Discovery
Inspector’s services.
It may take a few moments to complete the services test, depending on the network
environment and the number of services that have been selected. Once the test is complete, the
results of the network connection test will be displayed as follows.
View the connection test results in the Result column to identify any connection errors for any of the
services.
These demo rules can be used to verify proper installation and detection functionality in Deep
Discovery Inspector.
For example, to verify that the Network Content Inspection Engine (NCIE) and the demo rules are
working properly using Rule 2245 - DEMO RULE - DNS (Request), you can perform the following steps
on any host that is in a Deep Discovery Inspector monitored network:
• Open a DOS command prompt on a computer in the Deep Discovery Inspector monitored
network and use the nslookup command to generate a DNS request packet to resolve the
following: ddi.detection.test
• In the Deep Discovery Inspector web console, go to Detections > All Detections to verify whether
Deep Discovery Inspector has detected a violation
• The Detail column can be checked for additional detection information
Note: You will have a chance to perform the complete steps for this process in an upcoming lab
exercise.
For more information about the built-in demo rules, refer to the Knowledge base article: Using Deep
Discovery Inspector (DDI) demo rules to validate monitored traffic.
Packet Capturing
You can additionally perform packet capturing to verify that Deep Discovery Inspector is able to
intercept traffic on a particular network interface. To start packet capturing on a network interface,
you will need to click the Network Traffic Dump link that is located at the bottom of the Network
Interface page that is shown above.
Clicking the Network Traffic Dump link will open a connection to the Deep Discovery Inspector
troubleshooting portal (https://DDI_IP/html/troubleshooting.htm) where the following
Network Traffic Dump screen displays:
Select the port/network interface that you wish to test then click Capture Packets.
Allow the capture to run for a pre-determined amount of time, then stop the packet capture on the
network interface by clicking Stop.
Once the Network Traffic Dump is stopped, the following links will be provided for viewing, exporting
or resetting the packet capture:
Clicking View from the above window, displays the Packet Capture Analysis window.
From here you can select what specific information you would like to see from the packet capture,
without having to filter through the entire network packet dump. You should ensure that the Deep
Discovery Inspector is able to see TCP conversations as follows:
You can additionally Export the packet capture and view the collected results in Wireshark.
If there is a network problem, you will be able to further investigate this by viewing the status of the
Deep Discovery Inspector component updates page in the web console. Go to Administration >
Updates as follows.
Deep Discovery Inspector will regularly (automatically) check for the latest available component
updates. If there is no Internet connection available, or if the Proxy settings have not been
configured correctly as described earlier, a red message is displayed as follows:
In this case, you should also check your network’s firewall settings to ensure Deep Discovery
Inspector has proper Internet access.
In addition to checking Deep Discovery Inspector’s ability to perform automatic updates, you can try
forcing a manual update to verify proper network connectivity.
If the network settings have been correctly configured for the Deep Discovery Inspector, the manual
update displays a list of updated components similar to the following:
To verify if the Advanced Threat Scan Engine (ATSE) within Deep Discovery Inspector is working
correctly, you can perform the following steps on any host that is in a Deep Discovery Inspector
monitored network.
1 Open a web browser and connect to www.eicar.org.
2 Download eicar.com from the http download area as shown below.
3 Save the file to a temp folder, but do not run it as this can harm your computer.
Note: This testing page from Trend Micro Coretech is not dangerous.
2 Examine the Detection Name and other details. You can click View in Threat Connect to examine
the information that is provided.
Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*
Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.
Threat at a Glance
The Threats at a Glance widget in the web console Dashboard shows actionable information that
administrators can use to gain visibility into attack and threat activity on their networks.
For example, clicking on any of the hyper-linked numbers shown in the top row of Threats at a Glance
(Targeted attack, C&C communication, and Lateral movement), will redirect you to the Affected hosts
view of the detection events where you can drill down for more information about these detections.
Alternatively, by clicking on any of the hyper-linked numbers shown in the second row of Threats at a
Glance (Ransomware, Potential threats, and Email threats), you will be automatically redirected to
the Detection log view in the web console under Detections > All Detections.
The different log queries that can be performed include the following:
• Affected Hosts: Provides a view of all hosts that have been involved in one or more phases of a
targeted attack
• Hosts with Notable Event Detections: Identifies the hosts with C&C callback attempts, suspicious
object matches, and deny list matches
• C&C Callback Addresses: Shows hosts with C&C callback attempts to known C&C addresses
• Suspicious Objects: Identifies hosts with suspicious objects identified by Virtual Analyzer/Deep
Discovery Analyzer or synchronized from an external source
• RetroScan: Historical web access logs for callback attempts to C&C servers and other related
activities
• All Detections: View of hosts with detections from all event logs, including global intelligence,
user-defined lists, and other sources
For each log query, there will be different details and pieces of information that can be used for analyzing
detected threats.
For example:
• Interested Host: Shows the IP/hostname of the compromised host
• Peer Host: Shows the IP/hostname of the C&C server or the source of the threat
• Threat Description: Description of threat detection (the threat name or rule name)
• Detected by: Engine name
• Detection Type: Malicious, Suspicious etc.
• Detection Severity (or Host Severity if viewing Affected Hosts display)
• Attack Phase: C&C Communication, Unknown etc.
• Protocol: SMTP, HTTP etc.
• Recipients, Sender, Email Subject…
Administrators and Security Officers can view information about hosts and events (threat behaviors with
potential security risks, known threats, or malware) for the past 1 hour, 24-hour, 7-day, and 30-day time
periods, or for a custom time range.
Note: It is good practice to sort detections by highest host severity (most critical) level first as this
shows you the most vulnerable hosts. This allows you to appropriately prioritize and quickly
implement related threat response policies for these hosts.
By default, the Affected Hosts screen displays the detections with severity values greater than or
equal to Low and a time period set to Past 24 hours.
You can filter this list easily using several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search
Detection Severity
You should filter on the High Only severity. As indicated below there are four options for
detection severity setting. Drag the slider to set the detection severity level. A tool tip appears
when the mouse hovers over the severity level.
All
Low
Medium
High only
Time Period
To prevent the query from timing out, the console sends the query request to the back-end in
batch processing. The queried period of each request is 12 hours. The status bar will disappear
when the query is complete.
Customize Columns
The display of information on the All Detections screen is customizable. The columns may be
shown, hidden, and sorted. In addition, the width of the columns can be adjusted.
Hovering over a column value with the mouse pointer opens a tool tip displaying
the full value of the column field.
Basic Search
To run a basic search, type an IP address or host name in the search text box and press “Enter”
or click the magnifying glass icon to proceed.
The basic search supports a case-insensitive keyword as a partial match to an IP address or host
name, as well as a search without any keyword. The search attempts to match the IP or host
name to the Interested Host.
The maximum length for the text box is 255 characters, and basic searches cannot be saved.
Advanced Search
To create and apply an advanced search filter, click the Advanced link, click the down arrow to
display the list of attributes, and select an attribute to use as a filter.
Affected Hosts filters by Host Name, IP, MAC Address, Network Group, Notable Events, or
Registered Services. Click the Search button to start the search. The search criteria will be
displayed in the Filter summary. Click the Cancel button to exit the Advanced search.
Note: In every search and filter case, the resulting list is ordered by Host Severity, highest first, so
the most vulnerable hosts are visible immediately and can be prioritized and responded to first.
This opens a new browser window displaying details for that host. By default, the screen displays the
detections for the selected affected host, based on severity, and time period. The listed events are
ordered by timestamp.
Multiple events can be marked as Resolved after the Incident Response process has occurred.
From the Host Details screen, you can also expand one of the events listed for that affected host by
clicking the icon listed under the Details column.
Detection Information
Information provided in the Detection Information section includes some of the following. Note
that this is not a complete list. Additional information may appear for specific correlated
incidents.
Connection Summary
Protocol Information
The Protocol Information section includes fields such as Bot command, Bot URL, Domain name,
HTTP Referer, Protocol, Queried domain and Recipients.
Information provided in the File Information section may include the following:
• File name
• File SHA-1
• File SHA-256
• File size
Additional Information
Information provided in the Additional Information section may include the following:
• Attempted to disrupt connection
• Detected by
• Mitigation
• VLAN ID
From the Detection Details page, you can additionally select the tab View in Threat Connect located
at the top of the page to leverage Trend Micro Threat Connect information.
For example, after selecting the tab View in Threat Connect from the above screen, the following
page appears with correlated threat data from the Trend Micro Global Intelligence Network.
This information is useful for better understanding the threats affecting your environment and
provides the remediation steps that you can take to resolve them.
The All Detections page displays a list of hosts and events with information from the following log
types:
• Threats: as determined by NCCE rules
• Disruptive Applications: as defined by the administrator
• Malicious URLs: as determined by the Web Reputation Service
• Correlated Incidents
The All Detections list can be customized and filtered by several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search
Note: By default, the All Detections page displays detections with a severity of Low or higher and the
time period “Past 24 hours”.
The All Detections list columns can be customized just as we saw earlier with the Affected Hosts
view.
In addition, hovering over a value with the mouse will open a tool-tip with the full field value.
As indicated below, Filter displays the criteria used by the search query.
The advanced search filters can be accessed by clicking the Advanced link. Each filter is
described below.
• Host Information filters the Host Name, IP, MAC Address, Network Group, and Registered
Services by the Source, Destination and Interested host information.
• Network Traffic Information filters by the protocol and direction of the detection.
• Detection Information filters by basic information about the detection.
• Detection Characteristics filters by C&C detection sources and to identify which detections
have been analyzed by the Virtual Analyzer.
• Detected Object filters by information about the detected object.
Note: Up to 20 filters can be used for each search, and searches can be saved.
Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat (category
continued from the preceding rows):
• Evidence of running IRC, TOR, or outbound tunneling software (final example of the preceding,
higher severity level)
Host severity 2: Host may exhibit the following:
• A low severity network event
• Evidence of receiving an email message that contains a dangerous URL
• A downloaded file rated as low risk by Virtual Analyzer
Trivial: Host exhibits normal behavior that may be benign or indicate a threat in future
identification of malicious activities
Host severity 1: Host may exhibit the following:
• An informational severity network event
• Connection to a site rated as untested or to a new domain detected by Web Reputation Services
• Evidence of a running disruptive application such as P2P
Host severity is based on the aggregation and correlation of the severity of the events that
affect a host. If several events affect a host and have no detected correlation, the host
severity will be based on the highest event severity of those events. However, if the events
have a detected correlation, the host severity level will increase accordingly.
For example: Of five events affecting a host, the highest risk level is moderate. If the events
have no correlation, the host severity level will be based on the moderate risk level of that
event. However, if the events are correlated, then the host severity level will increase based
on the detected correlation.
Note: The host severity scale consolidates threat information from multiple detection technologies and
simplifies the interpretation of overall severity.
You can prioritize your response actions based on this information and your related threat
response policies.
In general, the severity of each single event (information, low, medium, high) maps to host
severity 1, 2, 4 or 8 respectively.
The host severity is the maximum severity among all events detected during a user-specified
time frame.
Host severity levels 6, 7 and 9 are exceptions: they are not directly mapped to an event severity.
Note: Host severity levels 3, 5 and 10 are currently reserved; there are no event mapping rules for
these three levels at this time.
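The mapping and maximum rule above, worked through in code. This is an added example, not part of the Trend Micro course material or the product: the events are constructed, and because the lesson only says that correlated events make the host severity "increase accordingly", the uplift rule used here (step to the next non-reserved level) is an assumption made for the example.

```python
from datetime import datetime, timedelta

# Event severity -> host severity mapping stated in the lesson (information/low/medium/high -> 1/2/4/8).
EVENT_TO_HOST = {"information": 1, "low": 2, "medium": 4, "high": 8}
# Host severity levels with no event mapping rule: 3, 5 and 10 are reserved; 6, 7 and 9 are
# not mapped directly to an event severity.
RESERVED = {3, 5, 10}
MAX_LEVEL = 10


def next_assigned_level(level):
    """Hypothetical uplift for correlated events: move to the next level that is not reserved.

    The lesson only says the host severity 'will increase accordingly'; this one-step rule is
    an assumption made for the example, not the product's actual correlation logic.
    """
    candidate = level + 1
    while candidate in RESERVED:
        candidate += 1
    return candidate if candidate <= MAX_LEVEL else level


def host_severity(events, now, window_hours=24, correlated=False):
    """Host severity for the events that fall inside the look-back window.

    events: iterable of dicts with 'ts' (datetime) and 'severity' (event severity string).
    Without a detected correlation the host severity is the highest mapped event severity;
    with one, the hypothetical uplift above is applied.
    """
    window = timedelta(hours=window_hours)
    recent = [e for e in events if timedelta(0) <= now - e["ts"] <= window]
    if not recent:
        return 0  # nothing detected in the window, so no host severity to report
    level = max(EVENT_TO_HOST[e["severity"].lower()] for e in recent)
    return next_assigned_level(level) if correlated else level


# Constructed sample: five events for one host, the highest of which (inside 24 hours) is medium.
NOW = datetime(2024, 1, 10, 12, 0, 0)
SAMPLE_EVENTS = [
    {"ts": NOW - timedelta(hours=1), "severity": "information"},
    {"ts": NOW - timedelta(hours=2), "severity": "low"},
    {"ts": NOW - timedelta(hours=5), "severity": "medium"},
    {"ts": NOW - timedelta(hours=9), "severity": "low"},
    {"ts": NOW - timedelta(hours=30), "severity": "high"},  # outside the default 24-hour window
]

if __name__ == "__main__":
    print(host_severity(SAMPLE_EVENTS, NOW))                   # 4: highest in-window event is medium
    print(host_severity(SAMPLE_EVENTS, NOW, correlated=True))  # 6: uplift skips the reserved level 5
    print(host_severity(SAMPLE_EVENTS, NOW, window_hours=48))  # 8: the high event is now inside
```

Widening the window changes the answer, which is the practical reason the lesson stresses that host severity is tied to the time period you select on the Affected Hosts screen.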
The different values that can be displayed for the Attack Phase classifications are summarized below:
• Intelligence Gathering (IG): Identify and research target individuals using public sources (for
example, social media websites) and prepare a customized attack
• Point of Entry (PoE): An initial compromise, typically from zero-day malware delivered via
social engineering (email/IM or drive-by download). A backdoor is created and the network
can now be infiltrated. Alternatively, a website exploitation or direct network hack may be
employed.
• Command & Control (C&C) Communication: Communications used throughout an attack to
instruct and control the malware used. C&C communication allows the attacker to exploit
compromised machines, move laterally within the network, and exfiltrate data.
• Lateral Movement (LM): An attack that compromises additional machines. Once inside the
network, an attacker can harvest credentials, escalate privilege levels, and maintain
persistent control beyond the initial target.
• Asset/Data Discovery (AD): Several techniques (for example, port scanning) used to identify
noteworthy servers and services that house data of interest
• Data Exfiltration (DE): Unauthorized data transmission to external locations. Once sensitive
information is gathered, the data is funneled to an internal staging server where it is
chunked, compressed, and often encrypted for transmission to external locations under an
attacker’s control.
• Unknown Attack Phase: Detection is triggered by a rule that is not associated with an attack
phase.
You can look at this field for clues on how Deep Discovery Inspector categorized the threat detection.
Provided below are some examples of different detections that can exist.
Shown below are the detection details for a “Known Threat”. Here we can see the following key
information about the threat: Detection Severity (medium), Detection Name (TROJ_...), Detection
Type (Malicious Content) etc.
From the information provided, we also know that this detection was not sent to the Virtual
Analyzer for further analysis because, in this case, we are dealing with a KNOWN threat that was
detected by the Deep Discovery Inspector Advanced Threat Scan Engine (ATSE).
Although a setting is available in DDI to force all ATSE detections to be sent to the Virtual
Analyzer, this is not typically recommended. By default, this configuration option is disabled.
Here we can see the following key information about this event:
• Detection Name: NCIE / NCCE rulename
• Detected by: NCIE / NCCE
• Detection Severity: High
• Detection type: Malicious Behavior
• VA Information (SO information, VA risk level)
This time, because we are dealing with Suspicious Behavior, a VA report is attached. Here Deep
Discovery Inspector was able to identify the malware as Troj.Win32...; however, this field can also
show a malware name of the form VAN_XXXX, which will be discussed in more detail later.
Events that can trigger Suspicious Behavior detections include the following:
• Archive contains file with script file extension
• Archive Upload
• CPL File Transfer detected
• DNS response from a shared public IRC Command and Control domain
• Email Attachment is an executable file
• Email from phished domain contains URL with hard-coded IP address
• Executable with suspicious file name requested
• File was analyzed by Virtual Analyzer
• Many unsuccessful login attempts
• Possible Self-Signed SSL certificate detected
• Pseudo random Domain name query
• SQL Dump File Upload
• Suspicious packed executable file
Threat descriptions that can be displayed for Malicious URL threats include:
• C&C Server URL request
• Malicious URL request, Malicious URL in email
• Ransomware URL request, Ransomware URL in email
• Untested URL request, Untested URL in email
• New domain URL request, New domain URL in email
Suspicious objects can be viewed from the Deep Discovery Inspector web console under Detections >
Suspicious Objects.
Entries in the Suspicious Objects list automatically expire after 30 days (set by the Virtual Analyzer) and
are then deleted from the database.
An administrator can optionally move Suspicious object entries to the Deep Discovery Inspector Deny or
Allow List as needed. Deep Discovery Inspector detection modules use the Deny and Allow List for
detection and to match or bypass scanning rules.
The NCIE and NCIT modules implement the TCP Reset or DNS Spoofing action for the Deny List.
Note: Any time changes are made to the Deny/Allow, you will need to click the “reload” button so that
the changes take effect.
Deny List
For Virtual Analysis, you can add malicious objects to the Deny List with the following attributes:
• Type: File, IP address, URL or Domain
• SHA-1: entered manually or obtained from a file upload (maximum file size is 15 MB)
Examples of when you may need to move Suspicious Object entries to the Deny List include:
• Need to block entities
• Need to receive detection notifications
• Need to reuse Virtual Analyzer feedback items even if they expire
• Need to focus on related detections
Allow List
For Virtual Analysis, you can skip over some malicious behaviors by adding them here.
• Type
- File / IP / Domain / URL / SHA1
• For NCIP, skip black list
• For NCCE, skip some rule detections
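The lifecycle described above (a Suspicious Object expiring after 30 days, an operator promoting it to the Deny List so it keeps working, or to the Allow List so scanning is bypassed) as an added example. This is not product code and the evaluation order it uses (Allow List, then Deny List, then unexpired Suspicious Objects) is an assumption; the object values are constructed.

```python
from datetime import datetime, timedelta

SO_LIFETIME = timedelta(days=30)  # Suspicious Object entries expire after 30 days (set by Virtual Analyzer)


def day(n):
    """Constructed clock for the example: day n after an arbitrary epoch."""
    return datetime(2024, 1, 1) + timedelta(days=n)


class SuspiciousObjectLists:
    """Model of the Suspicious Objects list next to the Deny and Allow lists.

    Objects are keyed by (type, value) where type is 'file' (SHA-1), 'ip', 'url' or 'domain',
    matching the entry types the lesson lists for the Deny List.
    """

    def __init__(self):
        self.suspicious = {}  # (type, value) -> {"risk": ..., "expires": datetime}
        self.deny = set()
        self.allow = set()

    @staticmethod
    def _key(obj_type, value):
        return (obj_type.lower(), value.strip().lower())

    def add_suspicious(self, obj_type, value, risk, seen_at):
        """Record a Virtual Analyzer feedback item together with its 30-day expiry."""
        self.suspicious[self._key(obj_type, value)] = {"risk": risk, "expires": seen_at + SO_LIFETIME}

    def purge_expired(self, now):
        """Delete entries whose lifetime has passed (the automatic expiry); returns the count removed."""
        expired = [k for k, v in self.suspicious.items() if v["expires"] <= now]
        for k in expired:
            del self.suspicious[k]
        return len(expired)

    def move_to_deny(self, obj_type, value):
        """Promote an entry to the Deny List so it keeps working after the Suspicious Object expires."""
        self.deny.add(self._key(obj_type, value))

    def move_to_allow(self, obj_type, value):
        """Put an entry on the Allow List so scanning rules are bypassed for it."""
        self.allow.add(self._key(obj_type, value))

    def decide(self, obj_type, value, now):
        """Evaluation order assumed for this example (the lesson does not spell it out):
        Allow List -> 'bypass'; Deny List -> 'block' (the TCP Reset / DNS Spoofing action);
        unexpired Suspicious Object -> 'detect:<risk>'; anything else -> 'scan'."""
        key = self._key(obj_type, value)
        if key in self.allow:
            return "bypass"
        if key in self.deny:
            return "block"
        entry = self.suspicious.get(key)
        if entry is not None and entry["expires"] > now:
            return "detect:" + entry["risk"]
        return "scan"


def run_scenario():
    """Walk one constructed domain object through the lifecycle; returns the decisions in order."""
    lists = SuspiciousObjectLists()
    lists.add_suspicious("domain", "malicious.invalid", "high", day(0))  # constructed, reserved TLD
    results = {
        "day10_as_suspicious_object": lists.decide("domain", "malicious.invalid", day(10)),
        "day31_after_expiry": lists.decide("domain", "malicious.invalid", day(31)),
        "expired_entries_purged": lists.purge_expired(day(31)),
    }
    lists.move_to_deny("domain", "malicious.invalid")   # operator chose to keep blocking it
    results["day31_on_deny_list"] = lists.decide("domain", "MALICIOUS.invalid", day(31))
    lists.move_to_allow("domain", "malicious.invalid")  # Allow List wins over the Deny List here
    results["day31_on_allow_list"] = lists.decide("domain", "malicious.invalid", day(31))
    results["unknown_object"] = lists.decide("ip", "192.0.2.10", day(31))  # documentation-range address
    return results
```

The "day31_after_expiry" result is the case the lesson warns about: once the Virtual Analyzer feedback item expires, nothing blocks the object any more unless it was moved to the Deny List beforehand.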
SHA1
• Risk is based on overall sample rating
URL
• Use WRS rating (if exists)
• URLs used in the following scenarios will get the risk level of the sample:
- Executable Downloaded
- Download file is renamed
- Downloaded web content contains malicious content
IP
• If in WRS database: use WRS rating
• If in NCCP C&C list: use assigned rating
• IPs used in the following scenarios will get the following risk level:
- Download executable -> High Risk
- Renamed executable -> High Risk
- Established network connection -> Medium Risk
- Web content contains malicious code -> High Risk
- Public IP address in modified IP address -> High Risk
- Establishes uncommon connection -> Medium Risk
- Open IRC channel -> High Risk
Domain
• Domain name of queried DNS Server -> Medium Risk
To view the affected hosts in the C&C Callback detections, you can click the number icon shown above.
IP/Domain
• Example: www.fakesite.com, 202.1.1.1
IP/Domain + Port
• Example: 202.1.1.1:8000
URL
• Example: http://www.fakesite.com/path/somefile
Email account
• Example: test@fakehost.com
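A small validator for the four entry formats listed above (IP/Domain, IP/Domain + Port, URL, Email account), added here as an example and not taken from the product. It assumes the formats are exactly as shown; the sample entries reuse the fictitious values from the lesson plus one deliberately malformed line so the rejection path is exercised.

```python
import re
from ipaddress import ip_address

# Constructed sample entries in the four formats the lesson lists; the values are fictitious.
SAMPLE_ENTRIES = [
    "www.fakesite.com",
    "202.1.1.1",
    "202.1.1.1:8000",
    "http://www.fakesite.com/path/somefile",
    "test@fakehost.com",
    "not a valid entry",
]

# Hostname labels: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen, at least one dot.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")
EMAIL_RE = re.compile(r"^[^@\s]+@([^@\s]+)$")
URL_RE = re.compile(r"^(https?)://([^/:\s]+)(?::(\d{1,5}))?(/\S*)?$")


def is_ip(text):
    """True for a syntactically valid IPv4 or IPv6 address."""
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def is_host(text):
    return is_ip(text) or DOMAIN_RE.match(text) is not None


def classify_entry(entry):
    """Return (kind, fields) for one C&C list entry.

    kind is 'url', 'email', 'host_port', 'host' or 'invalid'; fields holds the parsed parts.
    """
    entry = entry.strip()
    m = URL_RE.match(entry)
    if m:
        scheme, host, port, path = m.groups()
        if is_host(host):
            return "url", {"scheme": scheme, "host": host.lower(),
                           "port": int(port) if port else None, "path": path or "/"}
        return "invalid", {}
    m = EMAIL_RE.match(entry)
    if m and DOMAIN_RE.match(m.group(1)):
        return "email", {"account": entry.lower()}
    host, sep, port = entry.rpartition(":")
    if sep and port.isdigit() and 0 < int(port) <= 65535 and is_host(host):
        return "host_port", {"host": host.lower(), "port": int(port)}
    if is_ip(entry):
        return "host", {"host": entry, "address_type": "ip"}
    if DOMAIN_RE.match(entry):
        return "host", {"host": entry.lower(), "address_type": "domain"}
    return "invalid", {}


def classify_entries(entries):
    """Classify a whole list; invalid entries are kept so the operator can see what was rejected."""
    return {e: classify_entry(e) for e in entries}
```

Checking the port range and the hostname syntax before an entry is accepted is what keeps a typo (for example a port above 65535) from silently producing a list entry that never matches anything.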
The Virtual Analyzer cache prevents re-submission of samples by checking whether the same sample
was already processed within an acceptable period (24 hours by default).
The 24-hour default for cached files also ensures that, when new patterns become available (which
occurs daily), ATSE together with the other engines and patterns will be able to catch a D-day event
within a day (for example, D-day plus 1) of receiving the latest engine/pattern updates.
When the Virtual Analyzer receives a file submission that was processed within the acceptable
period, the cached result is presented to the web console user.
For advanced configurations, contact your Trend Micro technical support representative if the
default values are not sufficient.
Analysis reports for detections made by Deep Discovery Inspector have a maximum waiting period of
20 minutes by default. In advanced configurations, this waiting period (the VA Queue Timeout
setting) can be configured so that Deep Discovery Inspector waits for the complete Virtual Analyzer
result. While it waits, the detection is not reported until the result arrives or the timeout period
elapses. If the VA Queue Timeout elapses before the analysis result can be provided, Deep Discovery
Inspector publishes the analysis report that is currently in its queue. The queue itself can be
checked using the following Virtual Analyzer widget from the Deep Discovery Inspector web console:
Also, by clicking Remove Files from Queue, you can instruct Deep Discovery Inspector to publish all of
the detection logs currently in the queue without waiting for the analysis result. This can be used in
the event that the Deep Discovery Inspector queue is too large or overloaded.
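The two mechanisms just described, the SHA-1 keyed result cache with its 24-hour acceptable period and the detection queue with its 20-minute VA Queue Timeout (including the Remove Files from Queue action), modelled together as an added example. This is not product code: the samples, hosts and verdicts are constructed, and the internal data structures are assumptions.

```python
import hashlib
from datetime import datetime, timedelta

CACHE_PERIOD = timedelta(hours=24)        # default acceptable period for a cached Virtual Analyzer result
VA_QUEUE_TIMEOUT = timedelta(minutes=20)  # default maximum wait for an analysis report


def sha1_of(data):
    """Samples are identified by their SHA-1, as the submitting products do."""
    return hashlib.sha1(data).hexdigest()


class VirtualAnalyzerCache:
    """Result cache keyed by SHA-1; a hit inside the acceptable period suppresses re-submission."""

    def __init__(self, period=CACHE_PERIOD):
        self.period = period
        self.entries = {}  # sha1 -> (result, analyzed_at)

    def lookup(self, sha1, now):
        hit = self.entries.get(sha1)
        if hit is not None and now - hit[1] <= self.period:
            return hit[0]
        return None  # unknown or stale: the sample must be analyzed again

    def store(self, sha1, result, now):
        self.entries[sha1] = (result, now)


class DetectionQueue:
    """Detections waiting for a Virtual Analyzer verdict before their log is published."""

    def __init__(self, timeout=VA_QUEUE_TIMEOUT):
        self.timeout = timeout
        self.pending = {}   # sha1 -> (detection, deadline)
        self.published = []

    def submit(self, sha1, detection, now):
        self.pending[sha1] = (detection, now + self.timeout)

    def _publish(self, sha1, result, now):
        detection, _ = self.pending.pop(sha1)
        self.published.append({**detection, "va_result": result, "published_at": now})

    def deliver_result(self, sha1, result, now):
        """The verdict arrived in time: publish the detection together with its report."""
        self._publish(sha1, result, now)

    def poll(self, now):
        """Publish every detection whose VA Queue Timeout has elapsed, without a verdict; returns the count."""
        expired = [s for s, (_, deadline) in self.pending.items() if deadline <= now]
        for s in expired:
            self._publish(s, None, now)
        return len(expired)

    def remove_files_from_queue(self, now):
        """The 'Remove Files from Queue' action: publish everything still pending, right now."""
        count = len(self.pending)
        for s in list(self.pending):
            self._publish(s, None, now)
        return count


def run_scenario():
    """Drive two constructed samples through the cache and the queue; returns the observations."""
    t0 = datetime(2024, 1, 10, 9, 0, 0)
    slow = sha1_of(b"constructed sample A: verdict arrives late")
    fast = sha1_of(b"constructed sample B: verdict arrives in time")
    cache, queue, out = VirtualAnalyzerCache(), DetectionQueue(), {}

    out["first_lookup"] = cache.lookup(slow, t0)                          # None: never analyzed
    queue.submit(slow, {"host": "192.0.2.5", "sha1": slow}, t0)           # documentation-range address
    queue.submit(fast, {"host": "192.0.2.6", "sha1": fast}, t0)
    queue.deliver_result(fast, "low risk", t0 + timedelta(minutes=5))
    out["timed_out_at_10min"] = queue.poll(t0 + timedelta(minutes=10))    # 0: still inside the 20 minutes
    out["timed_out_at_21min"] = queue.poll(t0 + timedelta(minutes=21))    # 1: published without a verdict
    cache.store(slow, "high risk", t0 + timedelta(minutes=25))            # the late verdict finally lands
    out["lookup_same_day"] = cache.lookup(slow, t0 + timedelta(hours=23))  # 'high risk' from the cache
    out["lookup_next_day"] = cache.lookup(slow, t0 + timedelta(hours=25))  # None: re-analyze (D-day + 1)
    queue.submit(slow, {"host": "192.0.2.7", "sha1": slow}, t0 + timedelta(hours=25))
    out["flushed"] = queue.remove_files_from_queue(t0 + timedelta(hours=25, minutes=1))  # 1
    out["published_without_verdict"] = sum(1 for p in queue.published if p["va_result"] is None)  # 2
    out["published_total"] = len(queue.published)  # 3
    return out
```

The "lookup_next_day" miss is the intended behaviour: a sample seen again after the acceptable period is analysed afresh, so a verdict produced with yesterday's patterns does not stick to it indefinitely.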
The custom sandboxing environments that can be created within Deep Discovery Analyzer precisely
match target desktop software configurations — resulting in more accurate detections and fewer false
positives.
Deep Discovery Analyzer supports integration with Trend Micro email and web security products, and can
also be used to augment or centralize the sandbox analysis of other products. Deep Discovery Analyzer
also provides a Web Services API to allow integration with any third-party product, and a manual
submission feature for threat research.
Note: Previously, the functions of the Deep Discovery Inspector internal Virtual Analyzer for analyzing
and detecting threats were discussed. This lesson will cover the use and functionality of Deep
Discovery Analyzer as a standalone or external Virtual Analyzer.
Deep Discovery Analyzer uses XGen security, a blend of cross-generational techniques, to ensure the
highest threat detection rate with the lowest false positives.
Key Features
Some key features of Deep Discovery Analyzer include:
• Sandboxing as a Centralized Service: Deep Discovery Analyzer ensures optimized
performance with a scalable solution able to keep pace with email, network, endpoint, and
any additional source of samples.
• Custom Sandboxing: Deep Discovery Analyzer performs sandbox simulation and analysis in
environments that match the desktop software configurations attackers expect in your
environment and ensures optimal detection with low false-positive rates.
• Broad File Analysis Range: Deep Discovery Analyzer examines a wide range of Windows
executable, Microsoft Office, PDF, web content, and compressed file types using multiple
detection engines and sandboxing.
• YARA Rules: Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules are
malware detection patterns that are fully customizable to identify targeted attacks and
security threats specific to your environment.
• Document Exploit Detection: Using specialized detection and sandboxing, Deep Discovery
Analyzer discovers malware and exploits that are often delivered in common office
documents and other file formats.
• Automatic URL Analysis: Deep Discovery Analyzer performs page scanning and sandbox
analysis of URLs that are automatically submitted by integrating products.
• Detailed Reporting: Deep Discovery Analyzer delivers full analysis results including detailed
sample activities and C&C communications via central dashboards and reports.
• Alert Notifications: Alert notifications provide immediate intelligence about the state of Deep
Discovery Analyzer.
• Clustered Deployment: Multiple standalone Deep Discovery Analyzer appliances can be
deployed and configured to form a cluster that provides fault tolerance, improved
performance, or a combination thereof.
• Trend Micro Integration: Deep Discovery Analyzer enables out-of-the-box integration to
expand the sandboxing capacity of Trend Micro email and web security products.
• Web Services API and Manual Submission: Deep Discovery Analyzer allows any security
product or authorized threat researcher to submit samples.
• Custom Defense Integration: Deep Discovery Analyzer shares new IOC detection intelligence
automatically with other Trend Micro solutions and third-party security products.
• ICAP Integration: DDAN supports integration with Internet Content Adaptation Protocol
(ICAP) clients. DDAN can function as an ICAP server that analyzes samples submitted by
ICAP clients, and it can serve User Configuration Pages to the end user when the specified
network behavior (URL access, file upload or file download) is blocked. With ICAP
integration, DDAN can also control which ICAP clients may submit samples by configuring the
ICAP Client list.
Note: For a complete list of hardware specifications you can refer to the online version of the Deep
Discovery Analyzer Data Sheet.
Note: If using high availability, one cable connects eth3 to eth3 on an identical Deep Discovery Analyzer
appliance.
Network Requirements
Deep Discovery Analyzer requires a connection to a management network, which usually is the
organization’s intranet. The management network is where Deep Discovery Analyzer communicates
with Control Manager and the other Trend Micro products that submit samples and receive
Suspicious Objects and Analysis Results from Deep Discovery Analyzer. After deployment,
administrators can perform configuration tasks from any computer on the management network.
Although Deep Discovery Analyzer requires only one network connection, to the management
network, it is highly recommended to create a separate custom network environment that
provides Internet access to the sandbox environments but is isolated from the rest of the
management network. This ensures that the Virtual Analyzer can observe the activities a
sample performs when it attempts to connect to the Internet, while at the same time
preventing malware from spreading into the management network.
Custom networks are ideally connected to the Internet but may be configured with their own
proxy settings, proxy authentication, and connection restrictions. Deep Discovery Analyzer provides
the option to configure proxies for custom networks, as well as support for proxy
authentication.
Ports Used
The following table shows the ports that are used with Deep Discovery Analyzer and what they are used
for.
During analysis, Virtual Analyzer rates these characteristics in context and then assigns a risk level to the
object based on the accumulated ratings. Shown below are the characteristics included for each
category. Deep Discovery Analyzer performs analysis on each sample searching for these common
malware characteristics and suspicious activities.
When submitting samples to Deep Discovery Analyzer, Trend Micro products generate a SHA-1
hash value to identify the sample. Deep Discovery Analyzer uses this SHA-1 hash to uniquely
identify the sample.
Samples which have the same SHA-1 hash value as previously analyzed samples are not
re-analyzed by Deep Discovery Analyzer.
• Bait Processes:
- Fake AVs: Copies fake AV bait files to specific directories
- Fake Explorer: A fake Windows Explorer process used for launching malicious DLLs
- Fake Server: Part of the network emulation facility that provides FTP, IRC and SMTP
server emulation
- Fake Web Server: Part of the network emulation facility that provides HTTP and
HTTPS emulation. This enables many trojans, downloaders and worms that need to connect
to web servers to run.
If a connection to a requested server is not currently available, the request is redirected to the
Fake Server or Fake Web Server. These fake servers return fake responses to requests in the
hope of making the malware continue to execute and trigger more behavior; the Fake Server
provides a simple response when it receives a request.
• Bait Files: Bait document files are copied to the removable devices before each sample is
executed, to attract malware that infects removable devices.
Docode Scanner
Script-based exploits are widely used by malicious documents; because they are normally
obfuscated, they easily evade static signature-based solutions.
Dynamic emulation allows Inspector to simulate the execution of a script in order to study its
behavior. These behaviors may include heap spray techniques, return-oriented programming (ROP),
function calls with specific parameters for a specific CVE, and any other anomalous usage.
Dynamic analysis is necessary because an exploit might not trigger if it is not in, or does not
detect, the right environment, or if it believes it is being analyzed.
Deep Discovery Analyzer performs both Behavior Analysis and Dynamic Emulation for
documents.
The Docode Scanner is the command-line tool used to scan and detect document exploit files
(PDF, Flash, Java and Office files) using JavaScript and shellcode emulation.
The Heuristics Engine uses dynamic emulation and rule-based decisions:
• Dynamic behavior
- Fingerprint of CVE & Exploit Kits
- Runtime characteristics (Method calls, sequence, call stack, parameters)
- Packer
- Heap spray
• Static info
- Script characteristics
- Script semantics
- Format
ATSE focuses on heuristic static analysis (for best performance, 100ms/file) and the Script Analyzer
focuses on dynamic behavioral analysis.
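Why obfuscated scripts defeat static signatures while emulation does not, shown on a constructed snippet. This is an added example, not the Docode Scanner or any Trend Micro engine: it is a deliberately tiny emulator that only resolves string literals, `String.fromCharCode(...)` calls and variable references joined by `+`, and the indicator strings it searches for are constructed for the example.

```python
import re

# Constructed indicator strings: what a plain static signature would search for in a script.
INDICATORS = ("unescape", "eval")

STRING_LIT = r"\"[^\"]*\"|'[^']*'"
ASSIGN_RE = re.compile(r"var\s+([A-Za-z_]\w*)\s*=\s*([^;]+);")
TERM_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)|(" + STRING_LIT + r")|([A-Za-z_]\w*)")


def eval_expr(expr, env):
    """Resolve a concatenation of string literals, String.fromCharCode(...) calls and
    previously resolved variables to a constant string; None when anything else appears."""
    pieces, pos = [], 0
    for m in TERM_RE.finditer(expr):
        glue = expr[pos:m.start()].strip()
        if glue not in ("", "+"):
            return None  # an operator or call this mini emulator does not model
        if m.group(1):                                   # String.fromCharCode(117, 110, ...)
            pieces.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
        elif m.group(2):                                 # quoted literal
            pieces.append(m.group(2)[1:-1])
        else:                                            # reference to an earlier variable
            value = env.get(m.group(3))
            if value is None:
                return None
            pieces.append(value)
        pos = m.end()
    if expr[pos:].strip():
        return None
    return "".join(pieces)


def emulate_strings(script):
    """Walk the 'var name = expr;' statements in order, building up the constant strings."""
    env = {}
    for name, expr in ASSIGN_RE.findall(script):
        env[name] = eval_expr(expr.strip(), env)
    return env


def static_hits(script):
    """Indicators visible in the raw script text (what signature matching sees)."""
    return sorted(i for i in INDICATORS if i in script)


def emulated_hits(script):
    """Indicators visible only after the string-building code has been emulated."""
    values = [v for v in emulate_strings(script).values() if v is not None]
    return sorted(i for i in INDICATORS if any(i in v for v in values))


# Constructed sample: the function names are assembled at run time, so they never appear literally.
SAMPLE_SCRIPT = """
var a = "une" + String.fromCharCode(115, 99, 97, 112, 101);
var b = 'ev' + 'al';
var c = a + b;
var d = something_unknown();
"""
```

The raw text produces no static hits at all, while the emulated values expose both names. A real script emulator additionally has to cope with the environment checks the lesson mentions (the exploit refusing to run when it believes it is being analyzed), which is why the production engines emulate behaviour rather than just constant strings.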
• Calculate the submitted sample's overall rating based on the Virtual Analysis results and the
events generated after submission
• Perform an Email Reputation Service (ERS) query to identify dial-up IP addresses
• Check whether the IP addresses, domains and URLs are in the Deep Discovery Inspector Deny List
and generate an event
4 Fill in the IPv4 address, subnet, gateway and DNS information, then select Save.
Once the required network settings have been configured for the Deep Discovery Analyzer as described
above, administrators will then be able to use the web console for setting up and managing Deep
Discovery Analyzer for use in their environment.
To log in to the Deep Discovery Analyzer web console, open a supported web browser and connect to:
https://<Appliance IP Address>/pages/login.php.
The Deep Discovery Analyzer web console supports the following web browsers.
Note: You can refer to the Deep Discovery Analyzer Online Help for additional information on
supported web browsers.
In the Login screen, enter the default user name admin and the password Admin1234!.
Note: You should change this password after logging into the Deep Discovery Analyzer web console for
the first time.
Once you have successfully logged in to the Deep Discovery Analyzer web console, you will be presented
with the Dashboard page where you can view various Deep Discovery Analyzer operational related
summaries using various widgets.
The widgets can be added or removed from your view as needed to any of the tabs shown which can also
be customized as required. Note that you can also adjust the layout of the tabs as needed to suit your
requirements.
Additionally, by clicking the System Status from the Dashboard view, you can view system status
information for the Deep Discovery Analyzer such as the Virtual Analyzer sandbox usage and status.
Another useful widget on this tab is Average Virtual Analyzer Processing Time, that allows
you to see the average Virtual Analyzer analysis time and the Total processing time for a
specified time period.
Listed below are the supported operating systems for virtual images imported into Deep Discovery
Analyzer:
• Windows XP (both 32-bit and 64-bit platform)
• Windows 7 (both 32-bit and 64-bit platform)
• Windows 8.1 (both 32-bit and 64-bit platform)
• Windows 8 (both 32-bit and 64-bit platform)
• Windows 10 1507/1511/1607/1703/1709 (both 32-bit and 64-bit platform)
• Windows Server 2003 (both 32-bit and 64-bit platform)
• Windows Server 2008 (both 32-bit and 64-bit platform)
• Windows Server 2012 or 2012R2 (64-bit platform)
• Windows Server 2016
The following sections will explore the various web console Virtual Analyzer > Sandbox Management
settings that are used for managing your custom Sandboxes in Deep Discovery Analyzer.
Note: Deep Discovery Analyzer allows a maximum of three Windows virtual images. Each Windows
virtual image can have several sandbox instances. However, the total number of sandbox
instances should not exceed 60 for the DDAN 1100/1200 model and 33 sandbox instances for the
DDAN 1000 model. Consult the Installation and Deployment guides for your specific
hardware to review the most up-to-date requirements and specifications.
A new image can be imported using any of the following sources: HTTP or FTP server and Network
Folder. For example, if you are importing a new image using the Source option HTTP or FTP server,
you will need to enter the image Name and URL location of your OVA image, then click Import.
Note: You can import multiple images at the same time. Additionally, if you have Python running on
your server, you can run the command python -m SimpleHTTPServer from your images
directory. This serves up the images via HTTP (using TCP port 8000).
Once the above import process successfully completes, the loaded image appears in the web console
as follows:
YARA Rules
The Virtual Analyzer uses YARA rules to identify malware. YARA rules are malware detection
patterns that are fully customizable to identify targeted attacks and security threats specific to your
environment. Deep Discovery Analyzer supports a maximum of 5,000 YARA rules regardless of the
number of YARA rule files.
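A pre-upload check for a set of YARA rule files, added here as an example (it is not a Trend Micro tool). It counts rule declarations across all files against the 5,000-rule limit stated above and flags rule identifiers declared twice, which YARA itself rejects when compiling; the rule files are constructed for the example and their rule names and patterns are fictitious.

```python
import re

MAX_YARA_RULES = 5000  # Deep Discovery Analyzer limit stated in the lesson, regardless of file count

# Block and line comments must not count as rules, so strip them first.
COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*", re.DOTALL)
# A rule declaration: optional 'private'/'global' modifiers, then 'rule <identifier>'.
RULE_RE = re.compile(r"^\s*(?:(?:private|global)\s+)*rule\s+([A-Za-z_][A-Za-z0-9_]*)", re.MULTILINE)


def strip_comments(text):
    return COMMENT_RE.sub("", text)


def rule_names(files):
    """Map each rule identifier to the list of files that declare it.

    files: dict of file name -> rule file text.
    """
    found = {}
    for fname, text in files.items():
        for m in RULE_RE.finditer(strip_comments(text)):
            found.setdefault(m.group(1), []).append(fname)
    return found


def check_rule_set(files, limit=MAX_YARA_RULES):
    """Return the total rule count, whether it fits the limit, and any duplicated identifiers."""
    names = rule_names(files)
    total = sum(len(v) for v in names.values())
    return {
        "total": total,
        "within_limit": total <= limit,
        "duplicates": {n: f for n, f in names.items() if len(f) > 1},
    }


# Constructed sample rule files (fictitious rules; not Trend Micro content).
SAMPLE_FILES = {
    "docexploit.yar": """
rule doc_js_unicode_escape_run
{
    meta:
        description = "constructed example: run of %u-encoded characters in embedded JavaScript"
    strings:
        $js = "/JavaScript" ascii
        $u = /%u[0-9a-fA-F]{4}(%u[0-9a-fA-F]{4}){3,}/
    condition:
        $js and $u
}

private rule helper_pdf_header
{
    strings:
        $h = "%PDF-"
    condition:
        $h at 0
}
""",
    "archive.yar": """
// rule old_disabled_rule { condition: false }
/* rule also_disabled { condition: false } */
rule helper_pdf_header
{
    condition: false
}
rule archive_contains_script
{
    strings:
        $ext = ".js" ascii nocase
    condition:
        $ext
}
""",
}
```

Running `check_rule_set(SAMPLE_FILES)` reports four rules and one duplicated identifier (`helper_pdf_header` appears in both files); the two commented-out declarations are correctly ignored.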
Click Add and configure the settings for the required YARA rules as follows:
Archive Passwords
In the Archive Passwords configuration, you can provide a list of passwords to be used by Virtual
Analyzer to extract files from a protected archive for analysis.
If however, you have enabled the option to allow external connections, you should use a dedicated
interface for malware connectivity by setting the Connection type to Custom and selecting the
correct network adapter. Note that Reporting will be more accurate with a live Internet Connection.
Smart Feedback
To set up automatic, anonymous sharing of threat detection information with the Trend Micro
Smart Protection Network (SPN), use the Smart Feedback tab as follows. It is important to note that
no personal or private data is uploaded to Trend Micro when this is enabled.
Cloud Sandbox
For MacOS X binary submissions, you will need to access the Cloud Sandbox tab.
Additionally, you can install any needed hot fixes or patches as follows. They must first be
uploaded before they can be installed. This update will NOT overwrite the current
configuration of the Deep Discovery Analyzer, and all data will be kept.
Additionally, you can select a scope option that defines which logs are to be sent to the Syslog server.
As of Deep Discovery Analyzer 6.x you now have the option to send System event logs and Alert
event logs to the Syslog server.
To exclude logs for unrated and no risk objects, select the option shown next to Exclusions.
Administrator
The administrator account has full control to the entire Deep Discovery Analyzer system and
all consoles. As such, this account should ONLY be assigned to individuals that have strict
requirements for this level of access.
Operator
The Operator role only has “Read Only” access to the Deep Discovery Analyzer web console.
This account can view product settings, and perform some limited actions which do not
modify the actual product settings including exporting and backup of configuration settings,
as well as modifying its own account information such as password. The Operator role also
does not have access to the RDQA page.
Investigator
Similar to the Operator role but also has the permissions to download the Investigation
Package.
From the Deep Discovery Analyzer web console, go to Administration > Accounts. Accounts can be
created, edited and deleted, as well as locked and unlocked.
Note: These user accounts can also be used with an integrated Trend Micro Control Manager or Apex
Central, to log in with the corresponding level of privileges.
The Contacts tab is used to provide contact information for any users that will need to receive
system notifications from Deep Discovery Analyzer.
The Data Backup settings shown here provide the configuration for your remote backup server.
Submission samples and results can be backed up to an SFTP or FTP server.
Note: These tools can alternatively be downloaded directly from the Trend Micro download center.
To configure a proxy go to Administration > System Settings > Proxy and configure the settings for
your proxy.
When deploying Deep Discovery Analyzer in a cluster environment, one appliance acts as the
Primary Appliance that communicates with the other Trend Micro products in the Connected Threat
Defense strategy. The primary appliance receives the samples from the other products (for example,
Deep Discovery Inspector etc. ) and distributes them to the secondary appliances for Sandbox
analysis.
The secondary appliances then send the analysis results to the primary appliance, which in turn
provides the reports and suspicious objects list to the other Trend Micro products so that they can
act upon them.
Note: Up to ten Deep Discovery Analyzer appliances can be deployed and configured to form a single
cluster. Clusters provide fault tolerance, load balancing, or a combination of both depending on
your cluster configuration. You can refer to the Online Help for Deep Discovery Analyzer to
obtain more information on deploying Deep Discovery Analyzer cluster configurations.
Depending on your requirements and the number of Deep Discovery Analyzer appliances
available, you may deploy the following cluster configurations.
If the Deep Discovery Analyzer is going to be in cluster mode you will need to perform some
additional tasks as outlined below.
• Go to Administration > System Settings > Cluster and attach the Secondary node to the
Primary Deep Discovery Analyzer by defining the Primary Appliance IP address and the
Primary Appliance API Key as illustrated below.
• Go to Administration > System Maintenance > High Availability, and define the IPv4 or IPv6
Virtual Address for the cluster (on Primary Deep Discovery Analyzer only) .
Once it has been properly connected to your environment, any results generated by the Deep Discovery
Analyzer (including risk scores, virtual analyzer reports etc.) can be shared with other integrated security
products (Trend Micro or other) as required.
Samples can also be sent by the integrated products to the Deep Discovery Analyzer using the Deep
Discovery Analyzer’s API key.
Manual submissions from integrated products are supported as well. This allows the endpoints in your
environment to manually submit samples to the Deep Discovery Analyzer. A tool called the Manual
Submission Tool (which can be obtained from downloadcenter.trendmicro.com) is required for this
capability.
As noted in the above illustration, Deep Discovery Analyzer can also leverage REST API for integration
with third-party products.
Supported Products
Products that can be integrated with Deep Discovery Analyzer for submitting samples and retrieving
suspicious object lists are listed in the table below.
Supported Products for Sample Submission and Retrieving Results*
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• ScanMail for Microsoft Exchange (SMEX) 11 or later
• ScanMail for IBM Domino (SMID) 5.6 SP1 Patch 1 HF B4666 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• InterScan Messaging Security Suite (IMSS) for Linux 9.1
• Deep Security 10.0 or later
Supported Products for Retrieving Suspicious Objects Information
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Web Security Suite (IWSS) 6.5
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
* The submitter products above will regularly fetch Virtual Analyzer results and reports.
Exceptions
Additionally, the following products can send exceptions to the Virtual Analyzer:
• Trend Micro Control Manager 7.0 Patch 1 with the latest hotfixes installed
• Apex One
In order to integrate Deep Discovery Analyzer with other security products (or secondary
members in Deep Discovery Analyzer cluster mode), you will first need to obtain the Deep
Discovery Analyzer’s API key from the Deep Discovery Analyzer web console under Help > About.
On the web management console of the supported product that you are connecting with Deep
Discovery Analyzer specify the following information:
(See your product specific documentation for details on which web console screen to access for
configuring Deep Discovery Analyzer settings.)
Parameter: Description
• API Key: Available from the Deep Discovery Analyzer management console (Help > About).
• Deep Discovery Analyzer IP address: Same as the IP in the URL used to access the Deep Discovery
Analyzer management console.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address: When using Deep Discovery Analyzer in a
high availability configuration, the virtual IP address is used to provide integrating products with a
fixed IP address for configuration. (Obtain the Virtual Address from the Deep Discovery Analyzer
management console, in Administration > System Settings > High Availability.)
• Deep Discovery Analyzer SSL port: 443 (This is not configurable.)
If the Deep Discovery Analyzer API key changes after the product has been integrated with Deep
Discovery Analyzer, you will need to remove Deep Discovery Analyzer from the Integrated
Products configuration on the supported product, and then perform the above steps again to
re-add it.
After completing the above steps, the endpoint will be able to manually submit samples to Deep
Discovery Analyzer for analysis. For additional details on using this tool, you can refer to the Online
Help for Deep Discovery Analyzer.
Automated submissions are received automatically from other Trend Micro security products (for example,
Deep Discovery Inspector, Deep Discovery Email Inspector, ScanMail for Microsoft Exchange, IMSVA, IWSVA,
Apex One and so on).
Note: These products must be configured correctly in order for them to submit samples to the Deep
Discovery Analyzer. There is no configuration required on the Deep Discovery Analyzer itself, for
it to receive samples from these products.
Additionally, an administrator can manually submit a sample for analysis by clicking Submit objects that
is located in the upper right hand corner of the page.
Here an administrator can upload a file, specify a URL, or upload a list of URLs (in CSV or TXT format) to
the Deep Discovery Analyzer for analysis. As of Deep Discovery Analyzer 6.0, you can also submit a
bundle of samples.
The Prioritize option is used to assign a higher priority level to manual submissions (this option is
enabled by default).
Samples can also be manually submitted to the Deep Discovery Analyzer using the REST API, Windows
CLI tool, and Linux CLI tool.
For additional information on this, you can refer to the following Technical Support article:
https://success.trendmicro.com/solution/1117189-manually-submitting-objects-
using-the-manual-submission-tool-in-deep-discovery-analyzer-ddan
The submitter product, which can be any integrated Trend Micro or supported third-party product, will
regularly fetch results and reports.
From the Submissions page, you can obtain a view of samples already analyzed by Deep Discovery
Analyzer, and the ones that are in progress. The possible risk levels are: High, Low, No risk, and
Unsupported.
When files and URLs are submitted to Deep Discovery Analyzer, they follow the processing flow: Queue >
Processing > Completed.
If sandbox instances are available, the sample quickly enters the Processing state. Once analysis is
complete, you can access the Completed tab for a listing of all Deep Discovery Analyzer results for each
object. Here you can view details such as the product submission channel, and for each sample the
assigned risk level, the time that Deep Discovery Analyzer completed analysis, the time the event was
logged and more, including the name of the threat itself.
The list of results in the Completed view can be filtered by Risk Level, Filename / Email Subject / URL and
by Period.
Clicking the Advanced link provides more filters that can be used, including: Message-ID, SHA-1, File Type,
Subject, Threat, Protocol, Submitter Type / Name / IP / Source / Sender and Destination / Recipient.
If the results list is empty, you should check the Processing and Queued tabs to see what is currently
being analyzed or waiting to be analyzed in the queue. You can also try clearing the filter by clicking the
X button appearing next to the filter definition.
If an object appears in the Completed view with the result “Not Analyzed”, more information can be
obtained from the Risk Level.
Note: Deep Discovery Inspector (as of version 5.0) will wait for the Virtual Analyzer analysis result
before presenting it to the user. Being able to view the sample's VA processing state lets you
know exactly what is happening to the sample submission while waiting for the analysis result.
The following diagram illustrates the different Virtual Analyzer states that a sample submitted for
Virtual Analyzer analysis may pass through.
Note: The Virtual Analyzer prefilter is essentially the Virtual Analyzer cache, which was discussed
earlier. The Virtual Analyzer prefilter acts as the first layer of prefiltering.
The submission filter is the second layer of prefiltering; it filters out submissions before they are
submitted either to the Deep Discovery Inspector Virtual Analyzer or to external Virtual Analyzers
(Deep Discovery Analyzer).
• VA_InProgress: If VA is enabled and there are no records of the sample either in GRID or
in the VA cache, then the sample will enter the VA_InProgress state where it needs to be
submitted to the VA for analysis.
• VA_Timeout: When a sample enters the VA_Pending state it will be placed in a queue. If
the Virtual Analyzer does not pick up the sample within the specified timeout period, the
sample enters the VA_Timeout state.
InProgress States
Once a sample enters the VA_InProgress state, this means that the sample is currently
undergoing Virtual Analyzer analysis. Depending on the Virtual Analyzer analysis result, the
sample may then enter one of the following Virtual Analyzer states:
• VA_Done: The sample enters the VA_Done state when it successfully completes the VA
process and a corresponding Virtual Analyzer analysis result is returned.
• VA_Error: If the sample encounters an error while undergoing Virtual Analyzer analysis
and this process cannot continue, then the sample enters the VA_Error state.
• VA_Timeout: If the sample undergoing Virtual Analyzer analysis exceeds the timeout
allocated for the Virtual Analyzer sample analysis process, then it enters the
VA_Timeout state.
There are two ways in which a sample may enter the VA_Timeout state. The first is when the
sample encounters the timeout while in the VA_Pending stage while it is still in the queue.
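The state transitions described above can be modelled as a small tracker: the two prefilter layers (GRID records, then the Virtual Analyzer cache) answer known objects without queuing, an unknown object is queued in VA_Pending, and a timeout can strike either while the sample is still queued or while it is being analyzed. This is an added example, not Deep Discovery code; the state names follow the text, while the "Prefiltered" label, the GRID lookup table and the timeout values are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


class VAState(Enum):
    """States named in the text; PREFILTERED is an assumed label for a sample
    that was answered from GRID or the VA cache and never queued."""
    PREFILTERED = "Prefiltered"
    VA_PENDING = "VA_Pending"
    VA_INPROGRESS = "VA_InProgress"
    VA_DONE = "VA_Done"
    VA_ERROR = "VA_Error"
    VA_TIMEOUT = "VA_Timeout"


@dataclass
class Sample:
    sha1: str
    state: VAState
    risk: Optional[str] = None          # result once known, e.g. "High", "Low", "No risk"
    queued_at: float = 0.0              # when the sample entered VA_Pending
    started_at: Optional[float] = None  # when the Virtual Analyzer picked it up


class VirtualAnalyzerTracker:
    """Tracks submissions through the two prefilter layers and the VA states."""

    def __init__(self, grid: Dict[str, str], pending_timeout=600.0, analysis_timeout=900.0):
        self.grid = dict(grid)                    # first layer: global intelligence records (constructed)
        self.va_cache: Dict[str, str] = {}        # second layer: results of earlier VA runs
        self.pending_timeout = pending_timeout    # assumed queue timeout, seconds
        self.analysis_timeout = analysis_timeout  # assumed analysis timeout, seconds
        self.samples: Dict[str, Sample] = {}

    def submit(self, sha1: str, now: float) -> Sample:
        """Prefilter first; only an unknown object is queued for the VA."""
        if sha1 in self.grid:
            sample = Sample(sha1, VAState.PREFILTERED, risk=self.grid[sha1])
        elif sha1 in self.va_cache:
            sample = Sample(sha1, VAState.PREFILTERED, risk=self.va_cache[sha1])
        else:
            sample = Sample(sha1, VAState.VA_PENDING, queued_at=now)
        self.samples[sha1] = sample
        return sample

    def pick_up(self, sha1: str, now: float) -> Sample:
        """The VA takes a queued sample; a pick-up after the queue timeout is VA_Timeout."""
        sample = self.samples[sha1]
        if sample.state is VAState.VA_PENDING:
            if now - sample.queued_at > self.pending_timeout:
                sample.state = VAState.VA_TIMEOUT
            else:
                sample.state = VAState.VA_INPROGRESS
                sample.started_at = now
        return sample

    def finish(self, sha1: str, risk: Optional[str] = None, error: bool = False) -> Sample:
        """Analysis ended: VA_Done with a result (cached for later submissions) or VA_Error."""
        sample = self.samples[sha1]
        if sample.state is VAState.VA_INPROGRESS:
            if error:
                sample.state = VAState.VA_ERROR
            else:
                sample.state = VAState.VA_DONE
                sample.risk = risk
                self.va_cache[sha1] = risk
        return sample

    def tick(self, now: float) -> Dict[str, str]:
        """Apply both timeouts: while queued (VA_Pending) and while analysed (VA_InProgress)."""
        for sample in self.samples.values():
            if sample.state is VAState.VA_PENDING and now - sample.queued_at > self.pending_timeout:
                sample.state = VAState.VA_TIMEOUT
            elif sample.state is VAState.VA_INPROGRESS and now - sample.started_at > self.analysis_timeout:
                sample.state = VAState.VA_TIMEOUT
        return {sha1: s.state.value for sha1, s in self.samples.items()}
```

Calling `tick()` periodically with the current time is what moves a stuck sample into VA_Timeout; a second submission of an object that already reached VA_Done is answered from the cache and never enters the queue, which is the behaviour the prefilter note above describes.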
This risk level is calculated from the accumulated inputs (input vectors) of all the other Deep
Discovery detection engines, including ATSE, NCIE, WRS, NCCP, and so on.
• You can see the Notable Characteristics which provides a summary of the object’s malware
characteristics or suspicious activities that Deep Discovery Analyzer observed, and used to make
its decision.
• A PDF can be downloaded or you can view the report through HTML using the icons shown next
to Report.
• The Investigation Package helps administrators and investigators inspect and interpret threat
data generated from samples analyzed by Virtual Analyzer. It includes files in OpenIOC format
that describe Indicators of Compromise (IOC) identified on the affected host or network, a copy
of the sample itself, any dropped files, PCAP (packet captures) and so on. The package is
generated as a zip file and encrypted using the password: virus.
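The OpenIOC files in the Investigation Package are plain XML in the public OpenIOC 1.0 schema (an ioc element with a definition holding nested Indicator and IndicatorItem elements), so they can be loaded into a SIEM lookup or checked against artefacts collected from a host. The following is an added example, not Deep Discovery code: it parses a constructed OpenIOC document (the MD5 hash, file name and registry path are placeholders), flattens the indicator items, and evaluates the AND/OR logic against a constructed set of observations from one host.

```python
import xml.etree.ElementTree as ET

IOC_NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 namespace

# Constructed OpenIOC document; the hash, file name and registry path are placeholders.
SAMPLE_OPENIOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc"
     id="00000000-0000-0000-0000-000000000001" last-modified="2020-01-01T00:00:00">
  <short_description>Constructed example: dropper with autorun persistence</short_description>
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="i-1a" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i-2">
        <IndicatorItem id="i-2a" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">dropper.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="i-2b" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _q(tag):
    """Namespace-qualify an OpenIOC tag name for ElementTree lookups."""
    return "{%s}%s" % (IOC_NS, tag)


def parse_indicator(elem):
    """Turn an <Indicator> subtree into {"op": "AND"|"OR", "items": [...]}, where each
    item is either a nested node or a dict describing one <IndicatorItem>."""
    node = {"op": elem.get("operator", "OR").upper(), "items": []}
    for child in elem:
        if child.tag == _q("IndicatorItem"):
            ctx = child.find(_q("Context"))
            content = child.find(_q("Content"))
            node["items"].append({
                "search": ctx.get("search"),
                "condition": child.get("condition", "is"),
                "type": content.get("type"),
                "content": (content.text or "").strip(),
            })
        elif child.tag == _q("Indicator"):
            node["items"].append(parse_indicator(child))
    return node


def parse_openioc(xml_text):
    root = ET.fromstring(xml_text)
    desc = root.find(_q("short_description"))
    top = root.find(_q("definition")).find(_q("Indicator"))
    return {
        "id": root.get("id"),
        "description": desc.text.strip() if desc is not None and desc.text else "",
        "logic": parse_indicator(top),
    }


def flatten(node):
    """All leaf indicator items, e.g. to load them into a blocklist or a SIEM lookup."""
    leaves = []
    for item in node["items"]:
        leaves.extend(flatten(item) if "op" in item else [item])
    return leaves


def evaluate(node, observed):
    """Evaluate the AND/OR tree against artefacts collected from one host.
    `observed` maps an OpenIOC search path to the values seen (constructed input);
    comparisons are case-insensitive, a simplification that suits hashes and Windows paths."""
    results = []
    for item in node["items"]:
        if "op" in item:
            results.append(evaluate(item, observed))
            continue
        values = [v.lower() for v in observed.get(item["search"], ())]
        want = item["content"].lower()
        if item["condition"] == "is":
            results.append(want in values)
        elif item["condition"] == "contains":
            results.append(any(want in v for v in values))
        else:
            results.append(False)   # conditions not modelled here never match
    if not results:
        return False
    return all(results) if node["op"] == "AND" else any(results)
```

The evaluator treats each host as one bag of observed values per search path; real OpenIOC semantics tie items inside one Indicator to the same object (the same file, the same registry entry), so a production matcher would carry that grouping through, but the AND/OR structure and the conditions are as the format defines them.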
Note: The Global Intelligence area provides a link that you can use to view the threat information that
is available from the Trend Micro Threat Connect web site. The Trend Micro Threat Connect web
site provides additional information that is known about the threat related to IP, URL, DNS and
SHA-1.
The Virtual Analyzer information that will be described below is exactly the same information that
can be obtained when viewing Virtual Analyzer results from other Trend Micro products. For example,
in Deep Discovery Inspector, once an object has been analyzed by the Virtual Analyzer, there will be
an additional tab displayed under Connection Details called Suspicious Objects and Related File
Analysis Result.
The Virtual Analyzer report provides a lot of information that can help understand a threat and the
decisions used by the Virtual Analyzer to classify it as such.
For example from this report you can view the following:
• Analysis Overview
• Virtual analysis environment that was used
• Sample Family Name and any child processes
• Notable Characteristics
• Analysis which shows step by step the full API execution details
• Screen shot that displays the virtual environment
Analysis Overview
Note that samples submitted for analysis to the Virtual Analyzer can often contain multiple
child objects nested within them. For example, an email with multiple attachments, archive
files (zip/rar/tar), dropped files and so on.
Note: The Overall Risk Level assigned by Virtual Analyzer, is the highest risk level of any child object.
Notable Characteristics
The Notable Characteristics provide details about the malware behaviors that Deep Discovery
Analyzer observed while it was analyzing the object. This can help you better understand why a
sample was detected as being malicious.
To view all the suspicious behaviors that were detected during analysis by the various detection
methods, expand the Notable Threat Characteristics and then expand the different items that are
available.
In this case we can see exactly what behaviors or characteristics that Deep Discovery Analyzer
observed when the object was executed in the sandbox. For example, it modified firewall settings,
it added Autorun in the registry etc.
As mentioned already, the notable characteristics are grouped into the following categories:
• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File drop, download, sharing, or replication
• Hijack, redirection, or data theft
• Malformation or other known malware traits
• Process, service, or memory object change
• Rootkit, cloaking
• Suspicious network or messaging activity
Network Destinations
The Network Destinations item indicated here allows you to see all the network activity that was
detected during object analysis. For example:
• Network access records from analyzed sample
• Malicious and non-malicious entities
Threat Sequence
To view the step by step actions that were performed by the malware that was executed in
the virtual sandbox and observed by the VA, you can expand the Analysis item as follows.
Here we can view the submitted sample’s behavior that was observed during the analysis
including:
• Registry add, delete and write actions
• File add, delete and write actions
• System/Windows/file system API calls
If there were any dropped or downloaded files, you can view that from the VA report as well.
Viewing or downloading the Virtual Analyzer report may take longer than the other options. Allocate
more time for the Virtual Analyzer report to appear or download.
You can optionally download the Investigation Package which is a password protected ZIP archive
containing the investigation package.
As well, you can select to download the Detected File which is also a password protected ZIP archive
containing the detected file.
Note: Always handle suspicious files with caution. Extract the detected file at your own risk. The
password for the zip archive is "virus".
For convenience, all of the items can be downloaded at once by selecting All. This creates a password
protected ZIP archive containing the detected file, the Virtual Analyzer report, and the investigation
package.
If you click the numbers under Related Submissions, you will be redirected to the Submissions page, where
you can view the list of related samples for this submission.
For example, as mentioned already, from the Submissions page you can see exactly which of the submissions
have been processed successfully, which are still being processed or queued, and which were
unsuccessful.
The Suspicious Object list entries can be manually removed, placed on a blocking list or white-listed. To
add a Suspicious Object to the exceptions list, select the object and click Add to Exceptions.
When adding Suspicious Objects to the exceptions list the following notification will appear:
Note: From this point forward, any object that matches this Suspicious Object will NOT be added to the
suspicious objects list.
Adding Exceptions
Administrators can also add exceptions in order to avoid false positive results in the Virtual Analyzer.
For example, an exception can be added for unresolvable internal domains.
Exporting Exceptions
The list of exceptions can also be exported.
Note: As mentioned already, the objects in the exceptions list are automatically considered safe, and
are not added to the Suspicious Objects list.
Interpreting Results
The following section provides some tips for understanding a False Positive or False Negative analysis
result. In cases like these, where a sample's analysis result is not as expected, you can submit the file to
Trend Micro in order to further investigate and update Deep Discovery Inspector detection rules if
required.
Application activity noise is not filtered, such as the Adobe updater, Adobe trust managers or
Adobe resource files (DLLs), for example.
Also, there are some aggressive rules that cause false alarms, such as:
• Generic and CVE (Common Vulnerabilities and Exposures) rules
• Macromedia rules
• DDOS detection triggered because of inappropriate file types (for example, running
HTML with too many HTTP requests)
Some commonly used methods for evading VM and sandboxing measures include:
• VirtualBox guest add-on is not installed
• Enable VT-x on x86 platform
• Remove VM signatures in the registry
• Emulate mouse movement and clicking
• Configure a MAC address that does not belong to the VM allocated space
• Change the CPU ID information
The Virtual Analyzer shortens the delay functions to accelerate the execution of the program
code.
However, the Virtual Analyzer cannot accelerate the execution of programs that have specific
date or time triggers to execute.
Generating Reports
From Alerts / Reports you can download any reports that have been scheduled or generated on-demand.
Under Customization you can configure a different logo, line colors and title for the report.
Reports can be emailed to recipients if you have defined SMTP settings in Deep Discovery Analyzer.
Using Alerts
Alerts can be configured from the Alerts / Reports > Alerts menu. If there are any available triggered
alerts, an administrator can review them from the Triggered Alerts tab.
Use the Details icon to obtain the details about the triggered alert.
To view the list of available default alerts, click the Rules tab. You can enable or disable rules using the
on/off buttons under the Status column. Additionally you can view the Rule details by clicking the hyper-
linked rule name from the Rule column.
Note: VMware tools must NOT be installed on the sandbox image, to prevent the Anti-VM functions of some
malware from triggering.
The tool verifies that all of the above configuration requirements have been done and will also
disable the services that need to be removed for proper sandbox functionality.
This tool can be obtained directly from the Trend Micro download center or using the provided
download link in the Deep Discovery Inspector web console.
Deep Discovery Inspector only supports the import of custom sandbox images up to 20 GB in size.
For additional information on importing a custom sandbox using the VA Image Preparation Tool you
can refer to: http://files.trendmicro.com/products/network/GSD-44849/
va_image_prep_tool_5.2_ug.pdf
- If not set up, create and start the NAT Gateway virtual machine
• Imports the Custom Sandbox VM Image:
- Import the OVA formatted custom Sandbox to Virtual Analyzer
- Boot the Sandbox VM
- Check for required software applications and configure the VM. The existence of the
following software is checked:
· Microsoft Office
· Internet Explorer
· .NET Framework
· Adobe Acrobat Reader/Flash Player (automatically installed if not present)
Note: The import process will fail if any of the required software is not found in the sandbox image.
Key Features
Deep Discovery Director can simplify management within your Deep Discovery environments by
providing the following key benefits:
• Centralized deployment of Virtual Analyzer images
• Shared folder and SFTP Virtual Analyzer image upload
• Centralized Deep Discovery appliance hotfix/critical patch/firmware deployment
• Configuration replication
• Synchronize suspicious objects among all registered Deep Discovery appliances
• Centralized system logs for registered Deep Discovery products
• Dashboard widgets to view status of all Deep Discovery appliances
• Database and configuration backup and restore
• Bandwidth control and throttling
• Centralized view of all of the detections made on all managed Deep Discovery appliances
System Requirements
Deep Discovery Director is only available as a Virtual appliance supported on a VMware platform. Some
requirements for installing Deep Discovery Director include the following:
Hardware Requirements
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI Controller: LSI Logic Parallel
• CPU: 1.8GHz (at least 4 cores)
• Memory: 8GB
• Hard disk: 135GB (thin provisioned)
Note that the CPU, memory, and hard disk requirements increase with the number of Deep Discovery
appliances that Deep Discovery Director is expected to aggregate detection logs from. The following
table can be used as a general sizing guideline.
Note: Deep Discovery Director (Consolidated Mode) does not support the VMXNET 2 (Enhanced)
adapter type. For port binding, specify the same adapter type to use for all network interface
cards.
Management Console
• Google Chrome(TM) 46.0 or later
• Mozilla(TM) Firefox(TM) 41.0 or later
• Microsoft(TM) Internet Explorer(TM) 11.0
• Recommended resolution: 1280 x 800 or higher
Port Requirements
• TCP 443 (Deep Discovery Director connection)
• UDP 123 (default NTP server connection)
Planning a Deployment
Components
Deep Discovery Director uses the following components to enable centralized deployment of product
updates, product upgrades, and Virtual Analyzer images, as well as configuration replication and log
aggregation.
Note: If you plan on uploading and deploying multiple larger Virtual Analyzer images (20GB to 30GB),
set the hard disk size accordingly. A general recommendation is to set the Local Repository
server hard disk size to the same as the Central Repository server hard disk size.
IMPORTANT: Local Repository servers download all update, upgrade, and Virtual Analyzer image
files from the Central Repository server. Setting the Local Repository server hard disk size lower
than the Central Repository server hard disk size may cause Local Repository servers to be
unable to download and send files required to execute plans to managed appliances.
Deployment Modes
When deploying Deep Discovery Director, you have the option to either install each component on a
dedicated server (Distributed Mode) or install all components on a single server (Consolidated Mode)
depending on the requirements of your network and organization.
Regardless of the deployment type, Deep Discovery Director provides certificate-based connections
to registered Deep Discovery appliances and integration with Microsoft Active Directory server.
Distributed Mode
This mode is best suited for larger environments that span multiple countries or
organizations. In Distributed Mode, the individual Deep Discovery Director components reside on
dedicated servers for load balancing and scalability. Each server is provided with a management
console that enables the functionality associated with the installed component.
Consolidated Mode
For small and medium businesses, all of the above mentioned Deep Discovery Director
components reside on the same server. This provides a more straightforward approach to
management and maintenance.
In consolidated mode, you can access all management console functions, including creating
plans and uploading files to the repository.
4 Next, in the Deep Discovery Director Components screen select one of the following based on
your preferred deployment mode:
• For Consolidated mode: Select the option Install all components
• For Distributed mode: Select each of the below components individually (Install
Management Server, Install Central Repository, and Install Local Repository)
Note: To install all three components for Distributed mode, this installation procedure must be
completed three times.
5 When the License Agreement screen appears, click Accept to proceed with the installation.
6 Next, in the Disk Selection screen, select a disk that meets the minimum requirements for Deep
Discovery Director based on how many appliances you will have. Click Continue.
7 If the following Hardware Profile screen appears, then the system hardware check has
succeeded.
If however, the hardware check fails because the VM you are installing on does NOT meet the
minimum hardware requirements, then you will see the following screen:
You will need to cancel the installation in this case, and re-attempt the install once you have
configured the correct requirements for your VM.
8 Once the system hardware check passes, you will need to configure the log space for Deep
Discovery Director for the following Disk Space Configuration screen. Click Continue.
The Deep Discovery Director will now proceed with the installation. This process will take a few
minutes.
Once the installation has completed, you will be prompted to log into the Pre-Configuration
console to configure some initial system settings for the Deep Discovery Director.
3 In the Main Menu screen select Configure network settings and then press ENTER.
4 Next from the Configure Network Settings screen you will need to configure the following
settings for Deep Discovery Director:
Note: Only IPv4 settings can be configured from the Pre-Configuration console. To configure IPv6 and
port binding, you can use the Network menu from the Deep Discovery Director’s web-based
management console.
5 Once you have configured the above network settings, press TAB to navigate to Save, and then
press ENTER.
The Main Menu screen appears after the settings are successfully saved.
After a successful log on, the Deep Discovery Director console will appear as follows:
The API key can be obtained from the Deep Discovery Director web console under the Help menu as
follows.
Once you have obtained the Deep Discovery Director’s API key you can complete the following
process for connecting your Deep Discovery appliances to Deep Discovery Director. In this example,
Deep Discovery Inspector is being added as a managed product to Deep Discovery Director.
1 Log on to Deep Discovery Inspector and go to Administration > Integrated Products/Services >
Deep Discovery Director.
2 Enter the Deep Discovery Director Management Server IP address and API Key, then click
Register.
3 Under the Appliance Details, ensure that the Deep Discovery Inspector appliance is registered
and connected.
If Deep Discovery Director is not directly reachable, a proxy server can be configured to
establish a connection to it.
4 Once you have successfully registered your Deep Discovery device with Deep Discovery Director,
the device will appear as an unmanaged device in Deep Discovery Director. You can view this
device from the Appliances > Directory page as follows.
To begin managing this device through Deep Discovery Director, you will need to move this
device from the Unmanaged group into the Managed group as described next.
5 Click the device name that appears under the Unmanaged folder, then click on the 3 vertical dots
to display the following menu items:
6 Next select Move and, from the pop-up, select the Managed folder, then click Move.
Once the appliance has been moved to the Managed group, Deep Discovery Director will now be
able to begin managing it.
You can also create separate folders under the Managed folder to organize the managed devices in
a more structured way that reflects your network and/or organization, for example. The maximum
folder depth is four levels (three sub folder levels under the Managed folder). This is very useful for
larger deployments with hundreds of devices to manage. In this case, you could structure your
devices by Region, Business Unit, Network Profile etc.
Note: Newly added appliances that are still in the Unmanaged folder cannot be managed (added to
deployment plan etc.) unless they are moved to the Managed folder (or sub folders within it).
Additionally, by clicking the drop down for the All filter, you have the ability to further filter your
devices by product type as follows:
Note: The “Investigator” role is able to download malicious sample files, the investigation package, and
the PCAP file for threat analysis.
Administrators can additionally create custom roles that define the scope of permissions for
appliance management. An administrator can customize the role permissions for specific operation
requirements.
To add a new syslog server, go to Administration > Integrated Products/Services > Syslog and click
Add.
Before you are ready to start creating deployment plans and running them, you will first need to
populate the Deep Discovery Director Repository by uploading all the components that will be needed
for planned deployments to your managed devices including Hotfixes, Critical patches, new Firmware
images, Virtual Analyzer images etc.
The Deep Discovery Director Repository can be accessed from the Deep Discovery Director web console
under Appliances > Repository as follows:
For example, to upload the latest patch for Deep Discovery Analyzer, click Upload > Select and browse to
the folder on your local computer where you have downloaded a copy of the Deep Discovery Analyzer
patch. In this case, the patch downloaded from the Trend Micro download center is called:
ddan_65_lx_en_patch1_b1183.7z.tar.
For example, to deploy a firmware update to a Deep Discovery Analyzer device that is currently
being managed by Deep Discovery Director the process is as follows:
• Go to Appliances > Plans.
• Click + Add to add a new deployment plan.
• Within the Add Plan screen, in the Details section, configure the following:
• Expand the Hotfix / Critical Patch / Firmware section and select the radio button to enable the
DDAN hotfix:
• Scroll down to and expand the Targets section and enable the checkbox to select the DDAN
device as follows:
• Scroll down to the Schedule section, and select one of the following options:
Deep Discovery Director can perform log aggregation and de-duplication for multiple Deep Discovery
Inspectors.
From the web console under Detections, events can be viewed by Affected Hosts or Network Detections:
• Affected Hosts are the hosts that have been involved in one or more phases of a targeted attack.
• Network Detections are the hosts with detections from all event logs, including global
intelligence, user-defined lists, and other sources.
The columns displayed for the different views under Detections can be customized exactly the same as
with all the other Deep Discovery products already discussed in this training.
Clicking on the number links redirects you to the Detections page where you can view all the details
that exist for these detected events.
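When several Deep Discovery Inspector appliances watch overlapping traffic (for example one at the core and one at the Internet edge), the same flow produces one detection on each of them, and aggregation has to fold those into a single event before counting affected hosts. The following is an added example, not Deep Discovery Director code: the log line format, the appliance names, the 60-second merge window and the (source, destination, threat) de-duplication key are all assumptions, and the log lines are constructed.

```python
from datetime import datetime, timezone

# Constructed detection logs from two appliances that see the same flows.
RAW_LOGS = [
    "2020-01-01T10:00:00Z ddi-dc1 src=10.1.1.5 dst=203.0.113.7 threat=EXAMPLE_CALLBACK",
    "2020-01-01T10:00:12Z ddi-dc2 src=10.1.1.5 dst=203.0.113.7 threat=EXAMPLE_CALLBACK",
    "2020-01-01T10:05:00Z ddi-dc1 src=10.1.1.5 dst=203.0.113.7 threat=EXAMPLE_CALLBACK",
    "2020-01-01T10:02:00Z ddi-dc2 src=10.1.1.9 dst=198.51.100.4 threat=EXAMPLE_DOWNLOAD",
    "2020-01-01T10:03:30Z ddi-dc1 src=10.1.1.5 dst=198.51.100.4 threat=EXAMPLE_DOWNLOAD",
]


def parse_line(line):
    """Split 'timestamp appliance key=value ...' into a record with a UTC datetime."""
    ts, appliance, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["appliance"] = appliance
    return rec


def deduplicate(records, window_seconds=60):
    """Merge detections that share (src, dst, threat) and fall within the window of the
    first occurrence; later repeats outside the window are kept as separate events."""
    events = []
    last_by_key = {}
    for rec in sorted(records, key=lambda r: r["ts"]):
        key = (rec["src"], rec["dst"], rec["threat"])
        prev = last_by_key.get(key)
        if prev is not None and (rec["ts"] - prev["first_seen"]).total_seconds() <= window_seconds:
            prev["count"] += 1
            prev["last_seen"] = rec["ts"]
            if rec["appliance"] not in prev["seen_by"]:
                prev["seen_by"].append(rec["appliance"])   # same event, another sensor
            continue
        event = {
            "src": rec["src"], "dst": rec["dst"], "threat": rec["threat"],
            "first_seen": rec["ts"], "last_seen": rec["ts"],
            "count": 1, "seen_by": [rec["appliance"]],
        }
        events.append(event)
        last_by_key[key] = event
    return events


def affected_hosts(events):
    """Number of distinct threats per internal source host, after de-duplication."""
    hosts = {}
    for event in events:
        hosts.setdefault(event["src"], set()).add(event["threat"])
    return {host: len(threats) for host, threats in hosts.items()}
```

Without the merge step the host 10.1.1.5 would be credited with three callback detections where only two distinct events occurred; the `seen_by` list keeps the information about which sensors observed each event, which is useful when checking sensor coverage.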
Deep Discovery Email Inspector assigns a risk rating to each email message based on the
investigation results. In the Deep Discovery Director, you can query detected email messages to:
• Better understand the threats affecting your network and their relative risk
• Find senders and recipients of detected messages
• Understand the email subjects of detected messages
• Research attack sources that route detected messages
• Discover trends and learn about related detected messages
• See how Deep Discovery Email Inspector handled the detected message
Configuring Alerts
Email alerts can be used to notify Administrators of important Email Security events (Deep
Discovery Email Inspector) and Network Detections (Deep Discovery Inspector).
Administrators can view the details of triggered alerts directly through the web console under Alerts
> Triggered Alerts.
There are built-in alert templates that can be used, or you can create custom alerts to be notified of
specific threats.
The default Built-in Rules are shown below. In this screen you can see which of the alert rules are
enabled by default.
Notice that all the Email Security rules are enabled by default, except for Watchlisted recipients at
risk.
An alert will be triggered and a notification email will be sent when email messages meet the
rule criteria set up above.
The detailed result can be viewed via the indicated URL, which redirects you to the Deep Discovery
Director web console. All matched email messages will be listed. Information on the email
messages is listed in the CSV file (maximum 100 items listed).
As mentioned previously, clicking the URL in the alert email will redirect you to the Deep
Discovery Director web console Email Messages screen, where you can view related email
messages. The Risk level filter can be used to filter the messages according to the rule settings.
Typical IoCs are virus signatures and IP addresses, MD5 hashes of malware files, or URLs or domain
names of botnet command and control servers. After IoCs have been identified in a process of incident
response and computer forensics, they can be used for early detection of future attack attempts using
intrusion detection systems and antivirus software.
User-defined Suspicious Objects (UDSOs) can be defined by users through the web console, pushed
from TAXII clients, or downloaded from external threat feeds.
For example, the following shows a user-defined suspicious object being added through the Deep
Discovery Director web console:
Apex Central also supports User Defined Suspicious Objects, and an action for detection can
additionally be configured.
The action actually carried out depends on the specific product (refer to your product's
documentation for support details).
Note: If both Apex Central and Deep Discovery Director are being used, the UDSO must be created in
Apex Central!
Exception Lists
Exception lists are used to configure conditions that can be exempted from the configured detection
rules. Exceptions help to reduce false positives.
Configured exceptions are exchangeable across any Deep Discovery products and include the
following data types:
• IP
• URL
• Domain
• SHA1 (hash of file object)
By integrating your Deep Discovery products with Deep Discovery Director, threat intelligence (custom
and product related intelligence) can be shared and received through Deep Discovery Director including:
• Suspicious Objects and C&C Callbacks
• Custom Intelligence – Yara, STIX, User-Defined
• External TAXII Feeds
• Intelligence Sharing – TAXII, Web, COTS integration
The following table summarizes the different threat intelligence objects that can be shared and received
through Deep Discovery Director and integrated products and services:
[Table not recoverable from the extraction: its cells list YARA and STIX objects and the TAXII client, TAXII server and HTTP/HTTPS transports used for each integration.]
Threat Sharing allows integrated products and services to act on these threat objects if encountered.
This provides security analysts with a more comprehensive defense against advanced persistent threats
and targeted attacks.
When deploying both Deep Discovery Director and Apex Central, the following are some
considerations to take note of:
• All DD products must be registered to DDD first, and DDD registers to Apex Central
afterwards
• All previously synchronized IoCs in DD products will be discarded
• Once DD products are registered to DDD, the existing Suspicious Object Synchronization
link to Apex Central will be automatically disabled
• It is not necessary to unregister Apex Central
• Apex Central will still receive logs from DD products as long as the Apex Central
registration is still valid
During the synchronization of IoCs from Deep Discovery Director, Deep Discovery products
(Deep Discovery Analyzer, Deep Discovery Inspector, Deep Discovery Email Inspector) will
download a superset of the IoC categories they are interested in. For example, when querying for
user-defined suspicious objects from Deep Discovery Director, ALL the user-defined suspicious
objects that have been uploaded by other Deep Discovery products will be downloaded.
STIX
STIX information imported from STIX files added through the Deep Discovery Director web
console (or downloaded from an external TAXII source) is always merged into the
User-Defined Suspicious Objects pool. STIX objects are handled the same way as User-Defined
Suspicious Objects during the synchronization process with other Deep Discovery
products.
*Apex Central (TMCM7.0 or later) included support for registering a sample. It can generate File-SO from the file
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator
Information (TAXII) are standard formats that can be used to analyze and exchange threat
information between organizations more quickly.
STIX is a standards-based format, or descriptor, that tells security professionals what a specific threat
looks like, what kind of infection area or capabilities the threat has, as well as potential mitigation
plans for this type of threat.
TAXII is a standards-based transport that simplifies and speeds up the process of securely exchanging
cyber-threat information. TAXII defines a set of services and message exchanges that, when
implemented, enable sharing of actionable cyber-threat information across departments, organizations
or companies for the detection, prevention and mitigation of cyber-threats. TAXII eliminates the need
for custom IoC sharing and is ideal for widespread automated exchange of cyber-threat information.
While STIX is a descriptor format (similar to the pattern files used by traditional security products), TAXII
provides a way of subscribing to, as well as publishing, the actual STIX descriptors over the network. For
example, a company can subscribe to the National Cybersecurity and Communications Integration
Center's (NCCIC) STIX feed. Once subscribed, it will be able to obtain all the latest signatures
from that US-CERT STIX feed.
Note: Today, most vendors support STIX and TAXII. Trend Micro publishes STIX-based threat
information (on top of its regular pattern files and signatures).
Deep Discovery Director can operate as a STIX and TAXII exchange. This means that Deep
Discovery Director can subscribe to STIX feeds such as the US-CERT feed.
When Deep Discovery Director is subscribed to a STIX feed, it can consume and analyze that STIX
information and then correlate it with your existing network information. Deep Discovery Director
can then take all the correlated information and present it graphically in the Deep Discovery Director
web console for administrators or security professionals.
Furthermore, Deep Discovery Director can take detection information and publish it
downstream to additional STIX/TAXII clients that can also consume this information.
Using STIX and TAXII in Deep Discovery Director, central Security Operations Center (SOC) teams can
automatically publish STIX information between different departments to rapidly send and receive
samples and carry out response plans more quickly.
As of Deep Discovery Director 5.1 the following support for STIX 2.0 and TAXII 2 is available:
• Users can import STIX 2.0 files from the Deep Discovery Director web console
• Users can also import STIX 2.0 files into the writable collection of the TAXII 2.0 server in Deep
Discovery Director
• A TAXII 2.0 server has been added to share imported STIX 2.0 files and those generated
from Suspicious Objects
• In the TAXII feed management configuration, users can subscribe to TAXII 2.0 servers
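As an added example (not Trend Micro code), the following Python script shows how indicators from an imported STIX 2.0 bundle map onto the user-defined suspicious object pool described above, and how an exception list of the four exchangeable types (IP, URL, Domain, SHA1) exempts entries from it. The bundle, addresses and digests are constructed sample data, not a real feed.

```python
"""Added example (not Trend Micro code): merge indicators from a STIX 2.0 bundle
into a user-defined suspicious object (UDSO) pool and drop entries that are on
the exception list. Only the four data types the page lists as exchangeable
between Deep Discovery products are handled: IP, URL, Domain and SHA1."""
import json
import re

# Constructed STIX 2.0 bundle standing in for a file imported through the web
# console or pulled from a TAXII collection (sample values, not a real feed).
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "spec_version": "2.0",
    "objects": [
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000001",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000002",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'C2.Example.NET' OR domain-name:value = 'cdn.example.org']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000003",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[file:hashes.'SHA-1' = 'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709']"},
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000004",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[url:value = 'http://c2.example.net/gate.php']"},
        # MD5 is not one of the exchangeable types, so this indicator is skipped.
        {"type": "indicator", "id": "indicator--aaaaaaaa-0000-4000-8000-000000000005",
         "labels": ["malicious-activity"], "valid_from": "2020-01-01T00:00:00Z",
         "pattern": "[file:hashes.'MD5' = 'd41d8cd98f00b204e9800998ecf8427e']"},
        # Not an indicator at all: ignored by the import.
        {"type": "malware", "id": "malware--bbbbbbbb-0000-4000-8000-000000000001",
         "name": "SampleLoader", "labels": ["trojan"]},
    ],
})

# STIX object paths that map onto the exception-list / UDSO data types.
_VALUE_RE = re.compile(r"(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'")
_SHA1_RE = re.compile(r"file:hashes\.'SHA-1'\s*=\s*'([0-9A-Fa-f]{40})'")
_TYPE_MAP = {"ipv4-addr": "IP", "ipv6-addr": "IP", "domain-name": "Domain", "url": "URL"}


def normalize(kind, value):
    """Canonical form so that feed, console and exception entries compare equal."""
    if kind in ("Domain", "SHA1"):
        return value.strip().lower()
    return value.strip()


def parse_stix_indicators(bundle_json):
    """Extract (type, value) pairs from every indicator pattern in a STIX 2.0
    bundle. Comparisons the products cannot act on (e.g. MD5) are skipped."""
    bundle = json.loads(bundle_json)
    found = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue
        pattern = obj.get("pattern", "")
        for stix_type, value in _VALUE_RE.findall(pattern):
            kind = _TYPE_MAP[stix_type]
            found.append((kind, normalize(kind, value)))
        for digest in _SHA1_RE.findall(pattern):
            found.append(("SHA1", normalize("SHA1", digest)))
    return found


def merge_into_udso(pool, indicators, exceptions, source="STIX"):
    """Merge indicators into the UDSO pool, skipping anything on the exception
    list and keeping the first source seen for duplicates. Returns the pool."""
    excepted = {(k, normalize(k, v)) for k, v in exceptions}
    for kind, value in indicators:
        key = (kind, value)
        if key in excepted or key in pool:
            continue
        pool[key] = source
    return pool


def build_pool():
    """Worked run: one console-defined UDSO plus the STIX feed, minus one exception."""
    pool = {("IP", "198.51.100.7"): "Console"}    # added through the web console
    exceptions = [("Domain", "cdn.example.org")]  # known-good CDN, exempted
    return merge_into_udso(pool, parse_stix_indicators(STIX_BUNDLE), exceptions)


if __name__ == "__main__":
    for (kind, value), source in sorted(build_pool().items()):
        print(f"{kind:6} {source:8} {value}")
```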
Deep Discovery Director - Network Analytics uses rules to correlate and connect threat detection events
against network access events, presenting threat investigators with a full view of the attack life-cycle.
Correlated event information provided by Deep Discovery Director - Network Analytics, allows you to
see:
• What the first point of entry was (source of the problem)
• Who has been affected (all users, servers, IP addresses)
• Where the attack is calling out to (command and control addresses)
Pre-Deployment Checklist
The following must be done before deploying Deep Discovery Director - Network Analytics (the
appliance):
• Deep Discovery Director and Deep Discovery Inspector must be deployed.
• Deep Discovery Inspector must be registered to Deep Discovery Director.
The following Trend Micro products are required for the integrated solution:
Required: Description
Deep Discovery Director 3.0 or later: Provides management and access.
Deep Discovery Inspector 5.1 or later: Provides network meta data and syslogs used for correlation and advanced analysis.
Deep Discovery Director - Network Analytics Activation Code: Obtain from Trend Micro.
IP addresses: You must obtain one static IPv4 address for the network interface.
DNS server IP addresses: You must enter one DNS server IP address during initial deployment. You can enter up to three DNS server addresses.
NTP server IP addresses or FQDNs: You must use NTP to configure time on the Deep Discovery Director - Network Analytics appliance. You can enter up to four NTP server addresses.
Monitor and VGA cable: Connects to the VGA port of the appliance.
USB keyboard: Connects to a USB port of the appliance.
Ethernet cable: Connects to the management port.
System Requirements
Based on the above hardware specifications, and typical enterprise levels of network traffic,
Deep Discovery Director - Network Analytics can support:
• Up to 4 DDI-1000 devices
• 1 DDI-4K device
Additionally, with the storage capacity (6TB), the amount of time for which network data can be
retained (for which correlations will be available) is as follows:
• For a single DDI-1000 device: approximately 4-6 months
• For a single DDI-4000 device: approximately 40-45 days
Software Requirements
Deep Discovery Director - Network Analytics is an appliance based on CentOS Linux 7 (64-bit)
that supports the following:
• Hypervisor: VMware vSphere ESXi 6.5 or Microsoft Hyper-V in Windows Server 2016
Required Ports
Inbound ports:
• TCP 443 (Deep Discovery Director server and Deep Discovery Inspector connection)
• TCP 514 (Deep Discovery Inspector detection logs)
Outbound ports:
• TCP 443 and 80 (Deep Discovery Director server and Deep Discovery Inspector
connection)
• UDP 123 (default NTP server connection)
Note: Since students by now are already familiar with using the Deep Discovery Pre-Configuration
console, the steps for configuring the network settings for Deep Discovery Director - Network
Analytics have been omitted.
You can refer to the On-line Deep Discovery Director - Network Analytics Installation and
Deployment Guide for step-by-step instructions on configuring Deep Discovery Director -
Network Analytics network settings.
The following is the Main menu of the Pre-Configuration console where you will need to select
Network Configuration in order to configure the management interface as well as Hostname and DNS
settings for the device:
Once these settings have been configured for the Deep Discovery Director - Network Analytics using
the Pre-Configuration console, you will need to connect to the Deep Discovery Director - Network
Analytics web-based console to complete additional setup tasks as will be discussed next.
The Deep Discovery Director API key is available in the Deep Discovery Director web console on the
Help page:
Once the Deep Discovery Director API key has been obtained, you must enter it into the Deep
Discovery Director Registration screen using the Deep Discovery Director - Network Analytics
Pre-Configuration console.
From the Main menu of the Deep Discovery Director - Network Analytics Pre-Configuration console
(refer to previous section) you will need to select the option Register with Deep Discovery Director.
The Deep Discovery Director registration configuration will display similar to the following:
To simplify the installation process, you can copy the API key from Deep Discovery Director
prior to installing Deep Discovery Director - Network Analytics, so that you can complete this step at
the same time as the network interface setup process described earlier.
To perform this task, you must first access the Deep Discovery Director - Network Analytics (the
appliance) Settings screen and record the syslog IP address and port number.
Next, you must log on to Deep Discovery Inspector and use the recorded information to add the
appliance as a syslog server.
If you are using Deep Discovery Director - Network Analytics as a Service, the settings that can be
configured include the following:
Correlation Overview
Deep Discovery Director - Network Analytics correlates the following information:
• Internet Protocol (IP) addresses
• Domain Names
• SHA1 values
• Uniform Resource Locator (URL)
Correlation is based on Deep Discovery Inspector detection events and on metadata coming from Deep
Discovery Inspector. Deep Discovery Director - Network Analytics correlates and displays (via
Correlated Events on Deep Discovery Director) only those events that it determines are worth an
administrator's attention, thereby saving the administrator's time.
Deep Discovery Director - Network Analytics shows a correlated event if the overall risk assessment is
7 or above (7 is medium; 8, 9 and 10 are high).
Deep Discovery Director - Network Analytics can raise, lower or leave unchanged an event's risk
value based on multiple events or the VirusTotal score.
Metadata Samples
Correlation in Deep Discovery Director - Network Analytics is done based on metadata coming from
Deep Discovery Inspector for the following protocols: HTTP, FTP, File Transfer, FTP Response, RDP,
SMTP, Kerberos, SMB and SMB2.
For example:
HTTP
• All headers incl. malformed
• Response codes (20x, 30x, 40x)
• SHA-1 of files downloaded
• SHA-1 of files uploaded
• All transactions in each session
• Info of each transaction
• Session duration (time)
• TCP (sport, dport, total data, etc)
• IP (src, dst, protocol)
• MAC (src, dst)
HTTPS
• All certificate information
• Amount of data transferred
• Duration of the session
• TCP (sport, dport, total data, etc)
SMTP
• Sender, recipient list
• SHA-1 of all attachments
• True file type, subtype, filename
• Extracted URLs from attachment
• Extracted URLs from body
• Mime-type
• Subject
• Amount of data transferred
• Duration of the session
• Content-encoding-type
Note: Not all events detected by Deep Discovery Inspector are listed on the Correlated
Events screen. Deep Discovery Director - Network Analytics (the appliance) creates correlated
data only for detection events it determines to be high risk, where advanced analytics are of
special interest to administrators and can help with advanced analysis of threats.
There are several reasons why an event might be listed on the Affected Hosts screen or the Network
Detections screen but not on the Correlated Events screen:
• The appliance determined that the detected event was not high risk.
• There are no correlations for that particular event.
• There are correlations for a particular event, but the appliance is still processing and
correlating the event.
There is a certain delay between when Deep Discovery Director lists a detection in the Network
Detections or Affected Hosts screens and when the Correlation Data icon is visible on the Correlated
Events screen (if it is determined high risk). Generally the delay is 10-15 minutes, but can be up to 30
minutes under heavy load.
The process for viewing correlated data from the correlated events includes the following:
1 Log on to the Deep Discovery Director web console.
2 Go to Detections > Correlated Events. The Correlated Events screen opens, which displays the list
of detections with correlated events for the specified time period.
You can also optionally change the time period to see more or fewer correlated events. If no
events are displayed for the selected time period, increase the time period until you can see
correlated events.
3 Additional filters can also be used to filter the results displayed in the Correlated Events screen
to make selection of the desired correlation data easier. (See the Deep Discovery Director
Administrator's Guide for more information.)
4 Click on the Correlation Data icon ( ).
This will open the Correlation Data screen which can be used for advanced analysis and to view
threat histories for detected threats. This will be discussed next.
Risk Summary
• The attack pattern for the correlated event or suspicious object selected in Deep
Discovery Director.
• Risk assigned by Deep Discovery Director - Network Analytics to the event and related
correlations. Deep Discovery Director - Network Analytics uses a number of factors to
assign risk, including proprietary risk analysis.
Activity Summary
• Identifies which hosts are involved in the suspicious or malicious activity. Activity might
be between internal hosts and external servers or might include lateral activity between
internal hosts. Internal hosts are defined by the Trusted Internal Networks list that you
configured during setup. For Deep Discovery Director - Network Analytics to provide an
accurate analysis of correlation data, it is important to enter your internal networks and
hosts in the Trusted Internal Networks list.
• Identifies the malicious activities found in the correlation data.
• Identifies protocols involved in the transactions that are part of the correlation data.
• Can include information about additional hosts that participated in the suspicious
activity.
• Can include information about suspicious objects when viewing correlation data for
suspicious objects.
• Each unique summary is generated from the dynamically created data in the Correlation
Data screen.
3 Review more detailed summary data by clicking on Show detection history. The detection history
provides the following information:
Start IP Address
• Displays the IP address found in the Interested IP field of the correlated event selected in
Deep Discovery Director
• The detection history for suspicious objects does not contain a start IP address entry.
The Summary Details section identifies key activities for the internal host and external server
participants in the graph. Activities vary for each specific correlation data graph.
• Can include activities similar to the following: Lateral Activity, Detected Event, C&C
Activity, and Malicious Download
• Actions correspond to “Reason” in Deep Discovery Inspector logs.
• Summary details shown are log event entries sent by Deep Discovery Inspector for
correlated events.
The Correlation Data Graph is a visual representation of correlations made between the correlated
event or suspicious object selected in the Deep Discovery Director and other related events as they
occurred over time.
Playback Bar
From the main screen, you can perform the initial analysis by clicking on the playback bar
located in the top left-hand corner of the page, to view the time line for the correlated events.
Deep Discovery Director - Network Analytics draws the oldest correlation event first and
continues through to the latest correlation.
Correlation Line
• All the lines (thick bars) are called Correlation Lines. These provide a visual
representation of correlations made between the correlated event (or suspicious object)
selected in Deep Discovery Director and other related events as they occur over time.
• Each correlation line represents one or more transactions between hosts.
• Correlation lines can be between an internal host and external server or between two
internal hosts (lateral correlations).
• The thickness of the line is proportionate to the number of transactions occurring
between the hosts.
• The circular icon embedded in each line displays the number of transactions associated
with each correlation.
• You can additionally hover over a line to see more details about that Correlation.
Internal Hosts
Internal hosts are members of the trusted internal networks list that was configured while
deploying Deep Discovery Director – Network Analytics.
• Internal hosts are identified by IP address; the hostname and logged-on user (if known) are
displayed for each internal host
• Icons representing relevant information might be displayed next to an internal host. One
example you can see here is the priority watch list icon, which looks like a red eye.
• The activity legend at the top-left identifies key activities for internal hosts. This includes
the method of attack, whether the detection was found by Machine Learning, whether
this was the Deep Discovery Inspector trigger event, and so on.
• If an endpoint analysis report exists for an internal host, the “Endpoint Analysis Report”
icon is displayed below the internal host IP address.
• Clicking on the icon opens the endpoint analysis report as follows:
External Hosts
External hosts are any hosts that are NOT members of the trusted internal networks lists.
• The IP address and domain name (if known) are displayed for each external host
• Other relevant information might be displayed for external hosts. For example, if the host
is a member of a registered service list, the graph displays the appropriate icon.
• The activity legend at the top-right identifies key activities for the external hosts,
including the method of the attack
Transaction Data
The Transaction Data section (located below the graph) provides details about each transaction
included in the correlations from the Correlation Data Graph section. The oldest transactions are
listed first.
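The following added Python example (not Trend Micro code, and not the appliance's proprietary risk analysis) reproduces the correlation idea from the Correlation Overview and Correlation Data sections on constructed Deep Discovery Inspector detection events and metadata records: it links records that share an IP, domain, SHA-1 or URL, classifies hosts with an assumed Trusted Internal Networks list, applies the risk-7 display threshold, and reports the first point of entry, affected internal hosts, C&C addresses and the correlation lines of the graph. All addresses, digests, timestamps and the host-expansion heuristic are constructed assumptions.

```python
"""Added example (not Trend Micro code, not the appliance's proprietary risk
analysis): correlation as the page describes it, over constructed DDI detection
events and protocol metadata. Records link on a shared IP, domain, SHA-1 or URL;
hosts are classified with a trusted internal networks list."""
import ipaddress
from collections import Counter

TRUSTED_INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]  # assumed
DISPLAY_THRESHOLD = 7  # the page: correlated events are shown at overall risk 7 and above
SHA1_A = "3f786850e387550fdab836ed7e6dc881de23001b"  # constructed sample digest

# Constructed DDI detection events; "reason" mirrors the DDI log Reason field.
DETECTIONS = [
    {"time": "09:00:00", "src": "10.1.2.50", "dst": "203.0.113.5", "risk": 8,
     "reason": "Malicious Download",
     "ioc": {"url:http://dl.example.net/setup.exe", "sha1:" + SHA1_A}},
    {"time": "09:20:00", "src": "10.1.2.50", "dst": "198.51.100.9", "risk": 9,
     "reason": "C&C Callback", "ioc": {"domain:c2.example.net"}},
    {"time": "09:40:00", "src": "10.1.2.50", "dst": "10.1.2.77", "risk": 5,
     "reason": "Lateral Activity", "ioc": {"sha1:" + SHA1_A}},
    {"time": "10:00:00", "src": "10.5.0.3", "dst": "203.0.113.88", "risk": 8,
     "reason": "Malicious Download", "ioc": {"sha1:" + "9" * 40}},  # no metadata matches
]

# Constructed protocol metadata records (HTTP, HTTPS, SMB2 and SMTP sessions).
METADATA = [
    {"time": "08:59:58", "proto": "HTTP", "src": "10.1.2.50", "dst": "203.0.113.5",
     "ioc": {"url:http://dl.example.net/setup.exe", "sha1:" + SHA1_A}},
    {"time": "09:05:00", "proto": "HTTP", "src": "10.1.2.50", "dst": "198.51.100.9",
     "ioc": {"domain:c2.example.net"}},
    {"time": "09:10:00", "proto": "HTTP", "src": "10.1.2.50", "dst": "198.51.100.9",
     "ioc": {"domain:c2.example.net"}},
    {"time": "09:30:00", "proto": "HTTPS", "src": "10.1.2.50", "dst": "93.184.216.34",
     "ioc": {"domain:www.example.com"}},  # benign session, shares nothing
    {"time": "09:41:00", "proto": "SMB2", "src": "10.1.2.50", "dst": "10.1.2.77",
     "ioc": {"sha1:" + SHA1_A}},  # lateral copy of the downloaded file
    {"time": "09:50:00", "proto": "HTTP", "src": "10.1.2.77", "dst": "198.51.100.9",
     "ioc": {"domain:c2.example.net"}},  # second host calls home
    {"time": "10:05:00", "proto": "SMTP", "src": "10.9.9.9", "dst": "10.9.9.10",
     "ioc": {"sha1:" + "b" * 40}},  # unrelated internal mail
]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_INTERNAL)


def internal_hosts(rec):
    return {h for h in (rec["src"], rec["dst"]) if is_internal(h)}


def iocs(rec):
    """Indicator set of a record: its listed IoCs plus the destination IP."""
    return rec["ioc"] | {"ip:" + rec["dst"]}


def correlate(trigger, detections, metadata):
    """Grow the set of related detections and transactions from one trigger.
    A detection joins on a shared indicator or when its source host is already
    in the story; a metadata record joins only on a shared indicator."""
    known, hosts = set(iocs(trigger)), {trigger["src"]}
    linked_dets, linked_txns = [], []
    changed = True
    while changed:
        changed = False
        for det in detections:
            if det not in linked_dets and (det["src"] in hosts or iocs(det) & known):
                linked_dets.append(det)
                known |= iocs(det)
                hosts |= internal_hosts(det)
                changed = True
        for txn in metadata:
            if txn not in linked_txns and iocs(txn) & known:
                linked_txns.append(txn)
                hosts |= internal_hosts(txn)
                changed = True
    return linked_dets, sorted(linked_txns, key=lambda t: t["time"])


def correlation_lines(txns):
    """One line per host pair: thickness is the transaction count, and a line
    between two internal hosts is a lateral correlation."""
    counts = Counter((t["src"], t["dst"]) for t in txns)
    return {pair: {"transactions": n, "lateral": is_internal(pair[0]) and is_internal(pair[1])}
            for pair, n in counts.items()}


def summarize(trigger, detections=DETECTIONS, metadata=METADATA):
    """Risk Summary for one trigger, or None when it has no correlations."""
    dets, txns = correlate(trigger, detections, metadata)
    if not txns:
        return None
    entry = txns[0]  # the oldest linked transaction is the point of entry
    return {
        "first_point_of_entry": (entry["time"], entry["src"], entry["dst"], entry["proto"]),
        "affected_internal_hosts": sorted(set().union(*map(internal_hosts, txns))),
        "cnc_addresses": sorted({d["dst"] for d in dets if d["reason"] == "C&C Callback"}),
        "lines": correlation_lines(txns),
    }


def correlated_events(detections=DETECTIONS, metadata=METADATA):
    """What the Correlated Events screen lists: triggers at or above the display
    threshold that actually have correlations (others stay on Network Detections)."""
    summaries = (summarize(d, detections, metadata)
                 for d in detections if d["risk"] >= DISPLAY_THRESHOLD)
    return [s for s in summaries if s is not None]
```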
Lesson Objectives:
In the modern data center, more and more security breaches are a result of advanced targeted attacks
using techniques such as phishing and spear-phishing. In these cases, malware writers can bypass
traditional malware scanners by creating malware specifically targeted for your environment. To enhance
malware protection for new and emerging threats Deep Discovery Inspector can be integrated into a
Connected Threat Defense system.
Trend Micro Connected Threat Defense allows multiple Trend Micro products to share threat information
and analysis across multiple layers of protection critical to defending against targeted attacks.
[Figure: the Connected Threat Defense cycle: Detect, Respond, Protect.]
Detect
Components of the Connected Threat Defense detect advanced malware, behavior and
communications invisible to standard defenses.
• Spot advanced malware not detected and blocked by the first stage
• Discover APT back door agents, botnets and compromised devices inside the network
• Out-of-band network traffic inspection via port mirroring supporting VLAN, TAP and ERSPAN
• Real-time detection and built-in reports provide visibility of malicious network activities and
compromised IP addresses (devices on the network)
• Advanced threat detection across layer 2 through 7 of the OSI model
• More than 100 supported protocols, including HTTP, FTP, SMTP, SNMP, IM, IRC, DNS, P2P, SMB
and database protocols
The Detect tier also includes CUSTOM SANDBOXING. When one of the techniques from the Protect
tier finds something suspicious, the item is automatically submitted to a customized virtual
sandbox. You can optimize detection because the sandbox mirrors your own system configurations,
ensuring accurate analysis. When the suspicious content is safely executed within the virtual
sandbox, you will be able to determine its potential impact and whether it is, in fact, malicious. Threat
simulation occurs within sandboxes to reveal malicious APT actions without relying on malware
signatures.
Respond
Once you have detected a threat, you must be able to respond quickly. The Respond phase delivers
real-time signatures and security updates to the other tiers to prevent future attacks, identify root
cause and speed up remediation. This tier relies on findings from the Detect tier. If an attack is detected in
that tier, targeted intelligence covering malicious files, IP addresses, and C&C communications is
shared with the Protect tier to deliver real-time protection. The next time these objects are
encountered they can automatically be blocked, delivering on the benefit of Connected Threat
Defense. This tier also includes Remediation, which is the ability to automatically clean computers of
file-based and network viruses, as well as virus and worm remnants.
Protect
The Protect tier pro-actively protects your networks, endpoints, and hybrid cloud environments. No
single technique can protect all threats, so incorporating multiple techniques ensures the broadest
range of threat protection. Trend Micro solutions incorporate many protection technologies such as
anti-malware, behavior monitoring, intrusion prevention, white-listing, application control, encryption
and data loss prevention. Despite the strength of its techniques, the Protect tier will not block 100
percent of malware or attacks. That is why the Detect tier employs techniques that will help you to
detect advanced malware, malicious behavior, and communications that are invisible to standard
defenses. This tier is particularly strong at detecting zero-day attacks, command and control (C&C)
communications, and advanced persistent threats.
The following sections will discuss how Connected Threat Defense works to provide threat sharing,
improved visibility on when threats are taking place, and what has happened post-attack.
Post-attack investigation is playing a bigger role in Connected Threat Defense, and as Trend Micro
Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) are added, this
capability greatly increases. XDR extends detection and response beyond the endpoint to offer broader
visibility and expert security analytics, leading to more detections and an earlier, faster response.
Threat intelligence sharing is at the core of Connected Threat Defense, and this can be achieved using
different combinations and configurations of products depending on which security features are
required.
The following are different products that can be implemented for Connected Threat Defense depending
on your particular setup and requirements:
• Trend Micro Apex Central*
• Product to submit threat intelligence or SO
- Mail (SMEX, CAS, IMSVA, HES, DDEI)
- Endpoint (APEX,OSCE, DS, EPS)
- Web (IWSVA)
- Network (DDI)
To verify Connected Threat Defense compatibility for your specific Trend Micro product, refer to the
Trend Micro web site. Some additional interoperability information is summarized below:
Later in this training, we will look at different Connected Threat Defense setups and configurations that
can be used to support different case scenarios.
[Figure: Connected Threat Defense architecture. Components shown: Gateway Security (DDEI, IMSVA), Sandbox Cluster (Deep Discovery Analyzer), Server Security (application servers, web servers), Management (Smart Protection Server), Endpoint Security, Exchange Security (TMES, SMEX), Continuous Network Monitoring (Deep Discovery Inspector with SPAN feeds) and the Dirty Internet. Flows shown: Component Updates, Suspicious Samples, Suspicious URLs and Suspicious Objects.]
Gateway Security
• DDEI – Deep Discovery Email Inspector provides in-line email sandboxing security to help
detect, analyze and prevent phishing campaigns and advanced malware
• IMSVA – InterScan Messaging Security Virtual Appliance provides in-line email content
filtering including SPAM, AV and DLP technology
• IWSVA – InterScan Web Security Virtual Appliance provides in-line web content filtering,
including URL filtering, AV and DLP technology
• IPS – Intrusion Prevention (TippingPoint) provides real-time, in-line network enforcement
against threats with low latency
Endpoint Security
• Apex One provides layered endpoint security including technology such as Machine
Learning, Behavioral analysis and traditional techniques such as Anti-Malware
Server Security
• Deep Security 10 provides server security across virtual, physical and cloud infrastructures,
all from a single management platform, providing technology such as Vulnerability Patching,
Anti-Malware, Web Reputation and others
Exchange\Domino Security
• ScanMail for Exchange\Domino provides internal email security to help identify potential
threats within your email infrastructure
Management
• DDAN – Deep Discovery Analyzer provides central custom sandboxing analytics to all
other Trend Micro Connected Threat Defense Components
• Apex Central (formerly Control Manager) provides central visibility of all Connected
Threat Defense components, providing single sign on, but most importantly it plays a
vital role in distributing Suspicious Objects to all connected Trend Micro threat security
components to prevent advanced malware spreading
• Apex One (formerly OfficeScan XG) provides management of all Apex One Agents; it is
also responsible for submitting suspicious samples to the Deep Discovery Analyzer for
further analysis
• Deep Security 10 provides management of all DS 10 agents, and as with the Apex Central,
it is responsible for submitting suspicious samples to Deep Discovery Analyzer
• SMS - Security Management System which allows management of our IPS appliances
from a single interface, in addition to central management the SMS also provides central
reporting and event management
However, if Deep Discovery Inspector is registered to both Apex Central and Deep Discovery Director,
Deep Discovery Director will take precedence. This means that once Deep Discovery Inspector is
registered with Deep Discovery Director, Deep Discovery Inspector will stop synchronizing suspicious
objects with Apex Central and will begin synchronizing with Deep Discovery Director from this point
forward.
In this situation, you should ensure that you configure synchronization of the Suspicious Objects
between Deep Discovery Director and Apex Central. This is important for Connected Threat Defense,
since this will allow Apex Central to synchronize these objects with other products in your protection
tier, such as Apex One, Deep Security or SMEX.
In this scenario, the Deep Discovery Inspector is monitoring east-west traffic. The process flow is
described below.
[Figure: components shown: DMZ, Mail Gateway, Web Gateway, TippingPoint, Deep Security Manager and Deep Security Agents, Deep Discovery Inspector, Apex Central, Apex One Server and Apex One Agents, Third-Party.]
3 Apex Central shares the Suspicious Object with other products configured to use and receive
Suspicious Objects. For example as shown here, Mail Gateways, Web Gateways, Deep Security
Manager and Apex One Server.
4 The Deep Security Manager and Apex One Server will share the Suspicious Objects with Deep
Security Agents and Apex One agents.
In this example, Deep Discovery Inspector is submitting a suspicious object to the external
sandbox on Deep Discovery Analyzer. The process flow is described below.
[Figure: components shown: DMZ, Mail Gateway, Web Gateway, TippingPoint, Apex Central, Apex One Server and Apex One Agents, Local SMTP.]
In this example we are looking at a scenario where InterScan Messaging Security Virtual
Appliance (IMSVA) or ScanMail for Exchange (SMEX) is connected to Deep Discovery Analyzer.
The process flow is described below.
[Figure: components shown: DMZ, Mail Gateway, Web Gateway, TippingPoint, Deep Security Manager and Deep Security Agents, Apex Central, Apex One Server and Apex One Agents, Deep Discovery Inspector, Deep Discovery Analyzer.]
1 The threat email is picked up by the ATSE, and held locally until a sandbox analysis can be
obtained.
2 The Suspicious Object, meanwhile, is sent to Deep Discovery Analyzer. If the submission result is
negative, the email is released and delivered. If the result is positive (contains a
Suspicious Object), the object is shared with Apex Central and the mail is not delivered.
3 Apex Central shares the Suspicious Object with the other security servers.
4 The managed servers, such as Deep Security Manager and Apex One, share the Suspicious Object
with the Security Agents (Apex One and Deep Security Agents).
SMTP/Cloud
In this example, Connected Threat Defense is used in the cloud. In this case, the process flow
is as follows:
[Figure: components shown: Cloud App Security, Cloud Sandbox, Apex One SaaS, Apex One Agents, Cloud DMZ.]
1 Cloud App Security detects a threat and sends the suspicious file to the Cloud Sandbox.
2 Next, the Cloud Sandbox sends the Suspicious Object to Apex One SaaS.
3 Apex One SaaS shares the Suspicious Object list with the Apex One Agents.
In this scenario, Deep Discovery Analyzer and Deep Discovery Inspector are connected to a Deep
Discovery Director. The process flow is as follows.
[Figure: components shown: DMZ, Mail Gateway, Web Gateway, TippingPoint, Apex Central, Apex One Server and Apex One Agents, Third-Party, Deep Discovery Director, Deep Discovery Analyzer.]
1 First, the Deep Discovery Inspector sends the file to the Deep Discovery Analyzer.
2 Deep Discovery Analyzer then sends the Suspicious Object information to Deep Discovery
Director.
3 Deep Discovery Director then sends the Suspicious Object information to the other Deep
Discovery products and it also sends the Suspicious Object information to Apex Central.
4 Next, Apex Central sends the Suspicious Object to other products accepting Suspicious Objects.
5 Security Agents then receive the Suspicious Object information from Deep Security Manager and
Apex One Server.
XDR for users can also be added into Connected Threat Defense as illustrated in the following
scenario. In this case, the process flow for Connected Threat Defense is the following.
[Figure: components shown: DMZ, Cloud App Security, Cloud Sandbox, Apex One SaaS, Apex One Agents.]
1 Cloud App Security (CAS) and the endpoints have detected an advanced threat.
2 The Suspicious Object is then sent to Apex One SaaS from the Apex One Agent.
3 From here the object is then sent to the Cloud Sandbox.
4 Apex One SaaS shares the object with the Apex One Agents and Cloud App Security.
5 The user can now start an investigation into the threat to determine whether it has been seen
in the mail system, how many other endpoints have encountered the Suspicious Object, and so on.
6 This can be passed on to the security team, who can investigate further to provide a system-level
view of what happened when the file was run, what impact it had, and so on.
Managed products that integrate with a Virtual Analyzer submit suspicious files or URLs to
Virtual Analyzer for analysis. If Virtual Analyzer determines that an object is a possible threat,
Virtual Analyzer adds the object to the Suspicious Object list. Virtual Analyzer then sends the list
to its registered Apex Central server for consolidation and synchronization purposes.
Apex Central provides different ways to protect against suspicious objects not yet identified
within your network. You can use the User-Defined Suspicious Object list or import indicators
from Open Indicators of Compromise (OpenIOC) or STIX files to take proactive actions on
suspicious threats identified by external sources. This will be explained in more detail later.
From the list of Virtual Analyzer suspicious objects, you can select objects that are considered
safe and then add them to an exception list. Apex Central sends the exception list to the Virtual
Analyzers (except for Apex One Sandbox as a Service) that subscribe to the list. When a Virtual
Analyzer detects a suspicious object that is in the exception list, the Virtual Analyzer considers
the object as “safe” and does not analyze the object again.
When Deep Discovery Analyzer discovers suspicious objects through the sandbox analysis of a file, it can
send information about the object (SHA-1, URL, IP, Domain) to Deep Discovery Director (or Apex Central)
for local sharing.
Deep Discovery Director (or Apex Central) can also send the Suspicious Object List, along with executable
files, to the Trend Micro Smart Protection Network.
Trend Micro will validate the suspicious objects within a maximum of 6 hours. If suspicious objects are
found to be malicious they will be added to Smart Protection Network and all products which integrate
with the network can leverage this information.
Trend Micro products, including Apex One and Deep Security, synchronize with Apex Central to obtain
updated Suspicious Object Lists.
- Apex One
- Deep Discovery Analyzer (with a customized sandbox already imported)
- Deep Discovery Endpoint Sensor
· For Endpoint Detection and Response (EDR) functionality
3 (OPTIONAL) Add any contributing features:
- Trend Micro Smart Protection Server (C&C URL)
- IOC rules
Customizable data displays provide the visibility and situational awareness for administrators to
rapidly assess status, identify threats, and respond to incidents. Administration can be streamlined to
achieve more consistent policy enforcement with single-click deployment of data protection policies
across endpoint, messaging, and gateway solutions.
User-based visibility shows what is happening across all endpoints owned by users, enabling
administrators to review policy status and make changes across all user devices.
In the event of a threat outbreak, administrators have a central access point with complete visibility of
the environment to track how threats have spread.
With a better understanding of security events, it becomes easier to prevent them from reoccurring.
Direct links to the Trend Micro Threat Connect database provide access to actionable threat intelligence,
which allows administrators to explore the complex relationships between malware instances,
creators, and deployment methods. Apex Central is then able to apply policy on how these suspicious
objects should be treated.
Deep Discovery Inspector sends suspicious objects to Apex Central and can also retrieve them from it.
The Dashboard in the Apex Central web console provides the status summary for the entire Apex
Central network.
In order for Deep Discovery Inspector to retrieve and synchronize suspicious objects from Trend
Micro Apex Central, Deep Discovery Inspector must be added to Trend Micro Apex Central as a
managed server.
To complete the Deep Discovery Inspector registration process with Apex Central perform the
following steps:
1 Go to Administration > Integrated Products/Services > Apex Central.
2 Under Connection Settings, specify the name that identifies Deep Discovery Inspector in the
Apex Central Product Directory.
3 Configure Apex Central Server Settings, including the Apex Central server FQDN or IP address
and port numbers.
4 Under Suspicious Object Synchronization, select Synchronize suspicious objects with Apex
Central, and type the API Key.
5 Click Test Connection to verify that Deep Discovery Inspector can connect to the Apex Central
server.
Note: In Deep Discovery Inspector 5.1, suspicious object lists will be synced every 5 minutes.
For Deep Discovery Inspector 5.1 and higher versions, suspicious object lists will be synced
every 20 seconds.
In the Agent Settings section, verify that URL, IP and File and Domain are all enabled.
2 Click Test Connection. A success message should be displayed in the console window.
3 Click Save. In the Agent Management list, right-click a domain or an Agent and click
Settings > Sample Submission.
4 Click to Enable suspicious file submission to Virtual Analyzer and click Save.
3 Type the details of the Deep Discovery Analyzer device and click Save.
Adding Deep Discovery Analyzer to the Apex Central Product Directory List
In the Apex Central Web Management console, add the Deep Discovery Analyzer to the Product
Directories list.
1 In the Apex Central Web Management console, click Directories > Products and click Directory
Management.
2 Expand the New Entity folder. Drag the Analyzer device from New Entity folder to the previously
created Trend Micro Servers folder.
The Deep Discovery Analyzer should be displayed in the Trend Micro Servers folder.
Other Indicators of Compromise (IOC) may also be manually configured and sent to Apex Central (or
Deep Discovery Director if it has been deployed in your environment).
Trend Micro products, including Apex One and Deep Security, sync with Apex Central to obtain updated
Suspicious Object Lists.
Note: If Deep Discovery Inspector is registered with Deep Discovery Director, Deep Discovery Inspector
will stop synchronizing with Apex Central and will instead synchronize with Deep Discovery
Director.
The Suspicious Objects list can be viewed in the Apex Central web console under Threat Intel > Virtual
Analyzer Suspicious Objects.
From here, you can view the entire handling process information, by selecting a Suspicious Object from
the Virtual Analyzer Suspicious Objects list and then clicking View from the Handling Process column as
follows.
In the following sections we will review the handling process for each suspicious object. The process is
broken down into the following phases as seen in the web console:
• Sample Submission
• Analysis
• Distribution
• Impact Analysis & Mitigation
Sample Submission
To view the Virtual Analyzer Sample Submission details for a Suspicious Object select the Sample
Submission tab as follows:
Apex One Sandbox as a Service does not provide Sample Submission information.
Apex One and other Trend Micro products use administrator-configured file submission rules to
determine the samples to submit to Virtual Analyzer.
Analysis
Deep Discovery Analyzer tracks and analyzes the submitted samples. Deep Discovery Analyzer flags
suspicious objects based on their potential to expose systems to danger or loss. Supported objects
include files (SHA-1 hash values), IP addresses, domains, and URLs. The Analysis tab provides the
following details about the Suspicious Object.
Distribution
Apex Central consolidates Virtual Analyzer and user-defined suspicious objects (excluding
exceptions) and sends them to other managed products. These products synchronize and use all or
some of these objects.
Apex Central administrators can select objects from the list of suspicious objects that are
considered safe and then add them to an exception list. Apex Central sends the exception list
back to the products integrated with Virtual Analyzer.
If a suspicious object from a managed product matches an object in the exception list, the
product no longer sends it to Apex Central.
Apex Central administrators can also add customized suspicious objects that they consider
suspicious but are not currently in the list of Virtual Analyzer suspicious objects.
Scan Actions
In Apex Central, you should configure scan actions (log, block, or quarantine) against suspicious
objects that affect computers.
Block and quarantine actions are considered active actions, while the log action is considered
passive.
• If products take an active action, Apex Central declares the affected computers as
mitigated.
• If the action is passive, computers are declared at risk.
Scan actions are configured separately for Virtual Analyzer and user-defined suspicious objects.
The Virtual Analyzer Suspicious Object (VASO) scan action settings that can be configured are
shown below. Each object type can either be set to log or block and with File Objects you
additionally have the option to quarantine.
Apex Central automatically deploys the actions to the managed products using one of the
following conditions:
• Apply the scan action to All future objects
• Apply the scan action to All present and future objects
In Apex Central, you also have the ability to configure separate scan actions for the User-Defined
Suspicious Objects. Each user-defined object type can either be set to log or block, and with File
objects you additionally have the option to quarantine. The different objects types are as follows:
You can similarly configure scan actions for any STIX and OpenIOC suspicious objects that are
added.
Security agents perform active scan actions against suspicious objects as defined in Apex Central.
For example, in this case the Scan Action configured is Block.
As mentioned earlier, when the scan action configured in Apex Central and deployed to Security
Agents is Block or Quarantine, the affected computers are considered mitigated. Managed servers
such as Apex One will retrieve the Suspicious Object list from Apex Central on a regular basis. An
administrator can also trigger the retrieval of the list manually. The Security Agents will obtain the
Suspicious Objects List from the managed server on its next update.
Based on the above example, when the Security Agent encounters this suspicious object in the future,
a suspicious file violation will be displayed.
Apex Central also checks Web Reputation, URL filtering, network content inspection, and rule-based
detection logs received from all managed products and then compares them with its list of suspicious
objects. If there is a match from a specific computer and the managed product takes an active action
such as Block, Delete, or Quarantine, Apex Central treats the computer as mitigated.
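The rules described in the Distribution, Scan Actions and impact paragraphs above, worked through as an added example (this is a model written for this page, not Apex Central code): exceptions are dropped before distribution, quarantine is accepted only for File objects, and product logs are matched against the distributed list to declare computers mitigated or at risk. All hashes, addresses, host names and detection records are constructed for the demonstration.

```python
"""Model of Apex Central suspicious object handling, from distribution to impact.

Added example, not Trend Micro code: encodes the rules in the text above and
runs them over constructed detection records. Every hash, address and host
name below is invented for the demonstration.
"""
import re
from dataclasses import dataclass

OBJECT_TYPES = ("file", "ip", "domain", "url")       # file objects are SHA-1 hashes
ACTIVE_ACTIONS = {"block", "quarantine", "delete"}    # "delete" is reported by some products
PASSIVE_ACTIONS = {"log"}


@dataclass(frozen=True)
class SuspiciousObject:
    kind: str
    value: str  # SHA-1 hex digest for files; address, name or URL otherwise

    def __post_init__(self):
        if self.kind not in OBJECT_TYPES:
            raise ValueError(f"unknown suspicious object type {self.kind!r}")
        if self.kind == "file" and not re.fullmatch(r"[0-9a-fA-F]{40}", self.value):
            raise ValueError("file objects must be SHA-1 hashes")
        object.__setattr__(self, "value", self.value.lower())  # case-insensitive match


def consolidate(virtual_analyzer, user_defined, exceptions):
    """Merge VA and user-defined objects; anything on the exception list is dropped."""
    excluded = set(exceptions)
    return {so for so in (*virtual_analyzer, *user_defined) if so not in excluded}


def validate_scan_actions(actions):
    """Every type needs log or block; quarantine is valid for file objects only."""
    for kind in OBJECT_TYPES:
        action = actions.get(kind)
        allowed = {"log", "block", "quarantine"} if kind == "file" else {"log", "block"}
        if action not in allowed:
            raise ValueError(f"scan action {action!r} is not valid for {kind} objects")
    return actions


def assess_impact(distributed, detections):
    """Compare product logs with the distributed list: active action => mitigated.

    Summary rule used by this example (the product states the outcome per action):
    a computer is 'mitigated' when every matched object was handled actively and
    'at risk' if any match was only logged. Logs for unlisted objects are ignored.
    """
    status = {}
    for det in detections:
        obj = SuspiciousObject(det["type"], det["object"])
        if obj not in distributed:
            continue
        action = det["action"].lower()
        if action in ACTIVE_ACTIONS:
            status.setdefault(det["computer"], "mitigated")
        elif action in PASSIVE_ACTIONS:
            status[det["computer"]] = "at risk"
        else:
            raise ValueError(f"unknown scan action {action!r}")
    return status


# --- constructed demo data (not real indicators) ---------------------------
FAKE_SHA1 = "0123456789abcdef0123456789abcdef01234567"
VA_OBJECTS = [SuspiciousObject("file", FAKE_SHA1),
              SuspiciousObject("ip", "198.51.100.23"),
              SuspiciousObject("domain", "updates.example"),
              SuspiciousObject("url", "http://malicious.example/payload")]
UDSO = [SuspiciousObject("ip", "203.0.113.9")]                # added by an administrator
EXCEPTIONS = [SuspiciousObject("domain", "updates.example")]  # judged safe, never distributed
SCAN_ACTIONS = {"file": "quarantine", "ip": "block", "domain": "block", "url": "log"}
DETECTIONS = [  # logs received from managed products
    {"computer": "ws01", "type": "file", "object": FAKE_SHA1.upper(), "action": "Quarantine"},
    {"computer": "ws02", "type": "url", "object": "http://malicious.example/payload", "action": "Log"},
    {"computer": "ws03", "type": "domain", "object": "updates.example", "action": "Log"},
    {"computer": "ws04", "type": "ip", "object": "203.0.113.9", "action": "Block"},
    {"computer": "ws04", "type": "url", "object": "http://malicious.example/payload", "action": "Log"},
    {"computer": "ws05", "type": "ip", "object": "192.0.2.77", "action": "Block"},
]


def demo():
    """Run the whole flow on the constructed data and return the per-computer status."""
    validate_scan_actions(SCAN_ACTIONS)
    distributed = consolidate(VA_OBJECTS, UDSO, EXCEPTIONS)
    return assess_impact(distributed, DETECTIONS)
```

ws03 gets no status because its domain is on the exception list, and ws05 gets none because its address was never a suspicious object; ws04 ends up at risk despite the block, because its URL match was only logged.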
Note: Impact analysis requires a valid Apex One Endpoint Sensor license. Ensure that you have a valid
Apex One Endpoint Sensor license and enable the Enable Sensor feature for the appropriate
Apex One Security Agent or Apex One (Mac) policies. For more information, see the Apex Central
Widget and Policy Management Guide: http://docs.trendmicro.com/en-us/enterprise/apex-central-widget-and-policy-management-guide.aspx
Endpoint Isolation
Endpoint Isolation can be used in cases where an endpoint must be isolated from the network
because it poses a potential threat.
This functionality provides you with the ability to assess the impact of a threat without risking
further damage by the affected endpoint.
For Endpoint isolation, Apex One Security Agents MUST be installed on the target endpoints.
To deploy the Isolate task for an endpoint perform the following steps:
1 Find and select the infected endpoint.
2 Click the Task drop-down list, and select the option Isolate.
3 The following prompt will appear. To proceed with the endpoint isolation, click Isolate Endpoint.
Note: For endpoint isolation with Apex Central and OfficeScan Agents you MUST enable the OfficeScan
firewall. This is no longer a requirement if you are using Apex Central and Apex One Security
Agents.
Once the files are submitted, you can track the processing of the suspicious object through the Deep
Discovery Analyzer web console as described below.
1 Go to Virtual Analyzer > Submissions.
2 On the Processing tab, any submitted files currently being processed by Deep Discovery Analyzer
will be listed under today's date.
There will be some delay before the file is submitted to Deep Discovery Analyzer by the
product that is submitting the sample (for example, Deep Discovery Inspector or the Apex One server).
Once the submission has been processed, the entry will be displayed on the Completed tab.
There will be some delay while the file is processed.
Once the processing is complete, click Virtual Analyzer > Suspicious Objects. The object is now
visible in the list.
The suspicious object information from Deep Discovery Analyzer gets submitted to Apex Central
for addition to its Suspicious Objects List information. This can be viewed from Apex Central as
discussed earlier in this lesson.
Note: You may need to wait several minutes for the results of the analysis to be passed to Apex Central.
Note: Refer to the Deep Discovery Inspector Installation and Deployment Guide for Hyper-V setup and
configuration information, including:
- Creating a Virtual Machine in Microsoft Hyper-V
- Configuring traffic mirroring for:
- External Traffic
- Internal VM Traffic
This can be configured through the web console by navigating to: Administration > System
Settings > Network Interface. Specify an IP address to receive mirrored traffic (ERSPAN).
This can be configured using the Deep Discovery Inspector web console by navigating to
Administration > Integrated Products/Services > Deep Discovery Director.
Once you have registered to Deep Discovery Director using the Deep Discovery Inspector web
console, the Deep Discovery Director administrator will need to bind Deep Discovery Inspector to
Deep Discovery Director-Network Analytics as a Service using the Deep Discovery Director web
console.
The enabled Deep Discovery Inspector device will send its detection logs and network metadata to
Deep Discovery Director-Network Analytics as a Service for further analysis.
The Deep Discovery Inspector management web console provides automatic account lock after
multiple failed logon attempts. In the web console go to Administration > Accounts to configure
this setting.
After 5 failed logon attempts, local accounts are automatically locked. Locked accounts are
automatically unlocked after 10 minutes.
To manually unlock an account, select the account and click the Unlock button:
Note: MITRE information not available for TMUFE and ATSE detections.
- MITRE information that is included in the Virtual Analyzer Report appears as follows:
Note: There is support for 80 000 User-Defined Suspicious Objects (with a maximum of 40 000
UDSOs from Apex Central and 40 000 UDSOs from Deep Discovery Director). The expiration for
UDSOs is configurable and set through Deep Discovery Director.
Note: Use caution with rule 4142. Enabling this rule will detect every SSL handshake, which will
negatively impact the performance of Deep Discovery Inspector.
• New SNI hostname field added to the Protocol Information section of Detection Details page.
• Can only enable file retrieval after Deep Discovery Inspector is registered to Threat
Investigation Center successfully
• Legal agreement is required to enable this feature
ActiveUpdate Enhancement
• ActiveUpdate Security Enhancement:
- HTTPS server authentication check for global ActiveUpdate channel
- Download package integrity check for global ActiveUpdate and Apex Central
ActiveUpdate channels
- Force TLS 1.2 for global ActiveUpdate and Apex Central ActiveUpdate channels
• ActiveUpdate Phase Deployment:
- Phase deployment capability for ActiveUpdate is enabled for the global ActiveUpdate
channel and can be triggered on demand based on the Activation Code
• New File Type Support: .mht, .com (for Win x86 only)
• Support for the following operating systems and applications:
- Windows 10 RS4
- Windows 10 RS5
- Office 2019
• Significance of Notable Characteristics in the VA Report: shows each event's contribution to the
final rating:
Can Configure the Port to Use for Deep Discovery Director and Deep Discovery Analyzer
To support deployment where Deep Discovery Inspector is placed behind NAT, administrators have
the ability to configure a different port for Deep Discovery Director and Deep Discovery Analyzer.
Deep Discovery Director port setting (Administration > Integrated Products/Services > Deep
Discovery Director):
Deep Discovery Analyzer port setting (Administration > Virtual Analyzer > Setup ):
Rsniffer Enhancement
The Rsniffer traffic filter capability is provided (default port 88) in the Deep Discovery Inspector's internal
debug portal. Use it under the guidance of Trend Micro support if this is needed.
• Rsniffer is a daemon that connects to PCAP clients using the remote PCAP protocol. A PCAP
client receives an Rsniffer connection, sets up a PCAP filter and mirrors the traffic to
Rsniffer.
• Since the PCAP filter is hard-coded to use port 88, which is the Kerberos protocol port, this is not
ideal for interoperating with a MITRE framework.
Enhancements
• DDCloud agent enhancement for quota control and troubleshooting
• Operation enhancement by built-in OMSA & logstash packages
Integration Support
• Apex One as a Service
• Apex One On-premise
• vDDI-1000
• TMEMS
A reminder is shown on the web page if any integrated product cannot support TLS 1.2; this must be
resolved before enforcing the use of TLS 1.2.
– The checkbox is greyed out until the user has resolved all such issues
In version 6.5:
This release also provides enhanced Virtual Analyzer management to allow you to:
• Rename image groups
• View actual Virtual Analyzer instance count on the Virtual Analyzer Status widget and the
Sandbox Management screen
An additional license is required to enable DDD-NAaaS for network analytics. You will also need to
connect Deep Discovery Inspector with DDD-NAaaS to feed it network detections and metadata.
In this release of Deep Discovery Director, the web console includes the following configuration
settings for DDD-NAaaS:
• Domain exceptions
• Priority watch list
• Registered service
• Trusted internal network
Correlated event alerts obtained from Deep Discovery Director - Network Analytics can be viewed
from Deep Discovery Director.
Clicking the “play” button in the timeline bar shown above will launch an animation of the network
flow by time sequence.
The Root Cause Analysis reporting functionality provides you with visibility and tracking information
to perform your root cause analysis tasks to track the origin, path and patient-zero information of
detected threats. A sample Root Cause Analysis Report is shown here:
In Deep Discovery Director, you can view the endpoint root cause analysis report of hosts listed in
Network Analysis report.
Through account management, administrators can enable the permission for using the Web API. If the
account is later disabled, API capability will be removed.
The threat intelligence related functions that can be automated using the Web API include the
following:
• Import, export, list, delete, modify YARA files
• Import, export, list, delete STIX files
• Import, list, delete user-defined suspicious objects (UDSO)
• Import, list, delete exceptions
• Export, list command and control list
• Retrieve Virtual Analyzer report
• Retrieve PCAP of the specific network detection
OpenDXL support
Deep Discovery Director (Consolidated Mode) can now share threat intelligence data with other
products or services through OpenDXL. OpenDXL is an open-source version of Data Exchange Layer
(DXL), a framework that enables real-time security context sharing between products.
OpenDXL provides a way of interconnecting services to share the information needed for
making security decisions. This allows products to share security information collectively rather
than as individual security products. With OpenDXL, network, endpoint, mobile and other security
solutions can operate as one synchronized, adaptive security system that communicates and shares
information to make real-time, accurate security decisions.
Deep Discovery Director (Consolidated Mode) now provides access to view quarantined emails
from Deep Discovery Email Inspector according to login users’ domain privilege for taking
permitted actions including:
• Release emails directly.
• Resume scanning by DDEI.
• Delete emails directly.
Users can search quarantined emails by multiple criteria combined with the AND operator in the quarantined
email view.
Deep Discovery Director (Consolidated Mode) can now be used to manage the email queue of
registered Deep Discovery Email Inspector appliances. This provides a central view of the Deep
Discovery Email Inspector email queue according to the login user's Deep Discovery Email Inspector device
privilege for taking permitted actions. In this case an administrative user with the proper DDEI
privileges will be able to:
• Directly delete emails
• Directly deliver emails
• Reroute emails through another MTA server
End-User Quarantine
Deep Discovery Director (Consolidated Mode) now includes the End-User Quarantine (EUQ)
feature to improve spam management.
Note: While other tools can identify malware hashes and behaviors, ATT&CK is one of the more
comprehensive methods that can look at the actual malware components and lay them out in
detailed tactics and techniques that have been observed from millions of attacks on enterprise
networks. The acronym stands for Adversarial Tactics, Techniques, and Common Knowledge.
Central Reporting
• New Central Host Severity PDF report of network detections
• New Central Email Security PDF report of message detections
• Daily, weekly, and monthly schedule report available as well as manual generation
• Ability to choose all monitored hosts or the filter from the Affected Host view in the Host Severity
report. Additionally, the managed Deep Discovery Director device scope can be selected for
generated host severity PDF reports
• Option to determine criteria (inbound, outbound, or all emails) for Email Security Report as
well as the monitoring domains for email security PDF reports
- Enhanced Sankey graph with varying line widths indicating flow volume
Note: A Sankey graph is simply a visualization technique that displays flows. Several entities or nodes
are represented by shapes or text. Their links are represented with arrows or arcs that have a
width proportional to the importance of the flow.
- Timeline slider
- Flow sequence replay function
- Endpoint analysis report integration for suspicious hosts and priority watched hosts
- Deep Discovery Director can receive Deep Discovery Network Analytics correlation event
logs
- Deep Discovery Director can receive Deep Discovery Network Analytics RCA report tasks
• Machine Learning (Deep Learning) detections
• Data retention period 6 months (180 days)
• API based Deep Discovery Network Analytics as a Service on AWS
• New Deep Discovery Network Analytics as a Service license with bandwidth control
Trend Micro Threat Connect is a cloud expert service powered by the Trend Micro Global Intelligence
Network that is designed to provide Trend Micro enterprise customers with relevant and actionable
intelligence about threats.
Trend Micro Threat Connect shows correlated threat data such as: IP addresses, DNS domain names,
URLs, filenames, process names, Windows registry entries, file hashes, malware detections and malware
families. Deep Discovery Inspector logs each detection with relevant information about the threat. When
an administrator clicks on the provided Threat Connect link in the Deep Discovery Inspector detections
list, the Deep Discovery Inspector redirects the query to the Trend Micro Threat Connect portal. This
service is located at ddi50-threatconnect.trendmicro.com:443. Trend Micro Threat Connect is accessible
only through your Trend Micro product.
Based on detected threats, Trend Micro Threat Connect provides more correlated threat data that the
administrator can use to further assess the situation and take action on detected threats.
To connect to the Threat Connect portal to view information about a detected malicious file simply
perform the following procedure:
1 Log in to the Deep Discovery Inspector management console (https://<your-ddi-server>) as the
user admin.
2 Navigate to Detections > All Detections.
3 Within the list of detections, select the icon under the Details column for any malicious file
detected.
4 From the Detection Details page click View in Threat Connect. This will route you to the Trend
Micro Threat Connect portal landing page for that file.
Vendors use different names for the same threat. Threat Connect provides users the most common
name used for each malware family. The malware family name and other details of the malware can
be obtained from the description box shown on the right side of the Threat Web pane.
For example, TROJ_FAKEAV.SMVF and TROJ_FKEAV.SMEE both map to the malware family FAKEAV.
This saves analysts the effort of searching for the same threat under different names.
Characteristics that indicate relationships among malware include infection methods, propagation
methods, and symptoms exhibited by infected hosts. Malware functionality often converges because
authors create malicious code that exhibits similar observed behavior. Malware authors are also
known to share routines with each other.
A malware family is named by the entity that first identifies it, and security software vendors usually
adopt this given name. In some cases, however, vendors use different names for the same threat.
With the absence of an enforced malware naming standard, Threat Connect provides users the most
common name used for each malware family.
Threat Web
Threat Web provides a visual representation of the relationships between potential threats identified
in your detection and related suspicious objects in the Trend Micro threat databases. Each detection
object is displayed as a central node with direct connections to individual or groups of suspicious file
or network objects.
Threat Web displays relationships between objects in your detection and global threats analyzed by
Trend Micro in a controlled environment.
Vertical View
The vertical view section provides details of the current center node on Threat Web.
Here are samples of vertical view information on threat web nodes. The detection node provides
threat level and threat overview. Most information is from the Threat Encyclopedia.
For network objects, URL, domain, and IP, the vertical view provides the rating and category from
WRS.
For file objects, it provides the SHA-1 information sourced from Census, the first-seen and last-seen
dates, and the top countries and industries.
The targeted attack group node is a grouping mechanism related to information from the APT
knowledge base. Attack methodology and industry distribution are provided by Trend threat
experts.
Hover Action
You can hover over each connected object to obtain additional information and see associated
relationships. For example, this can show you the most prevalent items.
Export Data
Export the list of connections to obtain the information related to a specific threat (center node)
and take action with this information if required. For example, update the associated
vulnerabilities or block the related network objects through black listing.
The View report link directs you to the full report page where the entire report content can be
accessed. This will be covered in an upcoming section.
No Results Found
When no results are found, you can perform a Google search on the threat name.
Report Content
Threat Overview
Notable Characteristics
This section lists characteristics that are commonly associated with malware. This comes from
the Sandbox.
Threat Potential
Threat potential is categorized from the sandbox report. Threats are categorized based on specific
characteristics of behavior exhibited by samples during execution in a controlled environment.
Trend Micro threat researchers may also assign categories based on the historical behavior of
known threat families.
Detection Names
This section lists the names used by Trend Micro and other security vendors to identify the threat
by File Reputation Service.
Details Page
The Details page combines the information from each source related to the suspicious malware file.
Highlight the detection name to get census information.
The System Impact tab is broken down into Network Activities and System Modifications.
• Network Activities - This section summarizes the changes in network traffic after this
threat was executed in a controlled environment. Such information is critical because a
threat must engage in network activity in order to realize its goals. Links are provided to
reports about threats that exhibit similar behavior.
• System Modification - This section summarizes the system changes found after this
threat was executed in a controlled environment. Links are provided to reports about
threats that exhibit similar behavior.
The Execution Flow tab lists the threat's activities when it was executed in a controlled
environment, that is, the sandbox report. Users can use the timeline view to trace how the threat
activities happened.
Recommendation Page
This section provides instructions for reversing the threat effects. Advanced users may refer to the
Details tab for more specific information about the behavior of the threat.
Open Architecture
Deep Discovery can enhance existing investments in NGFW/IPS, SIEM and gateways by sharing in-depth
threat intelligence with your other Trend Micro and third-party security products to create a real-time
defense against targeted attacks, advanced threats, and ransomware.
Deep Discovery Inspector transports log content to a configured external syslog server using one of the
following syslog protocols:
• Transmission Control Protocol (TCP)
• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption
• User Datagram Protocol (UDP)
The following syslog message formats are supported by Deep Discovery Inspector:
• Common Event Format (CEF) - used for ArcSight
• Log Event Enhanced Format (LEEF) - used for QRadar
• Trend Micro Event Format (TMEF) - used for Trend Micro products
CEF
Common Event Format (CEF) is an open log management standard developed by HP ArcSight.
CEF comprises a standard prefix and a variable extension that is formatted as key-value pairs.
Sample log:
CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|The syslog server settings have been changed|2|dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost deviceExternalId=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 16:52:51 GMT+08:00
TMEF
TMEF is the format used by Trend Micro products for reporting event information. Deep
Discovery Analyzer uses TMEF to integrate events from various Trend Micro products.
Sample log:
CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|SYSTEM_EVENT|2|ptype=IDS dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759 rt=Dec 11 2017 12:28:01 GMT-02:00 msg=The syslog server settings have been changed
LEEF
Log Event Extended Format (LEEF) is a customized event format for IBM Security QRadar. LEEF
comprises a LEEF header, event attributes, and an optional syslog header.
Sample log:
LEEF:1.0|Trend Micro|Deep Discovery
Inspector|3.6.1161|SYSTEM_EVENT|dvc=10.204.190.229<009>deviceMacAddress=
00:0C:29:4B:9F:52<009>dvchost=localhost<009>deviceGUID=7B99706303C7-
401D990F-5DAE-3945-9759<009>ptype=IDS<009>devTimeFormat=MMM dd yyyy
HH:mm:ss z<009>sev=2<009>msg=The syslog server settings have been
changed<009>devTime=Dec 11 2017 17:08:52 GMT+08:00
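The three sample logs above are what a SIEM collector has to take apart: a pipe-delimited header followed by key=value pairs, space-separated with values that may themselves contain spaces (CEF and TMEF) or tab-separated (LEEF, where the page prints each tab as <009>). The parser below is an added example written for this section; it is not part of the page and not Trend Micro's or any SIEM vendor's code. The sample strings are the page's own logs with the line wrapping removed and the <009> markers turned into real tabs; the `normalize` function and its field choices are this example's own assumptions about what a downstream rule would key on. It handles LEEF 1.0 only, which is what the sample shows.

```python
import re
from typing import Dict, List, Tuple

# Constructed samples: the page's three sample logs with the line wrapping removed
# and, for LEEF, the "<009>" markers replaced by real tab characters.
CEF_SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|The syslog "
    "server settings have been changed|2|dvc=10.204.190.229 "
    "deviceMacAddress=00:0C:29:4B:9F:52 dvchost=localhost "
    "deviceExternalId=7B99706303C7-401D990F-5DAE-3945-9759 "
    "rt=Dec 11 2017 16:52:51 GMT+08:00"
)
TMEF_SAMPLE = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|3.6.1161|300999|SYSTEM_EVENT|2|"
    "ptype=IDS dvc=10.204.190.229 deviceMacAddress=00:0C:29:4B:9F:52 "
    "dvchost=localhost deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759 "
    "rt=Dec 11 2017 12:28:01 GMT-02:00 msg=The syslog server settings have been changed"
)
LEEF_SAMPLE = (
    "LEEF:1.0|Trend Micro|Deep Discovery Inspector|3.6.1161|SYSTEM_EVENT|"
    "dvc=10.204.190.229\tdeviceMacAddress=00:0C:29:4B:9F:52\tdvchost=localhost\t"
    "deviceGUID=7B99706303C7-401D990F-5DAE-3945-9759\tptype=IDS\t"
    "devTimeFormat=MMM dd yyyy HH:mm:ss z\tsev=2\t"
    "msg=The syslog server settings have been changed\t"
    "devTime=Dec 11 2017 17:08:52 GMT+08:00"
)


def _split_header(text: str, count: int) -> Tuple[List[str], str]:
    """Split the first `count` pipe-delimited header fields, honouring the
    backslash-escaped pipe ("\\|") allowed inside header values. Returns the
    fields and the remaining text (the extension / attribute part)."""
    fields: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(text) and len(fields) < count:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: take it literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(fields) < count:
        raise ValueError("truncated header: expected %d fields" % count)
    return fields, text[i:]


# A CEF extension key is a run of word characters followed by '=' and preceded by
# whitespace (or the start of the extension); everything up to the next key is the value.
_CEF_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")


def parse_cef_extension(ext: str) -> Dict[str, str]:
    """Parse CEF key=value pairs whose values may contain spaces (e.g. rt=Dec 11 2017 ...)."""
    result: Dict[str, str] = {}
    matches = list(_CEF_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        start = m.end()
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        value = ext[start:end].strip()
        # '\=' and '\\' are the escapes CEF allows inside extension values
        result[m.group(1)] = value.replace("\\=", "=").replace("\\\\", "\\")
    return result


def parse_cef(line: str) -> Dict[str, object]:
    """Parse a CEF line (TMEF as emitted by Deep Discovery Inspector is CEF-framed too)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    header, ext = _split_header(line[len("CEF:"):], 7)
    version, vendor, product, dev_version, sig_id, name, severity = header
    return {"version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "signature_id": sig_id, "name": name,
            "severity": int(severity), "extension": parse_cef_extension(ext)}


def parse_leef(line: str, delimiter: str = "\t") -> Dict[str, object]:
    """Parse a LEEF 1.0 line: five header fields, then tab-separated attributes."""
    if not line.startswith("LEEF:"):
        raise ValueError("not a LEEF line")
    header, attrs = _split_header(line[len("LEEF:"):], 5)
    version, vendor, product, dev_version, event_id = header
    attributes: Dict[str, str] = {}
    for item in attrs.split(delimiter):
        key, sep, value = item.partition("=")
        if sep:
            attributes[key] = value
    return {"version": version, "vendor": vendor, "product": product,
            "device_version": dev_version, "event_id": event_id, "attributes": attributes}


def normalize(line: str) -> Dict[str, object]:
    """Reduce either format to the fields a correlation rule keys on (assumed set),
    so downstream logic does not care which syslog format the sensor was configured for."""
    if line.startswith("CEF:"):
        ev = parse_cef(line)
        ext = ev["extension"]
        return {"product": ev["product"], "event": ext.get("msg", ev["name"]),
                "severity": ev["severity"], "device": ext.get("dvc", ""), "time": ext.get("rt", "")}
    if line.startswith("LEEF:"):
        ev = parse_leef(line)
        a = ev["attributes"]
        return {"product": ev["product"], "event": a.get("msg", ev["event_id"]),
                "severity": int(a.get("sev", "0")), "device": a.get("dvc", ""),
                "time": a.get("devTime", "")}
    raise ValueError("unknown syslog message format")
```

Note that the TMEF sample carries the human-readable text in the `msg` extension key while the CEF sample carries it in the header Name field; `normalize` prefers `msg` when present so both variants yield the same event string.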
Deep Discovery Inspector provides standard syslog level categorization: Emergency, Alert, Critical,
Error, Warning, Notice, Info and Debug.
Each log format (CEF, LEEF and TMEF) displays a different list of detection log options.
ArcSight ESM
The log format is CEF. Deep Discovery Inspector must be connected to ArcSight ESM through an
ArcSight connector.
IBM QRadar
The log format is LEEF. To change the log format, Trend Micro would give sample logs to IBM for
a new QRadar update package. This is different from the ArcSight integration.
Trend Micro TippingPoint SMS
Native features of third-party products can be leveraged to synchronize Suspicious Objects detected
by Virtual Analyzer.
The IOC (Indicator of Compromise) types available for blocking include: URL, DNS, IP and SHA-1.
Deep Discovery Inspector integrates with the following third-party inline solutions:
Deep Discovery Inspector supports only one third-party product/service at a time. Also, when enabled,
Deep Discovery Inspector sends suspicious objects and C&C callback addresses every 10 minutes.
Note: See Deep Discovery Inspector Online Help for complete steps on integrating with these
supported 3rd party products.
Deep Discovery Inspector integrates with Check Point OPSEC via the Suspicious Activities Monitoring
(SAM) API. The SAM API implements communications between the SAM client (Deep Discovery
Inspector) and the Check Point firewall, which acts as a SAM Server. Deep Discovery Inspector uses
the SAM API to request that the Check Point firewall take specified actions for certain connections.
For example, Deep Discovery Inspector may ask Check Point OPSEC to block a connection with a
client that is attempting to issue illegal commands or repeatedly failing to log on.
Trend Micro TippingPoint Security Management System (SMS) uses reputation filters to apply block,
permit, or notify actions across an entire reputation group. For more information about reputation
filters, refer to your Trend Micro TippingPoint documentation.
To integrate Deep Discovery Inspector with IBM XGS, configure a generic agent to do the following:
• Accept alerts that adhere to a specific schema
• Create quarantine rules based on a generic ATP translation policy
The ATP translation policy allows several categories of messages to take different actions on IBM
XGS, including blocking and alerting.
Service Name
• List infrastructure service of environment
• Mandatory: HTTP Proxy, SMTP MX and SMTP Server, DNS
• Optional: AD/DC, Kerberos Server, DB Server, File Server, Radius, Vulnerability Scanner,
Update Server, Web Server
Note: SMTP and DNS services can be auto-discovered through the Deep Discovery Inspector
installation wizard
Network Group
• If any public addresses are hosted internally, they must be added as a Trusted Network
The following worksheet can be used to gather all the information required in this phase:
Active Directory
Database Servers
DNS Server(s)
Domain Controller
File Server
FTP
HTTP Proxy
Radius Server
SMTP Server(s)
Web Server(s)
Performing an Installation
The Deep Discovery Inspector installation can be performed on an appliance (bare metal) or into a Virtual
Machine.
Note: (Optional) To export the installation logs, you must select option (3) before selecting option (1) to
begin the installation.
Selecting option “3” and hitting Enter toggles between enabling and disabling the export of the
installation logs.
If the installation log is enabled in this step, then during the final stages of the installation, the
Deep Discovery Inspector installation program prompts for the location to store the installation
logs. You can select sda11 when prompted which will consequently save the installation logs to
the /var/log directory. The logs are stored in a text file with the name: install.log.<TimeStamp>
2 From the Main Menu, select option (1) to start the Deep Discovery Inspector installation process.
Note: Ensure this is selected correctly, as this cannot be changed from the Deep Discovery Inspector
management web console once it has been selected here.
Once the device reboots, you will be ready to access the Deep Discovery Inspector
Pre-Configuration console and configure necessary initial system settings for your device as
described in the section that follows.
On a Hardware Appliance - Connect using a USB keyboard and VGA monitor to access the
Pre-Configuration Console
Once you have connected to the Pre-Configuration console, you are ready to set up the necessary
pre-configuration device settings for Deep Discovery Inspector as described below.
1 Log in to the Pre-Configuration Console using the default login credentials of username: admin,
and password: admin.
3 Navigate through the interface and enter the IP, subnet, gateway and DNS addresses. For
example:
4 Save the changes (select Return to the main menu and log out by saving changes)
5 Access the Deep Discovery Inspector Web Console from a supported browser (such as IE, Firefox)
using HTTPS as follows:
Note: You will need to note the above link for accessing the Deep Discovery Inspector’s web console
(HTTPS://IP ADDRESS OF Deep Discovery Inspector). The web console will be used in the next
phase of the installation to configure the final system settings for Deep Discovery Inspector.
1 Access the Deep Discovery Inspector web console using a web browser and connecting to the
URL that was provided in the last step of the Pre-Configuration phase above. The credentials
needed to log in are the same as the Pre-Configuration console credentials (admin/admin).
2 Once you have logged in to the web console, you will be prompted to change the password to one
that meets the criteria indicated below. Click Save once you have configured a new password for
accessing the Inspector web console.
3 Next, you will need to install a valid license. Go to Administration > License. In order to activate
the new license you will need to select the button Update Information.
4 Next, go to Administration > System Settings > Time and configure a timezone and NTP server:
Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create in
Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to create any sandboxes as
described below.
There are two methods you can use to import a new image that the VA will use for analyzing samples.
Each method is described below. Select the method that is most appropriate for your environment.
• If the connection to Deep Discovery Inspector is successful, click Download Image Import
Tool
• Launch the Virtual Analyzer Image Import Tool to start the image import process
- Enter the IP address of the Virtual Analyzer (same as Deep Discovery Inspector
machine) and then browse to the location of your image (OVA) file
- Click Import after you have entered the above settings. (Note that the upload
process can take up to 20 minutes to complete.)
• Enter an image Name and specify the link to your image (OVA) file
• Click Import (Note that the upload process can take up to 20 minutes to complete.)
2 Once you have saved the above settings, you can click Test Internet Connectivity to verify if the
connection is successful.
Note: IMPORTANT: If you are using Deep Discovery Analyzer for sandboxing you will need to select
“External” as the Virtual Analyzer and configure your settings as follows:
3 Next, go to Administration > System Maintenance > Storage Maintenance and extend the
maximum file size for Deep Discovery Inspector. This is the maximum file size that will be
accepted and scanned by Deep Discovery Inspector’s ATSE engine. You can extend the maximum
file size setting up to 50 MB.
Note: The maximum file size does not only limit the size of files submitted to the Virtual Analyzer;
it also limits what the File Scan daemon and ATSE scan. Files that exceed the specified size
(in MB) are NOT scanned by ATSE and NOT submitted to the Virtual Analyzer.
4 Back in the Setup page for the Virtual Analyzer, the following pop-up will be displayed when
clicking Save for the first time notifying that submissions to the Virtual Analyzer will be limited to
a maximum file size of 15 MB.
The detection rules and severities can vary depending on whether the host that triggers an event is
inside the monitored network or not. Therefore, all IP address ranges in your network environment
that are to be monitored by Deep Discovery Inspector should be added.
It is recommended not to use the default Group Name, but to use more descriptive names for the IP
ranges. For example, you could use names like Finance, Sales, HR, etc. as Group Names.
1 Go to Administration > Network Groups and Assets > Network Groups.
Note: If an internal host has a public IP (for example, DMZ), it must be added here!
Using descriptive network names will make it easier to work with and analyze detection logs,
widgets and reports.
Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.
Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.
2 Next, go to Administration > Network Groups and Assets > Registered Services and add dedicated
servers for specific services that your organization uses internally or considers trustworthy.
Identifying trusted services in the network ensures detection of unauthorized applications and
services. While it is better to add this information upfront, it can be added after the fact, but it is
not retroactive.
Note: The mandatory services to define include: SMTP, HTTP Proxy, DNS
The registered services are also used by the Detection Rules. Therefore, if you do not have a
legitimate service registered, it can lead to rules being incorrectly triggered and files
unnecessarily going to the sandbox.
3 Click the Analyze button to auto-discover services. Check for valid services that were detected
under Detected Services and click Save.
Note: Only the SMTP Server/Relay and DNS Server can be discovered automatically.
4 Next, you can manually add any other services that are missing. Again, the mandatory ones are
SMTP, HTTP Proxy and DNS.
These are used by the NCxE rules to adapt detection logging. Note that they can also be discovered
automatically, like Registered Services.
Note: It is not advisable to modify File Submission Rules for a new deployment.
2 (Optional Step) Configure a proxy for update and reputation query. This step will depend on the
network architecture.
3 Click Test Connection to verify that the proxy is available and working.
The following testing should be completed to ensure that you have a working Deep Discovery Inspector
deployment.
Packet Capturing
You can also perform packet capturing to verify if network traffic is being received by clicking the
Network Traffic Dump link provided at the bottom of the Network Interface screen. Clicking the
link will open a connection to the Troubleshooting portal (https://DDI_IP/html/troubleshooting.htm)
where the following Network Traffic Dump screen displays:
Select the port/NIC to capture traffic for then click Capture Packets.
Let the capture run for a pre-determined amount of time, then to stop packet capturing on the
NIC, click Stop.
Once the Network Traffic Dump is stopped, the following links are provided for viewing, exporting
or resetting the capture:
Clicking View from the above window, displays the Packet Capture Analysis window. From here
you can select what specific information you would like to see from the capture, without having
to filter through the entire network packet dump. You should verify that the Deep Discovery
Inspector can see TCP conversations as follows:
You can additionally Export the packet capture and view the collected results in Wireshark.
In environments where Deep Discovery Inspector receives all packets, there can be a small
difference between these two numbers.
Once the manual update is complete the list of updated components will appear similar to the
following:
Note: This testing page from Trend Micro Coretech is not dangerous.
2 Examine the Detection Name and other details. You can click View in Threat Connect to examine
the information that is provided.
Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*
Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.
To view the installation logs, export the installation log using the Deep Discovery Inspector
Debug Portal.
• By default, Deep Discovery Inspector is assigned the IP address of 192.168.252.1/24
If the web console is not accessible to export the installation logs, access the DDI Mini Shell using
the Deep Discovery Inspector installation disk to view and analyze the installation logs:
• Gain access to the DDI Mini Shell using the Deep Discovery Inspector installation disk
• Mount the partition where the installation log file is stored, /dev/sda11 (for SCSI) or /dev/hda11
(for IDE). For example:
mount -t ext3 /dev/sda11 /mnt
Basic Linux commands can be used to view and search through the installation log file for
possible problems.
Configuration Files
The /mr_etc directory stores most of the configuration settings of Deep Discovery Inspector
components and email notification templates.
The main configuration file, igsa.conf, keeps the product-wide configuration settings. Modules
that do not have a separate configuration file store their configuration in the igsa.conf file.
Database
The PostgreSQL database name and account settings are stored in the database.conf file.
Files in the /mr_etc directory that have the .def extension contain the default factory settings for
the corresponding configuration file.
Boot Options
The boot menu can be invoked by pressing <Esc> after the bootloader starts. The menu offers four
different boot options:
• Boot Primary System
• Boot Secondary System
• Restore to factory mode
The Deep Discovery Inspector BIOS loads GRUB (GRand Unified Bootloader) from the Master Boot
Record (MBR). GRUB checks the configuration file, /dev/sda1/grub/menu.lst, that specifies the root
device, path to the kernel, RAM disk settings and other parameters.
Deep Discovery Inspector performs the same steps as above except that it mounts the non-actual
root partition (/dev/sda6 or /dev/sda7) as a root file system.
This option is used to mount the last good root file system after unsuccessful firmware update or
when the actual root file system gets corrupted.
Note: This boot option may not be possible when there has been a Database schema change.
Deep Discovery Inspector re-creates all file systems, except for /dev/sda4 (factory image) and
then re-installs the original software from /dev/sda4 to /dev/sda6 and /dev/sda7.
Note: All logs, configuration settings and software updates will be lost!!
In this section, these technologies are explored more deeply to show how they work together in Deep
Discovery Inspector to perform inspection and detection, and how this information is made available to
the security specialist for analysis.
(Figure: Deep Discovery Inspector inspection and detection components: NIC, Network Content
Inspection Engine, Event Classification Engine (ECE), Event Classification Patterns (ECP), Patterns,
LogX, db, Target of evaluation)
The primary engines and services used by Deep Discovery Inspector are described below.
• Network virus scanning - known network threats (like the SQL Slammer) are detected by
NCIE
• Protocol parsing - the CAV detection of potential threats relies on the parsed protocol data
from NCIE
• Application protocol detection - the Deep Discovery Inspector application filtering
functionality (P2P, IM, Streaming), relies on the patterns in the NCIP
All details about the NCIE detections are written to the Deep Discovery Inspector /var/log/cav.log
file. The Deep Discovery Inspector Troubleshooting Portal is used to enable debug-level logging
and download the archive file containing the cav.log file to troubleshoot a specific situation.
Contact your Support representative for help using the debug portal. The cav.log file must be
extracted from the downloaded archive to view the collected log entries.
Similar to ZEUS and SPYEYE, POISONIVY has a toolkit/builder which can be purchased or
downloaded from underground forums selling such tools. The builder can be customized to cater
to the needs of its buyers. Its variants can be configured to perform any or all of the following:
• Capture screen, audio, and webcam
• List active ports
• Log keystrokes
• Manage open windows
• Manage passwords
• Manage registry, processes, services, devices, and installed applications
• Perform multiple simultaneous transfers
• Perform remote shell
• Relay server
• Search files
• Share servers
• Update, restart, or terminate itself
Most POISONIVY malware can copy itself into an Alternate Data Stream (an NTFS feature that
holds metadata for locating a specific file by author or title), making this a valuable place for
attackers to hide their tools.
RATs such as Gh0st and POISONIVY are widely available and frequently used by APT actors, but
the traffic these produce is easily detectable. The network traffic generated by POISONIVY
begins with 256 bytes of seemingly random data after a successful TCP handshake. These bytes
comprise a challenge request to see if the “client” (for example, the RAT controller) is configured
with a password embedded in the “server” (for example, the victim).
Detecting simply based on a request of 256 bytes will yield false positives. This can, however, be
combined with protocol-aware detection. While the default port for POISONIVY is 3460, it is most
commonly seen used on ports 80, 443, and 8080 as well. This traffic can generically be detected
by looking for a 256-byte outbound packet containing mostly non-ASCII data on the ports
PoisonIvy attackers commonly use. This helps reduce false positives but still broadly covers
PoisonIvy variants as long as they use the said challenge request.
After the challenge response is received, the client (RAT controller) then sends the following 4
bytes as shown below, specifying the size of the machine code that it will send. This value has
consistently been “D0 15 00 00” for all samples analyzed for this particular version of PoisonIvy.
This makes a great additional indicator on top of the logic previously described and significantly
increases the confidence level of the detection.
PoisonIvy also makes use of "keep-alive" requests that are 48 bytes long. These requests appear
to always be of the same length, but their content differs depending on the "password" with
which the PoisonIvy client/server is configured. The default password, "admin," is consistently
detected.
Deep Discovery Inspector takes all of the aforementioned approaches to generic and specific
PoisonIvy detection, assigning the appropriate severity rating depending on the confidence level
of the detection. For more information, refer to:
http://www.trendmicro.it/media/wp/detecting-apt-activity-with-network-traffic-analysis-whitepaper-en.pdf
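The layered logic described in the paragraphs above (a 256-byte, mostly non-ASCII outbound request on the ports the text names, then the "D0 15 00 00" size field from the controller, then 48-byte keep-alives) is shown below as detection code run over constructed flows. This is an added example written for this section; it is not the page's code and not Trend Micro's CAV rule. The `Flow`/`Segment` structures, the 50% printable threshold, the confidence-to-severity mapping and the TLS-record check (the "protocol-aware" refinement the text mentions, implemented here as an assumption: a 256-byte blob that starts with a TLS handshake record header is treated as TLS rather than as the challenge) are all this example's own choices.

```python
from dataclasses import dataclass, field
from typing import List

POISONIVY_PORTS = {3460, 80, 443, 8080}       # default port plus the ports the text names
CHALLENGE_LEN = 256                            # size of the challenge request after the handshake
CODE_SIZE_MARKER = bytes.fromhex("d0150000")   # the "D0 15 00 00" size field from the text
KEEPALIVE_LEN = 48                             # keep-alive request length from the text


@dataclass(frozen=True)
class Segment:
    outbound: bool    # True: from the monitored host (the RAT "server") to the remote controller
    payload: bytes    # application-layer bytes of one segment


@dataclass(frozen=True)
class Flow:
    dst_port: int
    segments: List[Segment]   # payload-carrying segments in order, after the TCP handshake


@dataclass
class Verdict:
    matched: bool
    confidence: str           # "none" | "low" | "medium" | "high"
    severity: str             # "none" | "Low" | "Medium" | "High" (assumed mapping)
    reasons: List[str] = field(default_factory=list)


def mostly_non_ascii(payload: bytes, threshold: float = 0.5) -> bool:
    """True when fewer than `threshold` of the bytes are printable ASCII (assumed cut-off)."""
    if not payload:
        return False
    printable = sum(1 for b in payload if 0x20 <= b < 0x7F)
    return printable / len(payload) < threshold


def looks_like_tls_record(payload: bytes) -> bool:
    """Assumption, not from the page: a TLS handshake record starts 0x16 0x03 0x0X.
    Treating such a blob as TLS keeps ClientHello traffic on 443 from matching."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def assess_flow(flow: Flow) -> Verdict:
    """Apply the generic check first, then the two specific indicators that raise confidence."""
    no_match = Verdict(False, "none", "none")
    if flow.dst_port not in POISONIVY_PORTS:
        return no_match
    first_out = next((s for s in flow.segments if s.outbound), None)
    if first_out is None or len(first_out.payload) != CHALLENGE_LEN \
            or not mostly_non_ascii(first_out.payload):
        return no_match
    if looks_like_tls_record(first_out.payload):
        return no_match
    reasons = ["256-byte non-ASCII challenge request on port %d" % flow.dst_port]
    confidence = "low"
    # The size field follows the challenge response, so it is the second inbound payload.
    inbound = [s for s in flow.segments if not s.outbound]
    if len(inbound) >= 2 and inbound[1].payload == CODE_SIZE_MARKER:
        reasons.append("code size field D0 15 00 00 after the challenge response")
        confidence = "high"
    keepalives = sum(1 for s in flow.segments if len(s.payload) == KEEPALIVE_LEN)
    if keepalives:
        reasons.append("%d 48-byte keep-alive segments" % keepalives)
        if confidence == "low":
            confidence = "medium"
    severity = {"low": "Low", "medium": "Medium", "high": "High"}[confidence]
    return Verdict(True, confidence, severity, reasons)


# Constructed flows (stand-ins, not captured traffic): a deterministic all-non-ASCII
# challenge, a ClientHello-shaped TLS record, and a plain HTTP request.
CHALLENGE = bytes(range(0x80, 0x100)) * 2      # exactly 256 bytes, none printable
RAT_FLOW = Flow(443, [Segment(True, CHALLENGE), Segment(False, CHALLENGE[::-1]),
                      Segment(False, CODE_SIZE_MARKER),
                      Segment(True, bytes(KEEPALIVE_LEN)), Segment(True, bytes(KEEPALIVE_LEN))])
TLS_FLOW = Flow(443, [Segment(True, b"\x16\x03\x01\x00\xfb" + bytes(251))])
HTTP_FLOW = Flow(80, [Segment(True, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")])
```

Running `assess_flow` over the three constructed flows yields a High-severity verdict only for the first; the TLS-shaped flow is dropped by the protocol-aware check even though it is 256 bytes of non-ASCII on port 443, which is exactly the false positive the text warns a size-only rule would produce.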
Files intercepted by Deep Discovery Inspector are scanned using the Advanced Threat Scan Engine
(ATSE). This engine is the same threat scanning engine used in many Trend Micro products, including
Deep Discovery, InterScan Web and so on. The Advanced Threat Scan Engine (ATSE) is an enhanced
version of the standard virus scan engine (VSAPI) that is also used in Trend Micro products. The main
difference between VSAPI and ATSE is that the VSAPI engine only does pattern-based scanning,
whereas the ATSE engine uses a combination of pattern-based detection and dynamic heuristic
rule-based scanning. This allows the ATSE scan engine to perform analysis based on the
"characteristics" of a file, as we will see later in this section.
How it Works
Zero-day exploits are malware that takes advantage of unpatched vulnerabilities, but they do so
using similar exploitation techniques. By looking for commonly used exploit "characteristics",
ATSE is able to determine if a file is a malicious exploited document.
There are approximately 50 CVE rules and 82 heuristic rules in Deep Discovery Inspector.
• ATSE engine is updated regularly
• Updates carried out through standard update process (not through a software update)
• New CVEs are added and others are enhanced regularly
from being logged. If an override value is selected here, then ATSE detections higher than
the level configured will not be logged.
Level Description
0 Pattern Matching
Note: WARNING: the above setting is an advanced configuration. NOTE that this setting does NOT
configure the Detection Level for ATSE. It is an override setting used to limit the number of
ATSE events that will be logged by Deep Discovery Inspector.
ATSE detections higher than the specified ATSE detection level will be overridden, that is, NOT
logged. As ATSE detection levels go higher, more and more heuristic rules are used to detect
malicious behavior, which also increases the possibility of false positives. It therefore makes
sense to override such ATSE detections (Default Level: 4).
ATSE Events
ATSE is very good at detecting unknown Malware long before it is publicly known.
Ordinarily the decision of ATSE will stop file analysis, unless File submission rules are specifically
configured to send it to Virtual Analyzer.
If Virtual Analyzer is disabled, the file size scanning limit is set by Deep Discovery Inspector to
5 MB. This setting can be modified in the /proc/sys/net/fse/file_maxsize file. If Virtual Analyzer is
enabled, the default size is 15 MB and can be configured from 5 to 50 MB via the GUI. The
maximum file size does not only limit the size of files submitted to the Virtual Analyzer; it also
limits what the File Scan daemon and ATSE scan.
The Network Content Inspection Engine (NCIE) along with Network Content Inspection Pattern
(NCIP) are designed to detect network threats based on the protocol data.
Originally, the NCIE was designed to complement the VSAPI detection functionality with network
protocol data. This is why it was named VSAPI2.
The Network Content Correlation Engine collects network information and file information, matches
rules and writes logs.
The NCCE (CAV) logic is specified in the pattern file in the form of rules. These rules use the
packet, session and connection characteristics to decide if this is a security risk, define the risk
properties and decide if mitigation is required.
All detection rules in Deep Discovery Inspector have the following general properties:
• Rule ID: Double-byte rule identifier in HEX format
• Confidence Level: Decimal value showing how confident this rule is about the result. The
pattern-based detection (ATSE, VSAPI) has confidence level "High"
• Risk Type: The type of the detected security event displayed at “Type” in the Detections
page of the Deep Discovery Inspector web console. Event types include:
- Network Virus - A known network virus is detected in the transferred content
The Rule ID, Risk Type, Confidence Level and Description can be viewed in the Deep Discovery
Inspector web console from Administration > Monitoring / Scanning > Detection Rules:
Rule Direction
• Internal Detections: if Source IP of detected session is INSIDE Monitored Network
• External Attacks: if Source IP of detected session is OUTSIDE of Monitored Network
Scenario:
• Host downloads an executable file from web site
• Web server reports content type as image/gif
Example: Rule 72-Monitored client is receiving email with phishing link (External)
Severity: Low
Scenario:
• SMTP server receives phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL
Severity: High
Scenario:
• Infected host is sending phishing emails
• Email sender domain is in list of commonly phished domains and email contains IP address
URL
Note: The same rule is being triggered as in the previous example, except this time it is internal
detection and therefore the severity is now High.
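The rule-direction logic above (Internal when the session's source IP lies inside the monitored network, External otherwise) and the severity swing it causes for rule 72 can be tested as code. This is an added example written for this section, not the page's code and not the product's pattern file: the network groups, the IP addresses and the per-direction severity table are constructed from the page's example, and `classify` is this example's own function. It also exercises the earlier note that an internal host with a public address (for example, a DMZ) must be registered, since otherwise its traffic is classified as external.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Detection:
    rule_id: int
    src_ip: str
    dst_ip: str


class MonitoredNetwork:
    """Named IP ranges (the Network Groups). Public ranges hosted internally, such as a DMZ,
    are registered here too so that hosts in them count as inside the monitored network."""

    def __init__(self, groups: Dict[str, List[str]]):
        self.groups = {name: [ipaddress.ip_network(r) for r in ranges]
                       for name, ranges in groups.items()}

    def group_of(self, ip: str) -> Optional[str]:
        addr = ipaddress.ip_address(ip)
        for name, nets in self.groups.items():
            if any(addr in net for net in nets):
                return name
        return None

    def is_inside(self, ip: str) -> bool:
        return self.group_of(ip) is not None


def direction(net: MonitoredNetwork, det: Detection) -> str:
    """Internal Detection if the source IP is inside the monitored network, else External Attack."""
    return "Internal" if net.is_inside(det.src_ip) else "External"


# Severity per direction for the one rule the text works through (rule 72: phishing link in email).
# Constructed from the page's example; other rules would have their own entries.
RULE_SEVERITY: Dict[int, Dict[str, str]] = {72: {"External": "Low", "Internal": "High"}}


def classify(net: MonitoredNetwork, det: Detection) -> Dict[str, object]:
    d = direction(net, det)
    return {"rule_id": det.rule_id, "direction": d,
            "severity": RULE_SEVERITY.get(det.rule_id, {}).get(d, "Unknown"),
            "source_group": net.group_of(det.src_ip)}


# Constructed network groups using descriptive names as the text recommends, plus a DMZ range
# in documentation address space standing in for a public block hosted internally.
CONSTRUCTED_GROUPS = {"Finance": ["10.10.0.0/16"], "Sales": ["10.20.0.0/16"],
                      "DMZ": ["203.0.113.0/24"]}
```

With these groups, rule 72 fired on mail arriving from 198.51.100.7 is External and Low; the same rule fired on a Finance host sending phishing mail is Internal and High; and the DMZ host 203.0.113.25 is Internal only because its public range was registered.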
Virtual Analyzer
Virtual Analyzer provides custom sandboxing capabilities. This allows for observation of file and
network behavior in a natural (virtual) setting without any risk of compromising your actual network.
Virtual Analyzer is available on Deep Discovery Inspector, Deep Discovery Email Inspector and Deep
Discovery Analyzer (as an external standalone Virtual Analyzer).
Prevalence is a statistical concept referring to the number of times a file was detected by Trend Micro
sensors at a given time. If a file has not triggered any detections, the file becomes suspicious if it has
only been seen once or a few times. Over 80% of all malware is only seen once.
Census covers over 300 million distinct executable files. File prevalence and maturity are important
because polymorphism is the primary weapon of malware.
Note: Domain Census is only supported on Smart Protection Server (SPS) 3.3 or later.
By using Domain Census, Deep Discovery Inspector can ignore the WRS Whitelist for domains
which have low prevalence in Domain Census. The reason behind this is that these “good
domains” may already have been compromised by threat actors and simply have remained
obscure from the information security community due to their low prevalence.
By using the statistics in Domain Census, Deep Discovery Inspector can exclude CDN (Content
Delivery Network) IPs from the blacklist/Suspicious Objects (SO) list in order to prevent false
alarms. This is used to prevent an IP address that is shared by both good and bad domains from
being blocked which would otherwise prevent users from accessing the good domains.
This is a more advanced feature that is enabled by default, and can be configured in Deep
Discovery Inspector’s Debug Portal (RDQA page) under VA Settings > Suspicious Object List
Criteria.
This feature is useful to avoid false positives when IP addresses from Internet Service Providers
have been incorrectly Black Listed by ‘appearing’ suspicious.
In order to enable the Cloud Sandbox, there must be an existing internal VA image deployed on the
Deep Discovery Inspector even if it will not be used to analyze Mac OS files. This is required because
the Cloud Sandbox functions are tied in with the Internal VA, and the Internal VA can only be enabled
if there is already an Internal VA image residing on the Deep Discovery Inspector. Furthermore, this
means that Deep Discovery Inspector 5.0 will only make use of the cloud sandbox if it is also
configured to make use of its internal virtual analyzer.
Note: If Deep Discovery Inspector is configured to make use of an external virtual analyzer like Deep
Discovery Analyzer, then Mac OS files will be submitted to Deep Discovery Analyzer and it is the
Deep Discovery Analyzer that will submit the files to the Cloud Sandbox.
In the above instances, Deep Discovery Inspector performs the following process:
• The CAV Daemon contacts the TMUFE Daemon and provides the URL
• The TMUFE Daemon runs the Trend Micro URL Filtering Engine (TMUFE) to detect the URL
reputation
• TMUFE checks the local in-memory cache for rating information
- If the reputation of this URL is not cached, the Trend Micro cloud-based Web Reputation
Service is contacted via HTTP (by default) to query the URL reputation. The default
timeout for communication with the Web Reputation Service is set to 5 seconds.
- If the Web Reputation score of the URL is below 50 (configurable) Deep Discovery
Inspector will log the event. However, if the URL is Spam or Adware related, the event will
NOT be logged, unless the Spam or Adware URL is also classified as a C&C Server, in
which case the event WILL be logged.
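The decision steps in the list above (cache lookup, cloud query with a 5-second timeout, log when the score is below the configurable threshold of 50, but suppress Spam and Adware unless the URL is also a C&C Server) are shown below as a small reputation client. This is an added example written for this section; it is not the page's code and not the TMUFE daemon. The `Rating` structure, the category strings, the constructed rating table and the timeout handling (a query that times out is simply not logged) are this example's assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Optional

LOG_THRESHOLD = 50                 # scores below this are logged (configurable, per the text)
QUERY_TIMEOUT_S = 5.0              # default timeout for the Web Reputation Service query
SUPPRESSED = {"Spam", "Adware"}    # not logged on score alone
CC_CATEGORY = "C&C Server"         # ... unless the URL is also classified as a C&C Server


@dataclass(frozen=True)
class Rating:
    score: int
    categories: FrozenSet[str]


def should_log(rating: Rating, threshold: int = LOG_THRESHOLD) -> bool:
    """The logging rule from the text: below threshold, with the Spam/Adware exception."""
    if rating.score >= threshold:
        return False
    if rating.categories & SUPPRESSED and CC_CATEGORY not in rating.categories:
        return False
    return True


class UrlReputation:
    """In-memory rating cache in front of a cloud lookup. `cloud_lookup(url, timeout)`
    stands in for the Web Reputation Service and may raise TimeoutError."""

    def __init__(self, cloud_lookup: Callable[[str, float], Rating],
                 timeout: float = QUERY_TIMEOUT_S):
        self._cache: Dict[str, Rating] = {}
        self._cloud = cloud_lookup
        self._timeout = timeout
        self.cloud_queries = 0     # counter so the cache behaviour can be observed

    def rate(self, url: str) -> Optional[Rating]:
        if url in self._cache:
            return self._cache[url]
        self.cloud_queries += 1
        try:
            rating = self._cloud(url, self._timeout)
        except TimeoutError:
            return None            # no rating within the timeout: nothing to log
        self._cache[url] = rating
        return rating

    def process(self, url: str) -> Dict[str, object]:
        """What the daemon would do for one URL handed over by CAV: rate it, then decide."""
        rating = self.rate(url)
        if rating is None:
            return {"url": url, "logged": False, "reason": "reputation query timed out"}
        return {"url": url, "logged": should_log(rating), "score": rating.score,
                "categories": sorted(rating.categories)}


# Constructed rating table standing in for the cloud service; unknown URLs time out.
_CONSTRUCTED_RATINGS = {
    "http://bad.example/payload": Rating(20, frozenset({"Malicious"})),
    "http://spam.example/offer": Rating(30, frozenset({"Spam"})),
    "http://spam-cc.example/beacon": Rating(10, frozenset({"Spam", CC_CATEGORY})),
    "http://good.example/": Rating(80, frozenset()),
}


def constructed_cloud(url: str, timeout: float) -> Rating:
    if url not in _CONSTRUCTED_RATINGS:
        raise TimeoutError("no answer within %.0fs" % timeout)
    return _CONSTRUCTED_RATINGS[url]
```

The spam-only URL scores well below 50 yet is not logged, while the URL that is both Spam and a C&C Server is; that pair is the edge case worth keeping in a regression test when the threshold is tuned.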
TMUFE Configuration
The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service within the
Smart Protection Network. This service assigns a reputation score and either blocks or allows access
to a web site.
Note: In Deep Discovery Inspector 5.0+, you can have up to 10 Smart Protection Servers.
To enable Deep Discovery Inspector to query the MARS server, go to Administration > Monitoring /
Scanning > Threat Detections and configure the following settings:
TrendX improves the Deep Discovery Inspector’s Virtual Analyzer detection capabilities as compared
to using traditional pattern based solutions alone.
Currently, Deep Discovery Inspector supports the following file types for TrendX queries:
• PE Files, and JS files detected in Email protocols (SMTP, POP3, and IMAP4)
Detection type                                  Engine and pattern                                      Actions
Malicious Content or Grayware                   Advanced Threat Scan Engine (ATSE)                      Yes, Yes, No, Possible
(Malware transferred)
Exploits (Network Virus detected)               Network Content Inspection Engine and Pattern           Yes, No, Possible, Possible
                                                (NCIE / NCIP, also known as VSAPI v2)
Disruptive Applications                         Network Content Inspection Engine and Pattern           Yes, No, No, No
(Filtered application protocol detected)        (NCIE / NCIP, also known as VSAPI v2)
Malicious Behavior                              Network Content Correlation Engine and Pattern          Yes, Possible, Possible, Possible
(Potential network threat)                      (NCCE / NCCP, also known as CAV)
Mobile Application Reputation                   Mobile Application Reputation Service (MARS)            Yes, Possible, No, No
TrendX Machine Learning                         Contextual Intelligence Query Handler and               Yes, Yes, No, No
                                                Advanced Threat Correlation Pattern
The "Possible" action indicates that the decision relies on the NCCP (CAV pattern) and Deep Discovery
Inspector configuration. The Virtual Analyzer only logs the results of its findings (detection type of
Suspicious Behavior) and creates new CAV blacklist rules. It is CAV that implements the actions (rules).
The list of the network protocols that Deep Discovery Inspector detects, depends on the protocol
definitions in the Network Content Inspection Pattern (NCIP).
Note: Values listed under the column Initiate Mitigation indicate whether or not any mitigation steps
can be taken. Mitigation is ONLY possible when ADDITIONAL Deep Discovery products are also
installed (for example, Deep Discovery Endpoint Sensor or OfficeScan and Control Manager).
It is also important to note that when deciding if the transferred content is malicious, Deep Discovery
Inspector takes into account the direction of the traffic. For example, the eicar.com test file transferred
via SMB from the endpoint is considered as suspicious activity but the same content transferred to the
endpoint is not considered as suspicious. The rules defining this behavior can be changed with the new
NCCP / CAV pattern.
(Figure: kernel modules NCIT and NCIE)
The NCIT and NCIE kernel modules are collectively known as the NCIT (Network Content
Inspection Technology) kernel module. The NCIT kernel module is in charge of intercepting traffic
and connection tracking.
While listening for traffic on the Deep Discovery Inspector data ports the NCIT obtains the packet
capture rules from the CAV rules. It then passes the traffic and the packet capture rules to NCIE
which determines whether or not the traffic matches the packet capture rules obtained from
CAV.
In Stage 1:
• The NCIT (Network Content Inspection Technology) kernel module receives Ethernet
packets from the NIC and sends them to the Network Content Inspection Engine module.
• The NCIE kernel module assembles the captured packets and extracts the file content
from the TCP block and sends it to the NCIT kernel module.
NCIE
The NCIE kernel module checks individual packets against the signatures in the Network Content
Inspection Pattern (NCIP) file.
• If a match is found in the DDI URL, IP or Domain Allow List, the DDI Deny List is bypassed.
• If a match is found in the DDI URL, IP or Domain Deny List, NCIE checks the configured
action for the deny list entry that matched.
• Triggers are then passed on to the Collaborative Anti-Virus (CAV) daemon (also known as
the Network Content Correlation Daemon).
File Scan
The file scanning daemon (filescan) receives the file descriptor of the extracted file and
invokes the Virus Scanning Engine (ATSE).
• ATSE determines the true file type and scans the file for malware using the virus pattern
file, spyware pattern file, IntelliTrap pattern file and IntelliTrap exceptions file.
• Triggers are sent to the CAV/Network Content Correlation daemon.
CAV (Part 1)
The Network Content Correlation Engine (NCCE / CAV) receives the triggers from the NCIT kernel
module and checks whether the facts about the traffic collected by all modules match any rules
in the Network Content Correlation Pattern (NCCP).
If one or more rules match, the threat details and the required actions are read from the pattern
file and handed to the CAV daemon, which carries them out.
CAV (Part 2)
• If a match is found in the DDI IP or Domain Allow List, the DDI IP or Domain Deny List and
NCCP (for C&C Server) checks are bypassed.
• If a match is found in the DDI URL Allow List, the DDI URL Deny List, NCCP (for C&C
Server) and Web Reputation Server (WRS) checks are bypassed.
• If no match is found in the DDI URL Deny List, the TMUFE daemon running the Trend Micro
URL Filtering Engine (TMUFE) is contacted to get the rating of the accessed website or
transferred URL. (If Retro Scan is enabled, the GUID and client IP address are submitted by
TMUFE with each query; this enables the C&C connections of monitored endpoints to be
tracked.)
• If a match is found in the DDI File (SHA1) Allow List:
- If the file is an Android APK file (type 4050), Mobile Application Reputation
Service (MARS) Query is bypassed.
- If the file is not an Android APK file, the file is not submitted to the Virtual
Analyzer (if enabled).
• If no match is found in the DDI File Allow List and the file is an Android APK file, the
MARS server is contacted to get the reputation of the application.
TCP Reset
• If the outbreak detection and traffic blocking functionality (Outbreak Containment
Services, OCS) is enabled from the Web Console, TCP reset packets are sent to both
communicating parties in an attempt to tear down the malicious session.
• If a match is found in the DDI IP or URL Deny List and the action is Monitor and Reset,
TCP reset packets can be sent to both communicating parties in an attempt to tear down
the malicious session.
DNS Spoofing
• If a match is found in the DDI Domain Deny List for a DNS (UDP) request and the action is
Monitor and Reset, DDI performs DNS spoofing: it sends a DNS response to the client with a
bogus IP address (for example 127.0.0.1 or ::1). The intention is that the client does not
resolve the domain name to the correct IP address and therefore cannot connect to the
intended server.
Note: The TCP Reset actions discussed above will not always succeed in preventing a connection from
being established: if the connection was already established before Deep Discovery Inspector
took the action, it may not be possible to reset it. Likewise, sending spoofed DNS responses may
not work every time, because the client may already have received the legitimate response to its
DNS query by the time Deep Discovery Inspector's spoofed response arrives; the appliance is racing
the real resolver.
Also note that the TCP reset packets and spoofed DNS responses are sent through the Deep Discovery
Inspector Management interface, so routes to the target hosts must be available from this
interface; if the management network cannot reach the monitored segment, these actions fail silently.
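The list-precedence and reset logic described under CAV (Part 2), TCP Reset and DNS Spoofing, modelled as an added example in Python. This is not Trend Micro code: it is a stand-in that reproduces the order of checks the text gives (allow list first, then deny list, then external reputation queries, then the reset action) so that, for a given event, you can see which lookups are skipped and which action would be attempted. The list contents, the Event fields, the file-type value used for APK files and the action names are assumptions made for the example.

```python
"""Model of DDI's allow/deny-list precedence (added example, not Trend Micro code).

All list entries below are constructed test data; the check order follows
the text: allow list -> deny list -> WRS/MARS lookups -> reset action.
"""
from dataclasses import dataclass, field

# Constructed stand-ins for the DDI Web Console allow and deny lists.
ALLOW = {
    "ip": {"10.0.0.5"},
    "domain": {"updates.example.com"},
    "url": {"http://cdn.example.com/agent.msi"},
    "sha1": {"3395856ce81f2b7382dee72602f798b642f14140"},  # eicar.com test file
}
DENY = {  # value = action configured for the entry
    "ip": {"203.0.113.7": "Monitor and Reset"},
    "domain": {"evil.example.net": "Monitor and Reset"},
    "url": {"http://bad.example.org/x.php": "Monitor only",
            "http://bad.example.org/rst.php": "Monitor and Reset"},
}
APK_FILE_TYPE = 4050   # file-type id the text gives for Android APK files


@dataclass
class Event:
    """One correlated network event; fields left empty are not present."""
    proto: str                 # "tcp" or "dns-udp" (assumed labels)
    dst_ip: str = ""
    domain: str = ""
    url: str = ""
    sha1: str = ""
    file_type: int = 0         # 0 = no file extracted


@dataclass
class Verdict:
    lookups: set = field(default_factory=set)   # external queries actually made
    skipped: set = field(default_factory=set)   # checks bypassed by an allow-list hit
    actions: set = field(default_factory=set)   # "tcp_reset" / "dns_spoof"


def correlate(ev: Event) -> Verdict:
    v = Verdict()
    ip_dom_allowed = ev.dst_ip in ALLOW["ip"] or ev.domain in ALLOW["domain"]
    url_allowed = ev.url in ALLOW["url"] if ev.url else False

    # 1. An IP/domain allow-list hit bypasses the IP/domain deny list; either an
    #    IP/domain or a URL allow-list hit bypasses the NCCP C&C-server rules.
    if ip_dom_allowed:
        v.skipped.add("ip/domain deny list")
    else:
        if DENY["ip"].get(ev.dst_ip) == "Monitor and Reset" and ev.proto == "tcp":
            v.actions.add("tcp_reset")          # RST sent to both parties
        if DENY["domain"].get(ev.domain) == "Monitor and Reset" and ev.proto == "dns-udp":
            v.actions.add("dns_spoof")          # bogus answer sent to the client
    if ip_dom_allowed or url_allowed:
        v.skipped.add("nccp c&c")
    else:
        v.lookups.add("nccp c&c")

    # 2. URL: the allow list bypasses the URL deny list and the WRS rating;
    #    only an unlisted URL is sent to TMUFE for a rating.
    if ev.url:
        if url_allowed:
            v.skipped.update({"url deny list", "wrs"})
        elif ev.url in DENY["url"]:
            if DENY["url"][ev.url] == "Monitor and Reset":
                v.actions.add("tcp_reset")
        else:
            v.lookups.add("wrs")

    # 3. File SHA1 allow list: an APK skips the MARS query, any other file
    #    skips Virtual Analyzer submission; an unlisted APK is sent to MARS.
    if ev.sha1:
        if ev.sha1 in ALLOW["sha1"]:
            v.skipped.add("mars" if ev.file_type == APK_FILE_TYPE else "virtual analyzer")
        elif ev.file_type == APK_FILE_TYPE:
            v.lookups.add("mars")
    return v


if __name__ == "__main__":
    for ev in (Event("tcp", dst_ip="203.0.113.7", url="http://bad.example.org/x.php"),
               Event("dns-udp", domain="evil.example.net"),
               Event("tcp", dst_ip="10.0.0.5", url="http://cdn.example.com/agent.msi",
                     sha1="3395856ce81f2b7382dee72602f798b642f14140")):
        print(ev, "->", correlate(ev))
```

The model deliberately stops at deciding the action. It does not reproduce the timing caveat from the note above: a real appliance still has to win the race against the already-established TCP session or the legitimate DNS answer, and must have a route to the target from its Management interface.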
VA Analysis
• If the file matches a Virtual Analyzer rule that has the Submit Files action, the CAV
daemon contacts the File Stream Server (fstream_serv) to store the file in the local
storage for analysis. (Refer back to the Threat Detection Overview diagram at the
beginning of this lesson for more information.)
Mitigation/Cleanup
• If a Mitigation Server is configured, the CAV daemon contacts the DCS Agent to initiate
the mitigation of the infected endpoint from the Mitigation Server. Deep Discovery
Inspector triggers mitigation for both known and potential security risks based on the
settings in the Network Content Correlation Pattern (NCCP) file and the cleanup settings
configured from the Web Console.
DTAS Sync
• Queries the database for the latest files to be uploaded to the Virtual Analyzer
• If GRID analysis is configured, performs a query to determine whether the file is whitelisted. The
file is only submitted to the Virtual Analyzer if it is not in the GRID whitelist.
• Retrieves the analysis report and blacklist feedback from the Virtual Analyzer and stores
them in the database.
• If new blacklist entries are created, DTAS Sync notifies the CAV daemon to reload the
blacklist.
All items in this Appendix are written in short, cheat-sheet style lists. For complete information, please
refer to the User Guide:
https://docs.trendmicro.com/all/ent/va_prep_tool/v5.3/en-us/va_image_prep_tool_5.3_ug.pdf
Office Applications
• Supported: 2003 and 2007 (32-bit only), 2010, 2013, 2016 and Office 365.
• Install MS Word, Excel, PowerPoint and Publisher.
• Disable updates for MS Office.
• Start each application once to dismiss any configuration pop-ups.
• Do not activate Office before the Virtual Analyzer Preparation Tool is used.
• Confirm the Office license permits running Office in a virtual machine.
• Enable macros.
Note: If Adobe PDF Reader is not installed, the Virtual Analyzer installs versions 9, 11 and DC (starting
with Windows 7) and uses ALL of them during analysis; this requires additional hardware
resources!
If required, you can reduce the size of the OVA file; see the section Reducing Size of
VirtualBox Disk Images above.
Note: Ensure that the Virtual Analyzer Preparation Tool supports the Deep Discovery product used.
A few recommendations apply when using Windows 10.
Generic Recommendations
• Reduce the number of common files sent to the Virtual Analyzer. Common files, such as
HTML, might cause a backlog on the Virtual Analyzer.
• Use a build earlier than Windows 10 RS3. Windows 10 RS3 has shown a significant
performance drop compared to earlier versions.
• If Windows 10 RS3 has to be used, install the operating system from a minimal ISO.
• If PDF files are regularly submitted, pre-install exactly one Adobe Reader version before
uploading the image to the DD product. If no Adobe Reader is installed, Virtual Analyzer installs
three different versions and all three are used for analysis.
• Reduce the number of sandbox instances per Virtual Analyzer image.
• For DDAn, allocate at least 30% more instances to Windows 10 than to other OS images; e.g. with
a total of 20 instances available, use 7 for Windows 7 and 13 for Windows 10.
• Continuously monitor the DDAn dashboard and confirm that the VA does not queue more
than 100 samples, that CPU stays below 80-90% and that the average processing time is below
600 seconds.
Windows 10 Pre-RS3
• Disable visual effects through System > Advanced System Settings > Performance.
• Uninstall unnecessary Windows components using PowerShell:
- Get-AppxPackage *Microsoft.3dbuilder* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.windowsalarms* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.windowscalculator* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.windowscommunicationsapps* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.windowscamera* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.officehub* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.skypeapp* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.getstarted* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.zunemusic* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.windowsmaps* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.solitairecollection* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.bingfinance* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.zunevideo* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.bingnews* | Remove-AppxPackage
- Get-AppxPackage *Microsoft.onenote* | Remove-AppxPackage