Deep Discovery 4.1 Advanced Threat Detection Certified Professional - Student Guide
Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect,
and TrendLabs are trademarks or registered trademarks of Trend Micro Incorporated.
All other product or company names may be trademarks or registered trademarks of
their owners.
Portions of this manual have been reprinted with permission from other Trend Micro
documents. The names of companies, products, people, characters, and/or data
mentioned herein are fictitious and are in no way intended to represent any real
individual, company, product, or event, unless otherwise noted. Information in this
document is subject to change without notice.
Trend Micro stands ahead of the competition in both its coverage of an enterprise's attack surface and the
extent to which it can deliver across the attack protection cycle: preventing, detecting and
responding to threats, and assessing, anticipating and mitigating cyber risks.
Previously, this depth of coverage and capability was only available to large, established
security organizations that could afford to custom-architect a platform integrating multiple
individual security systems with supporting analytics or threat intelligence solutions. Trend Micro One
offers a much broader range of organizations the advantages of a platform approach, without that
same heavy lifting.
Even organizations that have already invested in other point products can benefit from adopting Trend
Micro One. Each solution area within Trend Micro One is an opportunity to resolve an immediate pain
point while laying the groundwork for future consolidation, knowing that each additional capability will
mesh with what has already been deployed and unlock the added value that comes from the synergy of a
platform.
Trend Micro One enables organizations to prepare for, withstand, and rapidly recover from threats. It
does this by:
• Enabling organizations to meet multiple enterprise compliance requirements through:
- A wide range of threat defense capabilities that address multiple data privacy and security
needs across cloud, endpoint, email, SaaS application, network, and IoT environments.
- A globally distributed and certified SaaS-based platform that lets organizations confidently
secure their sensitive data while respecting regional privacy requirements.
• Enabling vendor consolidation and business agility by delivering multiple capabilities for
protecting cloud, endpoint, email, network, and IoT environments in a single unified cyber
security platform from a trusted, proven security partner.
• Central visibility and analysis of your risk posture across your entire environment, including risk
indicators and insights from third-party ecosystem solutions.
• Helping address the cyber security skills gap by streamlining vendor management with a unified
cyber security platform designed to protect cloud, endpoint, email, network, and IoT
environments.
• Lowering the impact on security teams, enabling them to be more effective with fewer resources
through automation, prioritized alerts and insights, and augmenting security teams with expert
services like Trend Micro™ Managed XDR, threat assessment, and incident response.
• Enhancing cyber threat resilience by continuously discovering the ever-changing attack surface,
understanding and prioritizing vulnerabilities, detecting and rapidly responding to threats, and
applying the right security at the right time to mitigate risk, supported by threat and
vulnerability insights from the global Trend Micro Research team.
Key Functionality
The Trend Micro One unified cyber security platform delivers advanced capabilities for protecting the
enterprise, including:
• Central visibility, continuous risk and threat assessment, and executive-level dashboard
reporting.
• Built-in capabilities for security operations like XDR and risk insights combined with market-
leading protection capabilities for securing cloud, endpoints, email, network, and IoT
environments.
• Native sensors for cloud, endpoint, email, network, and IoT environments combined with data
from a growing list of third-party security products for maximum insights.
• Data and insights from Trend Micro's global threat research team, including in-depth
knowledge of the latest threats, vulnerabilities, and cybercriminal activities.
• Common platform services like security engines and data analytics, combined with global
SaaS infrastructure for maximum protection and flexibility.
• Security services like Managed XDR, threat assessment, and incident response.
Portfolios
Product portfolios within Trend Micro One solve specific market needs and challenges, including:
Trend Micro also benefits from advanced cybercrime research, with support from law enforcement
agencies around the world. Trend Micro products block nearly 62B threats globally per year.
To maintain this immense scale of threat protection, Trend Micro has created one of the world’s most
extensive cloud-based protection infrastructures that collects more threat data from a broader, more
robust global sensor network to ensure customers are protected from the volume and variety of
threats today, including mobile and targeted attacks. New threats are identified quickly using finely
tuned automated custom data mining tools and human intelligence to root out new threats within
very large data streams.
Common Services
The products across the Trend Micro portfolios benefit from a collection of common services,
including:
• Account and license management
• Data architecture and analytics
• Core technology and security engines
• Software as a Service infrastructure
Ecosystem Integration
Trend Micro solutions are specifically designed for and tightly integrated with leading platforms and
applications, including:
• Cloud infrastructure solutions such as AWS, Microsoft Azure, Google Cloud, VMware, and
Docker.
• Cloud Apps including Microsoft 365, Google Workspace, and Dropbox.
• SIEM and SOAR solutions including Splunk, ArcSight, Microsoft Sentinel, IBM QRadar, and
Fortinet FortiSOAR.
• Security Tools including Qualys, Tenable, Checkpoint, and Palo Alto.
Customers can also connect into the Trend Micro ecosystem through various APIs.
Strong perimeter-focused network security is essential to any successful security strategy. Stopping an
intrusion or malware at the edge of the network is critical. This shouldn’t be a surprise to anyone,
however many organizations stop here and they miss the concept that perimeter-focused protection is
ill-equipped to stop today’s targeted attacks and advanced threats. Today’s attackers are skilled and
understand the security tools you are using to protect your network. They use evasion tactics to bypass
even the best perimeter defenses.
Organizations are migrating infrastructure to cloud (and multi-cloud) deployments, as well as creating
new, cloud-native applications.
Services centered on users (like email, storage, and others) are migrating to the cloud, while users
continue to be even more mobile than ever.
The extended network continues to expand, now reaching into the cloud as well as including
operational technologies (IoT, IIoT) like smart factories and more.
This diverse environment introduces new opportunities for attacks and the risk of unpatched and
unprotected vulnerabilities. Some of these are listed below.
There are risks, misconfigurations and vulnerabilities across the entire environment: a new set of
risks in the cloud, but also network vulnerabilities, challenges with old operating systems, and the
operational technology environment. There is also, of course, the endpoint, which attackers often
target first, via email and other means.
With tele-working setups more the norm than ever, organizations are forced to confront hybrid
environments and unsustainable security architectures. Enterprise software and cloud applications
used for remote work will be hounded by critical-class bugs.
Exposed APIs are the next favored attack vector for enterprise breaches. Attackers will quickly
weaponize newly disclosed vulnerabilities, leaving users with a narrow window for patching. The
unprecedented need for contact tracing will have malicious actors directing their attention to users'
gathered data.
For more information you can refer to the following article:
https://branden.biz/wp-content/uploads/2020/12/Turning-the-Tide-Trend-Micro-predictions-2021.pdf
Threat Classifications
Setting up cyber security requires both knowledge and know-how. Buying one or several security
products and being able to install them is a big part of it, but if you don't know what you are trying
to protect yourself from, you can't be certain that what you have is the right coverage.
Vulnerabilities can be known, unknown and undisclosed, and knowing if your protection approach
provides coverage for all of these is critical.
Known Vulnerabilities
Known vulnerabilities are known to the public and to security tools. These vulnerabilities or
threats are added to reputation databases, addressed by physical and virtual patches, have
security pattern files written for them, or have exploit signatures created to block them. Even
though vulnerabilities are known, many still get through – usually through unpatched software.
“Through 2020, 99% of the vulnerabilities exploited will continue to be ones known by security
and IT professionals for at least one year.”* Limited resources to implement patches and end-of-
life systems are the major reasons why systems remain unpatched. (* Source: Gartner, Inc. “It’s
Time to Align Your Vulnerability Management Priorities with the Biggest Threats.” 9 September
2016.)
Unknown Threats
Unknown threats have never been seen before and are usually created to specifically target an
individual or enterprise. These targeted attacks and advanced threats are customized to evade
your conventional security defenses, and can remain hidden while stealing your sensitive data or
encrypting critical data until ransom demands are met.
Unknown threats are often designed to impact a single system or a small group of hosts. These
targeted attacks typically combine multiple vectors, including, but not limited to, emails, links,
downloads, and lateral movement.
The use of “zero-day” has become a blanket term to describe any type of threat that has not yet
been disclosed but is being used by malicious operators. However, painting in such broad strokes
leaves enterprises vulnerable.
There are actually three different types of zero-day threats enterprises should be aware of:
Zero-day vulnerabilities: These are vulnerabilities that have not yet been discovered by, or disclosed to,
most of the world. For the 13th consecutive year, the ZDI has been the world leader in discovering
and disclosing zero-day vulnerabilities. In 2020, ZDI disclosed 60.5% of reported vulnerabilities,
more than all other vendors combined.
Zero-day exploits: When code is written to take advantage of a zero-day vulnerability, that is called a
zero-day exploit. Trend Micro uses a combination of technologies to detect zero-day exploits and
targeted attacks including machine learning, heuristics, anomaly detection, and sandboxing.
Zero-day malware: The vast majority of malware targets and exploits known software
vulnerabilities to gain elevated access privileges and infect the host system. If the malware is
known to security vendors, its hash signature can be detected in transport, allowing their
solutions to filter and block the malware. But by changing just one piece of the code, the entire
signature can be changed—creating a new, unknown malware that has never been seen. If that
new zero-day malware takes advantage of zero-day exploits or zero-day vulnerabilities (or even
both), it becomes nearly undetectable by conventional means. Integration of Trend Micro
Network One’s TPS with the sandbox can block the malware and automatically send suspicious
objects to the sandbox for further analysis. If it’s found to be malicious, the TPS will block all
future attacks.
When selecting a security vendor, knowledge is power. The security vendor may say they can protect you
from known and unknown threats, and while this may be a good starting point, you also need to worry
about gaining protection from undisclosed vulnerabilities.
Network Detection
Once inside the network, perimeter-focused security has no visibility to the attack and is oblivious to its
existence. The threat is free to move laterally across the network with little chance of being detected. You
need counter measures to ensure that malicious activity moving across your network from infected
machines is detected and dealt with appropriately.
Network detection and response (NDR) is an industry category that is growing in appreciation and
importance by cyber security professionals and the analyst community. Network detection and response
enables organizations to monitor network traffic moving inbound, outbound, and laterally across the
network for malicious activity and suspicious behavior. After the threat is detected, it can be responded
to at the network layer and beyond. Response measures can be automated or manual for threat hunting
or increased control.
Prevention
In network security, prevention should still be a priority. As the saying goes: “An ounce of prevention is
worth a pound of cure.” Stopping threats before they reach your network is critical, and a key to a Zero
Trust philosophy. However, being 100% secure is unrealistic—that’s why layered security is always a
requirement. Once the network has been breached, how quickly can it be detected and how prepared are
you to respond?
Trend Micro Network One expands upon traditional network detection and response, combining detection
and response capabilities with a powerful layer of protection. Trend Micro's Threat Protection System
(TPS) blocks threats before they reach the network and can provide proactive protection against
undisclosed vulnerabilities, protecting customers an average of 81 days before the release of a vendor
patch.
Trend Micro Network One™ is a family of solutions that brings together the Threat Protection System
(TPS) and advanced threat protection (ATP) methods. This provides in-line protection at wire speed with
very low latency, together with monitoring of out-of-band traffic and analysis of slow-moving or
time-delayed attacks.
While prevention should be the first step to any network security strategy, bad actors just need to get
their attack sequence correct one time, and they are able to get in. In the event malware, or a hacker,
does slip into the network, quick and accurate detection is critical. You need to know what the first point
of entry was, who in the environment is now impacted, and where the threat has started calling out to.
Once this is understood, response measures can be taken, including updating the protection devices to
block future attacks and stop call-outs to command and control (C&C) servers.
Together, Trend Micro Network One's network detection and response (NDR) and threat protection
system (TPS) provide protection from known, unknown, and undisclosed threats. By leveraging the Trend
Micro™ Zero Day Initiative™ (ZDI), the world's largest bug bounty program, along with machine learning,
heuristics, sandboxing, and other detection and blocking techniques, Trend Micro Network One keeps bad
actors at bay and quickly identifies breaches.
Deep Discovery
Monitoring lateral movement across protocols like SMB, RDP, SNMP and IRC is critical. If you don't have
a tool that monitors these protocols, you could be blind to an attack already underway. On average, a
threat goes undetected for several months because of a perimeter-focused security strategy: once the
threat gets inside the network, its traffic is not being monitored, on the assumption that the perimeter
tools blocked all the attacks.
Deep Discovery is designed to sit off a SPAN or TAP port so that it can monitor not only inbound and
outbound traffic but also traffic moving across the network monitoring over 100 protocols and all
ports. This broad visibility will help prevent undetected malware from moving freely across the
network. Deep Discovery will share its findings with the IPS to provide real-time enforcement and
remediation.
Trend Micro™ Deep Discovery™ protects against targeted attacks, advanced threats, and
ransomware, giving you the power to detect, analyze, and respond to today’s stealthy attacks in real
time.
• Inspects network traffic between client networks and critical server networks
• Receives alerts on lateral movement activities
• Views lateral movement alerts alongside alerts from other attack phases
TippingPoint
Trend Micro™ TippingPoint™ provides complete visibility into all network traffic and activity to keep
your network security ahead of targeted attacks that bypass traditional controls, exploit network
vulnerabilities, and ransom or steal sensitive data, communications, and intellectual property. Trend
Micro™ TippingPoint™ provides high-speed, in-line intrusion prevention system (IPS) inspection,
offering comprehensive threat protection against known and undisclosed vulnerabilities with high
accuracy and low latency.
• Deploys in-line between client networks and critical server networks
• Receives alerts on attempted and thwarted Lateral Movement activities
• Leverages configuration options to easily go from detection to prevention
Note: This training focuses solely on the Trend Micro Network One Network Detection and Response (NDR)
solutions offered by Trend Micro Deep Discovery.
For information on available training in your region for Threat Protection Systems (TPS) like Trend
Micro TippingPoint, please visit the Trend Micro Education Portal:
https://www.trendmicro.com/en_us/business/services/support-services/education.html
Endpoint protection (EPP) and endpoint detection and response (EDR) tools provide security
operations center (SOC) analysts and security professionals great insights into attacks at the
endpoint. However, they are still missing critical pieces of information about the attacks, such as
bring-your-own-device (BYOD) and third-party devices, industrial Internet of things (IIoT) and
Internet of things (IoT) systems, printers, and forgotten or mis-configured systems.
These systems don’t have an agent or can’t have an agent installed on them. Focused on a single
area—the traditional endpoint—EDR solutions are blind to all of these devices, leaving visibility
gaps across the network. Network Detection and Response (NDR) shines a light and provides
visibility to all devices connecting to the network, eliminating the blind spots so you can see the
managed and unmanaged devices that make up the attack landscape.
Analyst groups recognize that EDR solutions provide host-level telemetry as well as information
for forensic investigation. They are also seeing more SOCs implementing NDR solutions to
investigate alerts and obtain additional context about suspicious activity in the network.
Trend Micro Network One is a key part of Trend Micro Vision One™, delivering critical network
visibility to the XDR cyber defense center. It provides critical logs and visibility into unmanaged
systems, such as contractor/third-party systems, IoT and IIoT devices, printers, and BYOD
systems. By correlating the network data, the attack life-cycle becomes visible, showing what was
the first point of entry, who else is part of the attack (managed and unmanaged systems), and
where they are reaching out.
Traffic moves in all directions through the network. Perimeter protection is an essential part of
network security, however, if it is only watching the perimeter, it can give you a false sense of
security. In an instant, a threat can zip past the perimeter defenses undetected and wreak havoc
from within. An essential part of a successful detection and response strategy is visibility of
traffic moving laterally across the network. Trend Micro gives users visibility to traffic moving
north/south and east/west with a single device, unlike other vendors in this category, that require
a device at the perimeter, and a separate device to watch lateral movement, adding both costs
and complexity.
With as much as 90% of Internet traffic encrypted these days, if you don't have visibility into
encrypted workflows, you are running blind. That visibility often comes at a high price in
performance: TLS/SSL decryption can degrade the performance of network security tools by as much
as 90%. Even if TLS inspection is included in the price of the solution, the performance impact can
drive organizations to purchase devices well above their current throughput requirements just to
get TLS inspection at their required rate. Trend Micro offers cloud, server, and client TLS inspection
using the in-line proxy method: the appliance terminates the client's TLS session, presenting itself to
the client as the server, and opens a second TLS session to the real server, presenting itself as the
client. Through this method the appliance keeps the traffic encrypted on both legs, completing
decryption, inspection and re-encryption while preserving perfect forward secrecy (PFS) on each
session. Two practical consequences follow from this design: the inspecting appliance holds the
plaintext and must be protected accordingly, and for outbound inspection clients must trust the
certificate authority the appliance uses to re-sign server certificates, while inbound inspection of your
own servers requires those servers' keys. Further, Trend Micro solutions utilize hardware and
software acceleration to increase performance, reducing the need for over-provisioned appliances
in many cases.
Powered by XGen™ security, Deep Discovery combines specialized detection engines, custom
sandboxing, and global threat intelligence from the Trend Micro™ Smart Protection Network™ to identify
zero-day malware, malicious communications, and attacker activities. Deployed individually or as an
integrated solution, Deep Discovery works with Trend Micro and third-party network defense products to
provide advanced threat protection across your entire organization.
Deep Discovery Inspector is a virtual or hardware appliance that enables the detection of
network based targeted attacks and advanced threats. Deep Discovery Inspector monitors
network traffic across all ports and more than 100 protocols and applications. Using specialized
detection engines and custom sandboxing, it identifies the malware, command and control
communications (C&C), and activities signaling an attempted attack. Detection intelligence aids
your rapid response and is automatically shared with your other security products to block
further attacks.
Deep Discovery Analyzer provides advanced sandboxing analysis to extend the value of deployed
security such as endpoint protection, web and email gateways, firewalls, and other Deep
Discovery products. Deep Discovery Analyzer supports integration with many Trend Micro
products, manual suspicious sample submissions, and provides an open Web Services interface
to allow any product or process to submit suspicious samples and obtain results.
Deep Discovery Analyzer as a Service is an add-on to the virtual Deep Discovery Inspector
designed to provide cloud sandboxing capabilities. For smaller environments that require a
virtual form factor and cloud-based sandboxing, this solution will provide protection from
advanced threats and targeted attacks.
Using standards-based formats (STIX and YARA) and transport (TAXII), it pulls threat information
from several sources and shares the indicators of compromise (IOCs) with Trend Micro and third-
party products.
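As an added example (not Trend Micro code, and not an interface of any Deep Discovery product), the script below shows what has to happen between pulling a STIX 2.1 bundle over TAXII and having a list of suspicious objects to share: walk the bundle, skip revoked, expired and non-STIX-pattern indicators, parse the single-comparison patterns that atomic IOC feeds normally carry into typed IOCs, and carry the TLP marking along so it can be honoured when sharing onward. The bundle is constructed for this example (hashes and hosts are made up), and the mapping of pattern paths to IOC kinds is this example's own choice.

```python
"""Turn a STIX 2.1 indicator bundle into a flat list of suspicious objects.

Added example, not Trend Micro code. The bundle is constructed; the pattern
grammar handled is the single-comparison subset of STIX Patterning that atomic
IOC feeds normally carry; the kind names (sha256, domain, ...) are this example's.
"""
import json
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# One comparison: [object-type:property = 'value'], e.g. [domain-name:value = 'x.test']
_COMPARISON = re.compile(
    r"\[\s*(?P<otype>[a-z0-9-]+):(?P<path>[A-Za-z0-9_.'\-]+)\s*=\s*'(?P<value>[^']*)'\s*\]"
)

# (object type, property path) -> suspicious-object kind. Anything else is ignored
# on purpose: a feed must not be able to smuggle in an unexpected object kind.
_KIND_BY_PATH = {
    ("file", "hashes.'SHA-256'"): "sha256",
    ("file", "hashes.'SHA-1'"): "sha1",
    ("file", "hashes.MD5"): "md5",
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ip",
    ("url", "value"): "url",
}
_NORMALIZE_CASE = {"sha256", "sha1", "md5", "domain"}


def parse_pattern(pattern: str) -> List[Dict[str, str]]:
    """Extract (kind, value) pairs from one STIX pattern; handles [a] OR [b]."""
    iocs = []
    for m in _COMPARISON.finditer(pattern):
        kind = _KIND_BY_PATH.get((m.group("otype"), m.group("path")))
        if kind is None:
            continue
        value = m.group("value").strip()
        if kind in _NORMALIZE_CASE:
            value = value.lower()   # hashes and hostnames are case-insensitive; URL paths are not
        iocs.append({"kind": kind, "value": value})
    return iocs


def _parse_ts(ts: str) -> datetime:
    """STIX timestamps are RFC 3339 UTC with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def extract_suspicious_objects(bundle: dict, now_iso: Optional[str] = None) -> List[Dict[str, str]]:
    """Collect IOCs from live 'indicator' objects, tagging each with its TLP marking."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    objects = bundle.get("objects", [])
    tlp_by_id = {
        o["id"]: o["definition"]["tlp"]
        for o in objects
        if o.get("type") == "marking-definition" and o.get("definition_type") == "tlp"
    }
    out = []
    for obj in objects:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue                      # YARA/Snort/SIGMA patterns belong to other engines
        until = obj.get("valid_until")
        if until and _parse_ts(until) <= now:
            continue                      # expired indicator
        markings = [tlp_by_id.get(ref, "unknown") for ref in obj.get("object_marking_refs", [])]
        for ioc in parse_pattern(obj.get("pattern", "")):
            ioc["source"] = obj["id"]
            ioc["tlp"] = markings[0] if markings else "unmarked"
            out.append(ioc)
    return out


# Constructed sample bundle (not real threat data). The TLP:AMBER marking id is the
# fixed one from the STIX 2.1 specification; everything else is made up.
SAMPLE_BUNDLE = {
    "type": "bundle", "id": "bundle--0a7b1f2e-2a0e-4d7c-9a4d-5c1e8f2b3d41",
    "objects": [
        {"type": "marking-definition", "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
         "definition_type": "tlp", "definition": {"tlp": "amber"}},
        {"type": "indicator", "id": "indicator--11111111-1111-4111-8111-111111111111", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "a1" * 32 + "']",
         "object_marking_refs": ["marking-definition--f88d31f6-486f-44da-b317-01333bde0b82"]},
        {"type": "indicator", "id": "indicator--22222222-2222-4222-8222-222222222222", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'Update.Example-CDN.test'] OR [ipv4-addr:value = '192.0.2.45']",
         "valid_until": "2099-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--33333333-3333-4333-8333-333333333333", "pattern_type": "stix",
         "pattern": "[url:value = 'http://192.0.2.45/Stage2.bin']", "valid_until": "2020-01-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--44444444-4444-4444-8444-444444444444", "pattern_type": "stix",
         "revoked": True, "pattern": "[domain-name:value = 'old.example.test']"},
        {"type": "indicator", "id": "indicator--55555555-5555-4555-8555-555555555555", "pattern_type": "yara",
         "pattern": "rule x { strings: $a = \"x\" condition: $a }"},
    ],
}

if __name__ == "__main__":
    for ioc in extract_suspicious_objects(SAMPLE_BUNDLE, now_iso="2021-06-01T00:00:00Z"):
        print(json.dumps(ioc))
```

Run against the sample bundle, the expired URL, the revoked domain and the YARA-typed indicator are dropped, leaving three suspicious objects; in practice the dropped ones are worth logging, since a feed that suddenly revokes or expires many indicators is itself a signal.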
Deep Discovery Email Inspector uses advanced detection techniques to identify and block spear
phishing emails that are often used to deliver advanced malware and ransomware to
unsuspecting employees. By working seamlessly, and in tandem with your existing secure email
gateway, Email Inspector can detect and block purpose-built spear phishing emails along with
advanced threats and ransomware. Deep Discovery Email Inspector can be deployed in MTA
(blocking), BCC mode (monitor only), or SPAN/TAP mode.
[Figure: sample Deep Discovery deployment showing Deep Discovery Email Inspector on the email path, Apex One Security Agents, the DMZ, Deep Discovery Director, Deep Discovery Inspector, Smart Protection Server, SMS Threat Insights, Deep Discovery Analyzer, and Apex Central]
Deep Discovery Analyzer also provides a Web Services API to allow integration with any third-party
product, and a manual submission feature for threat research.
Layered Security
Modern organizations are threatened by the complexity of today’s threat landscape, and can struggle
to drive value from using multiple point solutions. That’s where using a layered security approach can
help.
Blending Deep Discovery Analyzer with other threat detection techniques optimizes detection rates
and your ability to respond by allowing you to use the right technique at the right time to deal with
threats. Simultaneously, by layering security, you are improving visibility and streamlining
investigation across your entire organization.
Key Benefits
Deep Discovery Analyzer optimizes your security by providing the following benefits:
• Protection from suspicious URLs and files
• Definitive answers on potential threats
• Automation of threat intelligence sharing
• A reduction in exposure to hidden threats
Deep Discovery Analyzer ensures optimized performance with a scalable solution able to keep
pace with email, network, endpoint, and any additional source of samples.
Custom Sandboxing
Deep Discovery Analyzer performs sandbox simulation and analysis in environments that match
the desktop software configurations attackers expect in your environment and ensures optimal
detection with low false-positive rates.
Deep Discovery Analyzer examines a wide range of Windows executable, Microsoft Office, PDF,
web content, and compressed file types using multiple detection engines and sandboxing.
YARA Rules
Deep Discovery Analyzer uses YARA rules to identify malware. YARA rules are malware detection
patterns that are fully customizable to identify targeted attacks and security threats specific to
your environment.
Using specialized detection and sandboxing, Deep Discovery Analyzer discovers malware and
exploits that are often delivered in common office documents and other file formats.
Deep Discovery Analyzer performs page scanning and sandbox analysis of URLs that are
automatically submitted by integrating products.
Detailed Reporting
Deep Discovery Analyzer delivers full analysis results including detailed sample activities and
Command & Control communications via central dashboards and reports.
Alert Notifications
Alert notifications provide immediate intelligence about the state of Deep Discovery Analyzer.
Clustered Deployment
Multiple standalone Deep Discovery Analyzer appliances can be deployed and configured to form
a cluster that provides fault tolerance, improved performance, or a combination thereof.
Deep Discovery Analyzer enables out-of-the-box integration to expand the sandboxing capacity
of Trend Micro email and web security products.
Sample Submissions
Deep Discovery Analyzer allows sample submissions using one of the following:
• Integrated security products through web services API
• Manual submissions on the management console
• Email submissions from permitted sender domains and SMTP servers
• ICAP clients
• Network share scanning
• Manual Submission Tool
Deep Discovery Analyzer shares new IOC detection intelligence automatically with other Trend
Micro solutions and third-party security products.
ICAP Integration
Deep Discovery Analyzer supports integration with Internet Content Adaptation Protocol (ICAP)
clients. After integration, Deep Discovery Analyzer can perform the following functions:
• Work as an ICAP server that analyzes samples submitted by ICAP clients
• Serve User Configuration Pages to the end user when the specified network behavior
(URL access / file upload / file download) is blocked
• Control which ICAP clients can submit samples by configuring the ICAP Client list
• Bypass file scanning based on selected MIME content-types
• Bypass file scanning based on true file types
• Bypass URL scanning in RESPMOD mode
• Scan samples using different scanning modules
• Filter sample submissions based on the file types that Virtual Analyzer can process
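The exchange behind the first bullet, as an added example rather than code from the product: a minimal ICAP (RFC 3507) client that encapsulates a downloaded HTTP response in a RESPMOD request, sends it to the ICAP server and interprets the reply. The server address ddan.example.local:1344 and service path /respmod are placeholders for whatever the Deep Discovery Analyzer ICAP settings show (1344 is only the protocol's registered port), the HTTP download and the two replies are constructed, and the X-Infection-Found / X-Virus-ID handling covers a widely used ICAP extension, not a header this guide documents.

```python
"""Minimal ICAP client: submit a downloaded file via RESPMOD and read the verdict.

Added example, not Trend Micro code. ddan.example.local:1344 and /respmod are
placeholders for the values in the Deep Discovery Analyzer ICAP settings; the
HTTP download and the ICAP replies below are constructed.
"""
import socket
from typing import Dict

CRLF = b"\r\n"


def _with_blank_line(hdr: bytes) -> bytes:
    """An encapsulated HTTP header block must end with an empty line."""
    return hdr if hdr.endswith(CRLF + CRLF) else hdr.rstrip(b"\r\n") + CRLF + CRLF


def _chunked(body: bytes) -> bytes:
    """Encapsulated bodies use HTTP chunked encoding; the zero chunk ends them."""
    out = (b"%x" % len(body) + CRLF + body + CRLF) if body else b""
    return out + b"0" + CRLF + CRLF


def build_respmod(service_url: str, req_hdr: bytes, res_hdr: bytes, res_body: bytes) -> bytes:
    """Assemble a RESPMOD request.

    Encapsulated carries the byte offset of each section within the ICAP body, so it
    must be computed from the real header lengths; a wrong offset is the commonest
    reason an ICAP server rejects or misreads a hand-built request.
    """
    host = service_url.split("://", 1)[1].split("/", 1)[0]
    req_hdr, res_hdr = _with_blank_line(req_hdr), _with_blank_line(res_hdr)
    encapsulated = "req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = CRLF.join([
        b"RESPMOD " + service_url.encode() + b" ICAP/1.0",
        b"Host: " + host.encode(),
        b"Allow: 204",                   # let the server answer 204 when the object is unmodified
        b"Connection: close",
        b"Encapsulated: " + encapsulated.encode(),
    ]) + CRLF + CRLF
    return icap_hdr + req_hdr + res_hdr + _chunked(res_body)


def parse_icap_response(raw: bytes) -> Dict[str, object]:
    """Map the ICAP status (plus detection headers, where the server sends them) to a verdict."""
    head, _, encapsulated = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"ICAP/"):
        raise ValueError("not an ICAP status line: %r" % lines[0])
    status = int(parts[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    if status == 204:
        verdict = "allow"                # unmodified: nothing found
    elif status == 200:
        verdict = "modified"             # response replaced, typically by a block page
    else:
        verdict = "error"                # 4xx/5xx: failing open or closed is a policy decision; log it
    # Extension headers from draft-stecher-icap-subid; common, but not sent by every server.
    if "x-infection-found" in headers or "x-virus-id" in headers:
        verdict = "block"
    return {"status": status, "verdict": verdict, "headers": headers, "encapsulated": encapsulated}


def scan_download(icap_host, icap_port, service_url, req_hdr, res_hdr, res_body, timeout=60.0):
    """The only function that touches the network; builder and parser above are pure."""
    request = build_respmod(service_url, req_hdr, res_hdr, res_body)
    with socket.create_connection((icap_host, icap_port), timeout=timeout) as sock:
        sock.sendall(request)
        reply = b""
        while True:                      # we asked for Connection: close, so read until EOF
            data = sock.recv(65536)
            if not data:
                break
            reply += data
    return parse_icap_response(reply)


# Constructed sample download: a 6-byte "executable" fetched through a proxy client.
SAMPLE_REQ_HDR = b"GET /files/invoice.exe HTTP/1.1\r\nHost: downloads.example.test\r\n\r\n"
SAMPLE_RES_HDR = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 6\r\n\r\n"
SAMPLE_RES_BODY = b"MZ\x90\x00\x03\x00"
# Constructed replies in the shape RFC 3507 prescribes (ISTag/threat name are made up).
SAMPLE_REPLY_CLEAN = b"ICAP/1.0 204 Unmodified\r\nISTag: \"sandbox-1\"\r\nConnection: close\r\n\r\n"
SAMPLE_REPLY_BLOCKED = (
    b"ICAP/1.0 200 OK\r\nISTag: \"sandbox-1\"\r\n"
    b"X-Infection-Found: Type=0; Resolution=2; Threat=Trojan.Sample;\r\n"
    b"Encapsulated: res-hdr=0, res-body=45\r\n\r\n"
    b"HTTP/1.1 403 Forbidden\r\nContent-Length: 7\r\n\r\n7\r\nblocked\r\n0\r\n\r\n"
)

if __name__ == "__main__":
    req = build_respmod("icap://ddan.example.local:1344/respmod", SAMPLE_REQ_HDR, SAMPLE_RES_HDR, SAMPLE_RES_BODY)
    print(req.decode("latin-1"))
    print(parse_icap_response(SAMPLE_REPLY_CLEAN)["verdict"], parse_icap_response(SAMPLE_REPLY_BLOCKED)["verdict"])
```

The builder and parser are kept free of I/O so the framing can be checked without a server; `scan_download` is the piece to call from a real ICAP client once the Deep Discovery Analyzer ICAP client list permits the submitting host.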
Note: For a complete list of hardware specifications you can refer to the Deep Discovery Analyzer
Installation and Deployment Guide.
Note: For additional information on supported operating systems you can refer to the following:
https://docs.trendmicro.com/all/ent/va_prep_tool/v6.2/en-us/va_image_prep_tool_6.2_ug.pdf
Network Requirements
Deep Discovery Analyzer requires a connection to a management network, which usually is the
organization’s intranet.
The management network is used for Deep Discovery Analyzer web console access and for
communications with other Trend Micro products that submit samples and receive Suspicious Objects
and Analysis Results from Deep Discovery Analyzer. After deployment, administrators can perform
configuration tasks from any computer on the management network.
Although Deep Discovery Analyzer only requires one network connection, to the management network, it
is highly recommended to create a separate custom network that provides Internet access to the
sandbox environments but is isolated from the rest of the management network. This lets Virtual
Analyzer observe what a sample does when it attempts to connect to the Internet, while preventing
malware from spreading into the management network.
Custom networks are ideally connected to the Internet but may be configured with their own proxy
settings, proxy authentication, and connection restrictions. Deep Discovery Analyzer provides the
option to configure proxies for custom networks, with support for proxy authentication.
Note: If Deep Discovery Analyzer is integrated with Vision One, there will be network connections
needed for Trend Micro Service Gateway as well.
Many of the ports used by Deep Discovery Analyzer are described below.
In Trend Micro Vision One environments, the Trend Micro Service Gateway is used to provide
services to connected products and third-party applications. Configure your product with the
following ports and URLs if your Deep Discovery devices are connected to Trend Micro Vision
One:
• 80: Service queries, Predictive Machine Learning, File Reputation Services, or Third-
Party Integration queries
• 443: Service queries, Predictive Machine Learning, File Reputation Services, or Third-
Party Integration queries
• 5274: Web Reputation Services or Web Inspection Service queries
• 5275: Web Reputation Services or Web Inspection Service queries
• 8080: Forward Proxy Service listening port for connection
• 8088: Zero Trust Secure Access On-Premises Gateway listening port for connection
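Before connecting Deep Discovery devices to Trend Micro Vision One it is worth confirming that the firewall path to the Service Gateway is actually open on these ports. The script below is an added example, not Trend Micro tooling: it attempts a TCP handshake to each port in parallel and distinguishes a refused connection (host answers, nothing listening) from a timeout (a SYN most likely dropped by a firewall on the path). The address 192.0.2.10 is a documentation placeholder to be replaced with the real Service Gateway address, and a completed handshake only proves the path, not that the service behind it is healthy.

```python
"""TCP pre-flight check for the Service Gateway ports listed above.

Added example (not Trend Micro tooling). 192.0.2.10 is a documentation
placeholder, not a real Service Gateway address.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple

# Port -> purpose, as listed in the guide.
SERVICE_GATEWAY_PORTS = {
    80: "service queries, Predictive Machine Learning, File Reputation, third-party integration",
    443: "service queries, Predictive Machine Learning, File Reputation, third-party integration",
    5274: "Web Reputation Services / Web Inspection Service queries",
    5275: "Web Reputation Services / Web Inspection Service queries",
    8080: "Forward Proxy Service listener",
    8088: "Zero Trust Secure Access On-Premises Gateway listener",
}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> Tuple[bool, str]:
    """Attempt a TCP handshake and return (reachable, reason).

    Refused means the host answered but nothing listens on that port; a timeout
    usually means a firewall somewhere on the path dropped the SYN.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "open"
    except socket.timeout:
        return False, "timeout (probably filtered)"
    except ConnectionRefusedError:
        return False, "refused (host up, nothing listening)"
    except OSError as exc:                # DNS failure, no route, etc.
        return False, "error: %s" % exc


def check_ports(host: str, ports: Iterable[int], timeout: float = 3.0) -> Dict[int, Tuple[bool, str]]:
    """Probe all ports concurrently so the worst case is one timeout, not six."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=max(1, len(ports))) as pool:
        return dict(pool.map(lambda p: (p, tcp_reachable(host, p, timeout)), ports))


def report(host: str, results: Dict[int, Tuple[bool, str]]) -> str:
    """One line per port, sorted, with the guide's purpose text beside the outcome."""
    lines = ["Service Gateway %s" % host]
    for port in sorted(results):
        ok, why = results[port]
        purpose = SERVICE_GATEWAY_PORTS.get(port, "unknown purpose")
        lines.append("  %5d  %-4s  %-36s  %s" % (port, "OK" if ok else "FAIL", why, purpose))
    return "\n".join(lines)


def selftest() -> bool:
    """Exercise the checker against a local listener and a closed local port (no network needed)."""
    lst = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lst.bind(("127.0.0.1", 0))
    lst.listen(1)                         # the kernel completes the handshake without accept()
    open_port = lst.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                           # nothing listens here any more
    try:
        ok_open, _ = tcp_reachable("127.0.0.1", open_port, timeout=2.0)
        ok_closed, why = tcp_reachable("127.0.0.1", closed_port, timeout=2.0)
    finally:
        lst.close()
    return ok_open and not ok_closed and why.startswith("refused")


if __name__ == "__main__":
    gateway = "192.0.2.10"                # placeholder; use the real Service Gateway address
    print(report(gateway, check_ports(gateway, SERVICE_GATEWAY_PORTS)))
```

Run it from the Deep Discovery device's management network (or a host on the same segment), since that is the path the product will use; a result from an administrator's workstation proves nothing about the appliance's own egress rules.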
Shown below are the characteristics included for each category. Deep Discovery Analyzer performs
analysis on each sample searching for these common malware characteristics and suspicious activities.
During analysis, Virtual Analyzer rates these characteristics in context and then assigns a risk level to the
object based on the accumulated ratings.
Preconfiguration Console
The Deep Discovery Analyzer preconfiguration console is a Bash-based (Unix shell) interface used to
configure or change network settings, view high availability details, ping remote hosts, and change
the preconfiguration console password.
In order to access the Deep Discovery Analyzer preconfiguration console, you will need:
• Monitor and VGA cable: Connects to the VGA port of the appliance
• USB keyboard: Connects to the USB port of the appliance
• USB mouse: Connects to the USB port of the appliance
• Ethernet cables:
- One cable connects the management port of the appliance to the management
network.
- One cable connects a custom port to an isolated network that is reserved for
sandbox analysis
Note: If using high availability, one cable connects eth3 to eth3 on an identical Deep Discovery Analyzer
appliance.
The following describes the Deep Discovery Analyzer preconfiguration console login process.
• Connect a USB keyboard and VGA monitor to the Deep Discovery Analyzer appliance (or
VMware console if using a virtual deployment).
- SSH is not enabled by default
- Default IP address: 192.168.252.2
• Log in to the Deep Discovery Analyzer preconfiguration console, using the following
default credentials at the command prompt. These credentials are published in every copy of
this guide, so change the password as part of the initial setup:
- DDAN login: admin
- Password: Admin1234!
The process for configuring or changing the network settings for Deep Discovery Analyzer using
the preconfiguration console is the following.
1 Log in to the Deep Discovery Analyzer Pre-configuration Console using the default user name
and password: admin / Admin1234!
2 Once you are logged in to the preconfiguration console, select Configure appliance IP address.
3 Fill in the IPv4 address, subnet, gateway and DNS information, then select Save.
Note: Once the required network settings have been configured for Deep Discovery Analyzer as
described above, it will now be possible to use the web-based management console for additional
set up and management of Deep Discovery Analyzer.
The Deep Discovery Analyzer web console can be accessed from any computer on the management
network using one of the following web browsers:
• Microsoft Edge™
• Google Chrome™
• Mozilla Firefox™
In order to access the Deep Discovery Analyzer web console, you will need:
• Internet-enabled computer: A computer with the following software installed:
- Microsoft Internet Explorer 9, 10 or 11, Microsoft Edge, Google Chrome, or Mozilla Firefox
• IP addresses:
- One static IP address in the management network
- If sandbox instances require Internet connectivity, one extra IP address for Virtual
Analyzer
- If using high availability, one extra virtual IP address
To log in to the Deep Discovery Analyzer web console, open a supported browser window and
type the following URL:
https://<Appliance IP Address>/pages/login.php
Note: If this is the first time you log in to the Deep Discovery Analyzer web console, you will be
prompted to change your password.
Procedure Overview
1 Activate the product license using a valid Activation Code.
2 Specify the Deep Discovery Analyzer host name and IP address.
3 Configure proxy settings if Deep Discovery Analyzer connects to the management network or
Internet through a proxy server.
4 Configure date and time settings to ensure that Deep Discovery Analyzer features operate as
intended.
The License Details will be presented. To enter a new activation code, click New Activation Code then
copy/paste a valid license string.
To configure the host name, the IPv4 and IPv6 addresses, and other Deep Discovery Analyzer network
settings (including TLS 1.2 enforcement), go to Administration > System Settings and select Network.
An IPv4 address is required and the default is 192.168.252.2. Modify the Deep Discovery Analyzer
IPv4 address immediately after completing all deployment tasks.
You can select Enable TLS 1.2 to enhance data security for inbound and outbound connections on
Deep Discovery Analyzer. To be compliant with the Payment Card Industry Data Security Standard
(PCI-DSS) v3.2, the appliance should use only TLS 1.2 for all inbound and outbound connections.
Before enforcing it, confirm that every integrated submitter product can negotiate TLS 1.2; a
product that cannot will no longer be able to submit samples or retrieve results.
To configure a proxy go to Administration > System Settings > Proxy and configure the settings for
your proxy.
To configure time settings, go to Administration > System Settings > Time and configure timezone and
NTP server settings for your geographic location.
Dashboard Overview
If you are new to Deep Discovery Analyzer, and you have completed the previously discussed post
deployment procedure, a great next step is to get familiar with the Deep Discovery Analyzer web console
Dashboard.
Note: This section can be skipped if you have already used Deep Discovery Analyzer before.
Once you have successfully logged in to the Deep Discovery Analyzer web console, you will be presented
with the Dashboard page, where widgets summarize various aspects of Deep Discovery Analyzer operation.
Widgets can be added to or removed from any of the tabs shown as needed, and the tabs themselves and
their layout can be customized to suit your requirements.
Additionally, by clicking the System Status from the Dashboard view, you can view system status
information for the Deep Discovery Analyzer such as the Virtual Analyzer sandbox usage and status.
Another useful widget on this tab is Average Virtual Analyzer Processing Time, that allows you to see the
average Virtual Analyzer analysis time and the Total processing time for a specified time period.
Sandbox Components
- Fake Server: Part of the network emulation facility that provides FTP, IRC and SMTP
server emulation.
- Fake Web Server: Part of the network emulation facility that provides HTTP and HTTPS
emulation. This enables many trojans, downloaders and worms that need to connect to web
servers to run.
If a connection to a requested server is not currently available, the request is redirected to
the Fake Server or Fake Web Server. These fake servers return fake responses to requests in the
hope of keeping the malware executing so that it exhibits more behavior. The Fake Server
provides a simple response to each request it receives.
• Bait Files: Bait document files are copied to the removable devices before each sample is
executed, to attract malware that infects removable devices.
Docode Scanner
Script-based exploits are widely used by malicious documents; because they are normally
obfuscated, they easily evade static signature-based solutions.
Dynamic emulation allows Inspector to simulate the execution of a script in order to study its
behavior. These behaviors may include heap spray techniques, return-oriented programming (ROP),
function calls with the specific parameters used by a specific CVE, and any other anomalous usage.
Dynamic analysis is necessary because an exploit may not trigger if it is not running in, or does
not detect, the environment it expects, or if it believes it is being analyzed.
Deep Discovery Analyzer performs both Behavior Analysis and Dynamic Emulation for documents.
The Docode Scanner is the command-line tool used to scan and detect document exploit files
(PDF, Flash, Java and Office files) using JavaScript and shellcode emulation.
The Heuristics Engine uses dynamic emulation and rule-based decisions:
• Dynamic behavior
- Fingerprint of CVE & Exploit Kits
- Runtime characteristics (Method calls, sequence, call stack, parameters)
- Packer
- Heap spray
• Static info
- Script characteristics
- Script semantics
- Format
ATSE focuses on heuristic static analysis (for best performance, 100ms/file) and Script Analyzer
focuses on dynamic behavioral analysis.
DTAS Sync
DTAS (Dynamic Threat Analysis System) Sync is the interface used for communications between
Deep Discovery Inspector and the Virtual Analyzer.
DTAS Sync regularly queries the Deep Discovery Inspector to see if there is a file or files to be
analyzed and performs the following functions:
• If GRID (Certified Safe Software Service) is enabled, send the suspicious file hash to GRID to
determine whether the file is whitelisted and therefore should not be submitted to the
Virtual Analyzer for analysis.
• Submit suspicious file samples to the Virtual Analyzer for analysis.
• Retrieve reports for analyzed files and store them in the Deep Discovery Inspector PostgreSQL
database.
• Retrieve feedback for analyzed files and store it in the Deep Discovery Inspector PostgreSQL
database. The block list is loaded by the Network Content Correlation Engine (CAV daemon)
to detect related threats.
Note: If Deep Discovery Inspector is using a built-in Virtual Analyzer, DTAS Sync queries every 20
seconds (default), and if Deep Discovery Inspector is sending files to Deep Discovery Analyzer,
then DTAS Sync queries every 5 minutes.
The DTAS Sync Queue in Deep Discovery Inspector (version 5.0 and above) will always process
submissions in a First In First Out (FIFO) manner. This means that the oldest entries (file samples)
found in the database will be processed first and will be submitted for file analysis. In previous
versions of Deep Discovery Inspector, an administrator could configure DTAS Sync to use LIFO
(Last In First Out) or FIFO to process file submissions. This is no longer the case, and the
corresponding Queue Type setting has been removed from the Deep Discovery Inspector Debug
Portal page (RDQA).
The following is a summary of steps required to create a custom sandbox and import it for use by
Virtual Analyzer:
1 Prepare and install the required components and software on the Custom Sandbox VM Image.
2 Import the Custom Sandbox VM Image to Deep Discovery Analyzer Virtual Analyzer.
(Steps will be similar for importing the sandbox image into Deep Discovery Inspector and Deep
Discovery Email Inspector internal Virtual Analyzer.)
Note: VMware Tools must NOT be installed on the sandbox image, because some malware uses its
presence to detect a virtual machine and stop executing.
The Virtual Analyzer Image Preparation Tool verifies that all of the above configuration
requirements have been met and also disables the services that need to be removed for proper
sandbox functionality.
This tool can be obtained directly from the Trend Micro Download Center or using the provided
download link in the Deep Discovery Inspector web console.
Deep Discovery Inspector only supports the import of custom sandbox images up to 20 GB in size.
For additional information on importing a custom sandbox using the VA Image Preparation Tool you
can refer to:
https://docs.trendmicro.com/all/ent/va_prep_tool/v6.2/en-us/va_image_prep_tool_6.2_ug.pdf
Note: The import process will fail if any of the required software is not found in the sandbox image.
Network Folder
- Uses the specified share path of a network folder to download the sandbox VM image.
Later, each of the above options will be examined in more detail through the Deep Discovery
Analyzer web console.
Note: This section can be skipped if your organization does not use Linux sandbox images.
There are two methods to prepare a Virtual Analyzer-supported Linux OVA file as described below.
Method 1 - Use the Predefined Linux Virtual Analyzer Image from Trend Micro
The Trend Micro predefined Linux Virtual Analyzer image is based on CentOS 7.8 and comes with
all required packages installed and an optimized system settings configuration.
The image can be obtained from the Trend Micro Download Center as shown below, or from your
support provider. After customizing the image for your environment, run the Virtual Analyzer
Image Preparation Tool (also available from the Trend Micro Download Center or your support
provider) to validate the image before importing it into Deep Discovery Analyzer.
Optionally, you can create your own Virtual Analyzer-supported Linux OVA file from scratch.
For complete details you can refer to the Virtual Analyzer Image Preparation Tool User's Guide
at:
http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx
Procedure
The following packages must be installed on the virtual machine to achieve satisfactory
detection results:
Required packages (CentOS 7.8 repository versions):
• glibc-2.17-307.el7.1
• glibc-devel-2.17-307.el7.1
• glibc-2.17-307.el7.1.i686
• kernel-3.10.0-1127.el7.x86_64
• libcurl-7.29.0-57.el7
• libcurl-devel-7.29.0-57.el7
• zip-3.0-11.el7
• bash-4.2.46-34.el7.x86_64
• samba-4.10.4-10.el7
Libraries that must also be present:
• glibc-devel
• libstdc++ debuginfo
• libgcc
• zlib
• openssl
• libcurl
Note: The VirtualBox Open Source Edition is licensed under the GPL V2. The full text of the license is
available at http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
• Go through the wizard to set up all additional settings for the image.
For additional help you can refer to the Virtual Analyzer Image Preparation Tool User's
Guide at: http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx.
• IMPORTANT STEP: After the Begin Installation screen, on the CONFIGURATION screen,
set the ROOT PASSWORD to 1111. Do not use a different password here. Because this root
password is fixed and well known, the sandbox image must only ever be reachable on the
isolated network reserved for sandbox analysis.
Modify the virtual machine environment to run Virtual Analyzer Sensors, a collection of utilities
that execute and detect malware, and record all behavior in Virtual Analyzer.
Step 1: Verify that the network interface is able to get an IP address and connect to the network.
Type nmcli to check the network interface status.
Note: If the network interface is disconnected, type ifup "<network interface name>" to connect
the network interface.
Step 2: Verify that the network interface is enabled on boot.
Edit the network interface configuration file
/etc/sysconfig/network-scripts/ifcfg-<network interface name>, and modify the following line:
ONBOOT=yes
Step 3: Disable SELinux.
Edit the SELinux configuration file /etc/selinux/config, and modify the following line:
SELINUX=disabled
Step 4: Verify that all required packages are installed.
Use the Virtual Analyzer Image Preparation Tool to automatically install missing packages, or
install them manually.
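The steps above are easy to miss one of when an image is rebuilt, so the following added example (not Trend Micro code, and not the Image Preparation Tool) checks the three requirements from a copy of the ifcfg file, /etc/selinux/config and `rpm -qa` output. The file contents and package list embedded below are constructed sample data; against a real image you would feed it the real files and the real `rpm -qa` output.

```python
"""Pre-flight check for a custom Linux Virtual Analyzer image.

Added example (not Trend Micro code). Checks ONBOOT=yes in the ifcfg file,
SELINUX=disabled in /etc/selinux/config, and that the required packages
appear in `rpm -qa` output. All sample inputs below are constructed.
"""
import re

# Package names taken from the required-package list above (versions omitted).
REQUIRED_PACKAGES = {
    "glibc", "glibc-devel", "kernel", "libcurl", "libcurl-devel", "zip",
    "bash", "samba", "libstdc++", "libgcc", "zlib", "openssl",
}


def parse_kv(text):
    """Parse shell-style KEY=VALUE lines, skipping blanks and # comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[key.strip()] = value.strip().strip('"')
    return settings


def package_names(rpm_qa_output):
    """Reduce NAME-VERSION-RELEASE[.ARCH] lines from `rpm -qa` to bare names."""
    names = set()
    for line in rpm_qa_output.splitlines():
        line = line.strip()
        if not line:
            continue
        line = re.sub(r"\.(x86_64|i686|noarch)$", "", line)  # drop architecture
        names.add(line.rsplit("-", 2)[0])  # drop the VERSION and RELEASE fields
    return names


def check_image(ifcfg_text, selinux_text, rpm_qa_output):
    """Return a list of findings; an empty list means the image passes."""
    findings = []
    if parse_kv(ifcfg_text).get("ONBOOT", "").lower() != "yes":
        findings.append("network interface not enabled on boot (set ONBOOT=yes)")
    if parse_kv(selinux_text).get("SELINUX", "").lower() != "disabled":
        findings.append("SELinux not disabled (set SELINUX=disabled)")
    missing = sorted(REQUIRED_PACKAGES - package_names(rpm_qa_output))
    if missing:
        findings.append("missing packages: " + ", ".join(missing))
    return findings


# Constructed sample inputs: the same image before and after the fixes.
IFCFG_BEFORE = 'TYPE="Ethernet"\nNAME="eth0"\nDEVICE="eth0"\nONBOOT=no\nBOOTPROTO=dhcp\n'
IFCFG_AFTER = IFCFG_BEFORE.replace("ONBOOT=no", "ONBOOT=yes")
SELINUX_BEFORE = ("# This file controls the state of SELinux on the system.\n"
                  "SELINUX=enforcing\nSELINUXTYPE=targeted\n")
SELINUX_AFTER = SELINUX_BEFORE.replace("enforcing", "disabled")
RPM_AFTER = "\n".join([
    "glibc-2.17-307.el7.1.x86_64", "glibc-devel-2.17-307.el7.1.x86_64",
    "glibc-2.17-307.el7.1.i686", "kernel-3.10.0-1127.el7.x86_64",
    "libcurl-7.29.0-57.el7.x86_64", "libcurl-devel-7.29.0-57.el7.x86_64",
    "zip-3.0-11.el7.x86_64", "bash-4.2.46-34.el7.x86_64",
    "samba-4.10.4-10.el7.x86_64", "libstdc++-4.8.5-44.el7.x86_64",
    "libgcc-4.8.5-44.el7.x86_64", "zlib-1.2.7-18.el7.x86_64",
    "openssl-1.0.2k-19.el7.x86_64",
])
RPM_BEFORE = "\n".join(l for l in RPM_AFTER.splitlines() if not l.startswith("samba"))

if __name__ == "__main__":
    for finding in check_image(IFCFG_BEFORE, SELINUX_BEFORE, RPM_BEFORE):
        print("FAIL:", finding)
    print("after fixes:", check_image(IFCFG_AFTER, SELINUX_AFTER, RPM_AFTER) or "OK")
```

Run it as the last step before exporting the OVA; an empty findings list is the condition under which the Image Preparation Tool import described later should succeed on these three points.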
A summary of the process for reducing the size of VirtualBox disk images is described below.
• Uninstall unnecessary applications and optional Windows components
• Run Disk Cleanup to free up space on the hard disk. The utility searches for files and data
that you can safely delete
• Use Deployment Image Servicing and Management (DISM) to free up space on the hard
disk. For details, see the Microsoft Developer resource website:
https://msdn.microsoft.com/en-us/windows/hardware/commercialize/manufacture/desktop/clean-up-the-winsxs-folder
• Download SDelete and then zero out the free space on the hard disk. SDelete is a free
command-line utility that securely deletes existing files and permanently erases file data
in unallocated clusters of a disk. The utility even ensures that encrypted files cannot be
recovered by overwriting all addressable locations with new and random characters.
• Shut down the virtual machine (the disk image must not be in use while it is compacted),
then open a Command Prompt window on the host system and enter the following command:
"C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" modifyhd "<path>\<vm_name>.vdi" --compact
Note: On current VirtualBox releases, modifyhd is an alias of modifymedium; either form works.
For details, refer to:
http://docs.trendmicro.com/en-us/enterprise/virtual-analyzer-image-preparation.aspx
A summary of the process for exporting the virtual machine images to OVA files is described
below.
A virtual machine image comprises many uncompressed files. The files must be combined into a
single OVA file to avoid issues when importing.
• Verify that the size of the created OVA file is supported by your product. For details, go
to https://docs.trendmicro.com/en-us/home.aspx#Enterprise
• On the VirtualBox Manager screen, power off the virtual machine.
Note: Verify that the CD/DVD drive is empty before powering off and exporting.
• Go to File > Export Appliance. When the Export Virtual Appliance window appears, select
the virtual machine image to export and click Next.
• Use ATSE to scan the samples (original sample and dropped files) to generate events (This
setting is configurable in the web console which will be covered later in the training).
• Use the Census query result from the pre-submission stage to generate events.
• Calculate the submitted sample overall rating based on the Virtual Analysis results and
post-submission generated events.
• Perform Email Reputation Service (ERS) query to identify dial-up IP addresses.
• Check whether the IP addresses, domains and URLs are in the Deep Discovery Inspector Deny
List and generate an event.
Note: These elements will be covered in greater detail later in this training.
When creating sandbox images, it is highly recommended to create virtual machine sandbox images that
closely match typical workstations in your environment. This provides the benefit of seeing exactly how a
malware would behave within your real environment on a real host, as opposed to using generic
sandboxes that most malware will be able to detect and evade.
In Deep Discovery Analyzer, the following custom sandbox image operating systems are supported:
• Windows XP, Windows 7, Windows 8/8.1, Windows 10 Version 21H2 and before
• Windows Server 2003/2003 R2, Windows Server 2008/2008 R2, Windows Server 2012/2012 R2,
Windows Server 2016, and Windows Server 2019
• Predefined Linux VM based on CentOS 7.8, or a custom image you create if you need RHEL 7.9
In the following sections, each of the Sandbox Management tools will be described in more detail.
Status Information
This Status tab provides an overview of current sandbox image usage and sample processing/
queuing states.
Deep Discovery Analyzer allows a maximum of three Windows virtual images and one Linux image.
Each Windows virtual image can have several sandbox instances. However, the total number of
sandbox instances should not exceed 60 for the DDAN 1100 / 1200 models.
Please consult the Installation and Deployment guides for your specific hardware to review the most
up to date requirements and specifications.
First, you must use the menu item Virtual Analyzer > Sandbox Management to import the OVA image
to run the sandbox. From the Images tab, click Import.
A new image can be imported using any of the following sources: HTTP or FTP server and Network
Folder.
For example, if you are importing a new image using the Source option HTTP or FTP server, you will
need to enter the image Name and URL location of your OVA image, then click Import.
Note: You can import multiple images at the same time. Additionally, if you have Python on the
host that holds the images, you can serve them over HTTP (on TCP port 8000) by running
python -m SimpleHTTPServer (Python 2) or python3 -m http.server (Python 3) from your images
directory. Because this serves the directory unauthenticated over plain HTTP, run it only on a
trusted host on the management network and stop it once the import completes.
These are the configuration settings for YARA rules. Note that you can also define user-defined
file types to analyze; user-defined file types are configured using the Deep Discovery Analyzer
RDQA debug portal.
File Passwords
In the File Passwords configuration, you can provide a list of passwords to be used by Virtual
Analyzer to extract files from a protected archive for analysis.
Note: Enabling this option is not safe unless you are using a custom dedicated connection.
Do NOT enable the setting Enable external connections if you have not defined a custom
interface to use for malware connections.
Scan Settings
Enabling this option instructs the Deep Discovery Analyzer to scan samples using the synchronized
suspicious objects list.
This option is useful if suspicious objects synchronized to your Deep Discovery Analyzer come
from other sources, such as third-party security products or Vision One, where generic sandboxes
are used for analysis. This setting allows the synchronized SOs to be re-analyzed using the
custom sandboxes in Deep Discovery Analyzer.
To use this feature, you must also enable the option Synchronize suspicious objects from Deep
Discovery Director, OR you must integrate Deep Discovery Analyzer with Trend Micro Vision One.
In this area, you can configure advanced settings for VNC (Virtual Network Computing), which
Interactive Mode uses to remotely control a sandbox. VNC uses the remote frame buffer (RFB)
protocol to remotely control a computer.
Type a VNC password on the Interactive Mode Settings tab. If you forget the password you specify,
you must reset it.
Note: The port range must lie between 5900 and 6100. RFB password authentication is weak and the
protocol itself does not encrypt the session, so expose these ports only on the management network.
Smart Feedback
To share threat detection data anonymously with the Trend Micro Smart Protection Network (SPN),
enable it from the Smart Feedback tab as follows.
Note that no personal or private data is uploaded to Trend Micro when this is enabled.
Submission Policies
Sample submission policies can be used to fine tune how Deep Discovery Analyzer analyzes samples.
For example, in the policy you can analyze samples using a specified Virtual Analyzer image based on
the file type and submitter.
This functionality is illustrated in the following example. The DDEI policy analyzes ELF files
submitted by Deep Discovery Email Inspector using a Linux sandbox.
Note: For information on how Deep Discovery Analyzer matches and applies submission policies, you
can refer to the Deep Discovery Analyzer Online Help or Administrator’s Guide.
In the VA Cache settings, you can configure the required settings that will prevent re-submissions
of samples, by first checking if the same sample was already processed within an acceptable
period. The Virtual Analyzer Cache setting is configured using the RDQA portal (DDAN debug
page).
• By default, the acceptable cache period is set to 48 hours for a file, and 6 hours for a
URL.
• In this case, when the Virtual Analyzer receives a file submission which was already
processed within the acceptable period, then the cached result will be used and
presented in the web console.
ATSE Scanning
Another way to save sandbox resources is to enable the ATSE scan option Scan dropped files
within the RDQA portal.
To avoid any negative system impacts, the above settings should ONLY be changed under the
guidance of Technical Support.
Automated submissions are received from other Trend Micro security products (for example,
Deep Discovery Inspector, Deep Discovery Email Inspector, ScanMail for Microsoft Exchange, IMSVA,
IWSVA, Apex One and so on).
Submitter Products
Products that can be integrated with Deep Discovery Analyzer for submitting samples are listed
below.
• Deep Discovery Inspector 3.7 or later
• Deep Discovery Email Inspector 2.5 or later
• InterScan Messaging Security Virtual Appliance (IMSVA) 8.2 SP2 or later
• ScanMail for Microsoft Exchange (SMEX) 11 or later
• ScanMail for IBM Domino (SMID) 5.6 SP1 Patch 1 HF B4666 or later
• InterScan Web Security Virtual Appliance (IWSVA) 6.0 or later
• InterScan Messaging Security Suite (IMSS) for Windows 7.5 or later
• InterScan Messaging Security Suite (IMSS) for Linux 9.1
• Deep Security 10.0 or later
• Trend Micro Endpoint Sensor 1.6 or later
• OfficeScan XG or later
• Apex One
• TippingPoint Security Management System 5.0
• Deep Edge 2.5 SP2 or later
Submitter products must be configured correctly in order for them to submit samples to the Deep
Discovery Analyzer. The configuration details for this will be covered in the next section.
Note: There is no configuration required on the Deep Discovery Analyzer itself, for it to receive samples
from these products.
The steps for integrating Deep Discovery Analyzer with your supported product are explained below.
In order to integrate Deep Discovery Analyzer with other security products (or secondary
members in Deep Discovery Analyzer cluster mode), you will first need to obtain the Deep
Discovery Analyzer’s API key from the Deep Discovery Analyzer web console under Help > About.
In the web management console of the supported product (being connected with Deep Discovery
Analyzer) specify the information from the table below. (Refer to your product’s documentation
to access configuration settings for DDAN.)
• API Key: Available from the Deep Discovery Analyzer management console (Help > About).
• Deep Discovery Analyzer IP address: Same as the IP in the URL used to access the Deep Discovery
Analyzer management console.
• Deep Discovery Analyzer IPv4 or IPv6 virtual address: When using Deep Discovery Analyzer in a
high availability configuration, the virtual IP address is used to provide integrating products
with a fixed IP address for configuration. (Obtain the virtual address from the Deep Discovery
Analyzer management console, in Administration > System Settings > High Availability.)
• Deep Discovery Analyzer SSL port: 443 (This is not configurable.)
Note: If the Deep Discovery Analyzer API key changes after registering with the integrated product,
remove Deep Discovery Analyzer from the integrated product and add it again.
3. Optional Configuration
On the Deep Discovery Analyzer management console, review and modify the weight values of
integrated products to adjust Virtual Analyzer resource allocation. For details, see Submitters.
After clicking Submit Objects, an administrator can upload a file, specify a URL, or upload a list of
URLs (in CSV or TXT format) to the Deep Discovery Analyzer for analysis.
It is also possible to submit a bundle of samples by selecting the Type ‘Bundle file’.
Note: The Prioritize option is used to assign a higher priority level to manual submissions (this
option is enabled by default).
The Manual Submission Tool is an application provided by Trend Micro that can be downloaded from
the Deep Discovery Analyzer web console.
This tool allows users to submit multiple samples at once, which are added to the Deep Discovery
Analyzer Submissions queue.
The following steps are used to configure and use the Manual Submission Tool:
1 Obtain the Deep Discovery Analyzer’s API key. This can be obtained from the Deep Discovery
Analyzer web console under the menu option Help > About.
2 Make sure you know the Deep Discovery Analyzer IP address. (Same as the IP in the URL used to
access the Deep Discovery Analyzer web console.)
3 Download the Manual Submission Tool from the Deep Discovery Analyzer web console under
Administration > Tools. Click the Download link for the Manual Submission Tool.
4 When the Download Center window appears, click the download icon next to the correct platform.
After completing the above steps, the endpoint will now be able to manually submit samples to Deep
Discovery Analyzer for analysis. For more information, you can refer to the following technical article:
https://success.trendmicro.com/solution/1117189-manually-submitting-objects-using-the-manual-submission-tool-in-deep-discovery-analyzer-ddan
Note: Always remember that you must remove Deep Discovery Analyzer from the integrated product
and add it again any time the Deep Discovery Analyzer API key changes.
All suspicious objects can be viewed from the Deep Discovery Analyzer web console by selecting
Virtual Analyzer > Suspicious Objects > Generated Suspicious Objects.
The Generated Suspicious Objects listing also provides the risk level that was assigned to the
suspicious object.
By clicking the numbers under Related Submissions, you can jump directly to the Submissions page
where you can view the list of related samples for this submission. The Submissions page will be
explored later in the training.
Additionally, from the Generated Suspicious Objects screen, you can select any trustworthy or
harmless objects that appear and move them to the Exceptions list.
For example, to add a Suspicious Object to the exceptions list, select the object and click Add to
Exceptions.
Note: As indicated in the above notification, from this point forward, any suspicious object that
matches this exception will automatically be considered safe (no longer be added to the
suspicious objects).
Suspicious objects can also be exported, set to never expire, or removed (by selecting Expire Now).
Information you can see about user-defined suspicious objects includes:
• Added: Date and time when the SO was added
• Type: IP address, Domain, URL, file SHA-1, or file SHA-256
• Object: The IP address, domain, URL, or SHA-1 or SHA-256 hash value of the file. Click Edit to
modify the displayed value
• Source: The source (Deep Discovery Director, local, or Trend Micro Vision One) that added
the suspicious object
You can also import Suspicious Objects defined in Structured Threat Information eXpression (STIX)
format.
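The import above maps STIX indicators onto the suspicious object types listed in the previous section (IP address, Domain, URL, SHA-1, SHA-256). The following added example (not Trend Micro code and not the appliance's importer) shows what that mapping has to do: it assumes a STIX 2.x JSON bundle whose indicator objects carry a single-comparison pattern such as [domain-name:value = 'x'], converts each into a suspicious object record, and rejects what the list does not cover (compound patterns, MD5 hashes, malformed hash strings). The bundle embedded below is constructed sample data.

```python
"""STIX 2.x indicator patterns -> suspicious object records.

Added example (not Trend Micro code). Supports single-comparison patterns
only; anything else is reported as rejected rather than silently skipped.
"""
import json
import re

# STIX object path -> suspicious object type used by the appliance
PATH_TO_TYPE = {
    "ipv4-addr:value": "IP address",
    "ipv6-addr:value": "IP address",
    "domain-name:value": "Domain",
    "url:value": "URL",
    "file:hashes.'SHA-1'": "SHA-1",
    "file:hashes.'SHA-256'": "SHA-256",
}
HASH_LENGTH = {"SHA-1": 40, "SHA-256": 64}

# One comparison: [ <object path> = '<value>' ], with \' allowed inside the value.
PATTERN_RE = re.compile(r"^\[\s*([\w\-]+:[\w\.'\-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def parse_pattern(pattern):
    """Return (so_type, value) for a supported single-comparison pattern."""
    m = PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError("unsupported pattern: %s" % pattern)
    path, value = m.group(1), m.group(2).replace("\\'", "'")
    so_type = PATH_TO_TYPE.get(path)
    if so_type is None:
        raise ValueError("unsupported object path: %s" % path)
    if so_type in HASH_LENGTH:  # hashes must be hex of the right length
        value = value.lower()
        if not re.fullmatch(r"[0-9a-f]{%d}" % HASH_LENGTH[so_type], value):
            raise ValueError("malformed %s hash: %s" % (so_type, value))
    return so_type, value


def import_bundle(bundle_json, source="local"):
    """Return (accepted, rejected): SO records and (indicator id, reason) pairs."""
    accepted, rejected = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships etc. carry no observable
        try:
            so_type, value = parse_pattern(obj["pattern"])
        except (KeyError, ValueError) as exc:
            rejected.append((obj.get("id"), str(exc)))
            continue
        accepted.append({"type": so_type, "object": value,
                         "source": source, "added": obj.get("created")})
    return accepted, rejected


def _sid(n):  # constructed, syntactically valid STIX identifiers
    return "indicator--00000000-0000-4000-8000-%012d" % n


# Constructed bundle: three importable indicators and two that must be rejected.
CREATED = "2024-01-10T12:00:00.000Z"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": _sid(1), "created": CREATED,
         "pattern": "[file:hashes.'SHA-256' = '%s']" % ("0123456789abcdef" * 4)},
        {"type": "indicator", "id": _sid(2), "created": CREATED,
         "pattern": "[domain-name:value = 'c2.example']"},
        {"type": "indicator", "id": _sid(3), "created": CREATED,
         "pattern": "[url:value = 'http://c2.example/it\\'s/payload.bin']"},
        {"type": "indicator", "id": _sid(4), "created": CREATED,
         "pattern": "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"},
        {"type": "indicator", "id": _sid(5), "created": CREATED,
         "pattern": "[domain-name:value = 'a.example' AND url:value = 'http://a.example/']"},
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000001",
         "name": "constructed sample"},
    ],
})

if __name__ == "__main__":
    accepted, rejected = import_bundle(SAMPLE_BUNDLE)
    for so in accepted:
        print("import", so["type"], so["object"])
    for so_id, reason in rejected:
        print("reject", so_id, reason)
```

Keeping a rejected list, rather than dropping unsupported indicators, matters when the feed is used for blocking: an operator who imports a bundle of 500 indicators should be able to see which ones never became suspicious objects.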
Exceptions can be used to avoid false positive results in the Virtual Analyzer. For example, an
exception can be added for unresolvable internal domains. The following types of exceptions can be
added:
As mentioned already, the objects in the exceptions list will automatically be considered safe.
Some products can additionally send exceptions to the Virtual Analyzer. As of this writing, the
following products can do this:
• Trend Micro Control Manager 7.0 Patch 1 with the latest hotfixes installed
• Apex One
Note: Deep Discovery Inspector (version 5.0 and later) will wait for the results of the Virtual Analyzer
analysis results before presenting it to the user. Being able to view the sample’s VA processing
state lets you know exactly what is happening to the sample submission while waiting for the
analysis result.
The following diagram illustrates the different states that a sample may pass through during
Virtual Analyzer analysis.
Note: The Virtual Analyzer prefilter is essentially the Virtual Analyzer cache discussed earlier;
it acts as the first layer of prefiltering.
The submission filter is the second layer, which filters out submissions before they are sent
either to the Deep Discovery Inspector internal Virtual Analyzer or to an external Virtual
Analyzer (Deep Discovery Analyzer).
VA_Pending
As illustrated above, VA_Pending is the first state that a sample enters when it undergoes
Virtual Analyzer analysis. From here, the sample may enter the following Virtual Analyzer
states:
• VA_Known_Good: If VA is enabled, samples in the VA_Pending state are checked against GRID to
see whether the submitted sample is known to be safe. If so, the sample enters the
VA_Known_Good state and is treated as safe.
• VA_Abort: If VA is disabled or not configured, the sample enters the VA_Abort state.
• VA_Done: If a submitted sample already has a cached analysis result from a previous
submission within the configured cache period, the cached result is returned to the web
console user and the sample enters the VA_Done state.
• VA_InProgress: If VA is enabled and there is no record of the sample in GRID or in the VA
cache, the sample enters the VA_InProgress state and is submitted to the VA for analysis.
• VA_Timeout: When a sample enters the VA_Pending state it is placed in a queue. If the
Virtual Analyzer does not pick up the sample within the specified timeout period, the
sample enters the VA_Timeout state.
VA_InProgress
Once a sample enters the VA_InProgress state, it is currently undergoing Virtual Analyzer
analysis. Based on the Virtual Analyzer analysis result, the sample may enter the following
Virtual Analyzer states:
• VA_Done: The sample enters the VA_Done state when it successfully completes the VA
process and a corresponding Virtual Analyzer analysis result is returned.
• VA_Error: If the sample encounters an error during Virtual Analyzer analysis and the
process cannot continue, the sample enters the VA_Error state.
• VA_Timeout: If the sample undergoing Virtual Analyzer analysis exceeds the timeout
allocated for the analysis process, it enters the VA_Timeout state.
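The state transitions above, together with the VA Cache settings described earlier (48 hours for a file and 6 hours for a URL by default), are easiest to reason about as a small decision function. The following added example (not Trend Micro code) encodes that decision order for a VA_Pending sample and then maps an in-progress analysis to VA_Done, VA_Error or VA_Timeout. The GRID whitelist, cache entries and the two timeout values are constructed for the example; the page gives no timeout values.

```python
"""Model of the prefilter decisions and sample states described above.

Added example (not Trend Micro code). Decision order for VA_Pending:
VA disabled -> VA_Abort; hash known good in GRID -> VA_Known_Good; cached
result within the cache period -> VA_Done; otherwise VA_InProgress, or
VA_Timeout if no sandbox picks the sample up in time.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Default cache periods from the VA Cache settings section.
CACHE_PERIOD = {"file": timedelta(hours=48), "url": timedelta(hours=6)}


@dataclass
class CachedResult:
    risk_level: str        # High, Low, No risk, Unsupported
    completed_at: datetime


@dataclass
class Prefilter:
    va_enabled: bool = True
    grid_known_good: Set[str] = field(default_factory=set)  # hashes GRID reports safe
    cache: Dict[str, CachedResult] = field(default_factory=dict)

    def next_state(self, key: str, kind: str, now: datetime) -> Tuple[str, Optional[str]]:
        """Decide where a VA_Pending sample goes; returns (state, cached risk level).

        key is the SHA-1/SHA-256 of a file or the URL string; kind is "file" or "url".
        """
        if not self.va_enabled:
            return "VA_Abort", None
        if kind == "file" and key in self.grid_known_good:
            return "VA_Known_Good", None
        cached = self.cache.get(key)
        if cached and now - cached.completed_at <= CACHE_PERIOD[kind]:
            return "VA_Done", cached.risk_level     # reuse the result, no sandbox run
        return "VA_InProgress", None


def queue_state(queued_at: datetime, now: datetime,
                pickup_timeout: timedelta = timedelta(minutes=30)) -> str:
    """VA_Pending sample waiting for a sandbox: still pending, or timed out."""
    return "VA_Timeout" if now - queued_at > pickup_timeout else "VA_Pending"


def finish_analysis(result: Optional[str], elapsed: timedelta,
                    analysis_timeout: timedelta = timedelta(minutes=10)) -> str:
    """Map a VA_InProgress outcome to its final state.

    result is the risk level the sandbox returned, or None if analysis failed.
    """
    if elapsed > analysis_timeout:
        return "VA_Timeout"
    if result is None:
        return "VA_Error"
    return "VA_Done"


# Constructed data: one known-good hash, fresh and stale cache entries.
NOW = datetime(2024, 1, 10, 12, 0, 0)
GOOD_SHA256 = "0123456789abcdef" * 4
FILE_SHA1 = "0123456789abcdef" * 2 + "01234567"
URL_FRESH = "http://cached.example/path"
URL_STALE = "http://stale.example/path"
PREFILTER = Prefilter(
    grid_known_good={GOOD_SHA256},
    cache={
        FILE_SHA1: CachedResult("No risk", NOW - timedelta(hours=47)),  # inside 48 h
        URL_FRESH: CachedResult("High", NOW - timedelta(hours=5)),      # inside 6 h
        URL_STALE: CachedResult("Low", NOW - timedelta(hours=7)),       # expired
    },
)

if __name__ == "__main__":
    print(PREFILTER.next_state(GOOD_SHA256, "file", NOW))   # ('VA_Known_Good', None)
    print(PREFILTER.next_state(URL_FRESH, "url", NOW))      # ('VA_Done', 'High')
    print(PREFILTER.next_state(URL_STALE, "url", NOW))      # ('VA_InProgress', None)
    print(finish_analysis(None, timedelta(minutes=2)))      # VA_Error
```

The point worth noticing is the order of the checks: a GRID hit short-circuits before the cache is consulted, and a cache hit short-circuits before any sandbox is allocated, which is why a stale URL entry (7 hours old) costs a full analysis while a 47-hour-old file entry does not.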
Viewing Submissions
All the samples that have been submitted to Deep Discovery Analyzer and current processing states can
be viewed from the Virtual Analyzer > Submissions page.
The submitter product which can be any integrated Trend Micro or supported third-party products, will
regularly fetch results and reports.
From the Submissions page, you can obtain a view of samples already analyzed by Deep Discovery
Analyzer, and the ones that are in progress. The possible risk levels are: High, Low, No risk, and
Unsupported.
When files and URLs are submitted to Deep Discovery Analyzer, they follow the processing flow: Queue >
Processing > Completed.
If sandbox instances are available, the sample quickly enters the Processing state. Once analysis is
complete, you can access the Completed tab for a listing of all Deep Discovery Analyzer results for each
object. Here, you can view details about the submission channel (the submitting product). For each
sample, you can also view the assigned risk level, the time that Deep Discovery Analyzer completed
analysis, the time the event was logged and more, including the name of the threat itself.
The list of results in the Completed view can be filtered by Risk Level, Filename / Email Subject / URL and
by Period.
Clicking the Advanced link provides more filters that can be used, including: Message-ID, SHA-1, File Type,
Subject, Threat, Protocol, Submitter Type / Name / IP / Source / Sender and Destination / Recipient.
If the results list is empty, you should check the Processing and Queued tabs to see what is currently
being analyzed or waiting to be analyzed in the queue. You can also try clearing the filter by clicking the
X button appearing next to the filter definition.
If an object appears in the Completed view with the result “Not Analyzed”, more information can be
obtained from the Risk Level.
In this example, the file was not analyzed because the Virtual Analyzer does not support the file format,
or because the file is empty.
Virtual Analyzer allocates more resources to submissions with the highest Weight value. To adjust the
weight value, use the up and down arrows next to the weight value itself.
Once an object is selected, you can view all the analysis information that was generated by Deep
Discovery Analyzer for that object.
By clicking on an object, the following details can be viewed for an analyzed sample:
• Submission details showing the URL related to the sample, the SHA-1 value of the sample, and a list
of child files (if any) that were executed. (In this example there was one child file.)
• A group of links to all the MITRE ATT&CK Framework Tactics and Techniques that were used.
• The Notable Characteristics, which provide a summary of the object’s malware characteristics or
suspicious activities that Deep Discovery Analyzer observed and used to classify the object as
malicious.
• A Report area where an HTML version of the report can be viewed, or optionally, a PDF of the
report can be downloaded.
• The Investigation Package, which threat investigators can use to inspect and interpret threat data
generated from samples analyzed by Virtual Analyzer. The package is generated as a zip file and
encrypted using the password: virus.
- The zipped Investigation Package includes:
• Files in OpenIOC format that describe Indicators of Compromise (IOC) identified on the
affected host or network
• A copy of the sample itself
• Any dropped files
• The Global Intelligence area provides a link that you can use to view the threat information that
is available from the Trend Micro Threat Connect web site.
The Trend Micro Threat Connect web site provides additional known information about the threat
related to IP addresses, URLs, DNS names and SHA-1 values.
This risk level is calculated from the accumulated inputs of all the other Deep Discovery detection
engines, including ATSE, NCIE, WRS, NCCP, and so on.
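An added example (not Trend Micro code) of how an investigator might ingest the Investigation Package described above without executing anything in it: members are checked for path traversal before reading, the OpenIOC files are flattened into indicator rows, and every other member (the sample copy and dropped files) is hashed so the SHA-1 can be compared with the submission details. Assumptions, labelled in the code: the package is a zip encrypted with the password "virus" as the guide states, the IOC files follow the OpenIOC 1.0 schema, and the package contents are constructed here because Python's zipfile cannot write encrypted archives.

```python
"""Investigation Package reader (added example, not Trend Micro code).
Assumptions: zip password "virus" as stated in the guide; OpenIOC 1.0 schema
(namespace http://schemas.mandiant.com/2010/ioc); package below is constructed."""
import hashlib
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

OPENIOC_NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
PACKAGE_PASSWORD = b"virus"  # password stated in the guide


def safe_members(zf):
    """Yield member names that cannot escape the extraction directory
    (rejects absolute paths and '..' components, i.e. zip-slip)."""
    for name in zf.namelist():
        norm = posixpath.normpath(name)
        if norm.startswith("/") or norm.startswith("../") or norm == "..":
            raise ValueError(f"unsafe member path in package: {name!r}")
        yield name


def parse_openioc(xml_bytes):
    """Flatten an OpenIOC document into indicator rows, keeping the AND/OR
    operator of the enclosing Indicator so the logic is not lost."""
    root = ET.fromstring(xml_bytes)
    rows = []

    def walk(indicator, operator):
        for item in indicator.findall("ioc:IndicatorItem", OPENIOC_NS):
            ctx = item.find("ioc:Context", OPENIOC_NS)
            content = item.find("ioc:Content", OPENIOC_NS)
            rows.append({
                "operator": operator,
                "search": ctx.get("search"),
                "condition": item.get("condition"),
                "type": content.get("type"),
                "value": (content.text or "").strip(),
            })
        for child in indicator.findall("ioc:Indicator", OPENIOC_NS):
            walk(child, child.get("operator", operator))

    for top in root.findall("ioc:definition/ioc:Indicator", OPENIOC_NS):
        walk(top, top.get("operator", "OR"))
    return rows


def load_investigation_package(zip_bytes, password=PACKAGE_PASSWORD):
    """Return (indicator rows from every .ioc file, SHA-1 of every other
    member).  Nothing is written to disk or executed."""
    indicators, hashes = [], {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in safe_members(zf):
            if name.endswith("/"):
                continue
            data = zf.read(name, pwd=password)  # pwd ignored for unencrypted members
            if name.lower().endswith(".ioc"):
                indicators.extend(parse_openioc(data))
            else:
                hashes[name] = hashlib.sha1(data).hexdigest()
    return indicators, hashes


# Constructed OpenIOC file; file names echo the report walked through in this guide.
CONSTRUCTED_IOC = b"""<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>constructed example</short_description>
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="a" condition="is">
        <Context document="FileItem" search="FileItem/FileName" type="mir"/>
        <Content type="string">jusched.exe</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="b" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def build_constructed_package():
    """Unencrypted stand-in for a real package (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("iocs/sample.ioc", CONSTRUCTED_IOC)
        zf.writestr("sample/8926645004.zip", b"constructed sample bytes")
        zf.writestr("dropped/jusched.exe", b"constructed dropped bytes")
    return buf.getvalue()


if __name__ == "__main__":
    rows, sha1s = load_investigation_package(build_constructed_package())
    for row in rows:
        print(row)
    for member, digest in sha1s.items():
        print(member, digest)
```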
Cybersecurity Framework
To fully appreciate the depth and amount of threat information that Deep Discovery Analyzer
provides, it helps to have an understanding of cybersecurity frameworks.
Note: This section is only intended to provide you with a brief overview and some common language
that is used in the topic of cybersecurity frameworks. For more in-depth information, links for
additional reading are provided in your Student Guide.
Frameworks consist of industry guidelines, best practices and standards, and can be voluntary or
mandatory. Implementing a formal framework may benefit your organization by helping to
improve your security posture and enhance your resilience against cyberattacks or other compromises.
Frameworks generally define a number of core functions that can help your organization assess your
cyber program’s current state, improve cyber defenses, enhance incident detection capabilities, and
minimize the impact of and improve recovery from a cyber event, should one occur. Frameworks may also
provide metrics and other tools to help measure progress in framework adoption and
assessment of security posture.
Security frameworks are a must-have in modern SOCs faced with complex attacks. SOCs use
cybersecurity frameworks to guide their approach to and understanding of attack and defense strategies
and manage and reduce cyber risk to continuously improve operations.
For example, many advanced SOCs integrate adversarial models, such as the MITRE ATT&CK framework,
into analyst workflows to provide automation that informs investigations, placing the SOC one step
ahead in stonewalling attacks.
MITRE ATT&CK
ATT&CK stands for Adversarial Tactics, Techniques and Common Knowledge. MITRE ATT&CK is a
globally-accessible knowledge base of adversary tactics and techniques based on real-world
observations of cybersecurity threats. It describes how adversaries:
• Penetrate your environment
• Move laterally
• Escalate privileges
• Evade your defenses
The PRE-ATT&CK stage can be viewed as the planning stage, where the attacker selects their
target and identifies the weaknesses in the organization and other channels they can exploit to
infiltrate it.
ATT&CK for Enterprise is an adversary model and framework for describing the actions an
adversary may take to compromise and operate within an enterprise network (post-compromise).
NIST Cybersecurity Framework is a set of best practices, standards, and recommendations that
help an organization improve its cybersecurity measures. The SOC can apply this framework to
guide, assess, improve, and deliver on key security metrics and establish a mature approach to
securing the enterprise.
The NIST Cybersecurity Framework is a practical starting point for building an enterprise
cybersecurity strategy. The NIST Framework includes the following components:
• Identify: Gain a complete understanding of your people, physical and digital assets, risks
and vulnerabilities, and defense systems.
• Protect: Establish a layered and diverse approach to defending the business, while also
being ready to respond to any attack.
• Detect: Implement technologies and practices for quickly detecting true positive events
across all security data.
• Respond: React appropriately to an incident and keep it from becoming a serious breach.
• Recover: Return the organization to its original state by planning for resilience, and
implementing new preventative measures to safeguard against a repeat attack.
As a not-for-profit organization, MITRE works in the public interest across federal, state and local
governments, as well as industry and academia. It brings innovative ideas into existence in areas as
varied as artificial intelligence, intuitive data science, quantum information science, health informatics,
space security, policy and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber
resilience.
The MITRE community has created a great deal of information, from ATT&CK to STIX and TAXII, to
presentations from vendors, blue teams, red teams, and even customers who want to give back to the
cyber threat intelligence community. It is a great way to learn about and understand threats better.
ATT&CK is not focused on the malware or the tools used by attackers, but rather on the techniques
used by the attackers. ATT&CK is based on real-world observations of actual adversary behavior,
purposefully focused on the adversary and the behaviors they exhibit, tools they use and actions
they perform.
ATT&CK is currently being used by many government organizations and industry sectors, including
Financial, Healthcare, Retail, and Technology; vendor examples include CrowdStrike, Carbon Black,
GoSecure and Windows Defender ATP.
Tactics describe the objectives of an attack technique that is being used by an adversary, while
Techniques represent how an adversary achieves a tactical objective by performing an action.
Additionally, Common Knowledge is the documented use of tactics and techniques by attackers (for
example, procedures).
ATT&CK can be used by red teams, vendors, and customers to improve security posture. Defenders
and decision makers can use the information in ATT&CK for various purposes, not just as a checklist
of specific adversarial techniques.
Trend Micro leverages the MITRE ATT&CK database to determine if these alerts are individual
isolated cases or part of the techniques being deployed.
ATT&CK Matrices
Since adversaries use different techniques for different platforms and technologies, the ATT&CK
framework is divided into a series of domains.
Enterprise Matrix
ATT&CK for Enterprise is an adversary model and framework for describing the actions an
adversary may take to compromise and operate within an enterprise network.
The model can be used to better characterize and describe post-compromise adversary behavior.
It both expands the knowledge of network defenders and assists in prioritizing network defense
by detailing the tactics, techniques, and procedures (TTPs) that cyber threats use to gain access
and execute their objectives while operating inside a network.
The ATT&CK Enterprise matrix contains information for Windows, MacOS, Linux, PRE, Cloud,
Network and Containers.
The 11 tactic categories within ATT&CK for Enterprise were derived from the later stages (exploit,
control, maintain, and execute) of a seven-stage Cyber Attack Lifecycle (first articulated by
Lockheed Martin as the Cyber Kill Chain®). This provides a deeper level of granularity in
describing what can occur during an intrusion.
Each category contains a list of techniques that an adversary could use to perform that tactic.
Techniques are broken down to provide a technical description, indicators, useful defensive
sensor data, detection analytics, and potential mitigations.
Applying intrusion data to the model then helps focus defense on the commonly used techniques
across groups of activity and helps identify gaps in security.
Note: Techniques in all these tables are mixed and matched, as adversaries usually employ multiple
techniques from different matrices (PRE, Enterprise Windows, Enterprise Cloud, Enterprise Network,
and so on) to be successful.
PRE Matrix
In the Enterprise PRE matrix, we can see the different techniques used under the main
categories of Reconnaissance and Resource Development such as Gather Victim Host
Information, Phishing for Information, Compromise Accounts and so on.
Windows Matrix
Below is the tactics and techniques information for the Windows platform.
macOS Matrix
Linux Matrix
The Linux Matrix contains the tactics and techniques for the Linux platform.
Cloud Matrix
The Cloud Matrix contains information for the following platforms: Azure AD, Office 365, Google
Workspace, SaaS, IaaS.
Network Matrix
Below is the Network matrix for Enterprise covering techniques against network infrastructure
devices.
Containers Matrix
Below is the tactics and techniques information for the Containers platform.
Mobile Matrix
The following are the tactics and techniques representing the two MITRE ATT&CK matrices for
mobile. The Mobile matrix contains information for Android and iOS.
ICS Matrix
The MITRE ATT&CK for ICS matrix contains information about the behaviors that adversaries
have exhibited while carrying out attacks against industrial control system networks.
Groups in MITRE ATT&CK are sometimes also referred to as Campaigns or Intrusion Sets. Some
groups have multiple names associated with the same set of activities, because various
organizations track the same set of activities under different names.
The MITRE group makes a best effort to track overlaps between names based on publicly reported
associations, which are designated as “Associated Groups” on each page (formerly labeled “Aliases”),
because these overlaps are useful for analyst awareness.
Note: These names are not represented as exact overlaps and analysts are encouraged to do additional
research.
The group or campaign APT37 is also known as Reaper. APT37 is a suspected North Korean
cyber espionage group that has been active since 2012.
The group targeted victims in South Korea, Japan, Vietnam, Russia, Nepal, China, India,
Romania, Kuwait and other parts of the Middle East. Its target sectors include chemicals, electronics,
manufacturing, aerospace, automotive, and healthcare.
It works by employing social engineering tactics tailored specifically to the desired targets, strategic
web compromises typical of targeted cyber espionage operations, and the use of torrent
file-sharing sites to distribute malware more indiscriminately. The Adobe zero-day vulnerability used
by the group allows the attacker to perform Remote Code Execution (RCE) through a malformed Flash
object.
KISA (the Korean CERT, which also provides security certificates) also confirmed the Adobe zero-day
vulnerability and published an advisory.
The payload exploits this vulnerability with a Flash object embedded in a Microsoft Excel document.
When the Excel document is opened, the exploit executes and attempts to download the payload from
a C&C web site.
The SWF (Shockwave Flash File) object installs ROKRAT, a remote administration tool that has
been tracked since 2017 by Talos.
• APT37 reference: https://attack.mitre.org/groups/G0067/ and also
https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html
When viewing the details for an analyzed sample in Deep Discovery Analyzer, you can click the available
icons next to Report to either view the entire Deep Discovery Analyzer report through a web browser
(HTML), or download the report in PDF format.
The Virtual Analyzer report provides a great deal of information that can help you understand a threat
and the decisions Virtual Analyzer used to classify it as such.
The report can help you better investigate threats by providing the following information:
• Analysis Overview
• Sample Family Name and any child processes
• Virtual analysis environment that was used (shows objects executed in each image)
• Process graphs which show step by step execution details (includes legend to describe graph
icons such as root processes, child processes and notable threat characteristic icons)
• MITRE ATT&CK Framework tactics and techniques
• Notable Characteristics
• Network Destinations
• Dropped or Downloaded Files
• Suspicious Objects
Each of these report elements will be described in more detail in the following sections. The output below
is taken from an HTML-based VA report; however, the content is identical in the PDF version of the
same report.
Analysis Overview
The first section in the Virtual Analyzer report is the analysis overview information. The overall risk
for this particular sample was HIGH RISK.
Notice that samples submitted for analysis to the Virtual Analyzer can often contain
multiple child objects nested within them. In the illustration below, the link Show child objects is
used to display the full list of child objects from an archive file.
In this case, the archive 8926645004.zip contained a Windows 32-bit EXE file which Virtual
Analyzer detected as TROJ_GEN.R03BC0DAT23.
When analyzing a list of child objects, the Overall risk level assigned by Virtual Analyzer is
the highest risk level of any child object.
In this case, the executable in the archive was highly suspicious, and therefore the overall risk
level assigned by Deep Discovery Analyzer was HIGH risk. More details on how this assessment
was made by Virtual Analyzer will be explored later.
Analysis Environments
Next in the report is some information on the analysis environments that Virtual Analyzer used
to detonate the sample. In this case, you can see that Virtual Analyzer used a Win10 and Win2016
sandbox image.
Under Analysis Environments, you can see the different object behaviors that Virtual Analyzer
detected. In this example, we can see that the object engaged in the following activity:
• Anti-security, self-preservation
• Autostart or other system reconfiguration
• Deception, social engineering
• File dropping, downloading and so on
Object Information
Each Object section provides information for each file that was analyzed by Virtual Analyzer.
By expanding the view, you can see even more details about each object that was analyzed. In the
above illustration, take a look at the Threat Characteristics listed on the right for Object 1.1.
Note that this list of behaviors is the same list we saw earlier under Analysis Environments, but
this time there are links provided that can be used to drill down further to see why Deep
Discovery Analyzer identified the behavior as suspicious.
For example, if you click the number link next to Deception, social engineering, this skips directly
to the Deception, social engineering section of the Notable Threat Characteristics area of the
report.
• The value “1” indicates that Virtual Analyzer observed this behavior only once. Now we
can see why Virtual Analyzer classified the object as exhibiting Deception, social
engineering activity: the characteristic Virtual Analyzer observed is Uses
deceiving extension. Additionally, you can see the name of the file jusched.txt under
Details.
• You can see even more information about what Virtual Analyzer observed by
clicking the Uses deceiving extension link under Characteristic.
• This drops you directly into the part of the report where you can view the analysis details
showing everything that jusched.txt did during analysis. The following is a snippet of the
analysis details for jusched.txt.
Looking at the first few lines, you can see that jusched.txt dropped an executable, it made
multiple copies of itself, and so on. A few lines later we can see that the file’s type is an
executable.
Process Graph
If you do not drill down into the specifics of the threat characteristics described above,
the next section presented in the report is the Process Graph.
Here you can see the list of processes executed by the object in the sandbox. Again, we can see
that the object dropped and created an executable called jusched.exe. This is a more visual
way of seeing the same information we saw earlier when drilling down to the details for
Deception, social engineering.
Some of the icons used in the graph include the solid filled gear icon, which represents a root
process, the regular gear icon which represents a child process, and the notable characteristics
icons displayed in the bar next to the gear icons.
Note: All of the icons in the graph are hyperlinks and can be used as shortcuts to skip directly over to
the relevant information in the report.
Below is the process graph legend that is provided in the analysis report:
As previously mentioned, the MITRE ATT&CK area includes hyperlinks to access the MITRE
ATT&CK™ web site for each tactic and technique used by the analyzed object.
For example, clicking on the tactic Credential Access above (technique Input Capture:
Keylogging) redirects you to the MITRE ATT&CK web site, where the following information is
provided:
Note: MITRE information is not available for TMUFE and ATSE detections.
Notable Characteristics
The Notable Characteristics section of the report provides details about the malware behaviors
that Deep Discovery Analyzer observed while it was analyzing the object. This can help you
better understand why a sample was detected as being malicious.
To view all the suspicious behaviors that were detected during analysis by the various detection
methods, expand the Notable Threat Characteristics and then expand the different items under
Characteristic that are available.
The information that can be obtained here, and how to drill down further was already explored
earlier when we looked at the details for Deception, social engineering.
Network Destinations
Following the Notable Threat Characteristics is the Network Destinations section, where you can
view all the network activity that was detected during object analysis.
Looking at the details relevant to the same Windows 32-bit EXE file as above, we can see that none of
the network destinations accessed by the object were high risk, as indicated by the Risk level column.
The following output is for a different sample, and shows what high risk network detections look
like:
If the object dropped or downloaded any files, the next section in the report lists them.
Here we can see the dropped file jusched.exe and all additional dropped files. We can
also see that jusched.exe was classified by the Virtual Analyzer as a worm,
VAN_WORM.UMXX, that modifies important registry entries to evade firewall protection.
Clicking on the link 15 more, displays additional Threat Characteristics that Virtual Analyzer
observed for jusched.exe:
Suspicious Objects
The next section in the report is Suspicious Objects which shows any suspicious objects that
were detected during analysis. In our example, there are 2 suspicious objects identified by the
Deep Discovery Analyzer, and both objects are classified as HIGH risk.
Analysis
Next is the Analysis section of the report, which shows the step-by-step actions that were
performed by the object executed in the virtual sandbox and observed by the
Virtual Analyzer.
The above Analysis section was already explored earlier when we drilled down into the
details for Deception, social engineering.
The information that can be viewed about the sample’s behavior during analysis includes:
• Registry add, delete and write actions
• File add, delete and write actions
• System/Windows/file system API calls
Screenshot
The last section of the report provides a screenshot of any user interface events that may have
occurred during analysis.
Note that the report will repeat each of the above sections for EACH sandbox image that is
analyzing the same object. In our example, the report will include the above discussed sections
for Win10 and Win2016.
In cases like these, where a sample’s analysis result is not as expected, you can submit the file to Trend
Micro to investigate further and update any related detection rules if required.
Application activity noise is not filtered out, such as the Adobe updater, Adobe trust managers or
Adobe resource files (DLLs), for example.
Also, there are some aggressive rules that cause false alarms such as:
• Generic and CVE (Common Vulnerabilities and Exposures) rules
• Macromedia rules
• DDOS detection triggered because of inappropriate file types (for example, running
HTML with too many HTTP requests)
Some commonly used methods for preventing a sample from detecting that it is running in a VM or
sandbox include:
• VirtualBox Guest Additions are not installed
• Enable VT-x on x86 platform
• Remove VM signatures in the registry
• Emulate mouse movement and clicking
• Configure a MAC address that does not belong to the VM allocated space
• Change the CPU ID information
The Virtual Analyzer shortens the delay functions to accelerate the execution of the program
code.
However, the Virtual Analyzer cannot accelerate the execution of programs that execute only on
specific date or time triggers.
However, if Deep Discovery Analyzer encounters an error and is unable to recover, it will no longer be
able to provide continued scanning and analysis services.
To handle this scenario, multiple standalone Deep Discovery Analyzers can be deployed and configured
to form a cluster that provides fault tolerance, improved performance, or a combination thereof.
Depending on your requirements and the number of Deep Discovery Analyzers available, you may deploy
the following cluster configurations.
In a high availability cluster, one appliance acts as the active primary appliance, and one acts as
the passive primary appliance. The passive primary appliance automatically takes over as the
new active primary appliance if the active primary appliance encounters an error and is unable to
recover. Deploy this cluster configuration if you want to ensure that Deep Discovery Analyzer
capabilities remain available even when the appliance encounters an error and is unable to
recover.
In a load-balancing cluster, one appliance acts as the active primary appliance, and any additional
appliances act as secondary appliances. The secondary appliances process submissions allocated
by the active primary appliance for performance improvement. Deploy this cluster configuration
if you require improved object processing performance.
In a high availability cluster with load balancing, one appliance acts as the active primary
appliance, one acts as the passive primary appliance, and any additional appliances act as
secondary appliances. The passive primary appliance takes over as the active primary appliance
if the active primary appliance encounters an error and is unable to recover. The secondary
appliances process submissions allocated by the active primary appliance for performance
improvement. Deploy this cluster configuration if you want to combine the benefits of high
availability clustering and load-balancing clustering.
When multiple Deep Discovery Analyzers are deployed as a cluster, this provides some additional benefits
over a single-instance deployment:
• Increased sandboxing capability (more sandboxes can be deployed)
• Improved performance
• Centralized configuration management
• Fault tolerance and simple scalability
Configuring a Cluster
When deploying Deep Discovery Analyzer in a cluster environment, one appliance acts as the
Primary Appliance that communicates with the other Trend Micro products in the Connected Threat
Defense strategy.
The primary appliance receives the samples from the other products (for example, Deep Discovery
Inspector) and distributes them to the secondary appliances for sandbox analysis.
The secondary appliances then send the analysis results to the primary appliance, which in turn
provides the reports and suspicious objects list to the other Trend Micro products so that they can
act upon them.
Note: Up to ten Deep Discovery Analyzer appliances can be deployed and configured to form a single
cluster. Clusters provide fault tolerance, load balancing, or a combination of both depending on
your cluster configuration. You can refer to the Online Help for Deep Discovery Analyzer to
obtain more information on deploying Deep Discovery Analyzer cluster configurations.
As noted here, switching to the secondary mode will reset the Deep Discovery Analyzer settings
and will disconnect all nodes in the current cluster. Deep Discovery Analyzer will receive settings
and objects from the active primary appliance.
High Availability
Go to Administration > System Maintenance > High Availability, and define the IPv4 or IPv6
Virtual Address for the cluster (on Primary Deep Discovery Analyzer only).
Once installed in your environment, Deep Discovery Analyzer does not simply start monitoring traffic
independently; it must be connected with other products in order to begin working.
As mentioned already, in order for products to send samples to Deep Discovery Analyzer, the
product’s connection settings must be configured using the Deep Discovery Analyzer API key. The
same applies to manual submissions from integrated products using the Manual Submission Tool from
Trend Micro.
As noted in the above illustration, Deep Discovery Analyzer can also leverage a REST API for integration
with third-party products.
For example, in Deep Discovery Inspector, once an object has been analyzed by the Virtual Analyzer,
there will be an additional tab displayed under Connection Details that is called File Analysis Result
where all the details of the Virtual Analysis report can be examined.
The following illustration provides an overview of the functionality that is available through Cloud
Sandbox integration.
Vision One can receive Suspicious Object information as well as Virtual Analyzer reports from an
on-premise Deep Discovery Analyzer (or the internal Virtual Analyzer in Deep Discovery Inspector);
however, to date, functionality for Vision One to use an on-premise Deep Discovery Analyzer sandbox
is not yet available. This functionality is planned for the next release of Deep Discovery
Analyzer.
The above illustration shows how Vision One can submit samples to the Cloud Sandbox and receive
Suspicious Object information, reports and investigation packages. Similarly, other integrated Trend
Micro solutions both on-premise and in the Cloud, can submit samples to the Cloud sandbox and
receive Suspicious Object information, as well as reports and investigation packages.
Deep Discovery Analyzer can also use a deployed Service Gateway as an alternative source for
ActiveUpdate or Smart Protection Services.
You can configure Service Gateway settings and view synchronization status from the Trend Micro
Vision One tab as shown above.
If Deep Discovery Director is deployed in your environment, you have the option of connecting Deep
Discovery Analyzer to Deep Discovery Director for the synchronization of threat intelligence.
However, if you enable this option, you need to be aware of the following:
• If you are already integrated with Vision One, Deep Discovery Analyzer can ONLY
synchronize threat intelligence information with Trend Micro Vision One.
• The moment you integrate Deep Discovery Analyzer with Deep Discovery Director through
these settings, synchronization of threat data will be with Deep Discovery Director only. You
cannot synchronize with both Deep Discovery Director and Vision One.
Note also that synchronization with Deep Discovery Director allows Deep Discovery
Analyzer to retrieve threat data from Deep Discovery Director if you enable the last option on this
page (Synchronize Suspicious Object from Deep Discovery Director). When enabled, Deep Discovery
Analyzer can download the following from Deep Discovery Director:
• Exceptions
• Suspicious objects (user-defined and synchronized)
• YARA rule files
• File passwords (Deep Discovery Director on-premises version 5.2 and above)
Smart Protection
As with other Trend solutions, you can also connect to an existing Smart Protection Server in your
environment rather than using the Trend Micro Smart Protection Network. The settings needed are as
follows.
ICAP
Deep Discovery Analyzer supports integration with Internet Content Adaptation Protocol (ICAP)
clients. An ICAP client can be a proxy server or network storage that submits samples to Deep
Discovery Analyzer for analysis. The ICAP client performs an action (pass or block) on the sample
based on the analysis result from Deep Discovery Analyzer.
After ICAP integration, Deep Discovery Analyzer can perform the following functions:
• Work as an ICAP server that analyzes samples submitted by ICAP clients
• Serve User Configuration Pages to the end user when the specified network behavior (URL
access / file upload / file download) is blocked
• Control which ICAP clients can submit samples by configuring the ICAP Client list
• Bypass file scanning based on selected MIME content-types
• Bypass file scanning based on true file types
• Bypass URL scanning in RESPMOD mode
• Scan samples using different scanning modules
• Filter sample submissions based on the file types that Virtual Analyzer can process.
Note: For full compatibility with Deep Discovery Analyzer, set both Request Modification and Response
Modification modes on ICAP clients.
When ICAP integration is configured, the Deep Discovery Analyzer will automatically slow down
Virtual Analyzer throughput to prevent system resources from running out.
SAML Authentication
Security Assertion Markup Language (SAML) is an open standard that allows for the secure exchange of
user identity and authentication information from one party (the identity provider) to another (the
service provider). SAML supports single sign-on (SSO), which allows a single user login to work across
multiple applications and services.
When you configure SAML settings in Deep Discovery Analyzer, users signing in to your
organization's portal can seamlessly sign in to Deep Discovery Analyzer without an existing Deep
Discovery Analyzer account.
To connect Deep Discovery Analyzer to your organization's environment for single sign-on, complete
the following procedure:
1 Access the Deep Discovery Analyzer management console to obtain the service provider
metadata file.
You can also update the certificate in Deep Discovery Analyzer.
2 In your identity provider:
- Configure the required settings for single sign-on
- Obtain the federation metadata file (see the documentation that comes with your
identity provider)
3 In Deep Discovery Analyzer:
- Import the federation metadata file for your identity provider
- Create SAML user groups
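Before step 3, it is worth confirming that the federation metadata file really is the identity provider's (importing the service provider's own metadata back into the product is a common mistake), that it carries a signing certificate, and that its SSO endpoints are HTTPS. The following check is an added example, not Trend Micro code; the metadata document and the certificate placeholder inside it are constructed, and only the SAML 2.0 metadata namespace and element names are real.

```python
"""Added example (not Trend Micro code): sanity-check identity provider
federation metadata before importing it into Deep Discovery Analyzer.
The metadata document below is constructed; the certificate in it is a
placeholder DER prefix, not a real certificate."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def check_idp_metadata(xml_text, expected_entity_id=None):
    """Return the entityID, SSO endpoints, signing certificate count and a
    list of findings that should stop the import."""
    root = ET.fromstring(xml_text)
    findings = []
    # Metadata may be one EntityDescriptor or an EntitiesDescriptor wrapper.
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        entity = root
    else:
        entity = root.find("md:EntityDescriptor", NS)
    if entity is None:
        return {"entity_id": None, "sso": [], "signing_certs": 0,
                "findings": ["no EntityDescriptor found"]}
    entity_id = entity.get("entityID")
    if expected_entity_id and entity_id != expected_entity_id:
        findings.append(f"entityID {entity_id!r} does not match expected "
                        f"{expected_entity_id!r}")
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # An SPSSODescriptor here means someone exported the wrong side's metadata.
        findings.append("no IDPSSODescriptor: this is not identity provider metadata")
        return {"entity_id": entity_id, "sso": [], "signing_certs": 0,
                "findings": findings}
    sso = [(e.get("Binding"), e.get("Location"))
           for e in idp.findall("md:SingleSignOnService", NS)]
    for _binding, location in sso:
        if not location.lower().startswith("https://"):
            findings.append(f"SSO endpoint is not HTTPS: {location}")
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' attribute means both uses
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(c.text.split()))
            if der[:1] != b"\x30":                   # a DER certificate is an ASN.1 SEQUENCE
                findings.append("signing certificate is not valid DER")
            certs += 1
    if certs == 0:
        findings.append("no signing certificate: assertions cannot be verified")
    return {"entity_id": entity_id, "sso": sso, "signing_certs": certs,
            "findings": findings}


# Constructed sample: a DER-looking placeholder, not a real certificate.
SAMPLE_CERT = base64.b64encode(b"\x30\x82\x00\x10" + b"\x00" * 16).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for finding in check_idp_metadata(SAMPLE_METADATA)["findings"]:
        print("FINDING:", finding)
```

The check is deliberately conservative: a missing signing certificate or a cleartext SSO endpoint is a reason not to import, because Deep Discovery Analyzer will trust whatever assertions that identity provider signs.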
Email Submission
In addition to submitting objects using the management console and the Manual Submission Tool,
you can enable the Email submission feature to allow users to send suspicious email messages and
attachments to Deep Discovery Analyzer for analysis.
When a user sends an email message with a suspicious attachment to Deep Discovery Analyzer, Deep
Discovery Analyzer scans the email content with the attachment.
Once the analysis is complete, Deep Discovery Analyzer sends an email notification to the user with
the following:
• Analysis result summary
• Detailed analysis report
Syslog
Use the Syslog tab, in Administration > Integrated Products/Services to configure Deep Discovery
Analyzer to send logs to multiple syslog servers.
You can select a scope option that defines which logs are to be sent to the Syslog server, including:
• Virtual Analyzer analysis logs
• Integrated product detection logs
• ICAP Pre-scan logs
• System Event logs
• Alert Event logs
To exclude logs for unrated and no risk objects, select the option Exclude logs for ‘unrated’ and ‘no
risk’ objects.
System Administration
The following section provides an overview of some common system maintenance and administrative
functions that must be regularly performed in order to keep the Deep Discovery Analyzer operational.
Updating Components
If any system component updates are available for the Deep Discovery Analyzer, these will be listed
under Administration > Updates on the Component Update Settings tab.
When updating components, you have the option to update them all at once, or they can be selected
individually for an update as follows.
Note: You can change the update server to another source by selecting the option Other Source and
specifying the URL of the update server.
Installing Hotfixes
Additionally, you can install any needed hot fixes or patches as follows. A hot fix or patch must first
be uploaded to the appliance before it can be installed.
Note: This update will NOT overwrite the current configuration of the Deep Discovery Analyzer and all
data will be kept.
Firmware Updates
Firmware updates work similarly to the Hotfixes / Patches function above.
Administrators have the ability to create user accounts with the following roles. The role types
provide varying levels of access to perform web console operations in Deep Discovery Analyzer.
• Administrator: The administrator account has full control to the entire Deep Discovery
Analyzer system and all consoles. As such, this account should ONLY be assigned to
individuals that have strict requirements for this level of access.
• Investigator: Similar to the Operator role but also has the permissions to download the
Investigation Package.
• Operator: The Operator role only has “Read Only” access to the Deep Discovery Analyzer
web console. This account can view product settings, and perform some limited actions
which do not modify the actual product settings including exporting and backup of
configuration settings, as well as modifying its own account information such as password.
The Operator role also does not have access to the RDQA page.
Note: The Add to contacts option is used to provide contact information for any users that will need to
receive system notifications from Deep Discovery Analyzer.
Performing Backups
System backups can be performed by selecting Administration > System Maintenance > Backup. In the
Configuration Settings Backup settings, you have the option to export the main system
configuration as a single backup file. Note that this option does not export the OVA and also does not
export submission samples and results.
The Data Backup settings shown here provide the configuration for your remote backup server.
Submission samples and results can be backed up to an SFTP or FTP server. Because the samples
are live malware and the results identify affected hosts, prefer SFTP: FTP sends both the credentials
and the data in cleartext.
Generating Reports
From Alerts / Reports you can download any reports that have been scheduled or generated on-demand.
You can additionally generate new reports. The following report templates can be used.
Report Schedules
Customization
Under Customization you can configure a different logo, line colors and title for the report.
Emailing Reports
Reports can additionally be emailed to recipients if you have configured your SMTP server
settings in Deep Discovery Analyzer.
The following pages are samples taken from a monthly Deep Discovery Analyzer operational
report.
Using Alerts
Alerts can be configured from the Alerts / Reports > Alerts menu. If there are any available triggered
alerts, an administrator can review them from the Triggered Alerts tab.
Use the Details icon (last column of above Triggered Alerts page) to obtain the details about the
triggered alert.
For example, these are the alert details for New High-Risk Objects Identified. This particular alert
triggered because it met the following conditions.
Alert Rules
To view the list of available default alerts, click the Rules tab. You can enable or disable rules using
the on/off buttons under the Status column. Additionally you can view the Rule details by clicking the
hyper-linked rule name from the Rule column.
Troubleshooting
These tools can alternatively be downloaded directly from the Trend Micro download center.
The network share scanning feature has been enhanced to analyze files hosted on the following
cloud storage services:
• Amazon Web Services (AWS) S3
• Microsoft Azure Blob
You can now create sample submission policies that allow Deep Discovery Analyzer to analyze
samples using a specified Virtual Analyzer image based on the file type and the submitter of the
file.
For example, this DDEI policy instructs the Virtual Analyzer to use a Linux sandbox for analyzing
all elf.sh files submitted by Deep Discovery Email Inspector:
• For manual sample submissions, submitter name (the logon account user name)
information is included in syslog, data backup, and Submissions display and export.
The enhanced Trend Micro Vision One integration allows Deep Discovery Analyzer to use a
Service Gateway as an alternative local source for ActiveUpdate or Smart Protection Services.
The internal Virtual Analyzer has been enhanced. This release adds the following features:
• Windows 10 21H1 and Red Hat 7.9 image support
• Support for Microsoft Edge (Chromium) in Windows images
• Support for MITRE ATT&CK™ version 9 to include additional sub-technique information
in analysis reports
• YARA file scanning performance enhancement
The alert notification for the account locked event has been enhanced to include the source IP
address.
This release of Deep Discovery Analyzer provides the following features on the Submissions
screens:
• Samples can be deleted from the Processing tab. The system automatically moves
deleted samples to the Unsuccessful tab.
Operational Report
• The operational report has been enhanced to include ICAP pre-scan logs.
On hardware models 1100 and 1200, Deep Discovery Analyzer can automatically migrate the
settings of a Deep Discovery Analyzer 7.0 (with critical patch b1259) or 7.1 (with critical patch
b1149) installation to 7.2.
Strong perimeter-focused network security is essential to any successful security strategy. Stopping an
intrusion or malware at the edge of the network is critical. This shouldn’t be a surprise to anyone
however many organizations stop here and they miss the concept that perimeter-focused protection is
ill-equipped to stop today’s targeted attacks and advanced threats.
Today’s attackers are skilled and understand the security tools you are using to protect your network.
They use evasion tactics to bypass even the best perimeter defenses. Once inside the network,
perimeter-focused security has no visibility to the attack and is oblivious to its existence. The threat is
free to move laterally across the network with little chance of being detected.
You need counter measures to ensure that malicious activity moving across your network from infected
machines is detected and dealt with appropriately. Trend Micro™ Deep Discovery™ and TippingPoint
solutions will work together to detect and prevent lateral movement.
Deep Discovery
Trend Micro™ Deep Discovery™ protects against targeted attacks, advanced threats, and
ransomware, giving you the power to detect, analyze, and respond to today’s stealthy attacks in
real time.
• Inspects network traffic between client networks and critical server networks
• Receives alerts on lateral movement activities
• Views lateral movement alerts alongside alerts from other attack phases
TippingPoint
Trend Micro™ TippingPoint™ provides complete visibility into all network traffic and activity to
keep your network security ahead of targeted attacks that bypass traditional controls, exploit
network vulnerabilities, and ransom or steal sensitive data, communications, and intellectual
property. Trend Micro™ TippingPoint™ provides high-speed, inline intrusion prevention system
(IPS) inspection, offering comprehensive threat protection against known and undisclosed
vulnerabilities with high accuracy and low latency.
• Deploys in-line between client networks and critical server networks
Monitoring lateral movement across protocols like SMB, RDP, SNMP and IRC is critical. If you don't have a
tool that monitors these protocols you could be blind to an existing attack. On average, a threat goes
undetected for several months under a perimeter-focused security strategy: once the threat gets
inside the network, its traffic is not being monitored because of the assumption that the perimeter tools
blocked all the attacks.
Deep Discovery is designed to sit off a SPAN or TAP port so that it can monitor not only inbound and
outbound traffic but also traffic moving across the network monitoring over 100 protocols and all ports.
This broad visibility will help prevent undetected malware from moving freely across the network. Deep
Discovery will share its findings with the IPS to provide real-time enforcement and remediation.
Note: This training focuses solely on the Trend Micro Network One Network Detection and Response (NDR)
solutions offered by Trend Micro Deep Discovery. For information on available training in your
region for Threat Protection Systems (TPS) like Trend Micro TippingPoint, please visit the Trend
Micro Education Portal:
https://www.trendmicro.com/en_us/business/services/support-services/education.html
Deep Discovery Inspector is available as a physical or virtual network appliance and can deploy in off-line
monitoring mode (connected to the mirror port of a switch) for minimal or no network interruption while
monitoring network traffic and detecting known and potential security risks. When deploying a physical
Deep Discovery Inspector, you additionally have the option to deploy the hardware in-line. When deployed
in-line, Deep Discovery Inspector acts as a transparent bridge and can inspect decrypted TLS traffic.
Note: Only Deep Discovery Inspector hardware appliance models 520E, 1200E, 4200E, and 9200E will
support in-line deployment.
Deep Discovery Inspector monitors all traffic across physical and virtual network segments, all
network ports and over 100 network protocols to identify targeted attacks, advanced threats, and
ransomware. With an agnostic approach to network traffic, Deep Discovery Inspector is able to
detect targeted attacks, advanced threats, and ransomware from inbound and outbound network
traffic as well as lateral movement, C&C, and other attacker behavior across all phases of the
attack life cycle.
Extensive detection techniques utilize file, web, IP, mobile application reputation, heuristic
analysis, advanced threat scanning, custom sandbox analysis, and correlated threat intelligence
to detect ransomware, zero-day exploits, advanced malware, and attacker behavior.
Unlike other sandbox solutions that use a standard OS and apps template, Deep Discovery
Inspector uses virtual images that are tuned to precisely match an organization’s system
configurations, drivers, installed applications, and language versions. This approach improves the
detection rate of advanced threats and ransomware that are designed to evade standard virtual
images.
With Trend Micro Managed Detection and Response, Trend Micro security experts and industry
leading artificial intelligence are there to help you monitor and prioritize threats detected by
Deep Discovery Inspector. This managed service operates on a 24/7 basis and can be extended to
cover endpoints, email, cloud workloads for better insight into targeted attacks.
Deep Discovery Inspector uses standards-based advanced threat intelligence sharing to keep
ahead of threats (STIX/TAXII and YARA). Deep Discovery Inspector automates the sharing of
threat information across Trend Micro and third-party security solutions, which strengthens
multiple links in the security chain simultaneously.
Network Analytics
Security professionals are flooded with threat data from numerous sources. Network analytics
help prioritize threats and provide visibility into an attack. By looking back at months of historical
data, you will be able to see what the first point of entry was, who else in the organization is
impacted, and with whom the threat is communicating (for example, C&C).
XDR capabilities in Trend Micro Vision One break down the silos between email, endpoints,
servers, cloud workloads, and networks. It offers broader visibility and expert security analytics,
leading to fewer alerts and more higher-confidence detections for an earlier, faster response.
With XDR, you can identify and respond more effectively and efficiently to threats, minimizing
the severity and scope of an attack on the organization.
Deep Discovery Inspector and Trend Micro™ XDR for Networks are valuable parts of the XDR
solution, providing critical logs and visibility into unmanaged systems, such as contractor/third-
party systems, Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices, printers, and
bring-your-own-device (BYOD) systems.
Authentication with API key supported for TippingPoint Security Management System (SMS).
Deep Discovery Inspector can now display User-Defined Suspicious Object and User-Defined
Exception lists on the management console.
Product Specifications
Deep Discovery Inspector uses a custom built Linux 3.10.x SMP 64-bit kernel. Standard Deep
Discovery Inspector appliances have the following specifications.
Contact Trend Micro if the appliance you are using does not meet these hardware specifications.
Note: Hardware vendors and specifications may vary for customers in China, Japan, and other regions.
Feature         Specifications
Rack size       1U 19-inch standard rack
Availability    RAID 1 configuration
Storage size    2 x 1 TB 3.5-inch SATA
Connectivity    Management: 1 x 10/100/1000Base-T copper
                Data: 5 x 10/100/1000Base-T copper
                Inline: 2 x 10/100/1000Base-T copper

Feature         Specifications
Rack size       2U 19-inch standard rack
Availability    RAID 10 configuration
Storage size    4 x 1 TB 3.5-inch SAS
Connectivity    Management: 1 x 10/100/1000Base-T copper
                Data: 4 x 10 GbE SFP+ direct-attach copper
                      5 x 10/100/1000Base-T copper
                Inline: 2 x 10 GbE fiber
Hardware
Deep Discovery Inspector supports the following hardware appliance models. You can view the model
number on the front sticker of your physical appliance.
- 510
- 520
- 1100
- 1200
- 4100
- 4200
- 9200
Network Requirements
When placing Deep Discovery Inspector in your network, note that it must be able to receive all traffic
that can be caused by malicious software.
Additionally, Deep Discovery Inspector must be able to see the original IP-addresses of the endpoints,
therefore, Network Address Translation (NAT) or proxy services must not exist between any endpoints
and Deep Discovery Inspector.
For risk management, the Deep Discovery Inspector should be placed on the network where the most
critical and important assets are residing. Lateral movements can be monitored as well, depending on
traffic and performance.
Deep Discovery Inspector can monitor network traffic using the following methods:
• Port mirroring switch
• TAP mode
• In-line (as a transparent switch)
Best Practice: With port mirroring, administrators should mirror the ports that are closest possible to
endpoints or behind perimeter defenses.
As of version 6.0, Deep Discovery Inspector supports inline deployment in order to perform TLS
inspection. Inline deployment is only supported on hardware appliance versions of Deep Discovery
Inspector and requires an additional NIC to be installed. Due to a shortage of NICs, customers need to
purchase this additional NIC separately in order to deploy Deep Discovery Inspector inline and
support TLS inspection.
The Data Ports on Deep Discovery Inspector are used to accept incoming network traffic.
In a typical deployment scenario, they are connected to the monitoring ports of the enterprise
switches.
To ensure that Deep Discovery Inspector captures traffic from both directions, configure the
mirror port, and make sure that traffic in both directions is mirrored to the port.
The Deep Discovery Inspector Management Port is used for communications between
administrators via HTTP / SSH and interaction with other products (such as Deep Discovery
Analyzer, or Apex Central, and others) and services (such as WRS, ActiveUpdate and others).
Inline Ports
When Deep Discovery Inspector is deployed as an inline appliance and configured to decrypt TLS
traffic, an event such as a system crash, power outage, or other unexpected condition may have
an impact on the network accessibility.
Note: Deep Discovery Inspector uses traffic bypass to cross-connect the two physical network ports.
Traffic bypass helps to prevent Deep Discovery Inspector from being a single point of failure in
the network.
Inline ports are only available on certain Deep Discovery Inspector appliance models. For more
details, see the Installation and Deployment Guide.
Deep Discovery Inspector can automatically enable traffic bypass or you can manually enable it.
With automatic traffic bypass, Deep Discovery Inspector performs self-health checks. If an issue
is detected, Deep Discovery Inspector automatically enters traffic bypass mode to prevent the
potential impact on the network. When this occurs, a global notification appears in the
management console, and if configured, Deep Discovery Inspector can send an email notification
or an SNMP trap.
Note: Issues such as power outage, system hang, or kernel panic can prevent Deep Discovery Inspector
from sending email notifications and SNMP traps. Trend Micro recommends that you use tools
like an NMS or system monitoring to identify these issues.
Alternatively, you have the option to manually enable traffic bypass mode through the Deep
Discovery Inspector web management console (Administration > System Settings > Network
Interface) by toggling Enable manual traffic bypass. The web console will be covered in an
upcoming training module.
You can also enable traffic bypass mode in the pre-configuration console (the pre-configuration
console will be covered later in this training). For more details on Inline Ports, see the Installation
and Deployment Guide.
Intercepting Data
Deep Discovery Inspector uses the following internal kernel modules to intercept and scan the traffic
passing through the Data NICs.
• Network Content Inspection Technology (NCIT): Receive the network packets, stores them in
a single queue and sends them to Network Content Inspection Engine for scanning.
• Network Content Inspection Engine (NCIE): Assembles the packets to TCP streams (data
blocks) and scans the network protocol data. It sends the scanning results to the CAV
Daemon. NCIE is also responsible for extracting file content from the captured packets and
sending it to the File Scanning daemon for file scanning.
DDI must receive all traffic that can be caused by malicious software
In most cases, modern malware (botnets, etc.) try to establish a connection to an Internet server
which means that Deep Discovery Inspector must be able to see all outgoing network traffic.
However, if the administrator only concentrates on the outgoing traffic, malware that spreads
itself within the large enterprise network will be missed as this requires the Deep Discovery
Inspector data interfaces to intercept the internal traffic. If an organization runs internal DNS,
SMTP, Proxy or other servers, you should deploy the Deep Discovery Inspector data interface to
see the traffic between these servers and the endpoints.
If there is a NAT between the endpoints and Deep Discovery Inspector or endpoints use a proxy
located between endpoints and Deep Discovery Inspector, Deep Discovery Inspector cannot see
the real IP-address of the endpoint. This may lead the Inspector to report the wrong endpoint IP-
address to the mitigation servers. In the case of connections through proxy servers, IP address
rewriting can be enabled to determine the original source of the request.
If connection blocking for the Outbreak Containment Services is enabled, Deep Discovery
Inspector sends the TCP reset packets from the Management Port to the endpoints so the
endpoints must be in the same network segment as the Deep Discovery Inspector Management
Port or there must be a route for these packets to the endpoints.
The destination port speed should be the same as the source port speed to ensure equal port
mirroring. If the destination port is unable to handle the faster speed of the source port, the
destination port may drop some data.
• Port 53 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port for DNS resolution.
• Port 67 (UDP) Outbound: Deep Discovery Inspector sends requests to the DHCP server if IP
addresses are assigned dynamically.
• Port 68 (UDP) Listening: Deep Discovery Inspector receives responses from the DHCP server.
• Port 123 (UDP) Listening and Outbound: Deep Discovery Inspector connects to the NTP server to
synchronize time.
• Port 137 (UDP) Outbound: Deep Discovery Inspector uses NetBIOS to resolve IP addresses to host
names.
• Port 161 (UDP) Listening and Outbound: Deep Discovery Inspector uses this port for SNMP agent
listening and protocol translation.
• Port 162 (UDP) Outbound: Deep Discovery Inspector uses this port to send SNMP trap
notifications.
• Port 389 (TCP/UDP) Outbound: Deep Discovery Inspector uses this port to retrieve user
information from Microsoft Active Directory (This is the default. You can configure this port from
the Deep Discovery Inspector Management Console).
• Port 443 (TCP) Listening and Outbound: Deep Discovery Inspector uses this port to:
- Access the management console with a computer through HTTPS
- Register to the mitigation server
- Send logs and data to the Threat Management Services Portal if Deep Discovery Inspector is
using SSL encryption
- Connect to Trend Micro Threat Connect
- Communicate with Trend Micro Control Manager (Note: This is the default port. Configure this
port through the management console.)
- Communicate with Deep Discovery Director
- Scan APK files and send detection information to the Mobile App Reputation Service
- Query Mobile App Reputation Service through Smart Protection Server
- Query the Web Reputation Services blocking reason
- Verify the safety of files through the Certified Safe Software Service
- Share anonymous threat information with the Smart Protection Network
- Send files to Deep Discovery Analyzer for sandbox analysis
• Port 465 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with SSL/TLS encryption.
• Port 514 (UDP) Outbound: Deep Discovery Inspector sends logs to a syslog server over UDP
(Note: The port must match the syslog server.)
• Port 587 (TCP) Outbound: Deep Discovery Inspector sends notifications and scheduled reports
through SMTP over TCP with STARTTLS encryption.
• Port 601 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP (Note:
The port must match the syslog server.)
• Port 636 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory over LDAPS. Note: This is the default port. Configure this port
through the management console.
• Port 3268 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 3269 (TCP) Outbound: Deep Discovery Inspector uses this port to retrieve user information
from Microsoft Active Directory.
• Port 4343 (TCP) Outbound: This port is used for communications with Smart Protection Server.
• Port 5275 (TCP) Outbound: Used for querying Web Reputation Services through Smart
Protection Server.
• Port 6514 (TCP) Outbound: Deep Discovery Inspector sends logs to a syslog server over TCP with
SSL encryption. Note: The port must match the syslog server.
• Port 8080 (TCP) Listening: Share threat intelligence information with other products. Note: This
is the default port. Configure this port through the management console.
Note: For connections through proxy servers, IP address rewriting can be enabled to determine the
original source of the request.
Note: Addresses and ports for the services below vary by product version and region. Refer to the
Online Help for more information. All services, except Threat Management Services, connect using
HTTPS with TLS 1.2, so any man-in-the-middle (TLS-inspecting) devices in your network must
support TLS 1.2.
Smart Feedback
This service shares anonymous threat information with the Smart Protection Network, allowing
Trend Micro to rapidly identify and address new threats. Trend Micro Smart Feedback may
include product information such as the product name, ID, and version, as well as detection
information including file types, SHA-1 hash values, URLs, IP addresses, and domains.
GRID, or Certified Safe Software Service, verifies the safety of files. Certified Safe Software
Service reduces false positives and saves computing time and resources.
Census
This service determines the prevalence of detected files. Prevalence is a statistical concept
referring to the number of times a file was detected by Trend Micro sensors at a given time.
Domain Census
Domain Census determines the prevalence of detected domains and IPs. Prevalence is a
statistical concept referring to the number of times a domain or IP was detected by Trend Micro
sensors at a given time.
This service collects data about detected threats in mobile devices. Mobile App Reputation
Service is an advanced sandbox environment that analyzes mobile app runtime behavior to
detect privacy leaks, repacked mobile apps, third-party advertisement SDKs, vulnerabilities, and
app categories.
License Portal
The Trend Micro License Portal manages customer information, subscriptions, and product or
service licenses.
Web Reputation Services is used to track the credibility of web domains. Web Reputation
Services assigns reputation scores based on factors such as a website's age, historical location
changes, and indications of suspicious activities discovered through malware behavior analysis.
The Web Inspection Service is an auxiliary service of Web Reputation Services, providing
granular levels of threat results and comprehensive threat names to users. The threat name and
severity can be used as filtering criteria for proactive actions and further intensive scanning.
Through the use of malware modeling, Predictive Machine Learning compares samples to the
malware models, assigns a probability score, and determines the probable malware type that a
file contains.
Cloud Sandbox
The Trend Micro Cloud Sandbox service analyzes possible MacOS threats.
ActiveUpdate
This service provides updates for product components, including pattern files. Trend Micro
regularly releases component updates through the Trend Micro ActiveUpdate server.
Threat Connect
Threat Connect correlates suspicious objects detected in your environment and threat data from
the Trend Micro Smart Protection Network. The resulting intelligence reports enable you to
investigate potential threats and take actions pertinent to your attack profile.
The Threat Management Services Portal (TMSP) receives logs and data from registered products
and creates reports to enable product users to respond to threats in a timely manner and receive
up-to-date information about the latest and emerging threats.
TMSP receives and processes logs to build intelligence about your network. The Threat
Management Services Portal generates reports that contain information about the latest threats
and your network's overall security posture.
Alternately, the Troubleshooting portal can be accessed directly from the Deep Discovery Inspector
web console as follows. Go to Administration > System Settings > Network Interface and click on the
link Network Traffic Dump.
Best Practice: Since most modern malware establishes a connection to the Internet, the design goal
is to position Deep Discovery Inspector so that it is able to intercept all outgoing
network traffic.
The following is a high-level overview of supported deployments that will be discussed in this section.
To help choose a suitable topology for your Deep Discovery Inspector deployment, the following
guidelines can be used:
• Determine the segments of your network that need protection.
• Plan for network traffic, considering the location of appliances critical to your operations such as
email, web, and application servers.
• Determine both the number of appliances needed to meet your security needs and their
locations on the network.
• Conduct a pilot deployment on a test segment of your network.
• Redefine your deployment strategy based on the results of the pilot deployment.
Sample Deployments
Some sample Deep Discovery Inspector deployment scenarios that can help you plan a customized Deep
Discovery Inspector deployment are provided below.
Out-of-Band
When deployed out-of-band, Deep Discovery Inspector monitors network traffic by connecting to the
mirror port on a switch for minimal to no network interruption.
When multiple VLANs encapsulate the same physical link, mirror the source port from a trunk
link. Make sure that the switch mirrors the correct VLAN tag to Deep Discovery Inspector for
both directions.
[Diagram: trunk link carrying VLAN1, VLAN2 and VLAN3 mirrored to Deep Discovery Inspector]
Deep Discovery Inspector can monitor different network segments using different data ports.
Deep Discovery Inspector data ports are connected to the mirror ports of access or distribution
switches.
Network taps monitor the data flowing across the network from interconnected switches,
routers, and clients. Multiple Deep Discovery Inspector appliances can be connected to a network
tap.
[Diagram: Internet, Firewall, Core Switch, Server, with network taps feeding Deep Discovery Inspector]
Note: If using network taps, make sure that they copy DHCP traffic to Deep Discovery Inspector instead
of filtering DHCP traffic.
Proxy Monitoring
When configuring Deep Discovery Inspector in proxy environments outside the proxy server,
enable X-Forwarded-For (XFF) on the proxy server. To avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, add HTTP Proxy as a registered
service on Deep Discovery Inspector.
[Diagram: Internet, Firewall, Core Switch, Server, with the proxy between endpoints and Deep Discovery Inspector]
Redundant Networks
Many enterprise environments use redundant networks to provide high availability. When
available, an asymmetric route connects Deep Discovery Inspector to redundant switches.
Figure: two redundant paths (Internet, Firewall, Server on each side), both connected to Deep Discovery Inspector.
Asymmetric Routing
In customer environments with asymmetric routing, connecting the Deep Discovery Inspector data
interfaces only to the segment that carries packets in one direction disables Deep Discovery
Inspector detection: the appliance must see both directions of a session in order to reconstruct the
whole conversation. Both paths must therefore be mirrored to the appliance.
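The VLAN-tag, network-tap and asymmetric-routing requirements above can all be checked on a short capture taken from the port the appliance is connected to. The following Python script is an added example written for this training material, not Deep Discovery Inspector code. It reads tab-separated field output of the kind produced by `tshark -T fields` (the exact invocation in the comment is an assumption, and the sample rows are constructed, not a real capture) and reports TCP flows seen in only one direction, frames that arrived without an 802.1Q tag, and whether any DHCP traffic reached the sensor.

```python
from collections import defaultdict

# Column order of the assumed tshark invocation that would produce real input:
#   tshark -r mirror.pcap -T fields -E separator=/t -e vlan.id -e ip.src -e ip.dst \
#          -e ip.proto -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport
FIELDS = ("vlan", "src", "dst", "proto", "tsp", "tdp", "usp", "udp")

# Constructed sample rows (not a real capture): an HTTPS session seen in both
# directions, one seen in a single direction only, an untagged internal SMB
# session, and one DHCP Discover.
SAMPLE = (
    "10\t10.1.1.20\t93.184.216.34\t6\t51000\t443\t\t\n"
    "10\t93.184.216.34\t10.1.1.20\t6\t443\t51000\t\t\n"
    "10\t10.1.1.21\t93.184.216.34\t6\t51001\t443\t\t\n"
    "10\t10.1.1.21\t93.184.216.34\t6\t51001\t443\t\t\n"
    "\t10.1.2.5\t10.1.2.1\t6\t40000\t445\t\t\n"
    "\t10.1.2.1\t10.1.2.5\t6\t445\t40000\t\t\n"
    "10\t0.0.0.0\t255.255.255.255\t17\t\t\t68\t67\n"
)


def parse_rows(text):
    """Turn tab-separated tshark field output into dicts keyed by FIELDS."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (len(FIELDS) - len(parts))  # pad short rows
        rows.append(dict(zip(FIELDS, parts)))
    return rows


def _ports(row):
    if row["proto"] == "6":
        return row["tsp"], row["tdp"]
    if row["proto"] == "17":
        return row["usp"], row["udp"]
    return "", ""


def flow_key(row):
    """Direction-independent flow identifier: both halves of a session map here."""
    sp, dp = _ports(row)
    ends = sorted([(row["src"], sp), (row["dst"], dp)])
    return (row["proto"], ends[0], ends[1])


def one_way_tcp_flows(rows):
    """TCP flows for which the feed carried packets in only one direction."""
    directions = defaultdict(set)
    for r in rows:
        if r["proto"] == "6":
            directions[flow_key(r)].add((r["src"], r["dst"]))
    return sorted(k for k, d in directions.items() if len(d) == 1)


def tcp_flow_count(rows):
    return len({flow_key(r) for r in rows if r["proto"] == "6"})


def untagged_count(rows):
    """Frames that arrived without an 802.1Q tag."""
    return sum(1 for r in rows if r["vlan"] == "")


def sees_dhcp(rows):
    """True if any UDP 67/68 traffic reached the sensor (taps must not filter it)."""
    return any(r["proto"] == "17" and {r["usp"], r["udp"]} & {"67", "68"} for r in rows)


def report(rows):
    one_way = one_way_tcp_flows(rows)
    print(f"TCP flows: {tcp_flow_count(rows)}, one-way: {len(one_way)}")
    for _proto, a, b in one_way:
        print(f"  one-way: {a[0]}:{a[1]} <-> {b[0]}:{b[1]}")
    print(f"untagged frames: {untagged_count(rows)} of {len(rows)}")
    print(f"DHCP visible: {sees_dhcp(rows)}")


if __name__ == "__main__":
    report(parse_rows(SAMPLE))
```

A few one-way TCP flows are normal (unanswered SYNs, scans); a large share of one-way flows on a busy segment is the signature of a mirror or tap that only covers one direction of an asymmetric path. Untagged frames on a feed that should be a VLAN trunk mean the switch is stripping the tag before mirroring, which makes per-VLAN attribution impossible.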
Note: In this diagram, the dotted line displays the remote mirror, and the solid line displays the direct
mirror.
The Deep Discovery Inspector data port connects to the mirror port of the core switch, which
mirrors the traffic passing through the port to the firewall.
(Optional) Configure the mirror port to mirror inbound and outbound traffic from one or more
sources.
Figure: Internet / Firewall / Core Switch / Server topology, with the core switch port to the firewall mirrored to Deep Discovery Inspector.
Note: Mirrored traffic should not exceed the capacity of the network interface card.
VLAN-based port mirroring allows users to choose to monitor traffic on all ports belonging to a
particular VLAN. In this scenario, connect Deep Discovery Inspector to a switch if the mirror
configuration is VLAN-based.
Use VMware port mirroring when traffic passes through a virtual distributed switch.
Note: For more details, refer to the Deep Discovery Inspector Installation and Deployment Guide, Port
Mirroring on a VMware Virtual Distributed Switch on page 5-1.
Inline
When deployed inline, Deep Discovery Inspector acts as a transparent bridge and can inspect
decrypted TLS traffic.
Note: Only Deep Discovery Inspector hardware appliance models 520E, 1200E, 4200E, and 9200E
support inline deployment.
Deep Discovery Inspector does not block traffic. When it is deployed inline, traffic is either
inspected or passed through without inspection; the appliance never drops it.
Transparent Bridge
Transparent bridge deployment is used when you want Deep Discovery Inspector to operate as an
inline device, and it is required for TLS traffic inspection.
When deployed as a transparent bridge, Deep Discovery Inspector acts as a layer 2 bridge between
network devices. Because it is transparent on the network, you do not need to reconfigure your
network; you only place the appliance in the network path that you want to monitor.
Figure: Internet / Firewall / Core Switch / Server topology, with Deep Discovery Inspector bridged inline in the path.
Inter-VM traffic
Network traffic between virtual machines in a VMware ESX remains within its ESX environment. In a
VMware ESX setup, if Deep Discovery Inspector is not in that same virtual environment, Deep
Discovery Inspector will not be able to monitor network traffic between the virtual machines within
that VMware ESX setup.
Figure: VMware ESXi host with VM1 and VM3 exchanging traffic that never leaves the host.
In this case, for Deep Discovery Inspector to monitor the network traffic between the virtual
machines in an ESX environment, the traffic must be mirrored from a virtual distributed switch
using either remote mirroring or encapsulated remote mirroring, as described below.
Figure: inter-VM traffic on ESX hosts is mirrored from a virtual distributed switch (vDS) to Deep Discovery Inspector, either at layer 2 (remote mirroring) or at layer 3 (ERSPAN); vCenter Server manages the vDS.
Note: ERSPAN stands for encapsulated remote switched port analyzer. The traffic is encapsulated in
generic routing encapsulation (GRE) and can therefore be routed across a layer 3 network
between the source switch and the destination switch.
Remote Mirroring
With remote mirroring, a VDS (Virtual Distributed Switch) can be set up in a VMware vCenter
environment to forward inter-VM traffic to Deep Discovery Inspector. Remote mirroring lets you
monitor traffic on one switch through a device on another switch and send the monitored traffic
to one or more destinations.
Figure: a virtual distributed switch (mirroring source) forwards inter-VM traffic through a layer 2 physical switch (mirroring destination) to Deep Discovery Inspector; vCenter Server manages the VDS.
The mirroring source is the virtual distributed switch. It forwards mirrored traffic to the
mirroring destination, a physical switch that receives the mirrored traffic and can forward it to
Deep Discovery Inspector. For proper functionality, verify that the uplink ports of the ESXi hosts
that receive traffic are connected to a trunk port on the physical switch.
Remote mirroring requires that you configure a remote mirroring VLAN on your physical
switches. If you cannot configure a remote mirroring VLAN, you can use encapsulated remote
mirroring as an alternative which is described below.
FIGURE 2. Mirrored Traffic Monitoring from a VDS with Encapsulated Remote Mirroring (VMs on ESX hosts, managed by vCenter Server, mirrored to Deep Discovery Inspector over an encapsulated tunnel)
Once established, all Inter-VM traffic will be forwarded to Deep Discovery Inspector.
Note: For step-by-step details on configuring Mirrored Traffic Monitoring from a Virtual Distributed
Switch, you can refer to the Deep Discovery Inspector Installation and Deployment Guide
(https://docs.trendmicro.com/all/ent/ddi/v6.0/en-us/ddi_6.0_idg.pdf)
Note that various mirroring and encapsulated setups can be used which depend on whether you
are using a Deep Discovery Inspector hardware or virtual appliance. All supported VDS
configurations are fully described in the above mentioned Installation and Deployment guide.
When Deep Discovery Inspector is deployed on the internal side of the proxy (between the clients and
the web security gateway):
Advantages
• Deep Discovery Inspector sees the source IP address of the individual machine requesting the
web resource
• Web content returned to the end user has already passed through the web security gateway
- This removes some known threats, letting Deep Discovery Inspector focus on malware that
made it through the security gateway
Disadvantages
• Deep Discovery Inspector sees web requests before they are filtered by the existing web
security gateway
- This can raise detections for traffic that the gateway device already blocks
- It does, however, still give visibility into possibly infected endpoints
• Some customers route internal traffic through the web security gateways, which may
increase the amount of traffic analyzed by Deep Discovery Inspector
When Deep Discovery Inspector is deployed on the external side of the proxy (between the web security
gateway and the Internet):
Advantages
• Reduced amount of traffic being analyzed
• Requests already filtered by the web security gateway never reach Deep Discovery Inspector
Disadvantages
• The source IP for events will be that of the proxy server, not that of the actual host that
made the request.
Note: To see the actual source IP of the host that made the request, you can use the IP address
rewriting functionality if the web gateway supports the X-Forwarded-For HTTP header.
This functionality (Enable IP address rewriting for CAV logs (according to X-Forwarded-For
header)) is configured through the internal Deep Discovery Inspector debug portal, which can
be accessed by contacting Trend Micro Technical Support. Two caveats apply: the header is only
visible to the appliance in clear-text HTTP (or after TLS inspection), and clients can insert
their own X-Forwarded-For values, so only the entries appended by your own proxy should be trusted.
• Response data will not have been filtered by the web security gateway prior to inspection
- This can produce events for traffic that the web gateway device will ultimately filter,
and that therefore does not require additional investigation
Later in this training, we will see how to avoid false alarms when configuring Deep Discovery
Inspector in proxy environments inside or outside the proxy server, by adding HTTP Proxies as
registered services on Deep Discovery Inspector.
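To show what the X-Forwarded-For rewrite described above has to get right, here is an added Python example written for this training material; it is not Deep Discovery Inspector code and does not reflect how the appliance implements the feature. The proxy addresses, the event records and the header values are all constructed. The point it demonstrates is that the header is a chain to which every proxy appends the address it received the request from, so the client is the rightmost entry that is not one of your own proxies; taking the leftmost entry would let a client spoof its identity.

```python
import ipaddress

# Assumed: the forward proxies this organisation operates. Only addresses that our
# own proxies append to X-Forwarded-For are trustworthy; anything a client puts in
# the header before it reaches the proxy is attacker-controlled.
TRUSTED_PROXIES = {"10.0.5.10", "10.0.5.11"}


def _valid_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def client_ip(conn_src, xff):
    """Originating client for a connection whose packet-level source is conn_src.

    The chain reads "client, proxy1, proxy2, ...": each proxy appends the address
    it received the request from. Walking from the right, skip the hops we
    operate; the first address that is not one of our proxies is the client.
    """
    if conn_src not in TRUSTED_PROXIES:
        # Not from our proxy: the header could have been written by anyone.
        return conn_src
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _valid_ip(hop):
            return conn_src  # malformed entry: keep the proxy address rather than guess
        if hop not in TRUSTED_PROXIES:
            return hop
    return conn_src  # header empty or only our own proxies: nothing better to report


def rewrite_events(events):
    """Replace the source of each proxied event with the recovered client address."""
    out = []
    for ev in events:
        client = client_ip(ev["src_ip"], ev.get("x_forwarded_for", ""))
        out.append({**ev, "src_ip": client, "observed_src_ip": ev["src_ip"]})
    return out


# Constructed event records in the shape of a proxied web detection (not real logs).
SAMPLE_EVENTS = [
    {"src_ip": "10.0.5.10", "x_forwarded_for": "10.1.1.20", "url": "http://bad.example/x"},
    # the client tried to spoof the leftmost entry; our proxy appended the real address
    {"src_ip": "10.0.5.10", "x_forwarded_for": "198.51.100.9, 10.1.1.21", "url": "http://bad.example/y"},
    # two-proxy chain: client -> 10.0.5.10 -> 10.0.5.11
    {"src_ip": "10.0.5.11", "x_forwarded_for": "10.1.1.22, 10.0.5.10", "url": "http://bad.example/z"},
    # direct connection from an unknown host carrying a bogus header
    {"src_ip": "203.0.113.7", "x_forwarded_for": "10.1.1.23", "url": "http://bad.example/w"},
]

if __name__ == "__main__":
    for ev in rewrite_events(SAMPLE_EVENTS):
        print(ev["observed_src_ip"], "->", ev["src_ip"], ev["url"])
```

Keeping the observed (proxy) address alongside the recovered client address matters for investigations: the rewritten value is derived from a header, so an analyst needs to be able to tell which address came off the wire and which was inferred.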
Lateral Movement:
• Lateral movement is the phase of an attack in which machines that have become infected are
used by the attackers to move throughout the target's network
• This allows the attacker to explore and collect information that can be used in future
attacks, or information that can be staged for exfiltration
• When Deep Discovery Inspector is deployed only at the ingress/egress points, it has no
visibility into lateral movement activity (such as brute force attacks or internal port
scanning)
• Because Deep Discovery Inspector has multiple data ports, specific internal network segments
can still be monitored, as long as the aggregate throughput does not exceed the licensed
throughput or the hardware capacity
DNS Queries:
• DNS traffic seen by Deep Discovery Inspector will carry the address of the internal DNS server
as its source, because the internal resolver forwards the query on behalf of the client
• Therefore, for malicious communication identified from DNS queries, Deep Discovery Inspector
cannot report which system made the initial request
• The only ways to correlate this information are to:
- Review the logs on the DNS server, or on a SIEM that collects the DNS logs, to identify
the system that initiated the query
- Also mirror the DNS traffic going from monitored hosts to the internal DNS servers
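The first correlation option above, reviewing the resolver's query log, is worth seeing end to end. The following Python script is an added example for this training material, not part of Deep Discovery Inspector: given a detection whose source is the internal resolver, it searches constructed resolver query-log lines (written in the style of BIND's query channel; the exact format is an assumption and the lines are made up) for clients that asked for the flagged domain, or a name under it, shortly before the sensor saw the resolver's outbound query.

```python
import re
from datetime import datetime, timedelta

# Constructed resolver query-log lines in the style of BIND's "query" channel
# (not taken from a real server). Assumed layout:
#   <date> <time> client [@ptr] <ip>#<port> (<qname>): query: <qname> IN <type> ...
QUERY_LOG = """\
12-Mar-2024 10:14:50.004 client @0x7f3a8c01 10.1.1.30#43210 (bad.example): query: bad.example IN A +E(0) (10.0.0.53)
12-Mar-2024 10:15:01.870 client @0x7f3a8c02 10.1.1.40#51911 (good.example): query: good.example IN A +E(0) (10.0.0.53)
12-Mar-2024 10:15:02.123 client @0x7f3a8c03 10.1.1.20#51234 (bad.example): query: bad.example IN A +E(0) (10.0.0.53)
12-Mar-2024 10:15:02.500 client @0x7f3a8c04 10.1.1.25#50101 (cdn.bad.example): query: cdn.bad.example IN AAAA +E(0) (10.0.0.53)
"""

TS_FORMAT = "%d-%b-%Y %H:%M:%S.%f"

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) client (?:@0x[0-9a-f]+ )?"
    r"(?P<client>[0-9a-fA-F.:]+)#\d+ \([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_ts(text):
    return datetime.strptime(text, TS_FORMAT)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed log line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not query records
        yield parse_ts(m["ts"]), m["client"], m["qname"].lower().rstrip(".")


def _under(name, domain):
    """Label-boundary suffix match: cdn.bad.example is under bad.example, notbad.example is not."""
    return name == domain or name.endswith("." + domain)


def clients_for_detection(domain, detected_at, log_text, window_seconds=5):
    """Clients that asked the resolver for `domain` (or a name under it) within
    `window_seconds` before the sensor saw the resolver's own query.

    Returns a sorted list of (client_ip, qname). The window is short because a
    resolver forwards a question within milliseconds of receiving it.
    """
    end = parse_ts(detected_at)
    start = end - timedelta(seconds=window_seconds)
    domain = domain.lower().rstrip(".")
    hits = set()
    for ts, client, qname in parse_query_log(log_text):
        if start <= ts <= end and _under(qname, domain):
            hits.add((client, qname))
    return sorted(hits)


if __name__ == "__main__":
    # Constructed detection: the sensor reports source 10.0.0.53 (the resolver)
    # querying bad.example at this time.
    for client, qname in clients_for_detection("bad.example", "12-Mar-2024 10:15:03.000", QUERY_LOG):
        print(f"{client} queried {qname}")
```

One caveat the tight window does not cover: once the resolver has the answer cached, later clients asking for the same name are served from cache and the sensor never sees a second outbound query. Re-run the search with a window as long as the record's TTL to find every host that resolved the domain, not just the one that triggered the detection.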
Targeted attacks and advanced persistent threats (APTs) are highly organized, focused efforts that are
custom-built to penetrate organizations and gain access to internal systems, data, and other valuable
assets.
The APT attack cycle describes the phases of a targeted cyber attack, from initial reconnaissance to
final data exfiltration. Although each attack is customized to its target, it commonly follows a
continuous process of six key phases.
It is important to note here however, that the different stages of an attack are not particularly
distinct. The stages of a targeted attack represent distinct steps in a logical, structured attack.
Reality, however, is far messier. Once a stage is “finished”, it does not necessarily mean that no
other activities related to that stage will take place. It may be possible for multiple stages of an
attack to be occurring at the same time. For example, C&C communication takes place through all
phases of a targeted attack. The attacker needs to keep control of any activities going on within the
targeted network, so naturally C&C traffic will continue to go back and forth between the attacker
and any compromised systems.
It is best to think of each component as different facets of the same attack, where different portions
of a network may be facing different facets of an attack at the same time.
This can have a significant effect on how an organization has to respond to an attack. It cannot
simply be assumed that because an attack was detected at an “earlier” stage, that “later” stages of
an attack are not in progress.
A proper threat response plan should consider this and plan accordingly. Below is a description of
each phase of an attack cycle.
Intelligence Gathering
In this stage of the attack, cyber criminals have their attack targets in mind and conduct research
to identify target individuals within the organization and then prepare a customized attack—most
likely leveraging public sources, such as LinkedIn, Facebook, and MySpace. With the wealth of
personal information provided on these sites, attackers arm themselves with in-depth knowledge
on individuals within the organization. For example, their role, hobbies, trade association
memberships, and the names of those in their personal network.
With this information in hand, attackers prepare a customized attack in order to gain entry into
the organization.
Point of Entry
Once cyber criminals have gathered the intelligence on their intended target, they begin work on
designing their point of entry into the organization.
The initial compromise is typically zero-day malware delivered via social engineering (email, instant
messaging or a drive-by download). A back door is created and the network can now be infiltrated.
Alternatively, a web site exploitation (such as a watering hole) or a direct network attack may be
employed.
Command and Control (C&C) Communication
C&C communication is used by the attacker to instruct and control the compromised machines
and malware used for all subsequent phases of the attack (lateral movement, data discovery, and
exfiltration).
Lateral Movement
Once inside the network, the attacker compromises additional machines to harvest credentials
and gain escalated privilege levels. The attacker will also acquire strategic information about the
IT environment—operating systems, security solutions and network layout—to maintain persistent
control of the target organization.
Lateral movement uses legitimate system administration tools to help hide its activities, and has
three goals: escalate the privileges available within the target network, perform reconnaissance
within the target network, and move to other machines within the network itself. Several tools are
often used to increase the intruder's level of access in the network, including port redirectors,
scanning tools, and remote process execution tools.
Asset/Data Discovery
In an advanced malware attack, cyber criminals are in pursuit of high valued assets. This could be
anything from financial data, trade secrets, or source code, and most noteworthy, attackers know
the intended data of interest when a target organization is selected.
The attacker’s goal is to identify the data of interest as quickly as possible without being noticed.
In this phase of the attack, the attacker can use several different techniques. For example, they
will:
• Check the configuration of the infected host’s email client to locate the email server
• Locate file servers by checking the host for currently mapped network drives
• Obtain the browser history to identify internal Web services, such as CMS or CRM servers
• Scan the local network for folders shared by other endpoints, to identify noteworthy
servers and services that house data of interest.
• Use port scanning to discover open ports etc.
Data Exfiltration
Data exfiltration is the unauthorized data transmission to external locations. In this stage of a
targeted attack, sensitive information is gathered and then funneled to an internal staging server
where it is chunked, compressed, and often encrypted for transmission to external locations
under an attacker’s control.
Deep Discovery Inspector is purpose-built for detecting APT and targeted attacks. It identifies
malicious content, communications, and behavior that may indicate advanced malware or attacker
activity across every stage of the attack sequence.
APT36, also known as Earth Karkaddan, a politically motivated advanced persistent threat (APT) group,
has historically targeted Indian military and diplomatic resources. This APT group (also referred to as
Operation C-Major, PROJECTM, Mythic Leopard, and Transparent Tribe) has been known to use social
engineering and phishing lures as an entry point, after which, it deploys the Crimson RAT malware to
steal information from its victims.
In late 2021, the group was observed leveraging CapraRAT, an Android RAT with clear similarities in
design to the group’s favored Windows malware, Crimson RAT. It is interesting to see the degree of
crossover in terms of function names, commands, and capabilities between the tools, which we cover in
more detail in our technical brief, “Earth Karkaddan APT.”
This investigation is based on Trend Micro Smart Protection Network (SPN) data gathered from January
2020 to September 2021.
The malicious emails feature a variety of lures to deceive victims into downloading malware,
including fraudulent government documents, honeytraps showing profiles of attractive women, and
recently, coronavirus-themed information. The following is an example of a fake government-related
spear-phishing email.
Once the victim downloads the malicious macro, it will decrypt an embedded executable dropper that
is hidden inside a text box, which will then be saved to a hardcoded path prior to it executing in the
machine. The following is the malicious macro that decrypts an executable hidden inside a text box.
The following are examples of encrypted Crimson RAT executables hidden inside text boxes
Once the executable file is executed, it will proceed to unzip a file named mdkhm.zip and then
execute a Crimson RAT executable named dlrarhsiva.exe.
Earth Karkaddan actors are known to use the Crimson RAT malware in its campaigns to communicate
with its command-and-control (C&C) server to download other malware or exfiltrate data.
Trend Micro’s analysis shows that the Crimson RAT malware is compiled as a .NET binary with
minimal obfuscation. This could indicate that the cyber criminal group behind this campaign is
possibly not well-funded. The following is a list of minimally obfuscated commands, function names,
and variables from a Crimson RAT malware sample:
Crimson RAT can steal credentials from browsers, collect antivirus information, capture screen
shots, and list victim drives, processes, and directories. An infected host communicates with a
Crimson RAT C&C server to send exfiltrated information including PC name, operating system (OS)
information, and the location of the Crimson RAT malware inside the system. The following is the
network traffic from a Crimson RAT malware sample:
Once the victim clicks the link, it downloads a document laced with a malicious macro. Upon
enabling the macro, it downloads the ObliqueRAT malware, which is hidden inside an image file.
The downloaded "1More-details.doc" contains malicious macros that download and execute the
ObliqueRAT malware on the victim's machine:
The macros inside the file download a bitmap image (BMP) file in which the ObliqueRAT malware
is hidden, decode the downloaded BMP file, then create a persistence mechanism by creating a
Startup URL that automatically runs the ObliqueRAT malware.
Below is a list of backdoor commands that this particular ObliqueRAT malware variant can perform:
In this specific campaign, both the Crimson RAT malware downloader document and the ObliqueRAT
malware downloader share the same download domain, sharingmymedia[.]com. This indicates that
both malware types were actively used in Earth Karkaddan APT campaigns.
Shown here are the Crimson RAT and ObliqueRAT spear-phishing email attachments that feature the
same download domain.
This group was observed using another Android RAT, which Trend Micro has named "CapraRAT" and
which is possibly a modified version of an open-source RAT called AndroRAT. While analyzing this
Android RAT, several capabilities similar to those of the Crimson RAT malware that the group usually
uses to infect Windows systems were seen.
CapraRAT samples have been observed by Trend Micro since 2017, and one of the first samples
analyzed (SHA-256: d9979a41027fe790399edebe5ef8765f61e1eb1a4ee1d11690b4c2a0aa38ae42,
detected by Trend Micro as AndroidOS_Androrat.HRXD) revealed some interesting things in that
year: they used "com.example.appcode.appcode" as the APK package name and used a possible
public certificate “74bd7b456d9e651fc84446f65041bef1207c408d,” which possibly meant the
sample was used for testing, and they just started to use it for their campaigns during that year.
The C&C domain android[.]viral91[.]xyz, to which the malware was connecting, also shows that the
APT team very likely uses subdomains to host or connect to Android malware. In previous years,
some Crimson RAT samples were also found to be hosted on the viral91[.]xyz domain. The following
is the Crimson RAT malware hosted on viral91[.]xyz:
Trend Micro was also able to source a phishing document, “csd_car_price_list_2017,” that is related to
this domain and has been seen in the wild in 2017. This file name is interesting as “csd” is likely to be
associated to "Canteen Stores Department" in Pakistan, which is operated by the Pakistani Ministry
of Defense. This is a possible lure for the Indian targets to open the malicious attachment, also used
in a similar attack in 2021.
Upon downloading this malicious app that possibly arrived via a malicious link, the user will need to
grant permissions upon installation to allow the RAT access to stored information. The malware can
do the following on a compromised device:
• Access the phone number
• Launch other apps’ installation packages
• Open the camera
• Access the microphone and record audio clips
• Access the unique identification number
• Access location information
• Access phone call history
• Access contact information
Once the Android RAT is executed, it attempts to establish a connection to its C&C server,
209[.]127[.]19[.]241[:]10284. Trend Micro Research observed that the Remote Desktop Protocol
(RDP) certificate associated with this deployment, "WIN-P9NRMH5G6M8," is a common string found in
previously identified Earth Karkaddan C&C servers. This is the decompiled code from CapraRAT
connecting to its C&C server:
The following is the CapraRAT config showing its C&C server and port information:
The CapraRAT APK file also has the ability to drop MP4 or APK files from its assets directory.
In addition, the RAT has a persistence mechanism that keeps the app active at all times. It checks
every minute whether the service is still running, and if it is not, the service is launched again.
Users can adopt the following security best practices to thwart Earth Karkaddan attacks:
• Be careful of opening unsolicited and unexpected emails, especially those that call for
urgency
• Watch out for malicious email red flags, which include atypical sender domains and
grammatical and spelling lapses
• Avoid clicking on links or downloading attachments in emails, especially from unknown
sources
• Block threats that arrive via email such as malicious links using hosted email security and
antispam protection
• Download apps only from trusted sources
• Be wary of the scope of app permissions
• Get multi-layered mobile security solutions that can protect devices against online threats,
malicious applications, and even data loss
The following security solutions can also protect users from email-based attacks:
Note: For more information on this attack and ongoing threat research at Trend Micro you can visit:
https://www.trendmicro.com/en_no/research.html
Indicators of Compromise
For a list of IOCs (indicators of compromise) for this attack you can visit:
https://www.trendmicro.com/en_no/research/22/a/investigating-apt36-or-
earth-karkaddans-attack-chain-and-malware.html
Here you will find a link to a text file at the very end of the article that contains all the IOCs for this
attack.
The following section is only meant to provide introductory level information about the different engines
and services used by Deep Discovery products. For a more in depth discussion on these technologies, you
can refer to the Appendix provided at the end of your Student Manual.
The main Deep Discovery engines that are used for threat detection are summarized below.
Note: VSAPI (Virus Scan API) is Trend Micro's File Scanning Engine, a core component of most Trend
Micro Security Products. It is the current technology module responsible for processing File
Objects and classifying them as malicious, suspected or non-malicious files.
Virtual Analyzer
• The Virtual Analyzer detects suspicious behavior in files by letting the code in the file
execute in an isolated virtual environment (sandbox) to determine what the code does
(dropping files or modifying registry settings for example).
Note: Virtual Analyzer sandbox technology is available in many of Trend Micro’s Network Defense
Products. The Virtual Analyzer can be either embedded into the product itself as in Deep
Discovery Inspector (and others), or as an external standalone hardware appliance, as in Deep
Discovery Analyzer.
The Deep Discovery threat detection engines must be able to connect to various Trend Micro
cloud-based services in order to provide the detection capabilities described below.
Figure: detection components, including the Network Content Inspection Engine, the Event Classification Engine (ECE) with its Event Classification Patterns (ECP), LogX, pattern files, a local database, the NIC and the target of evaluation.
Deep Discovery is powered by the Trend Micro Smart Protection Network solution. The Smart
Protection Network is a cloud-client content security infrastructure designed to protect
customers from security risks and Web threats.
The Trend Micro URL Filtering Engine (TMUFE) communicates with the Web Reputation Service
within the Smart Protection Network. This service assigns a reputation score to a web site and
either blocks or allows access to it. In Deep Discovery Inspector 5.0 and above, you can configure
up to 10 Smart Protection Servers.
Note: For additional information on technologies used by Deep Discovery solutions, you can refer to
the section Detection Technologies that is provided as an Appendix in this Student manual.
Pre-Configuration Console
Following the deployment of a new Deep Discovery Inspector in your environment, the first task you will
do is log into the Deep Discovery Inspector Pre-configuration Console (a terminal communications
program) and configure the initial network and system settings that are required to access the Deep
Discovery Inspector web-based management console, or simply, the web console.
Note: Although the following screen captures are for a virtual appliance setup of Deep Discovery
Inspector, all the listed steps are identical for both hardware and virtual form factors.
1 Log on to the Deep Discovery Inspector Pre-Configuration Console with the following default
credentials:
• username: admin
• password: admin
3 Enter the Deep Discovery Inspector IP address, subnet, gateway and DNS set up to use.
4 To save these settings, navigate to the option Return to the main menu located at the bottom of
the screen.
5 Back in the main menu, select the option Log Off with Saving.
After the changes are saved, the following page will display, indicating the URL needed for
connecting to Deep Discovery Inspector web console using a supported web browser.
The Deep Discovery Inspector web management console supports the following web browsers:
• Google Chrome
• Microsoft Internet Explorer
• Mozilla Firefox
• Microsoft Edge
Note: Ensure that your web browser’s Internet Security level is set to Medium and enable ActiveX
Binary and Script Behaviors. You should also use the minimum recommended screen resolution
rate of 1280x800. (For a complete listing of supported web browser versions and other Deep
Discovery Inspector web console requirements you can refer to the Deep Discovery Inspector
Quick Start Guide.)
To connect to the Deep Discovery Inspector web console, launch a supported web browser and open a
HTTPS connection to the management port IP address of your Deep Discovery Inspector using the
following URL: https://<DDI Management IP Address>.
Note: The DDI Management IP Address gets configured as part of the initial setup using the Pre-
Configuration Console that was discussed earlier.
If the connection to the web console is successful, the Log On screen will be presented. Enter the default
web console password admin to login.
Once you have successfully logged into the web console, you will be forced to change the admin
password to one that meets the criteria for a stronger password as indicated below.
Best Practice: Trend Micro recommends changing the Deep Discovery Inspector password to a strong
password after logging on for the first time, and periodically thereafter.
To activate Deep Discovery Inspector, go to Administration > Licenses and select New Activation Code. In
the window that appears, enter a valid activation code.
After entering in the activation code for Deep Discovery Inspector, you will be presented with the
software license. Click Accept to continue.
Once you have accepted the license agreement, the Licenses screen will be updated to indicate that Deep
Discovery Inspector is now activated:
To configure the threat geographic map for your environment, perform the following steps:
1 Go to Dashboard > Threat Monitoring.
2 Next click Widget Settings.
This will set the Threat Geographic Map to your specific location similar to the following:
Note: Once the Deep Discovery Inspector has been in use for a while, the Threat Geographic Map will
display regions with affected hosts as a solid red circle and the Deep Discovery Inspector location
being analyzed as a concentric red circle.
To add a network group in Deep Discovery Inspector, go to Administration > Network Groups and
Assets > Network Groups. Note that if an internal host has a public IP address (for example, in the
DMZ), it should also be added here.
As shown above, descriptive names should be used for your network groups such as Finance, Sales,
Human Resources etc. This will make it easier to analyze your Deep Discovery Inspector detection
logs, widgets and reports.
In the following example, when viewing Deep Discovery Inspector detections such as the threat
detections by Affected Hosts (which will be discussed later in this training), having descriptive names
for the different network groups, makes it easier for you to quickly identify which portion of your
network the affected host resides. This can improve the time it will take for you to respond to a
potential threat.
Alternatively, accepting the default network group name will display the same name for all the
network groups as follows. In this case, you cannot see at a glance which part of your network
segment requires immediate response and remediation for potential threats.
Identifying trusted domains and services in the network not only ensures detection of unauthorized
domains, applications, or services, but also avoids unnecessary detections (logs) of trusted domains
and services that become a distraction for important detections that need more attention.
In cases where a valid service has not yet been configured as registered “trusted” service within
Deep Discovery Inspector, an entry will appear in the detection logs with the threat description
“Unregistered service” similar to the following:
Depending on the amount of traffic seen by Deep Discovery Inspector, these entries can potentially
“flood” the Deep Discovery Inspector detection logs with unnecessary information. When trying to
filter through thousands of higher severity events (such as the above DNS Response, with a Medium
severity level) this can waste time (and possibly make it more confusing) when analyzing detection
logs to find actual risks that may be compromising your network.
Best Practice: Register ALL trusted network domains and dedicated servers for specific services
that are used internally or are considered trustworthy.
Export all current network configurations using the Export function as backup.
Next, you will need to add domains used for internal purposes or those considered trustworthy.
This tells Deep Discovery Inspector which domains should be trusted and ensures the detection
of any unauthorized domains.
To add a registered domain, use the Deep Discovery Inspector web console and go to
Administration > Network Groups and Assets > Registered Domains.
The Analyze button is used to auto-discover your domains. If any domains are found, they will be
displayed in a list where you will be able to select the ones to add as a registered domain.
The Registered Domains settings are used by the detection rules. Therefore, if a legitimate
domain is not registered, and this domain is used in the rule, it may incorrectly trigger an event.
Note: Add only trusted domains (up to 1,000 domains) to ensure the accuracy of your network profile.
Suffix-matching is supported for registered domains. For example, adding domain.com adds
one.domain.com, two.domain.com, etc.
If a trusted domain was not added above using the Registered Domains configuration page, and
Deep Discovery Inspector detected it as an unauthorized domain in the Detections > All
Detections page (All Detections page will be explored in more detail later in this training), you
have the ability to mark this trusted host as a Registered Domain directly from the Detections >
All Detections page as follows.
Click the down arrow for a trusted host that is listed under the Source Host column then select
Registered Domains from the Mark as list that is displayed.
This will save the selected domain IP address to the Deep Discovery Inspector Registered
Domains list.
Registered Services can be defined in the web console by navigating to Administration > Network
Groups and Assets > Registered Services.
Registered Services can be entered in manually or they can be auto-discovered by clicking
the Analyze button.
Note: Only the SMTP server/relay and DNS server can be discovered automatically.
The services that must be defined are SMTP, HTTP Proxy and DNS. Identifying the trusted services
in your network ensures the detection of unauthorized applications and services. It is better to add
this information ahead of time; it can also be added after the fact, but the change is not
retroactive. Detection rules in Deep Discovery Inspector use Registered Services, so if a legitimate
service is not registered, rules can be incorrectly triggered and files sent unnecessarily to the
sandbox for virtual analysis, which can be a resource-intensive process depending on the file being
analyzed.
Any registered services that are not auto-discovered by Deep Discovery Inspector should be
manually added as follows:
In addition, any hosts that were not added in this configuration step can optionally be added to
Registered Services by selecting them from the All Detections page, as we saw previously with
Registered Domains. Select the detected “unauthorized” service from Detections > All Detections,
then click the down arrow and select Registered Services as follows:
Administration Tasks
This section explores common system management and administration functions that Deep Discovery
Inspector administrators regularly perform such as:
• Generating management reports
• Creating event notifications
• Managing user accounts
• Performing system updates
• Updating firmware
• Working with DDI system logs
• Integrating with Syslog servers
Reports are designed to assist the administrator in determining the types of threat incidents
affecting the network.
By using daily administrative reports, IT administrators are able to better track the status of threats,
while weekly and monthly executive reports keep executives informed about the overall security
posture of the organization.
In Deep Discovery Inspector, there are various reports that can be generated including:
• Scheduled Reports: Daily, weekly, and monthly reports are designed to provide the correlated
threat information.
• On-Demand Reports: Reports that can be generated as needed that are designed to provide
detailed information about specific files.
• Virtual Analyzer Reports: Virtual Analyzer reports are designed to provide detailed information
about specific suspicious objects.
Report Templates
Different report templates are available depending on the type of information that is needed.
For example Deep Discovery Inspector provides the following report templates that provide easy
access to threat information:
• Summary Report
• Executive Report
• Advanced Report
• Threat Detection Report
• Host Severity Report
Scheduled Reports
Scheduled Reports are PDF documents that are generated automatically daily, weekly, or
monthly. The reports are also automatically sent to the configured recipients via SMTP. There
are three default scheduled reports generated automatically:
• End of Each Day (Advanced Report)
- Daily reports can be generated before the end of the day
• End of Each Week (Executive Report)
• End of Each Month (Executive Report)
Other scheduled reports can be customized by specifying the frequency and report type and by
enabling or disabling notification.
The report name is specified when the customization is created; the generated file, however, is
named in the form “reporttype_period.pdf”.
On-Demand Reports
On-demand reports are PDF documents that can be generated as needed and are designed to
provide detailed information about specific files. On-demand reports can be generated for
periods up to and including the previous day.
The Customization tab can be used to configure the report covers with the company name and
logo.
Purging Reports
Reports are not purged automatically by Deep Discovery Inspector. To purge report files you no
longer wish to keep, go to Administration > System Maintenance > Storage Maintenance, where
you will have the following purging options. Select which reports to delete and click Delete.
Email notifications can help your security team determine the action(s) required for certain events.
Note: Ensure the Deep Discovery Inspector IP address is added to the SMTP relay list!
Event types that you can create notifications for include the following.
Note also that, from the user account screen shown below, you can reset a particular user's
password by clicking Change Password in the Reset password column.
SAML Authentication
Security Assertion Markup Language (SAML) is an industry authentication standard that allows the
secure exchange of user identity information from one party to another.
If SAML is configured, users signing into your organization's portal can seamlessly sign into Deep
Discovery Inspector without an existing Deep Discovery Inspector account.
See the documentation that comes with your identity provider for the following setup:
• Configuring the required settings for single sign-on.
• Obtaining the metadata file.
In Deep Discovery Inspector, you will need to import the metadata file for your identity provider.
Deep Discovery Inspector supports the following identity providers for single sign-on:
• Microsoft Active Directory Federation Services (AD FS) 4.0 or 5.0
• Okta
Best Practice
To transfer a user's detection filters and generated reports from an Active Directory account to a
SAML account, create the SAML account and have the user log in BEFORE deleting the user's
Active Directory account.
Manual Updates
To check if any Deep Discovery Inspector components are out-of-date or to perform a manual
update from the web console, go to Administration > Updates > Component Updates > Manual.
Note: It is not possible to individually select the components you wish to update. All the Deep
Discovery Inspector components will be updated at once.
Deep Discovery Inspector automatically checks the update source at the specified update
frequency that is configured in the web console under Administration > Updates > Scheduled.
Changes can be made to the schedule as required.
Note: Trend Micro recommends setting the update schedule to every two hours.
If the firmware was updated during a scheduled update, you will receive an email notifying you to
restart Deep Discovery Inspector and you will need to restart the appliance at that point.
The following components are updated during scheduled and manual component updates:
OTHER COMPONENTS:
• Threat Correlation Pattern: Used to perform threat correlation.
• Threat Knowledge Base: Database used to provide further information for correlated
threats.
• Virtual Analyzer Sensors: Modules that run on the sandbox virtual machines that
perform virtual analysis of file samples.
• Widget Framework: Provides a template for the Deep Discovery Inspector widgets.
• Deep Discovery Inspector Appliance Firmware: Deep Discovery Inspector application
software.
In air-gapped environments (no access to the Internet), the Deep Discovery Inspector patterns
and engines must be updated using the Trend Micro Update Utility (TMUT). This tool must be
deployed both in a network that has access to Trend Micro's update server and within the air-
gapped environment itself. The instance with access to Trend Micro's update server downloads
the updates, which are then transferred to the update utility deployed in the air-gapped
environment. Deep Discovery Inspector then retrieves its updates using this tool (the TMUT
server) as its update source.
Note: It is important to note also that in Air Gapped Environments you should disable all Web Services
including: WRS, MARS, CSSS.
To automatically keep the configuration of the original Deep Discovery Inspector, select the
“Migrate configuration?” checkbox and click Continue.
To use the default configuration (as with a new Deep Discovery Inspector installation), leave the
“Migrate configuration?” checkbox empty and click Continue. The database is migrated, which
keeps all the original data. The sandbox image and status can also be kept during a firmware
update. After performing a firmware update, DO NOT select the old version in GRUB, since the
database data cannot be rolled back.
Deep Discovery Inspector provides a hardware detection feature to view your Deep Discovery
Inspector hardware model, CPU and memory information. It is good practice to check your
model information for compatibility with new firmware before upgrading.
The hardware information can be viewed from the web console under Help > About, which also
shows the current firmware version of your device. From there, click the View Details link under
System Information.
This will display additional appliance hardware information about CPU and memory.
System logs
• Accessed through the Deep Discovery Inspector web console
• Provide system events and component update events, for example administrator logons and
pattern updates
• Stored on the Deep Discovery Inspector hard drive
Debug logs
• Accessed and configured through the Deep Discovery Inspector Troubleshooting Portal
• Provide processing-related data and debugging-related information for individual Deep
Discovery Inspector components
• Stored in the /var/log directory
• The maximum size per file is 50 MB
• When a debug file reaches the maximum size, its contents are rotated into the corresponding
previous file
Reporting logs
• Record traffic information and analysis results produced by the threat detection modules of
Deep Discovery Inspector
• Stored in the database
• The web console uses the reporting logs from the database tables to display logs and
statistics and to generate reports
• The logs are kept for a maximum of 30 days
System logs provide summaries of system events, including component updates and appliance
restarts. To access the Deep Discovery Inspector System Logs, go to Administration > System
Logs.
System Log queries can be performed to gather information from the Deep Discovery Inspector
log databases. To perform a System Log query, set an appropriate query Criteria as indicated
below.
System logs are not auto-purged by Deep Discovery Inspector. To manually purge all your system
log files, go to Administration > System Maintenance > Storage Maintenance. Select the checkbox
for System Log and a delete action, then click Delete.
Deep Discovery Inspector’s syslog facility can integrate with existing syslog reporting and alerting
systems. It can send both system and detection events that can be specified in the syslog settings
below.
You can define up to three syslog servers using the following supported log formats:
If the log format is CEF, ensure that Deep Discovery Inspector is connected to ArcSight ESM through
an ArcSight connector. The following is a sample log output from ArcSight ESM:
The following is a sample log view from IBM QRadar. To obtain a different log format, Trend Micro
can provide sample logs to IBM for a new QRadar update package. This integration support is
different from the integration provided for ArcSight.
Deep Discovery Inspector transports log content to a configured external syslog server using one of
the following syslog protocols:
• Transmission Control Protocol (TCP)
• Transmission Control Protocol (TCP) with Secure Sockets Layer (SSL) encryption
• User Datagram Protocol (UDP)
To add a Syslog server to Deep Discovery Inspector go to Administration > Integrated Product/
Services > Syslog as follows:
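The CEF output described above is the format ArcSight and most other SIEM connectors consume, and a consumer has to honour its escaping rules before any field can be trusted. The following Python is an added example, not a Trend Micro tool: it splits a CEF line into its seven header fields and its extension key/value pairs, treating \| and \= as escapes rather than delimiters, resolves ArcSight cs1Label/cs1 pairs, and compares the severity field, which may be numeric or a word. The sample line is constructed for the example; its extension keys and values are assumptions, not a captured Deep Discovery Inspector event.

```python
import re

# Constructed sample line for the example (not captured from an appliance);
# the extension keys and values are assumptions for illustration.
SAMPLE_CEF = (
    "CEF:0|Trend Micro|Deep Discovery Inspector|4.1|2245|DEMO RULE - DNS (Request)|3|"
    "src=10.1.2.3 dst=10.1.0.53 dhost=ddi.detection.test "
    "msg=Rule matched\\=demo proto=UDP cs1Label=Direction cs1=Internal"
)

CEF_HEADER_FIELDS = ("version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# key=value pairs; a value runs until the next " key=" boundary, and "\=" or "\\"
# inside it are escape sequences, not delimiters.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)")


def _split_header(line: str):
    """Split the seven header fields on unescaped '|'; return (fields, extension_text)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    body, fields, buf, i = line[4:], [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body):      # "\|" and "\\" inside a header field
            buf.append(body[i + 1]); i += 2
        elif ch == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> dict:
    """Return one flat dict: header fields plus extension keys, with csNLabel pairs resolved."""
    header, ext = _split_header(line)
    event = dict(zip(CEF_HEADER_FIELDS, header))
    fields = {k: _unescape(v) for k, v in _EXT_RE.findall(ext)}
    for key in list(fields):                      # cs1Label=Direction cs1=Internal -> Direction=Internal
        base = key[:-5]
        if key.endswith("Label") and base in fields:
            fields[fields[key]] = fields.pop(base)
            del fields[key]
    event.update(fields)
    return event


def severity_at_least(event: dict, threshold: int) -> bool:
    """CEF severity is 0-10 or Low/Medium/High/Very-High; map the words onto the numeric scale."""
    words = {"low": 1, "medium": 4, "high": 7, "very-high": 9}
    raw = event["severity"].strip().lower()
    level = int(raw) if raw.isdigit() else words.get(raw, -1)
    return level >= threshold


if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    for k, v in ev.items():
        print(f"{k:15} {v!r}")
    print("escalate:", severity_at_least(ev, 7))
```

Splitting the header with a plain split("|") would break on any rule name containing a pipe, and splitting the extension on spaces would break the msg field; both are the usual causes of mis-parsed SIEM events.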
Virtual Analyzer uses ‘customized’ system images to observe sample behavior and characteristics within
an isolated and controllable virtual environment. Enabling the Virtual Analyzer feature not only helps
organizations to identify and combat potential threats at an early stage, but also gives a deeper
understanding and knowledge of potential threats.
The Virtual Analyzer component is also available with other Deep Discovery solutions, including
Deep Discovery Email Inspector and Deep Discovery Analyzer (a standalone appliance that allows
you to load multiple virtual images of endpoint configurations to analyze and detect targeted
attacks). This is useful in larger deployments to off-load resource-intensive sandboxing functions
from Deep Discovery Inspector.
The following section provides an overview of the functionality and configuration options for the
Virtual Analyzer and how to enable it in Deep Discovery Inspector.
Features
The main features of the Deep Discovery Inspector Virtual Analyzer include:
• Threat execution and evaluation summary
• In-depth tracking of malware actions and system impact
• Network connections initiated
• System file/Registry modification
• System injection behavior detection
Note: Trend Micro does not provide any Microsoft Windows operating systems or Microsoft Office
products required for installation on Virtual Analyzer images or sandbox instances you create
for Deep Discovery Inspector. You must provide the operating system and Microsoft Office
installation media and appropriate licensing rights necessary for you to configure any sandboxes
as described below.
Virtual Analyzer does not contain any sandbox images by default. You must prepare and import your
own custom system images before Virtual Analyzer will be able to analyze any samples.
• On Deep Discovery Analyzer 1000 appliances, Virtual Analyzer supports custom OVA files up
to 20 GB in size.
• On Deep Discovery Analyzer 1100 and 1200 appliances, Virtual Analyzer supports custom
OVA files up to 30 GB in size.
You can consult the on-line Deep Discovery Analyzer Installation and Deployment guide for more
information on these custom sandbox requirements.
Note: If you are using an existing Deep Discovery Analyzer in your environment for virtual sandbox
analysis this process is not required. You will instead need to import your custom sandbox into
Deep Discovery Analyzer (as covered already earlier in this training).
There are two methods that can be used to import a new image that the VA will use for analyzing
suspicious samples.
You should select the method that is most appropriate for your environment.
Note: For detailed steps on importing a new image using one of the above methods, please refer to the
Deep Discovery Inspector Online Help Center (http://docs.trendmicro.com/en-us/
enterprise/deep-discovery-inspector.aspx).
After importing the images, you can then decide how many instances should be allocated for each
image. Deep Discovery Inspector supports a maximum of 2 images.
Note: The hardware specifications of your Deep Discovery Inspector appliance determine the total
number of instances that can be deployed. Trend Micro recommends:
• Use the official license (DDI 500/510: 2 instances, 1000/1100: 4 instances, and 4000/4100: 20
instances) to configure the maximum number of total instances (this is done using the DDI
debug portal, which should only be used under the guidance of Support)
• Do not enlarge the number of total instances beyond the hardware capability, as this can
cause performance issues
• Modify the number of instances for each image as needed
• Each image must have a minimum of one instance
If the Management network is used, the internal Virtual Analyzer connects to the Internet using the
Deep Discovery Inspector management port. If Custom network is selected, the internal Virtual
Analyzer will have the ability to connect to the Internet using another data port.
Best Practice: To isolate this traffic from the Management network, and more easily identify
detections triggered by the internal Virtual Analyzer processes, it is recommended to
set up a Custom network and specify a different data port, IP, or proxy settings to use
for Internet connectivity for the Virtual Analyzer. This is shown below.
The steps below are not required if you are using an existing Deep Discovery Analyzer in your
environment for virtual sandbox analysis.
1 To activate the Virtual Analyzer in Deep Discovery Inspector, open the web console and go to
Administration > Virtual Analyzer > Setup.
2 Next, configure the following parameters:
• Submit files to Virtual Analyzer: Enable this option
• Virtual Analyzer: Internal
• Network Type: Custom network (Best Practice: Always use a custom network)
• If Specified Network is selected, set Sandbox Port, IP, subnet, gateway, DNS
Testing Connectivity
Once you have configured the above settings, click Test Internet Connectivity to verify that the
Deep Discovery Inspector internal Virtual Analyzer can reach the Internet through the selected
network.
Best Practice: Connectivity should be tested any time new virtual analyzer settings are saved.
After clicking Save, the following pop-up will be displayed notifying that submissions of files to the
Virtual Analyzer will be limited to a maximum file size of 15 MB (by default).
In Deep Discovery Inspector, you can control the size of the files captured by Deep Discovery
Inspector as follows.
Go to Administration > System Maintenance > Storage Maintenance > File Size Settings.
The Maximum File Size parameter shown above controls the size of files that will be accepted by
Deep Discovery Inspector for scanning through the various Deep Discovery Inspector services
(File Scan daemon, ATSE, etc.), including the Virtual Analyzer.
The default Maximum file size value is 15MB but can be changed to a maximum of up to 50 MB.
When a file is encountered that exceeds the maximum size that is configured here, Deep
Discovery Inspector will drop the file which also has the following implications:
• The file will not be scanned by ATSE
• The file will not be submitted to the Virtual Analyzer for analysis
• The file will not be stored by Deep Discovery Inspector
Deep Discovery Inspector uses Virtual Analyzer File Submission rules to identify which files it will
submit to the Virtual Analyzer(s) for object analysis. Deep Discovery Inspector contains a default
file submission rule set after installation.
Administrators can, and should, also create their own file submission rules to ensure that
suspicious files are analyzed.
Files Submissions rules for Virtual Analyzer can be configured through the web console as
follows. Go to Administration > Virtual Analyzer > File Submissions.
This configuration ensures that only the necessary files are being submitted to the Virtual
Analyzer for sandboxing analysis.
Best Practice: It is not advisable to modify the default File Submission rules following a new
deployment until proper functionality has been verified. Always back up the original
file submission rules using the Export feature before applying any new configuration.
The default File Submissions settings for Virtual Analyzer are as follows:
• Files that are NOT submitted (Actions column: Do not submit files)
- Trusted software (Defined as safe by CSSS)
- Known Malware (Avoid unnecessary analysis)
• Files that are submitted (Actions column: Submit files)
- Uncertified or Rare Binary
- Suspicious File based on ATSE Heuristic or Exploit detection
- Suspicious File based on NCIE/NCCE suspicious event
In the web console you can view the status of a sample submission to the Virtual
Analyzer by going to Dashboard > Virtual Analyzer Status:
To enable the use of an existing Deep Discovery Analyzer the process is as follows:
1 In the Deep Discovery Inspector web console, go to Administration > Virtual Analyzer > Setup.
2 Set Virtual Analyzer to External and configure your settings as follows:
• Server Address: Enter the IP address of the Deep Discovery Analyzer in your network.
• API Key: Connect to the web console of your Deep Discovery Analyzer, then go to Help >
About to obtain the API key.
3 Click Test Connection and then click Save to continue. From this point on, the Deep Discovery
Inspector will send all sample submissions to the external Deep Discovery Analyzer.
Figure: Deep Discovery Inspector detects a suspicious PDF file in mail and sends it to Virtual
Analyzer for analysis. Virtual Analyzer observes the sample exhibiting malicious behavior and
watches the network connections it makes. The resulting Suspicious Objects List holds Entry 1:
the PDF hash (12345678) and Entry 2: the contacted URL (http:/badurl.com). Deep Discovery
Inspector records the PDF hash and URL in the Network Content Correlation Engine for rule
matching.
For every detected file, Deep Discovery Inspector generates a SHA-1 hash value (40 hexadecimal
characters) that uniquely identifies the file within Deep Discovery Inspector.
This SHA1 hash is also used by other Trend Micro services/products that Deep Discovery
Inspector integrates with such as DDA and GRID.
Even if a file is renamed or comes from a different source, the generated SHA1 hash value is the
same.
A file (identified with its SHA1 hash) that already has an analysis report is not re-analyzed by the
Virtual Analyzer.
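The two rules just stated, together with the Maximum File Size behaviour described earlier (files over the limit are dropped rather than scanned, submitted or stored; a file whose SHA-1 already has a report is not re-analysed), can be expressed as a small submission gate. The following Python is an added example, not Deep Discovery Inspector code: it streams the SHA-1 of a captured file, shows that a renamed copy yields the same digest, and skips files that are oversized or already analysed. The sample files, verdict and the 1 KB limit used in the demo are constructed for the example.

```python
import hashlib
import os
import tempfile

MAX_FILE_SIZE = 15 * 1024 * 1024   # guide default (15 MB); the console allows up to 50 MB


def sha1_of_file(path: str, chunk_size: int = 1024 * 1024) -> str:
    """Stream the file through SHA-1 so large captures are never held in memory at once."""
    digest = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()          # 40 hexadecimal characters


class SubmissionGate:
    """Applies the two rules above: size limit first, then 'one analysis per SHA-1'."""

    def __init__(self, max_size: int = MAX_FILE_SIZE):
        self.max_size = max_size
        self.reports = {}               # sha1 -> verdict from a previous analysis

    def decide(self, path: str):
        if os.path.getsize(path) > self.max_size:
            return ("drop", None)       # not scanned by ATSE, not submitted, not stored
        digest = sha1_of_file(path)
        if digest in self.reports:
            return ("cached", digest)   # an analysis report already exists for these bytes
        return ("submit", digest)

    def record_report(self, digest: str, verdict: str) -> None:
        self.reports[digest] = verdict


def demo():
    """Constructed scenario: the same bytes under two names, plus an oversized file."""
    payload = b"%PDF-1.4 constructed sample for the example, not real malware\n"
    gate = SubmissionGate(max_size=1024)           # tiny limit so the demo stays small
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "invoice.pdf")
        renamed = os.path.join(tmp, "q3-report.bin")
        oversized = os.path.join(tmp, "image.iso")
        for path, data in ((original, payload), (renamed, payload), (oversized, b"\0" * 2048)):
            with open(path, "wb") as fh:
                fh.write(data)
        first = gate.decide(original)              # ("submit", <sha1>)
        gate.record_report(first[1], "malicious")  # pretend Virtual Analyzer returned a verdict
        second = gate.decide(renamed)              # ("cached", same sha1): renaming changes nothing
        third = gate.decide(oversized)             # ("drop", None)
    return first, second, third


if __name__ == "__main__":
    for action, digest in demo():
        print(action, digest)
```

The size check runs before hashing on purpose: an oversized file is dropped without being read, which is what the appliance's "not scanned, not submitted, not stored" behaviour implies.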
Entries in the Suspicious Objects list automatically expire after 30 days. This is set by the Virtual
Analyzer. Once the entry expires, it is then deleted from the database.
Clicking the hyperlink shown under the Detections column displays any matched detections for
that suspicious object.
Deep Discovery Inspector detection modules use the Deny List and Allow List for detection and to
match or bypass scanning rules.
When changes have been made to the Deny/Allow list, click Reload so that the changes take effect.
Deny List
After Virtual Analysis, malicious objects can be added to the Deny List.
The following object types are supported for Deny List entries:
• Type: File, IP address, URL or Domain
• SHA-1: Input or obtain from file upload (Maximum file size is 15MB)
Some cases where you may need to move Suspicious Object entries to the Deny List can include
the following:
• Need to block entities
• Need to receive detection notifications
• Need to reuse Virtual Analyzer Suspicious Objects even if they expire
• Need to focus on related detections
When a detection matches a Deny List entry, the NCIE and NCIT modules implement one of the
following reset actions where possible:
• TCP Reset
• DNS Spoofing action
Allow List
To bypass Virtual Analysis for certain detections, add the corresponding objects to the Allow List.
The risk level assigned to each type of suspicious object is determined as follows:
SHA-1
• Risk is based on the overall sample rating
URL
• Use the WRS rating (if one exists)
• URLs used in the following scenarios get the risk level of the sample:
- Executable downloaded
- Downloaded file is renamed
- Downloaded web content contains malicious content
IP Address
• If in the WRS database: use the WRS rating
• If in the NCCP C&C list: use the assigned rating
• IPs used in the following scenarios get the following risk levels:
- Download executable -> High Risk
- Renamed executable -> High Risk
- Established network connection -> Medium Risk
- Web content contains malicious code -> High Risk
- Public IP address in modified IP address -> High Risk
Domain
• Domain name of queried DNS server -> Medium Risk
Detection Rules
For the most part, the Deep Discovery Inspector detection rules that are already configured and enabled
by default are a good start for new deployments. However, it is important to grasp how direction affects
a detection rule in order to understand how detections are made by Deep Discovery Inspector. This is
explained below.
Rule Directions
Deep Discovery Inspector detects threats based on the direction (external or internal) of an attack
relative to the monitored network. This is described below.
• Internal Detections: Any detected session where the Source IP is in the Monitored Network
• External Attacks: Any detected session where Source IP is NOT in Monitored Network
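To make the direction rule concrete, the following Python (an added example, not the appliance's rule engine) classifies a session as an internal detection or an external attack according to whether its source IP falls inside the monitored network, then looks up a direction-specific severity. The monitored ranges, sessions and rule table are constructed for the example: the High severity for phishing mail arriving from outside and the Low severity for a host downloading an executable come from the scenarios below, while the Medium severity for phishing sent by an internal host is an assumed placeholder, since the guide does not state it.

```python
import ipaddress

# Monitored network ranges, constructed for the example; on the appliance these
# come from Administration > Network Groups and Assets > Network Groups.
MONITORED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]

# Direction-specific severities. "High" for phishing mail arriving from outside
# and "Low" for a host downloading an executable are taken from the scenarios
# below; "Medium" for phishing sent by an internal host is an assumed placeholder
# (the guide does not state it). None means the rule does not fire in that direction.
RULES = {
    "phishing_email":      {"external": "High", "internal": "Medium"},
    "executable_download": {"external": None,   "internal": "Low"},
}


def in_monitored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED)


def direction(src_ip: str) -> str:
    """Internal detection if the session's source IP is in the monitored network, else external attack."""
    return "internal" if in_monitored(src_ip) else "external"


def evaluate(session: dict) -> dict:
    d = direction(session["src"])
    severity = RULES[session["rule"]][d]
    return {"direction": d, "severity": severity, "fires": severity is not None}


# Constructed sessions (documentation addresses; not captured traffic)
SAMPLE_SESSIONS = [
    {"src": "203.0.113.7",   "dst": "10.1.1.25",     "rule": "phishing_email"},      # outside -> our SMTP server
    {"src": "10.1.1.25",     "dst": "198.51.100.9",  "rule": "phishing_email"},      # infected host -> outside
    {"src": "10.2.3.4",      "dst": "198.51.100.80", "rule": "executable_download"}, # our host pulls a binary
    {"src": "198.51.100.80", "dst": "10.2.3.4",      "rule": "executable_download"}, # external source: rule defined for internal direction only
]

if __name__ == "__main__":
    for s, r in zip(SAMPLE_SESSIONS, map(evaluate, SAMPLE_SESSIONS)):
        print(f'{s["src"]:>15} -> {s["dst"]:<15} {s["rule"]:20} {r}')
```

The same rule name therefore produces different events depending on which side of the monitored boundary the source sits, which is why an incomplete Network Groups definition shows up as misclassified or missing detections rather than as an obvious error.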
Scenario:
• Host downloads an executable file from a web site
Severity: Low
Scenario:
• SMTP server receives phishing emails
• Email sender domain is in the list of commonly phished domains and the email contains an IP
address URL
Severity: High
Scenario:
• Infected host is sending phishing emails
• Email sender domain is in the list of commonly phished domains and the email contains an IP
address URL
If the configured rules in your environment are causing safe traffic to be detected as malicious
(for example, your organization’s internal domains and URLs etc.) you can add them to the Allow
List to limit false positives.
Note: Additional troubleshooting steps can be obtained from the technical support web site at:
https://success.trendmicro.com/solution/000285843
Red Status
A red status indicates that there is no connection. This may be caused by a network cable or
device problem, or by the wrong link speed (connection type).
Green Status
A green status indicates that the connection is available. Ensure that the detected link speed
matches the correct link speed and check the NIC mirroring settings.
After deploying Deep Discovery Inspector into the target network segment, it is vital to check if Deep
Discovery Inspector is able to connect to these Internet and back-end services.
To verify network connections to these Deep Discovery Inspector back-end services, you can use the
Troubleshooting web page in Deep Discovery Inspector.
To access the Troubleshooting console, use a supported web browser and navigate to the following
URL: https://<IP address of DDI>/html/troubleshooting.html.
In the Troubleshooting console, select the Network Services Diagnostics tool (listed in the left-hand
menu options) and click Test to run a network connection test against all of Deep Discovery
Inspector’s services.
The services test takes a few moments to complete, depending on the network environment and
the number of services selected. Once the test is complete, the results of the network connection
test are displayed as follows.
View the connection test results in the Result column to identify any connection errors for any of the
services.
These demo rules can be used to verify proper installation and detection functionality in Deep
Discovery Inspector.
For example, to verify that the Network Content Inspection Engine (NCIE) and the demo rules are
working properly, for instance Rule 2245 - DEMO RULE - DNS (Request), you can perform the
following steps on any host in a Deep Discovery Inspector monitored network:
• Open a command prompt on a computer in the Deep Discovery Inspector monitored network
and use the nslookup command to generate a DNS request to resolve the following name:
ddi.detection.test
• In the Deep Discovery Inspector web console and go to Detections > All Detections to verify if
Deep Discovery Inspector has detected a violation
• The Detail column can be checked for additional detection information
Note: You will have a chance to perform the complete steps for this process in an upcoming lab
exercise.
For more information about the built-in demo rules, refer to the Knowledge base article: Using Deep
Discovery Inspector (DDI) demo rules to validate monitored traffic.
The following should be displayed in your web browser after attempting to access this URL:
You can additionally, click the Details icon to view more information about any of the detections.
Once in the Detection Details, there is an additional option to view threat information that is
provided by Trend Micro by clicking View in Threat Connect as follows:
Other Considerations
• Deep Discovery Inspector cannot decrypt encrypted traffic
• Deep Discovery Inspector cannot analyze proprietary protocols*
Note: * Deep Discovery Inspector can analyze TNEF – Transport Neutral Encapsulation Format which is
a proprietary email attachment format used by Microsoft Outlook and Microsoft Exchange
Server.
Clicking the Network Traffic Dump link will open a connection to the Deep Discovery Inspector
troubleshooting portal (https://DDI_IP/html/troubleshooting.htm) where the following
Network Traffic Dump screen displays.
Select the port/network interface that you wish to test then click Capture Packets.
Allow the capture to run for a pre-determined amount of time, then stop the packet capture on the
network interface by clicking Stop.
Once the Network Traffic Dump is stopped, the following links are provided for viewing, exporting
or resetting the packet capture:
Clicking View from the above window, displays the Packet Capture Analysis window.
From here you can select what specific information you would like to see from the packet capture,
without having to filter through the entire network packet dump. You should ensure that the Deep
Discovery Inspector is able to see TCP conversations as follows:
You can additionally Export the packet capture and view the collected results in Wireshark.
Note: It is very important to use this capability with caution, as forgetting to disable the packet capture
can quickly degrade processing capacity and use up disk space.
Click Add to specify the required criteria for your packet capture as shown in the following example.
If there is a network problem, you will be able to further investigate this by viewing the status of the
Deep Discovery Inspector component updates page in the web console. Go to Administration >
Updates as follows.
Deep Discovery Inspector regularly (automatically) checks for the latest available component
updates. If there is no Internet connection available, or if the proxy settings have not been
configured correctly as described earlier, you will see a red message notifying you that there is no
available Internet connection. In this case, you should also check your network's firewall settings
to ensure Deep Discovery Inspector has proper Internet access.
In addition to checking Deep Discovery Inspector’s ability to perform automatic updates, you can try
forcing a manual update to verify proper network connectivity.
If the network settings have been correctly configured for the Deep Discovery Inspector, the manual
update displays a list of updated components.
Note: Data in the Dashboard widgets is aggregated from raw log data every 10 minutes.
Threats at a Glance
The Threats at a Glance widget in the web console Dashboard shows actionable information that
administrators use to gain insight into attack and threat activity on their networks.
For example, clicking on any of the hyper-linked numbers shown in the top row of Threats at a Glance
(Targeted attack, C&C communication, and Lateral movement), will redirect you to the Affected hosts
view of the detection events where you can drill down for more information about these detections.
Alternatively, by clicking on any of the hyper-linked numbers shown in the second row of Threats
at a Glance (Ransomware, Potential threats, and Email threats), you will be automatically
redirected to the Detection log view in the web console under Detections > All Detections.
Both of these Detections views will be explored further in the following sections.
• Affected Hosts: Provides a view of all hosts that have been involved in one or more phases of a
targeted attack
• Hosts with Notable Event Detections: Identifies the hosts with C&C callback attempts, suspicious
object matches, and deny list matches
• C&C Callback Addresses: Shows hosts with C&C callback attempts to known C&C addresses
• Suspicious Objects: Identifies hosts with suspicious objects identified by Virtual Analyzer/Deep
Discovery Analyzer or synchronized from an external source
• RetroScan: Historical web access logs for callback attempts to C&C servers and other related
activities
• All Detections: View of hosts with detections from all event logs, including global intelligence,
user-defined lists, and other sources
For each log query, there will be different details and pieces of information that can be used for analyzing
detected threats.
For example:
• Interested Host: Shows the IP/hostname of compromised host
• Peer Host: Shows the IP/hostname of C&C or source of threat
• Threat Description: Description of threat detection (the threat name or rule name)
• Detected by: Engine name
• Detection Type: Malicious, Suspicious etc.
• Detection Severity (or Host Severity if viewing Affected Hosts display)
• Attack Phase: C&C Communication, Unknown etc.
• Protocol: SMTP, HTTP etc.
• Recipients, Sender, Email Subject…
Detection Severity
As indicated below, there are four options for the detection severity setting. Drag the slider to set
the minimum detection severity to display; a tool tip appears when the mouse hovers over a severity level.
Best Practice: Sort detections by host severity with the highest (most critical) level first, as this shows
you the most at-risk hosts. This allows you to prioritize appropriately and quickly implement the related
threat response policies for these hosts.
Time Period
Administrators and Security Officers can view information about hosts and events (threat behaviors
with potential security risks, known threats, or malware) for the past 1 hour, 24-hour, 7-day, and 30-
day time periods, or for a custom time range.
The maximum search time range is 31 days. To prevent the query from timing out, the console sends
the query request to the back end in batches; each request covers a 12-hour period. A status bar is
shown while the batches run and disappears when the query is complete.
Customize Columns
The display of information on the All Detections screen is customizable. Columns may be shown,
hidden, and sorted, and their width can be adjusted.
Hovering over a column value with the mouse pointer opens a tool tip displaying the full value of the
field; alternatively, simply resize the column.
Basic Search
To run a basic search, type an IP address or host name in the search text box and press “Enter” or
click the magnifying glass icon to proceed.
Note: The maximum length for the text box is 255 characters, and basic searches cannot be saved.
Advanced Search
To create and apply an advanced search filter, click the Advanced link, click the down arrow to display
the list of attributes, and select an attribute to use as a filter.
For example, the following shows an Advanced filter for detections based on the SMB protocol:
<Protocol> <In> <SMB, SMB2>
After the search query is executed, only detections whose protocol is SMB or SMB2 are listed. This is a
useful way to narrow the list to only the detections you are interested in.
Affected Hosts
The Affected Hosts view under the Detections menu in the web console allows you to pinpoint the exact
origin of threats and attacks in your environment, so that you can more closely examine the machines
involved in, or being used to carry out, the attack.
This list can be filtered exactly like the All Detection page (as seen earlier) using several criteria
including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search
Use the Advanced search option to filter Affected Host Information by Host Name, IP Address, MAC
Address, Network Group, Notable Events, or Registered Services.
Note: In each case of search and filter, the resulting list is ordered by Host Severity, highest first,
so that the most at-risk hosts are immediately visible and can be prioritized and responded to
first. Keep the Host Severity ordering set to most critical first so that you can quickly
prioritize your response.
Clicking a host in the Affected Hosts list opens a new browser window displaying details for that
host. By default, the screen displays the detections for the selected affected host, filtered by the
severity and time period you have set. The listed events are ordered by timestamp.
From here you can additionally mark the detections as Resolved once they have been investigated (by
your Security Officer) by clicking Mark Displayed as Resolved.
Clicking Mark Displayed as Resolved opens a confirmation prompt; you must confirm the action as
shown below.
Once the detections have been marked as resolved, they appear in the list as follows:
From the Host Details screen, you can also expand one of the events listed for that affected host by
clicking the icon listed under the Details column.
The following illustration shows the Detection Details page for a POISONIVY - HTTP (Response)
threat detected by Deep Discovery Inspector.
Detection Information
Information provided under Detection Information includes the following. Note that this is not a
complete list. Additional information may appear for specific correlated incidents.
Connection Summary
Protocol Information
The protocol section will include information such as Bot command, BOT URL, Domain name,
HTTP Referer, Protocol, Queried domain, Recipients etc.
File Information
Information provided in the File Information section may include the following:
• File name
• File SHA-1
• File SHA-256
• File size
Additional Information
Information provided in the Additional Information section may include the following:
• Attempted to disrupt connection
• Detected by
• Mitigation
• VLAN ID
From the Detection Details page, you can additionally select the tab View in Threat Connect
located at the top of the page to leverage Trend Micro Threat Connect information.
For example, after selecting the tab View in Threat Connect from the above screen, the following
page appears with correlated threat data from the Trend Micro Global Intelligence Network.
This information is useful for better understanding the threats affecting your environment and
provides the remediation steps that you can take to resolve them.
Download
Note: The PCAP File option is not shown below. This will only appear as a selection, if a packet capture
has been enabled and the detection matched a packet capture rule.
The All Detections page displays a list of hosts and events with information from the following log
types:
• Threats: as determined by NCCE rules
• Disruptive Applications: as defined by the administrator
• Malicious URLs: as determined by the Web Reputation Service
• Correlated Incidents
The All Detections list can be customized and filtered by several criteria including:
• Detection Severity
• Time Period
• Customize Columns
• Basic Search
• Advanced Search
Note: By default, the All Detections page displays detections with severity greater than or equal to Low
and the time period “Past 24 hours”.
The All Detections list columns can be customized just as we saw earlier with the Affected Hosts
view.
In addition, hovering over a value with the mouse will open a tool-tip with the full field value.
Advanced Filters
The advanced search filters can be accessed by clicking the Advanced link. Each filter is
described below.
• Host Information filters the Host Name, IP, MAC Address, Network Group, and Registered
Services by the Source, Destination and Interested host information.
• Network Traffic Information filters by the protocol and direction of the detection.
• Detection Information filters by basic information about the detection.
• Detection Characteristics filters by C&C detection sources and to identify which
detections have been analyzed by the Virtual Analyzer.
• Detected Object filters by information about the detected object.
Note: Up to 20 filters can be used for each search, and searches can be saved.
Going beyond the severity of individual events, the host severity numerical scale exposes the most
at-risk hosts and allows you to prioritize and respond quickly. The two lowest levels of the scale are
described below:

Host severity 2
Host exhibits anomalous or suspicious behavior that may be benign or indicate a threat.
Host may exhibit the following:
• Evidence of running IRC, TOR, or outbound tunneling software
• A low severity network event
• Evidence of receiving an email message that contains a dangerous URL
• A downloaded file rated as low risk by Virtual Analyzer

Host severity 1 (Trivial)
Host exhibits normal behavior that may be benign or indicate a threat in future identification of
malicious activities.
Host may exhibit the following:
• An informational severity network event
• Connection to a site rated as untested or to a new domain detected by Web Reputation Services
• Evidence of a running disruptive application such as P2P
Host severity is based on the aggregation and correlation of the severity of the events that
affect a host. If several events affect a host and have no detected correlation, the host
severity will be based on the highest event severity of those events. However, if the events
have a detected correlation, the host severity level will increase accordingly.
For example: Of five events affecting a host, the highest risk level is moderate. If the events
have no correlation, the host severity level will be based on the moderate risk level of that
event. However, if the events are correlated, then the host severity level will increase based
on the detected correlation.
Note: The host severity scale consolidates threat information from multiple detection technologies and
simplifies the interpretation of overall severity.
You can prioritize your response actions based on this information and your related threat
response policies.
In general, for each single event, the event severity (informational, low, medium, high) maps to host
severity 1, 2, 4, 8 respectively.
The host severity is determined by the maximum severity among all events detected during the
user-specified time frame.
The exceptions are host severities 6, 7 and 9, which are not directly mapped to an event severity and
are reached only through correlation.
Note: Currently host severities 3, 5 and 10 are reserved; there are no event mapping rules to these three
levels as of this writing.
The different values that can be displayed for the Attack Phase classifications are summarized below:
• Intelligence Gathering (IG): Identify and research target individuals using public sources (for
example, social media websites) and prepare a customized attack
• Point of Entry (PoE): An initial compromise, typically from zero-day malware delivered via
social engineering (email/IM or drive-by download). A backdoor is created and the network
can now be infiltrated. Alternatively, a website exploitation or direct network hack may be
employed.
• Command & Control (C&C) Communication: Communications used throughout an attack to
instruct and control the malware used. C&C communication allows the attacker to exploit
compromised machines, move laterally within the network, and exfiltrate data.
• Lateral Movement (LM): An attack that compromises additional machines. Once inside the
network, an attacker can harvest credentials, escalate privilege levels, and maintain
persistent control beyond the initial target.
• Asset/Data Discovery (AD): Several techniques (for example, port scanning) used to identify
noteworthy servers and services that house data of interest
• Data Exfiltration (DE): Unauthorized data transmission to external locations. Once sensitive
information is gathered, the data is funneled to an internal staging server where it is
chunked, compressed, and often encrypted for transmission to external locations under an
attacker’s control.
• Unknown Attack Phase: Detection is triggered by a rule that is not associated with an attack
phase.
The value here shows you how Deep Discovery Inspector categorized the threat detection. You can
view all the possible Detection Type values as follows. Select the Advanced search option and set the
Filter to Detection Type.
Shown below are the detection details for a “Known Threat”. Here we can see the following key
information about the threat: Detection Severity (medium), Detection Name (TROJ_...), Detection
Type (Malicious Content) etc.
From the information provided, we also know that this detection was not sent to the Virtual
Analyzer for further analysis, because in this case we are dealing with a KNOWN threat detected
by the Deep Discovery Inspector Advanced Threat Scan Engine (ATSE).
Although there is a setting available in Deep Discovery Inspector to force all ATSE detections to be
sent to the Virtual Analyzer, this is not typically recommended. By default, this option is disabled.
Here we can see the following key information about this event:
• Detection Name: NCIE / NCCE rulename
• Detected by: NCIE / NCCE
• Detection Severity: High
• Detection type: Malicious Behavior
• VA Information (SO information, VA risk level)
This time, because we are dealing with Suspicious Behavior, a Virtual Analyzer report is attached.
Here Deep Discovery Inspector was able to identify the malware as Troj.Win32...; however, this field
can also show a Virtual Analyzer-assigned name of the form VAN_XXXX, which will be discussed in
more detail later.
Events that can trigger Suspicious Behavior detections include the following:
• Archive contains file with script file extension
• Archive Upload
• CPL File Transfer detected
• DNS response from a shared public IRC Command and Control domain
• Email Attachment is an executable file
• Email from phished domain contains URL with hard-coded IP address
• Executable with suspicious file name requested
Threat descriptions that can be displayed for Web Reputation threats include:
• C&C Server URL request
• Malicious URL request, Malicious URL in email
• Ransomware URL request, Ransomware URL in email
• Untested URL request, Untested URL in email
• New domain URL request, New domain URL in email
Exploit
A detection type of Exploit means that Deep Discovery Inspector detected an attempt to take
advantage of a particular security weakness, such as a bug or design vulnerability. Targets can
include websites, databases, SSH, and any other applications and services with Internet-accessible
open ports. In this example, the exploit detected was a file and directory discovery: the attack
attempts to enumerate files and directories, or searches specific locations of a host's file system
for certain information.
The severity level set in the Deep Discovery Inspector detection logs will take into consideration
the following:
• Rule ID
• Direction
• Protocol
Virtual Analyzer also updates the severity level according to its analysis report if the Detection
Log has the same SHA-1 value. The result from Virtual Analyzer takes higher priority than the
other rules. Because of this, it overwrites the severity level determined by other rules.
Severity Level refers to the extent of the damage a potential or known threat can cause.
Confidence Level, on the other hand, refers to the strength of the Deep Discovery Inspector pattern
or rule behind the detection. Like Severity Levels, Confidence Levels are marked as Low, Medium, and
High. Low Confidence Levels are very prone to false positives, while High Confidence Levels are
unlikely to produce false positives.
(Reference: https://success.trendmicro.com/solution/1102257-different-severity-levels-for-detections-with-the-same-rule-id-in-deep-discovery-inspector-ddi)
To view the affected hosts in the C&C Callback detections, you can click the number icon shown above.
By clicking on the hyper-link provided for C&C communications for a particular host, you can
view all the C&C detections made by Deep Discovery Inspector for that host.
There are four types of command and control (C&C) callback addresses that Deep Discovery Inspector
tracks:
• IP/Domain: For example, www.fakesite.com, 202.1.1.1
• IP/Domain + Port: For example, 202.1.1.1:8000
• URL: For example, http://www.fakesite.com/path/somefile
• Email account: For example, test@fakehost.com
The Virtual Analyzer cache prevents re-submission of samples by checking whether the same sample
was already processed within an acceptable period (24 hours by default).
The 24-hour default for cached results also ensures that, because new patterns become available on a
daily basis, ATSE and the other engines/patterns can catch a zero-day ("D-day") sample within a day
(D-day plus 1) of receiving the latest engine/pattern updates: once the cache entry expires, the
sample is analyzed again with the updated patterns.
When Virtual Analyzer receives a file submission that was already processed within the acceptable
period, the cached result is presented to the web console user.
For advanced configurations, contact your Trend Micro technical support representative if the
default values are not sufficient.
Analysis reports for detections made by Deep Discovery Inspector have a maximum waiting period of
20 minutes by default. In advanced configurations, this waiting period (the VA Queue Timeout setting)
can be adjusted so that the console waits for the complete Virtual Analyzer analysis result. While
waiting for the complete Virtual Analyzer result, detections are not reported until this timeout
period has elapsed.
If the VA Queue Timeout elapses before the analysis result can be provided, then the Deep Discovery
Inspector will publish the analysis report that is currently in its queue. The queue itself can be
checked by using the following Virtual Analyzer widget from the Deep Discovery Inspector’s web
console:
Also by clicking Remove Files from Queue, you can instruct Deep Discovery Inspector to publish all of
the detection logs currently in the queue without waiting for the analysis result. This can be used in
the event that Deep Discovery Inspector’s queue is too large or overloaded. If purged, the files will
still exist in Deep Discovery Inspector, this function just keeps them from being uploaded to the Deep
Discovery Analyzer.
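As an added example (not Trend Micro code), the following Python models the two behaviors described above: the 24-hour submission cache keyed by sample hash, and the 20-minute VA Queue Timeout after which a queued detection is published without its Virtual Analyzer report, including the Remove Files from Queue action. The class and method names, the SHA-1 keyed cache and the in-memory queue are this example's assumptions.

```python
"""Virtual Analyzer submission cache and VA Queue Timeout, modelled on the
behaviour the guide describes. Added example, not Trend Micro code.
Defaults from the text: cache period 24 hours, queue timeout 20 minutes.
Names, the SHA-1 keyed cache and the in-memory queue are assumptions."""
from datetime import datetime, timedelta


class VirtualAnalyzerCache:
    """Remembers a sample's report so the same hash is not re-submitted."""

    def __init__(self, cache_period=timedelta(hours=24)):
        self.cache_period = cache_period
        self._results = {}  # sha1 -> (analyzed_at, report)

    def lookup(self, sha1, now):
        entry = self._results.get(sha1)
        if entry is None:
            return None
        analyzed_at, report = entry
        if now - analyzed_at > self.cache_period:
            # Stale: patterns update daily, so the sample must be analyzed again.
            del self._results[sha1]
            return None
        return report

    def store(self, sha1, report, now):
        self._results[sha1] = (now, report)


class DetectionQueue:
    """Detections held back until a VA verdict arrives or the timeout elapses."""

    def __init__(self, cache, queue_timeout=timedelta(minutes=20)):
        self.cache = cache
        self.queue_timeout = queue_timeout
        self.pending = {}    # sha1 -> (queued_at, [detections])
        self.published = []  # (detection, report or None when published without VA)

    def submit(self, detection, now):
        sha1 = detection["sha1"]
        report = self.cache.lookup(sha1, now)
        if report is not None:
            self.published.append((detection, report))  # cached: no re-submission
            return "cached"
        if sha1 in self.pending:
            self.pending[sha1][1].append(detection)      # same sample already in flight
            return "already_queued"
        self.pending[sha1] = (now, [detection])
        return "queued"

    def on_va_result(self, sha1, report, now):
        """VA finished: cache the report and publish every waiting detection."""
        self.cache.store(sha1, report, now)
        _, dets = self.pending.pop(sha1, (None, []))
        self.published.extend((d, report) for d in dets)

    def tick(self, now):
        """Publish detections whose VA Queue Timeout elapsed, without a report."""
        expired = [s for s, (t, _) in self.pending.items() if now - t >= self.queue_timeout]
        for s in expired:
            _, dets = self.pending.pop(s)
            self.published.extend((d, None) for d in dets)
        return len(expired)

    def remove_files_from_queue(self):
        """'Remove Files from Queue': publish everything now, no waiting."""
        n = sum(len(d) for _, d in self.pending.values())
        for _, dets in self.pending.values():
            self.published.extend((d, None) for d in dets)
        self.pending.clear()
        return n


if __name__ == "__main__":
    q = DetectionQueue(VirtualAnalyzerCache())
    t0 = datetime(2024, 3, 1, 9, 0)
    print(q.submit({"sha1": "aa", "host": "10.1.1.20"}, t0))
    q.on_va_result("aa", {"risk": "high"}, t0 + timedelta(minutes=5))
    print(q.submit({"sha1": "aa", "host": "10.1.1.21"}, t0 + timedelta(hours=23)))
```

A detection published with report None is the case the text calls out: it reaches the console on time, but without the Virtual Analyzer verdict, so its severity may later be overwritten when the result arrives (see the severity rules discussed later in this section).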
• To ignore detections that meet particular criteria, such as host name, protocol, or file SHA-1,
go to Administration > Monitoring/Scanning > Detection Exceptions, and register the appropriate
criteria in the Detection Exception list.
• Legitimate connections from particular entities can be added to the Allow List. Go to
Administration > Monitoring/Scanning > Deny List/Allow List, select the Allow List, and add the
entity (file SHA-1, IP address, URL, or domain) to the Allow List.
Note that you must click Reload for the new entry to take effect.
2 Here, you can also view the custom time period and the detection severity that you have set.
3 Click Export to export the detection logs and select one of the available time periods from the
drop-down, or alternatively select Custom range and specify the time range. If the time range
exceeds 31 days, the following error is displayed.
Note: As of this writing, the start date and end date of the Custom range cannot span more than 31
days. Therefore, to export all available logs beyond this threshold, download the logs one month
at a time as shown below.
Select Custom range and specify a one-month range of logs to export at a time. Click OK, then
click Export.
4 The exported logs are saved to an archive file called all_detection.zip inside the default
download folder configured for the web browser, for example C:\Users\<username>\Downloads.
6 Each file is a CSV (comma-separated values) text file similar to the following sample section of
the threats.csv file:
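The console's 31-day limit and 12-hour back-end batching described under Time Period earlier, and the month-at-a-time export workaround in the steps above, are simple enough to script. The following Python is an added example (not Trend Micro code; the function names are this example's) that rejects over-long query ranges, splits a query into 12-hour batches, and splits a long export into 31-day chunks that each fit the Custom range limit.

```python
"""Time-range handling for detection log queries and exports.

Added example for this guide, not Trend Micro code. It applies the limits the
guide states: a query may cover at most 31 days, the console queries the back
end in 12-hour batches, and an export longer than 31 days has to be split into
separate ranges. Function names are this example's."""
from datetime import datetime, timedelta

MAX_RANGE = timedelta(days=31)
QUERY_BATCH = timedelta(hours=12)


def _split(start, end, step):
    """Half-open [start, end) cut into consecutive chunks of at most `step`."""
    if end <= start:
        raise ValueError("end must be after start")
    chunks, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)
        chunks.append((cur, nxt))
        cur = nxt
    return chunks


def query_batches(start, end):
    """12-hour back-end requests for one console query; rejects > 31 days."""
    if end - start > MAX_RANGE:
        raise ValueError("time range exceeds the 31-day maximum")
    return _split(start, end, QUERY_BATCH)


def export_windows(start, end):
    """31-day chunks covering [start, end), one export each."""
    return _split(start, end, MAX_RANGE)


if __name__ == "__main__":
    for s, e in export_windows(datetime(2024, 1, 1), datetime(2024, 4, 1)):
        print(f"export {s:%Y-%m-%d} -> {e:%Y-%m-%d}: {len(query_batches(s, e))} batches")
```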
Deep Discovery Email Inspector stops targeted attacks and cyber threats that can lead to a data breach
by scanning, simulating, and analyzing suspicious links and attachments in email messages before they
can threaten your network.
Designed to integrate into your existing anti-spam/antivirus network topology, Deep Discovery Email
Inspector can act as a Mail Transfer Agent in the mail traffic flow or as an out-of-band appliance (with no
changes required to the normal operating environment) silently monitoring your network for cyber
threats.
[Figure: Deep Discovery Email Inspector detection areas: malicious attachments, suspicious links,
spam, and Business Email Compromise, analyzed by the on-board sandbox]
Deep Discovery Email Inspector also prevents spear-phishing attacks and cyber threats, and provides
protection against Business Email Compromise (BEC). In a BEC scam, an attacker gains access to a
corporate email account and spoofs the owner's identity to initiate fraudulent wire transfers. The
attacker typically uses the identity of a top-level executive to trick the target or targets into
sending money to the attacker's account. Also known as Man-in-the-Email scams, BEC scams often
target businesses that regularly send wire transfers to international clients and may involve the
use of malware, social engineering, or both.
Deep Discovery Email Inspector provides protection by investigating suspicious links, file
attachments, and social engineering attack patterns in email messages before they can threaten
your network.
After Deep Discovery Email Inspector scans an email message for known threats in the Trend Micro
Smart Protection Network, it passes suspicious files and URLs to the Virtual Analyzer sandbox
environment for simulation.
To assess threat risks, Deep Discovery Email Inspector uses a multi-layered approach using different
threat analysis technologies. Additionally, to help deploy more easily into your existing mail network,
Deep Discovery Email Inspector’s design can allow it to operate as a Mail Transfer Agent in the mail
traffic flow, or as an out-of-band appliance. All of this will be explored more during this training.
Custom Sandboxing
The Virtual Analyzer sandbox environment opens files, including password protected archives
and document files, and URLs to test for malicious behavior. Virtual Analyzer is able to find
exploit code, Command & Control (C&C) and botnet connections, and other suspicious behaviors
or characteristics.
Sandbox simulation and analysis is done using environments that precisely match your desktop
software configurations. Additionally, sandbox analysis of emails can be custom-controlled by
attachment type. For example, sandbox all PDF files.
Attachments are unpacked, decompressed, and unlocked using heuristic techniques and
customer-supplied keywords. Deep Discovery Email Inspector utilizes multiple detection engines
and sandbox simulation to investigate file attachments. Supported file types include a wide range
of executable, Microsoft Office, PDF, web content, and compressed files.
Deep Discovery Email Inspector utilizes reputation technology, direct page analysis, and sandbox
simulation on embedded URLs. Destination content is scanned and sandboxed as necessary to
discover malicious URLs, advanced malware, and exploits embedded in spear-phishing emails.
Email Encryption
Email Encryption allows Deep Discovery Email Inspector to perform the following tasks based on
policy settings:
• Decrypt messages encrypted using Trend Micro Identity-Based Encryption (IBE) for
scanning
• Encrypt messages for secure delivery in MTA mode
Deep Discovery Email Inspector can decrypt and encrypt messages regardless of the email client
or platform from which the messages originated.
Note: When Deep Discovery Email Inspector operates in TAP/BCC mode and receives an encrypted
message, it only decrypts and scans the message, it does not encrypt messages in TAP/BCC
mode.
Spam Scanning
Spam messages are generally unsolicited messages containing mainly advertising content. Deep
Discovery Email Inspector uses the following components to filter email messages for spam:
• Trend Micro antispam engine
• Trend Micro spam pattern files
The Trend Micro antispam engine uses spam signatures and heuristic rules to filter email
messages. Each scanned message is assigned a spam score based on how closely it matched
rules and patterns from the Trend Micro spam pattern file. Deep Discovery Email Inspector
compares the spam score to the selected spam detection level, or user defined detection
threshold. When the spam score exceeds the detection level or threshold, Deep Discovery Email
Inspector takes action against the spam message. For example, spammers often use many
exclamation marks or more than one consecutive exclamation mark (!!!!) in their spam emails. If
Deep Discovery Email Inspector detects this behaviour, it increases the spam score for the email
message.
The antispam engine also includes the email malware threat scan engine that performs advanced
threat scans on email attachments (including script files and Microsoft Office macroware) to
detect malware.
Graymail Scanning
Graymail refers to solicited bulk email messages that are not spam. Deep Discovery Email
Inspector detects marketing messages and newsletters, social network notifications, and forum
notifications as graymail. Deep Discovery Email Inspector identifies graymail messages in two
ways:
• Email Reputation Services scoring the source IP address
• Trend Micro Anti-Spam Engine identifying message content
Sender Filtering
You can configure the following sender filtering settings in Deep Discovery Email Inspector to
effectively block senders of spam messages at the IP address or sender email address level:
• Approved and blocked senders lists
• Email Reputation Services (ERS)
• Directory harvest attack (DHA) protection
• Bounce attack protection
• SMTP traffic throttling
Sender Authentication
Deep Discovery Email Inspector supports the following sender authentication standards to
effectively detect and fight against techniques used in email phishing and spoofing:
• Sender Policy Framework (SPF)
• DomainKeys Identified Mail (DKIM)
• Domain-based Message Authentication, Reporting & Conformance (DMARC)
In addition, you can configure Deep Discovery Email Inspector to sign outgoing messages using
DKIM signatures to prevent spoofing.
Content Filtering
You can create content filtering rules in Deep Discovery Email Inspector to:
• Block content that you specify as inappropriate from reaching recipients by analyzing
message content and attachments
• Detect and remove active content (such as macros) in Microsoft Office and PDF file
attachments
End-User Quarantine
Deep Discovery Email Inspector includes the End-User Quarantine (EUQ) feature to improve spam
management. Messages determined to be spam are quarantined, and mail users can review, delete,
release, or approve them for delivery. Deep Discovery Email Inspector can be configured to
automatically send EUQ digest notifications with in-line action links.
With a web-based EUQ console, users can manage the spam quarantine of their personal
accounts and of distribution lists that they belong to, and add senders to the Approved Senders
list.
Social Engineering Attack Protection detects suspicious behavior related to social engineering
attacks in email messages. When Social Engineering Attack Protection is enabled, Deep
Discovery Email Inspector scans for suspicious behavior in several parts of each email
transmission, including the email header, subject line, body, attachments, and the SMTP protocol
information.
Password Derivation
Time-of-Click Protection
Time-of-Click protection protects against malicious URLs in email messages. When this feature is
enabled, Deep Discovery Email Inspector rewrites suspicious URLs in email messages so that they
redirect through the Smart Protection Network, which analyzes the rewritten URL every time it is
clicked and applies the specified action based on the risk level of that URL. To activate Time-of-Click
Protection, you require a Deep Discovery Email Inspector Advanced Threat Protection Activation Code.
Time-of-Click protection rewrites URLs found in email to point to the Trend Micro web reputation
service. When the user clicks a rewritten URL, the original URL is checked for potential threats at
that moment, so a link that was clean at delivery time but has since turned malicious is still
caught.
Time-of-Click protection is also responsible for making API calls to enable and configure CTP
protection. Parts of the configuration are stored locally, and others are stored in the SPN. Deep
Discovery Email Inspector makes use of web service API to access the CTP configuration in the
cloud.
As of Deep Discovery Email Inspector 5.1, the Time-of-Click protection feature allows you to
customize the redirect pages for detected URLs, and provides the ability to forward detected
URLs to Syslog.
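To make the Time-of-Click mechanism concrete, the following Python is an added example (not Trend Micro's implementation and not the CTP API) of the rewrite-and-check pattern: URLs in the message body are rewritten to a click-check endpoint that carries the original URL plus an HMAC over it, so the endpoint cannot be abused as an open redirector with attacker-chosen targets, and the reputation lookup happens only when the link is clicked. The endpoint URL, the key, the risk levels and the rating function are assumptions.

```python
"""Time-of-Click style URL rewriting with a signed click-check link.

Added example for this guide, not Trend Micro's implementation. Every
http(s) URL in the body is replaced by a link to a click-check endpoint that
carries the original URL (base64) and an HMAC over it. At click time the
endpoint verifies the HMAC (so it cannot be used as an open redirector),
looks up the URL's reputation at that moment, and applies an action. The
endpoint, key, risk levels and rating function are assumptions."""
import base64
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlencode, urlparse

CLICK_CHECK = "https://clickcheck.example.invalid/check"  # assumed endpoint
SECRET = b"per-deployment-key-rotate-me"                  # assumed key
URL_RE = re.compile(r"https?://[^\s<>\"']+")
ACTIONS = {"dangerous": "block", "highly_suspicious": "warn"}  # anything else: allow


def _sig(url):
    return hmac.new(SECRET, url.encode(), hashlib.sha256).hexdigest()


def rewrite_url(url):
    token = base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")
    return CLICK_CHECK + "?" + urlencode({"u": token, "s": _sig(url)})


def rewrite_body(body):
    """Delivery time: rewrite every URL in the message body."""
    return URL_RE.sub(lambda m: rewrite_url(m.group(0)), body)


def unwrap(rewritten):
    """Recover the original URL from a click-check link, or None if forged."""
    p = urlparse(rewritten)
    if f"{p.scheme}://{p.netloc}{p.path}" != CLICK_CHECK:
        return None
    q = parse_qs(p.query)
    if "u" not in q or "s" not in q:
        return None
    token = q["u"][0]
    try:
        url = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4)).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    if not hmac.compare_digest(_sig(url), q["s"][0]):
        return None
    return url


def on_click(rewritten, rate):
    """Click time: verify the link, rate the original URL now, choose an action."""
    url = unwrap(rewritten)
    if url is None:
        return ("block", None)  # tampered or attacker-minted link
    return (ACTIONS.get(rate(url), "allow"), url)


if __name__ == "__main__":
    body = rewrite_body("Invoice: http://evil.example/pay?id=7 thanks")
    link = URL_RE.findall(body)[0]
    print(link)
    print(on_click(link, lambda u: "dangerous"))
```

The signature is what turns a rewriting proxy from a liability into a control: without it, anyone could mint clickcheck links to arbitrary destinations and borrow the redirector's reputation. Rotating the key invalidates links in already-delivered mail, so a real deployment would version keys rather than replace them.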
Certificate management
You can manage certificates in Deep Discovery Email Inspector to enable secure console access
and SMTP communication in Transport Layer Security (TLS) environments.
Deep Discovery Email Inspector provides the email address modification feature that allows you
to:
• Rewrite sender or recipient addresses in message envelopes or message headers
• Rewrite domains in email addresses
TLS communications has been enhanced in Deep Discovery Email Inspector to support the
following:
• TLS 1.3
• Secure connections for message transfer based on specified domains and IP addresses
Deep Discovery Email Inspector supports DANE (DNS-based Authentication of Named Entities) to
secure outbound messages by verifying SMTP server identity.
The policy management feature has been enhanced to provide the following settings:
• Send a blind carbon copy (BCC) of detected messages to specified recipients
• Change the recipients of detected messages
• Configure sender-recipient exceptions in policies
• Configure address groups as policy objects
• Internal email spoofing prevention
• Apply message stamps based on policy rules
Deep Discovery Email Inspector provides the following security settings to enhance inbound
message security:
• Reject messages from unknown sender IP addresses or domains
• Reject messages to unknown recipients
• Match message header FROM address for sender filtering
The Virtual Analyzer has been enhanced to include the following features:
• Open Document file type for sandbox analysis
• Windows 10 20H1 image support
Deep Discovery Email Inspector provides increased protection by improving its detection
capabilities. This release supports the following:
• ALG and EGG archive files for scanning
• Decryption of password-protected ALG and EGG archive files and Open Document files
for scanning
• URL extraction from Open Document files for scanning
• DLP forensic data display on the Detections screens
Configuration of the approved and blocked senders lists has been enhanced to include the
following:
• Sender list import and export
• Wildcard support for email domain setting
The license management feature has been enhanced to support gateway-only license on Deep
Discovery Email Inspector for gateway deployment.
Deep Discovery Email Inspector supports additional data ports with 10Gbps fiber NIC installation
on hardware models 7200 and 9200.
Deep Discovery Email Inspector supports integration with Deep Discovery Director 5.3.
Deep Discovery Email Inspector supports integration with Deep Discovery Analyzer 7.0 to enable
Linux ELF and shell script file submissions.
Deep Discovery Email Inspector supports virtual appliance installation on VMware ESXi 6.7 and
7.0.
Deep Discovery Email Inspector provides users with the option of automatically migrating the
settings from the following versions to 5.1:
• Deep Discovery Email Inspector 5.0
• Deep Discovery Email Inspector 3.6
Scanning Technologies
The detection technologies used in Deep Discovery Email Inspector are as follows:
• Advanced Threat Scan Engine (ATSE)
- Password Analyzer
- Embedded URL Extraction
• Trend Micro URL Filtering Engine (TMUFE)
- Script Analyzer Lineup (SAL)
• Predictive Machine Learning (TrendX)
• YARA Rules
• Trend Micro Antispam Engine (TMASE)
- Social Engineering Attack Protection Engine (SNAP/BEC)
- Email Reputation Service (ERS)
- Email Malware Threat Scan Engine
• Sandboxing by Virtual Analyzer
ATSE is used to detect zero-day threats, embedded exploit code, known vulnerabilities, and file
deformities.
Password Analyzer
[Figure: the Password Analyzer uses a regular expression over the text in the subject or body of the
email (for example, "Password is '****'") to recover the password for the attachment]
The Password Analyzer module in Deep Discovery Email Inspector, uses a variety of heuristics
and user-supplied keywords to:
• Decrypt password-protected Microsoft Office, PDF and archive files
• Extract URL information from encrypted documents
If the attachment is successfully decrypted, it is sent to the Virtual Analyzer for further scanning
if it meets the submission criteria.
Note: If an attachment cannot be decrypted, Deep Discovery Email Inspector does not extract the URL
or send the attachment to Virtual Analyzer. Instead it gives an option to the administrator to
apply a policy action using the web console (Policy > Policy > Other Actions)
Deep Discovery Email Inspector supports extraction on the following archive file types:
• 7z, rar, zip, bz2, gzip, tar, arj, zlib, cab, lha, msg, tnef, ace.
Microsoft Office and PDF files that are supported include: doc, docx, pdf, ppt, pptx, xls, xlsx
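The following Python is an added example (not Trend Micro code) of the password derivation approach: it pulls candidate passwords out of the subject and body with regular expressions, appends operator-supplied keywords, and tries each candidate against the attachment. So that it runs offline, it also builds a ZipCrypto-encrypted ZIP in memory (the standard library reads but does not write encrypted archives); the regular expressions, the sample message and the archive are constructed for this example.

```python
"""Derive an attachment password from the message text and try it, in the
spirit of the Password Analyzer described above. Added example, not Trend
Micro code. Candidates come from regular expressions over subject and body
plus operator-supplied keywords; they are then tried against the archive.
To stay self-contained the sample builds a ZipCrypto-encrypted ZIP in memory;
the regexes, sample message and archive are this example's constructions."""
import io
import os
import re
import struct
import zipfile
import zlib

# "password is 'X'", "Password: X", "pwd = X", "passcode X" (assumed phrasings)
PASSWORD_RE = re.compile(
    r"(?:password|passwd|passcode|pwd)\s*(?:is|:|=)?\s*[\"'“‘]?([^\s\"'”’]+)", re.I)
QUOTED_RE = re.compile(r"[\"“]([^\"”]{4,64})[\"”]")  # any double-quoted token


def derive_candidates(subject, body, keywords=()):
    """Ordered, de-duplicated password candidates; operator keywords last."""
    text = subject + "\n" + body
    out = []
    for pat in (PASSWORD_RE, QUOTED_RE):
        for m in pat.finditer(text):
            c = m.group(1).rstrip(".,;:!?)")
            if c and c not in out:
                out.append(c)
    for k in keywords:
        if k not in out:
            out.append(k)
    return out


# --- minimal ZipCrypto writer, only to produce a realistic test archive ----
def _crc_step(crc, b):
    # raw CRC-32 table step without zlib's pre/post inversion
    return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class _ZipCrypto:
    def __init__(self, pwd):
        self.k = [0x12345678, 0x23456789, 0x34567890]
        for c in pwd:
            self._update(c)

    def _update(self, c):
        k = self.k
        k[0] = _crc_step(k[0], c)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc_step(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            t = (self.k[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)
        return bytes(out)


def make_encrypted_zip(name, data, pwd):
    """One stored entry with traditional PKWARE encryption (flag bit 0 set)."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    header = os.urandom(11) + bytes([crc >> 24])  # check byte = CRC high byte
    payload = _ZipCrypto(pwd).encrypt(header + data)
    nm = name.encode()
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, 1, 0, 0, 0x21,
                        crc, len(payload), len(data), len(nm), 0) + nm
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, 1, 0, 0, 0x21,
                          crc, len(payload), len(data), len(nm), 0, 0, 0, 0, 0, 0) + nm
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(payload), 0)
    return local + payload + central + eocd


def open_with_candidates(zip_bytes, candidates):
    """Try each candidate; return (password, first member's bytes) or (None, None).

    A wrong password normally fails the 1-byte check (RuntimeError); about one
    time in 256 it passes and only the CRC check fails (BadZipFile), so both
    mean 'try the next candidate'.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        member = zf.namelist()[0]
        for pwd in candidates:
            try:
                return pwd, zf.read(member, pwd=pwd.encode())
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None, None


SUBJECT = "Invoice 4471 - password protected"  # constructed sample message
BODY = ("Hi,\nthe attached archive is password protected. "
        "Password is 'Inv0ice#4471'.\nRegards")

if __name__ == "__main__":
    cands = derive_candidates(SUBJECT, BODY, keywords=("ACME",))
    blob = make_encrypted_zip("report.txt", b"quarterly numbers\n", b"Inv0ice#4471")
    print(cands, open_with_candidates(blob, cands)[0])
```

The candidate list deliberately includes noise such as "protected" (a word that followed "password" in the subject); trying a few wrong candidates is cheap, while missing the real one means the attachment never reaches the sandbox. If no candidate works, the policy action for undecryptable attachments described in the note above is the fallback.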
Aside from password decryption, ATSE is also capable of extracting URLs from Microsoft Office, PDF,
HTML, and HTM file attachments (including plain text files with .HTML and .HTM extensions).
Once a URL is detected, it is passed to TMUFE (discussed in the next section) for analysis.
URLs are classified as suspicious and sent to the Virtual Analyzer if:
• The Web Reputation Service rating result is “Unrated”, “New domain” or “sharing service”
Web reputation technology tracks the credibility of web domains by assigning a reputation score
based on factors such as a website's age, historical location changes and indications of suspicious
activities discovered through malware behavior analysis, such as phishing scams that are designed to
trick users into providing personal information.
To increase accuracy and reduce false positives, a reputation score is assigned to specific pages or
links within sites instead of classifying or blocking entire sites, since often, only portions of legitimate
sites are hacked and reputations can change dynamically over time.
The Script Analyzer Lineup (SAL) is a backend core dynamic rating solution that detects script
based web threats such as browser exploit, drive-by download and phishing.
Pre-filtering Logic
The SAL pre-filtering logic can be interpreted by separating it into three components:
• Redirect check: If a redirect URL is detected, DDEI follows the location header of the new
URL and keeps on fetching pages until it does not return a location header. The
"Effective URL" is the URL of the final page.
• Web Reputation Service (WRS) filter: After the redirect check, WRS filter performs a
query to get the rating of the URL. If the URL is unrated, it is sent to Script Analyzer
Lineup (SAL) filter for further analysis. In the case of rated non-normal URL, it is sent to
Virtual Analyzer for processing.
• Script Analyzer Lineup (SAL) filter: The SAL filter analyzes the URL for suspicious content.
Once verified, it submits the content to the Virtual Analyzer for examination.
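The three pre-filtering components above as one decision function, added here as an example and not Trend Micro's code. Redirect following, the WRS rating lookup and the SAL content check are replaced by constructed lookup tables so the logic runs offline; URLs, rating names and the loop guard are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

MAX_REDIRECTS = 10

# Constructed redirect chain: URL -> Location header it returns.
REDIRECTS = {
    "http://short.example/a": "http://track.example/b",
    "http://track.example/b": "http://landing.example/page",
    "http://loop.example/1": "http://loop.example/2",
    "http://loop.example/2": "http://loop.example/1",
}
# Constructed WRS ratings; None stands for "unrated", "normal" for a clean rating.
WRS_RATINGS = {
    "http://landing.example/page": None,
    "http://known-bad.example/x": "malicious",
    "http://good.example/": "normal",
}
# Constructed SAL verdicts: unrated URLs whose content looked suspicious.
SAL_SUSPICIOUS = {"http://landing.example/page"}


@dataclass(frozen=True)
class Triage:
    effective_url: str
    rating: Optional[str]
    action: str  # "skip", "sal_clean" or "virtual_analyzer"


def effective_url(url: str) -> str:
    """Redirect check: follow Location headers until a page returns none.
    The visited set and hop limit stop redirect loops (an added safeguard)."""
    visited = set()
    while url in REDIRECTS and url not in visited and len(visited) < MAX_REDIRECTS:
        visited.add(url)
        url = REDIRECTS[url]
    return url


def prefilter(url: str) -> Triage:
    """WRS filter on the effective URL, then SAL for unrated URLs."""
    final = effective_url(url)
    rating = WRS_RATINGS.get(final)
    if rating is None:
        # Unrated -> SAL filter decides whether the content goes to VA
        action = "virtual_analyzer" if final in SAL_SUSPICIOUS else "sal_clean"
    elif rating != "normal":
        action = "virtual_analyzer"  # rated non-normal -> straight to VA
    else:
        action = "skip"  # known-good rating, nothing further to do
    return Triage(final, rating, action)
```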
After detecting an unknown or low-prevalence file, the Deep Discovery Email Inspector scans the file
using the Advanced Threat Scan Engine (ATSE) to extract file features and sends the report to the
Predictive Machine Learning engine, hosted on the Trend Micro Smart Protection Network. Through
use of malware modeling, Predictive Machine Learning compares the sample to the malware model,
assigns a probability score, and determines the probable malware type that the file contains.
Deep Discovery Email Inspector can attempt to “Quarantine” the affected file to prevent the threat
from continuing to spread across your network.
Graymail is defined as any unsolicited bulk email that is not spam. This can include marketing
messages and newsletters, social network notifications, forum notifications and so on. Deep
Discovery Email Inspector identifies Graymail messages using the Trend Micro Anti-Spam Engine
(TMASE) to identify message content, and Email Reputation Services (ERS) to assign a score to
source IP addresses.
Email Reputation Service (ERS) technology maximizes spam protection by allowing Deep
Discovery Email Inspector to determine spam based on the reputation of the originating Mail
Transfer Agent (MTA). With ERS enabled, all inbound SMTP traffic is checked against the IP databases
to see whether the originating IP address is clean or has been blocked as a known spam vector.
Note: For ERS to function properly, all address translation on inbound SMTP traffic must occur after
traffic passes through Deep Discovery Email Inspector. If NAT or PAT (Port Address Translation)
takes place before the inbound SMTP traffic reaches Deep Discovery Email Inspector, the local
address will always be treated as the originating MTA.
ERS only blocks connections from suspect MTA public IP addresses, not private or local
addresses.
When deployed as the edge MTA, Deep Discovery Email Inspector filters connections from
senders when establishing SMTP sessions based on the reputation of the sender IP addresses.
However, when deployed as a non-edge MTA, Deep Discovery Email Inspector filters connections
from senders of the last relay MTA based on the reputation of the sender IP addresses in the
email message header.
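How the originating MTA address is found in the non-edge case, and why NAT in front of the appliance defeats ERS, as an added example that is not Trend Micro's code: the Received chain is walked newest-first past the internal relays, and the resulting address is checked for being public. The message, host names and the internal relay set are constructed; the public-address test is deliberately narrower than ipaddress.is_global so that the RFC 5737 documentation address in the sample counts as public.

```python
import ipaddress
import re
from email import message_from_string
from typing import List, Optional

# Source address in a Received header, e.g. "from host (host [203.0.113.10])".
RECEIVED_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Address ranges ERS cannot rate (private or local). Narrower than
# ipaddress.is_global on purpose: see the lead-in about the sample address.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
)]

# Constructed message as a non-edge appliance sees it: the topmost header was
# added by the appliance itself, the next one by the last relay MTA.
SAMPLE_MESSAGE = """Received: from relay.corp.example (relay.corp.example [10.1.2.3])
\tby ddei.corp.example (Postfix) with ESMTP id CONSTRUCTED1
Received: from mail.sender.example (mail.sender.example [203.0.113.10])
\tby relay.corp.example (Postfix) with ESMTP id CONSTRUCTED2
From: sender@sender.example
To: user@corp.example
Subject: constructed sample

body
"""

# Same message, but NAT/PAT in front of the relay rewrote the sender address.
SAMPLE_MESSAGE_BEHIND_NAT = SAMPLE_MESSAGE.replace("203.0.113.10", "192.168.1.5")


def received_ips(raw_message: str) -> List[str]:
    """Source IP of each Received header, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP_RE.search(header)
        if match:
            ips.append(match.group(1))
    return ips


def is_public_mta_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in NON_PUBLIC)


def ers_candidate_ip(raw_message: str, internal_relays: set) -> Optional[str]:
    """Non-edge deployment: skip the hops added by our own relays and return
    the address that connected to the last relay MTA."""
    for ip in received_ips(raw_message):
        if ip not in internal_relays:
            return ip
    return None


def ers_can_rate(ip: Optional[str]) -> bool:
    """ERS only rates public MTA addresses; a private address here usually
    means address translation happened before the appliance, as the note warns."""
    return ip is not None and is_public_mta_address(ip)
```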
Additional engines that make up the Trend Micro Antispam Engine (TMASE) include the following:
SNAP protects against Business Email Compromise (BEC) by scanning email messages from
specified high-profile users to block social engineering attacks. SNAP checks sender and
recipient domain information to prevent email message spoofing. Business Email Compromise is
treated as phishing and has a high risk level.
The Email Malware Threat Scan engine performs advanced threat scans on email attachments,
including script files and MS Office files with macros, to detect emerging malware. Once the Trend
Micro Antispam Engine finds a macroware threat, it reports the following root attachment
information:
• Root-file SHA1
• Root-file name
• Threat name
If an email is detected as macroware, the Mailtype will be listed as “emerging threat” but the
category will be listed as “unknown”. Also, the engine name shown for Identified By will appear as
“Email Malware Threat Scan” for any Trend Locality Sensitive Hash (TLSH)/Macroware detections.
Note: Trend Locality Sensitive Hash (TLSH) is an approach to Locality Sensitive Hashing (LSH), a kind of
fuzzy hashing that can be employed in machine learning extensions for allowlisting. TLSH can
generate hash values which can then be analyzed for similarities. TLSH helps determine if the file
is safe to be run on the system based on its similarity to known, legitimate files. Thousands of
hashes of different versions of a single application, for instance, can be sorted through and
streamlined for comparison and further analysis. Metadata, such as certificates, can then be
utilized to confirm if the file is legitimate.
Functions include in-depth tracking of malware actions and system impact such as:
• Network connections initiated
• System file/registry modification
• System injection behavior detection
The Virtual Analyzer in DDEI identifies malicious destinations and command-and-control (C&C)
servers. Additionally, you can export forensics reports and PCAP files from the VA, which help in
generating complete malware intelligence to use for immediate local protection.
[Diagram: Unified Sandbox. Suspicious attachments or URLs go from the Scanner to the Virtual Analyzer, which runs them in a VirtualBox VM with an agent; the severity result is parsed by the gateway and stored in the result database.]
In the above diagram, the Unified Sandbox is the Deep Discovery Email Inspector built-in Virtual
Analyzer.
Specifications
Operating System
The Deep Discovery Email Inspector operating system is a hardened version of the CentOS Linux 7.1
Operating System with a specially built kernel, and a set of open source utilities used to run and
maintain the system.
As part of the operating system customization, CentOS packages not required for the Deep
Discovery Email Inspector application are excluded from the default installation. Deep Discovery Email
Inspector uses a custom-built 64-bit kernel based on Linux 3.10.x SMP using some CentOS tools.
Form Factors
You can deploy a Deep Discovery Email Inspector as a hardware appliance or virtual appliance in your
network.
Virtual Appliance
Messages per Day | Virtual CPUs | Virtual Memory (GB) | Virtual Disk | Virtual NICs           | DDAN Appliance
300K             | 3            | 10                  | 500 GB       | Refer to table 1 below | per 2 DDEI virtual appliances
700K             | 6            | 16                  | 1 TB         | Refer to table 1 below | for each DDEI virtual appliance
Note: The virtual CPUs require a minimum speed of 2.3 GHz with hyper-threading support,
Virtualization Technology (VT), and 64-bit architecture.
Note: The virtual NICs require a minimum speed of 1000 Mb/s. Trend Micro supports only the VMXNET
3 network adapter on ESXi.
If you configure more than three virtual NICs for the virtual appliance, only the last two ports can
be used for SPAN/TAP mode.
Hardware Appliances
Trend Micro provides the following server models with Deep Discovery Email Inspector pre-
installed. No other hardware is supported for the DDEI appliance.
Specification        | First model                                                     | Second model
CPU                  | Intel Xeon E5-2680 v3 @ 2.5GHz (12 cores) x 2                   | Intel Xeon E5-2620 v3 @ 2.4GHz (6 cores) x 2
Memory               | 128GB DDR4 (RDIMM 16GB x 8, 2133 MHz)                           | 64GB DDR4 (RDIMM 16GB x 4, 1866 MHz)
NIC                  | 4 on-board, 2 Intel Ethernet 1350 QP 1GB network daughter card  | 4 on-board, 2 Broadcom 5720 Dual Port (1GB)
Supported Version    | DDEI 2.5 and later                                              | DDEI 2.1 and later
Maximum VA instances | 60                                                              | 30
Maximum VA images    | 3                                                               | 3
Built-in Firewall
Deep Discovery Email Inspector uses a firewall to protect itself from any intrusion. It is configured by
a script (rcFirewall) and uses the iptables software to block access to any port except those that are
used to accept external connections.
The firewall rules are stored in the file /etc/conf/fw.rules and can be modified from the administrative
console and CLI. This file has an XML structure and contains the access rules in the following format:
<port<Id> value="<Num>,<Protocol>,<Access>"/>
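A parser for the fw.rules format shown above, added as an example and not part of the product. The <firewall> root element, the port numbering and the allow/deny access keywords are assumptions (the page only gives the per-rule format), and the rendered iptables commands illustrate the default-deny policy the text describes.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Tuple

# Constructed fw.rules content. Root element, ids and access keywords are assumed.
SAMPLE_FW_RULES = """<firewall>
  <port1 value="443,tcp,allow"/>
  <port2 value="25,tcp,allow"/>
  <port3 value="123,udp,allow"/>
  <port4 value="22,tcp,deny"/>
</firewall>"""


@dataclass(frozen=True)
class PortRule:
    rule_id: str
    port: int
    protocol: str
    access: str


def parse_fw_rules(xml_text: str) -> List[PortRule]:
    """Parse <port<Id> value="<Num>,<Protocol>,<Access>"/> elements,
    rejecting anything that is not a sane port rule."""
    rules = []
    for element in ET.fromstring(xml_text):
        if not element.tag.startswith("port"):
            continue  # ignore unrelated elements
        value = element.get("value", "")
        fields = [f.strip() for f in value.split(",")]
        if len(fields) != 3:
            raise ValueError(f"{element.tag}: expected Num,Protocol,Access, got {value!r}")
        number, protocol, access = fields
        port = int(number)  # non-numeric values raise ValueError as well
        if not 0 < port <= 65535:
            raise ValueError(f"{element.tag}: port {port} out of range")
        if protocol.lower() not in ("tcp", "udp"):
            raise ValueError(f"{element.tag}: unknown protocol {protocol!r}")
        if access.lower() not in ("allow", "deny"):
            raise ValueError(f"{element.tag}: unknown access {access!r}")
        rules.append(PortRule(element.tag[len("port"):], port,
                              protocol.lower(), access.lower()))
    return rules


def allowed_ports(rules: List[PortRule]) -> List[Tuple[int, str]]:
    """Ports that accept external connections, for a quick exposure review."""
    return sorted((r.port, r.protocol) for r in rules if r.access == "allow")


def to_iptables(rules: List[PortRule]) -> List[str]:
    """Render the rules as iptables commands with a default-deny input policy,
    mirroring 'block access to any port except those that are used'."""
    commands = [
        f"iptables -A INPUT -p {r.protocol} --dport {r.port} -j "
        f"{'ACCEPT' if r.access == 'allow' else 'DROP'}"
        for r in rules
    ]
    commands.append("iptables -P INPUT DROP")
    return commands
```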
Deployment Modes
MTA Mode
This is the default operating mode of Deep Discovery Email Inspector. As an inline MTA, Deep
Discovery Email Inspector protects the network from harm by taking action on malicious email
messages in the mail traffic flow. Deep Discovery Email Inspector delivers safe email messages to
recipients. However, in this setup, any issue on Deep Discovery Email Inspector may affect the
production email.
In MTA mode, the upstream MTA (the current mail gateway) transfers the emails to Deep Discovery Email
Inspector for scanning. Deep Discovery Email Inspector then transfers the mails to the downstream MTA
(mail server) after scanning.
BCC Mode
In BCC mode, emails are forwarded to end users directly by an upstream MTA without any delay. At
the same time, the upstream MTA needs to BCC these emails to Deep Discovery Email Inspector.
This means that while recipients receive their emails, Deep Discovery Email Inspector is
scanning the copies at the same time.
Note: If Deep Discovery Email Inspector finds a threat in an email, it records the event and sends a
notification to the administrator. After scanning, Deep Discovery Email Inspector drops these
email copies.
The following is a typical deployment scenario for BCC mode. In this mode, Deep Discovery Email
Inspector needs to be integrated with an upstream MTA. That MTA blind copies (BCC) to Deep
Discovery Email Inspector, allowing it to scan these emails.
[Diagram: BCC mode mail flow from sender test@internet.com to recipient admin@DDEI.com through the upstream MTA, with a blind copy to Deep Discovery Email Inspector and a notification to the administrator (steps 2b, 3a, 3b, 4)]
Note: Use a virtual domain for Deep Discovery Email Inspector if upstream MTA does not support
smart host with Priority.
3 The following occurs at the same time after the MTA sends an e-mail:
a. Deep Discovery Email Inspector Postfix sends the e-mail to the Scanner module for scanning
If the upstream MTA has anti-virus capability but is unable to identify a threat, Deep Discovery
Email Inspector can still be used to detect it. The following links can be referenced for additional
information on configuring upstream MTAs with existing AV capability:
• TrendMicro InterScan Messaging Security Virtual Appliance (IMSVA)
- http://esupport.trendmicro.com/solution/en-US/1113257.aspx
• McAfee Email Gateway (MEG)
- http://esupport.trendmicro.com/solution/en-US/1113258.aspx
• Symantec Messaging Gateway
- http://esupport.trendmicro.com/solution/en-US/1113259.aspx
SPAN Mode
While in SPAN/TAP mode, Deep Discovery Email Inspector acts as an out-of-band appliance that does
not interfere with network traffic.
In SPAN/TAP mode, existing SMTP routing does not need to be changed. An administrator can
configure a switch or network tap to send mirrored traffic to Deep Discovery Email Inspector.
Whenever a suspicious email message passes through the network, Deep Discovery Email Inspector
sends alert notifications. Deep Discovery Email Inspector discards all replicated email messages
after they are checked for threats. The replicated email messages are never delivered to the
recipients.
Note: For port mirroring, the speed of the destination port must not be less than that of the source port.
For example, if the source port is Gigabit Ethernet and the destination port is Fast Ethernet, data
loss is possible. In this scenario, Deep Discovery Email Inspector may see a lot of damaged messages
due to incompletely captured SMTP traffic.
Summary
The different operation modes for Deep Discovery Email Inspector are summarized below:
Mode     | Advantages                                        | Limitations
BCC Mode | Does not affect current mail flow; Load Balancing | Mail header info might be incorrect; Cannot interrupt the mail delivery
Products/Services                             | Version
Deep Discovery Director (on-premise)          | 5.3
Deep Discovery Analyzer                       | 7.0, 6.9
Apex Central                                  | 2019
Smart Protection Server                       | 3.3, 3.2
Tipping Point Security Management System (SMS) | 5.4, 5.3
In a network topology containing multiple Deep Discovery Email Inspector appliances, Deep Discovery
Director or Apex Central can aggregate logs and suspicious object data, generate reports, and update
product components.
Additionally, integration with Apex Central supports single sign-on (SSO) to the management console of
any registered Deep Discovery Email Inspector appliance.
Information Provisioning
Before deploying Deep Discovery Email Inspector in your network, you will need to determine the
configuration for the following DDEI networks:
• Management Network (eth0)
• Custom (Malware) Network (eth1)
• Mail Network (eth2, eth3)
The Management Network is used for communicating with the Deep Discovery Email Inspector web
console for administration and management. The Management port in DDEI is eth0.
The Custom (malware) Network is used for sandbox analysis. The sandbox port (eth1) must be connected
to an isolated network in order to prevent other networks from being affected when executing malware
for analysis.
The Mail Network is used for handling mail routing functions. The mail ports in DDEI are eth2 and eth3.
For each network, you will need to provision the following network information needed to complete the
configuration of your Deep Discovery Email Inspector.
To determine how best to integrate Deep Discovery Email Inspector in your existing mail network, it is
advisable to review the summary of advantages and limitations for each operational mode. This is
included in the previous lesson.
Ports Used
For Deep Discovery Email Inspector to function correctly it must have access to the following ports.
Review this list before deploying your Deep Discovery Email Inspector.
The steps for installing Deep Discovery Email Inspector include the following:
1 Connect USB Keyboard and VGA screen to Deep Discovery Email Inspector.
2 Boot from CDROM DDEI 5.1.xxx (or latest available version).
In this step, if the system does not meet the minimum requirements, the following will be
displayed:
6 Click Continue to proceed through the remaining screens displayed during the last phase of the
installation.
Note: A warning about disk partitioning will be displayed; click [Continue]. If you inadvertently selected
the wrong disk, you can click [Select Disks] and select the correct disk you wish to use.
3 To modify the Deep Discovery Email Inspector IP settings, you will need to enter into privileged
mode as follows:
• At the command prompt, enter the CLI command enable, then enter the password
“trend#1”
• Set IPv4 address, subnet, gateway and DNS information, then enter “y” to save the
changes.
4 Once the above settings are configured, you will be able to access the Deep Discovery Email
Inspector web console using a supported browser (via HTTPS) by browsing to:
https://<ip address of DDEI>
To complete the final configuration tasks you must log into the Deep Discovery Email Inspector web
console at: https://<ip address of DDEI> using the default administrator user credentials: admin / ddei.
Once you have logged in to the administrative web console, you will need to configure the following Deep
Discovery Email Inspector settings:
• License
• System Time
• Import OVA image to run Sandbox
• Setting for Internal or External Sandbox
• Malware Network
• VA Connection Settings
• VA File Types
• Mail Network (Span mode, BCC mode, or MTA mode)
• Operation Mode (Span mode, BCC mode, or MTA mode)
Note: Any of the Deep Discovery Email Inspector operation modes can use the Virtual Analyzer for
file analysis. When using Virtual Analyzer to analyze the files, the administrator must first
prepare the sandbox image, then import it into Deep Discovery Email Inspector using the same
process as preparing a sandbox for use with Deep Discovery Inspector.
• Mail Settings for accepting mail traffic (BCC mode or MTA mode)
• Apply latest HF and Patches if any exist
• Proxy for updates and reputation query (Optional)
• Exceptions (for Messages, files, URL or Domain)
• Alerts
The steps to complete the above configuration tasks are described in the sections that follow.
License
To activate Deep Discovery Email Inspector, you must enter a valid license string as follows:
1 In the Deep Discovery Email Inspector web console, go to Administration > License.
2 Click New Activation Code for the module you are activating, then copy and paste the license
string for that module.
Note: Refer to the list of module features listed in License Management to review what is included in
each module. For MTA mode features you will need to have a Gateway Module activation code.
License Management
The License screen displays license information and accepts valid Activation Codes for the feature
sets in Deep Discovery Email Inspector.
• Advanced Threat Protection
• Gateway Module
The following table lists the features or services available for each feature set.
Network Configuration
To configure the network settings for Deep Discovery Email Inspector, go to Administration > System
Settings > Network. Note that the steps for completing the network configuration will vary
depending on which Deep Discovery Email Inspector operation mode is selected (for example, Span
mode, or BCC mode, or MTA mode). Each of these network configurations will be described later.
System Time
For normal system operations, it is very important that the system time be configured correctly for
your Deep Discovery Email Inspector appliance. If the system time is not correctly configured, this
can greatly affect the detection accuracy of Deep Discovery Email Inspector. Additionally, any
integration with third-party systems, such as SIEM, will not function if the time is not synchronized.
You can set the system time for your Deep Discovery Email Inspector appliance either manually or
automatically from an external NTP server.
1 Go to Administration > System Settings > Time and configure your timezone and NTP server.
Note: Time change settings will require restarting the DDEI services. To continue, select Save.
Notice on this page that Deep Discovery Email Inspector can send objects to Virtual Analyzer under
the following conditions:
• Send to Virtual Analyzer when ATSE has detected them as highly suspicious
• Always send to Virtual Analyzer
For example, to always analyze files (regardless of whether they are suspicious), you can select all file
types that are listed under the Always Analyze when highly suspicious column and move them over
to the Always analyze column on the right. This, however, is not best practice. Always verify any
changes here with your security policies team.
Next, you will need to decide whether to enable the option Do not analyze files found to be safe
by CSSS. Recall from earlier lessons that the Certified Safe Software Service (CSSS) is a cloud
database of known safe files. Enabling the option shown above for CSSS will prevent known safe files
from entering the Virtual Analyzer.
This saves computing time and resources and also reduces the likelihood of false positive detections
(CSSS is enabled by default).
Mail Network
The steps for completing the mail network configuration for the Deep Discovery Email Inspector will
vary depending on which operation mode is selected. As already mentioned, the available
operational mode options include Span/Tap mode, BCC mode, and MTA mode. The configuration
steps for all three operation modes are provided below; however, in this training, MTA Mode will be
the operation mode used to complete all student lab activities.
MTA Mode
In MTA mode, Deep Discovery Email Inspector will be included in the email delivery chain. In this
mode, malicious emails and attachments can be quarantined or removed. This mode requires you
to configure a Downstream email relay.
To configure network settings for a Deep Discovery Email Inspector that is being deployed in MTA
mode, the steps are as follows.
1 Go to Administration > System Settings > Network.
2 Specify an IP address for eth2. In this case, the management network and mail network are the
same network, so eth0 is being configured instead.
4 Next, for MTA only, you will need to go to Administration > Mail Settings and configure the
Connection Control settings for Deep Discovery Email Inspector to accept mail traffic:
• Set SMTP Interface
• Set the Connection Control permissions
• Set the Transport Layer Security (TLS) configuration
5 Configure settings for Relay Control and Permitted Senders of Relayed Mail to prevent Deep
Discovery Email Inspector from being used as an Open Relay.
Note: When deploying the Deep Discovery Email Inspector in MTA mode, it is very important to note
that the default for Permitted Senders of Relayed Mail configuration, is to allow all hosts in the
same subnet to relay email through Deep Discovery Email Inspector. This causes Deep Discovery
Email Inspector to become an open relay. To prevent this, you must change the Permitted
Senders of Relayed Mail configuration so that only the upstream MTA is allowed to relay email
through the Deep Discovery Email Inspector.
6 Additionally, you should select any options under the Relay Control section above that are
appropriate for your mail environment.
7 Next, go to Administration > Mail Settings and select the Mail Delivery tab. Here you will need to
specify the next hop MTA (downstream relay) for the domain you are configuring.
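The relay-control point from steps 5 and 6 as a configuration check, added as an example that is not Trend Micro's code: the default subnet-wide Permitted Senders of Relayed Mail setting is compared with a list that permits only the upstream MTA. Addresses are constructed RFC 1918 values, and the audit function and its wording are this example's assumptions.

```python
import ipaddress
from typing import Iterable, List

# Constructed addresses for the appliance's mail subnet.
UPSTREAM_MTA = "10.1.2.3"
# Weak setting: the default allows the whole local subnet to relay.
DEFAULT_PERMITTED = ["10.1.2.0/24"]
# Corrected setting: only the upstream MTA may relay through the appliance.
HARDENED_PERMITTED = ["10.1.2.3/32"]


def relay_permitted(client_ip: str, permitted: Iterable[str]) -> bool:
    """Would a connection from client_ip be allowed to relay mail?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in permitted)


def extra_relay_addresses(permitted: Iterable[str], upstream_mtas: Iterable[str]) -> int:
    """Count addresses allowed to relay that are not upstream MTAs. Anything
    above zero means hosts other than the mail gateway can push mail through
    the appliance; the hardened list brings the count to zero."""
    networks = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(n, strict=False) for n in permitted))
    upstream = {ipaddress.ip_address(h) for h in upstream_mtas}
    total = sum(net.num_addresses for net in networks)
    covered = sum(1 for h in upstream if any(h in net for net in networks))
    return total - covered


def audit_relay_control(permitted: List[str], upstream_mtas: List[str]) -> List[str]:
    """Return findings for a Permitted Senders of Relayed Mail list: an
    upstream MTA that cannot relay breaks mail flow, extra addresses make the
    appliance the open relay the note above warns about."""
    findings = []
    for mta in upstream_mtas:
        if not relay_permitted(mta, permitted):
            findings.append(f"upstream MTA {mta} is not permitted to relay; mail flow would break")
    extra = extra_relay_addresses(permitted, upstream_mtas)
    if extra:
        findings.append(f"{extra} additional addresses may relay: appliance would act as an open relay")
    return findings
```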
SPAN/TAP Mode
When the Deep Discovery Email Inspector is configured in SPAN/TAP mode, it can be fed with the
raw network data from the SPAN port or network tap. Deep Discovery Email Inspector will parse
the data and extract emails for further analysis. To enable this operational mode, the traffic
capture rules must be configured. (By default, all traffic destined for port tcp/25 will be
captured and analyzed.)
To configure network settings for a Deep Discovery Email Inspector that is being deployed in
SPAN/TAP mode, the steps are as follows.
1 Go to Administration > System Settings > Network and specify an IP address for eth2. In this
case, the management network and mail network are the same network, so eth0 is being
configured instead.
3 Add a traffic capture rule that will be used to monitor SMTP traffic. A default one for port 25 is
provided already.
Note: Mail traffic comes from a mirror port on a switch. In SPAN/TAP mode, email messages are analyzed for
threats, but are not blocked, quarantined or delivered. Additionally, Deep Discovery Email
Inspector is unable to send email notifications as the internal Postfix server cannot be used in
this mode. An external SMTP notification server must be configured in this mode.
BCC Mode
In BCC mode, Email messages are analyzed for threats, but are not blocked, quarantined or
delivered. Additionally, Deep Discovery Email Inspector is unable to send email notifications as
the internal Postfix server cannot be used in this mode. An external SMTP notification server
must be configured in this mode.
To configure network settings for a Deep Discovery Email Inspector that is being deployed in BCC
(blind copy) mode, the steps are as follows.
1 Go to Administration > System Settings > Network and specify an IP address for eth2.
2 Next, select Operation Mode and enable BCC mode.
Component Updates
Go to Administration > Component Updates. If there are any component updates from Trend
Micro available for download to your Deep Discovery Email Inspector, the option to select
Update is provided.
In this case, if the update is successful, this validates that the Deep Discovery Email Inspector can
successfully connect to the Internet to receive updates. Thus, we can assume the network
settings have been configured correctly so far.
If the update fails due to a connection issue, a “No Internet Connection” error is displayed. In this
case, you can check:
• Firewall settings
• Proxy settings
Optionally, to validate your Deep Discovery Email Inspector network configuration, you can
use the Network Services Diagnostics utility. This will verify whether Deep Discovery Email Inspector
services can be reached through the Internet.
To use this utility, go to Administration > System Maintenance > Network Services Diagnostics.
This will test connectivity to various network services used by Deep Discovery Email Inspector
including, the Proxy server (optional), SPS (optional), Certified Safe Software Service,
Community File Reputation and so on.
EICAR Sample
To test Deep Discovery Email Inspector detection functionality, you can send a test email using
EICAR as an attachment as follows:
1 Open a web browser and access the “eicar” web site at: http://www.eicar.org/.
2 Download the file eicar.com test file and then compress the file with a password.
3 Compose an email attaching the compressed file, and include the password as part of the body
text.
If the Deep Discovery Email Inspector has been configured correctly, this email should not be
delivered to your intended recipient, because of the virus attachment.
Detected Messages
Lastly, to ensure that Deep Discovery Email Inspector is able to detect message violations, you
should examine Detected Messages.
In the Deep Discovery Email Inspector web console, go to Detections > Detected Messages and
verify that the Deep Discovery Email Inspector lists message violation detections similar to the
following:
Each Deep Discovery Email Inspector user account that is created can be assigned one of the following
roles:
• Administrator
• Investigator
• Operator
The assigned role-based permissions for each role type include the following.
The default Deep Discovery Email Inspector administrator account, “admin”, has full access to all
functions and settings in the Deep Discovery Email Inspector.
Note: Only the default Deep Discovery Email Inspector “admin” account can add new administrator
accounts. Administrator accounts created by the default admin, can be assigned full access to
functions and settings, excluding the ability to create administrator accounts.
The web console in Deep Discovery Email Inspector is the main interface that is used to configure and
manage the appliance. The different menu options provided in the web console include:
• Dashboard: Includes a set of widgets for threats analysis and performance monitoring
• Detections: List of detected messages, Suspicious Objects and quarantined emails
• Policy: Setting policy actions, notifications, X-headers, message tags and policy exceptions
• Alerts/Reports:
- List of system and security alerts, management of admin notification rules
- List of stored reports, management of the reporting schedules, on demand reports
• Logs: List of the processed emails with assigned risk level, MTA log, system logs
• Administration: System, mail, logs and VA settings, updates, license management, user
management, system maintenance
• Help: Product manual, Threat Encyclopedia, information about the product
The widgets presented in the Dashboard are grouped into tabs to address specific topics or areas of
interest. There are Overview, Threat Monitoring, Top Threats, System Analysis and Virtual Analyzer
tabs, and others can be added.
Play Tab Slide Show (located under the Overview tab) initiates a closed loop of revolving widget
screens. This is useful for the wall-mounted monitors common in a SOC (Security Operations Center). You can also
modify the layout of the widgets and the content on the current tab as needed by using the Tab
Settings and Add Widgets buttons located in the top right corner of the Dashboard.
For some widgets, there are also hyperlinks for redirecting to other areas of the console to view
more information. For example, clicking the hyperlink View detected messages above redirects
to the Detections > Detected Messages page as follows:
Widgets that are not displayed in the Dashboard by default, can be added.
For example, adding the Quarantined Messages widget is useful to quickly see the volume of
quarantined emails. Although this widget belongs to the category Threat Monitoring, it can be placed
anywhere in your dashboard that suits your needs.
Another widget under the Threat Monitoring category is High-Risk Messages as shown below. This
widget shows the volume of malicious emails.
Again, any widgets provided in DDEI can be added to customize your Dashboard as you see fit for
your specific workflow.
There are many other widgets available in DDEI that are not discussed in this training. For a
complete listing of all widgets you can refer to the DDEI On-line Help.
Managing Detections
For reviewing malicious emails detected by Deep Discovery Email Inspector, it is best to start out
with Deep Discovery Email Inspector web console menu item Detections > Detected Messages. In this
screen, you can filter by Threat type if there are a large number of entries.
You can view the various information that is available on the detected threats, including the Message
ID, Recipient, Sender, Subject, Attachments/Links, Identified by (engine that detected the threat),
Threat name, Risk Level, Filename, Filetype, Action, Message source and so on.
Each detection has a severity Risk Level that ranges from “Low” to “High”.
From Detected Messages, you can view a list of detected malicious emails with comprehensive search
and filtering mechanisms.
Detected messages can be viewed by the recipient, attack source and email subject.
Sample Detection
The following is a sample detection in Deep Discovery Email Inspector. Here you can see the
number of malicious URLs that were detected in the email (none), the number of malicious
attachments that were detected (one), and so on.
Then, by expanding the detection, you can reveal more information to help you better
understand the threat. For example, at the bottom of the page you have options for accessing
additional information including:
• Reports: All detections can be exported in CSV or PDF format.
• Forensics Information: You can select the provided links shown next to Forensics to
obtain a compressed package containing complete emails with all attachments, or you
can obtain a simple screen shot of the information you are currently viewing. All
detections can be exported in CSV format and these can be sent for forensics research.
• Global Intelligence: By clicking the link next to Global intelligence, you can access the
Threat Connect web site to obtain any information on the threat that is already known by
Trend Micro.
The general workflow for analyzing a detected message is provided below:
2 If a malicious URL was detected, view Site Category to determine why the detection was made.
3 For more information, select View in Threat Connect to view information provided by Trend Micro.
For example, clicking on View in ThreatConnect above for this event provides the following
ThreatConnect output:
4 Additionally, examine the Virtual Analyzer report, which will be available for suspicious threats
including files or URLs.
Threat Types
Threats that can be detected by Deep Discovery Email Inspector include the following.
Targeted Malware
Targeted malware is a more advanced form of malware made to look like it comes from
someone a user expects to receive email messages from, possibly a boss or colleague. A Targeted
Malware detection is known malware (detected in a file attachment) that is identified by the
ATSE engine through an AV pattern match. Some threat names that you might see in the Deep
Discovery Email Inspector web console under Detected Messages include WORM_XX, TROJ_...
and so on. Known malware is not sent to Virtual Analyzer for analysis, hence there is no Virtual
Analyzer report for this type of detection.
Malware
Malicious software used by attackers to disrupt, control, steal, cause data loss, spy upon, or gain
unauthorized access to computer systems.
Malicious URL
Similar to Targeted Malware, a Malicious URL is a known malicious URL that is identified by WRS (Web
Reputation). Because the threat is already identified by WRS, it is not sent for virtual analysis and
so there is no Virtual Analyzer report for this threat type. An example of a threat name you might
see listed for this detection type is FRAUD_SCAM.WRS.
Suspicious File
This detection is a potentially malicious file attachment identified through Virtual Analyzer
analysis results. The Virtual Analyzer report is available and can be examined to see the
notable characteristics of the file that Virtual Analyzer used to classify the object as
suspicious. Some examples of threat names you might see listed for this detection type
include:
• CSO_<SUSPICIOUS_FILE>
• YARA_<rule_name>
• EMERGING-THREAT_XXX
• VAN_<xxx>
• Ransom.win32.TRX.XXX, etc.
Suspicious URL
This detection is similar to Suspicious File, except that the detected suspicious object is a
suspicious URL. Some examples of threat names you might see listed for this detection type
include CSO_<SUSPICIOUS_URL>, VAN_<xxx>, etc.
Phishing
A phishing email seeks to fool users into divulging private information by redirecting users to
legitimate-looking web sites.
Spam/Graymail
Spam is any unsolicited email message, often of a commercial nature, sent
indiscriminately to multiple individuals, whereas graymail refers to solicited bulk email messages
that are not spam.
DLP Incident
A DLP incident is an email message that contains content that goes against your
organization's digital asset policies.
Content Violation
A content violation is similar to a DLP incident, but instead includes ANY information that your
organization deems inappropriate, such as personal communication or large attachments.
Advanced Filters
Detected malicious emails can be filtered using the following search criteria.
Suspicious Objects
From the Detections tab you can also list the Suspicious Objects (SOs). Suspicious Objects are
generated by the Virtual Analyzer (sandbox) and can be a file SHA1 hash, a hostname or a URL
detected inside a malicious email.
Quarantine
When in MTA mode, Deep Discovery Email Inspector is able to quarantine malicious emails.
If an email is quarantined, it can be kept in the quarantine, released to the recipient, or deleted without
delivery to the recipient.
Resume Process continues processing the selected spam email messages or email messages with
content violations in the quarantine.
Unlock and Reprocess opens password-protected files in unscannable messages using the
specified password and the entries on the File Passwords screen, and performs threat scans on the
messages.
Policy Management
The default policy applies to All Senders and All Recipients and includes the rules shown below.
• Content Filtering: Scan and Quarantine messages if the attachment is an executable
• DLP: N/A
• Antispam: Scan and Quarantine messages considered spam or graymail
• Threat Protection: Scan for viruses and other malware such as spyware and worms. Quarantine
messages with High/Medium risk, and just Tag messages with Low risk
A configured policy can include multiple Content Filtering, DLP or Antispam rules, but can ONLY include
ONE Threat Protection Rule.
For spam protection, configure an Antispam rule and activate Sender Filtering.
Note: A Gateway Module activation license is required to obtain Content Filtering and Antispam
functionality.
Policy Objects
Deep Discovery Email Inspector provides many different policy object types. You can define Policy
Objects for your policies to configure settings for notifications, replacement tags, stamps, redirect
pages, and many others for customizing the Deep Discovery Email Inspector traffic handling
behavior. Some common object types are described below.
Notifications
Notifications create messages to notify a recipient or email administrator that Deep Discovery
Email Inspector took action on a message, or that a message violated a Deep Discovery Email
Inspector rule scanning condition(s). The Subject and Body of the notification email that is sent
to the recipient is configured in Policies > Policy Objects > Notifications.
Replacement File
A replacement file can be used in the case of a stripped attachment. In this case, the attachment
is replaced with a text message that is configured under Replacement File.
Stamps
With stripped attachments, you can also add a Stamp to every email that Deep Discovery Email
Inspector processes.
For example, the stamp specified here can be used to add an “End stamp” at the end of every
processed email message to notify a recipient that Deep Discovery Email Inspector has
processed the email.
With this configuration, the recipient of an email with a stripped attachment will see the following
end stamp in the email message:
Redirect Pages
Configured policy actions determine if a redirect page blocks or warns users from opening
suspicious links. The presented redirect page can be customized with your own logo, message
body, and administrator contact information.
Archive Servers
If you are configuring archive policies, you can configure an archive server. When an email
message matches the archive policy, DDEI sends a copy of the matched message to the
server that is specified here. You can configure a maximum of 10 archive servers. If a message
matches multiple archive policies, DDEI sends a copy of the message to each archive server.
Data Identifiers
Data identifiers are any expression, file attribute or keyword that is applied by Content Filtering
and DLP policy rules in Deep Discovery Email Inspector. You can create your own custom data
identifiers, import data identifiers from other sources, or use the built-in identifiers as shown
below.
DLP Templates
DLP templates include the data identifiers and logical operators used in DLP Policy Rules.
Address Groups
Address groups are collections of user email addresses in your organization. They are used to
help simplify policy creation. Instead of creating policies to apply to each address individually,
you can create an address group to apply the policy rules to several email addresses at the same
time.
Policy Exceptions
Policy Exceptions can be used to reduce false positives. Creating a policy exception allows you to
classify certain email messages as safe. Exceptions can be added for Messages, Objects (IP
addresses, Files, URLs and Domains), URL Keywords, Graymail and Email Encryption.
Go to Policies > Exceptions to configure policy exceptions in Deep Discovery Email Inspector.
Message Exceptions
A message exception can be used in cases where an administrator trusts all emails from a
particular user or users. For example, if bryan_smith@msn.com is a trusted email sender,
then an administrator can add this user to the Policies > Exceptions > Messages > Senders list.
Once added to the Senders list, all messages from this user bypass Deep Discovery Email
Inspector scanning and/or any configured policy actions.
Object Exceptions
Object exceptions can be used for cases when an application file triggers a false positive
detection in Deep Discovery Email Inspector (that is, the file was safe but got detected as
suspicious by Deep Discovery Email Inspector). In this scenario, an administrator can add the
file’s SHA1 value to the Policies > Exceptions > Objects exception list so that Deep Discovery
Email Inspector no longer processes it.
Deep Discovery Email Inspector only bypasses investigation for email messages containing safe
objects (files, URLs, IP addresses, and domains).
URL Keywords
An administrator can also, for example, go to Policies > Exceptions > URL Keywords and configure
various keywords for URLs that are deemed safe. URLs that contain any of the specified
keywords are considered one-click URLs, and will not be processed by Deep Discovery Email
Inspector or sent to the Virtual Analyzer for analysis.
If an email message contains one safe URL and another unknown URL, DDEI investigates the
unknown URL. Virtual Analyzer also ignores safe files and URLs during sandbox analysis.
Graymail Exception
To bypass graymail inspection for messages sent from trusted IP addresses, you can configure
Graymail exceptions under Policies > Exceptions > Graymail Exceptions.
Deep Discovery Email Inspector does not encrypt or decrypt messages that meet the thresholds
or conditions you specify in the Email Encryption Exception configuration.
Approved lists of Files, URLs, IP addresses and Domains: wildcard (*) support on URL objects only.
Note: In BCC and SPAN/TAP mode, email messages that match Exceptions are discarded.
In MTA mode, the message is delivered to the recipient without being processed.
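As an added illustration (not product code), the following Python model follows the exception behaviour described above: a trusted sender bypasses scanning and policy actions outright, object and URL-keyword exceptions are evaluated per object (so a message with one safe and one unknown URL still has its unknown URL investigated), wildcards apply to URL objects only, and the disposition of a fully excepted message depends on the operation mode. The data model, function names and sample data are assumptions; IP-address and graymail exceptions are not modelled.

```python
"""Model of Deep Discovery Email Inspector policy-exception handling as described
in this guide.  Added illustration, not product code: the data model, function
names and sample data are assumptions (IP and graymail exceptions are omitted)."""
import fnmatch
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse


@dataclass
class Exceptions:
    senders: Set[str] = field(default_factory=set)          # Messages > Senders
    file_sha1: Set[str] = field(default_factory=set)        # Objects: file SHA1 values
    urls: List[str] = field(default_factory=list)           # Objects: URLs; wildcard (*) allowed
    domains: Set[str] = field(default_factory=set)          # Objects: domains (exact match)
    url_keywords: List[str] = field(default_factory=list)   # URL Keywords ("one-click" URLs)


@dataclass
class Message:
    sender: str
    attachments: Dict[str, bytes]   # file name -> content (constructed sample data)
    urls: List[str]


def sha1_hex(data: bytes) -> str:
    """SHA1 of an attachment: the value an administrator would add under Objects."""
    return hashlib.sha1(data).hexdigest()


def url_is_safe(url: str, exc: Exceptions) -> bool:
    """A URL is safe if its host is an excepted domain, it contains an excepted
    keyword, or it matches an excepted URL object (the only type with wildcards)."""
    host = (urlparse(url).hostname or "").lower()
    if host in {d.lower() for d in exc.domains}:
        return True
    if any(k.lower() in url.lower() for k in exc.url_keywords):
        return True
    return any(fnmatch.fnmatchcase(url, pattern) for pattern in exc.urls)


def unknown_objects(msg: Message, exc: Exceptions) -> List[Tuple[str, str]]:
    """Objects in the message that no exception covers; these still get investigated."""
    unknown = [("file", name) for name, data in msg.attachments.items()
               if sha1_hex(data) not in exc.file_sha1]
    unknown += [("url", u) for u in msg.urls if not url_is_safe(u, exc)]
    return unknown


def triage(msg: Message, exc: Exceptions, mode: str) -> dict:
    """Decide what the appliance does with a message.  mode is "MTA" or "BCC/TAP".
    A trusted sender bypasses scanning and policy actions; otherwise the message
    is bypassed only if every object it carries is a safe object."""
    if msg.sender.lower() in {s.lower() for s in exc.senders}:
        bypassed, investigate = True, []
    else:
        investigate = unknown_objects(msg, exc)
        bypassed = not investigate
    if bypassed:
        # Excepted messages are delivered unprocessed in MTA mode; in BCC/SPAN/TAP
        # mode the appliance only holds a copy, which is discarded.
        disposition = "delivered without processing" if mode == "MTA" else "discarded"
    else:
        disposition = "investigate unknown objects"
    return {"bypassed": bypassed, "investigate": investigate, "disposition": disposition}


# Constructed sample exception list and message (not real data).
SAMPLE_EXC = Exceptions(
    senders={"bryan_smith@msn.com"},
    file_sha1={sha1_hex(b"known-good installer bytes")},
    urls=["https://intranet.example.com/*"],
    domains={"docs.example.com"},
    url_keywords=["unsubscribe"],
)

MIXED_MSG = Message(
    sender="vendor@example.net",
    attachments={"setup.exe": b"known-good installer bytes"},
    urls=["https://intranet.example.com/policies/travel.pdf",
          "http://update-check.example.org/login"],
)

if __name__ == "__main__":
    # Only the unknown URL is left for investigation; the safe URL and the
    # excepted attachment are skipped.
    print(triage(MIXED_MSG, SAMPLE_EXC, "MTA"))
```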
Policy Actions
When Deep Discovery Email Inspector makes a detection based on a configured policy, it will perform
the configured action for the matched policy rule. Depending on the operation mode, the result of
the action taken on an actual email may differ.
Configured policy actions can be “terminal” such as Delete message, Block and quarantine, and
Deliver directly.
For policies with multiple rules, Deep Discovery Email Inspector will only apply one terminal action on
detected messages. In this case, Deep Discovery Email Inspector applies all non-terminal actions on
messages for matched rules before delivery, or until a terminal action is applied.
If more than one policy applies to a recipient or sender, Deep Discovery Email Inspector matches the
enabled policy with the highest priority.
Policy actions are configured inside the policy rules. This is the content filtering rule that is
configured for the Default Policy. The action is set to Block and Quarantine.
Action types that can be selected for a content filtering rule include the following:
• Block and quarantine
• Change recipient
• Delete message
• Deliver directly
• Encrypt message
Note: The available action types vary by the type of rule being configured (Content Filtering, DLP,
Antispam or Threat Protection).
It is also possible to define actions for messages with unscannable attachments (for example,
password protected) or messages where attachments are stripped or URLs are redirected.
To configure this action type, edit the policy rule and select settings under the option Unrated
Risk.
An action type can also be set for objects that could not be analyzed by Virtual Analyzer, for
example, due to a system timeout or an unsupported file type. This action is set in the policy
rule under Unknown reason.
Additionally, when stripping attachments or using redirect pages, you can set actions as well. You
can set the option to attempt to clean the attachment before stripping, and if it cannot be
stripped, you can also select to quarantine the message.
These options are all located under the Advanced Settings section of the policy rule.
Policy Rules
Policy rules are used to enforce your organization’s antivirus and other security goals. An
administrator can create the following policy rules in Deep Discovery Email Inspector.
• Content filtering rules: Evaluate message contents to prevent undesirable content from
being delivered to recipients and remove active content (such as macros) from Microsoft
Office or PDF file attachments
• DLP rules: Prevent the transmission of digital assets through email messages
• Antispam rules: Scan messages for spam or graymail
• Threat protection rules: Scan messages for viruses and other malware such as spyware and
worms
Note: A predefined policy rule can be copied, and an administrator can edit the copy to create a new policy
rule.
With Content filtering, Deep Discovery Email Inspector can prevent content that violates your
organizational policies from reaching recipients.
Note: Fuzzy matching is approximate string matching, a technique for finding strings that
match a pattern approximately (rather than exactly).
Content filtering will perform configured rule-based actions and apply configured notifications.
To configure the content filtering rules, go to Policies > Policy Management > Content Filtering
Rules.
Note: Deep Discovery Email Inspector checks the Content filtering rules before antispam or threat
protection rules in the policy scanning sequence. Consequently, if a message is matched by a
content filtering rule, then the message will not be scanned by the antispam or threat protection
rules.
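The policy selection and action precedence described under Policy Actions, together with the scanning-sequence note above, can be modelled in a few lines of Python. This is an added illustration, not product code: the priority convention (lower number wins), the position of DLP in the sequence, and all sample policies and rules are assumptions.

```python
"""Model of the policy selection and action-precedence behaviour this guide
describes for Deep Discovery Email Inspector.  Added illustration, not product
code: the priority convention, the position of DLP in the scanning sequence
and all sample rules are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Actions the guide calls terminal: the first one applied ends processing.
TERMINAL = {"Delete message", "Block and quarantine", "Deliver directly"}
# Content filtering is checked before antispam and threat protection (stated in
# the guide); evaluating DLP second is an assumption of this model.
RULE_ORDER = ["content_filtering", "dlp", "antispam", "threat_protection"]


@dataclass
class Message:
    sender: str
    recipient: str
    attachments: List[str] = field(default_factory=list)   # file names only
    is_spam: bool = False
    risk: Optional[str] = None   # threat risk level: None, "Low", "Medium" or "High"


@dataclass
class Rule:
    kind: str                                    # one of RULE_ORDER
    name: str
    decide: Callable[[Message], Optional[str]]   # returns an action, or None if no match


@dataclass
class Policy:
    name: str
    priority: int                 # assumption: lower number = higher priority
    enabled: bool = True
    senders: str = "*"            # "*" = All Senders; "@domain" = any address in that domain
    recipients: str = "*"
    rules: List[Rule] = field(default_factory=list)


def _scope_matches(pattern: str, address: str) -> bool:
    address = address.lower()
    return pattern == "*" or pattern.lower() == address or (
        pattern.startswith("@") and address.endswith(pattern.lower()))


def select_policy(policies: List[Policy], msg: Message) -> Optional[Policy]:
    """If more than one enabled policy applies, the highest-priority one is matched."""
    candidates = [p for p in policies if p.enabled
                  and _scope_matches(p.senders, msg.sender)
                  and _scope_matches(p.recipients, msg.recipient)]
    return min(candidates, key=lambda p: p.priority) if candidates else None


def apply_policy(policy: Policy, msg: Message) -> List[str]:
    """Return the actions applied, in order.  Non-terminal actions of every matched
    rule accumulate until the first terminal action, which stops processing.  A
    content-filtering match skips the antispam and threat-protection rules."""
    if sum(r.kind == "threat_protection" for r in policy.rules) > 1:
        raise ValueError("a policy can include only one Threat Protection rule")
    applied: List[str] = []
    content_filter_hit = False
    for kind in RULE_ORDER:
        if content_filter_hit and kind in ("antispam", "threat_protection"):
            continue
        for rule in (r for r in policy.rules if r.kind == kind):
            action = rule.decide(msg)
            if action is None:
                continue
            content_filter_hit = content_filter_hit or kind == "content_filtering"
            applied.append(action)
            if action in TERMINAL:
                return applied
    return applied


# The guide's default policy: quarantine executable attachments, quarantine spam
# or graymail, quarantine High/Medium risk threats and tag Low risk ones.
DEFAULT_POLICY = Policy("Default Policy", priority=100, rules=[
    Rule("content_filtering", "Executable attachment", lambda m: "Block and quarantine"
         if any(a.lower().endswith(".exe") for a in m.attachments) else None),
    Rule("antispam", "Spam or graymail", lambda m: "Block and quarantine" if m.is_spam else None),
    Rule("threat_protection", "Viruses and other malware", lambda m: {
        "High": "Block and quarantine", "Medium": "Block and quarantine", "Low": "Tag"}.get(m.risk)),
])

# Constructed higher-priority policy that only tags executables sent to one domain.
FINANCE_POLICY = Policy("Finance", priority=10, recipients="@finance.example.com", rules=[
    Rule("content_filtering", "Tag executable attachment", lambda m: "Tag"
         if any(a.lower().endswith(".exe") for a in m.attachments) else None),
    Rule("threat_protection", "Viruses and other malware", lambda m: "Block and quarantine"
         if m.risk in ("High", "Medium") else None),
])
POLICIES = [DEFAULT_POLICY, FINANCE_POLICY]


def dispose(policies: List[Policy], msg: Message) -> List[str]:
    """Select the applicable policy and return the actions taken on the message."""
    policy = select_policy(policies, msg)
    return apply_policy(policy, msg) if policy else []
```

Note the Finance case: because its content-filtering rule matches first, the High-risk threat-protection rule is never evaluated, which is exactly what the scanning-sequence note warns about.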
DLP Rules
DDEI evaluates a file or data against a set of Data Loss Prevention (DLP) rules in policies. DLP
rules determine the files or data that require protection from unauthorized transmission and the
action that DDEI performs after detecting a transmission.
Antispam Rules
Deep Discovery Email Inspector uses antispam rules to scan messages identified as spam or
graymail.
Note: To maximize spam protection, configure Deep Discovery Email Inspector to use Email
Reputation Services (ERS) technology. For more information on enabling Email Reputation Services,
refer to the DDEI Online Help.
Additionally, Graymail exceptions can be configured in Deep Discovery Email Inspector to bypass
graymail scanning for messages from trusted IP addresses.
You can create threat protection rules to scan messages for viruses and other malware such as
spyware and worms.
Configuring Alerts
Deep Discovery Email Inspector can trigger system and security alerts and send email notifications.
Alert severity levels can be Critical, Important, and Informational.
Alerts are configured under Alerts/Reports/Rules as illustrated below. Here you can define the alert
email content and a list of recipients.
Generating Reports
Deep Discovery Email Inspector can generate reports on demand or periodically. Generated reports can
be accessed from the Deep Discovery Email Inspector web console in the Reports screen. Scheduled
reports can also be sent over to designated email addresses.
Additionally, reports can be generated instantly at any time. It is possible to generate an
on-demand report for 1 day, 1 week, or 1 month, starting at any point in time since Deep
Discovery Email Inspector first came into operation.
On-demand reports are stored in the Generated Reports screen. If you have specified
recipient email address(es), the generated report is also emailed accordingly.
Deep Discovery Email Inspector provides a complete set of filters for the Message Tracking events
view. In busy networks, these filters ensure efficient and fast security operations with real-time
instant searches on relevant data. The events in the Message Tracking logs can also be exported in CSV
format if needed.
Note: In BCC/TAP mode, the status “Delivered” means that the message has been discarded, and the
status “Queued for delivery” means that it has been queued to be discarded.
Click any event in the Message Tracking logs to obtain details on the analyzed email such as
the source IP of the sender (if available), the processing history, and optionally the actions taken.
The View in Quarantine and Release from Quarantine actions will only appear when the Status
indicates “Quarantined”. Additionally, the View in Detected Messages action will appear when the
Risk Level is equal to “Low”, “Medium” or “High”.
MTA Logs
The MTA logs record all Mail Transport Agent (MTA) events.
These logs can be consulted to help troubleshoot postfix mail delivery issues on the Deep Discovery
Email Inspector appliance. MTA logs show all postfix messages, including smtpd, qmgr, master,
postfix-script and cleanup events. To see specific events, you can enter a search string in the
Description field and click Query. Additionally, you can export all of the events listed to a CSV formatted
file for external processing.
System Logs
The System Logs record Deep Discovery Email Inspector system operation events.
The System Logs can be used to help troubleshoot and/or audit Deep Discovery Email Inspector
appliance operational issues or system events. Events including user audit trails, system
maintenance, engine and pattern updates and others can be viewed through the System Logs.
To focus on specific events, you can narrow the search down by time period.
You can search for queued messages, or select to deliver, reroute and delete them.
System Administration
Important system administration and management functions for Deep Discovery Email Inspector can be
accessed from the Administration tab in the web console.
The sections that follow identify common administrative and management tasks that administrative
users are likely to perform in their daily functions.
Component Updates
Pattern and engine updates can be scheduled or forced manually. If required, all engines
and patterns can be rolled back to the previous version stored on the appliance.
The versions listed under New Version indicate the latest versions that are available compared to
the current versions listed. To update the components, click the Update option.
Note: A full update may take up to 15 minutes depending on the appliance’s geographical location and
available network bandwidth.
Component updates are generally performed by scheduling them. Scheduling options are illustrated
below:
Note: By default, Scheduled Update is enabled and DDEI checks for patterns and engines updates every
15 minutes.
You can select Source to view the location from which updates are fetched. By default, all
updates are fetched from the standard Trend Micro ActiveUpdate server.
In certain cases, administrators may need to set the update source to a custom
update server address. (This is usually a special case.)
A Hot Fix file is a compressed file (*.tgz.tar file) which has to be uploaded to Deep Discovery
Email Inspector from the administrator’s computer through the web interface.
Note: The installation process of the hot fix or patch can take several minutes and could require a
system restart. Therefore, updates should be planned during off-business hours.
Deep Discovery Email Inspector patches and fixes can be obtained from the Trend Micro Download
Center (downloadcenter.trendmicro.com).
Updating Firmware
From the Product Updates page in the web console, you can select Firmware to upgrade your
Deep Discovery Email Inspector appliance to the latest version.
The Firmware update file is a compressed file (*.tgz file) which has to be uploaded into Deep
Discovery Email Inspector from your computer using the web interface.
Mail Settings
The following sections describe additional mail settings that can be configured to enable specific
mail features in Deep Discovery Email Inspector such as:
• Time-of-Click Protection
• Business Email Compromise
• File Passwords
• Sender Filtering / Authentication
• End-User Quarantine
Time-of-Click Protection
Deep Discovery Email Inspector registers to the Time-of-Click protection server the first time the
license activation code is entered into the Deep Discovery Email Inspector license page. If for any
reason the registration fails on the first attempt, Deep Discovery Email Inspector will keep trying
in the back-end to register until the registration is successful. It will do this without displaying
any error or warning messages to the administrative users.
Although Time-of-Click actions are set in the Deep Discovery Email Inspector web console, the
configurations are actually stored in the Smart Protection Network CTP server. Deep Discovery
Email Inspector calls the CTP web service APIs to retrieve and update these configurations.
For each URL risk level (High, Medium, Low and Unrated URLs), the action carried out when a
user clicks on that URL can be:
• Bypass: redirect to original URL
• Warn: show block page but still allow access to the original URL
These Time-of-Click protection actions can be configured from the Deep Discovery Email
Inspector web console under Administration > Scanning / Analysis > Time-of-Click Protection as
shown here in the screen capture. The default value for high-risk URLs is Block. Recall that High
risk URLs are suspected to be fraudulent or possible sources of threats.
While Trend Micro actively tests URLs for safety, users may encounter unrated pages when
visiting new or less popular websites. Blocking access to unrated pages can improve safety but
can also prevent access to safe pages.
Deep Discovery Email Inspector includes Business Email Compromise (BEC) protection to
protect organizations against sophisticated scams, for example, wire transfers to international
clients.
BEC scams usually exploit vulnerabilities in different email clients and make an email message
look as if it comes from a trusted sender.
You can configure the following settings in Deep Discovery Email Inspector to effectively protect
your organization against BEC scams:
• Scan email messages from/to specified high-profile users to block social engineering/
phishing attacks
• Check sender and recipient domain information against Internal Domains list to prevent
email message spoofing
File Passwords
In order to analyze emails containing archive or file attachments that have been password
protected, you will need to specify a list of passwords which will be used to decrypt them.
Passwords can be imported from a text (.txt) file (one password per line) or they can be added in
manually.
Sender Filtering/Authentication
If you are using Sender Filtering, note that the Sender Filtering settings block senders of
spam messages at the IP address or sender email address level, before the message enters the
scanning process. In other words, Sender Filtering does not work at the policy level.
Sender Filtering/Authentication includes the following features:
• Email Reputation
• Approved Sender (Allow List)
• Blocked Senders (Deny List)
• DHA (Directory Harvest Attack) Protection
• Bounce Attack Protection
• SMTP traffic Throttling
• SPF
• DKIM Authentication
• DKIM Signatures
Note: The Approved Senders list takes precedence over entries in the Blocked Senders list.
End-User Quarantine
End-User Quarantine functionality gives end-users web console access to manage their
quarantined detections, for example, to decide whether an email is really spam or not and,
if necessary, release the message.
End-User Quarantine console access can be enabled under Administration > End-User
Quarantine.
Once it has been enabled, the link for end-users to access the End User Quarantine web console
is: https://<DDEI server IP address>:4459
The EUQ digest is a notification that Deep Discovery Email Inspector sends to inform users about
email messages that were detected as spam and temporarily stored in the End-User Quarantine.
System Settings
Deep Discovery Email Inspector system settings can be configured on a per interface basis or system
wide.
Per Interface
Network interface settings for your device are configured from the Network tab under
Administration > System Settings as described below.
• Network interfaces can be configured here with an IP address and subnet mask
• Both IPv4 and IPv6 are supported
• At least the Management Interface (always eth0) has to be set with an IP address and subnet mask
• The Management Interface has to be set via the CLI before the DDEI web interface can be used. Later it
can be changed via the web interface in this screen
• The status of each interface is indicated by an icon next to the interface name.
System Wide
Additionally, system-wide settings can be configured from the Network tab under
Administration > System Settings. These include:
• Host name, default gateway and primary DNS server for IPv4 are mandatory and have to
be set
• Optionally, a secondary DNS server for IPv4, and a default gateway and DNS servers for
IPv6 can be configured.
Deep Discovery Email Inspector requires Internet access to perform various functions including
updates to patterns and engines for example. If the Deep Discovery Email Inspector system
does NOT have direct Internet access, you must configure a proxy server as illustrated below.
In the web console under System Settings > Proxy, configure the proxy settings needed for
access to the Internet. Available options are: HTTP, SOCKS4 and SOCKS5.
SMTP
If using email notifications, you must configure settings for an internal or external SMTP server
under System Settings > SMTP.
Note: In BCC and SPAN/TAP mode, Deep Discovery Email Inspector can only use an EXTERNAL SMTP
server for sending notifications.
Syslog Integration
Remote syslog servers can be configured to share system, detection and VA log data.
A remote syslog server can be configured on any port and supports the UDP, TCP and SSL protocols. For
out-of-the-box integration with ArcSight, QRadar, Splunk and other SIEM products, data can be
formatted in CEF, LEEF or Trend Micro Event Format (TMEF). Under Scope, you can select
individual logs to include or exclude.
Storage Maintenance
To free up some storage space on the Deep Discovery Email Inspector appliance, use the
settings under Administration > System Maintenance > Storage Maintenance.
From here, you can delete all log data older than a certain number of days (the default is 3 days).
Additionally, you can configure the quarantine folder sizes and the tolerance margin for free space
before automated clean-ups are performed.
Debug Logs
Debug log data can be requested by a Trend Micro support team member for troubleshooting
purposes. The log settings are located under Administration > System Maintenance > Debug
Logs. Here you can select the number of days of debug logging you wish to export. You can
additionally set the Log Level to Error or Debug.
When exporting the debug logs, the log data is exported to a compressed file with the
name CDT-YYYYMMDD-HHMMSS.zip.
Note: The debug log export process can take up to one hour.
Once the file has been exported a Download button will appear. Clicking it will download the
export file to the local workstation. The maximum number of days available to export is 10.
To troubleshoot detection issues, you can use the Network Services Diagnostics tool under
Administration > System Maintenance to test network connectivity to the Proxy server and the SPS and SPN
services used by Deep Discovery Email Inspector.
For proper detection functionality, the Deep Discovery Email Inspector must be able to connect
to these services.
Documentation
This selection opens a new browser connection to the Trend Micro download portal where you
can download product administrator guides and other reference guides.
Online Help
This selection opens a new browser connection to the Deep Discovery Email Inspector product
HTML help.
Threat Encyclopedia
This selection opens a new browser connection to the Trend Micro Threat Intelligence portal. It
includes recent important security news and information on recent web attacks, malware,
vulnerabilities, spam, and malicious URLs.
About
This selection shows product name, version, build number, latest installed hotfix, and a short
product description with a copyright information. There is also a link for information on
third-party software that is used in Deep Discovery Email Inspector.
Key Features
Deep Discovery Director can simplify management within your Deep Discovery environments by
providing the following key benefits:
• Centralized deployment of Virtual Analyzer images
• Shared folder and SFTP Virtual Analyzer image upload
Deep Discovery Director now supports deployment of Linux-based Virtual Analyzer images to
managed Deep Discovery appliances.
Deep Discovery Director now supports syncing of Network Asset settings to managed Deep
Discovery Inspector and Deep Discovery Director - Network Analytics products.
Deep Discovery Director can now send alert notifications when correlated events have been
found for user-defined suspicious objects.
The Domain Exceptions, Priority Watch List, Registered Domains, Network Groups, and
Registered Services Network Analytics settings can now be found under the menu Appliances >
Network Assets.
Note: Network Analytics status information and data source configuration screens remain under
Administration > Network Analytics.
System Requirements
Deep Discovery Director is only available as a Virtual appliance supported on a VMware platform. Some
requirements for installing Deep Discovery Director include the following:
Hardware Requirements
• Network interface card: 1 with E1000 or VMXNET 3 adapter
• SCSI Controller: LSI Logic Parallel
• CPU: 1.8GHz (at least 4 cores)
• Memory: 8GB
• Hard disk: 135GB (thin provisioned)
Note that the CPU, memory, and hard disk requirements increase with the number of Deep Discovery
appliances that Deep Discovery Director is expected to aggregate detection logs from. The following
table can be used as a general sizing guideline.
Deep Discovery appliances   Log retention (days)   CPU (cores)   Memory (GB)   Hard disk (GB)
1                           30                     4             8             135
5                           90                     4             8             225
5                           180                    4             8             315
15                          180                    8             16            665
25                          180                    8             16            1010
Note: Deep Discovery Director (Consolidated Mode) does not support the VMXNET 2 (Enhanced)
adapter type. For port binding, specify the same adapter type to use for all network interface
cards.
Management Console
• Google Chrome(TM) 46.0 or later
• Mozilla(TM) Firefox(TM) 41.0 or later
• Microsoft(TM) Internet Explorer(TM) 11.0
• Recommended resolution: 1280 x 800 or higher
Port Requirements
• TCP 443 (Deep Discovery Director connection)
• UDP 123 (default NTP server connection)
Planning a Deployment
Components
Deep Discovery Director uses the following components to enable centralized deployment of product
updates, product upgrades, and Virtual Analyzer images, as well as configuration replication and log
aggregation.
Note: If you plan on uploading and deploying multiple larger Virtual Analyzer images (20GB to 30GB),
set the hard disk size accordingly. A general recommendation is to set the Local Repository
server hard disk size to the same as the Central Repository server hard disk size.
IMPORTANT: Local Repository servers download all update, upgrade, and Virtual Analyzer image
files from the Central Repository server. Setting the Local Repository server hard disk size lower
than the Central Repository server hard disk size may cause Local Repository servers to be
unable to download and send files required to execute plans to managed appliances.
All Deep Discovery Director components run on a single platform. In previous versions of Deep
Discovery Director, there was the option to either install each component on a dedicated server
(Distributed Mode) or install all components on a single server (Consolidated Mode), depending on the
requirements of your network and organization. This is no longer the case. If you are using the latest
version of Deep Discovery Director (v 5.3), you can only deploy Deep Discovery Director in
consolidated mode. This provides a more straightforward approach to the management and
maintenance of your Deep Discovery Director.
[Figure: Deep Discovery Director (DDD) components, connected over https (443)]
4 Next, in the Deep Discovery Director Components screen select the option Install all components.
5 When the License Agreement screen appears, click Accept to proceed with the installation.
6 Next, in the Disk Selection screen, select a disk that meets the minimum requirements for Deep
Discovery Director based on how many appliances you will have. Click Continue.
7 The Hardware Profile screen will appear if the system hardware check is successful.
If, however, the hardware check fails because the VM you are installing on does NOT meet the
minimum hardware requirements, you will see the following screen:
You will need to cancel the installation in this case, and re-attempt the install once you have
configured the correct requirements for your VM.
8 Once the system hardware check passes, configure the log space for Deep Discovery Director in
the following Disk Space Configuration screen.
9 Click Continue. The Deep Discovery Director will now proceed with the installation. This process
will take a few minutes.
Once the installation has completed, you will be prompted to log into the Pre-Configuration
console to configure some initial system settings for the Deep Discovery Director.
3 In the Main Menu screen select Configure network settings and then press ENTER.
4 Next, from the Configure Network Settings screen, configure the following settings for Deep
Discovery Director:
Note: Only IPv4 settings can be configured from the Pre-Configuration console. To configure IPv6 and
port binding, you can use the Network menu from the Deep Discovery Director’s web-based
management console.
5 Once you have configured the above network settings, press TAB to navigate to Save, and then
press ENTER.
The Main Menu screen will reappear after the settings are successfully saved.
After a successful login, the Deep Discovery Director console will appear as follows:
Once you have obtained the Deep Discovery Director’s API key you can complete the following
process for connecting your Deep Discovery appliances to Deep Discovery Director. In this
example, Deep Discovery Inspector is being added as a managed product to Deep Discovery
Director.
1 Log on to Deep Discovery Inspector and go to Administration > Integrated Products/Services >
Deep Discovery Director.
2 Enter the Deep Discovery Director Management Server IP address and API Key, then click
Register.
3 Under the Appliance Details, ensure that the Deep Discovery Inspector appliance is registered
and connected.
Note: If Deep Discovery Director is not directly reachable, a proxy server can be configured to establish
a connection to it.
4 Once you have successfully registered your Deep Discovery device with Deep Discovery Director,
the device will be added to the Unmanaged device list under Appliances > Directory page as
follows:
To begin managing this device through Deep Discovery Director, you will need to move this
device from the Unmanaged group into the Managed group as described next.
5 Click the device name that appears under the Unmanaged folder, then click on the 3 vertical dots.
6 Next, select Move and, from the pop-up, select the Managed folder, then click Move.
Once the appliance has been moved to the Managed group, Deep Discovery Director is able to
begin managing it. If necessary, edit the device name for easier identification, especially if the
device is using the default host name “localhost”.
Note: Adding a name for the managed device does not change the host name of the device itself.
In this example, the DDI device being managed appears with the default host name “localhost” because a
host name was not specified when this DDI was configured. Editing an appliance and adding a descriptive
name for it tells you exactly which device in your organization it is.
You can also create separate folders under the Managed folder to organize the managed devices in a
more structured way that reflects, for example, your network or your organization.
The maximum folder depth is four levels (three sub-folder levels under the Managed folder). This is
very useful for larger deployments with hundreds of devices to manage. In this case, you could
structure your devices by Region, Business Unit, Network Profile, and so on.
Note: Newly added appliances that are still in the Unmanaged folder cannot be managed (added to
deployment plans, etc.) unless they are moved to the Managed folder (or sub-folders within it).
Additionally, by clicking the drop down for the All filter, you have the ability to further filter your
devices by product type as follows:
User Accounts
A user account is needed for accessing the web console and managing Deep Discovery Director.
Although there is a default admin account that can be used, separate user accounts should be
created for access to Deep Discovery Director, to control access and permissions.
For details on AD and SAML authentication, refer to the DDD Online Help.
Roles
Roles allow administrators to control which management console screens and features can be
accessed by Deep Discovery Director users. Administrators can also create custom roles to
control which appliances a role can see and manage.
Note: The “Investigator” role is able to download malicious sample files, the investigation package, and
the PCAP file for threat analysis.
Administrators can additionally create custom roles that define the scope of permissions for
appliance management. An administrator can customize the role permissions for specific operation
requirements.
To add a new syslog server, go to Administration > Integrated Products/Services > Syslog and click
Add.
Before you can create and run deployment plans, you must first populate the Deep Discovery Director
Repository by uploading all the components that will be needed for planned deployments to your
managed devices, including hotfixes, critical patches, new firmware images, Virtual Analyzer images,
and so on.
The Deep Discovery Director Repository can be accessed from the Deep Discovery Director web console
under Appliances > Repository. For example, to upload the latest patch for Deep Discovery Analyzer, click
Upload > Select.
Next, browse to the folder on your local computer where you have downloaded a copy of the Deep
Discovery Analyzer patch and select Upload. After the patch has been uploaded into the Deep Discovery
Director, it will be listed in the Repository.
For example, to deploy a firmware update to a Deep Discovery Analyzer device that is currently being
managed by Deep Discovery Director the process is as follows:
• Go to Appliances > Plans.
• Click + Add to add a new deployment plan
• Within the Add Plan screen in the Details section, configure the following:
• Expand the Hotfix /Critical Patch /Firmware section and select the radio button to enable the
DDAN hotfix:
• Scroll down to and expand the Targets section and enable the checkbox to select the device
that will require the update. In this example, the DDAN is selected:
• Scroll down to the Schedule section, and select one of the following options:
As with all the Deep Discovery solutions previously discussed, the Detections management functions in
Deep Discovery Director are the same, including custom columns, advanced search queries, and
hyperlinks to related events. The value provided by Detections in Deep Discovery Director is that you now
have access to all detections across all devices connected to Deep Discovery Director, providing a more
holistic view for better threat management.
Here on the Affected Hosts page, you can view all the hosts that have been involved in one or
more phases of a targeted attack.
On the Network Detections page, you can see the hosts with detections from all event logs,
including global intelligence, user-defined lists, and other sources.
Clicking on the number hyperlinks redirects you to the Detections page, where you can view all the
details that exist for these detected events.
For example, clicking on the hyperlink number “2” for detections of potential threats shown above
redirects to the following Detections list (filtered by Potential Threats) for easy access to these
related events.
Deep Discovery Email Inspector assigns a risk rating to each email message based on the
investigation results. In the Deep Discovery Director, you can query detected email messages to:
• Better understand the threats affecting your network and their relative risk
• Find senders and recipients of detected messages
• Understand the email subjects of detected messages
• Research attack sources that route detected messages
• Discover trends and learn about related detected messages
• See how Deep Discovery Email Inspector handled the detected message
Configuring Alerts
Email alerts can be used to notify Administrators of important Email Security events (Deep Discovery
Email Inspector) and Network Detections (Deep Discovery Inspector). Triggered alerts are located in
the DDD web console under Alerts > Triggered Alerts.
When this alert is triggered a notification email can be sent to all accounts if SMTP settings
have been configured for your mail server.
Details for the triggered alert can be viewed in the email notification using the provided URL that
redirects you to the Deep Discovery Director web console.
The default Built-in Rules are shown below. Under Status, you can see which of the alert rules are
enabled by default.
Notice that all the Email Security rules are enabled by default, except for Watchlisted recipients
at risk.
In the above illustration, clicking + Add Rule provides the following configuration settings for a new
alert rule:
Threat sharing is important because it allows integrated products and services to act on defined
threat objects if they are encountered. This provides security analysts with a more comprehensive
defense against advanced persistent threats and targeted attacks.
Indicators of Compromise
An Indicator of Compromise (often abbreviated to IoC) is a condition or behavior observed in the
network or in an operating system during forensics that strongly indicates a computer intrusion or
network attack.
Typical IoCs are virus signatures, IP addresses, MD5 hashes of malware files, and URLs or domain
names of botnet command and control servers.
After IoCs have been identified in a process of incident response and computer forensics, they can be
used for early detection of future attack attempts using intrusion detection systems and antivirus
software.
When suspicious objects are collected from the Virtual Analyzer during run-time sandbox
simulation, Deep Discovery Inspector can send information about the threat object (IP, URL, SHA-1,
Domain) to Deep Discovery Director for local sharing.
Other Deep Discovery products can synchronize with Deep Discovery Director to obtain updated
Suspicious Object Lists. These products, in turn, will send incident logs back when those objects are
detected.
Suspicious objects can also be submitted to the Trend Micro Smart Protection Network for public
sharing if Smart Feedback is enabled.
Virtual Analyzer-detected Suspicious Objects are collected from Virtual Analyzer detections
during run-time sandbox simulation in the Deep Discovery Inspector internal Virtual Analyzer,
Deep Discovery Analyzer, or the Deep Discovery Email Inspector internal Virtual Analyzer. Available
Suspicious Object types include: IP, URL, Domain, SHA-1, SHA-256. These can be found in Threat
Intelligence > Product Intelligence > Synchronized Suspicious Objects. As an administrator, you
have the option of setting the expiration on SOs synced from the integrated products using the
gear icon located in the top-right corner of the page.
User-defined Suspicious Objects can be added by users manually, pulled from a subscription feed,
or pushed by TAXII clients.
The following shows a user-defined suspicious object being added through the Deep Discovery
Director web console. Available Suspicious Object types include: IP, URL, Domain, and SHA-1.
C&C Callback Addresses are collected from Deep Discovery Inspector detection logs. Available
Suspicious Object types include: IP, URL and Domain.
Exception Lists
Exception lists are used to configure conditions that can be exempted from the configured
detection rules. Exceptions help to reduce false positives.
Configured exceptions are exchangeable across all Deep Discovery products. Available
Suspicious Object types include: IP, URL, Domain, and SHA-1 (hash of a file object).
YARA Rules
YARA rules are malware detection patterns that are fully customizable to identify targeted
attacks and security threats specific to your environment.
Unlike the other IoC categories, a YARA rule is defined using its own data format and types.
Note: YARA rules on connected devices will be overwritten when syncing with DDD. If needed, they
should be exported and added to Deep Discovery Director.
YARA rules are added under Threat Intelligence > Custom Intelligence. Additionally, to access the
detections for a matched YARA rule, use the hyperlinks in the last two columns as follows:
This redirects to the Detections page where more information can be obtained. In this case, the
detection was an email message:
The details page provides further information about the detection. Note the Identified By
column.
Trend Micro products (for example, Apex One) synchronize with Apex Central to obtain updated
Suspicious Object Lists. These products, in turn, send incident logs back when those objects are detected.
Deep Discovery Director is able to share and receive threat intelligence objects with these products and
services including:
• Suspicious Objects and C&C Callbacks
• Custom Intelligence – YARA, STIX, User-Defined
• External TAXII Feeds
• Intelligence Sharing – TAXII, Web, COTS integration
This allows integrated products and services to act on these threat objects if encountered which provides
a more comprehensive defense against advanced persistent threats and targeted attacks.
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator
Information (TAXII) are standard formats that can be used to more quickly analyze and exchange threat
information between organizations. These are described in the following sections.
STIX
Structured Threat Information Expression (STIX™) is an open source structured language for
describing Cyber-Threat Information so that it can be shared, stored, and analyzed in a consistent
manner. STIX describes the following:
• What a specific threat looks like
• What infection area or capabilities this threat has
• Potential mitigation plans for this type of threat
Contributing and ingesting Cyber-Threat Intelligence becomes a lot easier with STIX. All aspects of
suspicion, compromise and attribution can be represented clearly with objects and descriptive
relationships.
STIX information can be visually represented for an analyst or stored as JSON to be quickly machine
readable. STIX's openness allows it to be integrated into existing tools and products or used for your
specific analyst or network needs.
STIX Objects
The STIX language uses objects to categorize each piece of information, with specific attributes
to be populated. Chaining multiple objects together through relationships allows for simple or
complex representations of Cyber-Threat Intelligence.
[Figure: example STIX objects chained by relationships labeled indicates, targets, and attributed-to]
Note: Complete information for STIX 2 is available on the OASIS Cyber Threat Intelligence (CTI)
Technical Committee (TC) website: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=cti
STIX Relationship Objects (SROs)
Relationship: Used to link together two SDOs or SCOs in order to describe how they are related to
each other.
STIX Structure
STIX objects are represented in JSON. The following is a JSON-based example of a STIX 2.1
Campaign object:
{
"type": "campaign",
"id": "campaign--8e2e2d2b-17d4-4cbf-938f-98ee46b3cd3f",
"spec_version": "2.1",
"created": "2016-04-06T20:03:00.000Z",
"modified": "2016-04-06T20:03:23.000Z",
"name": "Green Group Attacks Against Finance",
"description": "Campaign by Green Group against targets in the financial services sector."
}
STIX information imported from STIX files added through the Deep Discovery Director web
console (or downloaded from an external TAXII source) is always merged into the
User-Defined Suspicious Objects pool.
STIX objects are handled the same way as User-Defined Suspicious Objects are handled during
the synchronization process with other Deep Discovery products.
STIX information in this section is provided by the OASIS Cyber Threat Intelligence (CTI) Technical
Committee (TC) website. The references used include the following:
• https://oasis-open.github.io/cti-documentation/stix/intro
• https://oasis-open.github.io/cti-documentation/examples/visualized-sdo-relationships
• https://oasis-open.github.io/cti-stix-visualization/
• https://stixproject.github.io/about/
TAXII
Trusted Automated Exchange of Intelligence Information (TAXII™) is a standards-based transport
protocol that simplifies and speeds up the process for securely exchanging cyber-threat information
over HTTPS.
TAXII defines a set of services and message exchanges that, when implemented, enable sharing of
actionable cyber-threat information across departments, organizations, or companies for the
detection, prevention and mitigation of cyber-threats. TAXII eliminates the need for custom IOC
sharing and is ideal for widespread automated exchange of cyber-threat information.
TAXII also defines a RESTful API (a set of services and message exchanges) and a set of requirements
for TAXII Clients and Servers.
TAXII defines two primary services to support a variety of common sharing models:
Collections and Channels can be organized in different ways. For example, they can be grouped to
support the needs of a particular trust group.
A TAXII server instance can support one or more API Roots. API Roots are logical groupings of
TAXII Channels and Collections and can be thought of as instances of the TAXII API available at
different URLs, where each API Root is the “root” URL of that particular instance of the TAXII
API.
TAXII relies on existing protocols when possible. In particular, TAXII Servers are discovered within
a network via DNS Service records (and/or by a Discovery Endpoint, described in the next
section). In addition, TAXII uses HTTPS as the transport for all communications, and it uses HTTP
for content negotiation and authentication.
TAXII was specifically designed to support the exchange of threat intelligence represented in
STIX, and support for exchanging STIX 2.1 content is mandatory to implement. However, TAXII
can also be used to share data in other formats. It is important to note that STIX and TAXII are
independent standards: the structures and serializations of STIX do not rely on any specific
transport mechanism, and TAXII can be used to transport non-STIX data.
TAXII design principles include minimizing operational changes needed for adoption; easy
integration with existing sharing agreements, and support for all widely used threat sharing
models: hub-and-spoke, peer-to-peer, source-subscriber.
While STIX is a descriptor format (similar to pattern files used by traditional security products),
TAXII provides a way of subscribing as well as publishing the actual STIX descriptors using the
network. For example, a company can use the National Cybersecurity and Communications
Integration Center’s (NCCIC) STIX feed by subscribing to it. Once subscribed, they will be able to
obtain all the latest signatures from that US-CERT STIX feed.
Note: Today, most vendors are supporting STIX and TAXII. Trend Micro publishes STIX-based threat
information (on top of its regular pattern files and signatures).
This section is provided by the OASIS Cyber Threat Intelligence (CTI) Technical Committee (TC)
website. The references used include the following:
• https://oasis-open.github.io/cti-documentation/resources.html#taxii-21-specification
Furthermore, Deep Discovery Director is able to take detection information and publish it downstream to
additional STIX/TAXII clients that can also consume this information.
Using STIX and TAXII in Deep Discovery Director, Security Operations Center (SOC) teams can
automatically publish STIX information between different departments to rapidly send and receive
samples and also carry out response plans more quickly.
Deep Discovery Director is able to operate as a STIX and TAXII exchange. This means that Deep
Discovery Director is able to subscribe to STIX feeds, such as the US-CERT feed, for example.
To enable the TAXII server in Deep Discovery Director so that it can exchange threat
intelligence with integrated products, the following setting must be enabled through the web
console under Threat Intelligence > Sharing Settings.
Deep Discovery Director includes the following support for STIX 2.0 and TAXII 2.0:
• Users can import STIX 2.0 from the Deep Discovery Director web console
• Users can also import STIX 2.0 files to the writable collection of TAXII 2.0 server in Deep
Discovery Director
• A TAXII 2.0 server has been added to share imported STIX 2.0 files and those generated
from Suspicious Objects
• In the TAXII feed management configuration, users can subscribe to TAXII 2.0 servers
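As an added example (not Trend Micro code and not the product's own import logic), the following Python takes a STIX 2.1 bundle of the kind shown in the STIX Structure section above, or the "objects" envelope a TAXII 2.1 collection returns, and extracts the User-Defined Suspicious Object types the guide lists (IP, URL, Domain, SHA-1), skipping unsupported observables, revoked indicators and indicators whose valid_until has passed. The path-to-type mapping, the expiry handling, and the sample bundle with its IDs, addresses and hashes are constructed assumptions.

```python
"""Added example (not Trend Micro code): extract Deep Discovery Director
User-Defined Suspicious Object candidates (IP, URL, Domain, SHA-1) from a STIX
2.1 bundle or from the "objects" envelope a TAXII 2.1 collection returns. The
type mapping, expiry handling and sample bundle are constructed assumptions."""
import json
import re
from datetime import datetime, timezone

# One comparison inside a STIX pattern: <object-type>:<property path> = '<value>'
_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")
# STIX observable property path -> DDD suspicious object type (assumed mapping;
# anything not listed, e.g. an MD5 hash, is ignored).
_PATH_TO_SO_TYPE = {
    "ipv4-addr:value": "IP",
    "ipv6-addr:value": "IP",
    "url:value": "URL",
    "domain-name:value": "Domain",
    "file:hashes.'SHA-1'": "SHA-1",
    "file:hashes.SHA-1": "SHA-1",
}
_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")

def _parse_timestamp(value):
    """STIX timestamps are RFC 3339 in UTC with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def _normalise(so_type, value):
    """Canonicalise a value, or return None if it is not usable as that type."""
    value = value.strip()
    if so_type == "SHA-1":
        value = value.lower()
        return value if _SHA1_HEX.match(value) else None
    if so_type == "Domain":
        return value.lower().rstrip(".")
    return value

def extract_suspicious_objects(stix_json, now=None):
    """Return [{'type', 'value', 'indicator'}] for every supported observable in
    non-revoked, non-expired Indicator objects, without duplicates. `now` is an
    RFC 3339 timestamp string for the expiry check (default: current UTC time)."""
    now_dt = _parse_timestamp(now) if now else datetime.now(timezone.utc)
    seen, result = set(), []
    for obj in json.loads(stix_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue  # YARA/Snort patterns belong to a different DDD category
        valid_until = obj.get("valid_until")
        if valid_until and _parse_timestamp(valid_until) <= now_dt:
            continue  # expired: do not push it into the suspicious object pool
        for path, raw in _COMPARISON.findall(obj.get("pattern", "")):
            so_type = _PATH_TO_SO_TYPE.get(path)
            if so_type is None:
                continue
            value = _normalise(so_type, raw)
            if value is None or (so_type, value) in seen:
                continue
            seen.add((so_type, value))
            result.append({"type": so_type, "value": value,
                           "indicator": obj.get("id", "")})
    return result

def _indicator(n, name, pattern, **extra):
    """Build a minimal constructed STIX 2.1 Indicator for the sample bundle."""
    ind = {"type": "indicator", "spec_version": "2.1",
           "id": f"indicator--{n * 8}-{n * 4}-4{n * 3}-8{n * 3}-{n * 12}",
           "created": "2024-01-01T00:00:00.000Z",
           "modified": "2024-01-01T00:00:00.000Z",
           "name": name, "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2024-01-01T00:00:00Z"}
    ind.update(extra)
    return ind

# Constructed sample bundle; IDs, addresses and hashes are illustrative only.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        _indicator("2", "C&C callback", "[ipv4-addr:value = '203.0.113.10'] OR "
                   "[domain-name:value = 'C2.Example.NET.']"),
        _indicator("3", "Dropper", "[url:value = 'http://c2.example.net/gate.php'] "
                   "AND [file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']"),
        _indicator("4", "Payload hash", "[file:hashes.'SHA-1' = "
                   "'DA39A3EE5E6B4B0D3255BFEF95601890AFD80709']"),
        _indicator("5", "Old hash", "[file:hashes.'SHA-1' = "
                   "'0000000000000000000000000000000000000000']",
                   valid_until="2024-02-01T00:00:00Z"),
        {"type": "campaign", "spec_version": "2.1",  # not an indicator: ignored
         "id": "campaign--66666666-6666-4666-8666-666666666666",
         "created": "2024-01-01T00:00:00.000Z",
         "modified": "2024-01-01T00:00:00.000Z", "name": "Constructed campaign"},
    ],
})

if __name__ == "__main__":
    for so in extract_suspicious_objects(SAMPLE_BUNDLE, now="2024-03-01T00:00:00Z"):
        print(f"{so['type']:7} {so['value']}  (from {so['indicator']})")
```

Run against the constructed bundle with now set to 2024-03-01, the MD5 observable and the campaign object are ignored and the expired hash is dropped, leaving one IP, one Domain, one URL and one SHA-1.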
Lesson Objectives:
Introduction
In many organizations, the broadened attack surface, along with the volume and complexity of threats,
has complicated the job of the security analyst. Investigating and dealing with malware, threats and
attacks is complicated even further by silos of visibility. While Endpoint Detection and Response (EDR)
functionality in desktop security applications, like Trend Micro Apex One, can provide detailed visibility
into suspicious activities on endpoint computers, attacks rarely stay siloed within the endpoint
environment. Malware can move throughout the environment, possibly affecting servers, cloud
workloads, email systems and more. If separate siloed views of security alerts for network traffic analysis,
server and cloud workloads, email and endpoints are in place, it can be difficult for the security team to
piece together viewpoints of these silos to figure out what has happened and what areas were affected
by the attacks.
Each of these silos of security details may be sending an overwhelming volume of alerts to the SIEM
without any context or correlation with other events. This makes it difficult to decide what is important
and how alerts are related.
An Extended Detection and Response (XDR) approach delivers faster detection and response across the
entire environment since it breaks down these different silos of visibility and it tells a story of the attack
without making the Security Operations team dig through a huge collection of noisy alerts. XDR collects
telemetry from endpoints, servers in the data center or the cloud, email, and the network. Using artificial
intelligence, automation and big data analysis techniques, XDR builds a story view, saving time for
investigators tasked with protecting the organization from digital attack. XDR finds attacks within the
noise of alerts and telemetry with powerful detection models. Security teams can detect threats faster,
understand more easily what happened and shut down an attacker sooner. With correlated detection,
better alerting, and an ability to investigate leads, organizations are less likely to suffer
bottom-line impact from business risks.
Trend Micro XDR works by correlating all the detection and activity data gathered from an organization's
environment across all security layers:
• On endpoint computers: Since attacks commonly target end users, XDR can help find threats
hidden amongst endpoint telemetry to identify what happened on the endpoint and determine if
and how a threat propagated.
• Within email: Since an overwhelming amount of malware is targeted to users through phishing
messages, XDR can help identify who else received this email message or similar threat. In
addition, it can identify compromised accounts sending internal phishing emails.
• Within cloud or server workloads: Servers running corporate applications are critical to the
operations of the business. Sensors on these cloud, physical and virtual servers collect additional
activity data to tell a more complete story of what's happening within the workload.
• Within the network: Sensors within the network expose blind spots to identify how the attacker
moved across the organization.
Research has shown that organizations using an XDR approach are better protected and suffered half as
many successful attacks over a one-year period. Detection of attacks is accelerated, and the organization
is 2.2X more likely to detect a data breach or successful attack in a few days or less. In addition, they are
60% less likely to report that attack re-propagation has been an issue.
When you have the bigger picture, you can understand the full impact and not only respond faster but
more completely. There are fewer blind spots that allow for a resurgence of attacks.
Trend Micro Vision One is not just an EDR solution with added functionality, as with other competitive
solutions. Instead, the Trend Micro XDR solution through Vision One provides a complete threat defense
platform for the Security Operations Center (SOC). It has a deep understanding of the data across
network, endpoints, server, cloud, and email with more telemetry available than would be possible from
vendor-to-vendor API solutions.
Distinctive data sources provide in-depth coverage across the infrastructure. Email integration at the
application level provides mailbox visibility. An email gateway would only see the inbound email in transit
and cannot determine whether a threat is still in an inbox, whether related attacks exist in other inboxes,
or whether it was an internally sent email from a compromised account. API integration provided through
Vision One can find and quarantine related emails.
Trend Micro Vision One's visibility into server workloads and desktop operating systems has the broadest
platform support, extending across endpoints, email, networks, servers, virtual machines, public or
private cloud workloads and containers. While other vendors may support Windows, Mac and a few
versions of Linux, Vision One provides support for over 90 operating system versions. This support
includes current and legacy operating systems, including Windows and Linux distributions such as Red
Hat, CentOS, Oracle, SUSE, Ubuntu, CloudLinux, Amazon Linux, and more. In addition, it is increasingly
popular to build applications using containers with Kubernetes and Docker; understanding the activity
data from the containers is needed as well. This ensures that Trend Micro XDR can detect and correlate
workload data regardless of where, or on which operating system, workloads are deployed.
Trend Micro Threat Research provides a competitive advantage for Vision One. Our extensive network of
experienced researchers maintains and writes new detection models which Vision One can take
advantage of to automatically sweep your environment for indicators of compromise.
Trend Micro Vision One allows analysts to identify trends within threat alerts over time and provides
visibility into SaaS application usage and risk level.
Key Features
Correlated Detection
Advanced detection models in Vision One correlate low-level activities within or across security
layers to find undiscovered attacks and generate alerts. The detection models combine multiple
rules and filters using a variety of analysis techniques (for example, data stacking, machine
learning, etc.). You can turn individual models on and off as appropriate for the organization's risk
tolerance and preferences.
Alerts, referred to as Workbenches in Vision One, allow you to drill down for further visibility.
Workbenches are the investigation results for a detection; from here you can view the execution
profile, identify the scope of impact and take response actions. From the workbench, analysts can
prioritize and process the alerts, and track what has been done (new, in progress, closed).
Attack Visualization
Analysts can understand the story of an attack with an interactive visual representation of
events. The Execution Profile Analysis displays the threat actions within an endpoint, server, or
cloud workload. Network communications can be replayed to highlight details of an attacker's
command and control communications or lateral movement.
Search/Threat Hunting
Proactively search through endpoint, email, network, and cloud workload activity data using the
query builder. You can run indicators of compromise (IoC) sweeps, search on multiple parameters
or filter down into results using additional criteria. You can respond, or generate an Execution
Profile from the results, as well as save threat hunting queries for reuse.
Vision One indicators of compromise published by Trend Research can help detect threats sooner
through automatic searching of the network. If there is a detection, built-in threat intelligence
can help identify the associated campaign, target platform, associated MITRE ATT&CK™ TTPs,
and can even provide links to related intelligence blog posts if available.
Threat detection techniques are mapped to the MITRE ATT&CK framework to help quickly
understand and communicate what is happening in your environment. MITRE ATT&CK is a
globally-accessible knowledge base of adversary tactics and techniques based on real-world
observations that is used as a framework for the development of specific threat models and
methodologies in cyber security products and services. Hyperlinks in the workbench link to the
documentation in MITRE ATT&CK. Visit mitre.org for more information on MITRE ATT&CK.
Contextually aware response choices provide quick actions from within the platform allowing you
to quickly respond by right-clicking objects in the workbench (or within threat hunting search
results) to initiate and track endpoint, email, server, and network responses.
Zero Trust Secure Access protects internal and cloud applications and environments from any
user, device, or location. Risk and security health are based on a continuous assessment of users,
devices, apps and content. Secure connections are made based on a health assessment each time
devices or users access corporate resources.
Alert Notifications
Vision One provides email notifications when new alerts are detected. When Trend Micro threat
experts identify alerts in your environment that seem critical or interesting, they work directly
with regional resources to notify you. (Notification will be at the discretion of the threat expert
team since it is impossible to review all alerts for all customers.)
API Integrations
APIs provide integration with various Security Information and Event Management (SIEM) and
Security Orchestration, Automation and Response (SOAR) tools. Vision One provides a SIEM
connector for alerts to be pulled into Splunk. This Splunk add-on calls the Vision One API to get
the list of alerts/workbenches. Simply click on the alert from within Splunk to access the
associated workbench in the Vision One console for additional visibility and investigation.
Software-as-a-Service Solution
Vision One is hosted and managed in the cloud by Trend Micro to benefit from cloud computing
technologies and eliminate any overhead associated with managing local hardware.
With Trend Micro Vision One sitting on top of all relevant Trend Micro products in your environment, you
can obtain expert security analytics for alert correlation, and consolidated visibility and investigation of
events across each security layer. This leads to earlier detection and faster response to potential threats
targeting your network.
By integrating your Deep Discovery Inspector with Vision One, you can gain all the benefits and
capabilities that the Trend Micro Vision One platform provides for greater context that leads to greater
understanding, across multiple products. If you have Trend Micro Vision One, it is highly recommended to
connect it with your Deep Discovery Inspector to fully utilize all the valuable functionality that Trend
Micro Vision One provides.
The following sections describe the necessary processes, steps, and requirements for integrating Deep
Discovery Inspector with Trend Micro Vision one.
With Vision One, the steps to provision a new Deep Discovery Inspector are as follows:
1 Downloading the Deep Discovery Inspector image
2 Creating a Virtual Machine for DDI on VMware ESXi
Note: If there is already a Deep Discovery Inspector device in the infrastructure, this process can be
skipped and you can proceed to the section “Connecting an Existing Deep Discovery Inspector to
Trend Micro Vision One” on page 487.
• Next, if you plan to deploy the virtual device in your on-premises environment, select New
appliance then accept the End User License Agreement.
• After the download has completed, it is a good idea to check the DDI ISO image’s SHA-256
hash value to ensure that the ISO image is not corrupt. This can be done by selecting Copy
disk image SHA-256 hash value.
At this point, a third-party tool that you are comfortable with should also be used to calculate
the SHA-256 hash value of the DDI ISO image, which you can then compare to the SHA-256 hash value
provided by Vision One to confirm that the file is valid.
• To confirm that the downloaded DDI ISO image is valid, compare the SHA-256 hash value obtained
with that tool to the value calculated by Vision One, and ensure that both values are the same.
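The hash comparison described in the bullets above, as an added shell example (this is not code from the Trend Micro guide): it computes the SHA-256 digest of a local file with whichever of sha256sum, shasum or openssl is installed and compares it, case-insensitively, with the value copied from Vision One. The file name ddi-sample.iso and the digest used in the demonstration are constructed for the example; the real values come from your download and from Copy disk image SHA-256 hash value in the Vision One console.

```shell
#!/bin/sh
# Added example (not from the Trend Micro guide): verify a downloaded ISO's
# SHA-256 digest against the value published in the Vision One console.

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_iso FILE EXPECTED_HASH
# Returns 0 when the computed digest equals EXPECTED_HASH (upper/lower case
# and surrounding whitespace are ignored, since the value is usually pasted),
# 1 otherwise. Both values are printed so the check can be recorded.
verify_iso() {
    file=$1
    expected=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
    if [ ! -f "$file" ]; then
        echo "missing file: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    echo "expected: $expected"
    echo "actual:   $actual"
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published hash"
        return 0
    fi
    echo "MISMATCH: $file is corrupt or is not the image that was published" >&2
    return 1
}

# Demonstration with a constructed stand-in for the ISO: a file containing the
# bytes "hello", whose SHA-256 digest is the constant below. For a real image,
# replace both with the downloaded file and the hash copied from Vision One.
CONSTRUCTED_HASH=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
demo_dir=$(mktemp -d)
printf 'hello' > "$demo_dir/ddi-sample.iso"
verify_iso "$demo_dir/ddi-sample.iso" "$CONSTRUCTED_HASH"
rm -rf "$demo_dir"
```

On Windows, `Get-FileHash -Algorithm SHA256 <file>` in PowerShell produces the same digest for comparison. A mismatch means the download is incomplete or was altered in transit; download the image again rather than installing from it.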
Note: The steps provided in this section are for creating the Deep Discovery Inspector virtual machine
on VMware ESXi. The steps are similar for Microsoft Hyper-V. If you are using AWS, the steps can
be obtained from: https://docs.trendmicro.com/en-us/enterprise/trend-micro-xdr-online-help/inventory-management_001/network-inventory/using-the-network-in/deploying-a-deep-dis_001.aspx
Note: The virtual CPUs require a minimum speed of 2.5 GHz with hyper-threading support,
Virtualization Technology (VT), and 64-bit architecture.
• Virtual Memory: 32 GB
• Virtual Disk: 1000 GB
• Virtual NICs: 3
Once the Deep Discovery Inspector ISO image has been uploaded to VMware (in this case, VMware
ESXi 7.0), you will need to create a new VM in VMware for DDI.
1 In the VMware ESXi console, select Create/Register VM > Create a new virtual machine, and
click Next:
2 Select a name for the new virtual machine, set Guest OS Family to Linux, and choose CentOS 7
(64-bit) as the Guest OS version. Click Next to proceed.
3 Select the storage to use. In this example, there is only one available. Click Next.
4 Specify an appropriate amount of resources for the hardware to allow the Deep Discovery
Inspector to function correctly. Note that the illustration below is from a test lab environment
and is intended to provide an example only. This does not reflect realistic resource amounts for
Deep Discovery Inspector. Also, under any circumstance (test environment, or other) there must
be at least two network interfaces for the Deep Discovery Inspector to use. In the configuration
below there is only one NIC currently, but a second will be added in the next step.
Note: For the latest information on specifications you can refer to the Deep Discovery Inspector IDG
(Implementation and Deployment Guide): https://docs.trendmicro.com/all/ent/ddi/v5.8_sp1/en-us/ddi_5.8_sp1_idg.pdf.
5 To add a second NIC card click Add network adapter. This will display a new adapter called New
Network Adapter under Network Adapter 1. Click Next to continue.
6 In this step, review the configuration, then click Finish if there are no changes required.
Note: The following steps illustrate the Deep Discovery Inspector installation process on VMware.
1 Mount the Deep Discovery Inspector ISO image on VMware and start the virtual machine. The
Installation DVD screen appears as illustrated below. By default, a system requirements check will
be performed when installing Deep Discovery Inspector. This check can be skipped in cases
where DDI is being tested in a controlled environment before installing it on the network. To
disable the system requirements check, type 2 and then press ENTER:
2 (Optional) To obtain installation logs (for troubleshooting installation-related issues), type 3
before beginning the installation process and press ENTER. A list of storage devices will be
displayed on the Export Installation Logs screen. To save the exported installation logs, perform
the following tasks:
- Select a storage device and press ENTER.
- When the installation log file name appears, press ENTER.
Best Practice: Trend Micro recommends saving exported installation logs to sda11.
- Record the file name for future reference. The file name is in the following format:
install.log.YYYY-MM-DD-hh-mm-ss
3 Next, to begin the Deep Discovery Inspector installation, type 1 then press ENTER. Optionally,
5 Once the installation completes, the Management Port Selection screen appears as follows.
Select the appropriate option for your environment and network configuration, then select OK.
Note: Deep Discovery Inspector automatically detects the active link cards (indicated by Link is UP)
available for use as a management port.
6 If the preferred device is not listed, verify that it is connected to the appliance by doing the
following:
- Verify that the network port status and the actual port status match. If a status conflict
exists, select Re-detect and press ENTER.
- To determine which active link card is connected to the management domain, perform
the steps listed on the Management Port Selection screen.
- Select an active link card and press ENTER.
7 Once the correct link has been selected for the management port, the installation process will
continue. Wait until the initialization process completes.
8 Once the installation process is completed, click OK to reboot the Deep Discovery Inspector VM.
Note: You will need to ensure that the ISO is unmounted to prevent re-installation at boot-up.
The virtual machine will automatically restart and the Deep Discovery Inspector pre-
configuration console will be displayed.
2 Select the second option, 2) Device Settings and configure the IP configuration.
3 Specify a static IP configuration or select Dynamic to get an IP from DHCP, then save the
configuration by pressing Return to main menu.
4 Next, select the option Log Off with Saving, confirm the configuration, and wait a few seconds.
5 Within a few seconds the changes will be saved and you will be prompted with the login screen,
which includes the updated IP address:
Note: ISO images are customized with the license code and token to connect automatically to Trend
Micro Vision One.
Both Trend Micro Vision One and the Network Inventory service should display as Connected.
In this case, the administrator must have access permissions to both the Deep Discovery Inspector and
Trend Micro Vision One consoles to perform this operation. It is highly recommended that the Deep
Discovery Inspector device be upgraded to the latest version before attempting the connection to Trend
Micro Vision One.
2 In the right-hand pane that is displayed, select Deployed Deep Discovery Inspector, then select
your Deep Discovery Inspector version and the local IP address/FQDN/URL of this device.
Click Go and Trend Micro Vision One will re-direct to the IP/FQDN/URL provided in the
connection settings.
3 The redirection includes a token that is shared with Deep Discovery Inspector. Administrators will
not need to copy and paste a token, as it is shared transparently.
Note: Remember that the administrator executing this task must have the required permissions to be
able to access Deep Discovery Inspector locally.
5 It will take a few moments to complete the connection to Trend Micro Vision One. Do not refresh
the browser.
6 After a few moments, a Successfully registered to Trend Micro Vision One message is displayed in
the Deep Discovery Inspector console, and both Trend Micro Vision One and Network Inventory
will display as Connected.
7 Next, you will need to enable the Network Sensor through the Trend Micro Vision One console as
follows:
• Go back to NETWORK SECURITY OPERATIONS > Network Inventory then select Deep
Discovery Inspector Appliances.
• Select Deep Discovery Inspector device from the list then from the Configure Network
Sensor drop-down select Enable Network Sensor:
After a few minutes, the Network Sensor status, for the selected Deep Discovery Inspector
should be displayed as Enabled.
The Trend Micro Service Gateway provides other functionality as well, but in this section, the main focus
will be on using it for sharing threat intelligence. By connecting through the Trend Micro Service Gateway,
Deep Discovery Inspector will be able to share its Sandbox suspicious object (SO) findings with Vision One.
The advantage here is that Vision One will then be able to share this information with other Trend Micro
solutions or third-party products such as firewalls.
The Trend Micro Vision One Service Gateway is provided as a VMware virtual appliance downloaded from
the Trend Micro Vision One console.
Deploying a Trend Micro Service Gateway virtual appliance includes the following tasks:
• Install the virtual appliance on Microsoft Hyper-V or VMware ESXi server
• Add the Trend Micro Service Gateway to the Service Gateway Inventory
• Configure the service settings in the Trend Micro Vision One console
The complete steps for performing these tasks are provided below.
1 In the Trend Micro Vision One console, go to Inventory Management > Service Gateway
Inventory and select + Download Virtual Appliance located in the top-left corner of the screen.
2 A vertical window will appear on the right. Accept the End User License Agreement to continue,
then select Download Disk Image to download the virtual appliance from the Service Gateway
Inventory app and record the Registration token.
3 Once the file is downloaded, select File Details and verify the hash using the same steps
discussed earlier.
4 Create a virtual machine in VMware ESXi or Microsoft Hyper-V using the downloaded virtual
appliance file as follows. Select the OVF/OVA option.
5 Specify a clear name for the VM to make it easy to identify. For example, Service Gateway.
7 Configure the required network access for connecting to Vision One and accept the default Disk
provisioning “Thin”.
8 Review the VM configuration for the Service Gateway and then click Finish to continue.
9 Once the VM has been created, the console will be displayed as follows.
10 Next, log in to the new Service Gateway virtual appliance and configure an IP address for SSH
access to the Service Gateway as follows:
- Log in using the default credentials admin/V1SG@2021
- Re-enter the default password when prompted, and change the password
- After the password has been reset, enter the command Enable in the console
From this point forward, SSH connections can be made to the Trend Micro Service Gateway using
the credentials that were configured above.
12 To connect using SSH, you can use PuTTY or the Windows native CMD with OpenSSH.
13 From here, enter the command Enable to execute administrative commands.
14 Finally, enter the command register followed by the Registration token that was recorded in an
earlier step.
After a few moments, the service gateway will initialize and the console will appear similar to the
following:
15 Once installed, you can verify the status of the Service Gateway in the Vision One console,
in the WORKFLOW AND AUTOMATION > Service Gateway Management app, as follows:
Note: For complete steps on deploying the Service Gateway on VMware ESXi or on Microsoft Hyper-V
you can visit the following support article:
https://success.trendmicro.com/dcx/s/solution/000288058?language=en_US
Note: This is not supported if Deep Discovery Inspector uses Deep Discovery Director on-premises to
connect to Trend Micro Vision One. For more details, see the Vision One console Online Help.
The steps for connecting a Service Gateway for your DDI that is integrated with Vision One are as follows:
1 In the Vision One console, go to NETWORK SECURITY OPERATIONS > Network Inventory.
2 Enable the checkbox for Deep Discovery Inspector to connect to the Service Gateway, then from
the Configure Service Gateway drop-down, select the option Connect Service Gateway.
3 The selected Deep Discovery Inspector will attempt to connect to the Service Gateway. Notice
that the Service Gateway column for the selected Deep Discovery Inspector now indicates
“Processing”.
4 After approximately 10 to 15 minutes, the connection will be established and the Service Gateway
column displays the Service Gateway host name information as follows.
If the steps above were completed successfully, the Deep Discovery Inspector web console will
display the following blue banner (underneath the menu), indicating that suspicious objects will
now be synchronized with Trend Micro Vision One.
If the Deep Discovery Inspector is registered to an on-premises Deep Discovery Director, the steps
for registering Deep Discovery Inspector to the Network Inventory Service and connecting to the
Service Gateway are as follows:
1 Unregister Deep Discovery Inspector from Deep Discovery Director on-premises version.
2 Register Deep Discovery Inspector to Network Inventory Service (refer to previous steps).
3 Connect Deep Discovery Inspector to Service Gateway (refer to previous steps).
Note: For more information refer to the KB article: Configuring Deep Discovery Inspector (DDI) to
integrate with Trend Micro Vision One using Deep Discovery Director (DDD) On-Premises.