Response setup leveraging Lumu detections with Symantec Endpoint Protection

Requirements

1. Symantec Endpoint Protection Manager.
1. You need access to your Symantec Endpoint Protection Manager Console with version 14MP1 or higher. An admin user is required.
2. Lumu Defender API key.
3. Scripting host with Python v3.6+.
   
1. The host must be able to reach both Symantec Endpoint Protection Manager REST API and Web Services (ports 8446 and 8443), and Lumu Defender REST API endpoints.
   
4. Script package.
1. Contact the Lumu support team to request the package we created to deploy the required files.
   

Response alternatives

Maintain a fingerprint list

Symantec will only block executable files related to the hashes uploaded into the fingerprint list.

Quarantine devices after an adversarial contact

Please consider having your organization’s security team doing the pertaining incident investigation before quarantining a device. This enforcement alternative may cause denial of service for the compromised workstation preventing any investigation procedures. Please be careful when using this alternative.

Set up Symantec Endpoint Protection Manager

Maintain a fingerprint list

You can create or load a file fingerprint list according to the guide. Alternatively, you can have the script create it for you. If you use the latter, remember to associate the Fingerprint list with your System Lockdown policy.

Quarantine devices after an adversarial contact

You must define a rule to block all traffic from any application to any network. The device must be completely isolated. 

Deploy the scripts

Scripts location

Install requirements

Response method: Fingerprint list

Each time the script runs, it will overwrite existing hashes into the fingerprint list defined in the script arguments.

Task: query and add SHA256 hashes related to Lumu incidents

By default, the integration will query and push hashes related to Lumu incidents in MD5. If you need to push the hashes in SHA256 format, you can use the argument --hash-type sha256.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --hash-type sha256

Support for SHA256 hashes was included in Symantec Endpoint Protection Manager 14.3 RU4 and later. For earlier versions, you can work with MD5.

If you find issues changing an existing fingerprint list from one hash type to another, it's recommended to delete the list first to recreate it using the integration.

Task: query and add indicators related to Lumu incidents with contacts in the last X days

Use the following command to fetch and push to Symantec Endpoint Protection Manager hashes related to incidents found in your organization by Lumu with contacts in the last X days.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --days X

All previously created block lists will be replaced, even if they correspond to incidents with contacts before X days.

Task: query and add hashes related to Lumu incidents of specific types

By default, the script queries open and closed incidents of all adversary types (Phishing, Malware, DAG, Spam, and others). If you need to collect specific types of incidents, you can use the argument --adversary-types ADVERSARY_TYPE. If you need to get two or more adversary types, you only need to append a new instance of the argument.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --adversary-types Phishing --adversary-types Malware

In this example, the adversary types queried are Phishing and Malware.

Task: clean all changes made by Lumu integration

If you need to delete the fingerprint list created by the integration, use the --clean flag with the authentication arguments.

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --clean

Task: save log output to file

By default, you will see the execution log on the screen console. 

python sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key> --logging file

This file is useful for scheduled tasks or processes running in the background. When you open this file, you will see the following. The information displayed aids in checking the execution progress.

Task: use a configuration file to run the integration

You can run the integration using a configuration file where you can save the required arguments in form of <argument_name>=<value>, one argument per line. In the integration root path, save a file named .config with your configuration. Following, you have a sample of the format of the file.

## Sample config file
# Lumu
company_key=<lumu_company_key>
# SEPM
host=<sepm_host_or_ip>
username=<sepm_username>
password=<sepm_password>

# Misc    
adversary_types=<adversary_type_1>
...
adversary_types=<adversary_type_n>
days=<days>
logging=<screen|file>

The file .config_sample in this repo can be tailored according to your needs. Remember to rename it to .config.

if you need to add flags (arguments without values like -v or --clean, those need to be added on the command line)

Other tasks

According to your needs, you can combine the examples shown.

Response method: Quarantine device

Script details

Use the following command to show all options available for the package:

python sepm_lumu_quarantine.py --help

Usage: sepm_lumu_quarantine.py [options

Options	Description
-h, --help	show this help message and exit
--config CONFIG	Load options from config file
--company-key COMPANY_KEY --company_key COMPANY_KEY	Lumu Company Key (Defender API).
--proxy-host PROXY_HOST --proxy_host PROXY_HOST	Proxy host (if required)
--proxy-port PROXY_PORT --proxy_port PROXY_PORT	Proxy port (if required)
--proxy-user PROXY_USER --proxy_user PROXY_USER	Proxy user (if required)
--proxy-password PROXY_PASSWORD --proxy_password PROXY_PASSWORD	Proxy password (if required)
--logging {screen,file}	Logging option (default screen).
--verbose, -v	Verbosity level.
--host HOST	Symantec Endpoint Protection Manager host.
--username USERNAME	Symantec Endpoint Protection Manager username.
--password PASSWORD	Symantec Endpoint Protection Manager password.
--domain DOMAIN	Symantec Endpoint Protection Manager domain (default 'empty').
--adversary-types {C2C,Malware,DGA,Mining,Spam,Phishing} --adversary_types {C2C,Malware,DGA,Mining,Spam,Phishing}	Lumu adversary types to be filtered.
--unquarantine, -u	Unquarantine hosts included in the quarantine report (use with caution).

Usage Examples

Task: quarantine all affected endpoints related to open incidents in Lumu

Use the following command to fetch all affected endpoints related to open incidents and issue the quarantine command to the Symantec Endpoint Protection Manager.

python sepm_lumu_quarantine.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key>

To keep control of quarantined devices, the script will maintain a report in a file called quarantine.json . This file will contain the information of the quarantined devices, the result, and the date of the process.

Task: quarantine all affected endpoints related to Lumu open incidents filtering by adversary type

To filter your query to specific types of adversaries, you can use the option --adversary-types ADVERSARY-TYPE. If you need to set more types of adversaries, you can repeat the option as follows:

python sepm_lumu_quarantinelumu-sepm-quarantine.py --host <sepm-host> --username <sepm_usernamesepm-username> --password <sepm_passwordsepm-password> [--domain <sepm_domain>]  --company-key <lumu_company_keylumu-defender-api-key> --adversary-types C2C --adversary-types Mining

For this example, the script will fetch affected endpoints related to adversaries of types C&C and Mining.

Task: un-quarantine devices quarantined by the script

(Use with caution) If you need to un-quarantine all devices quarantined by the script, use the flag -u or --unquarantine.

python sepm_lumu_quarantinelumu-sepm-quarantine.py --host <sepm-host> --username <sepm_usernamesepm-username> --password <sepm_passwordsepm-password> [--domain <sepm_domain>]  --company-key <lumu_company_keylumu-defender-api-key> --unquarantine

The script will use the devices recorded in quarantine.json . All devices un-quarantined will be removed from the report after the process finishes.

Expected results

Response method: Fingerprint list

After the script’s execution, the Fingerprint list will be populated with new hashes. After the policy is updated in every protected host, the execution of binaries that match the uploaded hashes will be restricted.

Response method: Quarantine device

After a device is quarantined, the device will be isolated from the corporate network. The isolated device will show the following status:

Isolated device message

Further considerations

Set up Lockdown Policy in Symantec Endpoint Manager Console

After running the integration for the first time, you need to associate the Lumu fingerprint list with your System Lockdown policy. To do so, follow these steps:

To run the script on a timely basis, consider implementing a Scheduled job in Windows or a cron task in Unix-based systems. According to your enforcement needs, we recommend scheduling these tasks to run 2 or 3 times per hour (with a frequency of 20 to 30 minutes).

1. With an administrator user, log in to your SEPM console. Go to Clients and select the desired scope.
   
   
   
2. Under the selected scope, go to the Policies tab. Click on the System Lockdown link under the Policies section. The System Lockdown for <scope> window will appear. Set the Application File Lists to Deny Mode. Finally, add the fingerprint list Lumu and click on the OK button.
   
   
   

Schedule periodic execution of the integration

To run the script on a timely basis, consider implementing a Scheduled task in Windows or a Cron task in Unix-based systems. If you are pushing hashes, the integration could take longer to run. We recommend that the scheduled job runs every 30 minutes.

Following, you have an example of how this Cron job should look using the recommended time.

*/30 * * * * python3 <repo_root>/sepm_lumu.py --host <sepm_host_or_ip> --username <sepm_username> --password <sepm_password> [--domain <sepm_domain>] --company-key <lumu_company_key>

It's recommended to add the --logging file argument to any scheduled task. It will record all the output in the log file for further reference. If you have created a configuration file, your crontab entry doesn't need any arguments. It should look as follows:

*/30 * * * * python3 <repo_root>/sepm_lumu.py

If you need to work with another scheduling time, you can use the crontab guru.

To avoid race conditions, you can run only one instance. If you have one running, others will be terminated immediately.

Troubleshooting and known issues