In this article, you will learn everything you need to know about the Threat Prevention - Endpoint module. Threat Prevention - Endpoint is based on the DarkLayer Guard engine, the world’s most advanced endpoint DNS threat hunting tool and boasts our Threat to Process Correlation technology allowing you to spot processes, users, URLs, and attacker origins used to infiltrate your network. Threat Prevention - Endpoint makes the DarkLayer Guard - Endpoint work in tandem with our VectorN Detection AI-based traffic pattern recognition engine to also give you HIPS/HIDS and IOA/IOC capabilities and spot hidden malware, complete autonomous of code and signatures.
1. Description
2. How does DarkLayer Guard - Endpoint work?
3. HEIMDAL Agent - DarkLayer Guard
4. Threat Prevention - Endpoint view
5. Threat Prevention - Endpoint settings
DESCRIPTION
Threat Prevention - Endpoint is responsible for filtering all network packages based on DNS request origin and destination. It replaces the manual or DHCP set DNS values with IP Addresses from the Client Host IP Address range, thus, effectively telling the computers to resolve the DNS requests themselves. The original DNS values from the network card settings are not lost but are saved under GUIDs in the Windows Registry and used when DNS requests are made towards internal resources (print servers, local file servers, or anything that has a private IP Address assigned) or external resources. The traffic filtering engine, which blocks malicious packages from communicating across the network prevents man-in-the-browser attacks, detects zero-hour exploits, protects from data or financial exfiltration, and prevents data loss or network infections.
- Here is an example of how DarkLayer Guard's multi-layered protection works against malware, social engineering scams, and drive-by attacks:
Threat Prevention - Endpoint blocks malicious websites by making sure that users do not establish untrusted connections. If a connection is made, an attacker is able to open backdoors into a PC by using zero-day exploits or by executing remote shellcodes. The module also makes sure that data is not automatically filled into online forms, belonging to fraudulent websites.
- An example of how DarkLayer Guard - Endpoint protects users from financially exploiting malware (banking trojans) can be seen below:
The DarkLayer Guard - Endpoint filter receives more than 800.000 new weekly updates to keep up with cybercriminals’ threats. A filter update is provided every 2 hours. The update is based on a wide range of data, such as newly registered domain names, reverse engineering of advanced malware, monitoring of criminal network sinkholes, and data gathered during e-crime analysis. This insight into cybercrime enables Heimdal to block data from a PC or network from being sent to a hacker-controlled server, therefore protecting corporate or personal data from exfiltration.
HOW DOES DARKLAYER GUARD WORK?
When the Threat Prevention - Endpoint module is enabled, DarkLayer Guard - Endpoint creates a local DNS Server that will work as a filtering engine before resolving the DNS Query performed by the user. The DarkLayer Guard DNS Server highjacks the DNS IP Address on the active Network Adapter(s) to scan for malicious websites and other web locations (servers, online ads, etc) that can potentially install malware or be used as gateways for cyber-attacks.
The DarkLayer Guard - Endpoint engine will change the DNS (Domain Name System) IP Addresses on IPv4 and IPv6.
- On IPv4, it will change your DNS IP Address from Obtain DNS server addresses automatically (set by a DHCP) or from an already set static DNS IP Address to 127.7.7.x (the DarkLayer Guard DNS IP Address). Your initial DNS IP Address will be backed up in the Windows Registry to be used to solve the DNS Queries after being allowed;
- On IPv6, it will change your DNS IP Address from Obtain DNS server addresses automatically (set by a DHCP) or from an already set static DNS IP Address to fe80::xxxx:yyyy:xxxx:zzzz (the DarkLayer Guard DNS IP Address). Your initial DNS IP Address will be backed up in the Windows Registry to be used to solve the DNS Queries after being allowed.
Once the DNS IP Address is set, every web location you access via the Internet will be processed through a database that is set locally in the HEIMDAL Agent installation path. This database is about 15 MB in size and 95% of the websites blocked are located here.
If the website is identified as being infected, the DarkLayer Guard - Endpoint engine will block it and you will see this block page (in the browser):
Additionally, if you perform nslookup on a malicious domain, the resolving IP Address will be 52.166.12.23 (our HEIMDAL Security block page):
If the website is not blocked after being processed through the local database it will pass but there is a second step. The website will be parsed through another database, in the cloud (about 6GB in size) where it will be checked again. If it’s found to be malicious, DarkLayer Guard - Endpoint will block it. If it’s safe, you’ll just be able to access the website normally.
IMPORTANT
All this filtering process takes place in milliseconds and will not affect your internet connection speed.
HEIMDAL Agent - DarkLayer Guard
The HEIMDAL Agent displays information about the Prevented Attacks, the Targeted Processes, and the VectorN Detections.
The information displayed on the HEIMDAL Agent - Threat Prevention section is reported to the HEIMDAL Dashboard -> Threat Prevention - Endpoint view.
THREAT PREVENTION - ENDPOINT view
The Threat Prevention - Endpoint view displays all the information collected by HEIMDAL Agent that is running on the endpoints in your organization. The collected information refers to the DNS queries that are filtered by the HEIMDAL Agent's DarkLayer Guard engine. On the top, you see a statistic regarding the number of Analyzed Traffic Requests, the number of Prevented Attacks, the percentage of Prevented Attacks, and the number of Category Blocks.
The collected information is placed in the following views: Standard view, Threat Type view, Hostname/Latest Threats view, TTPC view, Category Blocks view, and Full Logging view.
- Standard view
This view displays a table with the following details: Hostname, Username, IP Address, Analyzed Requests, Prevented Attacks, and Risk Level. - Threat Type view
This view displays a table with the following details: Threat Type, Number of matches, Most Targeted Hostname, and Username. - Hostname/Threats view
This view displays a table with the following details: Hostname, Username, Domain Blocked, Threat Type, and Number of matches. - Latest Threats view
This view displays a table with the following details: Hostname, Username, Threat Type, Threat Type, Threat Source, TTPC, and Date. - TTPC view
This view displays a table with the following details: TTPC Detections, the Number of matches, Most Targeted Hostname, Username, Most Frequently Detected Infected Domain, and Last Match. - Category Blocks view
This view displays a table with the following details: Hostname, Username, IP Address, and Category Blocked Domains. - Full Logging view
The Hostname view displays a table with the following details: Hostname, Allowed Requests, Prevented Attacks, and Risk Level.
The Domain view displays a table with the following details: Domain and the Total Hits. - Investigate view
This view allows you to get DNS-related statistics on any domain you input in the search field. The view is split into 3 subsections:
a. Global Threat Intelligence - displays a top 3 of most accessing processes, the TPE matches (the number of times, in the selected timeframe, the domain has been intercepted via TPE), the Global TPE matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE in the Global Heimdal Security database), the domains/URLs related to the same IP Address, the TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN), the Global TPE + TPN matches (the number of times, in the selected timeframe, the domain has been intercepted by TPE and TPN in the Global Heimdal Security database);
b. Predictive DNS Score - displays a maliciousness score based on an Artificial Intelligence algorithm (ranging from 0 to 100) that is corroborated with the presence of domain (in question) on the Threat Prevention Endpoint blacklist (blacklist match). The higher the score, the higher the probability that the domain in question is infected. The Predictive DNS Score will showcase a Risk Level (None, Low, Medium, High, Critical) based on the above-mentioned score;
c. DNS Statistics - displays a graphical representation of the daily number of hits for the chosen domain (the blue
the line shows that the queried domain was found clean at the time of the query, while the red line shows that the queried domain was found infected at the time of the query);
d. Requester distribution - displays a map and statistics of top public IP Addresses that called the domain in question (the origin of the DNS query to the domain in question). - App Discovery view
This view displays a list of the applications discovered by the DarkLayer Guard engine in your environment and the following details: Application Name, Vendor, Risk Level, and Installed Endpoints.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
The Filters functionality allows you to filter entries by Operating System.
THREAT PREVENTION - ENDPOINT settings
By enabling the DarkLayer Guard engine, the HEIMDAL Agent will enable the network filter that will protect the computer from accessing malicious domains or URLs.
DarkLayer Guard - turn ON/OFF the DarkLayer Guard DNS Filtering;
General Settings
Force DHCP DNS usage - this feature sets the DNS on the Network Interface Card(s) to Automatic (DHCP) behind the DarkLayer Guard engine. If the DarkLayer Guard engine fails to add 127.7.7.x or fe80::yyyy:yyyy:xxxx:xxxx on the NIC(s) it will revert to Automatic DNS (set automatically by the DHCP). This option is recommended to be enabled if:
- You are using VPN connections in your organization;
- Nobody from your organization uses a static DNS IP Address.
Use default loopback address - this feature makes the DarkLayer Guard will set the DNS on the Network Interface Card(s) to 127.0.0.1 instead of 127.7.7.x (for IPv4) and ::1 instead of fe80::yyyy:yyyy:xxxx:xxxx (for IPv6). This will enforce the DarkLayer Guard engine to intercept traffic from a single adapter. This setting helps ensure compatibility between Heimdal™ Threat Prevention and certain VPN products, as well as other software you may use, such as virtualization products;
Force NCSI fix - this feature will fix the Network Connectivity Status Indicator that causes the connected globe in the Tray menu when running alongside DarkLayer Guard. The HEIMDAL Agent sets the value 1 (default is 0) on the following path Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActive Probing, and adds a Microsoft IP Address in the hosts file (C:\Windows\System32\drivers\etc);
Improve TTPC accuracy - installs and updates the Sysmon service (if not installed already) to improve the interception of processes that perform malicious DNS requests;
- You can find the Sysmon logs in Event Viewer Logs -> Application and Service Logs -> Microsoft -> Windows -> Sysmon -> Operational. The Event ID used for DNS request logging is 22;
- When the DarkLayer Guard - Endpoint ending gets the process ID from Sysmon and it queries the Window processes, there is a risk that the process was already killed or stopped. If this happens, DarkLayer Guard - Endpoint will not be able to get the process information so a generic “-” will be displayed in the HEIMDAL Dashboard;
- There is a 2-minute wait time when the same domain it’s accessed and this will result in displaying only one entry for that specific domain even if it was accessed several times in that time interval. In the Event Viewer Logs, an entry will show up every time a domain is accessed.
Full logging - get enriched information on the DNS requests made from the endpoints (we will log all the DNS requests made in your environment);
Disable DarkLayer Guard for IPv6 - allows you to disable DarkLayer Guard filtering on IPv6;
DoH Compatibility Mode - this feature will prevent your active browser (Google Chrome or Mozilla Firefox) from employing DNS over HTTPS packages, replacing the more comprehensive DNS traffic filtering provided by HEIMDAL™ Threat Prevention;
Cisco Anyconnect/Fortinet compatibility mode - this feature will reroute traffic from IPv6 to IPv4 on a Cisco Anyconnect adapter, to solve a known bug in Cisco Anyconnect/Fortinet IPv6 filtering;
Use supported VPN forwarders - makes the DarkLayer Guard engine use the DNS IP Addresses provided/set by the VPN adapter on all the adapters of the endpoint;
High Compatibility Mode – this feature sets a 15-ms delay in applying the DarkLayer Guard filter over the Network Interface Card that currently has internet access, in order to allow all relevant Microsoft Windows services to start up normally. The services which are allowed to start up normally are in charge of vital extended environment tasks like domain discovery, network drives authentication, etc.
Pause DarkLayer Guard when Cisco Anyconnect or Fortinet is detected - this feature will pause the DarkLayer Guard engine while the endpoint is connected to Cisco Anyconnect/Fortigate. The DNS filtering with automatically re-enable after disconnecting from Cisco Anyconnect/Fortigate;
DNS server response validation - the DarkLayer Guard will test the DNS Resolvers and alternate them in case any of them fail (we change the 1st DNS with the 2nd one until the 1st one is up and running again);
Check Interval - allows you to set the time interval of the DarkLayer Guard engine to check for new updates of the filtering database;
Domains whitelist – this feature allows the HEIMDAL Dashboard Administrator to whitelist a domain that is blocked by the Heimdal™ Threat Prevention. You can whitelist domains, subdomains, top-level domains (.com, .co.uk, etc.) or event multiple domains at once by uploading a CSV file (the domains need to be divided by "," comma):
Block by Category - this feature allows you to block groups of domains that are included in a category (example: Social, Sports, Gambling, Finance, Health, and others):
Block by Category Schedule - this feature is available only when Block by Category is enabled and allows you to schedule specific time intervals when the Block by Category feature applies;
Domains blacklist - this feature allows the HEIMDAL Dashboard Administrator to blacklist a domain that Heimdal™ Threat Prevention - Endpoint does not consider a threat or to block the access to a specific domain. You can blacklist domains, subdomains, top-level domains (.com, .co.uk, etc.) or event multiple domains at once by uploading a CSV file (the domains need to be divided by "," comma)
Custom block pages – this feature allows you to add a custom HTML block page that will replace the default Heimdal block page when Threat Prevention - Endpoint intercepts and blocks access to a malicious domain (or blacklisted domain):
IMPORTANT
Do not use the DarkLayer Guard - Endpoint engine in combination with another DNS traffic scanning application because they might conflict with each other and none of them will work correctly. We recommend you disable other traffic scanning applications installed locally before you enable Heimdal's DarkLayer Guard engine.