Sophos Carbanak+FIN7 Configuration
Product Versions
Sophos Intercept X Advanced with EDR
Product Description
Intercept X Advanced with EDR is built on top of the world’s best endpoint protection: Intercept X stops breaches before they start. Intercept X Advanced with EDR allows you to ask any question about what has happened in the past and what is happening now on your endpoints. Hunt threats to detect active adversaries, or leverage it for IT operations to maintain IT security hygiene. Powerful, out-of-the-box, customizable SQL queries access up to 90 days of data on disk and in the cloud, giving you the information you need to make informed decisions. When an issue is found, respond remotely with precision.
For additional information, please read the Sophos Intercept X datasheet or the Sophos Intercept X Advanced with EDR datasheet.
Product Configuration
Policy Configuration
- All prevention layers were disabled to allow the simulated attack to proceed with only EDR monitoring enabled
- Application control was configured to alert on the use of applications but to not perform any blocking
Detect ONLY Deployment
We had to turn off ALL protection capabilities.
With this configuration, potential block events DO NOT generate a notification.
Threat protection policy:
The only features left enabled are:
- Enable Threat Case creation
- Allow computers to send data on suspicious files, network events, and admin tool activity to Sophos Central
Peripheral Control policy:
This policy was set to MONITOR but not block all peripheral device connections
Application Control
This policy was set to MONITOR but not block all applications
Data Loss Prevention
This policy was left OFF
Web Control
This policy was set to MONITOR but not block all applications
MITRE PROTECTION Configuration
By default, on install, protection features are enabled unless they are part of an early access program. For this test we enabled the early access features.
Threat protection policy:
Features in EAP that were enabled include
Peripheral Control policy:
This policy was set to block all peripheral device connections
Application Control
This policy was set to block controlled applications, with the following exceptions as specified by MITRE for the test:
- 7-zip
- Microsoft Office 2016
- Microsoft WSH CScript
- Microsoft WSH WScript
- Microsoft SQL Management Studio
- MS Remote Desktop Connection
- Remote Desktop Connection (V7 and higher)
- Remote Desktop Connection 6.0
- Remote Desktop Connection Manager
- Microsoft Powershell
- Microsoft Powershell ISE
Data Loss Prevention
This policy was left OFF
Web Control
This policy was set to BLOCK all web categories, and block all risky download types.