The Cybereason Approach to Sensor Tamper Protection

Defense Evasion is a tactic that malicious actors use to avoid detection once they’ve gained entry into your network. One form of defense evasion involves the disabling of security software processes or services by deleting registry keys or log information. 

APT29 (also known as the Russian SVR) notoriously disables services associated with security products. MITRE has also documented that Cl0p attempts to uninstall or disable security products. These are just a few examples, and many more can be found on the MITRE ATT&CK website

The Cybereason Sensor is protected against tampering efforts from bad actors. Adversaries often intentionally avoid Cybereason and prematurely end their attacks to stay under the radar.

Cybereason leverages two distinct paths to protect deployed sensors in a customer environment. 

Path One: Self Protection

The first is to design a secure sensor with built-in capabilities for self protection so you can focus on your business instead of your security tool. At Cybereason, this looks like the following:

  • All communications between the sensor and the registration/detection servers occur over secure encrypted Transport Layer Security (TLS)
  • Only machine administrators can install or uninstall sensors on endpoints across the organization
  • Cybereason monitors the sensor and restarts it automatically if the sensor processes are killed
  • Preventing the sensor from being uninstalled using an uninstalled password for added security

Path Two: Intelligent and Proactive Sensor Protection 

The second path to sensor tamper protection is to enhance the sensor beyond self-protection. Intelligent and proactive sensor protection enables faster response times and provides automatic updates on events.

Cybereason accomplishes this through the following capabilities:

  • Proactive protection of the sensor processes and files against unauthorized or malicious modifications or kill attempts. 
  • Future improvements will protect processes, files, registries, and services against unauthorized or malicious modifications or kill attempts, and if any of these events occur, they will trigger a MalOp™ (Malicious Operation) if malicious activity is detected. The MalOp is Cybereason’s proprietary way of making order from chaos and consolidating a frenzy of alerts into a single alert with a chronological timeline of events and enriched information mapped to the MITRE ATT&CK Framework.

The best defense is often an intelligent and proactive offense. The risks of not properly securing your machines, networks, and devices are top of mind for CISOs and security organizations, but even the best cybersecurity tools need to protect themselves.

Cybereason is focused on providing the best in class protection for our customers to be more efficient and more effective. See what Cybereason’s tamper protection looks like for yourself.

Cybereason Sales Engineer Rob Chapman contributed to this article.

Cybereason is dedicated to teaming with defenders to end attacks on the endpoint, across the enterprise to everywhere the battle is taking place. If you want to know more about how Cybereason protects our customers to drive security team efficiency and effectiveness and would like a demo, please reach out here.

Cody Queen
About the Author

Cody Queen

Cody Queen is a Product Marketing Manager at Cybereason leading the go-to-market strategy for NGAV, endpoint protection and cloud workload security solutions. Before joining Cybereason, Cody led and supported product launches for Dell Technologies in their APEX Cloud and security business, primarily around managed data center services. He also brings over 10 years of experience in the public sector planning for, managing and responding to security threats against the United States.

All Posts by Cody Queen