Understanding the Windows Filtering Platform (WFP): A Quick Overview


What is it?

The Tripwire Enterprise Critical Change Audit rules provide customers with the ability to monitor for critical events that could have a significant impact on a system. Monitoring for critical events can help administrators identify malicious and/or unexpected changes within their environment.

Changes To CCA

Additional rules were added to the Critical Change Audit rule set. These rules give customers the ability to monitor for changes to the firewall, installed certificates, expiring or expired certificates, USB devices (specifically keyboards), WFP filters, and HTTP proxy settings.

Firewall Status

Firewalls monitor network traffic and use rules to block or allow it. Exposing services that are not normally reachable from the network introduces unnecessary risk. Monitoring the firewall state ensures that the firewall is currently active and has not been tampered with. These new rules monitor for changes made locally or via Group Policy on Windows, as well as to UFW and nftables on Linux.

Local Firewall (Windows)

Group Policy (Windows)


Linux (Ubuntu)

Certificates

TLS certificates allow for secure communication. An expired certificate can interrupt TLS communication and potentially expose sensitive data. Monitoring for changes in the state of certificates allows administrators to ensure that TLS-based communication continues to be secure. These new rules monitor for newly added, expiring, or expired certificates on both Windows and Linux. 

Installed Certificates (Windows)


Expired Certificates (Windows/Linux)


Expiring Certificates (Windows)


USB Devices/Keyboards

Rubber Duckies are devices that look like an innocent USB drive but deliver a malicious payload. A Rubber Ducky interacts with the system by typing characters, so it presents itself to the operating system as a newly attached keyboard. The Tripwire Enterprise CCA rule set now monitors for newly added keyboards.


WFP EDR Silencer Rule

Endpoint Detection and Response (EDR) silencers are tools that use the Windows Filtering Platform (WFP) to block EDR agents from communicating with their servers. WFP exposes an API for filtering network traffic, and a silencer uses it to add block filters scoped to the EDR agent's executable. Tripwire Enterprise now monitors for additional WFP entries that block traffic for specific applications.
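As an added illustration of the check described above (example code written here, not Tripwire's own rule logic), the script below parses a WFP filter export and reports BLOCK filters that are scoped to a particular executable, then compares them against a baseline of previously seen filter keys, which is the change-audit view the rule set provides. The element names follow the shape of the `filters.xml` that `netsh wfp show filters` writes, which is an assumption about that format, and the sample filters and paths are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the filters.xml that `netsh wfp show filters` writes;
# the element names used below are an assumption about that format, and the paths are made up.
SAMPLE_XML = r"""<wfpdiag><filters>
<item>
  <filterKey>{11111111-1111-1111-1111-111111111111}</filterKey>
  <displayData><name>Custom Outbound Filter</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <action><type>FWP_ACTION_BLOCK</type></action>
  <filterCondition><item>
    <fieldKey>FWPM_CONDITION_ALE_APP_ID</fieldKey>
    <matchType>FWP_MATCH_EQUAL</matchType>
    <conditionValue><type>FWP_BYTE_BLOB_TYPE</type><byteBlob>
      <asString>\device\harddiskvolume3\program files\exampleedr\sensor.exe</asString>
    </byteBlob></conditionValue>
  </item></filterCondition>
</item>
<item>
  <filterKey>{22222222-2222-2222-2222-222222222222}</filterKey>
  <displayData><name>Allow DNS</name></displayData>
  <layerKey>FWPM_LAYER_ALE_AUTH_CONNECT_V4</layerKey>
  <action><type>FWP_ACTION_PERMIT</type></action>
  <filterCondition/>
</item>
</filters></wfpdiag>"""

# Filter keys recorded in an earlier snapshot (constructed baseline).
BASELINE_KEYS = {"{22222222-2222-2222-2222-222222222222}"}


def app_block_filters(xml_text):
    """Return every BLOCK filter that is scoped to a specific executable (ALE_APP_ID condition)."""
    root = ET.fromstring(xml_text)
    found = []
    for flt in root.findall("./filters/item"):
        if flt.findtext("./action/type") != "FWP_ACTION_BLOCK":
            continue
        for cond in flt.findall("./filterCondition/item"):
            if cond.findtext("fieldKey") != "FWPM_CONDITION_ALE_APP_ID":
                continue
            found.append({"key": flt.findtext("filterKey"),
                          "name": flt.findtext("./displayData/name"),
                          "layer": flt.findtext("layerKey"),
                          "app": (cond.findtext("./conditionValue/byteBlob/asString") or "").lower()})
    return found


def new_app_block_filters(xml_text, baseline_keys):
    """Change-audit view: app-scoped BLOCK filters whose key was not present in the baseline snapshot."""
    return [f for f in app_block_filters(xml_text) if f["key"] not in baseline_keys]
```

Any filter returned by `new_app_block_filters` is worth reviewing against the application it targets; a block on a security agent's own executable is the pattern the page describes.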


Netsh Interface Portproxy [coming soon]

Netsh interface portproxy forwards TCP connections from one address and port to another, including between IPv4 and IPv6 networks and applications. This allows malicious users or applications to pivot and reach networks or services that are not usually accessible. These new rules report when a new port proxy is added to the system.


Summary

To gain access to this new content, Tripwire Enterprise users must install the latest version of the Critical Change Audit rule set. Once installed, these changes allow a Tripwire Enterprise admin to determine whether a critical event has occurred.

Interested in the difference between a critical change audit and a change audit? Click here! 

If you’d like to learn more about our services, you can contact us by following this link.
