Category Archives: McAfee

Mastering the Endpoint, A Forrester Report

Category : McAfee

Organizations now monitor 10 different security agents on average, and swivel between at least five different interfaces to investigate and remediate incidents. Learn how to master endpoint security with these recommendations from Forrester.

Please download the Forrester report.

Network Security in the Amazon Web Services Cloud – It’s Your Responsibility!

There is a presiding notion that because established cloud providers such as Amazon deliver enterprise-class infrastructure, security is “taken care of.” When you set up your workloads in AWS, you hopefully configure available settings like access control and firewall port restrictions. That’s all good, and necessary! But outside of the cloud, would that ever be enough?

Hopefully your answer is no. And Amazon agrees. As a customer or prospective user of AWS, you should familiarize yourself with what is known as the “Shared Responsibility Model”, essentially stating where Amazon’s security ends, and your responsibility begins. Here’s their graphical representation:

Fig. 1 The AWS Shared Responsibility Model. For more visit

If you’re familiar with data center security, server security, or security for virtualized infrastructure, you’re probably not surprised with this breakdown. Encrypting data, running host-based anti-malware, and configuring access control are staples of your practice.

Let’s not forget – the cloud has a network too. It is susceptible to the same threats as your own datacenter network, plus others specific to the cloud. Advanced malware can reach your AWS workloads through network traffic, along with cross-site scripting, botnet, and SQL injection attacks. Cloud infrastructure also has its own vulnerabilities – if one virtual server in AWS is compromised, the malware can potentially roam to other vulnerable servers in the same environment. This lateral path is known as “east-west” network traffic, and it is much more prominent in virtualized environments. Additionally, there are unique management challenges in the cloud, such as orchestrating security controls across a dynamically changing environment and automating that process. Not to mention simply gaining visibility into what workloads are being spun up by your organization!

Moving workloads to the cloud confidently means solving these security challenges as you plan your deployment, not after. If you’re responsible for data center and cloud infrastructure, bring your security team in early. Security professionals – don’t assume security in the cloud will hold back the agility your organization needs.

Stay tuned for part 2 of this short series on protecting cloud networks in AWS for our technology recommendations, and a new way to kick the tires with no investment required.



New Surveillance Malware “FruitFly” Is a Nearly Undetectable Mac Backdoor

Mac malware outbreaks used to be viewed as a rarity. However, the last few years have seen Mac-focused threats steadily on the rise. In fact, our McAfee Labs Quarterly Threats Report showed instances of Mac malware growing by a huge 744% in 2016. Fast forward to the summer of 2017, and a new and powerful strain of Mac malware has hit the scene. Named FruitFly, the threat has only recently been detected by researchers, despite being around for years. The malware is highly-invasive and capable of taking complete control of an infected Mac.

FruitFly works as a traditional RAT (remote access trojan). Once it infects a Mac, the RAT opens a backdoor and lets the attacker control the infected device through a command and control (C&C or C2) server that sends it system commands. These commands include taking screenshots of the display, remotely switching on the webcam, and modifying files. What’s more — later versions of FruitFly appear able to control mouse movements and interactions with the infected machine.

Though powerful, FruitFly is largely old-fashioned. It is partly written in Perl, a programming language that is no longer commonly used. Additionally, FruitFly samples contain open source libjpeg code, which lets programmers handle the JPEG image format and dates back to at least 1998. This all suggests the programmers have been around for some time.

Who has been impacted by FruitFly so far? Fortunately, only a small number of users are known to have been targeted by the old and new variants. Biomedical personnel were the main target of the first variant, and home users were the target of the later variant. However, smaller, tailored FruitFly campaigns may persist for a while, which means all Mac users need to be vigilant. Additionally, much of the code written for FruitFly is cross-platform, meaning it can also run on Linux. While the current version does not run fully on Linux, only a few changes would be needed to make it viable. This suggests a Linux variant may exist or is planned.

The good news is there are a few things users can do to stay protected from FruitFly. First off, users can protect against older variants just by updating a Mac to include the latest patch. Newer variants still require detection and prevention, which means users need to run up-to-date security products.

For McAfee customers – our solutions detect both the dropper and the sample itself for both the old and new variants. The latter is detected using our cloud technology, Artemis.


Author: Charles McFarland

Threats are changing. Your SOC should, too.

Analytics-driven. Human+machine teaming. The next evolution.

Disrupting the Disruptors, Art or Science?

A study of more than 700 IT and security professionals around the world found that 71% of the most mature SOCs closed threat cases in less than a week, compared with less mature SOCs that took an average of one to four weeks to close investigations. In our “Disrupting the Disruptors, Art or Science?” report, learn how the more advanced SOCs have added proactive threat hunting capabilities and adopted an automated and analytics-driven approach that disrupts cybercriminals and throws them off their game.

Please complete the form to download the report.

Disrupting the Disruptors, Art or Science?

Security professionals are in a fight every day to track down criminals who would disrupt governments, businesses, institutions, and lives. Attackers nearly always have the element of surprise in their favor.

But is there a way to turn the tables on these digital thieves? Can we learn how to disrupt the disruptors? New evidence shows that, as security operations teams add proactive threat hunting capabilities and mature their security infrastructure with an automated and analytics-driven approach, they can begin to throw the attackers off their footing.

A study of more than 700 IT and security professionals around the world provides some useful insights and lessons for organizations that are looking to better understand and enhance their threat hunting capabilities. Threat hunting is loosely defined in practice, and most organizations believe they have threat hunters, though many lack formal programs and prioritize other activities over hunting.

Disrupting the Disruptors

McAfee June Threats Report

Malware evasion techniques and trends

Malware developers began experimenting with ways to evade security products in the 1980s, when a piece of malware defended itself by partially encrypting its own code, making the content unreadable by security analysts.
Today, there are hundreds, if not thousands, of anti-security, anti-sandbox, and anti-analyst evasion techniques employed by malware authors.
In this Key Topic, we examine some of the most powerful evasion techniques, the robust dark market for off-the-shelf evasion technology, how several contemporary malware families leverage evasion techniques, and what to expect in the future, including machine learning evasion and hardware-based evasion.

Hiding in plain sight: The concealed threat of steganography

Steganography has been around for centuries. From the ancient Greeks to modern cyberattackers, people have hidden secret messages in seemingly benign objects. In the digital world, those messages are most often concealed in images, audio tracks, video clips, or text files. Attackers use digital steganography to pass information by security systems without detection.
In this Key Topic, we explore the very interesting field of digital steganography. We cover its history, common methods used to hide information, its use in popular malware, and how it is morphing into networks. We conclude by providing policies and procedures to protect against this form of attack.

The growing danger of Fareit, the password stealer

People, businesses, and governments increasingly depend on systems and devices that are protected only by passwords. Often, these passwords are weak or easily stolen, creating an attractive target for cybercriminals. We dissect Fareit, the most famous password-stealing malware.
In this Key Topic, we cover its origin in 2011 and how it has changed since then; its typical infection vectors; its architecture, inner workings, and stealing behavior; how it evades detection; and its role in the Democratic National Committee breach before the 2016 U.S. Presidential election. We also offer practical advice on avoiding infection by Fareit and other password stealers.

McAfee Labs Threats Report June 2017

The Power of an Integrated UEBA/SIEM Solution

If you’ve read our previous blog, “Leveraging UEBA Capabilities in Your Existing SIEM,” you understand how McAfee Enterprise Security Manager can perform many essential UEBA functions leveraging its built-in advanced analytics and behavior modeling.

Doing It Better Together

For several specific use cases, you may find that you need a third-party UEBA product. Fortunately, through the McAfee ecosystem approach to security, you can integrate UEBA solutions from other vendors for expanded visibility of McAfee Enterprise Security Manager’s user monitoring and analytics. Such tight integrations with McAfee Enterprise Security Manager optimize security operations by:

  • Adding user and entity threat data to McAfee Enterprise Security Manager’s threat and contextual parameters to trigger rapid response actions, such as policy changes, alerts, and escalations.
  • Leveraging response activities for deeper forensic investigations.
  • Enabling enhanced reporting, visibility, and management. Data collected by the UEBA solution can be sent to the McAfee Enterprise Security Manager reporting engine, which can then create visualizations of that information and synthesize it within its existing operational reports, dashboards, and workflows.

The McAfee and UEBA Vendor Partnerships

McAfee Security Innovation Alliance partnerships include numerous UEBA vendors that offer an advanced UEBA solution with a flexible analytics engine covering insider threats, targeted attacks, and unknown threats. These smart and powerful platforms utilize machine learning and advanced analytics models that are well suited for large, complex enterprise environments.

McAfee Enterprise Security Manager and UEBA vendor integrations increase visibility to:

  • Insider threats across endpoints, servers, networks, and log data: It connects high-risk actions to users and provides clear context.
  • Privileged accounts: Time, authentication, access, application usage, and data movement are monitored and compared to baseline behavior parameters.
  • Targeted attacks: It quickly surfaces attack paths as they unfold, including malware that propagates laterally.
  • Healthcare compliance: Policy violations and risky user behaviors are identified by monitoring users, files, applications, and all types of medical and computing devices.

UEBA solution integrations with both the McAfee Enterprise Security Manager SIEM solution and the McAfee Data Exchange Layer threat intelligence sharing fabric can identify indicators of attack and feed those back into the SIEM to facilitate threat hunting. False positives are minimized, and analysts can focus on high-priority actionable items. In effect, these integrations create a closed-loop system, with continuous interaction between the products. Integration with McAfee Data Exchange Layer enables and accelerates communication of threat intelligence across multiple security solutions. This can dramatically speed detection and remediation across the entire enterprise security ecosystem, supporting the entire threat lifecycle.

Learn more about how McAfee Enterprise Security Manager can be leveraged to perform UEBA functions in our white paper, Entity Behavior Analytics for McAfee Enterprise Security Manager. Also, explore the UEBA vendors who are part of the McAfee Security Innovation Alliance.



Defending against the latest Petya variants

A 60-minute pre-recorded webinar, available on demand.

New variations on old attacks have challenged cybersecurity professionals in recent days. Get the latest on how to protect your business from the modified version of Petya ransomware.
McAfee engineers Mo Cashman and Martin Ohl, along with McAfee Labs VP Vincent Weafer, have recorded this late-breaking and most up-to-date discussion of the situation, along with best-practice advice for future protection. In this session, they cover:

  • The attack timeline
  • What makes this ransomware attack unique
  • Technical analysis of the attack and defense
  • Future strategies for protection

Read McAfee’s current analysis of the Petya variant attack on our Securing Tomorrow blog.

Security for Amazon Web Services (AWS)

Advanced Security for Amazon Web Services

Moving infrastructure to the cloud makes you more agile, delivers scalability that is unfathomable on your own, and takes away the need to maintain the physical elements of your servers. Amazon Web Services (AWS) solves a lot of your problems, but what about security?

AWS covers a lot, specifically security “of” the cloud, essentially the backbone. You are, however, responsible for security “in” the cloud, including your operating systems, applications, and data traffic. Amazon explains this shared responsibility model here. Firewall configurations are important, but relying on these basic controls alone can leave you open to advanced malware, along with new vulnerabilities specific to the cloud such as lateral, east-west intrusion across workloads.

Extending advanced security to cloud infrastructure in AWS doesn’t have to mean a completely new security practice. With McAfee, you can use a familiar security management interface, McAfee Network Security Manager (NSM), to extend security to the AWS cloud. Managed by NSM, McAfee Virtual Network Security Platform (vNSP) can be deployed to cloud networks to prevent threats like zero-day malware, SQL injection, east-west lateral intrusion, and much more. If you’ve already invested in on-premises McAfee Network Security Platform technology, you can manage everything from NSM, giving you complete visibility and control over your networks, from data center to cloud.

Protect Your AWS Cloud with McAfee

Access our limited-time free trial to test drive McAfee Virtual Network Security Platform (vNSP) with an Amazon EC2 workload for a hands-on experience running advanced security in the public cloud.

Get Access

A 72-hour trial gives you access to live instances of both McAfee Virtual Network Security Platform and Amazon EC2.

Set Up

Set up is automated. Once you launch the test drive, the system will take just a few minutes to spin up your instances.

Test Drive

Begin by completing the free trial form, which will kick off your access to the test drive experience. Access approvals will be completed within 24 hours.

How to Protect Against Petya Ransomware in a McAfee Environment

A new variant of the ransomware Petya (also called Petrwrap) began spreading around the world on June 27. Petya is ransomware that exploits the vulnerability CVE-2017-0144 in Microsoft’s implementation of the Server Message Block protocol. This ransomware encrypts the master boot records of infected Windows computers, making the machines unusable.

The initial attack vector is unclear, but aggressive worm-like behavior helps spread the ransomware. (Read McAfee’s detailed technical analysis of the Petya ransomware.)

Microsoft released a set of critical patches on March 14 to remove the underlying vulnerability in supported versions of Windows, but many organizations may not yet have applied these patches.

How McAfee products can protect against Petya ransomware

As with WannaCry and other similar attacks, a layered, integrated cyber defense system that combines advanced analytics, threat intelligence, signatures, and human expertise is the best way to protect your business against emerging threats. McAfee’s collaborative cyber defense system leads the way for enterprises to protect against emerging threats such as Petya ransomware, remediate complex security issues, and enable business resilience. By empowering integrated security platforms with advanced malware analytics and threat intelligence, our system provides adaptable and continuous protection as a part of the threat defense life cycle.

Attacks like Petya and its future variants cannot win against a collaborative cybersecurity ecosystem that works as a team and empowers protective tools to make better decisions at the point of attack.

McAfee offers early protection for components of the initial Petya attack in the form of advanced malware behavior analysis with Real Protect Cloud and the brand-new Dynamic Neural Network (DNN) analysis techniques available in McAfee Advanced Threat Defense (ATD). ATD 4.0 introduced a new detection capability using a multilayered, back-propagation neural network (DNN) leveraging semisupervised learning. DNN looks at certain features exercised by a malware to come up with a positive or negative verdict to determine whether the code is malicious.

Whether in standalone mode or connected to McAfee endpoint or network sensors, ATD combines threat intelligence with sandbox behavior analysis and advanced machine learning to provide zero-day, adaptable protection. Real Protect, part of the Dynamic Endpoint solution, also uses machine learning and link analysis to protect against malware without signatures and provide rich intelligence to the Dynamic Endpoint and the rest of the McAfee ecosystem. Real Protect combined with Dynamic Application Containment provided early protection against Petya.

Multiple McAfee products provide additional protection to either contain the attack or prevent further execution. This post provides an overview of those protections with the following products:

McAfee Endpoint Security

Threat Prevention

Systems using McAfee ENS 10 are protected from known samples and variants with both signatures and Threat Intelligence.

Adaptive Threat Protection

  • Adaptive Threat Protection (ATP), with rule assignment configured in “Balanced” mode (the default in the ATP\Options\Rule Assignment setting), will protect against both known and unknown variants of the Petya ransomware.
  • The ATP module protects against this unknown threat with several layers of advanced protection and containment:
    • ATP Real Protect Static uses client-side pre-execution behavioral analysis to monitor unknown malicious threats before they launch.
    • ATP Real Protect Cloud uses cloud-assisted machine learning to identify and clean the threat, as shown below:

  • ATP Dynamic Application Containment (DAC) successfully contains the threat and prevents any potential damage from occurring (DAC events noted below):

Advanced Threat Defense

  • McAfee Advanced Threat Defense (ATD) 4.0 with Deep Neural Network and Dynamic Sandbox identified the threat and proactively updated the cyber defense ecosystem:

McAfee Enterprise Security Manager

McAfee Enterprise Security Manager (ESM) is a security information and event management solution that delivers actionable intelligence and integrations to prioritize, investigate, and respond to threats. The Suspicious Activity Content Pack and Exploit Content Pack for McAfee ESM have been updated with WannaCry-specific rules, alarms, and watchlists so you can find and identify possible infections. These updates will also help protect against Petya. Both packs are available for download in the McAfee ESM console at no cost. Default correlation rules in McAfee ESM can also alert users of increased levels of horizontal SMB scans.
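As an added illustration of what a horizontal SMB-scan correlation rule of the kind mentioned above looks for, the Python below applies a sliding-window count of distinct TCP/445 destinations per source to a constructed connection log. It is example code, not McAfee ESM code or rule syntax; the log format, addresses and thresholds are assumptions.

```python
"""Horizontal SMB-scan correlation over constructed connection logs.

Added example, not McAfee ESM code: a rule in the spirit of the default
ESM correlation rule the post mentions, alerting when one source reaches
many distinct hosts on TCP/445 inside a short window (the east-west
spread pattern of Petya). Log format, addresses and thresholds are
assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, time-ordered flow log (not real traffic), one event per
# line: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.0.5 10.0.0.21 445 allow
2017-06-27T10:00:02 10.0.0.5 10.0.0.22 445 allow
2017-06-27T10:00:02 10.0.0.9 10.0.0.50 445 allow
2017-06-27T10:00:03 10.0.0.5 10.0.0.23 445 deny
2017-06-27T10:00:04 10.0.0.12 10.0.0.60 445 allow
2017-06-27T10:00:05 10.0.0.5 10.0.0.24 445 deny
2017-06-27T10:00:06 10.0.0.5 10.0.0.40 80 allow
2017-06-27T10:00:07 10.0.0.9 10.0.0.50 445 allow
2017-06-27T10:00:08 10.0.0.5 10.0.0.25 445 allow
2017-06-27T10:03:00 10.0.0.12 10.0.0.61 445 allow
2017-06-27T10:06:00 10.0.0.12 10.0.0.62 445 allow
2017-06-27T10:09:00 10.0.0.12 10.0.0.63 445 allow
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_horizontal_smb_scans(lines, threshold=5, window_seconds=60):
    """Alert once per source that contacts `threshold` distinct hosts
    on port 445 within a sliding `window_seconds`. Lines must be time-
    ordered. Allowed and denied connections both count: a worm probing
    a subnet produces many refused attempts, and those are the signal.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> (ts, dst) events still in window
    alerted, alerts = set(), []
    for line in lines:
        ts, src, dst, port, _action = parse_line(line)
        if port != 445:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Evict stale events so slow, legitimate admin traffic never
        # accumulates into an alert; q is non-empty after the append.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"src": src,
                           "window_start": q[0][0].isoformat(),
                           "distinct_hosts": len(distinct)})
    return alerts


def run_demo():
    """Default rule over SAMPLE_LOG: only 10.0.0.5 trips it."""
    return detect_horizontal_smb_scans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

With the default one-minute window, 10.0.0.12 (four hosts over nine minutes) stays silent; widening the window to 15 minutes and lowering the threshold to four surfaces it as well, which is the tuning trade-off any such rule carries.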

Similar to WannaCry, the Petya attack presents a learning opportunity for security operations center analysts. Understanding and automating these best practices will help you handle the next fast-moving attack.

McAfee Web Gateway

McAfee Web Gateway (MWG) is a product family (appliance, cloud, and hybrid) of web proxies that provides another potential layer of protection against Petya variants delivered through the web (HTTP/HTTPS) using multiple real-time scanning engines. Known variants will be blocked by GTI reputation and antimalware scanning as web traffic is processed through the proxy.

The Gateway Anti-Malware (GAM) engine within MWG provides effective prevention of “zero-day” variants that have not yet been identified with a signature through GAM’s process of behavior emulation, conducted on files, HTML, and JavaScript. Emulators are regularly fed intelligence by machine learning models. GAM runs alongside GTI reputation and antimalware scanning as traffic is processed.

Coupling MWG with ATD allows for further inspection and an effective prevention and detection approach.

McAfee products using DAT files

McAfee released an Extra.DAT to include coverage for Petya. McAfee also released an emergency DAT to include coverage for this threat. Subsequent DATs will include coverage. The latest DAT files are available via Knowledge Center article KB89540.