Table of Contents

HOL-2042-01-NET - Secure Data Center Endpoints with VMware AppDefense (page 2)
Lab Guidance (page 3)
Module 1 - Overview of VMware AppDefense (15 minutes) (page 9)
AppDefense Platform Overview (page 10)
Module 2 - Exploring and Utilizing the AppDefense Platform (45 minutes) (page 16)
Prepare and Explore the Lab (page 17)
Explore AppDefense in vCenter Server and AppDefense Appliance (page 23)
Explore AppDefense Manager (page 40)
Create and Delete an AppDefense Security Scope (page 50)
Examine Security Scope (page 58)
Learn New Behavior in Discovery Mode (page 64)
Move Security Scope to Protected Mode (page 70)
Examine AppDefense Integration with NSX (page 76)
Attack the Application and Validate Automated Response (page 82)
Upgrade Application Component (page 102)
Conclusion (page 112)



HOL-2042-01-NET - Secure Data Center Endpoints with VMware AppDefense


Lab Guidance

Note: There are only two modules in this lab. The expected time of completion is 45-60 minutes.

The Table of Contents can be accessed in the upper right-hand corner of the Lab Manual.

VMware AppDefense is a data center endpoint security product that protects applications running in virtualized environments. Rather than chasing after threats, AppDefense understands an application's intended state and behavior, then monitors for changes to that intended state that indicate a threat. When a threat is detected, AppDefense automatically responds. This maximizes efficiency and effectiveness in Security Operations. It also streamlines the application security readiness review process.

Lab Module List:

• Module 1 - Overview of VMware AppDefense (15 minutes) - Basic - This module will walk through the structure of the platform.

• Module 2 - Exploring and Utilizing the AppDefense Platform (45 minutes) - Basic - This module will walk through the creation of a security scope. Secondly, you will monitor the application after various attacks have been made. Finally, you will perform remediation, quarantine, and upgrade actions.

Lab Captains & Support:

• Jitender Kumar, Staff Solution Architect - ACE
• Wen Bin Tay, Solution Engineer

This lab would not have been possible without the dedication of the AppDefense engineering team. Their support and assistance to make this something suitable for the VMworld HOL environment was instrumental. We would like to thank the following members:

• Simon Momber, Senior Technical Marketing Architect
• Nolan Karpinski, Senior Product Manager - NSBU Security
• Heng Jun Tian, Staff Engineer - NSBU Security
• Mani Devarajan, Staff Engineer - NSBU Security
• Leanne Jones, Senior Content Architect

This lab manual can be downloaded from the Hands-on Labs Document site found here: http://docs.hol.vmware.com

This lab may be available in other languages. To set your language preference and have a localized manual deployed with your lab, you may use this document to guide you through the process:

http://docs.hol.vmware.com/announcements/nee-default-language.pdf

Location of the Main Console

1. The area in the RED box contains the Main Console. The Lab Manual is on the tab to the right of the Main Console.

2. A particular lab may have additional consoles found on separate tabs in the upper left. You will be directed to open another specific console if needed.

3. Your lab starts with 90 minutes on the timer. The lab cannot be saved. All your work must be done during the lab session. But you can click EXTEND to increase your time. If you are at a VMware event, you can extend your lab time twice, for up to 30 minutes. Each click gives you an additional 15 minutes. Outside of VMware events, you can extend your lab time up to 9 hours and 30 minutes. Each click gives you an additional hour.

Alternate Methods of Keyboard Data Entry

During this module, you will input text into the Main Console. Besides directly typing it in, there are two very helpful methods of entering data which make it easier to enter complex data.


Click and Drag Lab Manual Content Into Console Active Window

You can also click and drag text and Command Line Interface (CLI) commands directly from the Lab Manual into the active window in the Main Console.

Accessing the Online International Keyboard

You can also use the Online International Keyboard found in the Main Console.

1. Click on the Keyboard Icon found on the Windows Quick Launch Task Bar.


Click once in active console window

In this example, you will use the Online Keyboard to enter the "@" sign used in email addresses. The "@" sign is Shift-2 on US keyboard layouts.

1. Click once in the active console window.
2. Click on the Shift key.

Click on the @ key

1. Click on the "@ key".

Notice the @ sign entered in the active console window.


Activation Prompt or Watermark

When you first start your lab, you may notice a watermark on the desktop indicating that Windows is not activated.

One of the major benefits of virtualization is that virtual machines can be moved and run on any platform. The Hands-on Labs utilizes this benefit and we are able to run the labs out of multiple datacenters. However, these datacenters may not have identical processors, which triggers a Microsoft activation check through the Internet.

Rest assured, VMware and the Hands-on Labs are in full compliance with Microsoft licensing requirements. The lab that you are using is a self-contained pod and does not have full access to the Internet, which is required for Windows to verify the activation. Without full access to the Internet, this automated process fails and you see this watermark.

This cosmetic issue has no effect on your lab.

Look at the lower right portion of the screen


Please check that your lab has finished all the startup routines and is ready for you to start. If you see anything other than "Ready", please wait a few minutes. If after 5 minutes your lab has not changed to "Ready", please ask for assistance.


Module 1 - Overview of VMware AppDefense (15 minutes)


AppDefense Platform Overview

In this section, you will read about VMware's new AppDefense security platform.

Description

AppDefense is a data center endpoint security product that embeds threat detection and response into the virtualization layer, where applications and data live. Leveraging VMware AppDefense delivers three key advantages over existing endpoint security solutions:

Authoritative knowledge of application intended state - When you know what's good, you can detect what's bad.

From inside the vSphere hypervisor, AppDefense has an authoritative understanding of how data center endpoints are meant to behave and is the first to know when changes are made. This contextual intelligence removes the guesswork involved in determining which changes are legitimate and which are real threats. AppDefense does not look at a guest workload in isolation. Instead, it manages workloads as part of broader Security Scopes. These scopes allow AppDefense to have a deeper understanding of complex interactive behaviour patterns in the data center as opposed to simply individual machine behaviour.

Automated, precise threat response - The right response at the right time. When a threat is detected, AppDefense can trigger vSphere and VMware NSX to orchestrate the correct response to the threat, without the need for manual intervention. For example, AppDefense can automatically:

• Alert you to this new behaviour
• Block process communication
• Snapshot the VM's Memory and Disk for forensic analysis
• Suspend the VM
• Shut down the VM


Isolation from the attack surface - Protect the protector. The first thing that most malware variants do when they reach an endpoint is disable anti-virus and other agent-based endpoint security solutions. The hypervisor provides a protected location from which AppDefense can operate, ensuring that even if an endpoint is compromised, AppDefense itself is protected.
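The intended-state model described above (learn a Security Scope's allowed behaviour in Discovery mode, then treat anything else as a deviation in Protected mode and map it to an automated response) as an added toy illustration; this is not AppDefense's code or data model. The scope name, VM names and the 192.168.110.x addresses come from this lab, while the process names, ports, the 203.0.113.10 destination and the response policy are constructed assumptions.

```python
# Toy model of an intended-state security scope: record allowed behaviour in
# Discovery mode, then flag and respond to deviations in Protected mode.
# Constructed illustration; not AppDefense's code or data model.
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    DISCOVERY = "discovery"   # everything observed becomes intended behaviour
    PROTECTED = "protected"   # anything not recorded is a deviation


class Response(Enum):
    ALERT = "alert"
    BLOCK = "block"           # block the process's network communication
    SNAPSHOT = "snapshot"     # capture memory and disk for forensic analysis
    SUSPEND = "suspend"
    SHUTDOWN = "shutdown"


@dataclass(frozen=True)
class Event:
    """One observed outbound connection attempt by a process inside a VM."""
    vm: str
    process: str
    dest_ip: str
    dest_port: int


# Assumed response policy per deviation kind (a real deployment would pick
# these per scope; the choice here is only illustrative).
DEFAULT_POLICY = {
    "unknown_process": [Response.ALERT, Response.SNAPSHOT, Response.SUSPEND],
    "unexpected_connection": [Response.ALERT, Response.BLOCK],
}


class SecurityScope:
    def __init__(self, name, policy=None):
        self.name = name
        self.mode = Mode.DISCOVERY
        self.allowed = set()             # learned (vm, process, ip, port) tuples
        self.policy = policy or DEFAULT_POLICY
        self.alerts = []                 # (event, deviation kind) raised so far

    def set_mode(self, mode):
        self.mode = mode

    def known_processes(self, vm):
        """Processes the scope has ever seen communicating from this VM."""
        return {e.process for e in self.allowed if e.vm == vm}

    def classify(self, ev):
        # A process never seen on this VM is a bigger deviation than a known
        # process talking to a new destination.
        if ev.process not in self.known_processes(ev.vm):
            return "unknown_process"
        return "unexpected_connection"

    def observe(self, ev):
        """Return None if the event is intended, else (kind, responses)."""
        if self.mode is Mode.DISCOVERY:
            self.allowed.add(ev)
            return None
        if ev in self.allowed:
            return None
        kind = self.classify(ev)
        self.alerts.append((ev, kind))
        return (kind, self.policy[kind])


def build_demo_scope():
    """Learn a constructed three-tier baseline, then switch to Protected mode."""
    scope = SecurityScope("Corde's Cord App")
    baseline = [                          # constructed sample traffic
        Event("web-01", "httpd", "192.168.110.176", 8080),   # web -> app
        Event("app-01a", "java", "192.168.110.178", 3306),   # app -> db
        Event("app-01b", "java", "192.168.110.178", 3306),
    ]
    for ev in baseline:
        scope.observe(ev)
    scope.set_mode(Mode.PROTECTED)
    return scope


def run_demo():
    """Feed three constructed events to the protected scope and return verdicts."""
    scope = build_demo_scope()
    probes = [
        Event("app-01a", "java", "192.168.110.178", 3306),     # intended
        Event("app-01a", "java", "203.0.113.10", 443),         # new destination
        Event("db-01", "powershell.exe", "203.0.113.10", 443), # new process
    ]
    return [scope.observe(ev) for ev in probes]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```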

AppDefense in Action

AppDefense is a foundational security product that has a wide-reaching impact on an organization's security strategy.

Application-centric alerting for the Security Operations Center (SOC) - AppDefense doesn't produce a lot of alerts, but when it raises the alarm it's smart to listen. The authoritative alerts generated by AppDefense, coupled with automated response capabilities, allow security administrators to focus on catching and eradicating threats from their environment, rather than sifting through noisy data and investigating threats that aren't there.

Transforming application security readiness reviews - In the world of modern application development, applications are launched, changed, and decommissioned rapidly. By the time a security team learns of the existence of a new application, it has often already changed. AppDefense creates a common source of truth between the application team and the security teams, streamlining the security review process.

Application-Centric Security with VMware

VMware has changed the face of network security with our network virtualization platform, VMware NSX, and its ability to enable micro-segmentation across the data center. NSX architects network and security services such as firewalling directly into the hypervisor, enabling a least privilege model for the network. The net outcome is that network security teams can prevent threats from moving laterally within their environments.

AppDefense layers threat detection and response capabilities into another core area of the infrastructure, enabling a least privilege model for data center endpoints. Should a threat make it onto an endpoint, AppDefense will immediately detect the threat and automatically respond with precision. Together, NSX and AppDefense offer a robust solution for securing the application infrastructure and thus the applications and data that live there.

Architecture


AppDefense Manager

The AppDefense Manager is a multi-tenant cloud service that delivers the complete AppDefense feature set. You can use the AppDefense Manager to define the intended behavior and protection rules of your applications and then monitor security events and alerts in real time. In addition to management capabilities, the AppDefense Manager provides process reputation services, machine learning capabilities, and other additional visibility features for your environment.

AppDefense Plug-in

The AppDefense Plug-in provides improved life cycle management and real-time visibility directly in the vCenter Server. The plug-in provides direct visibility into processes and network connections running on a given virtual machine. It also provides reputation information to ensure that those behaviors are trusted. The AppDefense Plug-in works in concert with the AppDefense Service to provide visibility and control for the entire security team.

On-Premises AppDefense Appliance

AppDefense Appliance is an on-premises control point for ingress and egress of data from and to the AppDefense Manager. It brokers connections to the VMware management components like vCenter Server and makes outbound connections to the AppDefense Manager.

AppDefense Host Module

The AppDefense Host Module is a standard VMware Integration Bundle (VIB) that is deployed on the ESXi host in order to support AppDefense. The Host Module enables virtual machines (VMs) on that host to deploy and run AppDefense. For Windows environments, the Host Module also monitors and ensures the integrity of the Guest Module installed on the VM.

AppDefense Guest Module

The AppDefense Guest Module is also required on each VM, delivered with VMware Tools (Windows-only) or a one-click installation. The Guest Module collects guest context from the VM and communicates directly with the AppDefense Host Module.

vCenter Server

vCenter Server is used to gather inventory data on the customer's site. This inventory data is used for the security scope assignment, guest readiness (based on OS information), and guest-to-host assignment. AppDefense can also use vCenter Server to perform remediation actions in response to security events, such as suspending a guest.

NSX Data Center for vSphere (Optional Component)

NSX can be used as an optional remediation channel for AppDefense. If any of the protection rules are violated, NSX can be used to automatically or manually quarantine the machines.

vRealize Automation (Optional Component)

vRealize Automation can be optionally used to capture the application context at provisioning time from the Application blueprint.

AppDefense Capabilities

The AppDefense platform provides:

• Application Control - Comprehensive viewing and grouping of workloads in the datacenter, their intended state, and allowed behaviour

• Run-Time Anomaly Detection & Control - Monitor the real-time state of the OS and user application; alert on and control process, network and kernel events

• Process Analysis - The built-in process analysis engine gives an overall process maliciousness rating as well as specific traits that are potentially suspicious

• Orchestrated Remediation - Full visibility into the virtual infrastructure, as well as the guest OS and application stack, provides a more effective way to orchestrate specific and relevant remediation during a security incident.

AppDefense's operation from within the hypervisor also provides protection and abstraction not available with traditional end-point protection platforms, creating the most effective least-privilege model for the application layer.

Protection of the Protector in a Separate "Trust Zone"

• Full code and data protection on the VMware kernel module early during the boot sequence

• Monitoring of pre-loaded drivers and code pages that are inserted by the OS prior to the module starting in the guest OS

Kernel Level Monitoring

• Monitor every load/unload event in the guest
• Verify signatures of loaded modules and compare code state in memory to disk state to prevent tampering
• Place a memory trace on every bit of kernel code pages for instant notification of tampering


Memory and Process Monitoring

• Monitor guest physical/virtual page table mapping to ensure a consistent view from both inside and outside the guest OS

• Keep a shadow copy of the guest process tables in the hypervisor to ensure guest consistency

Unlike other endpoint security products, AppDefense is isolated from the attack surface without sacrificing the context necessary to provide accurate security alerts. Furthermore, AppDefense works with NSX and other infrastructure control points to automate the response to detected threats, minimizing the potential for data exfiltration and the impact to the business.

Conclusion

Congratulations on completing Module 1 - An overview of the VMware AppDefense Platform.

Proceed to the next module.

Lab Module List:

Module 1 - Overview of VMware AppDefense (15 minutes) - Basic - This module will walk you through the structure of the platform.

Module 2 - Exploring & Utilizing the AppDefense Platform (45 minutes) - Basic - This module will walk you through the creation of a security scope. Secondly, you will monitor the application after various attacks have been made. Finally, you will perform remediation, quarantine and upgrade actions.

How to End Your Lab

If you would like to end the lab now, you can simply click the "End" button in the upper part of your screen. Otherwise, please proceed to Module 2.


Module 2 - Exploring and Utilizing the AppDefense Platform (45 minutes)


Prepare and Explore the Lab

In this section, we will be preparing the lab for us to learn more about AppDefense. While we are preparing the lab, we will explore the environment (hosts and VMs) in the lab.

Open Google Chrome

1. Open Google Chrome on the desktop


Perform Student Check-In

1. Click on Student Check-In
2. Enter your email address
3. Click on Search
4. Click on Click here to start the preparation workload

The preparation workflow will invoke a script to configure the parameters on the AppDefense appliance.


Start Preparation Workflow

A new window will pop up, showing the status of the preparation script. It will take approximately 5-7 minutes for the preparation workflow to complete.

IMPORTANT: Do not close the window or refresh the browser.

Let's access vSphere Web Client and review vCenter Server Inventory while we wait.

Access vSphere Web Client - vCenter Server

1. Open new browser tab
2. Click on vSphere - vCenter


Login to vSphere Web Client

1. Enter [email protected] as the user name
2. Enter VMware1! as the password
3. Click on Login


Review vCenter Server Inventory

The vCenter Server inventory contains the following objects:

• One logical datacenter named RegionA01
• One logical cluster named RegionA01-COMP01
• Two ESXi hosts named esx-01a.corp.local and esx-02a.corp.local
• Five Virtual Machines named app-01a, app-01b, core-A, db-01 and web-01

Nested Virtualization: For the purpose of this lab, the two ESXi hosts are actually running as nested virtualization. Nested virtualization means the ESXi hosts are running inside VMs instead of on bare-metal servers. Although nested virtualization is not supported for production, it is sufficient for running this lab, which is meant for learning AppDefense.

Corde's Cord App: In this lab, we have also provisioned a three-tier web application named Corde's Cord App. The VMs used in this three-tier web application are as follows:

• Web Tier - web-01 (192.168.110.175)
• App Tier - app-01a and app-01b (192.168.110.176 and 192.168.110.175)
• DB Tier - db-01 (192.168.110.178)

As we proceed with this lab, you will have hands-on experience of AppDefense's capabilities in alerting, monitoring and integration with NSX as we perform unauthorized and malicious actions on Corde's Cord App.


Preparation Workflow Has Completed

The window will show that the preparation workflow has completed. We can start performing the steps in this module to learn more about AppDefense.


Explore AppDefense in vCenter Server and AppDefense Appliance

In this section, we will explore the AppDefense Plugin in vCenter Server and the AppDefense Appliance.

Return to vSphere Web Client

1. Click on vSphere Web Client


Access AppDefense Plugin

1. Click on Menu
2. Click on AppDefense


AppDefense Dashboard

Online Trust Analysis - Helps in the analysis of the processes to display the reputation for all the processes that are monitored by AppDefense. The status is displayed as:

• Connected: If the status is connected, online trust analysis collects reputation from the Internet. Available for online and SaaS connectivity mode.

• Disconnected: Offline mode displays disconnected status.

AppDefense - Displays connection status with the AppDefense Manager when your connectivity mode is SaaS.

Hosts and VMs

• Host status can be: Connected, Disconnected or Unsupported
• VM status can be: Unsupported, Installed, Needs Upgrade


AppDefense Widgets

1. You may need to scroll down to see all four widgets

There are four widgets in the AppDefense Plugin in vCenter Server:

• Process Reputation
• Critical Vulnerabilities
• Windows ML Analysis
• Windows Integrity Checks

In the next few steps, we will explore Process Reputation and Critical Vulnerabilities.


Access Process Reputation

1. Click on VIEW ALL

Note: If you don't see suspicious behaviour, read through the image below and proceed to the next steps.


Access VM with Suspicious Process

You may need to scroll down to see the VM:

1. Click on app-01a


Review VM - Guest Monitoring

You will be able to review the processes running in the VM. Let's look at the suspicious process:

1. Click on powershell.exe

Review Suspicious Process

In this view, you will be able to review the details of the suspicious process.


Now we will use the AppDefense plugin to investigate servers with known vulnerabilities. The navigation is the same for all the widgets described on page 41.

Access AppDefense Plugin

1. Click on Menu
2. Click on AppDefense


Access Critical Vulnerabilities

1. Click on VIEW ALL


Review Critical Vulnerabilities

1. Click on Critical
2. Click on Windows OS
3. To see details of vulnerability CVE-2014-411 and its Risk score:
   ◦ Click on the "Down Arrow" to see the affected VMs for the stated vulnerability number
4. Expand Affected VMs
5. Click on db-01


Review VM - Vulnerabilities

In this view, you will be able to review the vulnerabilities of this VM.


Access AppDefense Plugin

1. Click on Menu
2. Click on AppDefense


AppDefense Widgets

We have explored Process Reputation and Critical Vulnerabilities.

For the Windows Integrity Checks widget, you may want to review it after completing a later section named "Attack the Application and Validate Automated Response" in this module. In that section, we will compromise the OS integrity of DB-VM, hence you will be able to see the alerts on the Windows Integrity Checks widget.

Next, we will explore the AppDefense Appliance.

Close vSphere Web Client

We will not need the vSphere Web Client until later in the lab, so let's close the browser tab.


1. Click on Close icon

Access AppDefense Appliance

1. Open new browser tab
2. Click on AppDefense Applia...

Proceed to AppDefense Appliance

1. Expand Advanced

2. Select Proceed to appdefense.corp.local (unsafe)

Login to AppDefense Appliance

1. Enter admin as the user name
2. Enter VMware1! as the password
3. Click on SIGN IN

Review AppDefense Registration

1. Click on Registration

NOTE: You may need to scroll down to see the NSX details.

Review the parameters configured by the preparation workflow:

• SSO lookup configuration
• vCenter Server details
• AppDefense Manager
• NSX details

IMPORTANT: Take note of the Manager UUID under the AppDefense Manager section. We will verify the Manager UUID when we login to the AppDefense Manager in the next section.

Explore AppDefense Manager

In this section, we will be exploring the AppDefense Manager.

Access AppDefense Manager

1. Open new browser tab
2. Click on AppDefense Manag...

AppDefense Manager Login Page

This is the login page for AppDefense Manager. Next, we will retrieve the email and password required for login.

Retrieve Username for Login

1. Return to the Student Check-In page
2. Copy the email address for AppDefense's login

IMPORTANT: Your assigned email address may be different from the above screenshot. Please use the email address assigned for your lab.

Show Password for Login

1. Return to the desktop and double-click on SHOW PASSWORD

Retrieve Password for Login

A window will pop-up for you to retrieve the password.

1. Press Enter to see password
2. Copy the password for AppDefense's login (the password is only six characters)
3. Press Enter to close the window

IMPORTANT: Please only copy the characters highlighted in green. Your password should only have six characters.

Login to AppDefense Manager

1. Return to the AppDefense Manager page
2. Paste the assigned email address
3. Paste the password
4. Click on SIGN IN

IMPORTANT: Your assigned email address may not be the same. If your login fails, please check your password. Your password should only have six characters.

Review AppDefense Dashboard

The AppDefense Manager is a multi-tenant cloud service that delivers the complete AppDefense feature set. You can use the AppDefense Manager to define the intended behavior and protection rules of your applications and then monitor security events and alerts in real time. In addition to management capabilities, the AppDefense Manager provides process reputation services, machine learning capabilities, and other additional visibility features for your environment.

However, the AppDefense Manager is running in a local instance within the VMware Hands-on Labs environment. Your assigned user is also created in its own tenant.

In the dashboard view, you are able to review the protection coverage, scopes in discovery, alerts, and provisioning events.

Close Information Pane

1. Select Close icon after acknowledging the information

Navigate to AppDefense Appliance

Move your mouse to the left-hand navigation bar and:

1. Click on Inventory
2. Click on Appliances

Review AppDefense Appliance

You may need to scroll right in the browser to see details of the AppDefense Appliance.

AppDefense Appliance is an on-premises control point for ingress and egress of data from and to the AppDefense Manager. It brokers connections to the VMware management components like vCenter Server and makes outbound connections to the AppDefense Manager.

Review and validate configurations of AppDefense Appliance:

• Status: Active
• Can connect to vCenter: Yes
• NSX Configured: Yes

The UUID is the same as the Manager UUID shown in the AppDefense Appliance in the previous steps.

Review Inventory

1. Click on Host to view inventory of ESXi Hosts
2. Click on VMs and then Assigned to view inventory of VMs

In this lab, we did not provision any containers, hence there is no inventory of containers.

Review Unassigned Members

1. Click on Unassigned

This view shows the VMs and containers in the inventory that are not assigned to any security scopes in AppDefense. It will also show the operational status of the host and guest modules of the unassigned VMs and containers.

The orange and red areas represent VMs and containers that are either in discovery mode or under protection.

Review Downloads

1. Click on Downloads

You may need to scroll right in the browser to see details of the Downloads.

The On-Prem build of the AppDefense Manager used in this lab does not support automatic downloads, so the image on this step is from the actual production cloud-based AppDefense Manager. You can see that all documentation, OVA files, VIBs and guest modules are available in the management portal itself.

Create and Delete an AppDefense Security Scope

A Security Scope in AppDefense is the foundational component that establishes what the intended state and specific allowed behaviors of an application should be. In this section, we will walk through the steps involved in creating and deleting an AppDefense Security Scope.

Scopes

1. Move your mouse over to the left-hand navigation bar and click Scopes

Review Security Scopes

You will notice that a security scope named Corde's Cords App has been created during the preparation workflow. We will review Corde's Cords App in the next section. In this section, you will create a new security scope and add members to the security scope. Finally, you will also learn how to delete the security scope.

1. Click on Plus icon (+)

A Security Scope defines the relevant configuration elements to protect an application and its constituent workloads. These configuration elements constitute a "blueprint" or "birth certificate" for the application. It contains a description, member workloads, rules and behaviors.

This is fundamental to the AppDefense philosophy. By focusing on applications as opposed to just individual endpoints, AppDefense derives a greater contextual knowledge of the intended state of the application.

Enter Name for Security Scope

1. Enter HOL-App as the Scope Name
2. Click on CREATE

Create a Service

1. At the bottom of the page, click Add Service

Provide Details for Service

1. Enter Core Tier as the Service Name
2. Select Other from the drop-down list
3. Click on NEXT

In the Service Description, you can specify other information of your choosing. This is not mandatory, but can be useful in operational environments to denote additional relevant information on the service.

Select Members of Service

1. Select core-A
2. Click on FINISH

Understand Behaviors of Service

Behaviors are process executions (CLIs) and network activities (inbound and outbound connections) exhibited within a service.

Once scopes and services are created, AppDefense enters Discovery Mode. AppDefense creates a list of allowed behaviors (for example ports and processes) to build a blueprint or a whitelist of the natural state of the application. The system dynamically populates allowed behaviors based on a runtime view of the application over a period. During this time, all relevant activity is recorded as the application is functioning.

During this time, no action is needed as AppDefense is learning the environment automatically.

In cases where you want to specifically define allowed behaviors, you have the option to EXPORT or ADD a behavior.

1. Note, you can click the X to clear the update message.

Scopes Dashboard

1. Click on Scopes

Delete HOL-App Scope

1. Click the three dots under the Actions menu for HOL-App
2. Select Delete Scope

Confirm Deletion of Security Scope

1. Click on DELETE

You have deleted your security scope as it is not needed in the other sections of the lab. In the next section, we will review Corde's Cords App, a security scope that was created during the preparation workflow. Corde's Cords App is also pre-assigned with members and pre-populated with allowed behaviors.

Examine Security Scope

In this section, we will explore a security scope named Corde's Cords App which has been created during the preparation workflow. Corde's Cords App is also pre-assigned with members and pre-populated with allowed behaviors. We will now examine Corde's Cords App.

Review Security Scope

1. Click on Corde's Cords App

A security scope defines the relevant configuration elements to protect an application and its constituent workloads. These configuration elements are like a blueprint or a birth certificate for the application. It contains a description, member workloads, rules, and behaviors. Security scopes are a grouping of data center assets (VMs, Containers, and so on) that make up an application or a regulatory scope.

Review Application Topology

You may need to move around the Topology Canvas to see the Web, App and DB Tiers' services.

1. Click on Application Topology
2. Click on circle to view Web Tier's services
3. Click on circle to view App Tier's services
4. Click on circle to view DB Tier's services

NOTE: Due to the screen resolution of the lab, you may need to move around the topology to see all the services.

IMPORTANT: The Legend explains the graphics used in the topology map.

The Topology tab displays a large amount of complex application behavior data in an interactive graphic. The visualization illustrates application behavior, showing the relationships of the services within the application and the relationships of the connected components (VMs, private addresses, public addresses, and so on) to each other. Remote nodes and connectivity information are also displayed graphically so that users can focus on the application servers that are causal or may have the greatest impact. The tab represents the rules graphically, using symbols to show how services relate to each other based on the allowed behaviors and connection rules set for each service. The data displayed on the tab is read-only; any change made on the Services tab is reflected on the Topology tab.

Review Services

1. Click on Services
2. Click on App Tier

AppDefense creates a list of allowed behaviors (e.g. ports, processes, etc.) to build a "blueprint" or "whitelist" of the intended state of the application. AppDefense can create this blueprint with assistance from provisioning interfaces such as vRealize Automation, vRealize Orchestrator, Puppet, or similar engines.

However, when the application is already deployed, AppDefense can also "learn" these behaviors. After a Security Scope is created and applied to an application, it defaults to "Learning Mode". During this time, all relevant activity is recorded as the application is functioning.

Once reviewed, this master list of intended activity can be validated and/or modified by a security operations team or application owner. After the final intended state is determined, the security scope is placed into "protected mode".

Once the scope is moved into this mode, AppDefense will use the allowed behavior list to enforce the correct security context and posture for the workload against any deviation from that list.

IMPORTANT: Do not click on VERIFY AND PROTECT. Normally, the learning period for a workload or application is a recommended 7-14 days. Since we do not have that timeframe from within the HOL lab environment, we have automated most of the "allowed processes" into the creation of the service.

Review Behaviors

1. Scroll down and search for service named CompatTelRunner.exe
2. Click on CompatTelRunner.exe

CompatTelRunner.exe CLI

1. Click on CLI drop-down

Upon creation, scopes are placed into Discovery Mode. In this mode, when AppDefense recognizes a virtual machine exhibiting a new behavior, it adds it to the allowed behavior list for the associated service. Normally, the learning period for a workload or application is 7–14 days, although it can vary depending on the workload. Learned behaviors include process executions, command-line arguments, network connections, and more. This information is organized into a process-specific card view in the Services tab.

The following types of information are displayed:

Path: Path is the location where the process was launched from within the OS file structure.

Hash: Hash value on the process. This is an extra protection, in case a rogue process using a trusted name is launched.

Behavior analysis: Behavior analysis can be Unknown, Anomalous, or Verified. Analysis for behaviors is displayed for all scopes irrespective of mode.

Reputation: Process reputation can be Good, Bad, or Unknown.

Trust Score and Threat Score: The Trust Score and Threat Score values are provided by a back-end integration with a third-party reputation service for Windows-based services. This integration provides insight into behaviors that are learned which the security team might not know. For Linux-based systems, these scores are derived by integration from various package deployment sites.

Package: Metadata might be populated based on integration with orchestration platforms such as Puppet.

Outbound and Inbound Connections: These sections provide information on what ports and addresses are being listened to and communicated across.

Sometimes for a scope, you can see UnknownProcess and UnknownCLI for the following reasons:

• Short-lived connections in which the process is closed while the network alarm processing is being done and the alarm is being sent. The probability is greater with UDP connections on Linux.

• Kernel modules making connections for which process information is not available.

Review Members

1. Click on Members

A member is a virtual machine (VM) within a service. Members or VMs in a service must have an identical operating system (meaning that within a service, all the VMs must be homogeneous – either all Microsoft or all Linux). In this lab, there are two app VMs in the App Tier service.

Learn New Behavior in Discovery Mode

In this section, we will examine the Discovery Mode of AppDefense.

Upon creation, scopes are placed into Discovery Mode. In this mode, when AppDefense recognizes a virtual machine exhibiting a new behavior, it adds it to the allowed behavior list for the associated service. Normally, the learning period for a workload or application is 7–14 days, although it can vary depending on the workload. Learned behaviors include process executions, command-line arguments, network connections, and more. This information is organized into a process-specific card view in the Services tab.

Access Web-VM

1. Click on Putty icon on taskbar

Access Putty

1. Select Web-01
2. Click on Load
3. Click on Open

Review Python Versions on Web-VM

1. Type the following command to see the version of python

/usr/bin/python --version

2. Type the following command to see the version of python3

/usr/bin/python3 --version

You will notice that Python 2.7.5 and Python 3.5.1 are installed on Web-VM.

Review Web Tier Services on AppDefense

1. Return to AppDefense Manager
2. Click on Web Tier
3. Click on Behavior

Examine all Python Behaviors in Web-Tier

1. Search for python in the search bar to identify all python behaviors

You will notice that there is only python2.7 behavior but no python3 behavior in Web Tier. This is because python3 was newly installed and has not been used before.

Attempt Outbound Connection for Python 3 in Web-VM

1. Return to the desktop and double-click on Outbound for Python on WEB-Tier

Review Outbound Connection Attempt

The Putty session will run a script in Web-VM. The script runs for about a minute and does the following:

• Python3 in Web-VM attempted an outbound connection to python.org
• Outbound connection timed out as this is an unauthorized action

IMPORTANT: Do not close the Putty Session until prompted to "Press Enter to close this putty session".

Identify Python 3 Behavior in Web-Tier

1. Click on Refresh icon
2. Scroll down and click on python3

Python 3

1. Expand CLI to see the outbound connection attempt

python3 in Web-VM has attempted an outbound connection to python.org. Since the security scope is still in Discovery Mode, AppDefense recognizes this new behavior (python3) and adds it to the allowed behavior list for Web-Tier.

Move Security Scope to Protected Mode

In this section, we will move the security scope to Protected Mode. After that, we will review and edit the rules associated with the scope.

Move Scope to Protected Mode

1. Click on VERIFY AND PROTECT

Once the allowed behaviors learning is satisfactory, you can move the scope and all services within the scope to Protected Mode by clicking on "VERIFY AND PROTECT". Protected Mode marks the golden image of the application state and begins locking down the behavior. After moving to Protected Mode, rules are applied. You can view the applied rules under the Rules tab, and any violation generates an alarm.

Verify and Protect Scope

1. Click on VERIFY AND PROTECT

Review Rules

1. Click App Tier
2. You will notice that there is a "Rules" tab after the scope has been moved to Protected Mode. After the security scope is in Protected Mode, you can still review and edit services associated with the scope.

There are five vectors that are used to alert and remediate. By default, the only action for the Remediation rules is set to Alert and the enforcement is automatic. You can edit the rule settings based on the action that you want AppDefense to take.

Enforce Process Monitoring: How do you want AppDefense to monitor a process execution?

Enforce Outbound Connections: If AppDefense sees a new outbound connection from an allowed process, what do you want it to do?

Enforce Inbound Connections: If AppDefense sees a new inbound connection to an allowed process, what do you want it to do?

Enforce Guest OS Integrity: Windows-only. If AppDefense detects that the integrity of your operating system (OS) has been compromised, what would you like it to do?

Enforce AppDefense Module Integrity: Windows-only. If AppDefense detects that the integrity of the AppDefense Module has been compromised (potentially turned off), what would you like it to do?

You cannot set an automatic remediation action for the Guest module down alert. Remediation for this alert can only be taken manually.
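The Discovery Mode learning described in "Learn New Behavior in Discovery Mode" and the Protected Mode rules above, modelled as an added Python example (not VMware's code or API): behaviors are learned while the service is in Discovery Mode, and after VERIFY AND PROTECT a deviation, such as python3 reaching a new destination or a binary with a trusted path but a different hash, produces an alert tagged with the action and enforcement of the violated vector. Class, field and function names, hashes and hostnames are assumptions constructed for the example; the Guest OS and module integrity vectors are not modelled.

```python
"""Toy model of the allowed-behavior list this lab walks through (added
example, not VMware's code).  A Service starts in Discovery Mode and learns
every observed behavior; after verify_and_protect() (VERIFY AND PROTECT) a
behavior missing from the list produces an Alert carrying the rule for the
violated vector.  Only the process and connection vectors are modelled; all
hashes, hostnames and event fields are constructed for the example.
"""
from dataclasses import dataclass
from typing import Optional

# Vector names as they appear on the Rules tab in the lab.
PROCESS = "Enforce Process Monitoring"
OUTBOUND = "Enforce Outbound Connections"
INBOUND = "Enforce Inbound Connections"


@dataclass(frozen=True)
class Event:
    """One observation reported for a VM (hypothetical shape, not VMware's)."""
    vm: str
    path: str        # where the process was launched from
    sha256: str      # hash of the process image
    cli: str         # command line
    direction: str   # "exec", "outbound" or "inbound"
    dest: str = ""   # remote address for connections
    port: int = 0


@dataclass(frozen=True)
class Alert:
    vm: str
    vector: str
    action: str       # "Alert", "Quarantine", ...
    enforcement: str  # "Automatic" or "Manual"
    detail: str


class Service:
    def __init__(self, name):
        self.name = name
        self.mode = "Discovery"
        # Default rule for every vector: Alert, enforced automatically.
        self.rules = {v: ("Alert", "Automatic") for v in (PROCESS, OUTBOUND, INBOUND)}
        # Processes are keyed by (path, sha256): a rogue binary that reuses a
        # trusted path but carries a different hash never matches.
        self.processes = set()
        # Connections are keyed by (path, sha256, direction, dest, port).
        self.connections = set()

    def verify_and_protect(self):
        self.mode = "Protected"

    def set_rule(self, vector, action, enforcement):
        self.rules[vector] = (action, enforcement)

    def _learn(self, ev):
        self.processes.add((ev.path, ev.sha256))
        if ev.direction != "exec":
            self.connections.add((ev.path, ev.sha256, ev.direction, ev.dest, ev.port))

    def observe(self, ev) -> Optional[Alert]:
        """Discovery: learn and return None.  Protected: None if allowed, else Alert."""
        if self.mode == "Discovery":
            self._learn(ev)
            return None
        if (ev.path, ev.sha256) not in self.processes:
            vector = PROCESS
            detail = f"unknown process {ev.path} ({ev.sha256[:12]}...)"
        elif ev.direction == "exec":
            return None
        elif (ev.path, ev.sha256, ev.direction, ev.dest, ev.port) in self.connections:
            return None
        else:
            vector = OUTBOUND if ev.direction == "outbound" else INBOUND
            detail = f"new {ev.direction} connection {ev.dest}:{ev.port} by '{ev.cli}'"
        action, enforcement = self.rules[vector]
        return Alert(ev.vm, vector, action, enforcement, detail)


PY3_HASH = "a1" * 32    # constructed stand-in for a real image hash
ROGUE_HASH = "b2" * 32  # constructed hash of a binary reusing a trusted path


def run_web_tier_scenario():
    """Replays the lab: python3 is learned in Discovery, then deviations alert."""
    web = Service("Web Tier")
    learned = Event("web-01", "/usr/bin/python3", PY3_HASH,
                    "python3 outbound.py", "outbound", "python.org", 443)
    assert web.observe(learned) is None  # Discovery Mode: learned, no alert
    web.verify_and_protect()
    events = [
        learned,                          # on the list: still allowed
        Event("web-01", "/usr/bin/python3", PY3_HASH, "python3 outbound.py",
              "outbound", "example.com", 80),        # new destination
        Event("web-01", "/usr/bin/python3", ROGUE_HASH, "python3 outbound.py",
              "outbound", "python.org", 443),        # trusted name, wrong hash
    ]
    return [a for a in map(web.observe, events) if a is not None]
```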

Change Rule Behavior

1. Click on DB Tier
2. Click on Rules
3. Click on Edit

Review Rules of DB Tier

1. Click on Rules
2. Under Enforce Guest OS Integrity
   ◦ Select Quarantine from drop-down list
   ◦ Select Manually from drop-down list
3. Click on UPDATE

This will change the default behavior for Guest OS integrity issues to provide a Manual Quarantine option for the VM using an NSX policy. The other remediation actions (e.g. Suspend, Power Off, & Snapshot) are done directly at the vSphere/vCenter level.

Review Guest OS Integrity

You will notice that the remediation action in case of violation is to Quarantine the VM. To use the Quarantine action, AppDefense must be integrated with VMware NSX. In the next section, we will examine the NSX Security Group and Policy that are used for AppDefense.

Examine AppDefense Integration with NSX

In this section, we will explore the integration between AppDefense and NSX. We will review the NSX Security Group and Policy that are used for AppDefense.

Open vSphere Web Client

1. Open new browser tab
2. Click on vSphere - vCenter

Login to vSphere Web Client

1. Enter [email protected] as the user name

2. Enter VMware1! as the password
3. Click on Login

Access Networking and Security (NSX)

1. Click on Menu
2. Click on Networking and Security

Review NSX Security Tag

1. Click on Groups and Tags
2. Click on Security Tags
3. Search for "appdefense"

The AppDefense.AnomalyFound (Security Tag) was automatically created when the AppDefense Appliance was integrated with NSX Manager during installation.

Review Security Group and Policy

1. Click on Service Composer
2. Click on Security Groups
3. Click on AppDefense Quarantine Group

The AppDefense Quarantine Group was automatically created when the AppDefense Appliance was integrated with NSX Manager during installation. There is currently no VM being quarantined because there is no violation on Guest OS Integrity.

Review AppDefense Quarantine Policy

1. Click on Security Policies
2. Click on AppDefense Quarantine Policy

The AppDefense Quarantine Policy was automatically created when the AppDefense Appliance was integrated with NSX Manager during installation.

View Firewall Rules

1. Click on Firewall Rules

When there is a violation of Guest OS Integrity, these firewall rules will be applied to the quarantined VM.

Attack the Application and Validate Automated Response

Now that you have defined the intended state of your application, you will use the tools provided to attack the application and observe the results.

Brief Workflow

At this point, you have reviewed the installation of AppDefense and its integration with NSX and vCenter. You have created a security scope and added the web and db services to it.

In addition, we have modified the Guest OS Integrity rule of the DB service so that it requires a manual interaction prior to being quarantined by an NSX policy that was automatically built by AppDefense.

In this section, we will generate an outbound network connection attempt which will generate an alarm against our security scope. Then we will use scripts to simulate attacks on the kernel and host-level AppDefense modules. Once the attacks are executed, we will validate the alarms in AppDefense Manager and perform a Quarantine of the VM. Finally, we will test to ensure the DB VM is isolated.

Access DB-VM

1. Return to the desktop and double-click on DB-Tier.rdp

DB-Tier.rdp will provide remote desktop access to DB-VM of the application.

Open TCP Connection on DB-VM

1. Double-click on Open TCP Connection.cmd on the desktop of DB-VM

Open TCP Connection.cmd will run a script to simulate an outbound connection.

Run Script for TCP Connection

1. Click on Run

Run Script Once for TCP Connection

1. Enter R to run the script

The script executed the following command in an attempt to simulate an outbound connection:

powershell -File Open-TCP-Connection.ps1 -dest www.google.com -port 443

The attempt times out, so the command prompt shows "Timeout!". The connection never completes, but the attempt itself is an outbound connection that is not part of DB-VM's intended state, and that attempt is what AppDefense records. We will return to AppDefense Manager to review the events captured for this attempt.

Minimize RDP to DB-VM

1. Click on Minimize icon to return to Main Console

Access Alerts on AppDefense Manager

1. Access AppDefense Manager
   ◦ Login to AppDefense Manager again if you are logged out
2. Click on Alerts
3. Review the alerts generated in the right pane
4. If you don't see any alerts under the uncleared alerts pane, click the refresh icon. It may take a while for the alerts to appear.

Clear the alerts

Although the unauthorized outbound connection is benign, it is not a permitted behavior for DB-VM, so we will not allow the behavior, i.e. add it to the intended state in AppDefense Manager. Clearing the alert without allowing the behavior means we will be alerted again if anyone attempts an unauthorized outbound connection from DB-VM.

Next, we will clear the unauthorized outbound connection alerts triggered by the previous steps.

1. Check the newly triggered alerts
2. Click on the Actions menu and select Clear the alerts

Clear Alerts

1. Click on CLEAR
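
The difference between clearing and allowing an alert is the core of the intended-state model, so here is an added example (my code, not AppDefense code and not part of this lab) that evaluates constructed DB-VM connection events against a constructed intended state. The log line format, the process and host names (sqlservr.exe, web-01) and the allowed-connection list are assumptions for illustration. It shows that clearing an alert leaves the intended state untouched, so the same behavior alerts again, while allowing it adds the behavior to the intended state and silences the repeat.

```python
"""Intended-state evaluation of connection events for the DB tier.
Added example, not AppDefense code. The log format, process and host names
and the allowed-connection list are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Connection:
    process: str      # image that owns the socket, e.g. powershell.exe
    dest: str         # peer host or IP
    port: int
    direction: str    # "outbound" or "inbound"


@dataclass
class IntendedState:
    """Allowed behaviours for one service; here the DB tier of the app."""
    allowed: set = field(default_factory=set)   # set of Connection

    def permits(self, conn):
        return conn in self.allowed


@dataclass
class Alert:
    alert_id: int
    conn: Connection
    cleared: bool = False


class Scope:
    """A security scope: evaluates observed behaviour against the intended state."""

    def __init__(self, state):
        self.state = state
        self.alerts = []
        self._next_id = 1

    def observe(self, conn):
        """Return the Alert raised for a deviation, or None if the behaviour is intended."""
        if self.state.permits(conn):
            return None
        alert = Alert(self._next_id, conn)
        self._next_id += 1
        self.alerts.append(alert)
        return alert

    def clear(self, alert):
        """Acknowledge the alert; the intended state is unchanged."""
        alert.cleared = True

    def allow(self, alert):
        """Promote the observed behaviour into the intended state, then clear."""
        self.state.allowed.add(alert.conn)
        alert.cleared = True

    def uncleared(self):
        return [a for a in self.alerts if not a.cleared]


def parse_event(line):
    """Parse one constructed key=value log line into a Connection."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Connection(kv["process"], kv["dest"], int(kv["port"]), kv["direction"])


# Constructed intended state for DB-VM: SQL from the web tier in, nothing out.
DB_STATE = IntendedState({Connection("sqlservr.exe", "web-01", 1433, "inbound")})

# Constructed events; the first and last mirror the lab's Open-TCP-Connection.ps1 run.
SAMPLE_EVENTS = [
    "process=powershell.exe dest=www.google.com port=443 direction=outbound",
    "process=sqlservr.exe dest=web-01 port=1433 direction=inbound",
    "process=powershell.exe dest=www.google.com port=443 direction=outbound",
]


def run_scenario(action):
    """Replay SAMPLE_EVENTS, applying `action` ('clear' or 'allow') to the first alert.
    Returns (alerts raised in total, alerts still uncleared at the end)."""
    scope = Scope(IntendedState(set(DB_STATE.allowed)))   # fresh copy per run
    raised, first = 0, None
    for line in SAMPLE_EVENTS:
        alert = scope.observe(parse_event(line))
        if alert is None:
            continue
        raised += 1
        if first is None:
            first = alert
            (scope.clear if action == "clear" else scope.allow)(alert)
    return raised, len(scope.uncleared())


if __name__ == "__main__":
    print("clear:", run_scenario("clear"))   # the repeat attempt alerts again
    print("allow:", run_scenario("allow"))   # the repeat attempt is now intended
```

Run it as a script: with "clear" the second powershell.exe attempt raises a second alert, with "allow" it does not. That is exactly why the lab clears rather than allows here: the behavior is not something the DB tier should ever do, so it must keep producing alerts.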

Access DB-VM

1. Click on existing DB-Tier.rdp connection

Return to the DB-VM.

Perform OS Integrity Attack on DB-VM

1. Double-click on OS Integrity Attack.cmd on the desktop of DB-VM
2. GIRogue: OS Integrity Attack.cmd will execute scripts to do the following:
   ◦ Install GIRogue on DB-VM
   ◦ Run the GIRogue service on DB-VM
   ◦ Attack the OS Integrity of DB-VM

GIRogue is a process that can be used to simulate different attacks at both the Guest and Host level. The details and specifics of this tool are beyond the scope of this lab.

Run Script for OS Integrity Attack

1. Click on Run

Review Script Output

Two Command Prompt windows will appear. You may need to expand the Command Prompt windows to see the outputs of the scripts.

OS Integrity Attack.cmd executed scripts to do the following:

1. GIRogue is installed successfully
2. GIRogue service is running
3. OS Integrity of DB-VM is attacked and compromised successfully

View Alerts on AppDefense Manager

1. Click on Minimize icon to return to Main Console

Review Alerts

1. Click on AppDefense Manager
2. Click on Alerts

Select Alert

1. Click on Refresh icon if there is no alert - it may take a while for the alert to appear

2. Click on newly triggered alert

Select Alert Details

1. Click on Alert ID

Note that your Alert ID may be different.

Review Alert

You will be able to see the details of the Alert on this page.

Quarantine DB-VM from AppDefense Manager

1. Click on ACTIONS
2. Click on Quarantine

Confirm Quarantine of DB-VM

1. Click on QUARANTINE

Review Alerts

You will notice that the remediation status is shown as "Queued: AppDefense-Quarantine". It may take a while for the remediation to be completed.

1. Click on Alerts

Review Quarantined DB-VM on NSX Manager

1. Click on Refresh icon if the remediation status is still shown as "Queued: AppDefense-Quarantine" - it may take a while for the event to appear

Once the Last Remediation Action is shown as "Action taken: AppDefense-Quarantine", we can proceed to the next step.

Review Service Composer

1. Click on vSphere Web Client tab
2. Click on Service Composer
3. Click Security Groups
4. Click on AppDefense Quarantine Group

You will notice that db-01 is being quarantined.

Access Web Portal

1. Open new browser tab
2. Click on Home

Website Encountered An Error

You will notice that the website encounters an error and cannot be loaded. This is because DB-VM is quarantined: the firewall rules of the AppDefense Quarantine Policy now apply to db-01, so the web tier can no longer reach the database.

Remove Quarantine of DB-VM

1. Return to vSphere Web Client - Networking and Security
2. Click on Groups and Tags
3. Click on Security Tags
4. Search for "appdefense"
5. Check AppDefense.AnomalyFound
6. Click on DETACH VM

Detach Security Tag from DB-VM

1. Select db-01
2. Click on Right-Arrow icon
3. Click on OK

Verify No VM in Security Tag

You will notice VM Count is 0. This means db-01 no longer carries the AppDefense.AnomalyFound tag, so it drops out of the AppDefense Quarantine Group and the quarantine firewall rules no longer apply to it. Outside the lab, detach the tag only after the VM has actually been remediated; here the simulated attack tooling (GIRogue) is still installed and running on DB-VM. Let's try and access the Web Portal now.
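
For an operator who wants to script this check and release rather than click through the vSphere Web Client, here is an added example (my code, not VMware's and not part of the lab) that looks up the AppDefense.AnomalyFound tag, reads its VM count, lists the VMs it is attached to and detaches it from db-01 through the NSX-v REST API. The endpoint paths are the NSX-v 6.x security-tag API as I recall it and should be verified against the NSX API guide for your version; the NSX Manager hostname, the credentials and the XML responses used for the offline check are constructed.

```python
"""Check and clear AppDefense quarantine membership through the NSX-v REST API.
Added example, not code from the lab or from VMware. The endpoint paths are the
NSX-v 6.x security-tag API as recalled (verify against the NSX API guide);
hostname, credentials and sample XML are constructed."""
import base64
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "nsxmgr-01a.corp.local"              # assumed hostname
QUARANTINE_TAG = "AppDefense.AnomalyFound"         # tag name shown in the lab
TAGS_PATH = "/api/2.0/services/securitytags/tag"   # assumed endpoint


def nsx_call(method, path, user, password):
    """One authenticated NSX Manager call; returns the response body as text."""
    req = urllib.request.Request(f"https://{NSX_MANAGER}{path}", method=method)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/xml")
    # Assumes the NSX Manager certificate chains to a CA the client trusts;
    # do not disable verification to work around a self-signed certificate.
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def find_tag(tags_xml, name=QUARANTINE_TAG):
    """Return (objectId, vmCount) for the named security tag, or None if absent."""
    for tag in ET.fromstring(tags_xml).iter("securityTag"):
        if tag.findtext("name") == name:
            return tag.findtext("objectId"), int(tag.findtext("vmCount") or 0)
    return None


def tagged_vms(vms_xml):
    """Map VM name -> VM objectId from the tag's attached-VM listing."""
    return {vm.findtext("name"): vm.findtext("objectId")
            for vm in ET.fromstring(vms_xml).iter("basicinfo")}


def tag_vms_path(tag_id):
    """Path that lists the VMs a tag is attached to (assumed endpoint)."""
    return f"{TAGS_PATH}/{tag_id}/vm"


def detach_path(tag_id, vm_id):
    """Path used with DELETE to detach the tag from one VM (assumed endpoint)."""
    return f"{TAGS_PATH}/{tag_id}/vm/{vm_id}"


def quarantine_count(user, password):
    """VM Count of the quarantine tag, the value the lab checks in the UI."""
    tag = find_tag(nsx_call("GET", TAGS_PATH, user, password))
    return tag[1] if tag else 0


def release_from_quarantine(vm_name, user, password):
    """Detach the quarantine tag from vm_name. Returns True if it was attached.
    Run this only after the VM has actually been remediated."""
    tag = find_tag(nsx_call("GET", TAGS_PATH, user, password))
    if tag is None:
        raise RuntimeError(f"security tag {QUARANTINE_TAG} not found")
    tag_id, _ = tag
    vms = tagged_vms(nsx_call("GET", tag_vms_path(tag_id), user, password))
    if vm_name not in vms:
        return False
    nsx_call("DELETE", detach_path(tag_id, vms[vm_name]), user, password)
    return True


# Constructed responses shaped like the NSX-v tag and attached-VM listings.
SAMPLE_TAGS_XML = """<securityTags>
  <securityTag><objectId>securitytag-12</objectId><name>AppDefense.AnomalyFound</name><vmCount>1</vmCount></securityTag>
  <securityTag><objectId>securitytag-13</objectId><name>Example.OtherTag</name><vmCount>0</vmCount></securityTag>
</securityTags>"""
SAMPLE_VMS_XML = """<basicinfolist>
  <basicinfo><objectId>vm-204</objectId><name>db-01</name></basicinfo>
</basicinfolist>"""

if __name__ == "__main__":
    tag_id, count = find_tag(SAMPLE_TAGS_XML)
    attached = tagged_vms(SAMPLE_VMS_XML)
    print(tag_id, "vmCount =", count, "attached:", attached)
    print("DELETE", detach_path(tag_id, attached["db-01"]))
```

Against a live NSX Manager, `quarantine_count(user, password)` should return 1 while db-01 is quarantined and 0 after `release_from_quarantine("db-01", user, password)`; the sample XML lets you exercise the parsing and path construction without any NSX Manager at hand.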

Return to Web Portal

1. Click on 192.168.110.175 browser tab
2. Click on Refresh icon

Refresh Web Portal

With the DB-VM removed from quarantine, the website loads properly as seen in the screenshot above.

Upgrade Application Component

In this section, we will examine how upgrades of application components are identified and processed with the AppDefense platform.

Access Web-Tier Services in AppDefense

1. Click on AppDefense Manager browser tab
2. Click Scopes
3. Click on Corde's Cords App

1. Click Services
2. Click on Web Tier
3. Search for python3
4. Click on python3

Review Python3 Behavior

Take note of the hash values of MD5 and SHA256. These hash values will change after we perform the upgrade of Python3.

Install Latest Python3 on Web-VM

1. Return to the desktop and double-click on Install Python on WEB-Tier

Python Upgrade

You will notice that Python3 version 3.5.1 is currently installed on Web-VM. This script will upgrade Python3 from version 3.5.1 to 3.6.8 in Web-VM.

Attempt Outbound Connection for Python 3 in Web-VM

1. Return to the desktop and double-click on Outbound for Python on WEB-Tier

Outbound Connection Initiation

The Putty session will run a script in Web-VM. The script runs for about a minute and does the following:

• Python3 in Web-VM attempts an outbound connection to python.org
• Outbound connection times out (as the Web-VM has no internet connectivity)

IMPORTANT: Do not close the Putty session until prompted to "Press Enter to close this putty session".

View Events on AppDefense Manager

1. Click on AppDefense Manager
2. Click on Events
3. Click Upgrade

Refresh UI

1. Click on Refresh icon if there is no upgrade event - it may take a while for the event to appear

When the upgrade event appears, you will see that AppDefense has captured the Python3 upgrade from version 3.5.1 to 3.6.8 in Web-VM.

Review Python3 Behavior

1. Click on Scopes
2. Click on Corde's Cords App

1. Click Services
2. Click on Web Tier
3. Search for python3
4. Click on python3

Verify Hash Value

You will notice the hash values of MD5 and SHA256 have changed. This is because the version of Python3 has changed from version 3.5.1 to 3.6.8. The hash values are based on the current version (3.6.8) of Python3 installed on Web-VM.

Verify Old Version of Python3

1. Click on drop-down list to choose the different Python3 versions

2. Click on older date and time if you wish to see details of the previous version of Python3

You will be able to see the hash values based on the older version (3.5.1) of Python3.
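
To make concrete what the hash values and the version drop-down represent, here is an added example (my code, not AppDefense code) that keeps a per-path baseline of MD5 and SHA-256 hashes with version history, distinguishes an upgrade (a hash never seen for that path) from a rollback to a previously recorded version, and returns the hashes of an older version on request. The byte strings standing in for the 3.5.1 and 3.6.8 binaries, the path and the timestamps are constructed; `fingerprint_file` hashes a real executable if you point it at one. Treat SHA-256 as the value of record: MD5 collisions are practical, and it is included only because the AppDefense UI displays it.

```python
"""Per-path binary hash baseline with version history, modelled on the lab's
python3 upgrade check. Added example, not AppDefense code; the byte strings
standing in for the 3.5.1 and 3.6.8 binaries and the timestamps are constructed."""
import hashlib
from datetime import datetime, timezone


def fingerprint(data):
    """MD5 and SHA-256 of a binary image. MD5 mirrors what the UI shows;
    SHA-256 is the value actually compared, since MD5 collisions are practical."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def fingerprint_file(path):
    """Hash a real executable on disk in chunks (same output shape as fingerprint)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            md5.update(chunk)
            sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


class Baseline:
    """Intended-state record for one executable path, keeping every version seen."""

    def __init__(self, path):
        self.path = path
        self.history = []   # (timestamp, version label, fingerprint), oldest first

    def record(self, version, data, when):
        self.history.append((when, version, fingerprint(data)))

    def current(self):
        return self.history[-1]

    def check(self, data):
        """Classify a freshly hashed binary against the baseline:
        'match'       - same SHA-256 as the current version
        'upgrade'     - a hash never recorded for this path (the lab's upgrade event)
        'known-older' - matches a previous version: a rollback, worth a look"""
        sha = fingerprint(data)["sha256"]
        if sha == self.current()[2]["sha256"]:
            return "match"
        if any(fp["sha256"] == sha for _, _, fp in self.history[:-1]):
            return "known-older"
        return "upgrade"

    def at(self, version):
        """Timestamp and hashes recorded for a given version (the UI's drop-down)."""
        for when, ver, fp in self.history:
            if ver == version:
                return when, fp
        raise KeyError(version)


# Constructed stand-ins for /usr/bin/python3 before and after the upgrade.
PY351 = b"ELF python 3.5.1 (constructed)"
PY368 = b"ELF python 3.6.8 (constructed)"


def walk_through():
    """Replay the lab: baseline 3.5.1, observe the 3.6.8 binary, record it, then
    confirm the old hashes are still retrievable and a rollback is flagged.
    Returns (first_verdict, verdict_after_record, old_hash_preserved, rollback_verdict)."""
    b = Baseline("/usr/bin/python3")
    b.record("3.5.1", PY351, datetime(2020, 3, 26, tzinfo=timezone.utc))
    first = b.check(PY368)
    b.record("3.6.8", PY368, datetime(2020, 3, 27, tzinfo=timezone.utc))
    after = b.check(PY368)
    _, old = b.at("3.5.1")
    preserved = old["sha256"] == fingerprint(PY351)["sha256"] and old != b.current()[2]
    return first, after, preserved, b.check(PY351)


if __name__ == "__main__":
    print(walk_through())
```

The point of keeping the full history rather than only the latest hash is the last verdict: after the upgrade, a python3 binary whose hash matches the 3.5.1 record is not "new", it is a rollback to a version the baseline has already seen, and that deserves a different response from a genuinely unknown binary.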

Conclusion

In this module, you went through the basic workflow of creating/deleting security scopes, service definitions and remediation policies. You then simulated an attack on a test application and observed VMware AppDefense quarantine the virtual machine using VMware NSX security policies. Finally, you upgraded an application component to see how AppDefense deals with upgrade scenarios in an intended state model.

If you would like more information on VMware's AppDefense, please check out our products page at: www.vmware.com/appdefense

You can proceed to any module in the lab below.

(15 minutes) - Basic - This module will walk you through the structure of the platform.

(45 minutes) - Basic - This module will walk you through the creation of a security scope. Secondly, you will monitor the application after various attacks have been made. Finally, you will perform remediation, quarantine, and upgrade actions.

If you want to download the manual for this or any other Hands on Lab, please visit http://docs.hol.vmware.com

How to End your Lab

1. To end your lab, Click the END

Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-2042-01-NET

Version: 20200326-221045
