
Active Response

Active Response is an analyst-led forensic tool designed to delve deeper into threats, granting direct access to endpoints. This empowers analysts to thoroughly investigate and respond effectively, providing crucial insights, confirming threats, and enabling manual remediation actions to neutralise threats and mitigate their impact.

Capabilities include retrieving suspicious files for in-depth analysis, deploying remediation scripts and files, terminating processes, isolating networks, and running cross-platform investigation scripts through a Python interpreter embedded in the endpoint agent.

Active Response is available on Windows and Linux endpoints.

Comprehensive audit trails of all activity are recorded.

Benefits

Active Response accelerates incident resolution, minimising damage and downtime by enabling a rapid response to threats, thus reducing the impact of a breach.

It helps reduce false positive volumes, enabling forensic-level investigations by providing security teams with direct, audited access to systems requiring investigation. This access can be extended to allow your 24/7 MDR provider to take action on your behalf.

How it works

Connectivity

Endpoints with the Universal Sensor installed and with Active Response enabled create a mutual TLS connection over a WebSocket to the analysis platform. No direct connection is made from Active Response users to the Active Response endpoints; all connections go via the SenseOn analysis platform. This means that no new firewall rules are required, as Active Response uses the same connectivity as the analysis platform.

Permissions

To use Active Response a user must have the Active Response role and the endpoint must be in a segment with Active Response enabled.

User permissions

Users can be assigned the Active Response role on the Team management page at Settings -> Team. Press the 'three vertical dots' to expand the menu; the permission can then be granted or removed by a platform administrator.

Active Response User Settings

⚠ Enforced MFA: Users who have the Active Response role will have MFA enforced. This overrides the analysis platform setting, even if it has been changed to disable MFA.

Segment settings

Active Response must be enabled on a segment to enable users with the Active Response role to access the system. Segments can be created or modified at Settings -> Device Segments and the feature can be enabled under the segment configuration at Settings -> Device Configuration.

Active Response Segment Settings

Audit logging

A full audit log of Active Response activity which is attributable to a specific user is available and includes:

  • Authentication attempts against the service itself.
  • The start and stop of any active response session.
  • Execution of scripts including the full script payload.
  • Files uploaded and downloaded.

The Active Response Audit Log is only available to users with the Active Response role and the log can be viewed at Digital Estate -> Session History.

Active Response Audit Log

Quick Actions

A number of quick actions are available by selecting the hosts from the Active Response page and pressing the Actions button.

Active Response Quick Actions

Host isolation

Windows hosts can have outbound network traffic blocked using an Active Response action. This prevents all outbound traffic (except to the SenseOn analysis platform) but still allows inbound traffic to allow for investigation and for tools such as Remote Desktop to connect to the system. Isolated hosts can be unisolated using an Active Response action.

Hosts which are offline will have the Active Response action queued until they are online, at which point the action will be performed.

Active Response Isolation Pending

💡 Isolating non-Windows devices: Non-Windows systems can be isolated using Active Response, but not via a Quick Action; this should be done in Python by making changes to the host-based firewall.

Python Scripts

A Python interpreter embedded in the endpoint agent allows cross-platform remediation and investigation scripts to be run. A Python module is provided within the virtual environment deployed to the hosts which gives access to additional functionality, including:

  • File upload / download
  • Device isolation
  • Additional modules in development

💡 Script permissions: Scripts executed using Active Response run at the same privilege level as the endpoint sensor which is at a root or system level.
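As an added illustration of the non-Windows isolation approach described above (this is not one of SenseOn's example scripts and does not use the provided module, whose API this page does not document), the following Python builds Linux iptables rules that block new outbound connections except to the analysis platform while leaving inbound connections and their replies working, mirroring the Windows isolation behaviour. It assumes the script runs as root under the sensor and that the platform address is known; the address below is a constructed placeholder.

```python
import ipaddress
import subprocess

# Constructed placeholder: replace with the analysis platform address(es) the sensor
# connects to. IP addresses are required because DNS lookups will be blocked once isolated.
PLATFORM_ADDRS = ["203.0.113.10"]


def build_isolation_rules(platform_addrs):
    """Return iptables commands (argv lists) that drop all new outbound traffic except to
    the analysis platform. Inbound sessions keep working because their reply packets
    match the ESTABLISHED,RELATED rule, which is deliberately installed first."""
    for addr in platform_addrs:
        ipaddress.ip_address(addr)  # fail early on a bad address instead of installing a broken rule
    rules = [
        ["iptables", "-A", "OUTPUT", "-m", "conntrack", "--ctstate",
         "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
    ]
    for addr in platform_addrs:
        # New connections to the platform stay allowed so the sensor can reconnect.
        rules.append(["iptables", "-A", "OUTPUT", "-d", addr, "-j", "ACCEPT"])
    rules.append(["iptables", "-A", "OUTPUT", "-j", "DROP"])
    return rules


def build_unisolation_rules(platform_addrs):
    """Inverse operation: delete exactly the rules added above, in reverse order,
    so the host is returned to its previous firewall state."""
    return [["iptables", "-D"] + rule[2:]
            for rule in reversed(build_isolation_rules(platform_addrs))]


def apply_rules(rules, dry_run=True):
    """Render the commands as strings and, unless dry_run is set, execute them in order.
    Any failure aborts so a half-applied rule set is not silently left in place."""
    rendered = [" ".join(rule) for rule in rules]
    if not dry_run:
        for rule in rules:
            subprocess.run(rule, check=True)
    return rendered


if __name__ == "__main__":
    # Dry run by default: print what would be applied so the analyst can review it first.
    for line in apply_rules(build_isolation_rules(PLATFORM_ADDRS)):
        print(line)
```

Because the rules are appended to OUTPUT, any pre-existing accept rules earlier in the chain still take precedence; review the existing policy before applying.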

The following are example scripts which can be used with Active Response.

Active Response Script - Isolation Control

Active Response Script - Process Control

Active Response Script - Directory and File Access Control