SentinelOne (S1) vs. Cylance, McAfee, Tanium and Traditional AV vendors...
Good info from a corporation that was hit, two weeks before WannaCry, by an attack using the same EternalBlue exploit, and how S1 passed the MRG-Effitas EternalBlue test with flying colors! See the links at the bottom of the article for more info...
More good info on SentinelOne vs. WannaCry…
Complementing the MRG-Effitas test, the New York Times today published an article (by Nicole Perlroth) that further highlights security gaps not just in Cylance but in a few other vendors as well. The article interviews Golan Ben-Oni, global chief information officer of IDT, a New Jersey-based telecommunications company with $1.5B in revenue and 1000+ employees.
Two weeks before the WannaCry outbreak, IDT was hit by an attack exploiting the same Windows SMBv1 vulnerability as WannaCry (MS17-010), using the same EternalBlue exploit. The attackers not only locked up data for ransom but also stole employee credentials. The attack bypassed four different tools deployed by the company (McAfee, Microsoft, Cylance and Tanium), as well as 128 public threat intelligence feeds and 10 paid feeds costing $500K a year in subscriptions!
To directly quote the article: "But in this case, modern-day detection systems created by Cylance, McAfee and Microsoft and patching systems by Tanium did not catch the attack. Nor did any of the 128 publicly available threat intelligence feeds that the company subscribes to. Even the 10 threat intelligence feeds that his organization spends a half-million dollars on annually for urgent information failed to report it. He has since threatened to return their products. “Our industry likes to work on known problems,” Mr. Ben-Oni said. “This is an unknown problem. We’re not ready for this.”"
How is the attack related to WannaCry?
Both the IDT attack and WannaCry exploit the same vulnerability in the SMBv1 server of Microsoft Windows, the one Microsoft patched in security bulletin MS17-010 in March 2017. The exploit code for it, leaked from the NSA, was dubbed EternalBlue. Hosts that have the MS17-010 patch applied, or that have SMBv1 disabled, are not exploitable by it; everything below concerns hosts that had neither.
How is the attack different from WannaCry?
While WannaCry appears to have used EternalBlue primarily to spread and then encrypt data, the IDT attack also made use of the DoublePulsar backdoor as a foothold on the compromised hosts. That foothold allowed the attackers to steal credentials in addition to encrypting data and demanding a ransom!
What’s special about a backdoor?
Attackers install backdoors on compromised systems so that they can return to them at will. Malware installed for this purpose is often called a remote access Trojan, or RAT, and can be used to install other malware on the system or to exfiltrate data. In other words, you stand to lose a lot more with a backdoor, and you might not even realize it is there. DoublePulsar is a particular kind of backdoor: a kernel-mode implant that lives only in memory (nothing is written to disk, which is one reason file-scanning antivirus misses it, and also why a reboot removes the implant itself, though not whatever the attacker loaded through it), hooks the SMB or RDP service, and lets the attacker load and run arbitrary DLLs or shellcode on the machine with kernel privileges.
How big was this attack?
While the article gives few details on the IDT attack beyond this, Perlroth highlights that tens of thousands of computer systems all over the world have been “backdoored” with these tools, and several security researchers believe some of the infected computers belong to transportation networks, hospitals, water treatment plants and other utilities. As Perlroth puts it: "Sean Dillon, a senior analyst at RiskSense, a New Mexico security company, was among the first security researchers to scan the internet for the N.S.A.’s DoublePulsar tool. He found tens of thousands of host computers are infected with the tool, which attackers can use at will. More distressing, Mr. Dillon tested all the major antivirus products against the DoublePulsar infection and a demoralizing 99 percent failed to detect it."
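The scan Dillon ran, and the related MS17-010 patch check, can be reproduced over raw SMBv1 packets, which also shows why a file scanner never sees the implant. The script below is an added example, not code from the NYT article, MRG-Effitas, RiskSense or SentinelOne: it builds the anonymous SMB handshake, the PeekNamedPipe request whose STATUS_INSUFF_SERVER_RESOURCES reply marks an unpatched host, and the Trans2 SESSION_SETUP "ping" whose reply carries a Multiplex ID of 0x51 (the request's 0x41 plus 0x10) only when the implant's hook is present. The constants (flags, the Timeout value 0x00A4D9A6 that encodes the ping opcode 0x23, field offsets) follow the public detection scripts as I remember them and are assumptions to confirm against a lab host; sample_response() builds a constructed, not captured, reply for offline checking, and no host is contacted unless probe() is called.

```python
"""Probe one SMBv1 host for the MS17-010 bug and for the DoublePulsar implant.

Added example, not from the NYT article, MRG-Effitas or SentinelOne. Packet
layouts follow the public detection scripts as remembered by the editor and
are assumptions to confirm against a lab host, not an authoritative spec.
"""
import socket
import struct

SMB_HDR = "<4sBIBHH8sHHHHH"                  # 32-byte SMB1 header, little-endian
FLAGS, FLAGS2 = 0x18, 0x4001                 # canonical paths; NT status codes, ASCII strings
PING_MID = 0x41                              # Multiplex ID used by the published ping ...
IMPLANT_MID = PING_MID + 0x10                # ... DoublePulsar answers MID + 0x10 on success
PING_TIMEOUT = 0x00A4D9A6                    # Timeout whose byte sum is the ping opcode 0x23
STATUS_INSUFF_SERVER_RESOURCES = 0xC0000205  # PeekNamedPipe reply from an unpatched server

def smb_header(cmd, tid=0, uid=0, mid=0, flags2=FLAGS2, status=0):
    return struct.pack(SMB_HDR, b"\xffSMB", cmd, status, FLAGS, flags2, 0,
                       b"\x00" * 8, 0, tid, 0xFEFF, uid, mid)

def nbss(smb):
    """NetBIOS session framing: message type 0 plus a 3-byte big-endian length."""
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def negotiate():
    dialect = b"\x02NT LM 0.12\x00"
    return nbss(smb_header(0x72) + b"\x00" + struct.pack("<H", len(dialect)) + dialect)

def session_setup():
    """Anonymous Session Setup AndX (13 words): 1-byte empty OEM password, empty names."""
    words = struct.pack("<BBHHHHIHHII", 0xFF, 0, 0, 4356, 10, 0, 0, 1, 0, 0, 0x50)
    data = b"\x00" * 5        # password, account, domain, native OS, native LAN Manager
    return nbss(smb_header(0x73) + b"\x0d" + words + struct.pack("<H", len(data)) + data)

def tree_connect(uid, host):
    """Tree Connect AndX (4 words) to IPC$, the share both checks below go through."""
    words = struct.pack("<BBHHH", 0xFF, 0, 0, 0, 1)
    data = b"\x00" + ("\\\\%s\\IPC$" % host).encode() + b"\x00?????\x00"
    return nbss(smb_header(0x75, uid=uid) + b"\x04" + words + struct.pack("<H", len(data)) + data)

def ms17_010_check(tid, uid):
    """SMB_COM_TRANSACTION PeekNamedPipe (setup 0x23) on FID 0: a patched server answers
    STATUS_INVALID_HANDLE, an unpatched one STATUS_INSUFF_SERVER_RESOURCES."""
    words = struct.pack("<HHHHBBHIHHHHHBBHH", 0, 0, 0xFFFF, 0xFFFF, 0, 0, 0, 0,
                        0, 0, 74, 0, 74, 2, 0, 0x23, 0)
    name = b"\\PIPE\\\x00"
    return nbss(smb_header(0x25, tid, uid) + b"\x10" + words + struct.pack("<H", len(name)) + name)

def doublepulsar_ping(tid, uid):
    """Trans2 SESSION_SETUP (subcommand 0x0E) carrying the implant's ping opcode in Timeout."""
    words = struct.pack("<HHHHBBHIHHHHHBBH", 12, 0, 1, 0, 0, 0, 0, PING_TIMEOUT,
                        0, 12, 66, 0, 78, 1, 0, 0x0E)
    data = b"\x00" * 13       # one pad byte plus twelve zero parameter bytes
    return nbss(smb_header(0x32, tid, uid, PING_MID, 0xC007) + b"\x0f" + words
                + struct.pack("<H", len(data)) + data)

def timeout_opcode(timeout):
    """The implant recovers its opcode (0x23 ping, 0x77 kill) from the byte sum of Timeout."""
    return sum(timeout.to_bytes(4, "little")) & 0xFF

def parse_smb(packet):
    """Header fields of an NBSS-framed SMB1 packet."""
    if len(packet) < 36 or packet[4:8] != b"\xffSMB":
        raise ValueError("not an SMB1 packet")
    f = struct.unpack(SMB_HDR, packet[4:36])
    return {"command": f[1], "status": f[2], "tid": f[8], "uid": f[10], "mid": f[11]}

def classify_ping_response(packet):
    """A clean server echoes MID 0x41; only the implant's hook rewrites it to 0x51."""
    return "doublepulsar" if parse_smb(packet)["mid"] == IMPLANT_MID else "clean"

def sample_response(cmd, status, mid, tid=8, uid=0x800):
    """Constructed (not captured) minimal reply: header, zero words, zero bytes."""
    return nbss(smb_header(cmd, tid, uid, mid, status=status) + b"\x00\x00\x00")

def recv_smb(sock):
    """Read one NBSS-framed reply, honouring its 3-byte length field."""
    head = sock.recv(4)
    body, need = b"", int.from_bytes(head[1:], "big")
    while len(body) < need:
        chunk = sock.recv(need - len(body))
        if not chunk:
            raise ConnectionError("peer closed mid-packet")
        body += chunk
    return head + body

def probe(host, port=445, timeout=5.0):
    """Live check, returns (vulnerable to MS17-010, DoublePulsar implant present)."""
    def xchg(sock, pkt):
        sock.sendall(pkt)
        return recv_smb(sock)
    with socket.create_connection((host, port), timeout) as s:
        parse_smb(xchg(s, negotiate()))
        uid = parse_smb(xchg(s, session_setup()))["uid"]
        tid = parse_smb(xchg(s, tree_connect(uid, host)))["tid"]
        vulnerable = parse_smb(xchg(s, ms17_010_check(tid, uid)))["status"] == STATUS_INSUFF_SERVER_RESOURCES
        implanted = classify_ping_response(xchg(s, doublepulsar_ping(tid, uid))) == "doublepulsar"
    return vulnerable, implanted
```

Because the implant never touches disk, this network ping (or an equivalent kernel memory scan) is the check to run against exposed SMB hosts rather than a file scan; a positive result means the machine is already owned, and rebooting clears the implant but not the credentials or payloads that went through it.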
What was the summary of the MRG-Effitas test?
- SentinelOne passed this test with flying colors. In the words of MRG-Effitas: "SentinelOne 1.8.4.6202 was able to block every malicious payload DLL or shellcode introduced to the system via the Eternalblue exploit, by blocking it in a generic way." They also go on to say: "Both original Eternalblue with Doublepulsar and Metasploit port was tested. SentinelOne not only blocks the Meterpreter payload but the original Peddlecheap payload as well. As more and more tests were ongoing, typically next-gen but not the Peddlecheap one.”
- Cylance failed to notice the exploit or the backdoor it installed! In the words of MRG-Effitas: "The interesting part of the video starts at 5:00. The Doublepulsar backdoor is already installed and this means the system is already compromised and it would appear that Cylance did not realise this.” The video referenced here is Cylance's own video on WannaCry protection.
What can I share with the customer?
Point the customer to the MRG-Effitas blog as well as the NYT article. Share with partners and on social media. We have also published a SentinelOne blog post online in case you wish to share that with your customers.
The customer should never test with vendor-supplied files; a vendor's own demo samples prove nothing about unknown payloads.
Comment (7 years ago): This article and the MRG comments are not accurate. Cylance is not an exploit prevention tool, so it allows DoublePulsar, which we've never said we block, but it does prevent the payload, whether it be an executable or an attack on memory. WannaCry, Petya (today), Shamoon2 and others were all blocked by our model created in 2015, and the technology has only improved. In the case of EternalRocks, Cylance does provide protection against the attack on memory when the product is deployed in blocking mode, which is recommended in every Cylance deployment: https://www.cylance.com/en_us/blog/cylance-vs-eternalrocks-worm.html We encourage every prospect to trust no vendor and test for themselves in full production blocking mode. Gartner Peer Insights is a great reference for those considering endpoint security solutions: https://www.gartner.com/reviews/market/endpoint-protection-platforms