MSV Onboarding - Crafty way to establish the Cloud Hosted Actor Allow List

Many MSV deployments include multiple on-premise actors and one or two Mandiant cloud hosted actors. Many use cases, such as data extraction or malicious file transfers (MFT), require that the on-premise actors can communicate with the cloud hosted actor. Mandiant requires clients to submit a list of the public IP addresses that the on-premise actors will use to communicate with the cloud hosted actor. The MSV operator often does not know this information and may resort to an internal ticket or an inquiry to a network administrator to find it out, which can take more time than wanted. A simple and faster alternative is to create Host-CLI actions that use the cURL utility to identify the egress IP address of each on-premise actor. Yes, this works on network actors too, as they are Linux based and can run Host-CLI actions using a bash shell. An action for other shell types can be created in the same way, since cURL is supported on many OS platforms, including Windows (cmd.exe or PowerShell).

Example curl command displaying a host's external (egress) IP address using ifconfig.me:


There are several alternatives to ifconfig.me if needed, including:

  • curl ifconfig.me/all
  • curl icanhazip.com
  • curl ipecho.net/plain
  • curl ifconfig.co

Example: Custom Host-CLI action using a Bash shell:


Example: Job results from the custom Host-CLI action, with the "CLILog Output" view showing the egress IP address of the on-premise actor:


For information on creating custom Host-CLI actions see our documentation at: https://docs.mandiant.com/home/msv-adding-host-command-line-interface-actions
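The screenshots above show a single curl call. As an added example, written for this post and not part of MSV or of the original action, the script below turns that idea into an action body that asks each of the lookup services listed above, keeps only answers that are well-formed IPv4 addresses (so an error page, a blank line or CRLF noise from one service cannot end up on the allow list), and prints each distinct address once. The service hostnames are the ones from the post; the use of HTTPS, the curl flags, the function names and the `--run` guard are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not MSV's own code): Host-CLI action body that records the
# egress IP of an on-premise actor by asking several public echo services and
# keeping only answers that are well-formed IPv4 addresses.
# Assumes curl is installed and the actor has outbound HTTPS to these services.
# Service list is from the post; function names and flags are this example's own choices.
ECHO_SERVICES="https://ifconfig.me https://icanhazip.com https://ipecho.net/plain https://ifconfig.co"

# is_ipv4 STRING: exit 0 only for a dotted quad whose octets are each 0-255.
is_ipv4() {
  ip=$1
  case $ip in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit chars, leading/trailing/double dots
  esac
  old_ifs=$IFS
  IFS=.
  set -- $ip                                # split octets into $1..$4
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] || return 1         # reject 0256-style values
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# pick_egress_ip: reads one service answer per line on stdin, drops anything
# that is not a valid IPv4 address and prints each distinct address once.
# Exactly one line of output means the services agree; more than one means the
# actor egresses via several addresses (or one answer is bogus) and deserves a
# closer look before anything goes on the allow list.
pick_egress_ip() {
  seen=""
  while IFS= read -r line || [ -n "$line" ]; do
    candidate=$(printf '%s' "$line" | tr -d '[:space:]')   # strip CR/LF and padding
    is_ipv4 "$candidate" || continue
    case " $seen " in
      *" $candidate "*) continue ;;         # already recorded
    esac
    seen="$seen $candidate"
  done
  for addr in $seen; do printf '%s\n' "$addr"; done
}

# query_egress_ip: ask every service with a short timeout, so one blocked
# service cannot hang the MSV job, then reduce the answers with pick_egress_ip.
query_egress_ip() {
  for svc in $ECHO_SERVICES; do
    curl -fsS --max-time 5 "$svc" 2>/dev/null || true   # -f: HTTP errors count as failure
    printf '\n'                                          # some services omit the newline
  done | pick_egress_ip
}

# Live lookup only when explicitly requested (append --run in the action),
# so the functions above can also be sourced and checked offline.
if [ "${1-}" = "--run" ]; then
  result=$(query_egress_ip)
  if [ -z "$result" ]; then
    echo "no valid egress IP answer from any service" >&2
    exit 2
  fi
  printf 'egress IP(s):\n%s\n' "$result"
fi
```

Paste the script as the action body and invoke it with `--run`; the "CLILog Output" of the job then carries the validated address list instead of a raw service reply. If the job reports more than one address, the site is likely NATing through several egress IPs and the whole set (or the smallest CIDR that covers it) is what belongs in the support request. On a Windows actor the same `curl ifconfig.me` call works from cmd.exe or PowerShell, but the validation above is shell-specific.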

This method can be used during on-boarding to establish the allow list that determines which on-prem actors can run actions against the cloud hosted actor. After collecting the egress IPs, submit an internal support request asking that they be added to the cloud actor's allow list. You can send the specific IP addresses of the on-premise actors or submit one or more CIDR blocks for the allow list; just keep each CIDR block as narrow as possible. Generally a /24 is about as large as you'd want to submit.

Helpful in Troubleshooting

If on-premise actors lose the ability to communicate with the cloud hosted actor, these custom actions can be used to verify whether the egress IPs have changed.
