
EDR: How to Determine Cipher Matching Between Endpoint and Server

Environment

  • EDR Server: All Versions
  • EDR Sensor: All Versions
  • Operating System: All Types

Objective

How to determine which cipher suites the Sensor and the Server have in common so that the TLS handshake between them can complete

Resolution

EDR Server

  • With the cb-enterprise services running, run this command (from any host that has nmap installed and can reach the server) to list the cipher suites enabled on port 443:
    nmap --script ssl-enum-ciphers -p 443 <serveripaddress>

Sensor/Endpoint


Additional Notes

  • At least one cipher suite must be common to the Sensor and the Server for the TLS handshake to complete. If none match, you have two options
  • On-Prem EDR defaults to an /etc/cb/cb.conf configuration of 'UseIncreasedSecurityCiphers = true' and 'UseWeakCBCSecurityCiphers = false', which leaves only the following 5 cipher suites enabled:
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048)
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1)
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048)
    • TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048)
  • Hosted EDR uses the following cipher suites (including CBC suites) to accommodate endpoints running older operating systems:
    • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_RSA_WITH_AES_256_GCM_SHA384
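The nmap step in the Resolution section tells you what the server offers, but the actual check is whether that list overlaps with what the sensor's TLS stack can negotiate. The following added example (written for this article, not part of the original KB or of the EDR product) parses a constructed sample of `nmap --script ssl-enum-ciphers` output built from the five on-prem default suites above, then intersects it with an endpoint's cipher list. The hosted EDR list stands in for an endpoint that supports both GCM and CBC suites, and a constructed CBC-only list shows the failure case where the on-prem defaults leave nothing in common. The sample output, the endpoint lists and the helper names are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample of `nmap --script ssl-enum-ciphers -p 443 <server>` output.
# The cipher names are the five on-prem EDR default suites from the article;
# the surrounding layout mirrors nmap's script output so the parser is realistic.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Hosted EDR cipher list from the article, used here as an assumed endpoint
# offer (a sensor that can do both GCM and CBC suites).
HOSTED_EDR_CIPHERS = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

# Constructed endpoint that only supports CBC suites (no GCM at all), the kind
# of older client that the on-prem defaults will refuse.
CBC_ONLY_ENDPOINT = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
]

# "|   TLSv1.2:" style version headers and "|       TLS_..." cipher lines.
VERSION_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv3):")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)")


def parse_nmap_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {tls_version: [cipher names in server preference order]}."""
    by_version: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            by_version[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            by_version[current].append(m.group(1))
    return by_version


def matching_ciphers(server: Dict[str, List[str]],
                     endpoint: List[str]) -> Dict[str, List[str]]:
    """Per TLS version, the server suites the endpoint also offers (server order kept)."""
    offered = set(endpoint)
    return {ver: [c for c in suites if c in offered] for ver, suites in server.items()}


def handshake_possible(server: Dict[str, List[str]], endpoint: List[str]) -> bool:
    """True if at least one suite is common to both sides for some TLS version."""
    return any(matching_ciphers(server, endpoint).values())


if __name__ == "__main__":
    server_ciphers = parse_nmap_ciphers(SAMPLE_NMAP_OUTPUT)
    for name, endpoint in (("hosted-style endpoint", HOSTED_EDR_CIPHERS),
                           ("CBC-only endpoint", CBC_ONLY_ENDPOINT)):
        common = matching_ciphers(server_ciphers, endpoint)
        print(f"{name}: handshake possible = {handshake_possible(server_ciphers, endpoint)}")
        for ver, suites in common.items():
            print(f"  {ver}: {suites or 'no common suites'}")
```

Run the nmap command against the real server, paste its output in place of the constructed sample, and replace the endpoint list with whatever the sensor host actually offers; an empty intersection for every TLS version is the condition the Additional Notes describe, where the on-prem GCM-only defaults leave an older CBC-only client with nothing to negotiate.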

Creation Date: 09-10-2018