The 14th of January was a busy, exciting, and concerning day for much of the world, as Microsoft's latest vulnerability, CVE-2020-0601, created quite a stir in the industry because of its critical nature. While there is no doubt about the seriousness of the flaw, let us offer some practical advice to keep things under control.
We will start by answering the two questions that are at the forefront of most organizations' concerns:
First, as a security vendor and trusted advisor, we recommend that you install the Microsoft security update without delay. While SentinelOne detects and prevents all known samples related to this CVE found to date, proper patch management should always be applied.
SentinelOne's Endpoint Protection Platform uses multiple detection engines to protect against threats. SentinelOne's Behavioral AI monitors all running processes and is highly effective at mitigating exploitation attempts and the threats that follow them, even if the exploit itself cannot be blocked.
If an exploit is successful, attackers typically try one of the following approaches to leverage their toehold on the system –
SentinelOne's Behavioral AI engine (aka DBT-Executables) monitors all processes and network communications to detect all of the above attack patterns and can mitigate these threats automatically. We also recommend that you update to SentinelOne Windows agent version 3.6 (the latest GA), but the principles described above hold true for all supported versions.
Here is a video showing how we detect a POC for CVE-2020-0601 using our Behavioral AI engine:
Finally, SentinelOne's Deep Visibility Threat Hunting module (part of the Complete package) provides an additional layer of safety by logging all changes made on the system and automatically correlating these events to a TrueContextID, which groups all the variations of related processes together. In the extreme case of a missed threat, admins can hunt for Indicators of Compromise, mark a TrueContextID as a threat, and roll back all changes with a single click, in addition to other advanced remediation capabilities. This multi-layered, single-agent approach makes SentinelOne a world-class protection product.
We are here for you. Should you ever have a finding that you do not know how to respond to, reach out to your SentinelOne team and we will provide an immediate response.