We Got You Covered | How SentinelOne Protects Against CVE-2020-0601 (ChainOfFools/CurveBall)

The 14th of January was a busy, exciting, and concerning day for a lot of the world as Microsoft’s latest vulnerability CVE-2020-0601 has created quite a stir in the industry due to the critical nature of the vulnerability. While there’s no doubt about the seriousness of the flaw, let us offer some practical advice to keep things under control.

We will start by answering the two questions that are at the forefront of most organizations’ concern:

  • Do you have to install the Microsoft security update for this vulnerability?  Yes
  • Does SentinelOne protect you against threats that use this exploit?  Yes

First, as a security vendor and trusted advisor, we recommend that you install the Microsoft security update without delay. While SentinelOne detects and prevents all known samples related to this CVE found to date, proper patch management should always be applied. 

How We Protect Against Threats That May Exploit Vulnerabilities

SentinelOne’s Endpoint Protection Platform uses multiple detection engines to protect against threats. SentinelOne’s Behavioral AI monitors all running processes and is highly effective in mitigating attempted exploitation attempts and threats even if the exploit itself cannot be blocked. 

If an exploit is successful, attackers typically try one of the following approaches to leverage their toehold on the system –

  • Modify behavior of the service or application that they exploited with an intent to steal data or credentials
  • Live off the land by using PowerShell or other scripting engines to reconnoiter, move laterally, destroy or perform other malicious actions
  • Write a new executable to disk and set it to auto-run in an attempt to gain persistence
  • Attempt to turn off installed AV/EPP using escalated privileges
  • Move laterally to other services, applications or other systems

SentinelOne’s Behavioral AI engine (aka DBT-Executables) monitors all processes and network communications to detect all of the above attack patterns and is able to mitigate these threats automatically. We also recommend that you update to SentinelOne Windows agent version 3.6 (latest GA), but the principles described above hold true for all supported versions.

Here is a video showing how we detect a POC for CVE-2020-0601 using our Behavioral AI engine:

Don’t Forget About Visibility

Finally, SentinelOne’s Deep Visibility Threat Hunting module (part of the Complete package) provides an additional layer of safety by logging all the changes made on the system and automatically correlating these events to a TrueContextID, which groups all the variations of related processes together. In an extreme case of a missed threat, admins can watch for and hunt for Indicators of Compromise, mark a TrueContextID as a threat, and rollback all changes in a single-button click in addition to other advanced remediation capabilities. This multi-layered, single-agent approach makes SentinelOne a world-class protection product.  

We are here for you. Should you ever have a finding that you do not know how to respond to, reach out to your SentinelOne team and we will provide an immediate response.