Author: Michael Gotham

As cloud deployments continue to gain popularity you may find the need to run the RSA NetWitness Platform in Google Cloud.  The RSA NetWitness Platform is already available for AWS and Azure; however, it is not "officially" available in Google Cloud as of 11/2018.

In this blog post I will walk through how to get the RSA NetWitness Platform running in Google Cloud.  This is NOT officially supported, however it does work and has been deployed in the field.

 

The rough steps are:

  1. Install NetWitness to a local virtual machine using the DVD ISO (use a single file for the vmdk rather than split files)
  2. After startup, edit /etc/default/grub
  3. Install ca-certificates via yum
  4. Add the Google repo and install a few more RPMs (https://cloud.google.com/compute/docs/instances/linux-guest-environment)
  5. Copy the ISO to the VM (you can also use a Google storage bucket and gcsfuse in place of this step)
  6. Install the Google Cloud SDK on your local machine (https://cloud.google.com/compute/docs/gcloud-compute/)
  7. Upload the vmdk from the deployed machine to a Google Cloud Storage bucket
  8. Run the import tool (see Google's "Importing Virtual Disks" Compute Engine documentation)
  9. (Skip this step if you copied the ISO in step 5) Add gcsfuse
  10. (Skip this step if you copied the ISO in step 5) Use gcsfuse to mount the ISO
  11. Make a directory to mount the ISO
  12. Mount the ISO
  13. Remove the existing ntp RPM (skipping this step will cause bootstrap to fail)

 

  1. Use VMWare Workstation or vSphere to create a new virtual machine.  Follow sizing instructions here: Virtual Host Setup: Basic Deployment 
    1. Choose to install Operating System Later
    2. Adjust the VM to sizes needed
    3. Ensure you are using one file for the vmdk rather than splitting into multiple disks.  Converting split disks is not in scope for this blog
    4. For the CD/DVD ensure the option "Connected" is checked
    5. Select use ISO image and browse to the path of your 11.x DVD  ISO.  Please note there are both DVD and USB ISO's.  The instructions provided here used the DVD ISO.
    6. Finish and power on the Virtual Machine
    7. Follow the prompts to install NetWitness
  2. Google has very specific instructions on what kernel arguments are allowed for imported, bootable images.  More details are in Google's "Importing Boot Disk Images to Compute Engine" documentation.
    1. Change your GRUB command line arguments to exclude any references to splash screens or quiet.
    2. For the NetWitness 11.1 ISO I used the following /etc/default/grub (note the serial console is ttyS0, with a capital S, which is the device name the kernel matches):

      GRUB_TIMEOUT=5
      GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
      GRUB_DEFAULT=saved
      GRUB_DISABLE_SUBMENU=true
      GRUB_TERMINAL_OUTPUT="console"
      GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=netwitness_vg00/root rd.lvm.lv=netwitness_vg00/swap biosdevname=1 net.ifnames=0 rd.shell=0 console=ttyS0,38400n8d"
      GRUB_DISABLE_RECOVERY="true"

  3. If DHCP did not automatically assign all network settings, assign the gateway, IP and subnet in the ifcfg file for the interface and ensure the machine has connectivity to the CentOS repos (https://www.cyberciti.biz/faq/howto-setting-rhel7-centos-7-static-ip-configuration/)
  4. Run the following and accept any gpg keys if prompted.  The latest version of ca-certificates is required or the daisy converter service will fail when you run the import.
    1. yum install ca-certificates

  5. Add the Google yum repo
    1. vi /etc/yum.repos.d/google-cloud.repo

    2. Paste the contents below (the second gpgkey URL must stay indented so yum reads it as a continuation of the gpgkey line)

      [google-cloud-compute]
      name=Google Cloud Compute
      baseurl=https://packages.cloud.google.com/yum/repos/google-cloud-compute-el7-x86_64
      enabled=1
      gpgcheck=1
      repo_gpgcheck=1
      gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg
             https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg

    3. Run the following to clean up the yum cache

      yum clean all


  6. Install the Google Cloud helper RPMs.  Permanently accept any gpg keys so they are stored, and install any prerequisite RPMs.  This will prevent errors during the conversion.
    1. yum install python-google-compute-engine

      yum install google-compute-engine-oslogin

      yum install google-compute-engine

  7. Copy the 11.x ISO (the same ISO you used to build) into /tmp via scp.  This will be used to mount the local yum repo for bootstrap.  You can also use gcsfuse in place of this step, however we will not cover that here.
  8. Shut down the VM and copy the vmdk to a Google Cloud Storage bucket accessible to the account used with the Google Cloud SDK.  Instructions can be found here: https://cloud.google.com/compute/docs/gcloud-compute/
  9. Run the import tool (see Google's "Importing Virtual Disks" Compute Engine documentation)
    1. If your vmdk was named nw11.vmdk and your storage bucket is called netwitness, the import command would be:

      gcloud compute images import nw11 --source-file gs://netwitness/nw11.vmdk --os centos-7

    2. This process can take up to a few hours
    3. Once the conversion is complete you will have an image you can use to make NetWitness VMs
  10. Start the VM, switch to user root and mount the ISO that was copied into the vmdk before the conversion.  The ISO I copied was 11.2 and named rsa-11.2.0.0.3274.el7-dvd.iso.  Because the ISO is a file rather than a block device it has to be loop-mounted (-o loop).
    1. su root

      mkdir /mnt/nw11gce

      mount -t iso9660 -o loop /tmp/rsa-11.2.0.0.3274.el7-dvd.iso /mnt/nw11gce


  11. Uninstall ntp and install the version on the NetWitness ISO so bootstrap will complete successfully.  Google installs a newer version of the ntp RPM.  The version NetWitness uses can be reinstalled from the ISO you just mounted in step 10.
    1. yum remove ntp

      rpm -e ntpdate

      rpm -Uvh /mnt/nw11gce/Packages/11.2.0.0/OS/ntpdate*.rpm

  12. Run nwsetup-tui to complete the install

 

You should now have a working NetWitness image you can build from.  One thing I have noticed is that during some kernel upgrades (which are included in service packs, patches and major versions of NetWitness software updates) additional kernel arguments are added that can cause the instance to lose ssh connectivity and the software to not function correctly.  After any upgrade and BEFORE rebooting I recommend checking that additional kernel arguments have not been added.  I'd also recommend upgrading in a lab or small instance first, and taking a snapshot prior to the upgrade so you can return to a known good state if needed.
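As an added example (not from the original post), a small POSIX shell script that audits the GRUB_CMDLINE_LINUX line for the splash/quiet arguments step 2 says to remove and for the serial console the config in step 2 relies on; it is meant to be run against /etc/default/grub before the import and again after any upgrade, before rebooting, as recommended above. The file path and the two sample configs are assumptions/constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: audit the kernel command line in a
# GRUB defaults file before the image import and again after any NetWitness
# upgrade, before rebooting. It flags the splash/quiet arguments Google's import
# rejects and checks for the serial console the post's own config relies on.
# Assumes the real file to audit is /etc/default/grub; two constructed samples
# are written to temporary files so the script runs offline.

FORBIDDEN="quiet rhgb splash"   # arguments that must not be present
REQUIRED="console=ttyS0"        # start of the console= argument we expect

# audit_cmdline FILE: prints each finding; returns 0 if clean, 1 otherwise
audit_cmdline() {
    line=$(grep '^GRUB_CMDLINE_LINUX=' "$1" | tail -n 1)
    args=${line#GRUB_CMDLINE_LINUX=}
    args=$(printf '%s\n' "$args" | sed 's/^"//; s/"$//')   # strip quotes
    rc=0
    for tok in $FORBIDDEN; do
        for a in $args; do
            [ "$a" = "$tok" ] && { echo "FORBIDDEN: $tok"; rc=1; }
        done
    done
    for tok in $REQUIRED; do
        case " $args " in
            *" $tok"*) ;;
            *) echo "MISSING: $tok"; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ] && echo "clean: $1"
    return $rc
}

# Constructed samples: the post's working line, and a line as a kernel upgrade
# might leave it (rhgb quiet added back, serial console gone).
GOOD=$(mktemp); BAD=$(mktemp)
cat > "$GOOD" <<'EOF'
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=netwitness_vg00/root rd.lvm.lv=netwitness_vg00/swap biosdevname=1 net.ifnames=0 rd.shell=0 console=ttyS0,38400n8d"
EOF
cat > "$BAD" <<'EOF'
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=netwitness_vg00/root rhgb quiet"
EOF

audit_cmdline "$GOOD"
audit_cmdline "$BAD" || echo "fix $BAD before rebooting"
```

On CentOS 7 an edit to /etc/default/grub only takes effect once grub.cfg is regenerated with grub2-mkconfig -o /boot/grub2/grub.cfg, so audit first and regenerate after.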

On Friday, May 12th 2017, one of the largest ransomware attacks in history was launched using WannaCry, infecting more than 230,000 computers in 150 countries in a matter of days.  Attackers are demanding ransom payments in Bitcoin, with amounts increasing as time goes on.  The attack has been described by international organizations like Europol as unprecedented in scale.

 

When executed, the malware first checks for a specifically generated kill switch domain.  If it is not found, the ransomware begins to encrypt data on the computer.  WannaCry has a second stage that attempts to exploit the SMB vulnerability MS17-010 to spread to random computers on the Internet, and laterally to computers within an organization.

 

RSA NetWitness Endpoint can not only help detect this activity (see the post "WannaCry from the RSA NetWitness Suite's Perspective"), but also proactively block it to stop the spread and reduce further damage from infection.

 

****DISCLAIMER****

Customers should take caution when blocking files with NetWitness Endpoint.  NetWitness Endpoint will not block files signed by Microsoft or the RSA NetWitness Endpoint (ECAT) driver.  However, any other SHA256 hashes entered via blacklisting in the GUI with the blocking option enabled, or directly into the NWE database, will be blocked.  NetWitness Endpoint has safeguards in place, including prevention of blocking if a module is present on more than "x" number of systems.  This is configurable.  Also, blocking must be enabled both at the group level and globally.  Machines by default will inherit this setting from their group, but it can also be enabled or disabled at the individual machine.

 

[Screenshot: Blocking Global Parameters]


The attached SQL query can be run to block 241 different variants of WannaCry.  Additional SHA256 hashes can be added to the block list by following the same format in the SQL query.  It needs to be run in SQL Server Management Studio against the NWE database (by default this is named ECAT$PRIMARY).

 

[Screenshot: SSMS Query]

 

After this is completed make sure to select Tools->Force Blocking Status Update to push the changes to the NWE agents.  

 

 

You can verify this was successful by checking the "BlockingHashes" table in the NWE database, as well as on the agents in c:\Program Data\ecatservice

 

[Screenshot: Confirm Hash DB Update]
