Open a web browser of your choice and navigate to LOG IN.

If you do not already have an account please reference the instructions found here.

Enter your TestDrive Username and Password and select ENTER.

Next, locate the VMware Carbon Black Workload product under the Intrinsic Security tab and click LAUNCH.

LAUNCH VIA WORKSPACE ONE.

A new tab will open with Workspace ONE. Enter your TestDrive username and password, then hit Sign In.

Next, search for the Carbon Black Cloud desktop. Click to open into the desktop either via HTML access or Horizon Client access.

Now you'll be on the Carbon Black Cloud desktop. At this point, you can begin the walkthrough steps listed below.

A Carbon Black plug-in within vCenter allows for a shared truth on vulnerabilities and risk for those residing in vSphere/infrastructure as well as team members more focused on security or the Carbon Black Cloud console. Through this unique approach, we can eliminate the trade-off between security and operational simplicity by providing a single source of truth for Infrastructure and Security teams to accelerate response to critical vulnerabilities and attacks, while enabling collaboration and reducing friction. The Carbon Black Workload Plug-in provides deep visibility into your data center inventory and end-to-end life-cycle management for the components.

VMware Carbon Black Workload contains two components that are integrated into vCenter:

• Carbon Black Workload Plug-in in vCenter
• Carbon Black Workload Appliance

For purposes of this lab experience, Carbon Black Workload is already installed and configured. For information on installing and configuring CBWL in under 15 minutes see the following video:

On the desktop, launch on the shortcut named “vCenter Server”.

Log in with the following credentials:

• Username:  (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)
• Password:  (listed in text file Carbon_Black_Demo_Credentials.txt on the Carbon Black desktop)

Once logged in, to view the Carbon Black Workload Plug-in, click Menu at the top left to expose menu options. Then select the Carbon Black icon in the drop-down menu.

On accessing the plug-in you will be brought to the Summary, or "Dashboard", tab. The Carbon Black Workload Plug-in Summary tab contains widgets on appliance health, inventory status, and critical vulnerabilities:

• Appliance Health: The Workload appliance facilitates communication between your vSphere environment and the Carbon Black Cloud. Appliance Health displays the status of the workload appliance. For more information on appliance status see the following page: https://docs.vmware.com/en/VMware-Carbon-Black-Cloud-Workload/1.0/carbonblack_workload/GUID-66E2A35A-4754-43F6-A5AD-C611D35EDD44.html 
• Inventory Status: Inventory management for workloads; shows the coverage of Carbon Black through vSphere environment (is Carbon Black enabled, if there are updates to Carbon Black agent available, are assets eligible for Carbon Black, assets unsupported by Carbon Black, etc.) 
• Affected Assets: Displays how many assets are affected by vulnerabilities, broken down by OS 
• Critical Product Vulnerabilities: Displays how many critical vulnerabilities are present in the environment by vulnerability type (Windows OS, Windows App, Linux OS, Linux App) 

The Vulnerabilities page displays vulnerabilities present in your vSphere environment. Click "Vulnerabilities" to navigate the vulnerability page.

An overview of vulnerabilities is shown at the top of the page - including filters based on vulnerability severity. Severity scoring allows for administrators to understand and mitigate risks in a prioritized, realistic method. Higher severity scores indicate that the vulnerability should be prioritized. There are four severity categories… 

• Low: Score from 0.0 – 3.9 
• Moderate: Score from 4.0 – 6.9 
• Important: Score from 7.0 – 8.9 
• Critical: Score from 9.0 – 10.0  

As a vCenter Server administrator, you want to have visibility of known vulnerabilities in your environment to understand your security posture and schedule maintenance windows for patching and remediation. With the help of vulnerability assessment, you can proactively minimize the risk in your environment. 

Vulnerabilities can be viewed in Asset View or Vulnerability View:

• Asset View displays workloads covered by Carbon Black Workload and allows you to look at all vulnerabilities affecting the workload of interest. 
• Vulnerability View displays all vulnerabilities based on type (Windows OS, Windows App, etc.).

Carbon Black Cloud looks into vulnerabilities related to:

• Operating System (OS) of the virtual machine.
  • Windows OS: Displays OS-level vulnerabilities for Windows VMs. The system looks for OS details and the security patches applied on each VM. When the security patch associated with the vulnerability is not applied, the VM is flagged as vulnerable.
  • Linux OS: Displays OS-level vulnerabilities for Linux VMs. The system looks for OS details with the list of all installed packages. The system determines the vulnerable packages installed on the VM and reports the CVEs against those packages.
• Applications are installed on the virtual machine.
  • Windows Apps: Displays application-level vulnerabilities for the Windows VMs.
  • Linux Apps: Displays application-level vulnerabilities for the Linux VMs.

The Inventory page displays workloads for which you have enabled and not enabled Carbon Black Workload. You can manage workloads from this page. 

CBWL provides a streamlined agent deployment process. The Carbon Black agent installer is provided as part of the VMware Tools package. Deployment to workloads is simplified to a ‘click to enable’ process. Simply select the workload for which you would like to enable CBWL and click ‘Enable’. Initial assessment begins within 24 hours of enabling, and then occurs daily, automatically from that point forward.  

Sensor updates can be pushed by selecting workload(s) and clicking the Update button. Updates can be done individually or on multiple/all workloads.

Carbon Black Cloud partners with Kenna Security to leverage the largest database of vulnerability, exploit, and event threat data in the industry. This data is distilled into three main measures of risk:

• Active Internet Breach: Presence of near-real-time exploitation.
• Malware Exploitable: Availability of an exploit module in a weaponized exploit kit.
• Easily Exploitable: Availability of a recorded exploit.

There are metrics defined for Common Vulnerability Scoring System (CVSS). A few of the metrics are about the attack method itself, whereas the others depend on how the application assesses impact - the direct consequence of a successful exploit. To learn more about CVSS, visit https://www.first.org/cvss/specification-document.

Every vulnerability is assigned a risk score of between 0.0 (no risk) and 10.0 (maximum risk). The risk score range and severity are defined as follows.

While logged into vCenter, click on the Menu button at the top left of vCenter and then navigate to and click on the Carbon Black plug-in. For more information on accessing and navigating the plug-in see section 3.2.

Navigate to the Vulnerabilities page within the plugin. The Vulnerabilities page displays information on vulnerabilities affecting the environment with intuitive filtering capabilities to give administrators a prioritized, realistic method to look at risk and threat.

On the top of the page severity level filters can be used to view vulnerabilities in a prioritized manner. For this lab, we will focus on Critical vulnerabilities, with a severity score of 9.0 to 10.0. For more information on how risk is scored see Section 3.3.

• If not currently selected, click the Critical filter at the top of the page to view only critical vulnerabilities

We should now see only Critical High-Risk score CVE’s, these are CVE’s that are exploitable within this environment. This means an attacker (external or internal) could gain access to a workload by leveraging one of these CVE’s in an attack if discovered.

• Scroll down to view vulnerabilities
• Click the Vulnerability View to view all vulnerabilities based on the type

Vulnerability types include Windows OS, Linux OS, Windows App, and Linux App. Select a vulnerability type of interest. Due to the nature of this lab, a specific vulnerability will not be selected as vulnerabilities will change across the environment.

A vulnerability will display:

• Severity: Criticality of a vulnerability 
• Risk Score: Score denoting severity; ranges from 0.0 (no risk) to 10.0 (maximum risk) 
• OS Name: Name of OS affected by the vulnerability 
• OS Version: Version of OS affected by the vulnerability 
• CVE ID: Identifier of the specific vulnerability 
• Fixed by: If applicable, links to KB article denoting update/patch that fixes a vulnerability 
• Vendor (if App vulnerability): Name of the vendor of application w/vulnerability 
• Product Name (if App vulnerability): Name of application w/vulnerability for reference 
• Version (if App vulnerability): Version of App vulnerability is fixed by 
• Assets Affected: Number of workloads in your environment that are affected by this vulnerability

• Click the arrow next to a vulnerability to expand additional information

Expanding a vulnerability will show:

• A plaintext description of the vulnerability
• Link to the National Vulnerability Database
• Asset(s) affected by the vulnerability
• Risk details (Kenna variables affecting severity score)
• CVSS score information
• CVSS vector details

• Click the link to the National Vulnerability Database

Carbon Black Workload directly links to the National Vulnerability Database (NVD) page for the selected vulnerability. This allows for an easy workflow to get more background on the vulnerability and how to resolve it directly in your vSphere environment. 

• Review information on NVD
• Click the vSphere tab to return to the CBWL plug-in
• Click the plus to expand Affected Assets
• Click one of the Affected Assets

When viewing a workload, on the Monitor tab, a Carbon Black Vulnerabilities page is available. You can view all vulnerabilities affecting a particular workload from this page. 

Once the administrator has patched or resolved the vulnerability, the reassess function on top right will help to view the asset health in real-time.

We have now completed a workflow looking into a critical vulnerability directly in vSphere. CWP provides built-in vulnerability assessment capabilities in your vSphere console. 

The Carbon Black Cloud console is web-based with one lightweight agent deployed to endpoints.

The console is accessed through a supported web browser: 

• Windows: Chrome, Edge, Firefox 
• macOS: Chrome, Firefox, Safari 

Login to Carbon Black Cloud: 

• URL: https://defense-prod05.conferdeploy.net/
• User: (listed in text file on the Carbon Black Cloud desktop)  
• Password: (listed in text file on the Carbon Black Cloud desktop)

• Click the "Carbon Black Cloud" Chrome Link, a webbrowser with the Carbon Black URL will automatically populate
• Login with credentials listed in text file on the desktop

If you are an existing VMware Carbon Black Cloud customer using the NGAV, EDR, container security, or other solution, the Carbon Black Workload solution lives in the same cloud-based console. Workload vulnerability information lives in the Vulnerabilities tab.

• On the left side navigation menu, click Harden to expose menu options
• Click Vulnerabilities to view vulnerability information

Carbon Black Workload gives teams a shared truth of risk, minimizing friction between teams such as infrastructure and security. Teams have the same visibility and understanding of vulnerabilities whether they are viewing information in the Carbon Black Cloud or within the vCenter plug-in.

Click on Show graphs on the top right to expand the vulnerabilities dashboard.

Vulnerabilities can be explored within the Carbon Black Cloud in the same method used in Section 4.

To gather stateful information which is correlated to vulnerabilities, another part of the Carbon Black Solution suite is leveraged called Audit and Remediation. Audit and Remediation allows administrators to ask questions on the environment across hardware, software, and network variables at scale. Carbon Black Workload customers have access to the full Audit and Remediation solution beyond its use in vulnerability assessment. This portion of the experience will walk through using Audit and Remediation.

If you are not currently logged in to the Carbon Black Cloud console see section 5.1 for how to log in.

• On the left-hand navigation menu click Live Query to expand the menu
• Click New Query menu option

Numerous queries are pre-built and come OOTB with Audit and Remediation - called recommended queries. Pre-built queries full under IT Hygiene, Vulnerability Management, Threat Hunting, and Compliance use cases. Recommended queries can be filtered by selecting a use case, filtering by applicable OS, or searching for keyword(s).

Queries can be run on a one-off basis or scheduled to run automatically (daily, weekly, monthly, etc.). Query results can be viewed in the console or exported.

• Click Vulnerability Management to review queries falling under this use case.

Carbon Blak Workload and Audit and Remediation give administrators a greater understanding of what they are securing. We will review a recommended query to better understand the information Audit and Remediation can provide.

• Scroll down to the Installed Windows Applications query
• Click the 'plus' to expand and view SQL

The Installed Windows Applications query returns information about applications installed by msiexec.exe. By expanding a query you can view the SQL code used in the query. Audit and Remediation leverages osquery and standard SQL syntax. 

Beyond recommended queries, administrators can create their own, custom queries to suit any number of use cases. Queries are built using standard SQL syntax and the previously linked osquery schema.

• Review the osquery schema at https://osquery.io/schema/4.5.0 to understand available tables
• Scroll to the top of the page; click the SQL Query tab

We will create a custom query that looks at the value for the 'LimitBlankPasswordUse' registry key. The value for this registry key can be 1 or 0; 1 being recommend as this prevents netconns from accessing endpoint with a blank password. An attacker could change the registry key to gain access to an environment.

This query comes from the Carbon Black Query Exchange. The query exchange is an open forum for Carbon Black customers to share queries they've created - or leverage queries others have created. The Query Exchange is linked on the top right of the page. Note that only Carbon Black customers can access the Query Exchange.

Queries can be run environment-wide or on a specific endpoint(s) or policy group. Let's run this query on a specific workload.

• Click 'Endpoints' hyperlink to expose endpoint selection
• Type in 'cb-win-10' and select the workload

• In the 'SQL' textbox copy and paste the following query

• In the 'Query Name' text box enter 'YOUR NAME - TD'
• Click 'Run' to run your newly created query

Query results can be viewed in the console or exported.

• Click 'Query Results' on the left-hand menu under the parent 'Live Query'
• Select your query to view results by clicking on the name hyperlink
• You can refresh the page in a couple of seconds to see the query results after the sensor has collected all information