
Red Cloak Endpoint Agent for VDI or Cloud Instance Deployments


Clone Overview

It is important to consider and understand your environment setup when leveraging the Red Cloak™ Endpoint Agent to help secure your pools of VDI clones or your cloud instances. Here, we use the VDI use case as an example; you can infer how this information is related to managing agent deployments in a cloud environment.

A standard VDI pool is provisioned from a “gold” base image that is prepared as a first step. Clones are also likely to be provisioned from in-memory; they share the system resources and details of a common host. The Red Cloak Endpoint Agent leverages multiple modules to gather telemetry from the system and provides added security efficacy for your organization. Knowing how the individual Red Cloak Endpoint Agent modules operate and how your VDI environment is set up helps identify the best agent configuration strategy. This configuration strategy needs to encompass both security and performance.

Before You Start: TEST, TEST, TEST

When a clone is provisioned from the base image, it starts up as an exact image of that gold base image. It is valuable to note and inform Secureworks support of what the average clone lifespan is: how long is a clone active for before it is refreshed back to the gold state? We recommend that the gold base image is properly set up with all required applications and settings before proceeding with the Red Cloak Endpoint Agent installation. The gold base image should also be validated as clean from any threats before proceeding. Once these initial steps are complete and the Red Cloak Endpoint Agent is installed on the gold base image, it is important to lock down or freeze the gold base image.

Continue Testing

After reading this document, our hope is that testing is at the top of your mind as you dive into deploying the Red Cloak Endpoint Agent to a VDI pool or to cloud instances. We recommend running the Red Cloak Endpoint Agent through multiple passes on a gold base image with a small number of clones. It is best to start simple, monitor the Red Cloak Endpoint Agent, and then adjust the settings as you go.

Test for Performance

  1. Deploy the Red Cloak Endpoint Agent without asking Secureworks support to help with modifying the configuration or registry.
  2. Provision a small pool of clones.
  3. Monitor the clones’ performance and the Red Cloak Endpoint Agent's resource utilization during startup.
  4. Run the clone for the standard amount of time before you plan to refresh it and simulate a standard load on the system.
  5. Monitor the clones’ performance and the Red Cloak Endpoint Agent's resource utilization during startup.
  6. If performance concerns are visible during steps 3 or 5, work with Secureworks support to adjust the Red Cloak Endpoint Agent configuration using the module information below, create a new installation package, and rerun the performance testing.

Test for Persistent Agent Identification

  1. Deploy the Red Cloak Endpoint Agent without modifying the registry.
  2. Provision a small pool of clones.
  3. Do all the clones properly display in Secureworks® Taegis™ XDR?
  4. Troubleshoot to determine why there are missing clones in XDR.
  5. Refresh your clones back to the gold base image state.
  6. Do all the clones properly display in XDR?
  7. Troubleshoot to determine why any clones do not properly display in XDR. If you see multiple agents representing a single clone, use the registry information below to adjust the identification method for the Red Cloak Endpoint Agent.

Red Cloak Endpoint Agent Configuration

Each Red Cloak Endpoint Agent module functions with different intentions and in slightly different manners. For this reason, you may need to work with Secureworks support to configure a custom installation package before proceeding with a VDI installation:

Groundling

The Groundling module captures all persistent programs and monitors persistence locations for any modifications. When a persistence change is detected, the agent collects information related to the change and sends a message to XDR. Persistent programs should be analyzed on the gold base image before provisioning a pool of clones. The clones mirror the persistent programs that exist on the gold base image.

Important

If the Groundling module impacts system performance, we recommend running the Red Cloak Endpoint Agent with the Groundling module disabled in the pool of clones.

Ignition

Ignition acts as the updater for the Red Cloak Endpoint Agent. It is installed as a separate application when you deploy the Red Cloak Endpoint Agent MSI installation package. For the Ignition module, we recommend asking Secureworks support to:

Inspector

The Inspector module collects telemetry that supports our detection. It runs multiple system scans during agent startup, and these scans are then repeated on a cadence of every 12 hours. Aligning this behavior with what we know about VDI clone behavior is the key to our recommendation to run the agent with the Inspector module disabled. When clones are provisioned from a clean gold base image, an Inspector scan at startup provides minimal security value if you have already validated the gold base image as clean of threats before provisioning the pool of clones. Recurring Inspector scans every 12 hours also provide minimal security value if the clone is active for less than 12 hours before each refresh back to the gold base state. For these reasons, we recommend that you work with Secureworks support to disable the Inspector module in the Red Cloak Endpoint Agent configuration so that your clones and hypervisor host are not negatively impacted by Inspector module scans.

Red Cloak Endpoint Agent Installation

The Red Cloak Endpoint Agent collects system information when determining an identifier for a device. Because VDI clones share the same system information as the hypervisor host, the Red Cloak Endpoint Agent is likely to duplicate clone identification and produce "inactive" agents in XDR as each clone is refreshed back to a "gold" base image state. We recommend using the following steps to install the Red Cloak Endpoint Agent to help with VDI deployments.

When setting up the gold base image, pre-install the Red Cloak Endpoint Agent with the service disabled. This will prevent the agent from starting when clones are provisioned and started up.

First Startup of a New Clone

  1. When the clone starts up, delete the values id and id_noise from HKU\S-1-5-18\Software\Dell SecureWorks.

  2. Enable and start the Red Cloak Endpoint Agent’s service.

Note

A new agent ID is generated and the clone checks into XDR, creating a new agent entry.

  3. Export the new id and id_noise values to a .reg file; this file is reused on every subsequent refresh.

Subsequent Refreshes and Restarts of the Clone

  1. When the clone starts up, delete the values id and id_noise from HKU\S-1-5-18\Software\Dell SecureWorks.

  2. Import the previously saved .reg file from above, which holds the values for the registered agent ID.

  3. Enable and start the Red Cloak Endpoint Agent’s service.

Note

The agent starts and uses the same ID that is known to XDR and the agent record will persist.

Automating the Agent Identification Process

Below is a sample script that can be leveraged to help automate the agent identification steps above.

Note

To help with persisting the agent identification, it may be valuable to also leverage the clone’s sAMAccountName assigned by Active Directory. Each clone is persistently identified like a user in AD using a unique sAMAccountName per domain. WMI can provide this value and it can potentially be used with this script to automate the agent identification process.

' VBScript: comments use the apostrophe (the original used #, which is a syntax error in VBScript)

' Create the objects and variables needed
Set objShell = CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")

' Check for an existing host ID
If objFSO.FileExists("h:\programdata\RCHostID.reg") Then
    ' Host ID found: restore the saved ID and enable the service
    strCmd = "regedit /s h:\programdata\RCHostID.reg ""HKEY_USERS\S-1-5-18\Software\Dell SecureWorks"""
    objShell.Run strCmd
    strCmd = "sc config ""redcloak"" start= auto"
    objShell.Run strCmd
    ' Delay and then start the service
    WScript.Sleep 5000
    strCmd = "sc start ""redcloak"""
    objShell.Run strCmd
Else
    ' No host ID: enable the service, let the agent generate a new ID, then export it
    strCmd = "sc config ""redcloak"" start= auto"
    objShell.Run strCmd
    ' Delay and then start the service
    WScript.Sleep 5000
    strCmd = "sc start ""redcloak"""
    objShell.Run strCmd
    ' Wait for the service to start and create the ID, then export the key to the .reg file
    WScript.Sleep 10000
    strCmd = "regedit /s /e h:\programdata\RCHostID.reg ""HKEY_USERS\S-1-5-18\Software\Dell SecureWorks"""
    objShell.Run strCmd
End If

' Clear objects
Set objShell = Nothing
Set objFSO = Nothing
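The same first-start and refresh procedure described above, written as a PowerShell startup script. This is an added example, not Secureworks code and not part of the original page. It takes the service name (redcloak) and the registry key (HKU\S-1-5-18\Software\Dell SecureWorks) from the steps above; the store directory C:\ProgramData\RCHostID, the per-clone file naming, and the two-minute wait are this example's own assumptions. It also picks up the Note about sAMAccountName: the saved .reg file is named after the clone's computer name, which is the computer account's sAMAccountName without the trailing "$", so each clone keeps its own agent ID file on a persistent volume instead of one shared RCHostID.reg.

```powershell
# Added example (not Secureworks code): persist the Red Cloak agent ID across VDI clone refreshes.
# Run at clone startup as SYSTEM, after the gold image was built with the service pre-installed but disabled.
$ServiceName = 'redcloak'                                                   # from the page
$KeyPath     = 'Registry::HKEY_USERS\S-1-5-18\Software\Dell SecureWorks'   # from the page
$ExportKey   = 'HKEY_USERS\S-1-5-18\Software\Dell SecureWorks'
$Store       = 'C:\ProgramData\RCHostID'   # ASSUMED: directory on a volume that survives a refresh

# ASSUMED naming: one .reg file per clone, keyed by the computer name (sAMAccountName minus "$")
$CloneName = (Get-CimInstance -ClassName Win32_ComputerSystem).Name
$RegFile   = Join-Path -Path $Store -ChildPath "$CloneName.reg"

New-Item -ItemType Directory -Path $Store -Force | Out-Null

# Step 1 of both procedures: drop any id / id_noise inherited from the gold image or a previous session
foreach ($name in 'id', 'id_noise') {
    Remove-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue
}

if (Test-Path -Path $RegFile) {
    # Subsequent refresh or restart: import the ID that XDR already knows, then start the service
    & regedit.exe /s $RegFile
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName
}
else {
    # First startup: let the agent generate a fresh ID, then export it for future refreshes
    Set-Service -Name $ServiceName -StartupType Automatic
    Start-Service -Name $ServiceName

    # Poll instead of a fixed sleep: the agent writes id and id_noise once it has checked in
    $deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 5
        $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    } until (($props.id -and $props.id_noise) -or ((Get-Date) -gt $deadline))

    if (-not ($props.id -and $props.id_noise)) {
        throw "Red Cloak agent did not create id/id_noise within 2 minutes; not exporting an incomplete ID"
    }
    & regedit.exe /e $RegFile $ExportKey
}
```

The export is only written once both values exist, so a slow first start cannot leave a .reg file with a partial ID that would then be re-imported on every refresh; if the timeout trips, the clone starts with whatever ID the agent generated and the next boot retries the export. Deleting id and id_noise before the import matches the page's procedure and keeps a value accidentally baked into the gold image from overriding the restored one.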
