Advanced Correlation Scenarios
- Pavan Raja

- Apr 8, 2025
- 3 min read
Summary:
This document outlines an Advanced Correlation Scenarios training session presented by HP ESP Education's Javier Inclan and Gary Whitsett. The session covers Skills on Demand, a program offering various modules designed for Security analysts and ESM administrators to enhance their skills in threat intelligence use cases, building complex correlations, managing system health, and more.
The session focused on developing content for detecting malicious code through an analysis of malware's command and control (C&C) server communications. A "CandC Servers" active list is created using blocklists from sources like Zeus Tracker to identify IPs associated with known C&C servers used by common malware types. This helps in creating a rule to detect internal hosts communicating with these IPs, potentially triggering alerts or blocking traffic based on the detected patterns.
Additionally, the document discusses assessing damage caused by malware by visualizing bot communications through an "Event Graph Data Monitor" and analyzing network asset impacts. The session also hints at related sessions at a conference for further action rules and response strategies against malware threats.
The document concludes with feedback invitation via a survey after the event and copyright notices from Hewlett-Packard Development Company, L.P., acknowledging that information may be subject to change without notice.
Details:
"Advanced correlation scenarios" is a training session presented by Javier Inclan, Global Delivery Manager at HP ESP Education, and Gary Whitsett, Technical Trainer. The agenda covers what Skills on Demand is, a hands-on activity demonstration, and questions and answers.
Skills on Demand is an educational program that builds on formal training, allowing learners to achieve a higher level of competence by "learning by doing." It offers various modules including Analyst, Hosted lab (Incident Handling on Active Attacks and Advanced Correlations Scenarios), Administrator (System health monitoring and troubleshooting), eMentor (Security and Authentication, Network Model Management) for both Security analyst and ESM administrator tracks.
The available Skills on Demand modules include: Incident handling on active attacks, Building advanced correlation scenarios, Creating advanced data monitors, Advanced connector configuration and management, and Advanced database troubleshooting. These are designed to help learners develop skills in threat intelligence use cases, building complex correlations between events, creating content based on network models, and managing system health.
As part of the training session, a sample activity from SOCs was presented: developing content for addressing a Threat Intelligence and Damage Assessment use case for branches located in New York City.
This document outlines a threat intelligence use case for detecting malicious code, specifically focusing on malware directed by a command and control (C&C) server. The main points discussed include the increasing difficulty in detecting malicious code due to anti-virus products lacking adequate signatures and malware being controlled by C&C servers.
The use case involves creating a "CandC Servers" active list, which includes IP addresses of known C&C servers used by common types of malware. This list is populated from blocklists obtained from sources like Zeus Tracker. The next step is to create an internal active list tracking internal hosts that communicate with IPs in the CandC Servers active list, capturing details such as internal host IP address, name, and zone.
A rule named "Malware Communication Detected" is used to identify internal hosts communicating with IPs in the CandC Servers active list. The rule's conditions aggregate the detected malware communication events; its actions might include blocking traffic or triggering alerts when those conditions are met.
This document outlines a use case for assessing the damage caused by malware infections, focusing on identifying network assets accessed during the infection process. To facilitate this assessment, an "Event Graph Data Monitor" filter is created to visualize bot communications and narrow down further investigation. The event graph data monitor helps in creating a "Bot Communications Event Graph," which can be used for more detailed analysis of the malware's impact on network assets.
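The threat intelligence and damage assessment steps above, as an added example that is not part of the session's own ArcSight content: a "CandC Servers" list is loaded from a blocklist, a rule flags internal hosts talking to listed IPs and records their IP, name and zone in an internal list, and the flagged hosts' other connections are collected into a simple bot communications graph. The blocklist entries, zone, hostnames and events are constructed sample data.

```python
"""Stand-in for the ArcSight active lists and rule described above.
Added example; all IPs, hostnames and events are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed blocklist feed (the session cites Zeus Tracker as a source).
BLOCKLIST_FEED = """# constructed sample, not a real feed
203.0.113.10
198.51.100.7
"""
# Constructed network model: one branch zone (assumed name and range).
INTERNAL_ZONES = {"NYC-Branch": ip_network("10.20.0.0/16")}

# Constructed firewall-style events: source IP, source hostname, destination.
SAMPLE_EVENTS = [
    {"src": "10.20.1.15", "host": "nyc-ws015", "dst": "203.0.113.10"},  # C&C
    {"src": "10.20.1.15", "host": "nyc-ws015", "dst": "10.20.5.40"},   # file server
    {"src": "10.20.1.22", "host": "nyc-ws022", "dst": "192.0.2.5"},    # benign
    {"src": "10.20.1.15", "host": "nyc-ws015", "dst": "10.20.5.41"},   # db server
]

def load_candc_active_list(feed_text):
    """Populate the 'CandC Servers' active list from a blocklist feed."""
    return {line.strip() for line in feed_text.splitlines()
            if line.strip() and not line.startswith("#")}

def zone_of(ip):
    """Return the zone name for an internal IP, or None if it is external."""
    for name, net in INTERNAL_ZONES.items():
        if ip_address(ip) in net:
            return name
    return None

def correlate(events, candc):
    """'Malware Communication Detected': internal host -> listed C&C IP.
    Returns (internal active list keyed by host IP, bot communications graph)."""
    infected = {}             # host IP -> {ip, name, zone}
    graph = defaultdict(set)  # infected host IP -> internal assets it reached
    for ev in events:
        zone = zone_of(ev["src"])
        if zone and ev["dst"] in candc:
            infected[ev["src"]] = {"ip": ev["src"], "name": ev["host"], "zone": zone}
    # Damage assessment: every other destination an infected host contacted.
    for ev in events:
        if ev["src"] in infected and ev["dst"] not in candc:
            graph[ev["src"]].add(ev["dst"])
    return infected, dict(graph)

if __name__ == "__main__":
    hosts, edges = correlate(SAMPLE_EVENTS, load_candc_active_list(BLOCKLIST_FEED))
    print("internal active list:", hosts)
    print("bot communications graph:", edges)
```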
The document provides information about attending related sessions at an unspecified conference, where attendees can gain further insights into taking action based on the kill-chain rules and ensuring an effective response to malware threats. The session title mentioned is "Pulling the triggers: when to take action"; beyond that, the slides only direct readers to contact a sales representative or visit the HP security university website for more information.
The document concludes by emphasizing that feedback is valuable, encouraging attendees to complete a session survey after the event. It also includes copyright notices from Hewlett-Packard Development Company, L.P., indicating that the information contained herein may be subject to change without notice and providing contact details for further inquiries or updates.
