APT Detection Use Cases
- Pavan Raja
- Apr 8, 2025
- 5 min read
Summary:
The document outlines a method using ArcSight Enterprise Security Manager (ESM) for detecting Advanced Persistent Threats (APTs). It introduces two scenarios based on the Kill Chain Methodology, focusing on internal infection detection through malicious code download, C&C server connections, and data exfiltration. Key points include setting up rules to monitor suspicious activities such as multiple malware downloads, C&C communication, large file transfers, and scanning attempts, which are tracked using active lists with increasing scores based on the severity of threats detected. If combined scores exceed a certain threshold, it triggers an alert indicating potential APTs, prompting further investigation and response actions.
Details:
The article discusses using ArcSight Enterprise Security Manager (ESM) for detecting Advanced Persistent Threats (APTs). It introduces two scenarios based on the Kill Chain Methodology, which outlines the stages an attacker goes through to carry out an attack. These stages include finding a weakness in the target environment, infiltrating it, embedding, propagating, executing commands, hosting software or stealing IP, and finally defacing or adding to a botnet.
**Scenario 1: Internal Infection (Using Score System)**
This scenario focuses on detecting malicious code infection within an internal network. The process begins when malware is first detected by an IPS/Proxy/Reputation alert, which triggers a rule that adds the IP address to a "Malware_Download_IP" Active List with a base score of 20. If more than three malicious code downloads are seen from this IP address within a short period (10 minutes), the IP is added to a second Active List called "Suspicious Activity", also with a base score of 20.
Next, the rule looks for communication with Command and Control (C&C) servers on specified ports using IP addresses listed in the "Suspicious Activity" list. This action adds the IP address to the "C&C Connection" Active List and increases its score by another 20 points. If there is further communication from C&C servers back to this IP, it is added to the "Reverse Connection" Active List, with a corresponding increase in the score of the "Suspicious Activity" list.
Lastly, if an IP address sends out more than 100MB of data outside the organization, it is added to the "100M_Transfer" Active List, and if it is already present in the "Suspicious Activity" list its score there is increased by another 20 points. This scoring system tracks suspicious activities within an internal network that, taken together, may indicate an APT attack.
The remaining sections describe the individual detection rules and the scoring that ties them together:
**6. Revealing Information (Exfiltration)**
A rule and a trend monitor IP addresses sending more than 500MB of data out of the organization, adding them to the "500M_Transfer" Active List and giving a score of +20 if the IP is present in the "Suspicious Activity" Active List.
**7. Suspicious Activity Score**
The cumulative scores are tracked in the "Suspicious Score List" Active List. If any IP's combined score exceeds 80 after 30 minutes, the system identifies it as an Advanced Persistent Threat (APT) and initiates a workflow with a high confidence alert.
**Malware DL Detection - PC Download Active List**
The trend checks for more than 3 malware downloads from a single IP address, adding it to the "Suspicious Activity" Active List and assigning a score of +20.
**C&C Connection Detection**
Detects connections (SRC: 150.0.0.0/8, DPORT: 80|443|25) lasting over 1800 seconds, adding the source to the "C & C Connection List" and scoring +20 if the IP is already in the "Suspicious Activity" list.
**Reverse Connection Detection**
Detects reverse connections (SRC: 150.0.0.0/8, SPORT < 1024) lasting over 1800 seconds, adding the source to the "Reverse Connection List" and scoring +20 if the IP is already in the "Suspicious Activity" list.
**Scanning**
Monitors scanning activity from specific sources; a source that performs more than 5 scans within the network is categorized as "Scanning" and scored +20 if it is already in the "Suspicious Activity" list.
**Scenario 2: Server Hacking**
This scenario covers an attempted server compromise, with stages for scanning, infiltration, and data exfiltration. An SKT web zone IP address is targeted from external IPs through port scanning, vulnerability scanning, brute force attacks on IDs/passwords, reverse connections, internal server access, and finally data transfer for exfiltration.
Large file transfers (BytesOut > 100M, or more than 500M) are written to the Suspicious_Activity_List as SourceIP|ActType|Score entries accumulated over time. The Suspicious_Score_List then groups these entries by SrcIP and sums the scores; if the summed score exceeds 80, the source is treated as an APT indicating a server hacking attempt.
The earlier stages are detected with their own active lists, such as the Port_Scan_List in the first layer, which records the scanning activity targeting the web zone. The scenario stresses real-time monitoring and response mechanisms against such server hacking attempts.
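To make the score model in Scenario 1 and the Suspicious_Activity_List / Suspicious_Score_List logic above concrete, here is an added Python simulation (not ArcSight content or the author's code). It assumes the active list is keyed on SourceIP|ActType so a repeated firing of the same rule for the same IP does not add a second +20, and it evaluates scores over a 30-minute window; the events are constructed samples.

```python
from collections import defaultdict

SCORE_PER_ACTIVITY = 20          # every rule on the page adds +20
APT_THRESHOLD = 80               # combined score above 80 => APT alert
WINDOW_SECONDS = 30 * 60         # scores are evaluated over a 30-minute window

# Constructed sample of what the ArcSight rules would write into
# Suspicious_Activity_List as SourceIP|ActType|Score (not real events).
SAMPLE_ENTRIES = [
    # (timestamp_seconds, source_ip, activity_type)
    (0,    "10.1.1.5", "Malware_Download"),    # >3 downloads within 10 minutes
    (300,  "10.1.1.5", "C&C_Connection"),      # session to 80/443/25 > 1800 s
    (900,  "10.1.1.5", "Reverse_Connection"),  # inbound from SPORT < 1024
    (1500, "10.1.1.5", "100M_Transfer"),       # BytesOut > 100M
    (1200, "10.1.1.5", "Scanning"),            # >5 scans inside the network
    (100,  "10.1.1.9", "Malware_Download"),
    (400,  "10.1.1.9", "Malware_Download"),    # same key as above: counted once
    (600,  "10.1.1.9", "Scanning"),
]

def suspicious_activity_list(entries, now, window=WINDOW_SECONDS):
    """Model the keyed active list: one entry per SourceIP|ActType inside the window.
    Assumption (not stated on the page): a list keyed on SourceIP|ActType keeps
    a single entry per key, so a rule re-firing does not double-count."""
    keyed = {}
    for ts, src_ip, act_type in entries:
        if now - window <= ts <= now:
            keyed[(src_ip, act_type)] = SCORE_PER_ACTIVITY
    return keyed

def suspicious_score_list(entries, now):
    """Suspicious_Score_List: group by SrcIP and sum the per-activity scores."""
    totals = defaultdict(int)
    for (src_ip, _act_type), score in suspicious_activity_list(entries, now).items():
        totals[src_ip] += score
    return dict(totals)

def apt_candidates(entries, now, threshold=APT_THRESHOLD):
    """Source IPs whose summed score exceeds the threshold: these start the APT workflow."""
    return sorted(ip for ip, s in suspicious_score_list(entries, now).items() if s > threshold)

if __name__ == "__main__":
    now = 1800   # evaluate 30 minutes into the constructed timeline
    for ip, score in sorted(suspicious_score_list(SAMPLE_ENTRIES, now).items()):
        print(f"{ip}: {score}")
    print("APT alert for:", apt_candidates(SAMPLE_ENTRIES, now))
```

Moving `now` forward past the window shows entries aging out, which is why the page ties the >80 decision to a 30-minute period rather than to an ever-growing total.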
The following numbered entries come from the Hewlett-Packard (HP) ArcSight slides for this scenario; each describes a threat or activity that the rules monitor for:
15. Infiltration: This refers to the unauthorized access or infiltration of a system or network, which might involve detecting and analyzing traffic patterns for potential intrusions.
16. Web Attack: The web server attempts to connect out to an external host at midnight, which may indicate suspicious activity or automated attacks.
17. Multiple Login Failure: Multiple failed login attempts on user accounts, which may indicate brute-force attacks or compromised credentials.
18. Internal Server Access: Indicates that a web server is attempting to access the database (DB) server, suggesting potential unauthorized data retrieval or manipulation.
19. Reveal Information: Here, it's about the DB server accessing the web server, which could be part of an information disclosure attempt during a security breach.
The entries refer to specific scans and to connections between server layers, such as Web Server to External and Web Server to DB Server, so they map to network traffic analysis and intrusion detection within an enterprise environment. The scenario emphasizes real-time monitoring and quick response to detect security breaches, using automated rules and workflows.
The slides carry a Hewlett-Packard (HP) copyright notice stating that the information is subject to change without notice.
