
ArcSight Discovery Scenario-CodeRed 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 5 min read

Summary:

ArcSight Discovery helps organizations assess their ArcSight configuration by distinguishing normal from suspicious network activity through pattern discovery. Using the "3.1 Pattern Discovery - No Rules" profile, it automatically detects patterns that are unique to an organization's network environment, reducing false positives and improving monitoring efficiency. The profile includes 17 patterns, such as Code Red, which support proactive data mining to detect unknown threats.

Key features of ArcSight Discovery include:

  • **Profile Configuration**: Users can set up profiles that look for patterns of at least two events observed at least twice within specified dates, adjusted for the user's time zone.
  • **Snapshot Functionality**: Snapshots can be taken for pattern management, and a scheduling feature supports regular monitoring.
  • **Pattern Discovery**: AI and data-mining techniques identify behavioral patterns in event data, displayed in a hierarchical tree structure across nodes.
  • **Demo Data Usage**: The walkthrough uses default demo data for evaluation before the approach is applied to real scenarios.

To create and inspect hierarchical layouts of Code Red patterns:

  1. Select the Hierarchical Layout icon to view the initial tree structure.
  2. Locate the Code Red patterns under the PATTERN window, alongside their visual representation in the tree.
  3. To inspect events, right-click a pattern group and select "INSPECT PATTERN." To visualize the offending IPs, select "Show Event Graph."
  4. Expand clusters to see attackers (red boxes) and targets (white boxes).
  5. Use the rule automation tool to detect similar attempts in the future.
  6. View CLOSED patterns selectively using the filter option on the PATTERN tab under NAVIGATION.

This summary highlights ArcSight Discovery's effectiveness in automated pattern detection for cybersecurity, providing a structured approach to incident response and forensic analysis through its user-friendly interface and advanced data processing capabilities.

Details:

ArcSight Discovery helps organizations validate and assess the effectiveness of their ArcSight configuration by discovering patterns of activity on their network. It lets users determine which activities are normal or benign and which need monitoring for suspicious behavior. Using the "3.1 Pattern Discovery - No Rules" profile, which includes 17 patterns such as Code Red, users can proactively mine events to identify patterns unique to their specific network environment. This helps avoid false positives and increases the effectiveness of monitoring for unknown, suspicious activity.

The walkthrough uses an "ArcNet Profiles" configuration in ArcSight to discover patterns from event data. The key points of that configuration:

  1. **Profile Configuration**: The profile looks for patterns with at least two events, and each pattern must be observed at least twice. It evaluates events occurring within the specified date/times, adjusted for the user's time zone.
  2. **Data Retention**: Results from this profile can be retained for the duration set in "snapshot retention time". The data includes the event order (record time order) and patterns split on pauses between events ("Split on Inactivity").
  3. **Snapshot Functionality**: Snapshots can be taken immediately or scheduled to run regularly; scheduled snapshots enable proactive pattern management. While a snapshot is generated, the system mines the specified events (excluding ArcSight's own events).
  4. **Pattern Discovery**: Using artificial intelligence and data-mining techniques, ArcSight's Pattern Discovery automatically identifies behavioral patterns in large sets of security event data and visualizes them as a pattern tree across multiple nodes.
  5. **Demo Data Usage**: The process is demonstrated with default demo data and specified dates for evaluation, so users can become familiar with the tool and its functions before applying it to real-world scenarios.

This configuration automates the discovery of significant patterns from event data, which is crucial for cybersecurity analysis and proactive threat management.

To create and inspect a hierarchical layout of Code Red patterns in ArcSight, follow these steps:

  1. **Select Hierarchical Layout Icon**: Select the Hierarchical Layout icon to view the initial tree structure.
  2. **Locate Code Red Patterns**: Identify the first tree branch on the left that contains Code Red patterns. If it is not visible, navigate through the hierarchy by selecting the second node from the top. You should see a view similar to the one described below.
  3. **Pattern Window**: The Code Red patterns are located under the PATTERN window, alongside the tree visuals.
  4. **Inspect Events**: ArcSight discovered a pattern with multiple Snort events related to Code Red. To inspect these events, right-click either group under the PATTERN window and select "INSPECT PATTERN." This opens the PATTERN INSPECTOR for that pattern.
  5. **View Offending IPs**: The right panel shows the offending ATTACKER IPs and TARGETS. To visualize them, right-click the same group and select "Show Event Graph."
  6. **Expand Clusters**: Right-click each cluster icon and select "Uncluster Selected Nodes." Repeat for all clusters to build the desired view.
  7. **Visual Representation**: Red boxes represent attackers and white boxes represent targets, so the two are easy to tell apart.
  8. **Investigation**: From these events you can determine that multiple attackers are attempting to exploit servers using crafted HTTP packets carrying a known Code Red signature.
  9. **Incident Response Analysis**: From this snapshot you can investigate any node by right-clicking it and selecting "INSPECT." This shows individual event channels based on filter conditions such as ATTACKER ADDRESS.
  10. **Event Review**: In this example, Snort detects crafted HTTP packets with a Code Red signature, reported as WEB-IIS ISAPI .ida access.
  11. **Related Events**: To see the events related to a specific node in your investigation, choose "RELATED EVENTS" from the menu. You may notice fewer events than before.
  12. **Rule Automation**: To be alerted when similar attempts happen again, use the rule automation tool. It creates a correlation rule from the details of the discovered pattern and opens it in the rules editor.
  13. **Annotate and Close**: After creating the rule, annotate the pattern and mark its stage as CLOSED.
  14. **Filter Closed Patterns**: To view only newly discovered patterns or those classified as CLOSED, select the PATTERN tab under the NAVIGATION tab, find the folder with the group of patterns you want to analyze, right-click it, and choose "VIEW PATTERNS WITH FILTER." Then create a filter to show only CLOSED patterns.

By following these steps, you can create and inspect hierarchical layouts of Code Red patterns in ArcSight for efficient incident response and forensic analysis.
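As an added illustration (not code from this post or from ArcSight), the following Python mimics the profile settings described above (patterns of at least two events, each observed at least twice, events in record time order, "Split on Inactivity") and the attacker-to-target event graph from the walkthrough. The Snort-style events, IP addresses and the 60-second inactivity gap are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed Snort-style alerts (time, attacker, target, event name) for the
# example; not page data. The .ida names mirror the Code Red signatures.
EVENTS = [
    ("2025-04-08 10:00:01", "10.1.1.5", "192.168.0.10", "WEB-IIS ISAPI .ida attempt"),
    ("2025-04-08 10:00:03", "10.1.1.5", "192.168.0.10", "WEB-IIS ISAPI .ida access"),
    ("2025-04-08 10:05:00", "10.1.1.7", "192.168.0.11", "WEB-IIS ISAPI .ida attempt"),
    ("2025-04-08 10:05:02", "10.1.1.7", "192.168.0.11", "WEB-IIS ISAPI .ida access"),
    ("2025-04-08 10:20:00", "10.1.1.5", "192.168.0.12", "WEB-IIS ISAPI .ida attempt"),
    ("2025-04-08 10:20:01", "10.1.1.5", "192.168.0.12", "WEB-IIS ISAPI .ida access"),
    ("2025-04-08 10:30:00", "10.1.1.9", "192.168.0.10", "ICMP PING"),  # lone event
]
_ts = lambda ev: datetime.strptime(ev[0], "%Y-%m-%d %H:%M:%S")  # record time

def split_on_inactivity(events, gap_seconds=60):
    """Per attacker, order events by record time and cut a new session at any pause > gap."""
    streams = defaultdict(list)
    for ev in sorted(events, key=_ts):
        streams[ev[1]].append(ev)
    sessions = []
    for evs in streams.values():
        session = [evs[0]]
        for prev, cur in zip(evs, evs[1:]):
            if (_ts(cur) - _ts(prev)).total_seconds() > gap_seconds:
                sessions.append(session)
                session = []
            session.append(cur)
        sessions.append(session)
    return sessions

def discover_patterns(sessions, min_events=2, min_occurrences=2):
    """Keep runs of >= min_events consecutive event names seen in >= min_occurrences sessions."""
    seen = Counter()
    for s in sessions:
        names = [e[3] for e in s]
        runs = {tuple(names[i:j]) for i in range(len(names))
                for j in range(i + min_events, len(names) + 1)}
        seen.update(runs)  # a run counts once per session, however often it repeats
    return {p: n for p, n in seen.items() if n >= min_occurrences}

def pattern_graph(sessions, pattern):
    """Attacker -> target edges of the sessions containing pattern (the event graph)."""
    k, edges = len(pattern), set()
    for s in sessions:
        names = [e[3] for e in s]
        if any(tuple(names[i:i + k]) == pattern for i in range(len(names) - k + 1)):
            edges.update((e[1], e[2]) for e in s)
    return sorted(edges)
```

Running `discover_patterns(split_on_inactivity(EVENTS))` yields the two-event .ida pattern seen in three sessions, and `pattern_graph` lists the three attacker/target pairs the walkthrough's red and white boxes would show.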

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and they will be responded to.

