
ArcSight ESM 3.5 - Repeated FTP Attempts to Untrusted Servers

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 3 min read

Summary:

This document describes a scenario in which one internal host makes repeated failed FTP attempts to multiple untrusted servers. That pattern can indicate malicious activity, such as an insider exfiltrating data or a Trojan program trying to blend in with legitimate file transfer traffic. To address the risk, organizations should restrict FTP access through firewall rules, allowing outbound file transfer only where policy permits it. ArcSight can then monitor for policy violations and alert when the pattern of denies suggests malicious behavior. The demonstration uses replay agents and event files from a NetScreen Firewall Deny Events setup.

Details:

This is an insider threat scenario: ArcSight raises a high priority alert when one internal host makes repeated failed FTP connections to several untrusted (external) servers. The concern is sensitive information being transmitted outside the network without the administrators' knowledge, and Trojan programs attempting to mimic legitimate traffic. Site policy addresses this by restricting FTP through firewall rules, allowing outbound file transfer only where policy permits it; ArcSight then alerts on the firewall denies that such policy violations produce. The demonstration setup uses replay agents fed with NetScreen Firewall Deny event files.

Use case components:

1. **Investigation**: Investigate external FTP access that results in firewall denies. The investigation should cover not only the denies themselves but also any misconfigured firewall that could be at fault.
2. **Reports and Dashboards**: No pre-defined reports or dashboards are used in this scenario.
3. **Data Monitors and Active Lists**: Not applicable to this scenario, since no predefined configurations exist for them here.
4. **Issues and Rule Refinement**: The rule should be refined to alert on any external FTP access rather than only on firewall denies, so that a misconfigured firewall that lets FTP through is also detected. In addition, the current rule specifies the wrong category/behavior; it should be adjusted to match access events directly.
5. **Rule Configuration**: The rule "Insider Threat – Repeated FTP Attempts To Untrusted Servers" fires on repeated attempts to reach FTP servers outside the ArcNet domain, which site policy does not allow. It is based on firewall access denies and on the configuration settings that restrict such external access.
6. **Data Monitor Configuration** and **Asset Groups Configuration**: Not applicable to this scenario, for the same reason as in item 3.
7. **Demonstration Steps**: Run the predefined demo events to show how ArcSight gathers event information from various sources, reacts to a specific pattern (repeated FTP attempts to untrusted servers that lead to firewall denies), and alerts when company policy is violated.

The setup therefore relies on real-time monitoring with a custom rule tailored to the organization's policy on external FTP access.

Working through the events in the ArcSight Console shows how filtering and drill-down reduce the volume to what actually needs attention. In the demo, applying the Correlation Event filter and selecting "High Priority Events" from the dropdown reduced over 2,000 events to the 58 High Priority events requiring a look. To see why a rule fired, right-click the event that triggered it and select 'Correlation Options (Detailed Chain)'; this lists every event behind the firing, here the series of NetScreen Deny events that led to "Insider Threat – Repeated FTP Attempts To Untrusted Servers".

ArcSight also supports automated case management: a rule can create a case, or add to an existing one, when it triggers, bundling all related event information. In this example the case appears under the 'Cases' section of the Navigator Panel as "ArcNet Cases/Insider Threat/Repeat FTP Attempts From 10.0.111.24 (date)". Together, filtering, detailed-chain investigation and automatic case creation are what make the large event volume manageable for the analyst.
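The correlation logic described above, written out as an added Python example; this is not ArcSight's rule engine and not code from the original post. It assumes the ArcNet domain is 10.0.0.0/8, treats three distinct untrusted destinations from one source within five minutes as the firing threshold, and uses constructed log lines that approximate the NetScreen key=value traffic-log layout. Both variants from the rule refinement note are modelled: the original deny-only rule, and the refined rule that counts any external FTP access so that a firewall which wrongly permits FTP still produces an alert.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: the "ArcNet" domain is this internal range; any other destination is untrusted.
ARCNET = [ip_network("10.0.0.0/8")]

# Constructed sample data (not captured from a real device). The layout approximates a
# NetScreen key=value traffic log; only the fields the rule needs are guaranteed to be present.
TEMPLATE = (
    'NetScreen device_id=ns5gt [Root]system-notification-00257(traffic): '
    'start_time="{ts}" duration=0 policy_id=320001 service={svc} proto=6 '
    'src zone=Trust dst zone={dzone} action={action} sent=0 rcvd=0 '
    'src={src} dst={dst} src_port=40001 dst_port={dport}'
)
RAW = [
    # ts, service, dst zone, action, src, dst, dst_port
    ("2025-04-08 10:00:01", "ftp",  "Untrust", "Deny",   "10.0.111.24", "203.0.113.5",  21),
    ("2025-04-08 10:00:15", "ftp",  "Untrust", "Deny",   "10.0.111.24", "198.51.100.7", 21),
    ("2025-04-08 10:00:22", "http", "Untrust", "Deny",   "10.0.111.24", "203.0.113.77", 80),  # not FTP: ignored
    ("2025-04-08 10:00:30", "ftp",  "Trust",   "Accept", "10.0.111.24", "10.0.5.10",    21),  # internal server: allowed
    ("2025-04-08 10:00:40", "ftp",  "Untrust", "Deny",   "10.0.111.24", "203.0.113.9",  21),  # third untrusted server: fires
    ("2025-04-08 10:01:00", "ftp",  "Untrust", "Deny",   "10.0.111.30", "203.0.113.5",  21),
    ("2025-04-08 10:01:05", "ftp",  "Untrust", "Deny",   "10.0.111.30", "203.0.113.5",  21),  # same server again: below threshold
    ("2025-04-08 10:02:00", "ftp",  "Untrust", "Deny",   "10.0.111.31", "203.0.113.5",  21),
    ("2025-04-08 10:02:10", "ftp",  "Untrust", "Accept", "10.0.111.31", "198.51.100.7", 21),  # let through: misconfigured policy
    ("2025-04-08 10:02:20", "ftp",  "Untrust", "Accept", "10.0.111.31", "203.0.113.22", 21),
]
SAMPLE_LINES = [TEMPLATE.format(ts=t, svc=s, dzone=z, action=a, src=sr, dst=d, dport=p)
                for t, s, z, a, sr, d, p in RAW]

LINE_RE = re.compile(
    r'start_time="(?P<ts>[^"]+)" .*?service=(?P<service>\S+) .*?'
    r'src zone=(?P<src_zone>\S+) dst zone=(?P<dst_zone>\S+) action=(?P<action>\S+) '
    r'.*?src=(?P<src>\S+) dst=(?P<dst>\S+) src_port=\d+ dst_port=(?P<dst_port>\d+)'
)


def parse_line(line):
    """Normalise one firewall log line into the fields a correlation rule works on."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dst_port"] = int(ev["dst_port"])
    return ev


def is_untrusted(ip):
    """A destination outside every ArcNet range counts as an untrusted server."""
    addr = ip_address(ip)
    return not any(addr in net for net in ARCNET)


def run_rule(events, denies_only=True, threshold=3, window=timedelta(minutes=5)):
    """Correlate FTP attempts per source host and emit one alert per threshold crossing.

    denies_only=True models the original rule (firewall denies only); False models the
    refined rule that also counts accepted external FTP sessions.
    """
    alerts = []
    recent = defaultdict(list)  # src -> matching events inside the sliding window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["service"] != "ftp" and ev["dst_port"] != 21:
            continue
        if not is_untrusted(ev["dst"]):
            continue
        if denies_only and ev["action"] != "Deny":
            continue
        bucket = recent[ev["src"]]
        bucket.append(ev)
        while bucket and ev["ts"] - bucket[0]["ts"] > window:
            bucket.pop(0)  # age out events older than the window
        dsts = sorted({e["dst"] for e in bucket})
        if len(dsts) >= threshold:
            alerts.append({
                # Title follows the page's "Repeat FTP Attempts From <src> (date)" case name.
                "name": f"Repeat FTP Attempts From {ev['src']} ({ev['ts']:%Y-%m-%d})",
                "src": ev["src"],
                "dsts": dsts,
                "actions": sorted({e["action"] for e in bucket}),
                "count": len(bucket),
            })
            bucket.clear()  # start a fresh aggregation, as the rule would after firing
    return alerts


if __name__ == "__main__":
    evs = [parse_line(line) for line in SAMPLE_LINES]
    for mode in (True, False):
        print("denies only:" if mode else "any external FTP access:")
        for a in run_rule(evs, denies_only=mode):
            print("  ", a["name"], a["dsts"], a["actions"])
```

Running the module prints the alerts for both modes. The host 10.0.111.31 only appears under the refined rule, because two of its three attempts were accepted by the firewall; that is exactly the misconfiguration the refinement in item 4 is meant to surface, and it is invisible to a rule keyed on denies alone.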

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
