
ArcSight ESM Pattern Discovery v3.5_01012006 - CodeRed_1

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

ArcSight Pattern Discovery is a software tool that helps organizations assess and validate their security configurations by identifying potential threats through pattern analysis. It helps determine whether the default rules are effective at detecting cyber threats, and it helps security analysts distinguish normal (benign) network activity from malicious activity, reducing false positives. As organizations customize their ArcSight configurations over time, those changes should be validated periodically with Pattern Discovery so that the customizations remain effective in a constantly evolving threat landscape. The tool uses artificial intelligence and data mining techniques to analyze large sets of security event data from networks, automatically identifying patterns and differentiating normal from malicious activity. It fits into ArcSight's multi-vectored security approach: scanning for known vulnerabilities, restricting unauthorized access, analyzing traffic for known attack methods, and using anomaly detection software such as Pattern Discovery to detect unknown threats. Adopting this comprehensive defense strategy reduces the risk of cyber threats and protects digital assets more effectively. The benefits of Pattern Discovery are its ability to discover network activity patterns, differentiate normal from malicious activity, and plan future monitoring accordingly, minimizing false positives while improving overall security posture.

Details:

ArcSight Pattern Discovery is used by organizations to validate their security configurations and identify potential threats. It helps assess the effectiveness of the default rules ArcSight provides for detecting cyber threats, and it assists security analysts in identifying patterns of activity within the network and distinguishing normal (benign) traffic from malicious traffic, which prevents false positives. As organizations customize their ArcSight configurations over time, it becomes essential to validate those customizations periodically, and Pattern Discovery is the means to do so. The source document notes that John Bradshaw formatted and verified the tool's configuration for version 3.5 SP1 on March 17, 2006.

The document also highlights the importance of a multi-vectored security approach: scanning for known vulnerabilities, restricting unauthorized access, analyzing traffic for known attack methods, and using anomaly detection software such as ArcSight's Pattern Discovery module to look ahead at unknown threats. This comprehensive defense strategy is crucial to reducing vulnerabilities and containing potential threats in an ever-evolving cyber threat landscape. The benefits of Pattern Discovery include discovering network activity, differentiating normal from malicious patterns, and planning future monitoring accordingly, which minimizes false positives and enhances overall security posture.

The demonstration uses the Pattern Discovery module to analyze pre-loaded events that may include malicious activity such as Code Red variants, Frontpage, and MS Blaster attacks. The analysis runs without predefined rules or filters and relies solely on the patterns detected in the data set; no reports or dashboards are used. The aim is to show how ArcSight can proactively identify previously unknown suspicious activity by analyzing benign events more effectively.

The process starts with a Pattern Discovery profile whose rules and parameters define how event data is analyzed over a given time period. ArcSight uses artificial intelligence and data mining techniques to find patterns automatically in large sets of security event data. Once the profile is configured, it can take snapshots of the analyzed events at regular intervals or on demand; these snapshots let analysts keep assessing the observed patterns over time. To use the feature, go to the Pattern Discovery section of ArcSight's resource tree, expand the profiles, and double-click the profile in question (here, "3.1 Pattern Discovery - No Rules"). Use the default demo data with the specified dates, or adjust them for your local timezone. The profile lets you set options such as recording time order and splitting on inactivity, based on the occurrence of events within the specified dates and times. The data produced by the profile is retained for a defined snapshot retention time. ArcSight then generates the overall pattern tree, which, viewed hierarchically, consists of two or more nodes. The steps are:

1. Open the Snort events and observe the patterns in the Pattern window.
2. Close the Navigator and Inspect/Edit panels to free up screen space.
3. Resize the Patterns window to view the patterns in detail.
4. Refresh the display using the Hierarchical Layout for better visualization.
5. The pattern viewer isolates the associated patterns between the Snapshot and Pattern viewers.
6. Identify the Code Red patterns on the left branch of the tree, with the other distinct patterns on the right branch.
7. Inspect a specific pattern (e.g., Code Red 3) by right-clicking it and selecting "INSPECT PATTERN."
8. The INSPECT/EDIT panel shows details such as attacker IP addresses and target locations.
9. Visualize this information with the Event Graph, where red boxes represent attackers and white boxes represent targets.
10. From these events, determine that multiple attackers are attempting to exploit the servers.
11. Analyze further by right-clicking the pattern again and selecting "Event Graph."
12. Expand clusters by right-clicking the cluster icons and selecting "Uncluster Selected Nodes" to see the node relationships clearly.
13. Rearrange the nodes for a clearer view of the connections between attackers, targets, and related events.
14. Use this visual representation for further investigation or discussion of specific nodes within the snapshot.

Following these steps, you can analyze network traffic patterns and identify potential threats such as Code Red attacks by examining the event graphs and node relationships. The next part of the demo examines the specific events behind a known attack pattern, again Code Red:

1. **Selecting Nodes and Creating a Channel View**: From a snapshot, select one or more nodes and right-click to investigate; this displays an active channel view of the related events, which can be filtered by conditions such as the attacker's address.
2. **Filtering by Attacker Address**: Use the "Attacker Address" filter (e.g., 209.153.5…165) to view all events from a particular IP address related to the attack. In this case, Snort detects crafted HTTP packets matching the known Code Red signature.
3. **Investigating Specific Events**: Select the event labeled "WEB-IIS ISAPI.ida access" and right-click for reference information. This opens a local page with details about the detected signature from Snort's public database.
4. **Reviewing Related Events**: To focus on the events related to the selected node, hover over the nodes you chose and use the "Related Events" option. This shows fewer but more focused events than a full investigation.
5. **Creating a Correlation Rule**: To alert automatically on further attempts matching this pattern, right-click the Code Red 3 pattern in the Snort patterns window and choose "Create Rule." A rules editor appears in which the rule parameters can be configured.

This method allows efficient analysis of known attack patterns without internet access, since the reference pages are stored locally, and provides the tools to automate alerting on detected patterns. Once a rule has been created, the pattern itself can be annotated: assign it to a responsible user and set its stage to CLOSED, so that only newly discovered patterns are shown on subsequent discoveries. To do this: 1. Right-click the Code Red 3 pattern and select "Annotate Pattern." 2. In the Annotation window:

  • Set the Stage to Closed.

  • Assign it to a user responsible for SOC (hkf-soc).

  • Enter a comment, such as "Rule Created – Code Red Variant (3)".

  • Hit OK to complete the annotation process.

To view CLOSED patterns or newly discovered patterns:

1. Select the PATTERN tab under the NAVIGATION tab.
2. In the Navigator Panel, go to Pattern Discovery and select the 3.1 Pattern Discovery – No Rules folder.
3. Right-click and choose "View Patterns With Filter."
4. Under "Select A Stage," choose CLOSED.
5. Hit OK twice to view the closed patterns.

At this point the session can be opened up for questions or further discussion.
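The profile options described above (record time order, split on inactivity), the attacker/target view of a discovered pattern, and the correlation rule created from the Code Red 3 pattern, as an added Python example that is not ArcSight code and not part of the original demo. The event records, the 5-minute inactivity gap, the 10-minute rule window and the thresholds are constructed assumptions, and the sessioning and sequence counting are a deliberately simplified stand-in for Pattern Discovery's internal mining.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed Snort-style events (time, signature, attacker, target); made-up sample data.
EVENTS = [
    ("2006-03-17 09:00:00", "WEB-IIS ISAPI.ida access", "10.1.1.5", "192.0.2.10"),
    ("2006-03-17 09:00:02", "WEB-IIS cmd.exe access", "10.1.1.5", "192.0.2.10"),
    ("2006-03-17 09:00:05", "WEB-IIS ISAPI.ida access", "10.1.1.5", "192.0.2.11"),
    ("2006-03-17 09:00:07", "WEB-IIS cmd.exe access", "10.1.1.5", "192.0.2.11"),
    ("2006-03-17 09:20:00", "WEB-IIS ISAPI.ida access", "10.1.1.5", "192.0.2.10"),
    ("2006-03-17 09:00:01", "WEB-IIS ISAPI.ida access", "10.2.2.9", "192.0.2.10"),
    ("2006-03-17 09:00:03", "WEB-IIS cmd.exe access", "10.2.2.9", "192.0.2.10"),
    ("2006-03-17 09:01:00", "WEB-MISC robots.txt access", "10.3.3.3", "192.0.2.10"),
]

def sessions(events, gap=timedelta(minutes=5)):
    """Record time order per attacker/target pair; split on inactivity longer than gap."""
    grouped = defaultdict(list)
    for ts, sig, src, dst in sorted(events):
        grouped[(src, dst)].append((datetime.fromisoformat(ts), sig))
    out = []
    for (src, dst), evs in grouped.items():
        cur = []
        for i, (t, sig) in enumerate(evs):
            if i and t - evs[i - 1][0] > gap:  # inactivity gap: close the session
                out.append((src, dst, cur))
                cur = []
            cur.append(sig)
        out.append((src, dst, cur))
    return out

def discover_patterns(events, min_support=2):
    """Signature sequences seen in >= min_support sessions -> (attacker, target) pairs involved."""
    found = defaultdict(list)
    for src, dst, sigs in sessions(events):
        found[tuple(sigs)].append((src, dst))
    return {p: v for p, v in found.items() if len(v) >= min_support}

def ida_rule(events, min_targets=2, window=timedelta(minutes=10)):
    """Correlation rule built from the pattern: alert when one attacker's
    ISAPI.ida hits reach min_targets distinct targets within window."""
    hits = defaultdict(list)
    for ts, sig, src, dst in sorted(events):
        if sig == "WEB-IIS ISAPI.ida access":
            hits[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, lst in hits.items():
        # widest set of distinct targets in any window that starts at one of the hits
        best = max(({d for t, d in lst if t0 <= t <= t0 + window} for t0, _ in lst), key=len)
        if len(best) >= min_targets:
            alerts[src] = sorted(best)
    return alerts
```

With the sample data, the recurring sequence (ISAPI.ida access followed by cmd.exe access) surfaces with two attackers against two targets, which is the "multiple attackers exploiting servers" picture the Event Graph shows, and the rule fires only for the attacker that hit two hosts inside the window.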

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.


@2021 Copyrights reserved.