
ArcSight ESM v4.0_06052007: Zero Day and Zotob Worm Attack

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 12 min read

Summary:

This post summarizes how ArcSight ESM, a security information and event management (SIEM) platform, can detect, analyze, and respond to worm outbreaks and other zero-day threats. Detection rests on correlation rules that fire on specific event patterns, such as a network sweep combined with a spike in activity on one target port from the same attacker, and those rules can trigger automated actions such as quarantining or isolating the infected host. Acting on individual hosts rather than whole network segments keeps disruption to operations to a minimum while the incident is contained.

ArcSight's integrated Threat Response Management (TRM) system can apply remedial actions automatically in response to a worm attack, for example adding firewall rules or isolating infected systems. Content subscription updates supply rule packs and reports tailored to specific outbreaks, such as the Zotob worm, so analysts can recognize and address a known threat with little research time. Even without such updates, the zero-day rules still identify an outbreak from the generic characteristics of its traffic.

The post also walks through remediating a compromised system: executing connector commands for threat response (for example the "counteract.quarantine" command, run automatically or after approval), annotating events, and tracking the incident in the integrated case management system. Together, the rule-based correlation and the automation tools let a security team detect an outbreak early and handle it with minimal disruption to network operations.

Details:

The document outlines a scenario involving a zero-day worm attack, specifically the Zotob worm, targeting a network service owned by John Bradshaw. The worm exploits vulnerabilities in mission-critical services essential for organizational functioning. Firewalls are often bypassed by, or offer insufficient protection against, zero-day attacks, and IDS/IPS systems may not catch every attempt at penetration. Consequently, security analysts need tools to identify, diagnose, and isolate worm traffic effectively.

Worms like SQL Slammer, MS Blaster, and Witty Worm exploit vulnerabilities in network services: the resolution service of MS SQL or MSDE in the case of SQL Slammer, and the MSRPC DCOM routine in the case of MS Blaster. These exploits let the worms propagate and infect systems across a network. A worm's ability to self-propagate, gain access through unchecked buffers, execute code with administrative privileges, and spread rapidly makes it a significant threat in internet security.

When the usual tools are unavailable or fail to show how a worm is progressing, security teams fall back on manual methods: shutting down parts of the network to contain the worm and prevent further spread. These actions can cause more damage than the worm itself, leading to extended downtime while networks are cleaned up by hand.

ArcSight improves detection by collecting event information from many devices, including routers, firewalls, and security devices such as IDS/IPS and virus protection software. From this data it can detect the characteristics of a worm attack even when no traditional intrusion detection product raises a specific alert.
This real-time visibility allows quicker identification, isolation, and remediation of infected hosts, significantly reducing the potential damage from a zero-day attack.

To demonstrate these capabilities, the setup uses replay agents configured with event files: one containing a worm outbreak (Worm Outbreak_200epm.events) and another simulating a Zotob attack (Zotob_500epm.events). The events come from an Illegal User SSH buffer overflow attack on a Unix system and from traffic traversing the network as recorded in Cisco router access logs. The demonstration shows how these ordinary logs supply the information needed to track worm activity.

Point A: When intrusion detection (IDS) or intrusion prevention (IPS) sensors fail to detect an attack, analysts must rely on other network devices such as firewalls and routers, or on logs from operating systems and applications, to gather clues about the nature of the attack.

Point B: If a worm spreads within the internal network and there are no firewalls between subnets, there may be no network sensor in a position to observe its traffic. In that case the only source of information is the event log of the operating system or of the targeted application on the infected machines.

Rules and Resources: Rules and other resources related to worm outbreaks can be found by running a keyword search for "worm". Restricting the search to the resource type Rule also yields useful results.

Filters: For this demonstration, log in to the ArcSight console as the admin user; this account allows the filters behind the reports and dashboards to be managed.
Data Monitors: Be mindful of event rates and of other programs running on the host when a scenario involves high event churn; these conditions can cause performance problems that may need tuning.

Rules Configuration: The Possible Network Sweep rule identifies systems that make many connections within a minute, excluding infrastructure services such as mail, domain, and proxy servers. It counts unique target addresses while the attacker address and target port stay the same, a pattern indicative of worm activity.

Worm Outbreak: This correlation rule triggers when both Possible Network Sweep and Target Port Activity are observed with identical attacker and target port in each event. Its purpose is to detect an outbreak from multiple instances of unusual network activity rather than from a single signature.

Data Monitor Configuration: The Target Port Activity data monitor gives a graphical representation of activity per port using moving averages; a departure from the usual connection pattern across systems points to a possible worm infection or other malicious activity.

The demonstration focuses on the benefits of using ArcSight to detect and respond to worm outbreaks within an organization's network. To show these capabilities effectively, it first addresses the challenges IT teams commonly face during such incidents and how ArcSight mitigates them. The speaker begins by asking the audience about their typical approach to handling worm outbreaks; the question frames the discussion around how well current methods cope with threats like worms and establishes a baseline of how such events are usually managed, which brings out ArcSight's advantages.
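As an added example (not from the original document or from ArcSight), the following Python script re-creates the logic of the Possible Network Sweep rule, the Target Port Activity data monitor and the Worm Outbreak correlation rule over a constructed stream of router accept/deny decisions. The one-minute window comes from the page; the thresholds (20 unique targets, a port spike of more than three times its moving average over the previous three minutes, a minimum of 10 hits), the infrastructure address list and every address other than 10.0.112.19 and 10.0.111.39 are assumptions.

```python
"""Toy re-creation of the three ArcSight resources described above: the
Possible Network Sweep rule, the Target Port Activity data monitor and the
Worm Outbreak correlation rule. This is an added illustration, not ArcSight
content; the thresholds, window length, event fields and addresses are
assumptions or constructed sample data."""
from collections import defaultdict, deque

WINDOW = 60                 # "within a minute" per the page; bucket length assumed
SWEEP_UNIQUE_TARGETS = 20   # unique targets from one attacker/port that count as a sweep (assumed)
PORT_MIN_COUNT = 10         # ignore ports with fewer hits than this in a bucket (assumed)
PORT_SPIKE_FACTOR = 3.0     # bucket count must exceed 3x the moving average (assumed)
PORT_HISTORY = 3            # moving average spans the previous three buckets (assumed)
# Mail, DNS and proxy servers legitimately talk to many hosts, so the sweep rule
# ignores them as sources (constructed addresses).
INFRASTRUCTURE = {"10.0.1.25", "10.0.1.53", "10.0.1.8"}


class WormDetector:
    """Feed router accept/deny events in time order, then read .outbreaks."""

    def __init__(self):
        self.recent = defaultdict(deque)        # (attacker, port) -> deque of (ts, target)
        self.bucket_counts = defaultdict(dict)  # port -> {bucket index: hits}
        self.sweeps = {}                        # (attacker, port) -> ts the sweep first fired
        self.active_ports = {}                  # port -> ts Target Port Activity first fired
        self.outbreaks = []                     # (ts, attacker, port) raised by Worm Outbreak
        self._raised = set()                    # attacker/port pairs already reported

    def _possible_network_sweep(self, ts, attacker, target, port):
        """Same attacker, same port, many *unique* targets inside one minute."""
        if attacker in INFRASTRUCTURE:
            return False
        dq = self.recent[(attacker, port)]
        dq.append((ts, target))
        while ts - dq[0][0] >= WINDOW:          # slide the one-minute window
            dq.popleft()
        return len({t for _, t in dq}) >= SWEEP_UNIQUE_TARGETS

    def _target_port_activity(self, ts, port):
        """Hits on this port in the current bucket versus their moving average."""
        bucket = ts // WINDOW
        counts = self.bucket_counts[port]
        counts[bucket] = counts.get(bucket, 0) + 1
        history = [counts.get(bucket - i, 0) for i in range(1, PORT_HISTORY + 1)]
        moving_avg = sum(history) / PORT_HISTORY
        current = counts[bucket]
        # max(..., 1.0) keeps a never-before-seen port from comparing against zero
        return current >= PORT_MIN_COUNT and current > PORT_SPIKE_FACTOR * max(moving_avg, 1.0)

    def ingest(self, ts, attacker, target, port, action):
        """action is the router's 'accept' or 'deny'; both count as evidence of probing."""
        if self._possible_network_sweep(ts, attacker, target, port):
            self.sweeps.setdefault((attacker, port), ts)
        if self._target_port_activity(ts, port):
            self.active_ports.setdefault(port, ts)
        # Worm Outbreak: both conditions hold for the same attacker/port pair
        # within the same time frame.
        key = (attacker, port)
        if (key in self.sweeps and port in self.active_ports and key not in self._raised
                and ts - self.sweeps[key] < WINDOW and ts - self.active_ports[port] < WINDOW):
            self._raised.add(key)
            self.outbreaks.append((ts, attacker, port))


def constructed_router_events():
    """Constructed sample of router ACL decisions: (ts, attacker, target, port, action)."""
    events = []
    hosts = ["10.0.111.%d" % n for n in range(50, 55)]
    infra_for_port = {25: "10.0.1.25", 53: "10.0.1.53", 8080: "10.0.1.8"}
    for ts in range(0, 300, 10):                       # normal office traffic to infrastructure
        port = [25, 53, 8080][(ts // 10) % 3]
        events.append((ts, hosts[(ts // 10) % 5], infra_for_port[port], port, "accept"))
    for i in range(40):                                # worm: one attacker, 40 targets, port 22
        events.append((120 + i, "10.0.112.19", "10.0.111.%d" % (i + 1), 22,
                       "deny" if i % 4 else "accept"))
    for i in range(25):                                # mail relay fan-out: a benign look-alike
        events.append((200 + i, "10.0.1.25", "10.0.111.%d" % (101 + i), 25, "accept"))
    return sorted(events)


def run_detection(events=None):
    """Replay the events through the detector and return it for inspection."""
    detector = WormDetector()
    for event in (events if events is not None else constructed_router_events()):
        detector.ingest(*event)
    return detector


if __name__ == "__main__":
    d = run_detection()
    for ts, attacker, port in d.outbreaks:
        print("Worm Outbreak at t=%ds: %s sweeping port %d" % (ts, attacker, port))
    print("ports with activity spikes:", sorted(d.active_ports))
```

Running it reports one Worm Outbreak for 10.0.112.19 on port 22, plus a port-activity spike on port 25 caused by the mail relay that never becomes an outbreak because the relay is excluded from the sweep rule. That is the reason for requiring both conditions with the same attacker and port: either signal alone produces false positives from ordinary infrastructure traffic.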
Next, the speaker will pose questions related to identifying infected hosts and isolating them during a worm outbreak. These questions aim to elicit pain points from attendees who have experienced such incidents firsthand, providing concrete examples of the difficulties they faced without adequate tools for detection and response. Finally, the demonstration will shift focus to ArcSight's capabilities in handling worm outbreaks efficiently:

  • It will explain how the system can quickly identify a significant increase in traffic directed at specific ports across multiple destination IPs during an outbreak, triggering correlation rules that eventually lead to the "Worm Outbreak" rule. This not only helps in detecting the worm activity but also allows for detailed investigation through tables and graphs displaying triggered rules, associated events, and event details.

  • A visual representation of how the worm is propagating across different networks (Worm Propagation by Zone) and targeting individual systems (Worm Propagation by Host) will be shown to provide a clear picture of the spread and progression of the worm within the organization's infrastructure.

  • The demonstration will conclude with an overview of the "Worm Infected Systems" feature, which provides a last state monitor displaying hosts as they are infected by the worm, enabling quicker action to isolate these systems before further propagation occurs.

By following this structured approach, ArcSight's ability to detect zero-day attacks and manage worm outbreaks effectively is showcased, demonstrating its potential to strengthen the network security posture against threats like worms.

To summarize, the document describes demonstrating worm outbreak detection with replay agents (Smart Agents) in ArcSight. The replay of the "Worm Outbreak" events is started several minutes before the presentation so that the dashboard is fully populated. The replay agent sends events as if it were a live device, so the manager processes them in real time, storing them for later analysis, and zero-day detection takes place without relying on IDS/IPS. Detection of the worm outbreak relies solely on router accept/deny decisions and OS/application event logs.

ArcSight provides notifications for important events that can be escalated if necessary; during an outbreak they appear in the Pending tab. Notifications are sent by email, pager, or text message and serve as a starting point for showing how critical events should be handled in a Security Operations Center. An analyst can investigate related events by selecting a notification and using the Inspect / Edit window to view the detailed event information. Notifications matter because 24x7 staff are not always available to watch the consoles. Overall, this method provides a structured way to simulate worm outbreaks and demonstrate real-time detection in tools like ArcSight.

The next part discusses using ArcSight to monitor and manage network security incidents, with a focus on the Worm Outbreak dashboard.
The article explains the importance of acknowledging notifications quickly to prevent the alert from escalating; automated escalation ensures that team members and management respond in time. It details the monitors on the dashboard, such as Target Port Activity, which tracks increases in activity indicative of a worm attack. To visualize this data effectively, users can adjust the field set selection and compare base and aggregated event counts to follow the progression of the outbreak. Having this information at an analyst's fingertips during an active attack matters because every second lost lets the worm penetrate deeper into the network, with the risk of serious data breaches or system disruption.

Key points on detecting and analyzing the worm attack with ArcSight:

1. **Worm Attack on a Vulnerable Port**: The worm attacks the same vulnerable port on every host; each compromised system then repeats the worm's activity, so the infection spreads subnet by subnet, as shown in the Worm Propagation By Zone event graph.

2. **ArcSight Features**: The console displays statistics and the rules that have fired in real time, so analysts can quickly view the correlated events behind the graphs and data monitor displays.

3. **Event Graphs**:

  • **Worm Propagation By Zone**: Illustrates how the worm has spread across different network zones using a "spoke and wheel" diagram that shows which networks have been penetrated by the worm.

  • **Worm Propagation by Host**: Shows individual hosts being compromised, with infected systems represented by red and blue squares indicating the progression of the worm from host to host.

4. **Strategies**: Instead of shutting down entire network segments or blocking ports, analysts can isolate and remediate only the hosts that are infected. This allows more precise targeting and analysis of the infection.

Overall, this part emphasizes using ArcSight's visual tools to track and understand the spread of a worm across the network, with targeted responses rather than broad sweeps that could disrupt other parts of the system.

The next part describes monitoring and analyzing the attack with data monitors and visual tools:

1. **Monitor Worm Propagation**: Use the Worm Propagation by Host data monitor to track how the worm spreads between hosts. Maximize the monitor and focus on the area showing red attackers and their targets.

2. **Zoom and Focus**: Zoom into the section where the attacker is most active by selecting the area with the red attackers and targets, and increase the magnification until the labels of each item are readable.

3. **Isolate the Target Port**: Select only the blue circle representing the targeted port (for example, 22) and drag it outside the circle to improve visibility.

4. **Use Last State Data Monitors**: A last state data monitor lists infected hosts based on the most recent events. Float the Worm Infected Systems data monitor to view the list of affected systems.

5. **Drill-Down Analysis**: Drill into a specific infected host by double-clicking its IP address (for example, 10.0.111.39) in the Worm Infected Systems data monitor, which opens a detailed view of the worm outbreak events for that host.

6. **Create Channels for Investigation**: Use the right-click options to create on-the-fly channels or filters that isolate the events involving that IP address.

7. **Utilize Tools and Custom Queries**: Run tools such as ping and nslookup against the host, and consider custom tools that take the IP address and run a Google search or an SQL query against an asset database to retrieve full asset information.

By following these steps, analysts can monitor and respond to a worm attack, using data monitors and visual tools to understand the spread of the malware and the systems affected.

The article then describes how ArcSight categorizes and analyzes security events:

1. **Event Selection**: Selecting any event in the grid shows its details. For example, an analyst might see that the user ID "test" was used against the sshd login service, which ArcSight categorizes as an Illegal User event.

2. **ArcSight Categorization**: Events are categorized by behavior, outcome, and object (the tuple description). Rules can then be written against these categories rather than device-specific strings, which simplifies rule creation and filtering.

3. **Event Detail Viewing**: Double-clicking a specific event (for example, an Illegal User event) shows details such as the user ID and process name; scrolling up to the category section shows how the event was categorized.

4. **Notification and Event Review**: In the Notifications tab, analysts can review acknowledged notifications such as "Worm Outbreak" in detail, including graphs that display the events behind the underlying rules.

5. **Event Graphs**: Analysts can create event graphs to view events visually or in a grid. This helps in understanding the relationship between the correlation rules and in selecting items of interest from visual cues.

6. **Rule Condition Viewing**: When an analyst wants to understand why a rule fired, the rule conditions are one click away, which clarifies the event categorization and the justification for the rule firing.

Overall, this process uses ArcSight's capabilities to analyze security events efficiently, categorize them by predefined criteria, and provide visual tools that support decision making.

Rules in ArcSight also provide event aggregation and action automation for threat detection and response. A rule can require specific events to occur within the same time frame (the Worm Outbreak rule, for instance, needs both Possible Network Sweep and Target Port Activity from the same attacker). Rule aggregation collects related events under specified conditions, such as an identical user identity or IP address, which helps correlate data across systems.

Rules can also trigger automated actions: overriding field values, sending notifications, executing commands, and passing information to third-party systems such as Remedy. Examples include raising the priority of an event or sending a notification based on what the rule found. Finally, integration with ArcSight Threat Response Management (TRM) lets the system implement actions automatically in response to a worm attack, such as adding firewall rules or isolating infected systems. Together, the rule-based system and automation let security teams detect threats proactively and handle incidents like worm outbreaks with minimal disruption to network operations.
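The Worm Infected Systems last-state monitor and the Worm Propagation by Zone / by Host graphs described above can be reproduced from the connection events the Worm Outbreak rule has already flagged, as in this added Python example (not ArcSight content). The zone table, every host address other than 10.0.112.19 and 10.0.111.39, and the event timings are constructed for the illustration.

```python
"""Added example (not ArcSight content) of the two views described above: a
last-state 'Worm Infected Systems' table and the Worm Propagation by Zone /
by Host graphs, built from connection events that the Worm Outbreak rule has
already flagged. The zone table and the events are constructed."""
from collections import Counter, defaultdict

# Constructed zone table: /24 prefix -> zone name (an assumption, not the page's network)
ZONES = {"10.0.111": "Engineering", "10.0.112": "Finance", "10.0.113": "Sales"}

# Constructed sample: (ts, attacker, target) connections on the targeted port
WORM_EVENTS = [
    (100, "10.0.112.19", "10.0.111.39"),
    (101, "10.0.112.19", "10.0.111.40"),
    (102, "10.0.112.19", "10.0.113.7"),
    (130, "10.0.111.39", "10.0.111.41"),   # .39 starts attacking: it is now infected
    (131, "10.0.111.39", "10.0.112.5"),
    (160, "10.0.113.7", "10.0.113.8"),
    (161, "10.0.111.40", "10.0.111.42"),
]


def zone_of(ip):
    """Map an address to its zone by /24 prefix (simplified zone lookup)."""
    return ZONES.get(ip.rsplit(".", 1)[0], "unknown")


def worm_infected_systems(events):
    """Last-state monitor: one row per host that has started attacking, holding the
    most recent knowledge about it (when and by whom it was infected, whom it hits)."""
    first_hit = {}   # target -> attacker that first reached it
    state = {}
    for ts, attacker, target in sorted(events):
        first_hit.setdefault(target, attacker)
        row = state.setdefault(attacker, {
            "zone": zone_of(attacker),
            "infected_at": ts,
            "infected_by": first_hit.get(attacker, "unknown (patient zero)"),
            "targets": set(),
        })
        row["targets"].add(target)
        row["last_seen"] = ts
    return state


def propagation_by_zone(events):
    """Spoke-and-wheel view: how many worm connections went from zone to zone."""
    return Counter((zone_of(a), zone_of(t)) for _, a, t in events)


def propagation_by_host(events):
    """Host-level graph: attacker -> sorted list of the hosts it reached."""
    edges = defaultdict(set)
    for _, attacker, target in events:
        edges[attacker].add(target)
    return {a: sorted(targets) for a, targets in edges.items()}


def containment_options(events):
    """Contrast the two responses the page discusses: isolating just the infected
    hosts versus shutting down every zone the worm has reached."""
    infected = sorted(worm_infected_systems(events))
    penetrated = sorted({zone_of(t) for _, _, t in events})
    return {"isolate_hosts": infected, "shut_down_zones": penetrated}


if __name__ == "__main__":
    for host, row in worm_infected_systems(WORM_EVENTS).items():
        print("%-12s %-12s infected at t=%d by %s, %d targets" %
              (host, row["zone"], row["infected_at"], row["infected_by"], len(row["targets"])))
    print(propagation_by_zone(WORM_EVENTS))
    print(containment_options(WORM_EVENTS))
```

With the sample data the last-state table holds four infected hosts while the worm has already reached all three zones, which is the page's argument in numbers: isolating four hosts is a far smaller intervention than taking three subnets offline.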
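As an added illustration of the categorization described in the Event Selection and ArcSight Categorization steps (this is not ArcSight code, and the category values are an assumed mapping, not ArcSight's own), the following Python parser normalizes sshd syslog lines, including the older "Illegal user" wording and the newer "Invalid user" wording, into category fields and then applies one rule written against those fields rather than against message text. The log lines, hostname and the threshold are constructed.

```python
"""Added example (not ArcSight code): parse sshd syslog lines into normalized
event fields and assign an ArcSight-style category triple (behavior, outcome,
object), then run one rule against the categories instead of raw message text.
The log lines, hostnames and the category mapping are constructed/assumed."""
import re
from collections import Counter

# Constructed sample, not a real log; 10.0.111.39 is the infected host from the walkthrough
SAMPLE_SYSLOG = """\
Aug 14 03:12:07 unixhost sshd[2231]: Illegal user test from 10.0.111.39
Aug 14 03:12:09 unixhost sshd[2231]: Failed password for invalid user test from 10.0.111.39 port 40122 ssh2
Aug 14 03:12:15 unixhost sshd[2240]: Invalid user admin from 10.0.111.39
Aug 14 03:13:01 unixhost sshd[2251]: Accepted publickey for alice from 10.0.1.77 port 51000 ssh2
Aug 14 03:13:30 unixhost sshd[2260]: Received disconnect from 10.0.1.77: 11: disconnected by user
"""

SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")

# Message shapes sshd emits for logins; older releases say "Illegal user", newer "Invalid user".
MESSAGE_PATTERNS = [
    ("Illegal User", re.compile(r"^(?:Illegal|Invalid) user (?P<user>\S+) from (?P<src>[\d.]+)")),
    ("Failed Login", re.compile(
        r"^Failed (?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)")),
    ("Login Success", re.compile(r"^Accepted (?:password|publickey) for (?P<user>\S+) from (?P<src>[\d.]+)")),
]

# Assumed mapping onto an ArcSight-style category triple: behavior says what was attempted,
# outcome how it ended, object what was acted upon.
CATEGORY = {
    "Illegal User":  ("/Authentication/Verify", "/Failure", "/Host/Application/Service"),
    "Failed Login":  ("/Authentication/Verify", "/Failure", "/Host/Application/Service"),
    "Login Success": ("/Authentication/Verify", "/Success", "/Host/Application/Service"),
}


def parse_sshd_line(line):
    """Return a normalized event dict, or None for sshd messages we do not categorize."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    for name, pattern in MESSAGE_PATTERNS:
        mm = pattern.match(m.group("msg"))
        if mm:
            behavior, outcome, obj = CATEGORY[name]
            return {
                "name": name,
                "device_host": m.group("host"),
                "process": "sshd",
                "pid": int(m.group("pid")),
                "user": mm.group("user"),
                "source_address": mm.group("src"),
                "category_behavior": behavior,
                "category_outcome": outcome,
                "category_object": obj,
            }
    return None


def failed_auth_sources(lines, threshold=3):
    """Rule written against categories, not message text: sources with at least
    `threshold` failed authentication attempts against a service (threshold assumed)."""
    counts = Counter()
    for line in lines:
        ev = parse_sshd_line(line)
        if (ev and ev["category_behavior"] == "/Authentication/Verify"
                and ev["category_outcome"] == "/Failure"
                and ev["category_object"] == "/Host/Application/Service"):
            counts[ev["source_address"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_SYSLOG.splitlines():
        ev = parse_sshd_line(line)
        print(ev["name"] if ev else "(uncategorized)", "<-", line)
    print("sources over the failure threshold:", failed_auth_sources(SAMPLE_SYSLOG.splitlines()))
```

Because the rule keys on the category triple, the same condition matches the "Illegal user" and "Invalid user" spellings, and would equally match a failed login reported by a different device once its connector assigned the same categories; that is the benefit the categorization step describes.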
To summarize, this text gives a step-by-step guide to remediating a system in response to an outbreak such as the zero-day worm or the Zotob worm, using ArcSight features including connector commands for threat response and the integrated case management system for event annotation and tracking.

1. In the Actions tab, click "Add" and select "Execute Connector Command." Under Select Connector, choose ArcSight Threat Response, then under Command select "counteract.quarantine." This quarantines the host automatically, or after approval, the way a sysadmin would otherwise do by hand.

2. Event Annotation lets analysts annotate events for workflow management without creating a case: select several events, right-click and choose Annotate Events, set Assign To and Stage, write comments, and add the annotation to the Active Channel column display. This step is optional and can be customized to the user's needs.

3. The integrated case management system lets users assign and track incidents: select a series of events, right-click and choose "Add to Case." Research becomes more efficient because all related events are held in a single case.

4. ArcSight provides content subscription services that include the latest rule packs, reports, and specialized content, including content for regulatory compliance. For example, it offers content tailored to Zotob worm outbreaks, helping analysts identify and address the malware with minimal research time. The steps are to launch the related event types in ArcSight, open specific dashboards such as the Zotob and Variants Counts Bozori Dashboard, and read the bar graphs that represent the infected systems under outbreak conditions.
Even without a content update, ArcSight can still detect the worm outbreak, because its zero-day rules are designed to identify new and previously unknown threats. Users can then investigate the attack by right-clicking the attacker's IP address (for example, 10.0.112.19) and creating a channel for detailed investigation. ArcSight is valuable to organizations that want to stay ahead of emerging threats because it detects, researches, and assists with the remediation of zero-day attacks as they occur. Content subscription updates further improve its effectiveness by letting customers identify known attack types and apply the specific remedial actions for them, reducing the time needed to neutralize the threat.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
