ATI Demo Script 1
- Pavan Raja
- Apr 8, 2025
Summary:
The ArcSight Threat Intelligence (ATI) Solution Accelerator is a tool for organizations using Enterprise Security Manager (ESM) version 4.5 or above, released on February 24, 2012. It aims to use open-source threat intelligence to enhance network security without expensive third-party subscriptions. ATI automatically collects and imports threat information into active lists within ESM, which then identifies systems attempting to access known malicious URLs and IP addresses associated with malware and other threats.
The document provides a step-by-step guide for demonstrating the features of ATI: 1. Load the ARB (ArcSight Resource Bundle) file containing the ATI content. 2. Download a replay file for demonstrating events. 3. Replay demo events to show threat intelligence in action. 4. Display and discuss the Threat Intelligence Active Lists, IP and Domain Scraper, Identified Malware Events, Malware Dashboard, Malware Query Viewer, Malware Summary Report, and Malware Accounting Active List.
The demonstration involves loading an ARB file named "5.0.sp1.6572ati_demo.arb," downloading the "ATI.replay.events" file, transferring it to a connector for replaying events, reviewing active lists for malicious IP addresses, domains, and websites, and cross-referencing these items to detect malware within the network.
The SANS Internet Storm Center (ISC) provides a free analysis and warning service covering internet attacks and has grown into a source of real-time threat intelligence. Abuse.ch operates several projects aimed at tracking and combating specific malware families: Zeus Tracker, SpyEye Tracker, AMaDa Malware Database, and Project HoneyPot. ATI presents the intelligence drawn from these feeds through its Identified Malware Events channel, Malware Dashboard, Malware Query Viewer, Malware Summary Report, and Malware Accounting Active List, giving situational awareness of malware incidents within the organization.
Details:
The ArcSight Threat Intelligence (ATI) Solution Accelerator is designed for customers using ESM versions 4.5 and above, released on February 24, 2012. This solution aims to leverage open-source threat intelligence available online without the need for expensive third-party subscriptions. ATI automatically collects and imports threat information into active lists within ESM, which then identifies systems attempting to access known malicious URLs and IP addresses associated with malware, advanced persistent threats, botnets, and other potentially harmful activities.
**Demo Contents:**
The demo showcases how to:
1. Load the ARB (ArcSight Resource Bundle) file containing the ATI content.
2. Download a replay file for demonstrating events.
3. Replay demo events to show threat intelligence in action.
4. Display and discuss the Threat Intelligence Active Lists, IP and Domain Scraper, Identified Malware Events, Malware Dashboard, Malware Query Viewer, Malware Summary Report, and Malware Accounting Active List.
This document provides a step-by-step guide through the demonstration of these features, highlighting how ATI leverages open-source threat intelligence to enhance security measures within an organization's network infrastructure.
This section of the document outlines the demonstration process for the ARB (ArcSight Resource Bundle), which packages resource types such as active lists, rules, report templates, queries, dashboards, data monitors, file resources like ATI_demo.events, and integration commands. The demo involves loading the ARB, downloading the replay file, replaying events with a connector, displaying threat intelligence from the active lists, discussing the IP and Domain Scraper script responsible for collecting the malicious indicators, and cross-referencing those items against network events to detect malware within customer networks.
To begin, load the ARB named "5.0.sp1.6572ati_demo.arb" by importing it into ESM at the URI base the demo script specifies. Next, download the "ATI.replay.events" file that the ARB carries as a file resource. Transfer this replay file to the TestAlert connector's $ARCSIGHT_HOME/current directory and use it to replay events through the connector.
To display threat intelligence from the active lists, review the malicious IP addresses, domains, and websites stored in them. The IP and Domain Scraper script runs daily, searching public sites for IPs and domains connected with malware distribution. It sends this information as CEF events to a syslog connector, where ATI rules create the entries in the active lists just mentioned.
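Added example (not code from the demo script or the ATI package) of the pipeline described above and of the cross-referencing step: the scraper emits each indicator as a CEF line for the syslog connector, the receiving side parses the line while honouring CEF escaping, a stand-in for the ESM rules fills the IP and domain active lists, and a lookup flags a network event whose destination is listed. The vendor, product, signature ids, field choices and the feed entries are all assumed; the addresses are from documentation ranges.

```python
import re
# Constructed sample feed (TEST-NET address, .invalid name: not real indicators).
SAMPLE_FEED = [("ip", "203.0.113.45", "zeus-tracker"),
               ("domain", "cnc.example.invalid", "spyeye-tracker")]

def esc_header(s):
    """CEF header fields escape the backslash and the '|' delimiter."""
    return s.replace("\\", "\\\\").replace("|", "\\|")

def esc_ext(s):
    """CEF extension values escape the backslash, '=' and newlines."""
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\n", "\\n")

def build_cef(kind, indicator, feed):
    """Render one scraped indicator as the CEF:0 line sent to the syslog connector."""
    # Vendor, product, version and signature id are assumed for this example.
    header = ["CEF:0", "ExampleVendor", "IPDomainScraper", "1.0",
              f"ATI-{kind}", "Malicious indicator scraped", "5"]
    ext = {"cs1Label": "feed", "cs1": feed,
           ("dst" if kind == "ip" else "dhost"): indicator}
    return "|".join(map(esc_header, header)) + "|" + " ".join(
        f"{k}={esc_ext(v)}" for k, v in ext.items())

_HEADER = re.compile(r"^" + r"((?:\\.|[^|\\])*)\|" * 7 + r"(.*)$", re.S)

def parse_cef(line):
    """Split a CEF line into its seven header fields plus an extension dict,
    honouring escapes so a '|' or '=' inside a value cannot shift a field."""
    m = _HEADER.match(line)
    if not m or m.group(1) != "CEF:0":
        raise ValueError("not a CEF:0 line")
    unesc = lambda s: re.sub(r"\\(.)", lambda x: "\n" if x[1] == "n" else x[1], s)
    ext = {}
    for tok in re.split(r"\s+(?=\w+=)", m.group(8).strip()):
        key, _, val = tok.partition("=")
        ext[key] = unesc(val)
    return [unesc(g) for g in m.groups()[:7]], ext

def build_active_lists(cef_lines):
    """Stand-in for the ESM rules that fill the Malicious IP and Domain active lists."""
    lists = {"ip": set(), "domain": set()}
    for line in cef_lines:
        header, ext = parse_cef(line)
        kind = header[4].removeprefix("ATI-")          # "ip" or "domain"
        if kind in lists:
            lists[kind].add(ext["dst" if kind == "ip" else "dhost"])
    return lists

def is_malware_contact(event, lists):
    """Cross-reference one network event against the lists, as the demo's rules do."""
    return event.get("dst") in lists["ip"] or event.get("dhost") in lists["domain"]
```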
The SANS Internet Storm Center (ISC) was established in 1998, initially focusing on research about internet attacks before transitioning into providing real-time threat intelligence and incident response services.
The ISC offers a free analysis and warning service to thousands of Internet users and organizations, a role it took on following the successful detection, analysis, and widespread warning of the Li0n worm. It actively works with Internet Service Providers to combat malicious attackers. Additionally, abuse.ch operates several projects aimed at tracking and combating specific types of malware:
1. **Zeus Tracker**: This service by abuse.ch tracks ZeuS Command & Control (C&C) servers and malicious hosts that host ZeuS files. It helps system administrators block known ZeuS hosts to prevent infections in their networks.
2. **SpyEye Tracker**: The counterpart of the Zeus Tracker for the SpyEye malware family, tracking SpyEye C&C servers. It provides blocklists in formats suited to tools such as the Squid web proxy or iptables, so that infected clients can be prevented from reaching the C&C servers.
3. **AMaDa Malware Database**: This database, also by abuse.ch, serves as a platform for posting security blogs and maintaining a database of malware.
4. **Project HoneyPot**: As the first distributed system designed to identify spammers and their bots that scrape addresses from websites, Project HoneyPot helps in combating spam activities.
The demo then walks through the ATI tools that present this intelligence:
**Display Identified Malware Events**: An active channel showing the events on which the ATI rules fired because a system contacted a listed IP or domain.
**Malware Dashboard**: A dashboard providing situational awareness and summary information about malware incidents, including the top accessed URLs that correspond to malware events and infected systems categorized by business role.
The remaining visualizations and reports break malware activity within the organization down by attributes such as business role, host type, location, and the specific files involved:
1. **Malware Query Viewer**: Visualizes detailed situational awareness about malware incidents, focusing on key metrics such as the top sourcing hosts (hosts initiating connections), access locations by country, and infected hosts grouped by role.
2. **Top Sourcing Hosts**: Highlights the hosts that most frequently initiate connections to known malicious IP addresses and domains, indicating likely entry points for malware into the network.
3. **Top Access Locations by Country**: Maps which countries the malware-related connections most frequently reach, helping to understand where the threats are predominantly active.
4. **Malware Summary Report**: A more comprehensive report that provides a snapshot of all malware incidents across several dimensions:
   - Malware events categorized by zone, reflecting how malware spreads across different network segments.
   - Counts of connections made to known malicious IPs and the number of infected hosts involved in those connections.
   - The total count of unique malware filenames accessed, giving a detailed view of which files are involved most often.
5. **Malware Accounting Active List**: This list maintains a real-time record of all malware interactions within the network, serving as a foundational database for both the query viewer and summary report to generate insights from historical data.
Each of these components is designed to provide increasing levels of detail and granularity about malware incidents, enabling more informed decision making and proactive security strategies.