
BNI APT Use Case Report 1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 4 min read

Summary:

The document outlines the implementation of specific use cases and dashboards within Bank Negara Indonesia (BNI) to enhance their APT (Advanced Persistent Threat) defense capabilities using ArcSight Professional Services. Key points include:

1. **Use Cases**: Four primary use cases were developed focusing on inbound and outbound traffic from/to malicious sources, including external IP addresses, domains, and specific server farm activities. Each use case includes a set of filters, rules, stages, active channels, and dashboards for visualizing alerts.

2. **Filters and Rules**: Customized filters and rules are created to identify suspicious activities based on predefined criteria. These tools help in assessing potential threats from malicious IP addresses, domains, and server farm traffic.

3. **Stages and Active Channels**: A specialized stage called SOC Triage is designed to alert security analysts immediately about alerts generated by ArcSight. This involves adding annotations that correlate events across selected APT scenarios to facilitate faster response times.

4. **Dashboards**: Two dashboards are created: the APT Dashboard provides a snapshot of critical security metrics and related alerts, while Deploying Real-time Rules outlines how real-time rules should be deployed for enhanced threat detection.

5. **Deployment**: The ARB package is set up, and real-time rules are manually deployed to improve detection speed in response to potential threats as identified by ArcSight.

This document provides a structured guide on leveraging ArcSight solutions to better detect and respond to advanced persistent threats within BNI's network environment.

Details:

The provided document is a report detailing specific use cases and dashboards for Bank Negara Indonesia (BNI) as part of their APT (Advanced Persistent Threat) use case engagement with ArcSight Professional Services. Here's a summary of its contents based on the structure provided:

1. **General Information**

  • The purpose of this document is to detail the specific use cases and dashboards for APT use cases within BNI, focusing on enhancing security measures against potential threats using ArcSight solutions.

  • It outlines the current status of all included use cases and provides recommendations for further development based on experience with similar customers.

2. **Use Cases**

  • Several custom use cases were developed to meet business needs, addressing various types of suspicious activities:
      ◦ Inbound External Traffic from Malicious IP
      ◦ Outbound Traffic to Malicious Domain
      ◦ Outbound Traffic to Malicious IP
      ◦ Server Farm Outbound Firewall Traffic to Malicious IP
      ◦ Server Farm Outbound Firewall Traffic to Malicious IP (12MN – 6AM)

  • Each use case includes a set of resources such as filters, dashboards, data monitors, active lists, rules, stages, and active channels.

3. **Filters**

  • Not detailed in the summary provided but implied to be part of each use case for initial screening of suspicious events based on predefined criteria.

4. **Rules**

  • Each use case requires a set number of rules (7) which are critical for identifying and assessing malicious activities within network traffic data.

5. **Stages and Active Channels**

  • These would typically represent the stages of processing or analysis through which the data flows, potentially including real-time channels for immediate response to potential threats.

6. **Dashboards**

  • Includes two main dashboards:
      ◦ **APT Dashboard**: A visualization tool that provides a snapshot of critical security metrics and alerts related to APT use cases.
      ◦ **Deploying Real-time Rules**: Details on how real-time rules are deployed to enhance the system's ability to detect and respond to threats in near real-time.

This document serves as a comprehensive guide for understanding and implementing effective security measures against advanced persistent threats within BNI's infrastructure, utilizing ArcSight solutions tailored to specific use cases.

The provided text outlines a comprehensive approach to using ArcSight for threat detection, focusing on creating custom filters, rules, stages, active channels, dashboards, and deploying real-time rules. Here's a summary of the key points:

1. **Filters**: Customized filters were developed based on discussions to optimize data usage from external firewalls and Proxy Logs (though these are not available). These filters help in analyzing specific events and activities within the network environment.

2. **Rules**: Similar to filters, rules have been crafted for better utilization of ArcSight's capabilities. These rules focus on events related to activity inside and outside the firewall/proxy, with conditions, aggregation, and actions defined.

3. **Stages and Active Channels**: A custom stage called SOC Triage has been developed to alert security analysts about alerts generated by ArcSight. This stage includes adding annotations that are displayed through an active channel which correlates events from selected APT scenarios.

4. **Dashboards**: One dashboard was created to visualize alerts produced by ArcSight, focusing on firewall data such as attacker IP addresses, outbound bytes, and target IP addresses, with a secondary focus on malware activities. This visual tool helps in monitoring the network's health more effectively.

5. **Deployment of Real-time Rules**: After setting up the ARB package, real-time rules need to be deployed manually by right-clicking the rules or folders and selecting "Deploy Real Time Rule(s)". This step is crucial for immediate response to potential threats as detected by ArcSight.

Overall, this document describes a structured methodology for enhancing security operations using advanced tools like ArcSight, with detailed steps on how to implement custom filters, rules, stages, channels, and dashboards based on specific needs identified during interactive discussions.
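To make the filter-then-rule logic of the five use cases and the aggregation described under Rules concrete, here is an added Python model that is not part of the BNI report or of ArcSight itself. It assumes constructed malicious IP/domain lists, a hypothetical 10.20.0.0/16 server-farm range, a threshold of two matching events per attacker IP, and a handful of constructed firewall events.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
# Constructed stand-ins for the report's active lists and address ranges (not BNI's values).
MALICIOUS_IPS = {"203.0.113.7", "198.51.100.23"}
MALICIOUS_DOMAINS = {"bad-example.invalid"}
INTERNAL = ip_network("10.0.0.0/8")
SERVER_FARM = ip_network("10.20.0.0/16")  # assumed server-farm subnet

@dataclass
class FwEvent:
    ts: datetime
    src: str           # ArcSight "attacker" address
    dst: str           # ArcSight "target" address
    out_bytes: int
    domain: str = None  # requested domain, present only when a proxy log exists

def classify(ev):
    """Filter stage: names of the use cases a single event satisfies."""
    hits = []
    src_internal = ip_address(ev.src) in INTERNAL
    if not src_internal and ev.src in MALICIOUS_IPS:
        hits.append("Inbound External Traffic from Malicious IP")
    if src_internal and ev.domain in MALICIOUS_DOMAINS:
        hits.append("Outbound Traffic to Malicious Domain")
    if src_internal and ev.dst in MALICIOUS_IPS:
        hits.append("Outbound Traffic to Malicious IP")
        if ip_address(ev.src) in SERVER_FARM:
            hits.append("Server Farm Outbound Firewall Traffic to Malicious IP")
            if ev.ts.hour < 6:  # the report's 12MN-6AM window
                hits.append("Server Farm Outbound Firewall Traffic to Malicious IP (12MN - 6AM)")
    return hits

def correlate(events, threshold=2):
    """Rule stage: aggregate per (use case, attacker IP); fire once the count reaches threshold."""
    agg = defaultdict(lambda: {"count": 0, "out_bytes": 0, "targets": set()})
    for ev in events:  # the dashboard fields: count, outbound bytes, target IPs
        for uc in classify(ev):
            a = agg[(uc, ev.src)]
            a["count"] += 1
            a["out_bytes"] += ev.out_bytes
            a["targets"].add(ev.dst)
    return {k: v for k, v in agg.items() if v["count"] >= threshold}

# Constructed sample events: two night-time server-farm hits, one daytime workstation hit, one inbound probe.
SAMPLE = [
    FwEvent(datetime(2025, 4, 8, 2, 15), "10.20.1.5", "203.0.113.7", 4096),
    FwEvent(datetime(2025, 4, 8, 2, 40), "10.20.1.5", "203.0.113.7", 8192),
    FwEvent(datetime(2025, 4, 8, 14, 0), "10.50.3.9", "198.51.100.23", 512),
    FwEvent(datetime(2025, 4, 8, 9, 0), "203.0.113.7", "10.1.1.1", 0),
]
```

Running `correlate(SAMPLE)` fires only the three server-farm related use cases for 10.20.1.5; the single daytime workstation hit and the single inbound probe stay below the threshold, which is the aggregation behaviour a rule's condition/aggregation/action split is meant to give the SOC Triage stage.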

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and they will be responded to.
