Combating Advanced Persistent Threats with ArcSight
- Pavan Raja

- Apr 8, 2025
- 14 min read
Summary:
- Title: Detection of Malware and Rootkit Behavior in Enterprise Security Environments
- Date/Event: June 2013 (Las Vegas)
- Source: Hewlett-Packard (HP)
**Key Points:**
1. **Introduction to Malware and Rootkit Threats:** The document begins by introducing the concepts of malware and rootkits, explaining how these threats infiltrate enterprise networks, manipulate system files, and establish a persistent presence on compromised systems. It notes that such intrusions are often difficult to detect with traditional antivirus software alone because of their evasion techniques.
2. **Detection Techniques:** HP discusses several detection methods used in enterprise security environments to identify malware and rootkits:
- **Black List Correlation:** Pre-defined blacklists of IP addresses, domains, or other entities associated with malicious activity are correlated against events to identify known threats quickly.
- **GeoLocation +/ OR Data Model:** Incorporating geographical location data into the analysis model helps in understanding the network's structure and traffic patterns, aiding the detection of malware that is attempting to localize its presence or communicate with command and control servers.
- **Netflow Graph Analysis:** Analyzing netflow data as graphs exposes anomalies in source-to-destination traffic that may indicate suspicious activity such as attempts by malware to exfiltrate data from the network.
- **Source to Destination Traffic Spike Detection:** Sudden spikes in traffic between specific nodes on the network are treated as a telltale sign of potential malware or other security incidents.
- **Light Dart Malware Example:** The "Light Dart" malware is cited as a specific example; it sends a "Put request outbound to CC server," which is an indicator of malicious intent and continued exploitation within the enterprise network.
3. **Incident Response and Reporting:** The document emphasizes the importance of a robust incident response plan and detailed reporting mechanisms for effectively dealing with detected threats. It notes that these should include not only technical measures but also procedural adjustments to enhance overall security posture in large enterprises.
4. **Conclusion:** The document concludes by reiterating the multi-faceted approach needed to combat malware and rootkit threats, emphasizing continuous monitoring, proactive detection methods, and a coordinated response from all stakeholders within an organization.
**Implications for Security Operations:** This document serves as a guide or reference for HP's enterprise security teams on how to detect and respond to potential malware and rootkit threats in their environments. It underscores the importance of integrating various data sources and utilizing advanced analytical tools like ArcSight for more comprehensive threat detection and response. The principles discussed are applicable across different sectors, emphasizing the need for robust network security practices against sophisticated cyber threats.
This document is a valuable resource for anyone interested in understanding how enterprise-level organizations can effectively identify, detect, and mitigate malware and rootkit threats using advanced security analytics tools like ArcSight, reflecting HP's expertise in cybersecurity solutions.
Details:
This text discusses Advanced Persistent Threats (APTs), defined as adversaries with high levels of expertise and resources who use multiple attack vectors (cyber, physical, and deception) to achieve their objectives within targeted organizations. Those objectives usually involve establishing a foothold in the organization's IT infrastructure in order to exfiltrate information or undermine mission, program, or organizational goals. APTs are characterized by persistence in pursuing objectives over an extended period, adaptability to defender efforts, and determination to maintain the level of interaction needed to execute their objectives.
This document outlines a comprehensive analysis of APTs and their potential risks. APTs are sophisticated cyber attacks aimed at long-term data theft, typically against high-value targets such as corporations or government entities. The delivery vectors include emails containing malware, infected attachments, compromised web services, peer-to-peer networking, instant messaging applications, newsgroups, USB drives, and video and social media platforms.
The risks associated with APTs are significant: they can lead to financial loss due to theft of intellectual property or ransomware demands; damage to brand reputation from data leaks; leakage of customer data compromising trust in the company; potential misuse of company assets for further malicious activities such as distributed denial-of-service (DDoS) attacks.
APT breaches are most often identified by external parties, with customers a relatively minor factor in detection, and the investigation phase is lengthy, taking over three months in 66% of cases.
Recent studies indicate that about two-thirds of data breaches were detected by an outside party, while only 9% were spotted by customers. Organizations also take longer than expected to detect and respond to these threats once they are known; more than three quarters of the time is spent investigating breaches after their detection.
To defend against such threats, a multi-layered approach like defence in depth is recommended with various security measures including but not limited to firewalls for perimeter protection, VPNs, and regular vulnerability assessments. This comprehensive strategy aims to protect organizations from sophisticated cyber attacks.
The passage discusses various methods and practices for protecting information systems, including firewall rules, antivirus software, disk encryption, email filtering, proxy services, and compliance with standards like PCI DSS and ISO 27001. It also addresses exceptions and challenges in real-life scenarios where traditional security measures may not be effective or applicable due to specific needs or constraints.
This document highlights several critical points about cybersecurity within organizations, suggesting that relying solely on traditional security measures like firewalls, antivirus, and compliance tools may not be sufficient to protect against advanced persistent threats (APTs). The author emphasizes the importance of a Security Information and Event Management (SIEM) system for detecting and responding to potential cyber-attacks.
The document argues that while individual security components such as firewalls and IPS are useful, they have limitations. For instance, local firewalls may not prevent attacks delivered via email or removable media, disk encryption only protects against physical theft of devices, and antivirus software is only as effective as its knowledge of the malware it encounters.
The document also provides a breakdown of APT (Advanced Persistent Threat) behaviors: from discovering weaknesses in an environment to executing malicious activities like stealing intellectual property or adding devices to botnets. It lists various communication methods used by attackers, including standard services on non-standard ports and communications between different types of devices such as desktops and servers.
The document concludes with a call for organizations to adopt a SIEM system that can monitor these behaviors continuously, providing real-time threat detection and response capabilities, which are essential in the face of increasingly sophisticated cyber threats.
To combat APT (Advanced Persistent Threat) and malware behaviors, the following strategies are employed by HP in their security measures:
**Use of Blacklists:**
**Outbound Network Communications:** The organization correlates blacklisted IP addresses with network events. This helps detect known malicious patterns involving services such as HTTP web servers on port 80 or SMTP email servers, which should not function as relay servers.
**Firewall Information and Anomalies:** They monitor firewall logs for deviations, which can indicate unusual activity such as a database server sending significantly more data than usual to an unrelated country.
**Handling Unknown Threats:**
**Understanding Services:** Although they deal with unknown threats, the organization has a clear understanding of what specific services are supposed to do: HTTP servers on port 80, email servers for inbound and outbound mail, and business VPN connections.
**Whitelist Usage:** They utilize whitelists for known service types and also employ Netflow anomalies and firewall information to identify suspicious activities that might not fit typical patterns.
**Correlating Threats:**
The organization investigates its threat landscape and creates correlation rules around those threats. The rules encode expected behaviors from services, such as the specific port used by HTTP servers, and the absence of services that should not exist (e.g., an SNMP service on an IP address that should not host one).
**Mitigating False Positives and Negatives:**
The process involves continuous monitoring, analysis, and updating of correlation rules to minimize false positives (Type I errors where normal activity is mislabeled as malicious) and false negatives (Type II errors where actual malware or APT activities are not detected).
By systematically addressing known and unknown threats through these methods, HP aims to enhance their security posture against advanced persistent threats.
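The blacklist and expected-service checks above translate directly into correlation logic. The following Python is an added example written for this page, not code from the HP deck or from ArcSight; the internal range, the blacklist, the whitelist of expected services, the mail domain and the severity labels are all constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed data standing in for the enterprise's own lists (assumptions).
INTERNAL = ip_network("10.0.0.0/8")
BLACKLIST = [ip_network("203.0.113.0/24"), ip_network("198.51.100.7/32")]
OUR_MAIL_DOMAINS = {"example.com"}

# Whitelist: what each known service host is expected to listen on.
EXPECTED_SERVICES = {
    "10.0.1.10": {("tcp", 80), ("tcp", 443)},  # HTTP web server
    "10.0.1.20": {("tcp", 25)},                 # SMTP server, inbound and outbound mail
    "10.0.1.30": {("udp", 161)},                # the one host that may run SNMP
}
SMTP_SERVERS = {"10.0.1.20"}


@dataclass
class NetEvent:
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    rcpt_domain: str = ""  # SMTP recipient domain, when the mail gateway logs it


def is_internal(ip):
    return ip_address(ip) in INTERNAL


def is_blacklisted(ip):
    addr = ip_address(ip)
    return any(addr in net for net in BLACKLIST)


def correlate(ev):
    """Return a list of (severity, reason) tuples for one network event."""
    findings = []

    # Blacklist correlation: an internal host initiating contact to a listed
    # address outranks inbound contact from a listed address.
    if is_blacklisted(ev.dst_ip) and is_internal(ev.src_ip):
        findings.append(("high", f"{ev.src_ip} initiated outbound contact to blacklisted {ev.dst_ip}"))
    elif is_blacklisted(ev.src_ip):
        findings.append(("medium", f"inbound contact from blacklisted {ev.src_ip}"))

    # Whitelist deviation: a known service host reached on a port it should not serve.
    expected = EXPECTED_SERVICES.get(ev.dst_ip)
    if expected is not None and (ev.proto, ev.dst_port) not in expected:
        findings.append(("medium", f"{ev.dst_ip} contacted on unexpected {ev.proto}/{ev.dst_port}"))

    # Service that should not exist: SNMP traffic to an internal host with no whitelist entry.
    if ev.proto == "udp" and ev.dst_port == 161 and is_internal(ev.dst_ip) \
            and ev.dst_ip not in EXPECTED_SERVICES:
        findings.append(("medium", f"SNMP traffic to {ev.dst_ip}, which should not host SNMP"))

    # Relay check: an external sender handing our SMTP server mail for a foreign domain.
    if ev.dst_ip in SMTP_SERVERS and ev.dst_port == 25 and not is_internal(ev.src_ip) \
            and ev.rcpt_domain and ev.rcpt_domain not in OUR_MAIL_DOMAINS:
        findings.append(("high", f"{ev.dst_ip} used as mail relay for {ev.rcpt_domain}"))

    return findings


if __name__ == "__main__":
    # Constructed sample events.
    for ev in [
        NetEvent("10.0.5.5", "203.0.113.9", "tcp", 443),
        NetEvent("198.51.100.7", "10.0.1.20", "tcp", 25, rcpt_domain="other.test"),
        NetEvent("10.0.7.7", "10.0.9.9", "udp", 161),
        NetEvent("192.0.2.1", "10.0.1.10", "tcp", 80),
    ]:
        print(ev, "->", correlate(ev))
```

The whitelist and the "should not exist" rule are deliberately separate: a known host on the wrong port is a configuration deviation, whereas a service appearing on a host that has no entry at all is the signal the text singles out for SNMP.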
This text appears to be a document, or part of one, related to cybersecurity and threat detection in an enterprise environment, possibly from Hewlett-Packard (HP) or a similar technology company. It describes a system for detecting potential threats using IP addresses and network data after users open email attachments: the IPs are added to active lists and then analysed against various conditions and events.
The process starts with user interaction where an email attachment is opened, triggering a warning in Outlook due to possible security risks. Despite this alert, the user proceeds to accept the risk and opens the attachment. This action registers as an event, causing the IP address to be added to a temporary active list for 30 minutes.
Subsequent rules are then applied based on correlations:
Rule 1 Correlation involves looking at geographical location (GEO Location) in addition to other factors such as browsing events and host/user account activity, which leads to adding the IP address to a second active list or watchlist.
Rule 2 Correlation uses Netflow data including IP and bandwidth communication anomalies, DNS queries, and specific TCP packet sizes to assess high-degree correlation and potential threats.
For each rule, there are conditions that need to be met for further analysis:
For Rule 1, the condition is based on increased probability derived from factors like looking at IPs through a proxy or using different ports (22, 80, 443).
Rule 2 involves assessing certainty by examining anomalies in IP and event interactions.
After initial user interaction in the first event stage gate, additional events can be triggered:
- Antivirus events related to email usage
- Failed login attempts linked to email activity
- Propagation of firewall ports through emails
- Intrusion Prevention Systems (IPS)/Intrusion Detection Systems (IDS) events indicating possible data exfiltration with specific classification categories
- Online Certificate Status Protocol (OCSP) status for added security insights
- Use of Google Safe Browsing API to check the safety of websites accessed via email attachments
- Analysis of new services that may be spawned by the user's actions in response to the email content
- Geographical location data from where the user accesses the network, which can provide clues about the origin or potential threat source.
Bandwidth anomalies are also monitored as part of this process, with specific internal device interactions being tracked using Windows Management Instrumentation (WMI). The document concludes by mentioning that aggregation and analysis should be applied when users reach a second event stage gate after opening an email attachment, which could involve multiple aspects including antivirus events, failed login attempts, firewall port propagation, IPS/IDS alerts, OCSP status checks, Google Safe Browsing API interactions, netflow data on bandwidth usage, new service launches, geographical location details, and any observed anomalies in bandwidth.
This text provides a detailed framework for how an organization might detect potential threats through user behavior influenced by email attachments, leveraging multiple technological and network-based indicators to assess risks at various stages of user engagement with suspicious content.
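To make the stage-gate flow concrete, here is an added Python example, not code from the HP deck and not ArcSight rule syntax, of a 30-minute active list feeding a second-stage correlation. Only the 30-minute window and the indicator categories come from the text; the event type names, indicator weights, thresholds and the watchlist TTL are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

ATTACHMENT_WINDOW = 30 * 60  # seconds: the 30-minute active list from the text


class ActiveList:
    """Minimal ArcSight-style active list: entries expire after a TTL."""

    def __init__(self, ttl):
        self.ttl = ttl
        self.expiry = {}

    def add(self, key, now):
        self.expiry[key] = now + self.ttl

    def contains(self, key, now):
        exp = self.expiry.get(key)
        if exp is None:
            return False
        if now >= exp:          # lazily expire on lookup
            del self.expiry[key]
            return False
        return True


@dataclass
class Event:
    ts: int     # seconds since epoch
    kind: str   # event type produced by some log source
    host: str   # the desktop (or user) the event is attributed to


# Second-stage indicators from the text; the weights are constructed (assumption)
# and express how much each raises certainty that the attachment was malicious.
STAGE2_WEIGHTS = {
    "av_alert": 3,
    "failed_login": 1,
    "firewall_port_propagation": 2,
    "ips_exfil": 4,
    "ocsp_revoked": 2,
    "safebrowsing_unsafe": 3,
    "new_service": 3,
    "geo_mismatch": 2,
    "bandwidth_anomaly": 3,
}
WATCH_THRESHOLD = 3      # constructed
ESCALATE_THRESHOLD = 6   # constructed; escalation also needs two distinct indicator types


class StageGateCorrelator:
    def __init__(self):
        self.gate1 = ActiveList(ATTACHMENT_WINDOW)
        self.watchlist = ActiveList(24 * 3600)  # Rule 1's second list; TTL is an assumption
        self.score = defaultdict(int)
        self.kinds = defaultdict(set)

    def process(self, ev):
        """Feed one event; return the host's verdict, or None if not correlated."""
        if ev.kind == "attachment_opened":
            # Stage gate 1: the user accepted Outlook's warning and opened the attachment.
            self.gate1.add(ev.host, ev.ts)
            return "gate1"
        if not self.gate1.contains(ev.host, ev.ts):
            return None                      # outside the 30-minute window
        weight = STAGE2_WEIGHTS.get(ev.kind)
        if weight is None:
            return None                      # not one of the stage-2 indicators
        self.score[ev.host] += weight
        self.kinds[ev.host].add(ev.kind)
        verdict = self.verdict(ev.host)
        if verdict != "info":
            self.watchlist.add(ev.host, ev.ts)
        return verdict

    def verdict(self, host):
        s = self.score[host]
        if s >= ESCALATE_THRESHOLD and len(self.kinds[host]) >= 2:
            return "escalate"
        if s >= WATCH_THRESHOLD:
            return "watch"
        return "info"


def run(events):
    """Process a time-ordered event stream; return the final verdict per host."""
    c = StageGateCorrelator()
    results = {}
    for ev in sorted(events, key=lambda e: e.ts):
        v = c.process(ev)
        if v is not None and v != "gate1":
            results[ev.host] = v
    return results


# Constructed sample stream.
SAMPLE = [
    Event(0, "attachment_opened", "desk-017"),
    Event(45, "av_alert", "desk-017"),
    Event(300, "ips_exfil", "desk-017"),
    Event(0, "attachment_opened", "desk-042"),
    Event(2400, "failed_login", "desk-042"),  # 40 minutes later: window has closed
    Event(100, "ips_exfil", "desk-099"),      # never opened an attachment
]

if __name__ == "__main__":
    print(run(SAMPLE))
```

The point of the first gate is to bound the correlation: the same IPS alert on a desktop that never opened an attachment, or one that opened it an hour ago, is not joined to this rule chain and must be handled by other content.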
The provided text discusses the "Desktop-based Threat Landscape" and its characteristics. It outlines that this landscape involves unknown entry and exit points due to users not being within a restricted area (DMZ). The threat is mainly focused on deviations from corporate policy, which includes various user actions such as using USB drives, DVD/other media, or accessing email clients like MSN without explicit permission.
The environment is characterized by diverse desktops connected to the internet via non-corporate networks, often bypassing traditional firewalls and relying heavily on policies that are user-driven rather than centrally managed. The information contained herein suggests a lack of granular controls within this dynamic threat landscape, where business applications may have known vulnerabilities, but there's no clear classification for desktop systems or users regarding their security level.
Furthermore, the text refers to specific technologies and practices:
1. It mentions that desktops often do not contain diverse software or initiate network traffic, relying heavily on user policies to control internet access via browsing.
2. Applications are grouped without individual privileges, which can lead to vulnerabilities due to improper classification of users' roles within the system.
3. The text also describes the IP address ranges used by the company and its partners for VPN connections, along with other measures like risk exception registers and mitigation strategies.
4. Lastly, it differentiates between static (simple) rules in security systems versus dynamic rules that are more complex to implement but can adapt to changing conditions or threats.
Overall, this summary highlights the complexity of managing a desktop-based threat landscape where users have varying degrees of access based on policies and lack of granular controls, with potential vulnerabilities arising from deviations and a general lack of detailed classification for both desktops and users.
The text provided is a summary of various aspects related to network security, specifically focusing on detection and response mechanisms using ArcSight software. Here's an overview based on the text:
1. **Traffic Analysis for Anomalies**: If the traffic volume on a specific port exceeds its historical pattern by more than a standard deviation, it may indicate an anomaly such as a new worm, bot, or application attack, and triggers further investigation.
2. **Threat Detection Rules**: There are dynamic rules based on the severity of the attack (e.g., destructive attacks like Buffer Overflow versus a SYN scan), the importance of the target asset (critical server vs. workstation), and the reliability of the reporting device (SourceFire RNA or uncalibrated Snort). These factors determine whether to open a threat alert or escalate an existing threat instance.
3. **Alarm States**: The text describes different states alarms can go through in ArcSight, including triggered, dropped, and not triggered based on multiple events within 20 seconds or during specific phases of event occurrence.
4. **Dynamic Rule Correlation**: These rules help categorize threats as critical, major, minor, warning, or no alarm based on the stage of event occurrences. This helps in prioritizing responses effectively.
5. **Implementing ArcSight Solutions**: To apply these principles with ArcSight:
- Develop a comprehensive asset model including zones, ranges, assets, services, and vulnerability data.
- Integrate log sources like firewalls, IPS/IDS systems, email filters, and identity management systems.
- Create rules and formulas based on the asset model to prioritize threats effectively.
- Use whitelists for exceptions and blacklists as needed.
This summary provides a concise framework for understanding how network security measures can be implemented using advanced monitoring tools like ArcSight, focusing on proactive detection and response strategies tailored to different types of threats and assets.
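An added Python example, not code from the HP deck or from ArcSight, showing the three mechanisms above together: a per-port baseline with a standard-deviation threshold, the "multiple events within 20 seconds" trigger, and a dynamic priority that combines attack severity, asset importance and reporter reliability into the alarm categories listed. The factors, categories and the 20-second window are the text's; the numeric weights, the cut-offs and the open/escalate decision rule are assumptions.

```python
import statistics


def port_baseline(history):
    """Mean and population standard deviation of historical volume for one port."""
    return statistics.fmean(history), statistics.pstdev(history)


def traffic_anomaly(history, observed, k=1.0):
    """True when the observed volume exceeds the baseline by more than k standard
    deviations; k=1 is the literal reading of the rule in the text."""
    mean, sd = port_baseline(history)
    return observed > mean + k * sd


def multi_event_trigger(timestamps, minimum, window=20):
    """True if at least `minimum` events fall inside some `window`-second span
    (the 'multiple events within 20 seconds' trigger condition)."""
    ts = sorted(timestamps)
    start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:   # slide the window's left edge
            start += 1
        if end - start + 1 >= minimum:
            return True
    return False


# Constructed scoring tables (assumption: the deck names the factors, not the numbers).
SEVERITY = {"buffer_overflow": 5, "syn_scan": 1}            # destructive vs. reconnaissance
CRITICALITY = {"critical_server": 5, "workstation": 1}      # from the asset model
RELIABILITY = {"sourcefire_rna": 1.0, "snort_uncalibrated": 0.5}  # trust in the reporter

LEVELS = ["no alarm", "warning", "minor", "major", "critical"]


def alarm_level(attack, asset_class, reporter):
    """Combine attack severity, asset importance and reporter reliability into
    one of the text's alarm categories. Cut-offs are constructed."""
    score = SEVERITY[attack] * CRITICALITY[asset_class] * RELIABILITY[reporter]
    if score >= 20:
        return "critical"
    if score >= 12:
        return "major"
    if score >= 6:
        return "minor"
    if score >= 2:
        return "warning"
    return "no alarm"


def open_or_escalate(existing_level, new_level):
    """Decide whether a new observation opens a threat instance, escalates an
    existing one, or is aggregated into it (assumed decision rule)."""
    if new_level == "no alarm":
        return "ignore"
    if existing_level is None:
        return "open"
    if LEVELS.index(new_level) > LEVELS.index(existing_level):
        return "escalate"
    return "aggregate"


if __name__ == "__main__":
    # Constructed sample: five historical intervals of bytes on one port, then two observations.
    history = [100, 110, 90, 105, 95]
    print("baseline", port_baseline(history))
    print("120 anomalous?", traffic_anomaly(history, 120))
    print("105 anomalous?", traffic_anomaly(history, 105))
    print("3 events in 20s?", multi_event_trigger([0, 5, 18], 3))
    print(alarm_level("buffer_overflow", "critical_server", "sourcefire_rna"))
    print(open_or_escalate("warning", "major"))
```

Reliability is applied multiplicatively so that an uncalibrated sensor can at most halve a finding's priority; it never turns a destructive attack on a critical server into silence, which matches the intent of reporting on trust rather than suppressing.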
This text outlines several key points regarding network communications and compliance with policies within a network environment:
1. Network Communications from DMZ should not initiate connectivity into Datacentres or further into the network, ensuring that sensitive areas are protected.
2. Communications originating from public IP addresses (excluding B2B VPN) should only access designated public facing infrastructure as per asset range or category, with any deviation considered a policy violation.
3. The printer VLAN should not initiate network communications, to maintain security and prevent unauthorized use.
4. DataCentre 1 and 2 Client VPN Infrastructure is restricted to communication within their respective datacentre zones only.
5. DataCentre 1 and 2 B2B VPN Infrastructure can only communicate with the DMZ in Datacentre 1 and 2, maintaining a clear separation of functions.
6. Reporting and dashboard statistics are required for monitoring Client VPN Infrastructure communicating with the Management network.
7. Accessing devices such as printers, servers, firewalls, routers (from non-management networks) using default usernames is considered a policy deviation; raising the priority if it involves public IP addresses or specific VPNs.
8. Assets designated as finance-related should only be accessed via the specified desktop DHCP ranges, and management network access to these financial systems is restricted.
HP Development Company, L.P., provides significant insights into asset management and network security, emphasizing the importance of a secure environment for POS (Point of Sale) applications exposed to the internet. To ensure robust security measures are in place, several key policies and procedures are outlined as follows:
1. **Security Measures for POS Applications**: The company recommends that there should be no vulnerabilities on the POS applications visible from the internet. This involves regular monitoring and ensuring that access controls are strictly managed to prohibit unauthorized access.
2. **Network Segmentation**: All user access to the point of sales system database and webservers is restricted to the management network, which helps in limiting potential threats by segmenting critical systems from external networks.
3. **Account Access Control**: Only the service account from the database server may log in to the POS web servers, from within the internal DMZ to the POS internal DMZ, further restricting access and reducing risk.
4. **Network Traffic Controls**: The management network is the only segment allowed to initiate connectivity to the database server. This ensures that all interactions with sensitive data are tightly controlled and monitored.
5. **Baseline Network Flow for Anomalies**: A baseline network flow should be established to detect anomalies or unusual traffic patterns, which can include whitelisting of expected traffic types such as HTTP Post requests from internal networks to external servers and TCP SYN packets used in the initial phase of establishing a connection between systems.
6. **Data Traffic Analysis**: Monitoring trends in data sizes for both HTTPS (encrypted web traffic) and SQL (Structured Query Language) traffic helps in identifying potential security breaches or unusual activities that may indicate malicious activity.
To effectively manage these risks, HP utilizes the ArcSight toolset, which supports migration strategies to reduce risk through enhanced visibility and automated correlation of multiple event sources. This not only aids in detecting single events but also aggregates useful information from similar events, providing a more comprehensive understanding of potential threats and vulnerabilities.
In summary, the document highlights the importance of network security for POS applications, emphasizing strict access controls, network segmentation, and proactive monitoring using advanced analytics tools like ArcSight to identify and mitigate risks effectively.
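The zone rules in the previous section and the POS segmentation rules above share one shape: classify source and destination by zone or asset category, then test the pair against policy. The following Python is an added example covering both sets of rules; it is not from the HP deck or from ArcSight, and the address ranges, host categories, default-username list and service account name are constructed placeholders. Where the text is ambiguous (management access to finance assets) the code states its interpretation in a comment.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: everything else is "public"

# Constructed asset model: zone name -> networks (RFC 1918 placeholders).
ZONES = {
    "dmz_dc1": ["10.1.0.0/24"],        "dmz_dc2": ["10.2.0.0/24"],
    "datacentre_dc1": ["10.1.10.0/24"], "datacentre_dc2": ["10.2.10.0/24"],
    "client_vpn_dc1": ["10.1.200.0/24"], "client_vpn_dc2": ["10.2.200.0/24"],
    "b2b_vpn_dc1": ["10.1.201.0/24"],  "b2b_vpn_dc2": ["10.2.201.0/24"],
    "printer_vlan": ["10.50.0.0/24"],
    "management": ["10.99.0.0/24"],
    "desktop_dhcp": ["10.20.0.0/16"],
}
# Constructed asset categories (individual hosts), layered over the zones.
CATEGORIES = {
    "public_facing": {"10.1.0.10", "10.2.0.10"},
    "finance": {"10.1.10.50"},
    "pos_db": {"10.1.10.60"},
    "pos_web": {"10.1.0.20"},
}
DEFAULT_USERNAMES = {"admin", "root", "administrator"}  # constructed
POS_SERVICE_ACCOUNT = "svc_pos"                         # constructed


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    user: str = ""  # account used, when an authentication log is joined to the flow


def zone_of(ip):
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return "internal_other" if addr in INTERNAL else "public"


def dc_of(zone):
    """'dc1' / 'dc2' for datacentre-scoped zones, else None."""
    return zone.rsplit("_", 1)[-1] if zone.endswith(("_dc1", "_dc2")) else None


def evaluate(flow):
    """Return (priority, description) findings for one flow against the policy."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    out = []
    if s.startswith("dmz_") and d.startswith("datacentre_"):
        out.append(("high", "DMZ initiated connectivity into a datacentre"))
    if s == "public" and flow.dst not in CATEGORIES["public_facing"]:
        out.append(("high", "public source reached non-public-facing infrastructure"))
    if s == "printer_vlan":
        out.append(("medium", "printer VLAN initiated a connection"))
    if s.startswith("client_vpn_"):
        if d == "management":
            out.append(("report", "client VPN to management network (dashboard statistic)"))
        elif dc_of(d) != dc_of(s):
            out.append(("medium", "client VPN left its own datacentre zone"))
    if s.startswith("b2b_vpn_") and not d.startswith("dmz_"):
        out.append(("high", "B2B VPN reached a zone other than the DMZ"))
    if flow.user in DEFAULT_USERNAMES and s != "management":
        # Priority raised when the default account arrives from a public IP or a VPN.
        pri = "high" if s == "public" or "vpn" in s else "medium"
        out.append((pri, f"default username '{flow.user}' used from {s}"))
    # Interpretation: finance assets reachable from the desktop DHCP ranges and management only.
    if flow.dst in CATEGORIES["finance"] and s not in ("desktop_dhcp", "management"):
        out.append(("high", "finance asset accessed from outside permitted ranges"))
    if flow.dst in CATEGORIES["pos_db"] and s != "management":
        out.append(("high", "non-management source initiated connectivity to POS database"))
    if flow.dst in CATEGORIES["pos_web"] and flow.user:
        from_db_service = flow.src in CATEGORIES["pos_db"] and flow.user == POS_SERVICE_ACCOUNT
        if not (from_db_service or s == "management"):
            out.append(("high", f"login to POS web server by '{flow.user}' from {s}"))
    return out


if __name__ == "__main__":
    # Constructed sample flows.
    for f in [
        Flow("10.1.0.10", "10.1.10.5", 1433),
        Flow("203.0.113.50", "10.1.10.60", 1433, user="admin"),
        Flow("10.1.200.5", "10.99.0.3", 22),
        Flow("10.1.10.60", "10.1.0.20", 443, user="svc_pos"),
    ]:
        print(f, "->", evaluate(f))
```

Every rule is a pure function of the asset model, which is why the text insists on building zones, ranges and categories first: the same flow record is a violation or normal traffic depending only on how the endpoints are classified.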
This text discusses the use of ArcSight for event correlation and threat detection in a network environment. Key points include:
1. **Event Correlation**: ArcSight allows for complex correlations by utilizing Active Lists, Session Lists, and correlated rules to analyze data from multiple sources.
2. **Threat Detection Tools**: The text mentions creating Black Lists, White Lists, active lists, session lists, and bringing user and application context information into rules for more accurate detection.
3. **Industry Rebranding**: The industry is rebranding this process, although ArcSight/TippingPoint have been doing it for years, indicating a now-standardized approach to event correlation in cybersecurity.
4. **Trends to Detect**: The focus includes detecting anomalies related to network services and bandwidth, with the ability to correlate these issues across multiple sources.
5. **White Lists**: There are alternative methods for application context deviations, such as white lists, which can help in identifying normal behavior within an environment.
6. **Correlation Techniques**: The text highlights the use of correlation techniques to detect threats more effectively, including both positive and negative correlations as indicated by "+/ OR".
Overall, the passage emphasizes the importance of using advanced analytics and contextual information from multiple sources to improve threat detection in a networked environment, with an emphasis on flexibility and adaptability through industry rebranding.
This document appears to be related to cybersecurity and network analysis, specifically discussing a "Black List" and potential malicious activities detected by Hewlett-Packard (HP). Here's a summary of the key points found in this text:
1. **Multiple Entries with Copyright Notice**: Each page starts with a copyright notice from HP Development Company, L.P., indicating that the information is subject to change without notice. This suggests ongoing updates or changes in the content which might be related to network security measures or alerts.
2. **Correlation and Black List**: The text mentions "Black List Correlation" several times, implying a list of items (possibly IP addresses, domains, or other entities) that are considered suspicious or malicious based on certain criteria being correlated with potential threats. This could be part of an incident response system where HP tracks networks and systems linked to security incidents.
3. **GeoLocation +/ OR Data Model**: It refers to "GeoLocation" which could mean geographical location data, possibly used in conjunction with a data model that helps understand the network's structure or traffic patterns by incorporating geographic information. This might be part of an advanced threat detection system where localizing suspicious activity is crucial for analysis and response.
4. **Netflow Graph**: The term "Netflow" could refer to a type of flow data used in network monitoring, which helps track the movement of data across networks. A graph related to Netflow might represent visualizations or analyses derived from this data showing traffic patterns, spikes, or anomalies indicative of malicious activity.
5. **Source to Destination Traffic Spike**: This phrase suggests detecting an unusual increase in traffic between specific nodes (sources and destinations) on the network, which could be a sign of malware or other cyber threats attempting to communicate or exfiltrate data from the system.
6. **Light Dart - Malware**: Specifically mentioning "Light Dart" as malware indicates that this is not just any generic threat but a known malicious software identified by HP for its potential impact on network security. The mention of "Put request outbound to CC server" suggests an attempted action where data was being sent out from the system possibly towards another command and control (CC) server, indicating persistence or further malicious intent.
7. **Conclusion**: These entries highlight different aspects of detecting and analyzing cyber threats using HP's tools and methodologies. The list seems to be a part of their internal documentation for understanding and reacting to potential security incidents on their networks.
Overall, this text appears to be related to the internal processes or reports used by Hewlett-Packard in their cybersecurity operations, focusing on identifying and dealing with malicious activities such as malware threats through detailed analysis and reporting mechanisms.
This document is from Hewlett-Packard (HP) and discusses topics related to malware and rootkit behavior in the context of enterprise security. It appears to be a presentation or report from HP, possibly delivered at an event in June 2013, as indicated by "Las Vegas - June 2013". The information within is copyrighted and subject to updates without prior notice, adhering to standard copyright practices for ongoing information dissemination.
