Damballa Failsafe CEF Certified Configuration Guide
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
The "Common Event Format Configuration Guide for Damballa Failsafe" is a guide that helps organizations configure the Damballa Failsafe Connector to collect syslog events on Windows, Linux, and Solaris platforms. It requires version 4.0 or higher and is designed to help regain control over networks by isolating threats such as botnets or Advanced Persistent Threats (APTs). The configuration involves logging into the Failsafe Management Console, navigating to "Setup | Integration Settings," selecting "ArcSight SIEM" from the settings menu, and configuring ArcSight settings. The connector provides events related to suspicious hosts suspected of illicit communication with criminal Command-and-Control (CnC) infrastructure.
The guide includes mapping between Damballa's specific event definitions and ArcSight's data fields, specifying that vendor-specific events are mapped to corresponding ArcSight data fields in the Common Event Format (CEF). The provided table lists these mappings for the Damballa Failsafe Connector Field Mappings. An example ArcSight event related to a suspicious or compromised asset involves details such as version string, signature ID, device severity, category, custom labels and strings, asset information, and event timing. This format is crucial for interpreting and analyzing events related to compromised hosts within a network, providing detailed information about the incident's severity, type, timestamp, involved devices, and other relevant attributes.
The document explains that engaging in communications with Command and Control (CnC) servers during a cyber attack scenario involves using tools and techniques to communicate directly with malicious entities controlling compromised machines during an attack. This communication enables the attacker(s) to coordinate and direct attacks on multiple targets through infected hosts, making it crucial for security teams to monitor such activities and implement effective countermeasures to protect against ongoing threats.
Details:
The "Common Event Format Configuration Guide for Damballa Failsafe" outlines how to configure the Damballa Failsafe Connector for syslog event collection on Windows, Linux, and Solaris platforms. It specifies that version 4.0 or higher is required. The guide helps enterprise organizations regain control over their networks by isolating and terminating threats, such as botnets and Advanced Persistent Threats (APTs), that rely on network-based Command-and-Control (CnC).
The configuration process involves logging into the Failsafe Management Console, navigating to "Setup | Integration Settings," selecting "ArcSight SIEM" from the settings menu, and configuring the ArcSight settings, including enabling publishing and entering the hostname and port of the receiving connector. The connector provides two types of events, for suspicious hosts and for compromised hosts, both describing behavior indicative of illicit communication with criminal CnC infrastructure.
The document outlines the mapping between Damballa's specific event definitions and ArcSight's data fields. It specifies that when vendor-specific events are sent to the ArcSight SmartConnector, they are mapped to corresponding ArcSight data fields. The table provided lists these mappings for the Damballa Failsafe Connector Field Mappings, including details such as supported CEF version, device vendor, device product, and more. This mapping is crucial for interpreting and analyzing events related to compromised hosts within a network, providing detailed information about the event's severity, type, timestamp, involved devices, and other relevant attributes.
The provided document outlines a detailed description of an ArcSight event related to a suspicious or compromised asset identified as part of a botnet. The event, formatted in Common Event Format (CEF), contains various fields such as version string, signature ID, device severity, and more, all aimed at providing a comprehensive view of the incident. Key details include:
1. **Version String**: Indicates Version 4.0.
2. **Signature ID**: Uniquely identifies the event with an ID corresponding to suspicious activity or compromised status.
3. **Device Severity**: Rated as the integer 5 (a medium-level severity), a score reflecting the event's criticality.
4. **Event Category**: Described as "suspicious / compromised" under the category of device events.
5. **Custom Labels and Strings**: Features custom strings for labels and additional details, including botnet name and hostname.
6. **Asset Information**: Includes IP address, MAC address, source IP address, and host information (hostname) associated with the suspicious or compromised asset.
7. **Event Timing**: Specifies both event receipt time and start time of the reported incident.
8. **Notes and Other Information**: Clarifies that while primary details are mapped to source fields in CEF, secondary data like timestamps and other info will appear in target fields post-processing by ArcSight. The document also highlights Failsafe's reporting on hosts potentially involved in a botnet situation.
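A small parser for an event of the shape described above, added here as an illustration and not code from the guide or from Damballa. The sample line, the vendor and product strings, the signature ID and every field value in it are constructed assumptions; the CEF extension keys (cat, src, smac, shost, cs1/cs1Label, rt, start, msg) are standard CEF names.

```python
import re

# Constructed sample in the shape the guide describes: a 7-field CEF header
# followed by key=value extensions. Values here are assumed, not from the guide.
SAMPLE_EVENT = (
    "CEF:0|Damballa|Failsafe|4.0|100|Suspicious host|5|"
    "cat=suspicious / compromised src=10.0.0.25 smac=00:11:22:33:44:55 "
    "shost=ws-finance-07 cs1Label=Botnet cs1=example-botnet "
    "rt=1712560000000 start=1712559400000 msg=Host contacted CnC\\=infrastructure"
)

HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity")


def split_header(line):
    """Return the 7 pipe-delimited header fields and the remaining extension text.
    A backslash escapes the following character, so '\\|' does not end a field."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < len(HEADER_FIELDS):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            buf.append(line[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf, i = [], i + 1
        else:
            buf.append(ch)
            i += 1
    return fields, line[i:]


def parse_extensions(ext):
    """Split 'key=value' pairs; a key must follow whitespace, so an escaped
    '\\=' inside a value (as in the msg field) does not start a new pair."""
    keys = list(re.finditer(r"(?:^|(?<=\s))(\w+)=", ext))
    out = {}
    for m, nxt in zip(keys, keys[1:] + [None]):
        raw = ext[m.end():nxt.start() if nxt else len(ext)].strip()
        out[m.group(1)] = re.sub(r"\\(.)", lambda s: "\n" if s.group(1) == "n" else s.group(1), raw)
    return out


def parse_cef(line):
    header, ext = split_header(line)
    if len(header) != len(HEADER_FIELDS) or header[0] != "CEF:0":
        raise ValueError("not a CEF:0 event")
    event = dict(zip(HEADER_FIELDS, header))
    event["severity"] = int(event["severity"])  # device severity as an integer
    event["extensions"] = parse_extensions(ext)
    return event


def custom_strings(event):
    """Resolve csNLabel/csN pairs into label -> value, e.g. Botnet -> name."""
    ext = event["extensions"]
    return {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
```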
This passage discusses communication with Command and Control (CnC) servers during a cyber attack. In summary, this is what "engaging in communications with CnC servers" means:
In the context of cybersecurity, particularly when dealing with cyber attacks, organizations often utilize technologies like ArcSight for monitoring network traffic and detecting suspicious activities. When an organization suspects that their systems have been compromised or targeted by attackers, they may attempt to engage in communications with Command and Control (CnC) servers.
A CnC server is essentially a malicious entity controlled by the cyber attacker responsible for directing and coordinating multiple malware-infected machines known as "compromised" or "infected" hosts during an attack. These compromised hosts, without direct communication with the attackers' command center (the CnC), are unable to perform their assigned tasks effectively.
In this scenario, engaging in communications with Command and Control servers involves using specific tools and techniques to communicate with these malicious servers, enabling the attacker(s) to control or manipulate the compromised machines as part of an ongoing cyber attack. Observing this engagement is often critical for understanding the nature and progress of a cyber attack, allowing security teams to implement appropriate countermeasures to mitigate its impact or prevent further damage.
In summary, engaging in communications with Command and Control servers during a cyber attack refers to attempts to communicate directly with malicious entities controlling compromised machines during an attack. This communication enables the attacker(s) to coordinate and direct attacks on multiple targets through infected hosts, making it crucial for security teams to monitor such activities and implement effective countermeasures to protect against ongoing threats.