
HP SIEM Attack Life Cycle Use Case Methodology: A Technical White Paper

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

This text outlines a structured approach to cyber threat detection using HP's Attack Life Cycle methodology. The key points from the document:

1. **Initial Compromise** - Identifies potential malicious activity by monitoring peer-to-peer communications, HTTPS anomalies, beaconing, and multiple communications between desktops. IPs are added to a compromised host asset list if these rules indicate compromise.
2. **Lateral Movement** - Focuses on identifying event transactions between devices that involve specific Windows programs such as netstat, net logon, remote registry, WMI, policy editor, and psexec. IP addresses that repeat across stages 1 and 2 are considered security incidents.
3. **Establish Persistence** - Monitors changes to the local host such as policy event changes, internal communication anomalies, and large data downloads from external hosts that do not match usual patterns. Netflow events correlated with proxy server queries detect anomalous traffic. IPs added here go onto shortlist 2; a repeated or cross-listed IP indicates a security incident.
4. **Exfiltration** - Monitors Windows programs used to exfiltrate sensitive information, including NTbackup data backups, registry accesses, and changes to folder permissions across network shares. Violations add IPs to shortlist 2, and further incidents add them to the compromised host asset list.
5. **Incident Handling** - Correlated events that indicate potential compromise trigger incident alerts. Repeated appearances in multiple shortlists suggest a compromised IP, which is then added to the asset list for further investigation.

The methodology also discusses setting up shortlists for suspicious IPs and using SIEM technology to monitor these lists for anomalies. The HP Attack Life Cycle supports the reuse of use case rules across the various stages, providing defined threat coverage, reduced false positives, and enhanced situational awareness with actionable incidents.

Lastly, the article mentions email gateway performance analysis for security control evaluation, and how the methodology can be adapted to new threats efficiently while saving overhead in the process.

Details:

This technical white paper from HP discusses the concept of an "Attack Life Cycle" methodology, which is used to organize security events into a structured framework that focuses on both the attacker's actions and potential points of intrusion. The purpose of this method is to enhance analytic capabilities by combining different data sets related to attack vectors, payload delivery profiles, and intrusion compromise behaviors. This approach aims to reduce false negatives (events missed) and false positives (noise from point solutions), thereby improving situational awareness within a security information and event management (SIEM) system.

The white paper outlines three distinct models of the Attack Life Cycle: the Lockheed Martin Cyber Kill Chain, the Malware Forensics Kill Chain Method, and the HP Attack Life Cycle. It also introduces use cases that can be applied across various stages of an attack, such as phishing and data exfiltration, demonstrating how these can be developed using the ArcSight SIEM platform. The paper emphasizes the benefits of integrating security measures into a life cycle model rather than relying on standalone use cases, which often require manual review to validate indicators of compromise. The HP Attack Life Cycle methodology is designed to improve the development and deployment of use cases within an enterprise security environment, utilizing ArcSight SIEM capabilities for enhanced analysis of and response to cyber threats.

The diagram accompanying the white paper provides a visual representation of these attack life cycle methods, illustrating their stages and how they contribute to the overall process of detecting, preventing, and responding to cyber attacks. The HP Attack Life Cycle is a methodology used to describe security events in the context of stages for security intelligence and use case development.
It helps in understanding risk in particular areas of the attack life cycle by breaking it down into distinct phases: Reconnaissance, Weaponization, Delivery, Exploitation, and Host Exploitation.

1. **Reconnaissance**: This stage involves researching, identifying targets, and gathering information non-intrusively (Lockheed Martin) or through inbound scanning events (SANS Institute Malware Forensics). The HP Attack Life Cycle adds a reconnaissance or anomalous communication phase in which external sources communicate with target hosts that are considered attack vectors.
2. **Weaponization**: This involves using automated tools to couple remote access trojans with exploits into deliverable payloads, often in the form of client application data files (like Adobe Portable Document Format or Microsoft Office documents).
3. **Delivery**: The weapon is transmitted to the target environment through various means: email attachments, websites hosting malicious content, and USB removable media. The HP Attack Life Cycle considers delivery-related events such as spear phishing emails that exploit weaknesses in browsers or other third-party applications.
4. **Exploitation**: After delivery, exploitation triggers the intruder's code by targeting vulnerabilities in applications or operating systems, or by leveraging user actions that auto-execute code. Installation of a remote access trojan or backdoor provides persistence within the environment. Detection covers hosts exploited through open service ports, malicious email attachments, infected P2P media, and drive-by-download infections from malicious websites.
5. **Host Exploitation**: This phase involves monitoring events from third-party vendor products like Intrusion Prevention Systems (IPS), Antivirus, and Antimalware, as well as anomalies in network communications that deviate from normal patterns.

This methodology aids in understanding the life cycle of cyber attacks by identifying potential vulnerabilities at each stage, enabling proactive security measures to be implemented before more severe consequences occur.

The next part of the document discusses a remote access trojan or backdoor being installed on a victim system, which allows an adversary to maintain persistence inside the environment. The attack life cycle includes several stages:

1. **Installation**: An adversary installs a remote access trojan or backdoor, enabling them to stay in the compromised environment.
2. **Internal to External Binary Acquisition**: This stage involves communicating with the source of the attack and downloading a malicious binary payload to install on the compromised host.
3. **Binary Installation**: This stage detects events related to known attack payload delivery profiles, such as adding registry settings or an increase in Windows processes, which are not detected by point solutions like antivirus software.
4. **Command and Control (C2)**: Compromised hosts must establish a C2 channel by beaconing outbound to an Internet controller server, which requires manual interaction rather than automatic activity.
5. **Internal to External C&C Communication**: The infected machine establishes a listening port to accept new binary updates or commands, and scans other external victims for lateral movement within the botnet.
6. **Command and Control (C2) Continued**: Identifying communication with malicious code on computers, focusing on blacklisting malicious websites and IP addresses.
7. **Actions on Objectives**: After progressing through the initial stages, the adversary may aim to exfiltrate data from the victim environment or use the compromised host as a stepping stone to other systems for lateral movement.
8. **Internal to Internal and/or External Outbound Infection Scanning**: The infected host begins interacting with a larger botnet, scanning other external victims on behalf of the botnet to spread infection.
9. **Local Compromise**: Reviewing events of local compromise, focusing on actions like creating local accounts, privilege escalation, and altering file/folder permissions.
10. **Internal Recon**: The compromised host profiles the network to find other vulnerable targets or to locate target data of interest.
11. **Lateral Movement**: Moving from the initial compromised host to other hosts within the network, using tools like netstat to identify communication events.
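The C2 stage above hinges on beaconing: a compromised host contacting its controller on a timer, which in a well-filtered network may be visible only as a stream of firewall drop events. The following is an added example (not code from the HP white paper or from ArcSight) of the kind of correlation a SIEM rule would need to express: group connection attempts per source/destination pair and flag pairs whose inter-arrival times are nearly constant. The log format, the addresses (TEST-NET ranges), the minimum event count and the coefficient-of-variation threshold are all constructed assumptions for this illustration.

```python
"""Beacon detection over constructed firewall log lines.

Added example, not from the HP white paper or ArcSight. Log format, IPs and
thresholds are constructed for the illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: "<epoch_seconds> <src_ip> <dst_ip> <action>"
# 10.0.0.5 retries the same controller every ~60 s and is dropped each time;
# 10.0.0.7 shows bursty, human-like traffic that is allowed through.
SAMPLE_FIREWALL_LOG = """\
1000 10.0.0.5 203.0.113.10 drop
1060 10.0.0.5 203.0.113.10 drop
1120 10.0.0.5 203.0.113.10 drop
1181 10.0.0.5 203.0.113.10 drop
1240 10.0.0.5 203.0.113.10 drop
1300 10.0.0.5 203.0.113.10 drop
1005 10.0.0.7 198.51.100.20 allow
1017 10.0.0.7 198.51.100.20 allow
1300 10.0.0.7 198.51.100.20 allow
1302 10.0.0.7 198.51.100.20 allow
1900 10.0.0.7 198.51.100.20 allow
"""


def parse_firewall_log(text):
    """Parse the constructed log format into (timestamp, src, dst, action) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, action = line.split()
        events.append((int(ts), src, dst, action))
    return events


def find_beacons(events, min_events=5, max_cv=0.15):
    """Return {(src, dst): {"interval": mean_gap, "cv": cv, "drops": n}} for
    flows whose inter-arrival times are nearly constant.

    cv is the coefficient of variation (population stdev / mean) of the gaps
    between successive attempts: timer-driven beacons are regular (low cv),
    human-driven traffic is bursty (high cv). Both thresholds are assumptions
    to be tuned per environment.
    """
    by_flow = defaultdict(list)
    drops = defaultdict(int)
    for ts, src, dst, action in events:
        by_flow[(src, dst)].append(ts)
        if action == "drop":
            drops[(src, dst)] += 1
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[flow] = {"interval": avg, "cv": cv, "drops": drops[flow]}
    return beacons


def beaconing_sources(beacons):
    """Source IPs to add to the SIEM shortlist for analyst review."""
    return sorted({src for src, _ in beacons})


if __name__ == "__main__":
    found = find_beacons(parse_firewall_log(SAMPLE_FIREWALL_LOG))
    for (src, dst), info in found.items():
        print(f"{src} -> {dst}: every ~{info['interval']:.0f}s, "
              f"cv={info['cv']:.3f}, {info['drops']} drops")
    print("shortlist candidates:", beaconing_sources(found))
```

The drop count is carried alongside the interval because, in the methodology described here, a regular outbound pattern that is being blocked is exactly the "beaconing that shows as firewall drop events" the internal reconnaissance rules look for; the source IP then goes onto a shortlist rather than raising an incident on its own.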
This life cycle is part of a technical white paper and focuses on use cases related to HP's Attack Life Cycle methodology, aiming to address specific aspects such as correlation of communications for command and control activities, detection of malicious binaries, and protection against advanced persistent threats. The HP Attack Life Cycle is a model that outlines the stages of an attack, from initial compromise through data exfiltration. In this context, persistence refers to the actions an attacker takes to establish and maintain a presence within a network. This might involve setting up new communication services (e.g., HTTPS), finding unknown processes on multiple hosts, or adding new binaries to compromised systems.

Phishing attacks are a significant business risk, as they target specific users with malicious emails containing harmful attachments or URLs. These use cases focus on filtering and correlating events from various point solutions to detect potential threats more effectively. For instance, the HP Attack Life Cycle use case for phishing defines rules that capture email attachments of potentially harmful file types (e.g., Microsoft Excel, PDF documents) when sent by untrusted sources or internal IPs. The stages in this use case are:

1. **Reconnaissance/Anomalous Communications**: Communications from external sources to target hosts, triggered by malicious emails.
2. **Attack Delivery**: Identifying opened attachments that are potentially harmful but accepted for everyday business use.
3. **Host Exploitation and Binary Installation**: Detecting events where antivirus or anti-malware software raises alerts, correlated with IP addresses found on shortlist 1. Specific rules include registry changes and unknown process spawns.
4. **Command and Control**: Checking whether the source IP address communicates with known malicious command and control servers; a match raises an incident alert and adds the IP to a compromised host list.
5. **Local Compromise**: Monitoring local operating system logs for events such as account creation, privilege escalation, group policy changes, or termination of antivirus/anti-malware software processes. All of these rules add the source IP address to shortlist 2.

Overall, this methodology aims to provide a comprehensive approach to detecting and responding to potential threats by reducing false positives through event filtering and correlation.

The next section outlines a methodology for detecting and responding to potential cyber attacks using HP's Attack Life Cycle model. It involves setting up rules based on network communication anomalies that can indicate different stages of an attack, such as internal reconnaissance, lateral movement, establishing persistence, and exfiltration. Key points from the text:

1. **Internal Reconnaissance**: Rules focus on detecting deviations from known white list profiles in network communications. Specific rules include monitoring peer-to-peer communications, HTTPS anomalies between desktops and servers without a corresponding service, beaconing activity trying to reach the internet (which may show up as firewall drop events), and multiple communications where both source and destination are desktops. If these rules indicate compromise, IP addresses are added to a compromised host asset list.
2. **Lateral Movement**: This stage involves identifying event transactions between devices rather than just communications. Rules include monitoring Windows programs that use netstat, net logon, remote registry, WMI, policy editor, and psexec. If an IP address appears more than once on shortlist 2, or if it is also on shortlist 1, this is considered a security incident.
3. **Establish Persistence**: The rules in this stage focus on detecting changes to the local host such as policy event changes, internal communication anomalies, and large data downloads from external hosts that do not match usual patterns.
   Netflow events are correlated with proxy server queries to detect anomalous traffic. Any IP address indicated by these rules is added to shortlist 2, and if it appears repeatedly or is also on shortlist 1, an incident alert is raised.
4. **Exfiltration**: At this stage, the focus is on consolidating data and exfiltrating it from the network. Rules include monitoring Windows programs that use NTbackup for data backup, registry accesses that indicate sensitive information (the Windows SAM file), and changes in folder permissions across network shares. If any of these rules are violated, the IP address is added to shortlist 2, and multiple incidents can lead to adding an IP to the compromised host asset list.
5. **Incident Handling**: Any correlation event produced by these rules that indicates potential compromise triggers an incident alert, and if the same source IP appears in multiple shortlists, it is considered compromised and added to the asset list for further investigation.

The text does not provide a diagram or visual representation, but it outlines a structured approach to cyber threat detection using predefined rules based on HP's Attack Life Cycle methodology.

The document then outlines a methodology for addressing perimeter attacks on DMZ hosts within an organization's network, focusing on risk mitigation using SIEM technology and security operations. The approach involves setting up rules based on specific indicators of compromise (IoCs) to detect malicious activity in the reconnaissance and attack delivery stages of the attack life cycle. Key components include:

1. Setting up shortlists for events of interest, such as IP addresses that exhibit packet anomalies or known bad IPs attempting connections. These are added to a "suspicious IP address short list" that is monitored through firewall and intrusion prevention system logs.
2. If an IP appears multiple times on the suspicious list, it may be added to a threat intelligence active list to filter false positives.
3. Rules for reconnaissance include detecting network scans and anomalous external connection attempts (SYN, ACK, FIN packets). For attack delivery, rules focus on exploitation attempts and on attempts targeting sensitive or high-priority assets with known vulnerabilities.
4. All detected events trigger alerts that add the source IP address to a suspicious list for further review in the SIEM system.

The methodology emphasizes quick triage and action based on the priority and sensitivity of the affected assets.

The HP Attack Life Cycle use case methodology is designed to improve threat detection by layering events and using indicators of compromise throughout the attack life cycle stages. It includes rules for adding compromised hosts and suspicious IP addresses to active lists, triggering alerts when outbound communication matches these lists, and reducing false positives through a layered security approach. Benefits include defined threat coverage, reduced false positive rates, fewer false negatives, enhanced situational awareness with actionable incidents, event visualizations, and metrics for continuous improvement against threat actors.

The article also discusses the use of email gateway performance analysis to assess security controls by examining a filtered list of events called the "shortlist" or "active list." This method enables quantitative evaluation and comparison of an email gateway's effectiveness in filtering out harmful attachments. Furthermore, it highlights how the HP Attack Life Cycle supports the reuse of use case rules across the various stages of the attack life cycle for multiple risks. This approach positions each phase of the attack life cycle as a compensating security control that can be assessed within a risk framework. The advantages include time and resource efficiency in adapting use case rules to new threat vectors, as well as saving overhead during that process.
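The phishing use case, the internal reconnaissance/lateral movement/persistence rules and the incident handling rule all share one mechanism: individual rules only add a host to a shortlist, and an incident is raised when a host is repeated on shortlist 2, appears on both shortlists, or matches a known command and control server. The block below is an added example (not code from the white paper or from ArcSight) that implements that escalation logic over a constructed event stream, and also records the email gateway's block/deliver verdict on risky attachments so the gateway can be scored from the same shortlist, as the security-control evaluation paragraph describes. The event field names, the risky attachment types, the lateral-movement tool list, the C2 address (a TEST-NET-3 address) and the escalation thresholds are assumptions for the illustration.

```python
"""Shortlist / active-list correlation modelled on the HP Attack Life Cycle
escalation logic. Added example, not code from the white paper or ArcSight;
field names, lists and thresholds are assumptions.
"""
from collections import Counter

# Assumptions: attachment types the page calls potentially harmful but accepted
# for everyday business use, Windows tools associated with lateral movement,
# local-compromise event types, and a constructed threat-intelligence entry.
RISKY_ATTACHMENT_TYPES = {"xls", "xlsx", "doc", "docx", "pdf"}
LATERAL_MOVEMENT_TOOLS = {"netstat.exe", "psexec.exe", "wmic.exe", "reg.exe"}
LOCAL_COMPROMISE_EVENTS = {"account_created", "privilege_escalation",
                           "group_policy_change", "av_process_terminated"}
KNOWN_C2_SERVERS = {"203.0.113.66"}


class AttackLifeCycleCorrelator:
    """Rules add the affected internal host ("host_ip") to a shortlist; the
    cross-list / repeat rule promotes it to the compromised host asset list."""

    def __init__(self):
        self.shortlist1 = Counter()      # attack delivery hits per host
        self.shortlist2 = Counter()      # local compromise / lateral hits per host
        self.compromised_hosts = set()   # the compromised host asset list
        self.incidents = []              # (host_ip, reason) pairs raised
        self.gateway_stats = Counter()   # risky attachments "blocked"/"delivered"

    def _raise_incident(self, ip, reason):
        if ip not in self.compromised_hosts:   # one incident per host
            self.compromised_hosts.add(ip)
            self.incidents.append((ip, reason))

    def handle(self, event):
        kind = event["type"]
        ip = event["host_ip"]
        if kind == "email":
            ext = event.get("attachment_ext", "").lower()
            if ext in RISKY_ATTACHMENT_TYPES and not event.get("trusted_sender", False):
                verdict = event.get("gateway_action", "delivered")
                self.gateway_stats[verdict] += 1      # gateway performance metric
                if verdict == "delivered":            # attachment reached the host
                    self.shortlist1[ip] += 1
        elif kind == "av_alert" and ip in self.shortlist1:
            self._raise_incident(ip, "AV/anti-malware alert on shortlist 1 host")
        elif kind == "outbound" and event.get("dst_ip") in KNOWN_C2_SERVERS:
            self._raise_incident(ip, "communication with known C2 server")
        elif kind in LOCAL_COMPROMISE_EVENTS:
            self.shortlist2[ip] += 1
        elif kind == "process" and event.get("image", "").lower() in LATERAL_MOVEMENT_TOOLS:
            self.shortlist2[ip] += 1

        # Incident handling rule: repeated on shortlist 2, or on both shortlists.
        # (Reading a Counter key that is absent returns 0 without inserting it.)
        if self.shortlist2[ip] > 1 or (self.shortlist2[ip] and ip in self.shortlist1):
            self._raise_incident(ip, "repeated or cross-listed on shortlists")

    def gateway_effectiveness(self):
        """Fraction of risky, untrusted attachments the gateway blocked."""
        total = sum(self.gateway_stats.values())
        return self.gateway_stats["blocked"] / total if total else 0.0


# Constructed event stream (not real telemetry).
SAMPLE_EVENTS = [
    {"type": "email", "host_ip": "10.0.0.9", "attachment_ext": "pdf",
     "trusted_sender": False, "gateway_action": "delivered"},
    {"type": "email", "host_ip": "10.0.0.9", "attachment_ext": "xlsx",
     "trusted_sender": False, "gateway_action": "blocked"},
    {"type": "av_alert", "host_ip": "10.0.0.9"},                      # incident
    {"type": "process", "host_ip": "10.0.0.12", "image": "PsExec.exe"},
    {"type": "account_created", "host_ip": "10.0.0.12"},              # incident
    {"type": "process", "host_ip": "10.0.0.20", "image": "netstat.exe"},
    {"type": "outbound", "host_ip": "10.0.0.30", "dst_ip": "203.0.113.66"},  # incident
    {"type": "email", "host_ip": "10.0.0.40", "attachment_ext": "txt",
     "trusted_sender": False, "gateway_action": "delivered"},
]


def run_sample():
    """Feed the constructed events through the correlator and return it."""
    correlator = AttackLifeCycleCorrelator()
    for event in SAMPLE_EVENTS:
        correlator.handle(event)
    return correlator


if __name__ == "__main__":
    c = run_sample()
    for ip, reason in c.incidents:
        print(f"INCIDENT {ip}: {reason}")
    print("compromised host asset list:", sorted(c.compromised_hosts))
    print("still only on shortlist 2:", sorted(c.shortlist2.keys() - c.compromised_hosts))
    print(f"gateway blocked {c.gateway_effectiveness():.0%} of risky attachments")
```

The single netstat execution on 10.0.0.20 stays on shortlist 2 without an incident, which is the false-positive reduction the page attributes to the layered approach: a lone indicator is recorded, and only a second indicator on the same host (or a cross-list match) escalates it.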
The article concludes with information about HP's services at hp.com/go/espservices, encouraging readers to sign up for updates or share their feedback on the document. It also informs that copyright is held by Hewlett-Packard Development Company, L.P., and that changes in information may occur without notice. The only warranties mentioned are those set forth in accompanying warranty statements.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
