
HP SIEM Kill Chain v0.1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 9 min read

Summary:

The document describes a structured method for detecting compromised hosts with a set of rules in a Security Information and Event Management (SIEM) system. The method follows a kill chain adapted from Lockheed Martin's Cyber Kill Chain and the SANS malware-forensics kill chain, and works stage by stage:

### Reconnaissance
- **Identify anomalies in inbound communication**: Detect unusual communication from external sources to the target host. If an email attachment contains a harmful file type, or the message comes from an untrusted sender, add the source IP address to a shortlist for further monitoring.

### Attack Delivery
- **Capture events of potential harm**: Look for accepted business file types (Microsoft Excel, PDF and the like) being opened on the host when they arrived from an untrusted source. When both conditions hold, add the source IP to the shortlist.

### Host Exploitation and Binary Installation
- **Enrich alerts about unauthorized software**: Cross-reference antivirus or antimalware alerts with other suspicious host activity, specifically registry changes and spawned processes. When both are seen, add the host's IP to a second shortlist and watch it for further signs of compromise.

### Command and Control
- **Detect C2 transactions**: Identify when the host communicates with a known malicious command and control (C2) server. If it does, raise an alert and add the IP address to the list of compromised hosts.

### Local Compromise
- **Monitor local system logs**: Watch for unauthorized account creation, privilege escalation, group policy changes, or termination of antivirus/antimalware processes. Add the IP to the shortlist, and raise an incident if the same IP appears more than once.

### Internal Reconnaissance
- **Look for network communication anomalies**: Detect deviations from the normal profile such as peer-to-peer traffic, HTTPS from systems not configured to use it, beaconing that tries to route traffic outside the network, or repeated internal connections with no business purpose. If these conditions are met and the IP is already on a shortlist, raise an incident.

### Lateral Movement
- **Identify transactions between devices**: Use specific Windows events (netstat output for program usage, remote registry or WMI for policy changes) to detect how the host reaches other devices. Add matching IPs to a shortlist; when an IP appears on it more than once, raise an incident indicating significant compromise.

### Summary of Key Elements
- **Rule-based detection**: Predefined rules trigger on policy modifications, unauthorized internal communication, unusual downloads, registry access and similar conditions.
- **Shortlists for tracking**: Two shortlists are used, shortlist1 for network anomalies and shortlist2 for host-level anomalies; both track IP addresses seen in suspicious activity.
- **Global correlation against watch lists**: Global rules check whether an address is present on these watch lists before an incident is raised, which filters out false positives and reduces false negatives.
- **Goal**: Improve threat detection while keeping the number of false alarms low, giving a framework for detecting and responding to breaches in near real time.

Details:

The document is a methodology and version-control log for the HP SIEM (Security Information and Event Management) product, focused on building use cases on the "HP SIEM Kill Chain." Its structure:

1. **Table of Contents** - Navigation points within the document.
2. **Document Control** - Administrative information such as authorship and update history.
3. **Version Control Log** - Version numbers, authors, changes made, and dates of updates.
4. **Introduction** - The purpose of the document: to introduce the HP SIEM kill chain methodology for use case creation.
5. **Kill Chain** - The stages of a cyber attack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2 (Command and Control), Actions on Objectives, and Stage and Exfiltration.
6. **Document Storage** - The document's storage location and versioning details.
7. **Version 0.1 Details** - Creation date and author of version 0.1.
8. **Document Circulation** - Not spelled out in the summary, but implied by the organizational chart referenced under "Introduction."

The document appears to be part of a larger series or manual on using HP SIEM products in security operations, in particular on creating use cases based on a kill chain model derived from real-world attacks.

A kill chain is a model for analysing security events in the context of attacker behaviour. It groups disparate events into meaningful contexts such as attack vectors, payload delivery profiles, and intrusion and compromise behaviours. Integrating the data sets behind these factors reduces both false negatives (events that are ignored) and false positives (investigation of irrelevant events). The document illustrates the methodology with high-profile incidents such as the RSA and Sony breaches, in which attackers first breached the perimeter to establish access, moved laterally to collect sensitive data, and finally exfiltrated it.

Three kill chain methodologies are introduced: Lockheed Martin's Cyber Kill Chain, the Malware Forensics Kill Chain described by the SANS Institute, and the HP SIEM Kill Chain. Each describes distinct stages (reconnaissance, external inbound scan, anomalous communication, and so on) against which security events are analysed. The purpose is a structured approach to use case development in tools like ArcSight and a clearer view of the risk attached to each area of the kill chain. In short, kill chains improve the analysis of attacks by giving context to disparate data sets and by reducing false positives and negatives.

The HP SIEM kill chain breaks an attack into the following stages:

1. **Weaponization**: A payload is built that pairs a remote access trojan with an exploit, often with automated tools that embed it in common file types such as Adobe Portable Document Format (PDF) or Microsoft Office documents. Coverage of this stage in the SIEM kill chain depends on third-party products recognizing the malicious binaries.
2. **Delivery**: The weapon is transmitted to the target environment, primarily by email attachment, websites hosting malicious content, or USB devices. These vectors carry the malware from an external source into the internal network.
3. **Exploitation**: Once the payload reaches the victim host, malicious code executes by targeting a software vulnerability or a user weakness that allows automatic code execution. A remote access trojan or backdoor is often installed here for long-term persistence.
4. **Host Exploitation**: A combination of the Lockheed Martin and SANS Institute stages, built on events from security tools such as Intrusion Prevention Systems (IPS) and antivirus software, and on operating system changes such as processes starting or stopping.
5. **Installation**: A remote access trojan or backdoor is installed to keep persistence in the compromised environment after exploitation.
6. **Internal to External Binary Acquisition**: Once the host is compromised, the malware contacts its source to download and install additional malicious software, over specific ports such as TCP 135 on Windows systems.
7. **Binary Installation**: Unusual events around binary payloads that indicate unknown or well-known malicious binaries, which point solutions do not detect but which can be inferred from changes in system behaviour or process usage.
8. **C2 (Command and Control)**: The compromised host contacts an Internet controller server to set up a C&C channel that allows manual interaction inside the target environment. This stage involves far more operator interaction than automated malware activity.
9. **Internal to External C&C Communication**: Continued communication between the compromised system and the external controller during the command and control phase, carrying on the malicious activity after exploitation.

Each stage matters for understanding how an attack progresses from initial access to a persistent presence in the network, and each points to something that must be monitored. After infection, the HP SIEM Kill Chain expects the machine to open a listener port for new binary updates or commands and to begin scanning other external victims on behalf of the botnet as a prelude to lateral movement. C2 transactions are identified by correlating source-to-destination communication, much as in the Lockheed Martin and SANS malware-forensics methods. HP recommends use cases that flag deviations from expected system behaviour using whitelists and asset models, and that look for network communication anomalies that may indicate data exfiltration or other malicious activity. The aim is to reduce false positives without missing critical security events.
The document then lays out a multi-stage process for detecting malicious activity inside a business network, covering reconnaissance, attack delivery, exploitation, command and control, local compromise, and lateral movement, with specific rules for each stage:

1. **Reconnaissance**: Identify anomalies in communication from external sources to target hosts. If an email attachment contains a harmful file type or comes from an untrusted sender, add the source IP address to a shortlist.
2. **Attack Delivery**: Capture events in which potentially harmful files are opened by users even though they are accepted business file types (e.g., Microsoft Excel or PDF documents). When these conditions are met, add the source IP address to the shortlist.
3. **Host Exploitation and Binary Installation**: Enrich antivirus or antimalware alerts by cross-referencing events that suggest unauthorized software installation. If both rule 1 (registry changes) and rule 2 (spawned processes) fire, add the source IP to a second shortlist.
4. **Command and Control**: Detect an IP address communicating with a known malicious command and control server. If detected, raise an alert and add the IP to the compromised host list.
5. **Local Compromise**: Monitor local operating system logs for unauthorized account creation, privilege escalation, group policy changes, or terminated antivirus/antimalware processes. Add the source IP to a shortlist when these conditions are met, and raise an incident if the IP appears more than once.
6. **Internal Reconnaissance**: Look for network communication anomalies that deviate from the standard profile, such as peer-to-peer traffic, HTTPS from systems not configured for it, beaconing that tries to route traffic outside the network, or repeated internal communication with no logical purpose. If these conditions are met and the IP is on a shortlist, raise an incident.
7. **Lateral Movement**: Identify transactions between devices from specific Windows events (e.g., netstat for program usage, remote registry or WMI for policy changes). Add matching IPs to a shortlist; if the same IP appears on the shortlist more than once, raise an incident.

This staged approach identifies and escalates threats progressively rather than on single events. The rules follow a kill chain derived from Lockheed Martin's model and are aimed at the stages where persistence has been established: changes to local host policy, anomalous internal communication, unauthorized data exfiltration, and so on. Correlated events feed shortlists, incidents are raised when specific rules trigger, and global correlation rules filter false positives and negatives by checking whether an IP address is present on the predefined watch lists (shortlist1 and shortlist2). The key elements include:

  • A series of rules that detect changes such as policy modifications, internal unauthorized communications, unusual data downloads, and registry accesses.

  • Correlating these events to identify potential threats by raising incidents when certain conditions are met.

  • Using shortlists (shortlist1 for network anomalies and shortlist2 for host-level anomalies) to track IP addresses involved in suspicious activities.

  • Filtering out false positives and false negatives automatically with global correlation rules that check each address against the watch lists.

  • The overall goal is to enhance threat detection while reducing the number of false alarms, providing a more comprehensive approach to detecting potential breaches before they can cause significant harm.
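The staged rules described in the Summary and in the numbered list above are easier to reason about when run over a concrete event stream. The following Python sketch is an added illustration, not code from the HP document or from ArcSight: it models shortlist1 and shortlist2 as in-memory hit counters, applies one rule per stage, raises an alert on known-C2 contact, and escalates to an incident when the same host reappears, including a global rule that fires once when a host is on both lists or is shortlisted and already confirmed talking to C2. The event schema, the reference lists, the stage names and the "more than once" thresholds are all assumptions, as is keying every event on the internal host address so that the stages can be correlated per host.

```python
"""Staged kill-chain correlation over a constructed event stream.
Added illustration, not code from the HP SIEM document or ArcSight. Event
schema, reference lists and thresholds are assumptions; events are keyed on
the internal host address so that stages can be correlated per host."""
from collections import defaultdict

# Assumed reference data; a real SIEM would read these from active lists/feeds.
HARMFUL_EXTENSIONS = {"exe", "scr", "js", "vbs"}
BUSINESS_EXTENSIONS = {"xls", "xlsx", "doc", "docx", "pdf"}
TRUSTED_SENDERS = {"partner.example"}
KNOWN_C2 = {"203.0.113.7"}      # documentation-range address
ASSET_WHITELIST = {"10.0.0.5"}  # asset model entry, e.g. an authorised scanner
LOCAL_COMPROMISE = {"account_created", "privilege_escalation", "group_policy_changed", "av_process_terminated"}
INTERNAL_RECON = {"p2p", "unexpected_https", "beaconing", "fan_out"}
LATERAL_MOVEMENT = {"remote_registry", "wmi_exec"}


class Correlator:
    def __init__(self):
        self.shortlist1 = defaultdict(int)  # network anomalies: ip -> hits
        self.shortlist2 = defaultdict(int)  # host anomalies: ip -> hits
        self.compromised, self._escalated = set(), set()
        self.alerts, self.incidents = [], []
        self._host_indicators = defaultdict(set)

    def process(self, ev):
        ip = ev["host"]
        if ip in ASSET_WHITELIST:  # known-benign source, suppress
            return
        getattr(self, "_rule_" + ev["stage"])(ip, ev)
        self._global_correlation(ip)

    # Recon/delivery: harmful type, or business type from an untrusted origin.
    def _rule_delivery(self, ip, ev):
        ext = ev["file"].rsplit(".", 1)[-1].lower()
        untrusted = ev.get("origin") not in TRUSTED_SENDERS
        if ext in HARMFUL_EXTENSIONS or (ext in BUSINESS_EXTENSIONS and untrusted):
            self.shortlist1[ip] += 1

    # Host exploitation: counts once registry change and spawned process both seen.
    def _rule_host(self, ip, ev):
        self._host_indicators[ip].add(ev["indicator"])
        if {"registry_change", "process_spawn"} <= self._host_indicators[ip]:
            self.shortlist2[ip] += 1

    # Command and control: destination on the known-C2 list.
    def _rule_c2(self, ip, ev):
        if ev["dst"] in KNOWN_C2:
            self.alerts.append(f"{ip} contacted known C2 {ev['dst']}")
            self.compromised.add(ip)

    # Local compromise: a second host-level hit on the same address escalates.
    def _rule_local(self, ip, ev):
        if ev["indicator"] in LOCAL_COMPROMISE:
            self.shortlist2[ip] += 1
            if self.shortlist2[ip] > 1:
                self.incidents.append(f"{ip}: repeated local compromise indicators")

    # Internal reconnaissance: anomaly from a host already on a shortlist.
    def _rule_internal_recon(self, ip, ev):
        if ev["anomaly"] in INTERNAL_RECON and (ip in self.shortlist1 or ip in self.shortlist2):
            self.incidents.append(f"{ip}: internal recon ({ev['anomaly']}) from shortlisted host")

    # Lateral movement: a second network-level hit on the same address escalates.
    def _rule_lateral(self, ip, ev):
        if ev["indicator"] in LATERAL_MOVEMENT:
            self.shortlist1[ip] += 1
            if self.shortlist1[ip] > 1:
                self.incidents.append(f"{ip}: repeated lateral movement activity")

    # Global rule: on both watch lists, or shortlisted and on the C2 list, escalates once.
    def _global_correlation(self, ip):
        on_list = ip in self.shortlist1 or ip in self.shortlist2
        on_both = ip in self.shortlist1 and ip in self.shortlist2
        if (on_both or (on_list and ip in self.compromised)) and ip not in self._escalated:
            self._escalated.add(ip)
            self.incidents.append(f"{ip}: present on multiple watch lists")


def run(events):
    c = Correlator()
    for ev in events:
        c.process(ev)
    return c


# Constructed sample stream: 10.0.0.23 walks the chain, 10.0.0.40 is isolated noise.
SAMPLE_EVENTS = [
    {"host": "10.0.0.23", "stage": "delivery", "file": "invoice.xlsx", "origin": "mailer.example"},
    {"host": "10.0.0.40", "stage": "delivery", "file": "report.pdf", "origin": "partner.example"},
    {"host": "10.0.0.23", "stage": "host", "indicator": "av_alert"},
    {"host": "10.0.0.23", "stage": "host", "indicator": "registry_change"},
    {"host": "10.0.0.23", "stage": "host", "indicator": "process_spawn"},
    {"host": "10.0.0.23", "stage": "c2", "dst": "203.0.113.7"},
    {"host": "10.0.0.23", "stage": "local", "indicator": "account_created"},
    {"host": "10.0.0.40", "stage": "internal_recon", "anomaly": "p2p"},
    {"host": "10.0.0.23", "stage": "internal_recon", "anomaly": "beaconing"},
    {"host": "10.0.0.5", "stage": "lateral", "indicator": "wmi_exec"},
    {"host": "10.0.0.23", "stage": "lateral", "indicator": "wmi_exec"},
]
```

Running `run(SAMPLE_EVENTS)` yields one alert (the C2 contact) and four incidents, all for 10.0.0.23: the global rule fires as soon as the host lands on both shortlists, then the local-compromise, internal-reconnaissance and lateral-movement rules each escalate on their own. The p2p anomaly from 10.0.0.40 is dropped because that host was never shortlisted, which is the false-positive filter the document describes, and the whitelisted scanner never enters a list at all. In a production SIEM the two counters would be active lists with a time-to-live, so a host that stops misbehaving ages out instead of staying shortlisted forever.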

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.

