HP SIEM Kill Chain v0.2_1
- Pavan Raja

- Apr 8, 2025
- 14 min read
Summary:
This document outlines a structured method for detecting potential security threats within a network using specific rules and correlation techniques in a SIEM system. The process is designed to identify deviations that might indicate malicious activity, organised around the stages of an attack known as the Kill Chain. Here is a summary and analysis of how these rules are interconnected:
### **Kill Chain Stage; Lateral Movement**

This stage focuses on identifying events where unauthorized access has been extended within the network. The primary methods used to detect this include:

- **Rule 1**: Audits Windows programs using netstat, adding IPs to shortlist2 if they exhibit signs of lateral movement through network connections.
- **Rule 2**: Logs net use events that can indicate unauthorized sharing or access across systems.
- **Rule 3** through **Rule 6**: These rules focus on specific tools and techniques used by attackers for persistence, including psexec, remote registry, WMI (Windows Management Instrumentation), and policy changes affecting the source IP address. All of these add IPs to shortlist2 if they are involved in actions suggesting ongoing access without detection.

### **Correlation Rules**

These rules help consolidate evidence across multiple sources to enhance the accuracy of threat detection:

- **Correlation Rule 1**: If an IP appears on shortlist2 more than once, it is flagged as a potential incident, indicating persistence or repeated unauthorized access.
- **Correlation Rule 2**: A strong indication of malicious activity when rules 1 through 6 all point to the same IP in shortlist1; this rule helps identify coordinated and persistent threats that might otherwise have been missed.

### **Kill Chain Stage; Establish Persistence**

This stage involves maintaining unauthorized access within the network, often using legitimate-looking actions:

- **Rule 1**: Monitors changes to Windows policy settings related to file and folder access that could suggest persistence mechanisms are being established.
- **Rule 2**: Detects internal communications over unknown or specific communication channels like HTTPS, which might indicate an ongoing presence within the network without detection.
- **Rule 3**: Anomalies in netflow data indicating large outbound downloads from a host can suggest attempts at exfiltration of sensitive information, adding IPs to shortlist1 as potential indicators of compromise.

### **Summary and Significance**

These rules form part of an integrated approach to cybersecurity that uses both rule-based detection and correlation techniques to enhance the SIEM system's ability to detect threats effectively. By focusing on stages of the attack cycle, these rules help narrow down possible incidents and improve response times by prioritizing alerts based on the likelihood of being actual breaches rather than false positives or benign activities.
The use of shortlists (shortlist1 and shortlist2) for potential incident IPs is a strategic way to manage alerts, ensuring that resources are directed towards the most critical issues first. This method helps in balancing between minimizing alert fatigue and promptly addressing genuine security threats within an organization’s network infrastructure.
Details:
This document outlines a methodology for creating use cases using HP SIEM (Security Information and Event Management) tools, focusing on the "kill chain" concept. The kill chain is a model that helps in understanding how an intrusion occurs step-by-step from reconnaissance through exfiltration. It consists of several stages including:
1. **Reconnaissance** - Involves gathering information about the target before any penetration (external to inbound scan or anomaly communication).
2. **Weaponization** - Creation of exploit code tailored for the specific target system.
3. **Delivery** - Deploying the weaponized code, which can be through email attachments, malicious software updates, etc.
4. **Exploitation** - The actual use of the exploited vulnerability to gain access into the network (external to internal inbound exploit).
5. **Host Exploitation** - Further actions taken on compromised hosts to establish a presence and gather more information or install additional tools.
6. **Command and Control (C2)** - Establishing communication between the attacker's control server and the compromised systems.
7. **Actions on Objectives** - Performing various activities on the targeted system(s), including infection scanning, local compromise, lateral movement, establishing persistence, and exfiltration of data.
This methodology is designed for advanced users who are familiar with ArcSight use case capabilities and general security products. The document provides a structured approach to creating detailed and effective security use cases that can be implemented using HP SIEM tools.
The article discusses a method for detecting cyber threats that involves not relying solely on point solutions like intrusion prevention systems (IPS) which often generate too many false positives or negatives. Instead, it suggests using multiple event indicators to improve detection accuracy and reduce the impact of such errors. This approach is particularly relevant in today's cybersecurity landscape where attacks are increasingly complex and multi-stage, involving stages like initial breach, lateral movement, collection of additional credentials/privileges, and data exfiltration.
The method involves analyzing attack-vector payload delivery profiles and intrusion compromise behaviors to uncover events that might be overlooked by traditional security tools. This helps in avoiding false negatives (ignoring potential threats) and managing the noise generated by too many alerts from IPSs, which can lead to false positives. The goal is to use these indicators as clues of a possible compromise, allowing for better threat detection through event correlation and enhancing situational awareness with post-correlation analysis to define more complex cyber attacks like command and control (C2) or data theft events.
The article also references industry discussions and analyses of high-profile breaches such as the RSA and Sony incidents, which revealed that these attacks followed a distinct multi-stage approach to infiltrating organizations' networks. While much attention is paid to stopping an initial breach, less focus is given to following through on a staged compromise process. The article outlines each stage of a kill chain attack: starting with breaching the network perimeter, establishing a backdoor connection for toolkits and payloads, moving laterally across the network to collect more credentials or elevate privileges, and finally collecting and exfiltrating data. This methodology is similar to Mandiant's published cyber kill chain analysis.
To summarize, Hewlett-Packard (HP) has developed its own methodology called the "ArcSight SIEM Kill Chain" to enhance their ArcSight SIEM's capabilities for use case development and security event analysis. This methodology is based on three different kill chain models: Lockheed Martin Cyber Kill Chain, Malware Forensics Kill Chain as described by SANS Institute, and HP SIEM Kill Chain.
The Lockheed Martin Cyber Kill Chain includes phases such as Reconnaissance (researching targets without intrusion), which involves gathering information about a target network; Weaponization (creating an attack tool for the malware); Delivery (transferring the weaponized code to the target's system); Exploitation (using vulnerabilities in the software to execute malicious actions on the target's system); Installation (installing malware onto the target system); Command and Control (establishing communication between the attacker and the compromised system); Actions on Objectives (the final stage involving data theft or other harmful activities).
The Malware Forensics Kill Chain includes phases such as Reconnaissance (External to Inbound Scan), where an active reconnaissance scan is performed against a target network and any detectable scan is recorded as an event in the malware forensics process. The SANS Institute's Malware Forensics Kill Chain also includes phases such as Reporting and Storage of Incident Data, Analysis of Incident Data, and Response to Incidents.
The HP SIEM Kill Chain focuses on security event analysis within specific stages for intelligence gathering and use case development. It includes a reconnaissance phase that involves initial communications from an external source (considered attack vectors) to target hosts, followed by exploitation of vulnerabilities in the software to execute malicious actions. The phases are: Reconnaissance or anomaly communication from an external source to target host(s), Exploitation using vulnerabilities, Installation of malware, Command and Control for establishing communication between attacker and compromised system, Actions on Objectives (harvesting data or causing other harmful effects).
Each kill chain method is designed to help understand use case risks in a particular area within the overall kill chain methodology. The phases are interconnected and provide different perspectives on how cyber threats evolve and can be detected using SIEM tools.
The article discusses various methods used to reconnoiter networks and their potential threats, including weaponization and delivery mechanisms. It highlights that while external sources such as the internet may be considered when securing network perimeters, internal insiders or compromised hosts can also pose significant risks. Techniques for reconnaissance include very slow scanning that doesn't trigger specific alerts in firewalls or intrusion prevention systems, communication from known bad or blacklisted source addresses, unusual geo-location sources, and deviations from normal network communication patterns (whitelisted or expected).
The article then moves on to discuss weaponization, which involves bundling a remote access trojan with an exploit within a payload, often through automated tools like weaponizers. The delivery of such weapons is crucial in this stage, where the primary vectors are email attachments, malicious content hosted on websites, and USB devices. These methods can lead to significant false positive events due to the complexity and variety of tactics used by attackers.
In conclusion, understanding and addressing these reconnaissance techniques, weaponization methods, and delivery mechanisms is crucial for effectively managing network security using HP's SIEM kill chain approach. This includes considering internal threats and balancing the potential for high numbers of false positives with the need to detect real threats.
The text discusses various aspects related to exploitation and malware within computer systems, focusing mainly on stages involved in their lifecycle. These include external to inbound exploit detection, host exploitation, and installation phases.
External to Inbound Exploit Detection involves monitoring for events such as open service ports being exploited directly, malicious email attachments, infected P2P media files, or drive-by downloads from malicious websites. This process is crucial in identifying potential threats that might infiltrate a system.
Host Exploitation within SIEM (Security Information and Event Management) kill chains involves considering various events such as those detected by third-party security tools like Intrusion Prevention Systems, Antivirus, and Antimalware, changes to the operating system including new or stopped processes, and communications traffic across networks. This stage also takes into account correlated vulnerability information and network asset model data for a comprehensive view of potential threats.
Installation is another phase in the malware lifecycle where an adversary installs remote access trojans or backdoors on the compromised host to maintain persistence within the system environment. Following this, Internal to External Binary Acquisition involves downloading malicious payloads from the attacker's source after initial compromise. This sequence highlights how these stages form a continuous loop of potential threats and detection efforts in cybersecurity measures.
The text describes various stages in the lifecycle of malware infections, particularly focusing on how they can be detected and mitigated through tools like SIEM (Security Information and Event Management) systems or antivirus software. It outlines a process starting from initial compromise of a host, such as via exploits targeting Windows DCE/RPC ports, to establishing a Command and Control (C2) channel with an external server.
In the "Binary Installation" stage, specialized detection methods are used that go beyond standard antivirus software, looking for unknown or known malicious binaries by analyzing events against attack payload delivery profiles. This includes checking for changes in registry settings, increased process count, termination of protection software services, and other heuristic indicators like memory usage.
During the "C2" stage, once a host is compromised, it needs to establish communication with an external server (the C2 channel) to continue its activities. APT malware typically requires manual interaction for further actions. Once established, this connection allows direct interaction within the target environment, providing access similar to having physical control of the keyboard and mouse.
The final stage described is "Internal to External C&C Communication," where the infected machine sets up a port to receive updates or commands from its command center (C2). It also scans other networks for potential victims to expand the botnet through lateral movement, which can be monitored by analyzing source-destination communication. This phase involves identifying and blocking malicious IP addresses and domains used for C&C communications as part of malware prevention efforts.
The text discusses various aspects of cybersecurity related to threat detection and response. It focuses on the stages of an attack known as the Kill Chain, which is part of the Lockheed Martin methodology. These stages include registration, reconnaissance, weaponization, delivery, exploitation, installation, command and control, and exfiltration.
The text also mentions HP's recommendations for detecting compromised domains used by attackers for command and control purposes. It suggests using whitelists and asset models based on use cases to flag deviations from expected behaviors. After the initial phases of an attack comes Actions on Objectives, in which data exfiltration may occur: information is collected, encrypted, and extracted from the victim's environment.
Furthermore, the text describes internal aspects of an infection such as botnet scanning for external infections and local compromise which involves reviewing events to understand how the system was compromised. The stage also includes reconnaissance activities by a compromised host to profile the network in search of other vulnerable targets.
The HP SIEM (Security Information and Event Management) Kill Chain is a model that outlines the stages an attacker goes through after gaining access to a network. This includes initial access, establishing persistence, lateral movement, executing actions for exfiltration of data, and more. Use cases within this framework are designed to identify specific events related to these stages, such as using command line tools like netstat to track communications or looking for unusual activities like new service spawns or encrypted data transfers. The main goal is to filter out false positives by analyzing multiple correlated events in the context of each stage, ensuring that potential security threats are accurately identified and addressed before they can cause significant damage.
This summary outlines a scenario involving phishing attacks within a business environment, emphasizing how automated rules can help detect such threats effectively. Initially, malicious emails containing harmful attachments or URLs are noted in increased instances. These emails may pass through various security devices with inconsistent actions, potentially leading to undetected malware on the network.
To combat this, specific rules for email attachment handling were established:
1. **Reconnaissance or Anomaly Communications**: Emails with harmful attachments should be intercepted if they come from unknown sources (excluding trusted addresses) or internal IPs and pass through the email gateway. The attachments are checked for potentially harmful file types including Excel, Document, JPEG images, PDF documents, M4A files, M4P files, MP3 audio files, and Movie files.
2. **Attack Delivery**: For emails with harmful content but accepted file types like those mentioned above, capture the event by IP address on a shortlist for further monitoring.
3. **Host Exploitation and Binary Installation**: Ensure all antivirus and anti-malware software events are escalated as incident alerts to detect potential threats more effectively.
These rules help in reducing false negatives by focusing on specific indicators of phishing attempts, ensuring that potentially harmful communications are not overlooked or misclassified within the automated security systems.
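The phishing rules above, written as an added Python example that is not code from the HP document: Rule 1 intercepts watched attachment types from untrusted or internal senders, and Rule 2 shortlists the source IP when the gateway flags harmful content in an otherwise accepted file type. The gateway records, the trusted-sender list, the internal address prefix and the field names are all assumptions.

```python
import os

# Constructed inputs for this example; the domains, IPs and field names are assumptions.
TRUSTED_SENDER_DOMAINS = {"example.com", "partner.example.net"}
INTERNAL_PREFIX = "10."
# Attachment types named in Rule 1 (Excel, Word, JPEG, PDF, M4A, M4P, MP3, movie files).
WATCHED_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".jpg", ".jpeg", ".pdf",
                      ".m4a", ".m4p", ".mp3", ".mov", ".mp4"}

GATEWAY_LOG = [  # constructed email-gateway records
    {"src_ip": "203.0.113.8", "sender": "billing@unknown.invalid",
     "attachments": ["invoice.pdf"], "gateway_verdict": "clean"},
    {"src_ip": "203.0.113.9", "sender": "ceo@example.com",
     "attachments": ["q3.xlsx"], "gateway_verdict": "clean"},
    {"src_ip": "10.1.1.5", "sender": "user@example.com",
     "attachments": ["photo.jpg"], "gateway_verdict": "malicious"},
    {"src_ip": "203.0.113.10", "sender": "news@unknown.invalid",
     "attachments": ["report.txt"], "gateway_verdict": "clean"},
    {"src_ip": "203.0.113.11", "sender": "hr@unknown.invalid",
     "attachments": ["cv.docx"], "gateway_verdict": "malicious"},
]


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def watched_attachment(names):
    """True if any attachment has one of the watched file types (case-insensitive)."""
    return any(os.path.splitext(n)[1].lower() in WATCHED_EXTENSIONS for n in names)


def rule1_anomaly_communication(rec):
    """Rule 1: a watched attachment type arriving from a sender outside the trusted
    list, or from an internal IP, is intercepted at the gateway."""
    untrusted = sender_domain(rec["sender"]) not in TRUSTED_SENDER_DOMAINS
    internal = rec["src_ip"].startswith(INTERNAL_PREFIX)
    return watched_attachment(rec["attachments"]) and (untrusted or internal)


def rule2_attack_delivery(rec):
    """Rule 2: harmful content inside an accepted file type -> capture the source IP
    on the shortlist for further monitoring."""
    return rec["gateway_verdict"] == "malicious" and watched_attachment(rec["attachments"])


def apply_rules(log):
    """Return (senders intercepted by Rule 1, source IPs shortlisted by Rule 2)."""
    intercepted, shortlist = [], set()
    for rec in log:
        if rule1_anomaly_communication(rec):
            intercepted.append(rec["sender"])
        if rule2_attack_delivery(rec):
            shortlist.add(rec["src_ip"])
    return intercepted, shortlist


if __name__ == "__main__":
    hits, ips = apply_rules(GATEWAY_LOG)
    print("intercepted:", hits)
    print("shortlisted IPs:", sorted(ips))
```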
The document outlines a method for identifying and responding to potential cyber threats by establishing rules based on specific activities that indicate compromise, such as changes in registry settings or creation of new processes. These actions are used to populate shortlists containing source IP addresses involved in suspicious activity. From there, the system applies additional rules to further analyze these IPs:
1. **Compromised Host Identification**:
Rule 1: Detects registry changes such as those in \Runonce, adding the source IP address to shortlist1.
Rule 2: Identifies new unknown processes spawning from the host, also adding the source IP to shortlist1. These rules fall under the "Command and Control" stage of the Kill Chain, aimed at detecting if a source IP communicates with known malicious servers.
2. **Local Compromise**:
Rule 1: Monitors creation of local accounts.
Rule 2: Monitors elevation of privileges through actions like creating new user accounts or modifying existing ones.
Rule 3: Detects changes in group policy settings, which could indicate increased administrative capabilities.
Rule 4: Alerts if Antivirus or Anti-Malware software processes are terminated, suggesting bypassing security measures. All these rules add the source IP to shortlist2 and correlate them for potential threats.
3. **Internal Reconnaissance**:
Rule 1: Analyzes peer-to-peer communications looking for abnormal patterns that might indicate attempts to evade detection or communicate with malicious entities.
Rule 2: Scrutinizes HTTPS communication between desktop servers where this protocol is not typically used, signaling potential reconnaissance activities.
Rule 3: Identifies beaconing in network communications attempting to establish an internet route, often a sign of active exploitation; this may also trigger firewall alerts due to attempts to bypass security measures.
These rules collectively aim to cover various stages of a cyber threat lifecycle, from initial compromise through internal reconnaissance and command execution, providing a structured approach to cybersecurity monitoring and response.
The described document outlines rules and correlations for detecting potential security incidents during different stages of the kill chain, specifically focusing on lateral movement and establishing persistence phases. Here’s a summary of the key points from this text:
**Rule 4:** This rule pertains to multiple communications where both the source and destination network zones are desktops. If such communication occurs between devices within the same network zone (e.g., desktop to desktop), it is correlated with rules that involve IP addresses appearing on shortlist1 or shortlist2. If an IP address matches these criteria, it is flagged as a potential incident, and the IP is added to the compromised host asset list.
**Kill Chain Stage; Lateral Movement:** This stage involves identifying events of communication between devices within the network that could indicate lateral movement after initial access. The rules for this phase include:
**Rule 1:** Audits Windows programs where netstat has been used, adding the source IP to shortlist2.
**Rule 2:** Logs net use events, adding the source IP to shortlist2.
**Rule 3:** Records remote registry events affecting the source IP and adds it to shortlist2.
**Rule 4:** Monitors remote WMI (Windows Management Instrumentation) events involving the source IP, also adding it to shortlist2.
**Rule 5:** Tracks changes in the remote policy editor that involve the source IP, further adding it to shortlist2.
**Rule 6:** Audits Windows programs where psexec has been utilized, again adding the source IP to shortlist2.
**Correlation Rules:** These are additional checks for potential incidents:
**Correlation Rule 1:** If a single source IP address appears on shortlist2 more than once, it is considered an incident and flagged accordingly.
**Correlation Rule 2:** When rules 1 through 6 all point to the same IP in shortlist1, this indicates a potential issue and should be treated as such.
**Kill Chain Stage; Establish Persistence:** This stage focuses on maintaining access and presence within the compromised system. The rules for this phase include:
**Rule 1:** Monitors changes to Windows policy events related to file and folder access.
**Rule 2:** Identifies internal communications between hosts within the same network zone over unknown or specific communication channels, such as HTTPS.
**Rule 3:** Detects large data downloads from external hosts that are not typically accessed; this could include monitoring netflow events for anomalies.
This document provides a structured approach to cybersecurity by detailing how to detect and respond to potential breaches in network communications during defined stages of an attack, ensuring proactive measures against security threats.
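As an added example (not code from the HP document), the lateral-movement Rules 1 through 6, Correlation Rules 1 and 2, and the desktop-to-desktop Rule 4 above are expressed as a small Python rule engine over constructed audit events. The event records and their field names are assumptions, and Correlation Rule 2 is modelled as "all six lateral-movement rules fired for the same source IP".

```python
from collections import defaultdict

# Constructed sample events; src_ip, program, event_type and the zone fields are assumptions.
EVENTS = [
    {"src_ip": "10.1.1.5", "program": "netstat.exe", "event_type": "process_audit",
     "src_zone": "desktop", "dst_zone": "desktop"},
    {"src_ip": "10.1.1.5", "program": "net.exe", "event_type": "net_use",
     "src_zone": "desktop", "dst_zone": "desktop"},
    {"src_ip": "10.1.1.5", "program": "psexec.exe", "event_type": "process_audit",
     "src_zone": "desktop", "dst_zone": "server"},
    {"src_ip": "10.1.1.9", "program": "wmic.exe", "event_type": "remote_wmi",
     "src_zone": "desktop", "dst_zone": "desktop"},
    {"src_ip": "10.1.1.20", "program": "outlook.exe", "event_type": "process_audit",
     "src_zone": "desktop", "dst_zone": "server"},
]

# Rules 1-6: a match puts the event's source IP on shortlist2.
LATERAL_RULES = {
    1: lambda e: e["event_type"] == "process_audit" and e["program"].lower() == "netstat.exe",
    2: lambda e: e["event_type"] == "net_use",
    3: lambda e: e["event_type"] == "remote_registry",
    4: lambda e: e["event_type"] == "remote_wmi",
    5: lambda e: e["event_type"] == "remote_policy_edit",
    6: lambda e: e["event_type"] == "process_audit" and e["program"].lower() == "psexec.exe",
}


def build_shortlist2(events):
    """shortlist2: src_ip -> list of rule ids that fired, one entry per matching event."""
    shortlist2 = defaultdict(list)
    for e in events:
        for rule_id, match in LATERAL_RULES.items():
            if match(e):
                shortlist2[e["src_ip"]].append(rule_id)
    return shortlist2


def correlate(shortlist2, events, shortlist1=frozenset()):
    """Apply the correlation rules; returns {src_ip: [reasons it became an incident]}."""
    incidents = defaultdict(list)
    for ip, hits in shortlist2.items():
        # Correlation Rule 1: the same source IP appears on shortlist2 more than once.
        if len(hits) > 1:
            incidents[ip].append("corr1: %d shortlist2 hits, rules %s" % (len(hits), sorted(set(hits))))
        # Correlation Rule 2: all six lateral-movement rules point at the same IP.
        if set(hits) == set(LATERAL_RULES):
            incidents[ip].append("corr2: rules 1-6 all fired")
    # Rule 4: desktop-to-desktop communication from a host already on shortlist1 or shortlist2.
    reason = "rule4: desktop-to-desktop traffic from shortlisted host"
    for e in events:
        if e["src_zone"] == "desktop" and e["dst_zone"] == "desktop":
            if e["src_ip"] in shortlist1 or e["src_ip"] in shortlist2:
                if reason not in incidents[e["src_ip"]]:
                    incidents[e["src_ip"]].append(reason)
    return dict(incidents)


def compromised_hosts(incidents):
    """Every flagged source IP is added to the compromised-host asset list."""
    return sorted(incidents)


if __name__ == "__main__":
    sl2 = build_shortlist2(EVENTS)
    inc = correlate(sl2, EVENTS)
    for ip, reasons in inc.items():
        print(ip, reasons)
    print("compromised hosts:", compromised_hosts(inc))
```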
This text discusses a method for detecting potential security threats using a set of rules within an information security management system (SIEM). The goal is to identify deviations and correlate them into coherent patterns that might indicate malicious activity. Here's the breakdown of each rule used in this process:
1. **Rule 1**: Triggered by audit events from the NTbackup program on Windows systems, suggesting a backup operation has taken place. This adds the source IP address to shortlist2.
2. **Rule 2**: Detects access to specific registry locations associated with user account and security information (SAM file), which is indicative of unauthorized access or actions. This also adds the source IP address to shortlist2.
3. **Rule 3.1**: Looks for correlations between movement across network shares and changes in folder permissions from the same host. If both conditions are met, it adds the source IP address to shortlist2.
4. **Rule 4**: Monitors Netflow data anomalies where destinations have unusual geolocation settings. This helps identify potential data exfiltration attempts by adding the source IP addresses to shortlist1.
5. **Rule 5**: Correlates access events on systems containing sensitive information with email sending activities that involve unknown recipients, potentially indicating data theft or unauthorized access. This adds the source IP address to shortlist1 if multiple related emails are detected.
The rules collectively aim to cover stages of a potential cyber-attack as part of the HP SIEM kill chain methodology. By correlating these events and adding them to shortlists for further review, potential threats can be identified more effectively with an aim to reduce false positives by ensuring that patterns indicate malicious activity rather than normal system operations or user errors.
This text discusses enhancing incident response by using human analytics and overcoming limitations in detecting potential threats, particularly focusing on malware-compromised hosts. The approach involves leveraging global correlation rules that cross-correlate data from various sources to identify patterns or connections between different incidents. These rules help filter out false positives and negatives by checking if the source IP addresses are listed on specific watch lists. This method allows for a more comprehensive analysis of incident history, enabling better prioritization within the SIEM (Security Information and Event Management) system. If, for example, malware-compromised hosts also trigger an exfiltration event, the priority of this incident would be elevated accordingly in the SIRT (Short Interval Rapid Response Team).
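The exfiltration indicators of Rule 4 and Rule 5 from the previous section and the global correlation described here, written as one added Python example that is not code from the HP document. The watch lists, netflow and email records, field names and the three-level priority scheme are assumptions made for the example.

```python
from collections import defaultdict

# Constructed watch lists and events; every value here is an assumption for this example.
EXPECTED_DEST_COUNTRIES = {"US", "DE"}          # geolocations normally seen in outbound netflow
TRUSTED_EMAIL_DOMAINS = {"example.com"}         # recipients that do not count as "unknown"
SENSITIVE_HOSTS = {"10.2.0.10"}                 # systems holding sensitive information
COMPROMISED_HOSTS = {"10.1.1.5", "10.1.1.20"}   # output of the compromised-host stage

NETFLOW = [
    {"src_ip": "10.1.1.5", "dst_ip": "203.0.113.7", "dst_country": "XX", "bytes_out": 900_000_000},
    {"src_ip": "10.1.1.9", "dst_ip": "198.51.100.2", "dst_country": "US", "bytes_out": 12_000},
]
ACCESS_EVENTS = [  # file or share access observed on sensitive systems
    {"src_ip": "10.1.1.9", "dst_ip": "10.2.0.10"},
    {"src_ip": "10.1.1.20", "dst_ip": "10.2.0.10"},
]
EMAIL_EVENTS = [  # outbound mail seen at the email gateway
    {"src_ip": "10.1.1.9", "recipient": "drop1@mail.invalid"},
    {"src_ip": "10.1.1.9", "recipient": "drop2@mail.invalid"},
    {"src_ip": "10.1.1.20", "recipient": "colleague@example.com"},
]


def rule4_geo_anomaly(netflow):
    """Rule 4: netflow to a destination outside the expected geolocations -> shortlist1."""
    return {f["src_ip"] for f in netflow if f["dst_country"] not in EXPECTED_DEST_COUNTRIES}


def rule5_sensitive_access_plus_email(access_events, email_events, min_emails=2):
    """Rule 5: a source IP that accessed a sensitive system and also sent several
    emails to unknown recipients -> shortlist1."""
    touched = {a["src_ip"] for a in access_events if a["dst_ip"] in SENSITIVE_HOSTS}
    unknown_mail = defaultdict(int)
    for m in email_events:
        domain = m["recipient"].rsplit("@", 1)[-1].lower()
        if domain not in TRUSTED_EMAIL_DOMAINS:
            unknown_mail[m["src_ip"]] += 1
    return {ip for ip in touched if unknown_mail[ip] >= min_emails}


def build_shortlist1():
    """shortlist1 is the union of the exfiltration indicators from rules 4 and 5."""
    return rule4_geo_anomaly(NETFLOW) | rule5_sensitive_access_plus_email(ACCESS_EVENTS, EMAIL_EVENTS)


def prioritise(incident_ips, compromised_hosts, exfil_shortlist):
    """Global correlation: an incident whose source IP is on the compromised-host list
    and also on the exfiltration shortlist is raised to 'high'; one list alone gives
    'medium'; a host on neither watch list stays 'low'."""
    priority = {}
    for ip in incident_ips:
        on_lists = (ip in compromised_hosts) + (ip in exfil_shortlist)
        priority[ip] = {2: "high", 1: "medium", 0: "low"}[on_lists]
    return priority


if __name__ == "__main__":
    sl1 = build_shortlist1()
    print("shortlist1:", sorted(sl1))
    print(prioritise(["10.1.1.5", "10.1.1.9", "10.1.1.20", "10.1.1.30"], COMPROMISED_HOSTS, sl1))
```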