HP SIEM Kill Chain v1.0

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 19 min read

Summary:

The passage provided outlines several key points related to handling IP addresses and raising alerts in cyber attacks, as well as improving email security through the HP SIEM kill chain methodology. Here's a breakdown of these concepts:

1. **Handling Suspicious IP Addresses:**
   - **Reconnaissance Stage:** IPs that establish unusual TCP/UDP connections are added to the suspicious list and monitored across firewalls and IPS systems.
   - **Network Scans:** IPs from external sources initiating scans are also flagged for review.
   - **Threat Intelligence:** Known bad IP addresses attempting to connect to a DMZ asset trigger alerts, with frequent occurrences adding them to the threat intelligence active list.
   - **Short-term List (Suspicious IP Addresses):** Used in real-time monitoring and response; if an IP appears suspiciously often across different events, it is added to this list for longer-term monitoring.
2. **Attack Delivery Stage:**
   - **Exploit Attempts:** IPs of hosts attempting exploits are added to the IPS shortlist due to potential exploitation actions detected by the system.
   - **Targeted Assets:** Alerts are raised for source IPs targeting sensitive or critical assets as per predefined asset models.
3. **Compromised Hosts and Threat Intelligence List:** If an IP attempts to exploit a host with a known vulnerability, both the source and destination assets are added to respective lists (threat intelligence active list and compromised hosts list).
4. **Benefits of HP SIEM Kill Chain Methodology:**
   - Enhances threat coverage by providing a more comprehensive view across multiple vectors.
   - Reduces false positives by not relying solely on single event analysis from tools like IPS.
   - Focuses on actionable incidents and enhances situational awareness, leading to faster responses.
5. **Improving Email Security:**
   - Analyzing harmful attachments detected by desktop antivirus and malware software helps in improving the email gateway's performance.
   - Quantitative analysis is used to assess effectiveness against shortlisted (active list) filtered events of malicious content.
6. **HP SIEM Kill Chain for Reuse:** Allows the reuse of existing use case rules for new threat vectors, saving time and resources while reducing overhead and investment.

In summary, this methodology provides a structured approach to handling cyber threats by focusing on multiple stages of an attack (Reconnaissance, Delivery) and using shortlists or active lists to improve efficiency in security operations. It aims to reduce false positives and negatives through comprehensive analysis and situational awareness, enhancing the overall effectiveness of security controls.

Details:

The document titled "HP SIEM Kill Chain v0.2" is a comprehensive guide that introduces the concept of a Cyber Kill Chain methodology, which outlines a structured approach to understanding cyber attacks from initial reconnaissance through to exfiltration. This methodology helps in creating use cases for detecting and responding to security threats effectively using HP's SIEM (Security Information and Event Management) tools.

**Table of Contents:**

  • **Document Control:** Details the version history, author, update details, and circulation information.

  • **Introduction:** Explains the purpose of the document and its relevance in understanding the Cyber Kill Chain methodology.

  • **Kill Chain:** Defines what a kill chain is and how it applies to cyber attacks.

  • **Cyber Kill Chain Use Cases:** Describes various stages from reconnaissance through exploitation, command and control (C&C), actions on objectives, infection scanning, lateral movement, establishing persistence, and finally stage and exfiltration of data during an attack.

  • **Example 1: HP SIEM Kill Chain Phishing Use Case:** A detailed example showing how the kill chain can be applied in a phishing scenario using HP SIEM tools.

  • **Example 2: HP SIEM Kill Chain Reusable Use Cases:** Examples demonstrating more generic use cases that can be adapted and reused across different threats or scenarios.

  • **Summary Benefits of a Kill Chain:** A discussion on the advantages of employing a kill chain methodology, including improved threat visibility, faster response times, and better resource management during incident handling.

This document is intended for advanced users who are familiar with ArcSight use case capabilities and general security product functionalities, as it assumes knowledge of specific tools like Windows registry and Malware forensic events which are customizable within the HP SIEM toolset. The primary goal is to provide a structured approach to creating effective use cases that can be applied in real-world cybersecurity scenarios using HP's SIEM technology.

The article discusses how using a "kill chain" methodology can enhance security intelligence by integrating and correlating network and host-based security events based on attack vectors, payload delivery profiles, and intrusion compromise behaviors. This approach helps in identifying threats more effectively by reducing false negatives (ignored events) and false positives (noise from devices like IPS). By treating data sets as indicators of a compromise, the system can detect threats better and provide situational awareness to operations staff for further investigation.

The article also references high-profile cyber attacks such as the RSA and Sony breaches, which followed a multi-stage approach to penetration and data theft. The kill chain methodology is used to analyze these stages in detail: starting with an initial breach of the perimeter, followed by exploiting vulnerabilities, installing backdoors, establishing a presence, moving laterally through the network, collecting sensitive information, and finally exfiltrating data. Defensive focus has largely been on stopping the first stage of a breach, with little attention paid to following this multi-stage approach in detail. The integration of security event management (SIEM) with a kill chain analysis provides actionable intelligence by grouping events according to specific attack phases, which can lead to more informed decision-making and better threat detection capabilities.
The article describes how an attacker gains access to a network by establishing a beachhead, downloading toolkits and payloads from an external site, and then moving laterally within the network to collect more credentials or escalate privileges. Once inside, the attacker can collect and exfiltrate data. To manage this process more efficiently, security organizations use SIEM technology with individual use cases that are linked through a kill chain methodology. This allows for easier grouping and post-correlation of events, reducing the need for manual analytics.

Three main kill chain methods are mentioned: Lockheed Martin's Cyber Kill Chain, the Malware Forensics Kill Chain by the SANS Institute, and the HP SIEM Kill Chain. These methodologies help in understanding use case risks and developing security events within a specific context.

The text describes different phases of a methodology, which can be understood as stages in a process used for gathering intelligence about potential targets before an attack. Here's the summary of each phase mentioned in the text:

1. **Reconnaissance** - This stage involves researching, identifying, and selecting targets by exploring websites like conference proceedings and mailing lists to gather information on specific technologies, social relationships, or email addresses. It is a non-intrusive method of intelligence gathering.
2. **Reconnaissance External to Inbound Scan** - At this phase, the target network is actively reconnoitered through inbound scanning events. This stage assumes that any detectable reconnaissance scan can be detected as an event in Malware Forensics procedures.
3. **Reconnaissance or Anomaly Communication from an External Source to Target Host(s)** - According to HP's SIEM kill chain, this phase involves initial communications from an external source to target hosts that are considered attack vectors. In the context of SIEM tooling, these communications can come from both outside the internet network perimeter (external source) and potentially even from within a secure internal network if they act as insiders providing reconnaissance information. Anomaly communication is used to describe various techniques like very slow scanning or traffic from known bad or blacklisted sources, which do not create specific discernible events in firewalls or intrusion prevention systems but are indicative of reconnaissance activities.

These stages outline a potential process for gathering intelligence and assessing targets before proceeding with an attack, using different methodologies that emphasize non-intrusive methods and active reconnaissance followed by initial communication phases.

The text discusses various aspects of cyber attacks, particularly within the context of HP's SIEM (Security Information and Event Management) kill chain model. It covers several key stages in a typical cyber attack lifecycle, including weaponization, delivery, exploitation, and more broadly, the "external to internal inbound exploit" process.

**Weaponization:** This stage involves creating a malicious payload that can be delivered to the target environment. The payload is often disguised as legitimate files like PDF or Office documents, which are then used to deploy remote access trojans (RATs) and other types of malware. This process typically relies on automated tools called weaponizers, which simplify the creation of such attacks by bundling malicious software with exploits.

**Delivery:** In this phase, the weaponized payload is transmitted to the target environment. The most common methods for delivering these payloads are via email attachments, websites hosting malicious content, and USB devices. These vectors allow attackers to infiltrate networks by exploiting vulnerabilities in various applications and systems.
**Exploitation:** Once the payload reaches the victim's system (often referred to as a host), exploitation occurs when an attacker's code is triggered, typically through exploiting vulnerabilities in software or user behavior. This stage often involves using phishing techniques like spear phishing to trick users into executing malicious code. If successful, this can lead to the installation of RATs or other backdoors that provide persistent access to the network.

**External to Internal Inbound Exploit:** This term seems to be a typographical error and likely refers to the initial phase where an attacker gains external access to a system before attempting to move laterally within the network, which is a common approach in advanced persistent threats (APTs).

The text also highlights that HP's SIEM kill chain model does not consider weaponization as part of its primary detection mechanisms because it relies on third-party tools to identify known malicious binaries. Instead, the focus is more on subsequent stages like delivery and exploitation, which are monitored for potential false positives rather than immediate threat indicators.

The SANS Institute Malware forensics stage in the kill chain focuses on detecting inbound exploitation events from an external host to an internal one. This involves looking for various methods including direct exploitation through open service ports, malicious email attachments, infected P2P media, and drive-by-download infections from malicious websites. The Lockheed Martin and SANS Institute methodologies are integrated into HP's SIEM kill chain, which also considers events from third-party vendor products (like Intrusion Prevention Systems, Antivirus, and Antimalware), system changes (processes starting and stopping), inbound communications traffic, correlated vulnerability information, and network & asset model information.
After a host is compromised, the next stage involves installing remote access trojans or backdoors to maintain persistence within the environment. The final stage, Internal to External Binary Acquisition, sees the detection of events that download malicious binaries from the source of the attack. In cases like well-known exploits on Windows machines, this traffic leaves the compromised host towards an external source using ports such as TCP 135 for shell access. Finally, in the Binary Installation stage, detection is made for known or unknown malicious binaries not detected by point solutions like antivirus or antimalware software, focusing on attack payload delivery profiles to ensure proper mitigation.

The text discusses various aspects of malware communication, specifically focusing on Command and Control (C2) channels within a cyber threat landscape. It starts by explaining how compromised hosts establish a C2 channel to communicate with an Internet controller server, typically requiring manual interaction for APT malware. Once established, intruders gain access to the target environment through this channel, allowing them to manipulate various components such as registry settings and system processes like antivirus services.

Within the Malware Kill Chain, the next step involves setting up a listen port on the infected machine to accept updates or commands from the botnet master, along with scanning for other external victims to facilitate lateral movement within networks. This process aligns with the Lockheed Martin malware forensic methods and uses case production to correlate source-to-destination communication in order to identify C2 transactions.

For HP SIEM, this methodology involves using blacklisting of known malicious sites and IP addresses to detect command and control (C2) activities. However, due to the advanced nature of persistent threats, these are unlikely to be present on public blacklists.
To address this, HP recommends an exfiltration step in their kill chain that utilizes white lists and asset models to flag unexpected behaviors and deviations from normal patterns.

Lastly, the text describes the actions taken by attackers after progressing through various stages of the malware lifecycle, which aligns with Lockheed Martin's methodology for attacking objectives. The Malware kill chain consists of six phases through which intruders can take actions to achieve their objectives, primarily data exfiltration or accessing more systems within a network. In the first phase, the infected host starts interacting with other potential victims as part of a botnet, scanning them for infection. During local compromise, compromised hosts may create new local accounts, escalate privileges, alter group policies, and manipulate file and folder access permissions using common command line tools. Internal reconnaissance involves profiling the network to locate more vulnerable targets or to find target data. Lateral movement occurs when intruders move from a compromised host to other systems through various methods like netlogon, remote registry, and session communications. Finally, in the Establish Persistence phase, the intruder maintains access by finding ways to stay within the system even after initial objectives are achieved.

The HP SIEM Kill Chain is a model used to describe the progression stages of an attack, providing a structured approach to identify, analyze, and respond to cyber threats. Here's a summary of what it means and how it works:

1. Reconnaissance: This stage involves the attacker gathering information about the target network to understand its structure and potential vulnerabilities. They might use phishing attacks or other social engineering techniques to gain initial access by tricking users into downloading malware or providing credentials.
2. Weaponization: At this stage, the attacker prepares their weapon (malicious tool) that will be used in further stages of the attack. This could include delivering a payload via email attachments or exploiting software vulnerabilities.
3. Delivery: The weapon is delivered to the target network through various channels such as phishing emails, infected USB drives, or exploit kits embedded in websites.
4. Exploitation: Once inside the network, the attacker exploits weaknesses in the system and gains a foothold by installing backdoors, keyloggers, or other malicious software that allow them remote access.
5. Installation: The attacker installs additional tools to maintain their presence within the network and further exfiltrate data as they move up the hierarchy of the organization's systems.
6. Command and Control (C2): The attacker establishes a way to communicate with the malicious software installed on compromised hosts, which is essential for ongoing operations such as data theft or spreading to other parts of the network.
7. Actions on Objectives: In this stage, the primary goal of stealing sensitive information or disrupting business operations is pursued. This often involves encrypting stolen data before transferring it out of the network and might also include launching further attacks on high-value targets within the organization.
8. Exfiltration: The attacker takes active steps to steal and transfer collected data, which can be done by encryption locally before moving the data out of the compromised environment or directly through a covert channel that is less detectable in the network traffic.
9. Decoy and Covert Channel Use: To maintain their presence within the network without being detected, attackers might set up decoys to divert security measures and establish covert channels for communication between internal hosts.
10. Phishing Attack Case Study (Example from HP SIEM Kill Chain): In this case study, an increase in phishing attacks is noted by the business, which sends malicious emails containing harmful attachments or links that target specific employees. These emails are often detected by different security tools but in isolation, as each tool focuses on a single aspect of the threat. By using HP SIEM Kill Chain use cases, organizations can filter and correlate events from various security products to reduce false positives and improve detection rates, providing a more comprehensive view of potential threats. This approach helps in mitigating risks associated with phishing attacks by understanding the progression of an attack and taking appropriate preventive or corrective actions based on the identified stages.

The email attachment scanning process involves identifying potential threats before they reach the desktop, specifically targeting malicious files like Microsoft Excel, Document, JPEG images, PDF documents, M4A files, M4P files, MP3 audio files, and Movie files. If an email with such attachments travels through the company's network from untrusted sources or external IP addresses, it triggers a shortlist of potentially compromised devices. In the attack delivery stage, rules are set up to detect when these harmful attachments are opened despite being common business file types. This captures events where suspicious activity is detected, and the source IP address is added to the shortlist for further monitoring. When malicious software is executed on a host machine, it triggers antivirus or anti-malware alerts, and both the source IP address and specific registry changes or new process spawns are noted. If these actions match with entries from the initial shortlist, they indicate potential compromise, leading to the addition of the source IP address to a list of compromised hosts.
Additional rules focus on registry alterations and unknown processes spawned by the host, also noting their IP addresses for correlation purposes. In summary, this process uses email attachment analysis, trigger points based on file type and sender trust, and dynamic threat detection through software alerts and system behavior anomalies to identify and contain potential malware threats within a corporate network.

The text outlines a methodical approach to detecting and responding to potential cyber threats, specifically within the context of various stages of an attack lifecycle known as the Kill Chain. This process is designed to identify, investigate, and mitigate risks associated with malicious activity, particularly focusing on command and control communications, local system compromises, internal reconnaissance, and lateral movement.

1. **Command and Control (Kill Chain Stage 1):** The first stage involves checking if a source IP address communicates with known malicious servers from a blacklisted list. If such communication is detected, it triggers an alert, and the IP address is added to a compromised active list. This initial step sets the foundation for further investigation by identifying potential breaches.
2. **Local Compromise (Kill Chain Stage 2):** In this stage, specific rules are applied to local operating system logs to identify anomalies associated with unauthorized account creations, privilege escalation events, changes in group policies, or termination of antivirus or antimalware software processes. Any IP address implicated by these rules is added to a shortlist for further scrutiny (shortlist2). If an IP appears multiple times on this list, it signals a higher risk and triggers an alert.
3. **Internal Reconnaissance (Kill Chain Stage 3):** This stage involves analyzing network communications for anomalies that deviate from standard profiles. Key rules include peer-to-peer communications, HTTPS communications over non-standard services, beaconing activities attempting to bypass firewall restrictions, and multiple internal desktop-to-desktop communications. Any IP identified through these rules as potentially compromised is added to a shortlist (shortlist1 or 2) depending on the severity of the anomaly.
4. **Lateral Movement (Kill Chain Stage 4):** This final stage extends the reconnaissance efforts by focusing on transactions between devices, looking for deviations in typical network behavior patterns. Specific rules are defined around Windows program audit events and other relevant network interactions to detect signs of unauthorized access or movement across systems. Any IP detected through these rules is flagged as potentially compromised and added to a host asset list for further action.

Overall, the process described is designed to be proactive in cyber threat detection by systematically assessing risks at multiple stages of an attack, allowing for targeted responses and improved security outcomes.

The provided text outlines a series of rules and correlation mechanisms designed to detect potential security incidents based on specific events such as netlogon, remote registry, WMI, and policy editor events. These events are linked to particular activities like using psexec or NTbackup. The system uses shortlist 2 to track source IP addresses that appear more than once, which is flagged as an incident alert with a compromised host asset list. The rules focus on identifying anomalies in network communications within the same network zone and significant outbound traffic to external hosts not typically accessed. This includes monitoring changes in file and folder access rights and unusual internal communication patterns such as HTTPS usage between desktops. The system also involves Netflow events and queries to proxy servers to detect data exfiltration activities like low-talking website visits, which would be flagged with a source IP address added to shortlist 2.

This set of rules covers the Establish Persistence stage by looking for further communication anomalies and changes in local host settings that might indicate compromise. The subsequent exfiltration stage (Stage and Exfiltration) focuses on consolidating data and removing it from the network, which can be monitored through specific audit events like NTbackup usage. Overall, this system is designed to identify potential cyber threats by tracking IP addresses associated with suspicious activities across various network communications, aiming to detect and respond to attacks that aim to establish a presence within a network (Establish Persistence) and extract valuable data from it (Stage and Exfiltration).

The document outlines several rules for detecting potential security incidents based on specific events and behaviors indicative of malicious activities such as accessing the Windows SAM file via registry changes, moving files across network shares, anomalous Netflow traffic from uncharacteristic geolocation destinations, and suspicious email communications with sensitive information. These scenarios are used to populate shortlists (one named "shortlist1" for high-priority indicators and another named "shortlist2") which help in the identification of potential phishing attacks or other types of cyber threats by correlating various events across different hosts. The rules include:

1. Monitoring registry accesses at specific locations (HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa) to detect changes that might indicate unauthorized access to the Windows SAM file, which is crucial for user authentication information. This could lead to an incident alert and adding the IP address to shortlist2.
2. Tracking movements of files across network shares, correlating with permission changes on the same host to identify potential data exfiltration or other malicious activities, also leading to addition to shortlist2.
3. Analyzing Netflow traffic anomalies in terms of destination geolocation over a trended period, which might indicate an attempt to bypass security measures by sending sensitive information to unknown recipients via email. This could result in adding the source IP address to shortlist1.
4. Relating access events to hosts that handle confidential data with suspicious email communications, especially when emails are sent to untrusted recipients containing attachments and have a total size exceeding 100MB. These actions should be added to shortlist1.
5. The document explains how these scenarios can be mapped onto the HP SIEM Kill Chain as indicators of potential phishing attacks or other forms of cyber threats, helping in the prioritization process using shortlists (based on the likelihood and severity of the detected threats). If a host appears multiple times in shortlist1 or shortlist2 with such indicators, it is considered highly likely to be compromised, triggering an incident alert.
6. Trusted alerts from host-based malware detection software that indicate specific malicious events could lead to immediate incident alerts and add the affected IP addresses to shortlist1 as well.
7. When a host is identified as having been compromised through these rules (either by being listed in multiple shortlists or directly flagged by trusted alerts), it will be added to a "compromised host list." This facilitates quick understanding of which systems have been breached and allows for more focused security operations against the identified threats.

The passage outlines a strategy for using multiple indicators through the kill chain to detect threats more effectively, rather than focusing solely on isolated events.
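The phishing use case above chains gateway, host and network rules through shortlists before anything is declared compromised. The following is an added example of that correlation logic, not code from the HP document or from ArcSight; the event fields, list names, extension mapping, threshold and sample events are all constructed.

```python
"""Model of the HP SIEM Kill Chain phishing use case described above.

Added example; not code from the HP document or from ArcSight. The event
shape, rule names, extension list, threshold and sample events are all
constructed here.
"""
import os
from collections import Counter

# Delivery rule: common business attachment types named in the use case (Excel,
# Document, JPEG, PDF, M4A, M4P, MP3, movie). Mapping them to extensions is an assumption.
WATCHED_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".jpg", ".jpeg", ".pdf",
                      ".m4a", ".m4p", ".mp3", ".mov", ".mp4"}
TRUSTED_SENDER_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domain
C2_BLACKLIST = {"203.0.113.7"}              # constructed: a blacklisted C2 server address
SHORTLIST2_THRESHOLD = 2                    # "appears more than once" on shortlist2


class PhishingKillChain:
    """Turns gateway, host and network events into shortlists and a compromised-host list."""

    def __init__(self):
        self.shortlist1 = {}          # host -> delivery/exploitation indicators
        self.shortlist2 = Counter()   # host -> count of post-compromise indicators
        self.compromised = set()
        self.alerts = []

    def _compromise(self, host, reason):
        self.compromised.add(host)
        self.alerts.append((host, reason))

    def handle(self, ev):
        kind = ev["type"]
        if kind == "email_attachment":
            # Delivery: watched file type arriving from an untrusted (external) sender.
            ext = os.path.splitext(ev["attachment"])[1].lower()
            sender_domain = ev["sender"].rsplit("@", 1)[-1]
            if ext in WATCHED_EXTENSIONS and sender_domain not in TRUSTED_SENDER_DOMAINS:
                self.shortlist1.setdefault(ev["recipient_host"], []).append(
                    ("delivery", ev["sender_ip"], ev["sender"], ev["attachment"]))
        elif kind == "attachment_opened":
            # Exploitation: a shortlisted attachment is opened on the recipient's host.
            indicators = self.shortlist1.get(ev["host"], [])
            if any(i[0] == "delivery" and i[3] == ev["attachment"] for i in indicators):
                indicators.append(("opened", ev["attachment"]))
        elif kind in ("av_alert", "registry_change", "unknown_process"):
            # Installation: an AV alert, registry alteration or unknown process only
            # counts when the host is already on shortlist1 from the delivery stage.
            if self.shortlist1.get(ev["host"]):
                self._compromise(ev["host"], f"{kind} ({ev['detail']}) after shortlisted attachment")
        elif kind == "outbound_connection":
            # Command and control: talking to a blacklisted address is an alert on its own.
            if ev["dst"] in C2_BLACKLIST:
                self._compromise(ev["src"], f"C2 communication to blacklisted {ev['dst']}")
        elif kind in ("os_audit", "network_anomaly"):
            # Local compromise / internal reconnaissance / lateral movement feed shortlist2;
            # a host seen more than once is alerted on and treated as compromised.
            self.shortlist2[ev["host"]] += 1
            if self.shortlist2[ev["host"]] >= SHORTLIST2_THRESHOLD:
                self._compromise(ev["host"], f"repeated shortlist2 indicators ({ev['detail']})")

    def run(self, events):
        for ev in events:
            self.handle(ev)
        return self


# Constructed sample stream: the same phishing mail reaches two desktops, a trusted
# internal mail reaches a third, and a fourth host shows post-compromise indicators.
SAMPLE_EVENTS = [
    {"type": "email_attachment", "sender_ip": "198.51.100.9", "sender": "invoice@attacker.test",
     "recipient": "alice@example.com", "recipient_host": "10.0.5.21", "attachment": "Invoice_Q2.xls"},
    {"type": "email_attachment", "sender_ip": "198.51.100.9", "sender": "invoice@attacker.test",
     "recipient": "bob@example.com", "recipient_host": "10.0.5.22", "attachment": "Invoice_Q2.xls"},
    {"type": "email_attachment", "sender_ip": "10.0.1.5", "sender": "hr@example.com",
     "recipient": "carol@example.com", "recipient_host": "10.0.5.23", "attachment": "Policy.pdf"},
    {"type": "attachment_opened", "host": "10.0.5.21", "attachment": "Invoice_Q2.xls"},
    {"type": "unknown_process", "host": "10.0.5.21", "detail": "unsigned process svch0st.exe"},
    {"type": "registry_change", "host": "10.0.5.23", "detail": "Run key"},   # not shortlisted: ignored
    {"type": "outbound_connection", "src": "10.0.5.21", "dst": "203.0.113.7"},
    {"type": "os_audit", "host": "10.0.5.40", "detail": "new local account"},
    {"type": "network_anomaly", "host": "10.0.5.40", "detail": "desktop-to-desktop HTTPS"},
]


def run_sample():
    """Correlate the constructed events; 10.0.5.21 and 10.0.5.40 end up compromised."""
    return PhishingKillChain().run(SAMPLE_EVENTS)


if __name__ == "__main__":
    state = run_sample()
    for host, reason in state.alerts:
        print(f"ALERT {host}: {reason}")
    print("compromised hosts:", sorted(state.compromised))
    print("shortlisted only:", sorted(set(state.shortlist1) - state.compromised))
```

Bob's desktop (10.0.5.22) received the same attachment but shows no host activity, so it stays on shortlist1 without an alert, which is the false-positive reduction the use case describes.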
It suggests reviewing "short lists" of potential compromise indicators to get a broader understanding of an incident's scale and inform mitigation steps.

In the provided example, the focus is on perimeter threats to DMZ hosts using HP SIEM Kill Chain Reusable Use Cases. The author explains that they will modify existing kill chain use cases for reconnaissance or anomaly communications and attack delivery phases, while reusing other use cases from a previous example and adding them to other relevant phases to adapt them to the new threat vector: perimeter threats to DMZ hosts. The business risk being addressed is the potential compromise of DMZ hosts leading to access to higher-value assets through lateral movement. The solution involves using layered security, with more robust controls for high-value assets and fewer for lower-value assets due to cost considerations. The goal is to mitigate this risk within the existing budget by leveraging the SIEM technology and Security Operations department. The passage concludes by mentioning that the current approach only considers DMZ hosts in isolation without considering potential threats from other sources, which could lead to inefficiencies and missed opportunities for effective threat detection and mitigation.

The provided text outlines a method for managing network security using firewall, intrusion prevention systems (IPS), and antivirus software by defining specific rules to identify suspicious activities based on predefined criteria. These rules are designed to trigger alerts and add IP addresses to short-term lists of suspicious IP addresses or long-term threat intelligence active lists if certain conditions are met. For the "Reconnaissance" stage in a cyber attack kill chain, the following rules are applied:

1. Source IP addresses that attempt to establish unusual TCP/UDP connections (e.g., SYN, FIN, Xmas) are added to the suspicious list at both firewalls and IPS systems.
2. Network scans from external sources are also flagged for review by adding their IPs to the suspicious list at both firewalls and IPS systems.
3. IP addresses identified as known bad according to threat intelligence are immediately flagged if they attempt to connect to a DMZ asset, triggering an event of interest.
4. If multiple occurrences of an IP address appear on the suspicious list, it is added to the threat intelligence active list for longer-term monitoring and response adjustments.

In the "Attack Delivery" stage, rules are applied to identify attempts to exploit systems:

1. Source IPs of hosts attempting exploits are added to the suspicious IP address shortlist at the IPS level due to its ability to detect attempted exploitation actions.
2. Alerts are raised for source IPs targeting sensitive or critical assets as per predefined asset models. These alerts focus on potential breaches into vital parts of a network infrastructure, ensuring immediate attention is given where necessary.

The text provided outlines a methodology for handling suspicious IP addresses and raising alerts based on potential threats, particularly focusing on exploitation attempts involving known vulnerabilities. It introduces a kill chain approach used in security information and event management (SIEM) systems to better define and manage the stages of an attack. The process starts by adding a source IP address to a suspicious list if the initial alert from an Intrusion Prevention System (IPS) might be incorrect. The asset, considered high priority for investigation, triggers manual human analytics. If the source IP attempts to exploit a host with a known vulnerability, both the source and destination assets are added to respective lists: one for threats (threat intelligence active list), another for compromised hosts. A global rule is implemented if an IP address appears suspiciously often across different events; this IP is then added to the threat intelligence active list.

The kill chain stages include Stage and Exfiltration, with specific rules dictating actions based on the presence of IPs from the threat intelligence list: raising alerts and adding source hosts to a compromised list when there's outbound communication to such IPs. The benefits of applying this kill chain approach in security management include better defined coverage of potential threats across multiple vectors (enhancing threat coverage) and reducing false positives by not relying solely on single event analysis from tools like IPS, which can be prone to inaccuracies. This layered, more comprehensive method is often more effective than standalone use cases designed for individual events.

The text discusses the effectiveness of using the HP SIEM kill chain methodology for enhancing security operations. It argues that by reducing false positives and providing a more accurate view of events, it allows Security Operations to focus on actionable incidents with greater efficiency. This is achieved through various methods such as filtering events into indicators of compromise (IOCs), correlating and post-correlating events based on rules throughout the kill chain, and creating shortlists or active lists for better visualizations that aid human analytics. The methodology helps in reducing false negatives by focusing on relevant events and enhancing situational awareness, which ultimately enables faster response to security incidents and better understanding of threat indicators.

To summarize, this document outlines the use of shortlisted information from emails with potentially dangerous attachments sent by untrusted email senders to improve user safety and security operations. The key data points included (sender IP address, receiver email address, sender email address, and attachment name) are crucial for analytics and reporting purposes, such as visualizing how many recipients opened specific attachments.
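The perimeter (DMZ) reuse example above has a different shape from the phishing one: a short-term suspicious list that promotes repeat offenders to a long-term threat-intel active list, an asset model with known vulnerabilities, and a Stage and Exfiltration rule that fires on outbound traffic to threat-intel addresses. The following is an added example of those rules, not code from the HP document or from ArcSight; the event fields, promotion threshold, asset model and vulnerability ids are constructed placeholders.

```python
"""Model of the perimeter (DMZ) reuse example described above.

Added example; not code from the HP document or from ArcSight. Event fields,
list names, the promotion threshold and the asset/vulnerability model are
constructed; vulnerability and signature ids are placeholders.
"""
from collections import Counter

SUSPICIOUS_THRESHOLD = 3                    # "appears suspiciously often": assumed value
UNUSUAL_FLAGS = {"SYN", "FIN", "XMAS"}      # flag patterns named by the reconnaissance rule

# Constructed asset model: network zone, criticality and known unpatched vulnerabilities.
ASSET_MODEL = {
    "192.0.2.10": {"zone": "dmz", "critical": False, "vulns": set()},
    "192.0.2.20": {"zone": "dmz", "critical": True, "vulns": {"VULN-PLACEHOLDER-1"}},
    "10.0.9.5": {"zone": "internal", "critical": True, "vulns": set()},
}
THREAT_INTEL_FEED = {"203.0.113.50"}        # constructed: known-bad external address from a feed


class PerimeterKillChain:
    """Short-term suspicious list, long-term threat-intel active list, compromised-host list."""

    def __init__(self, feed):
        self.suspicious = Counter()       # short-term list: source IP -> suspicious event count
        self.threat_intel = set(feed)     # long-term active list, seeded from the feed
        self.compromised = set()
        self.alerts = []

    def _suspect(self, ip, reason):
        """Reconnaissance and delivery rules feed the short-term list; repeat offenders
        are promoted to the threat-intel active list (the global rule)."""
        self.suspicious[ip] += 1
        if self.suspicious[ip] >= SUSPICIOUS_THRESHOLD and ip not in self.threat_intel:
            self.threat_intel.add(ip)
            self.alerts.append((ip, f"promoted to threat intel after {self.suspicious[ip]} events ({reason})"))

    def handle(self, ev):
        kind, src, dst = ev["type"], ev["src"], ev.get("dst")
        dst_asset = ASSET_MODEL.get(dst, {})
        # Reconnaissance rule 3: a known-bad source touching a DMZ asset is an event of interest.
        if src in self.threat_intel and dst_asset.get("zone") == "dmz":
            self.alerts.append((src, f"event of interest: known-bad source contacted DMZ asset {dst}"))
        if kind == "firewall" and ev.get("flags") in UNUSUAL_FLAGS:
            self._suspect(src, f"unusual TCP flags {ev['flags']}")            # recon rule 1
        elif kind == "ips_scan":
            self._suspect(src, "inbound network scan")                         # recon rule 2
        elif kind == "ips_exploit":
            self._suspect(src, f"exploit attempt {ev['signature']}")           # delivery rule 1
            if dst_asset.get("critical"):
                self.alerts.append((src, f"exploit attempt against critical asset {dst}"))  # delivery rule 2
            if ev.get("vuln_id") in dst_asset.get("vulns", set()):
                # Exploit matches a known vulnerability on the target: the source goes on the
                # threat-intel list and the destination on the compromised-host list.
                self.threat_intel.add(src)
                self.compromised.add(dst)
                self.alerts.append((dst, f"exploited via known {ev['vuln_id']} from {src}"))
        elif kind == "outbound" and dst in self.threat_intel:
            # Stage and Exfiltration rule: an internal host talking to a threat-intel address.
            self.compromised.add(src)
            self.alerts.append((src, f"outbound communication to threat-intel address {dst}"))

    def run(self, events):
        for ev in events:
            self.handle(ev)
        return self


# Constructed sample stream against the DMZ hosts in ASSET_MODEL.
SAMPLE_EVENTS = [
    {"type": "firewall", "src": "198.51.100.77", "dst": "192.0.2.10", "flags": "XMAS"},
    {"type": "ips_scan", "src": "198.51.100.77", "dst": "192.0.2.10"},
    {"type": "firewall", "src": "198.51.100.77", "dst": "192.0.2.20", "flags": "FIN"},
    {"type": "firewall", "src": "203.0.113.50", "dst": "192.0.2.10", "flags": "SYN"},
    {"type": "ips_exploit", "src": "198.51.100.88", "dst": "192.0.2.20",
     "signature": "SIG-PLACEHOLDER", "vuln_id": "VULN-PLACEHOLDER-1"},
    {"type": "ips_scan", "src": "198.51.100.99", "dst": "192.0.2.10"},   # one scan: suspicious only
    {"type": "outbound", "src": "10.0.9.5", "dst": "198.51.100.77"},
]


def run_sample():
    """198.51.100.77 is promoted after three events; 10.0.9.5 is flagged by its outbound traffic."""
    return PerimeterKillChain(THREAT_INTEL_FEED).run(SAMPLE_EVENTS)


if __name__ == "__main__":
    state = run_sample()
    for ip, reason in state.alerts:
        print(f"ALERT {ip}: {reason}")
    print("threat intel:", sorted(state.threat_intel))
    print("compromised:", sorted(state.compromised))
```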
This intelligence helps in informing recipients about the potential risks of opening emails from untrusted senders and supports actions like blacklisting the sender's email address to prevent further attacks. The document emphasizes the importance of situational awareness through pattern discovery using HP ArcSight for anomaly detection and continuous improvement in threat actor focus based on risk domain analysis, with a specific emphasis on security controls performance relative to organizational risks.

The passage discusses improving the performance of an email gateway as a security control by analyzing filtered events from harmful attachments detected by desktop antivirus and malware software. This is achieved through quantitative analysis, comparing shortlisted (active list) filtered events to assess the effectiveness of the email gateway in blocking malicious content.

Furthermore, the passage highlights the use of the HP SIEM kill chain for reusable use cases across different risks and phases, positioning each phase as a compensating security control that can be measured within a risk framework. This method not only helps save time and research but also reduces overhead and investment by allowing the reuse of existing use case rules for new threat vectors.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
