HPE Attack Lifecycle Use Case Methodology
- Pavan Raja

- Apr 8, 2025
- 9 min read
Summary:
This document outlines a comprehensive framework for cybersecurity that focuses on detecting potential cyber-attacks within an organization's network through various stages of an attacker's lifecycle. The rules are designed to identify anomalies in network communications and system behavior indicative of compromise or suspicious activity, focusing primarily on changes in user privileges, unauthorized access attempts, and communication patterns suggestive of lateral movement.
### Key Components:

1. **Internal Reconnaissance:** Rules for monitoring network communications from IPs added to shortlists in response to specific triggers like peer-to-peer communications, HTTPS mismatches, beaconing activities, and multiple internal-to-internal communications without prior known whitelist profiles.
2. **Lateral Movement:** Focused on identifying events such as Windows program audit events using netstat or psexec, and remote registry and WMI accesses that could indicate unauthorized access to other systems in the network.
3. **Establish Persistence:** Rules for monitoring changes in local host configurations through rules like policy event changes affecting file and folder access, internal communications on unknown channels, and large data downloads from uncommon external hosts with associated netflow anomalies or visits to suspicious websites.
4. **Exfiltration:** Actions such as the use of NTbackup for data extraction, registry accesses targeting the Windows SAM database, file movements across network shares, and email sending activities involving attachments larger than 100MB being sent to unknown recipients are monitored.
5. **Incident Response:** Specific events like alerts from host malware software lead to incident alerts that add compromised hosts to a list for further analysis. This helps in understanding if a single host has been involved in multiple attacks throughout its lifecycle.
6. **Threat Intelligence and Shortlists:** IPs identified as suspicious are added to shortlists, providing contextual information for better situational awareness during incident handling. These shortlists help filter false positives and prioritize high-priority alerts for further investigation.
7. **Use of Threat Intelligence:** Reusing case studies from previous examples across different stages of an attack life cycle helps in adapting to new threat vectors, with a focus on perimeter threats affecting the DMZ hosts.
8. **Layered Security Measures:** High-value assets have more robust controls while lower-value assets have less costly ones, ensuring comprehensive defense mechanisms throughout various stages of an attack.
9. **Efficiency and Effectiveness:** Improved coverage over false positives and negatives, enhanced situational awareness, reduced overhead due to fewer false alarms, and increased efficiency in responding to security incidents by focusing on actionable events.
10. **Continuous Threat Actor Evaluation:** Shortlists are created for specific types of suspicious activities, which can be used for reporting, visualization, and continuous threat actor evaluation.
### Benefits:

- **Enhanced Security Posture:** A more comprehensive defense mechanism that integrates multiple layers of security measures throughout various stages of an attack, improving the effectiveness and efficiency of handling potential threats.
- **Reduced Overhead:** Fewer false alarms lead to reduced operational overhead, allowing teams to focus on actionable events rather than irrelevant ones.
- **Adaptability:** Reusable use case rules across different risk stages make each phase a measurable security control with reduced overhead, saving time and resources when adapting to new threat vectors.
### Implementation:

1. **Define Rules for Each Stage:** Based on the attacker's lifecycle, define specific rules for internal reconnaissance, lateral movement, persistence establishment, and exfiltration.
2. **Implement Shortlists:** For each rule, identify triggers that would add IP addresses to shortlists for further scrutiny. This includes monitoring network anomalies, unauthorized access attempts, and changes in system configurations.
3. **Utilize Threat Intelligence:** Continuously update shortlists with threat intelligence feeds to ensure that the rules are always aligned with known malicious actors and patterns.
4. **Monitor and Analyze:** Regularly monitor network traffic and system logs for any anomalies that match the defined rules. Use automated tools and manual review processes to analyze suspicious activities.
5. **Incident Response:** When potential threats are detected, follow established incident response procedures to investigate further, contain the threat, and mitigate any damage caused by the attack.
6. **Continuous Improvement:** Regularly review and update the rules and shortlists based on new threat intelligence and changes in the cyber threat landscape.
By implementing this framework, organizations can significantly enhance their ability to detect, respond to, and recover from cyber-attacks, ensuring a more secure and resilient network infrastructure.
Details:
The document outlines the concept of an "Attack Life Cycle" methodology, which involves structuring intrusion analysis into stages similar to how diseases progress through stages in medical treatment. This method aids in creating actionable security intelligence by integrating various security events and data sets based on attacker actions such as penetration, lateral movement, credential access, privilege escalation, and data exfiltration.
The Attack Life Cycle Use Cases section details practical examples of applying this methodology:
The first example is a phishing use case where HPE's ArcSight ESM (Extended Security Manager) tool detects malicious emails that could lead to initial breach.
The second example involves reusable use cases for security products, showcasing how different stages of an attack can be chained together in the SIEM system to reduce false positives and negatives.
The document argues that focusing only on stopping an initial breach is insufficient; attackers often follow a multi-stage approach. By following an Attack Life Cycle methodology, security teams can improve their situational awareness, leading to better detection of subsequent stages such as command and control or data exfiltration events. This integrated approach allows for more effective management of both false positives and negatives in SIEM systems.
In summary, the document promotes using a structured "Attack Life Cycle" methodology instead of standalone use cases to enhance security analysis and response capabilities, particularly through the integration of diverse security tools and analytics.
HPE has developed a methodology centered around the event attack life cycle to enhance the capabilities of their ArcSight SIEM tool in supporting use case development and reducing manual analytics effort. This approach involves three main methodologies: Lockheed Martin's Cyber Kill Chain, Malware Forensics Kill Chain Method, and HPE Attack Life Cycle. These methods help describe security events within specific stages for intelligence gathering and use case development, as well as assisting in risk assessment within the attack life cycle.
The methodology includes several phases that are crucial to understanding cyber threats:
1. Reconnaissance: This initial phase involves researching targets, which can be non-intrusively through internet research or by active reconnaissance such as inbound scanning events. The HPE Attack Life Cycle specifically focuses on reconnaissance via anomaly communication from external sources to target hosts.
2. Weaponization: In this stage, a malicious payload is created by coupling remote access trojans with exploits, often using automated tools and delivered through client applications like Adobe PDF or Microsoft Office documents.
3. Delivery: The weaponized payload is transmitted to the target environment via email attachments, websites hosting malware, or USB devices. HPE considers specific events during delivery for potential payloads like spear phishing emails that exploit browser vulnerabilities.
4. Exploitation: Upon reaching the victim's host, exploitation triggers the adversary’s code by targeting application or system vulnerabilities, potentially installing a remote access trojan or backdoor to maintain persistence within the environment. This phase also includes exploitation of inbound events from external hosts into internal networks.
5. Installation: The final stage involves setting up a persistent presence in the compromised environment through installation activities like keylogging and command-and-control communications.
Overall, this methodology helps organizations better understand and respond to cyber threats by breaking down each phase of an attack, providing a structured approach for security analytics and incident response.
The HPE Attack Life Cycle, incorporating elements from Lockheed Martin and SANS Institute methodologies, is focused on understanding and mitigating cyber threats through a multi-faceted approach covering exploitation, installation, command-and-control (C2/C&C) communication and operations, exfiltration of data, and reconnaissance. The cycle emphasizes the importance of SIEM use cases to detect events from third-party vendor products like Intrusion Prevention Systems, Antivirus, and Antimalware, changes in operating systems, network communications, correlated vulnerability information, and asset model details.
The life cycle includes stages such as host exploitation, installation (remote access trojan or backdoor), internal to external binary acquisition, binary installation (malicious payload detection), C2 establishment (beacon outbound for internet control), internal to external command and control communication, actions on objectives (data exfiltration), and internal to internal or external outbound infection scanning. Each stage is crucial in understanding the progression of an attack from initial compromise to data theft or lateral movement within a network.
By using SIEM tools effectively, organizations can monitor potential breaches more closely and react promptly by deploying patches or updates for vulnerabilities that attackers exploit during these stages. This proactive approach helps in reducing the impact of cyber threats posed by advanced persistent threats (APTs) and other malicious actors.
The article describes the stages in the HPE Attack Life Cycle, which include Reconnaissance or anomaly communications, Attack Delivery, Host Exploitation and Binary Installation, Command and Control, and Local Compromise. These stages involve different types of use cases for event filtering and cross-event correlation.
For example, a Phishing Use Case involves shortlisting email attachments based on file type and sender's email address to identify potentially harmful files like Microsoft Excel or JPEG images. If the attachment is opened on a machine that accepts normal business file types but contains malware, it triggers incident alerts related to escalated antivirus and anti-malware software events. Additional rules detect registry changes and unknown processes spawned by the host, and correlate with source IP addresses for further analysis. This helps identify potential malicious activity such as local account creation or communication with blacklisted C&C servers.
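The phishing chain described above, worked through as an added example (this is not HPE's or ArcSight's code). It shortlists a mail when the attachment is a normal business file type but the sender is outside the trusted domains, and then raises an incident only for a shortlisted recipient host that shows an escalated antivirus event plus at least one further local indicator (registry change, unknown process, or contact with a blacklisted C&C address). The file-type list, sender domains, blacklist and event records are all constructed for the illustration.

```python
"""Added example (not HPE's or ArcSight's code): a phishing use case that chains
email-gateway shortlisting with host-side events. All policy values and events
below are constructed for the illustration."""
from collections import defaultdict

# Constructed policy: attachment types that normal business mail is expected to
# carry, and sender domains that are trusted (hypothetical domains).
BUSINESS_FILE_TYPES = {"xlsx", "xls", "docx", "pdf", "jpg", "jpeg"}
TRUSTED_SENDER_DOMAINS = {"corp.example", "partner.example"}
BLACKLISTED_C2 = {"203.0.113.9"}        # constructed C&C address (documentation range)


def shortlist_attachment(event):
    """Rule 1: shortlist a mail whose attachment is a business file type (the kind
    a gateway lets through) but whose sender is not in a trusted domain."""
    ext = event["attachment"].rsplit(".", 1)[-1].lower()
    domain = event["sender"].split("@")[-1].lower()
    return ext in BUSINESS_FILE_TYPES and domain not in TRUSTED_SENDER_DOMAINS


class PhishingUseCase:
    """Correlates shortlisted mails with later events from the receiving host."""

    def __init__(self):
        self.shortlist = {}                    # recipient host -> shortlisted mail
        self.host_indicators = defaultdict(set)
        self.raised = set()                    # hosts already escalated
        self.incidents = []

    def process(self, event):
        kind = event["type"]
        if kind == "email":
            if shortlist_attachment(event):
                self.shortlist[event["recipient_host"]] = event
            return None
        host = event["host"]
        if host not in self.shortlist:
            return None   # host never received a shortlisted mail: keep noise down
        inds = self.host_indicators[host]
        if kind == "av_alert" and event.get("severity") == "escalated":
            inds.add("av")
        elif kind == "registry_change":
            inds.add("registry")
        elif kind == "process_start" and not event.get("signed", True):
            inds.add("unknown_process")
        elif kind == "netflow" and event.get("dst_ip") in BLACKLISTED_C2:
            inds.add("c2_contact")
        # Incident: escalated AV event plus at least one more local indicator.
        if "av" in inds and len(inds) >= 2 and host not in self.raised:
            self.raised.add(host)
            incident = {"host": host, "source_ip": event["src_ip"],
                        "mail_sender": self.shortlist[host]["sender"],
                        "indicators": sorted(inds)}
            self.incidents.append(incident)
            return incident
        return None


# Constructed sample events in arrival order.
SAMPLE_EVENTS = [
    {"type": "email", "sender": "billing@corp.example", "recipient_host": "ws-01",
     "attachment": "invoice.xlsx"},                       # trusted sender: not shortlisted
    {"type": "email", "sender": "hr@mail-notice.test", "recipient_host": "ws-02",
     "attachment": "bonus_plan.xls"},                     # shortlisted
    {"type": "av_alert", "host": "ws-01", "src_ip": "10.0.0.11", "severity": "escalated"},
    {"type": "av_alert", "host": "ws-02", "src_ip": "10.0.0.12", "severity": "escalated"},
    {"type": "process_start", "host": "ws-02", "src_ip": "10.0.0.12",
     "image": "C:\\Users\\Public\\upd.exe", "signed": False},
]


def run_demo():
    """Replays the constructed events and returns the incidents raised."""
    uc = PhishingUseCase()
    return [inc for inc in (uc.process(e) for e in SAMPLE_EVENTS) if inc]


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

The escalated AV event on ws-01 is dropped because that host only ever received mail from a trusted sender; the same event on ws-02 is kept, and the unsigned process that follows turns it into an incident. That asymmetry is what the shortlist buys: the host-side rules are unchanged, but they only count for hosts the earlier stage already flagged.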
The text outlines a series of rules and procedures for detecting potential cyber-attacks within an organization's network, based on specific stages of an attacker's lifecycle from internal reconnaissance to data exfiltration. These rules are designed to identify anomalies in network communications and system behavior that may indicate compromise or suspicious activity.
The rules primarily focus on monitoring changes in user privileges, unauthorized access attempts through compromised accounts, and communication patterns indicative of lateral movement. Specific actions include adding IP addresses to shortlists (shortlist 1 and shortlist 2) for further scrutiny and triggering incident alerts upon repeated occurrences or anomalies detected.
For instance:
**Internal Reconnaissance** involves monitoring network communications from IPs added to the shortlists in response to rules like peer-to-peer communications, HTTPS mismatches, beaconing activities, and multiple internal-to-internal communications without prior known whitelist profiles.
**Lateral Movement** is focused on identifying events such as Windows program audit events using netstat or psexec, remote registry and WMI accesses, which could indicate unauthorized access to other systems in the network.
**Establish Persistence** involves monitoring changes in local host configurations through rules like policy event changes affecting file and folder access, internal communications on unknown channels, and large data downloads from uncommon external hosts with associated netflow anomalies or visits to suspicious websites.
**Exfiltration** includes actions such as the use of NTbackup for data extraction, registry accesses that potentially target the Windows SAM (Security Accounts Manager) database, file movements across network shares, and email sending activities involving attachments larger than 100MB being sent to unknown recipients.
Each rule aims to detect specific patterns indicative of an attack or suspicious activity, with actions including adding IP addresses to shortlists for further review and alerting on repeated occurrences or significant anomalies. These rules are part of a broader strategy for network security monitoring and incident response, designed to help organizations proactively identify potential threats and respond accordingly.
The document outlines how security operations can identify potential threats and generate incidents based on hosts with multiple indicators of compromise, which are highlighted by grey lines in diagrams. Specific events, such as alerts from host malware software, lead to incident alerts that add the compromised host to a list for further analysis. This approach helps the team understand if a single host has been involved in multiple attacks throughout its lifecycle.
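The stage rules and shortlists described above, and the "multiple indicators on one host" incident logic, as an added example (not HPE's or ArcSight's code). Each rule tags the source host with a life-cycle stage and a shortlist; an incident is raised when one host shows indicators from two or more stages inside a time window, or when a single rule fires repeatedly for that host. The rule predicates, thresholds, whitelist, window and event records are constructed assumptions for the illustration.

```python
"""Added example (not HPE's or ArcSight's code): stage-based shortlist correlation.
Rules, thresholds, whitelist and events are constructed for the illustration."""
from collections import defaultdict

WINDOW_SECONDS = 3600          # constructed correlation window
REPEAT_THRESHOLD = 3           # repeats of one rule that alone justify an alert
SAM_PREFIX = "HKLM\\SAM"       # registry subtree of the Security Accounts Manager
INTERNAL_WHITELIST = {("10.0.0.5", "10.0.0.6")}   # constructed known internal peers


def is_internal(ip):
    return ip.startswith("10.")


def large_mail_to_unknown(e):
    return (e["type"] == "email" and e.get("attachment_bytes", 0) > 100 * 1024 * 1024
            and e.get("recipient_known") is False)


# Each rule: (stage, shortlist it feeds, rule name, predicate over one event).
RULES = [
    ("internal_recon", "shortlist1", "p2p_or_beacon",
     lambda e: e["type"] == "netflow" and e.get("pattern") in {"p2p", "beacon"}),
    ("internal_recon", "shortlist1", "internal_scan",
     lambda e: e["type"] == "netflow" and is_internal(e["src_ip"])
     and is_internal(e["dst_ip"]) and (e["src_ip"], e["dst_ip"]) not in INTERNAL_WHITELIST),
    ("lateral_movement", "shortlist2", "admin_tool",
     lambda e: e["type"] == "win_audit"
     and e.get("process", "").lower() in {"netstat.exe", "psexec.exe"}),
    ("lateral_movement", "shortlist2", "remote_registry_or_wmi",
     lambda e: e["type"] == "win_audit" and e.get("channel") in {"remote_registry", "wmi"}),
    ("persistence", "shortlist2", "access_policy_change",
     lambda e: e["type"] == "policy_change" and e.get("object") in {"file", "folder"}),
    ("exfiltration", "shortlist2", "ntbackup",
     lambda e: e["type"] == "win_audit" and e.get("process", "").lower() == "ntbackup.exe"),
    ("exfiltration", "shortlist2", "sam_registry_access",
     lambda e: e["type"] == "registry_access" and e.get("key", "").upper().startswith(SAM_PREFIX)),
    ("exfiltration", "shortlist2", "large_mail_to_unknown", large_mail_to_unknown),
]


class LifeCycleCorrelator:
    def __init__(self):
        self.shortlists = defaultdict(set)   # list name -> hosts
        self.hits = defaultdict(list)        # host -> [(ts, stage, rule)]
        self.raised = set()                  # (host, stages, repeated) already reported
        self.incidents = []

    def process(self, event):
        host = event["src_ip"]
        fired = False
        for stage, shortlist, name, pred in RULES:
            if pred(event):
                self.shortlists[shortlist].add(host)
                self.hits[host].append((event["ts"], stage, name))
                fired = True
        return self._evaluate(host, event["ts"]) if fired else None

    def _evaluate(self, host, now):
        recent = [h for h in self.hits[host] if now - h[0] <= WINDOW_SECONDS]
        stages = tuple(sorted({s for _, s, _ in recent}))
        counts = defaultdict(int)
        for _, _, r in recent:
            counts[r] += 1
        repeated = tuple(sorted(r for r, c in counts.items() if c >= REPEAT_THRESHOLD))
        key = (host, stages, repeated)
        if (len(stages) >= 2 or repeated) and key not in self.raised:
            self.raised.add(key)
            incident = {"host": host, "stages": list(stages), "repeated_rules": list(repeated),
                        "on_lists": sorted(l for l, m in self.shortlists.items() if host in m)}
            self.incidents.append(incident)
            return incident
        return None


# Constructed sample events (ts in seconds).
SAMPLE_EVENTS = [
    {"ts": 1000, "type": "netflow", "src_ip": "10.0.0.12", "dst_ip": "10.0.0.20", "pattern": "beacon"},
    {"ts": 1300, "type": "win_audit", "src_ip": "10.0.0.12", "process": "psexec.exe"},
    {"ts": 2000, "type": "email", "src_ip": "10.0.0.30", "attachment_bytes": 150 * 1024 * 1024,
     "recipient_known": False},                       # single stage: shortlisted, no incident
    {"ts": 5000, "type": "netflow", "src_ip": "10.0.0.5", "dst_ip": "10.0.0.6", "pattern": "normal"},
    {"ts": 6000, "type": "netflow", "src_ip": "10.0.0.40", "dst_ip": "10.0.0.21", "pattern": "normal"},
    {"ts": 6010, "type": "netflow", "src_ip": "10.0.0.40", "dst_ip": "10.0.0.22", "pattern": "normal"},
    {"ts": 6020, "type": "netflow", "src_ip": "10.0.0.40", "dst_ip": "10.0.0.23", "pattern": "normal"},
]


def run_demo():
    """Replays the constructed events and returns the incidents raised, in order."""
    c = LifeCycleCorrelator()
    return [inc for inc in (c.process(e) for e in SAMPLE_EVENTS) if inc]


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

Two incidents come out of the replay: the host that beacons and then runs psexec (two stages, on both shortlists) and the host that probes three unwhitelisted internal peers (one rule repeated). The oversized mail to an unknown recipient only lands its host on shortlist2; it becomes an incident only if a second stage or a repeat follows, which is the false-positive filtering the shortlists are meant to provide.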
The document suggests reusing case studies (use cases) from previous examples across different stages of an attack life cycle and applying them to new threat vectors, like perimeter threats affecting DMZ hosts. It emphasizes the importance of layered security measures in mitigating risk, with high-value assets having more robust controls while lower-value assets have less costly ones.
The document provides example use cases for reconnaissance (anomaly communications) and attack delivery stages:
For reconnaissance, rules are defined to monitor suspicious IP addresses based on attempts at making unusual network connections or scans. If these actions match known bad IPs from threat intelligence lists, the IP is added to a short list of suspicious addresses.
In the attack delivery stage, rules focus on detecting exploitation attempts towards sensitive or priority assets, adding the source IP to the suspicious list if detected by the Intrusion Prevention System (IPS). The addition to this list helps in filtering false positives and prioritizes high-priority alerts for further investigation.
The provided text discusses the concept of using an "attack life cycle" approach within security systems, particularly as it relates to alerting mechanisms and threat intelligence. It outlines several rules for detecting potential threats, such as monitoring outbound communications from compromised IP addresses, adding these to a list of known threats, and creating shortlists with contextual information for better situational awareness during incident handling.
The benefits of this approach include improved coverage over false positives and negatives, enhanced situational awareness, reduced overhead due to fewer false alarms, and increased efficiency in responding to security incidents by focusing on actionable events rather than irrelevant ones. The text also mentions the creation of shortlists for specific types of suspicious activities (like opening emails from untrusted senders) and how such lists can be used for reporting, visualization, and continuous threat actor evaluation.
In summary, this approach aims to provide a more comprehensive defense mechanism by integrating multiple layers of security measures throughout various stages of an attack, thereby improving the effectiveness and efficiency of handling potential threats in a layered manner that closely follows the lifecycle of an attack.
This section explains how antivirus and anti-malware software events can be analyzed against the email gateway's active lists of filtered events, which helps in detecting harmful attachments. It also describes how the HPE Attack Life Cycle allows use case rules to be reused across different risk stages, making each phase a measurable security control with reduced overhead. The benefits include saving time and resources when adapting to new threat vectors.