
Investigate 2.20 Demo Script

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 11 min read

Summary:

The document is a detailed history of updates for a demo script used with ArcSight Investigate software, focusing on how to investigate potential security issues related to Domain Generation Algorithms (DGA). Here's a breakdown and summary of the key points:

### Document Overview

The document outlines steps taken in an investigation using ArcSight Investigate to identify potential malware-related activities. The primary focus is on detecting malicious DNS communication through DGA domains, which are generated by malware to avoid traditional signature-based detection.

### Key Steps and Tools Used

1. **Subnet Traffic Analysis**: Focused on outbound traffic from the subnet 172.16.135.* in April, excluding Microsoft DNS traffic using a specific filter for DGA vendors.

2. **Visualization of Outgoing Bytes**: Created an area chart comparing bytes out over time for host 172.16.135.52 against the rest of the subnet to highlight potential anomalies.

3. **Host Profiling**: Identified that all SSH traffic, both legitimate and potentially compromised, was directed towards unknown sites via a single destination hostname, leading to the identification of the source machine as workstation-contrator-3752.hkfinancial.local, part of a contractor subnet.

4. **Traffic Volume Comparison**: Visualized discrepancies in traffic volume between the problematic host and its peers, suggesting potential data exfiltration and confirming security concerns within the organization.

### Tool: ArcSight Investigate

- **Purpose**: A tool providing advanced search and visualization features to help cybersecurity analysts conduct thorough investigations quickly.
- **Features**: Includes built-in analytics capabilities, easy-to-use search and visualization tools, and support for multiple fields and types of data.

### Updates and Versions

The document includes detailed information about various versions from May 2017 to May 2018, detailing changes made in response to updates in ArcSight Investigate software versions:

- **Version 6.0** (May 7, 2018): Updated for ArcSight Investigate 2.10 and added new scenarios such as the Host Profiler Demo and the DGA Scenario.
- **Version 5.0** (March 3, 2018): Improved the scenario for comparing outbound data against possibly infected hosts and updated to version 2.01 of ArcSight Investigate.
- **Version 4.1** (November 16, 2017): Converted to a Micro Focus template and branding; added use cases demonstrating new features introduced in version 2.0 of ArcSight Investigate.
- **Version 4.0** (October 27, 2017): Updated for ArcSight Investigate 2.0 with new capabilities.
- **Version 3.0** (August 10, 2017): Updated to version 1.10 of ArcSight Investigate, with minor adjustments to use cases.
- **Version 2.0** (June 20, 2017): Added the Intuitive Use Case and the Total Bytes Use Case.
- **Version 1.0** (May 31, 2017): The first release, addressing a bug related to "Starts With/Contains" in ArcSight Investigate 1.0.

### Contact Information

For support or further information:

- Company Name: Micro Focus International plc
- Registered Address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q (England and Wales)
- Registration Number: 5134647
- Contact Email: arst-gfs@microfocus.com

### Trademarks

The document notes that "MICRO FOCUS" and the Micro Focus logo are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in certain countries, while other marks are the property of their respective owners.

This summary provides a clear overview of how to use ArcSight Investigate for DGA-related investigations and highlights the software's capabilities in dealing with complex cybersecurity issues through user-friendly tools and advanced features.

Details:

ArcSight Investigate Demonstration Script V7 - October 2018

**Contents:**

1. **Set up and Configuration Notes**

  • Overview of the demonstration setup and configuration requirements for running ArcSight Investigate.

  • Instructions to update local hosts file on Windows host machines for DNS resolution.

  • Network settings for NATs in VMware Workstation.

  • Accessing the Investigate interface via URL or IP address.

  • System memory recommendations and SSD drive usage advice.

2. **Overview**

  • A brief introduction to the demonstration scripts provided, which include screenshots of the PowerPoint presentation used during the demo.

3. **Intuitive Search – Simpler, easier, more natural syntax**

  • Demonstration of how ArcSight Investigate's intuitive search feature simplifies and accelerates data searches using a conversational approach.

  • Examples of dynamic field suggestions based on partial input queries.

4. **Comparing Outbound Data Baseline Against Possibly Infected Host**

  • Use case illustrating the comparison of outbound network traffic data against potential indicators of infection to identify compromised hosts or suspicious activities.

5. **Find the User**

  • Demonstration of how Investigate can quickly locate and profile users based on search inputs, useful for incident response and user-based investigations.

6. **Look Up Lists – Using External Lists with Investigate Searches**

  • Exploring the integration of external lists into Investigate searches to enhance investigation capabilities by leveraging additional data sources.

7. **Root Cause Analysis**

  • Techniques for performing root cause analysis using ArcSight's platform, focusing on how Investigate aids in uncovering deeper system issues and anomalies.

8. **Host Profiler: Host-based or Port-based Analytics at Scale**

  • A detailed look into the host profiling capabilities of Investigate, which can analyze both local and remote hosts for security insights.

9. **Analytics: DNS Domain Generating Algorithm (DGA) detection**

  • Demonstration of how Investigate detects domains generated by algorithms that are often used in malware to evade detection.

10. **Summary**

  • Recap of key features and capabilities demonstrated during the script, highlighting the efficiency and effectiveness of ArcSight Investigate 2.20.

11. **Revision History**

  • A list of updates, changes, or corrections made to this document since its previous version.

12. **Micro Focus Trademark Information**

  • Legal details about the use of Micro Focus trademarks and copyright information relevant to the content provided in this script.

13. **Company Details**

  • General information about the company, ArcSight, providing background on its products and services including Investigate.

This document serves as a guide for users to understand how to set up and use ArcSight Investigate 2.20 effectively through practical demonstrations and scenarios outlined in this script.

ArcSight Investigate's intuitive search feature simplifies network security analysis by allowing users to input vague search terms, which are then interpreted and refined automatically by the software. The system can recognize whether a term is likely a hostname, a domain name, or a specific field such as a port number or IP address. It adjusts suggestions based on numerical sequences (like adding digits), decimal points (suggesting floating-point searches), or special characters (offering IP-address-related options). This flexibility in interpretation and search refinement helps analysts quickly narrow down large volumes of data to identify relevant events such as system calls, network communications, or user actions associated with a particular device or domain.

For example, starting with a simple term such as '1', the software understands this is likely a number rather than text, suggesting port numbers or other numeric fields. Adding more digits (like '12') directs the search towards specific port numbers. Introducing a period ('.'), as in '12.', suggests searches related to IP addresses, expanding the focus from generic numbers to network-related data such as source and destination IPs. This dynamic interpretation of input allows for efficient exploration of network events without requiring extensive prior knowledge about syntax or field names.

The provided text outlines a procedure for analyzing network traffic using a security analytics tool, Investigate 2.10, focusing on specific workstations through saved searches and filters. Here's a summarized version of the steps outlined:

1. **Applying Filters**: Start by applying filters to narrow down the search results. If only one filter is defined, click "Apply". Multiple filters can be modified and updated for quicker investigation.

2. **Analyzing Traffic Protocols**: Add a filter for Application Protocol != (Null) to understand which protocols are in use by the workstations. Note that inbound flows might not initially interest analysts; the focus is on outbound traffic volume.

3. **Identifying Anomalies**: Observe anomalies in traffic volumes and interesting destination addresses. Highlight references to FTP traffic, noting potential residential ISP addresses as significant observations for further investigation.

4. **Baseline Comparison**: Clear the search panel and compare this workstation's behavior with others by removing the previous filters. This baseline comparison helps identify any irregularities.

5. **Visualizing Data**: Use prebuilt security analytics or create custom visualizations. For instance, add charts for Bytes Out by Source Address and Destination Activity -> Bytes Out by Destination Address to understand traffic distribution and potential anomalies.

6. **Highlighting Anomalies**: Point out specific data that suggests anomalies, such as a single host (10.0.111.24) dominating the outbound traffic. This is a "red flag" for further investigation.

7. **Assessing Traffic Destinations and Protocols**: Analyze Bytes Out by Destination Address to understand where most of the data is going, noting that external addresses receive the majority of the organization's data. Consider application protocols to infer activity types (malicious or legitimate).

8. **Custom Visualizations**: Create custom visualizations such as vertical bar charts for Bytes Out by Destination Port to further analyze traffic distribution and identify anomalies such as a high percentage of FTP traffic leaving the organization.

Overall, this process involves using filters to narrow down search results, analyzing specific data points, and visually representing findings to quickly identify potential security issues or unusual activity in network traffic.

This document outlines a procedure for using ArcSight Investigate to analyze network traffic and user activity. The goal is to investigate an anomalous workstation with the IP address 10.0.111.24 by following these steps:

1. **Add a new series** in the software, naming it "Workstation24."

2. **Change the aggregation** from average(Bytes Out) to sum(Bytes Out) for this series.

3. **Filter by source address** 10.0.111.24 and visualize the data.

4. Notice a large spike in bytes out for the workstation, indicating potential issues.

5. To understand why there is such high traffic, check which user was logged into the machine during these behaviors.

6. Use ArcSight Investigate to trace network activity from the source address to specific users. Enter the search term "Source Address equals 10.0.111.24." Set the default field and time frame, then click 'Search.' The results should list nearly 400 events related to this IP address.

7. From these events, identify a user (in this case, 'dpool') who was logged in when the anomalous behavior occurred.

8. Investigate further by using lookup lists to see all events for the source address and count them. This helps show which external hosts are receiving most of the traffic. Execute a search using different terms such as "Source Address equals 10.0.111.24" or similar, expecting approximately 14 events in total.

9. Focus on the Destination Hostname field to identify and compare the external hosts that receive significant data volume from Workstation24.

The document emphasizes using ArcSight Investigate's capabilities to explore relationships between network addresses and users, providing a powerful tool for security analysis and troubleshooting network issues.
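The baseline comparison in steps 4 to 8 and the Workstation24 series (sum(Bytes Out) per source, host versus its peers, FTP and external share, bytes out over time) can be reproduced outside the product. The following Python is an added example, not code from the demo script or ArcSight: the flow events are constructed, the field names are shortened stand-ins for the Investigate fields, and `ORG_NET` is an assumed organisation address range.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow events modelled on the fields the demo charts use
# (Source Address, Destination Address, Destination Port, Application
# Protocol, Bytes Out) plus a day bucket. All values are invented here.
ORG_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed organisation address space
EVENTS = [
    {"day": "04-02", "src": "10.0.111.24", "dst": "10.0.1.5",     "dport": 443, "proto": "https", "bytes_out": 3_000_000},
    {"day": "04-03", "src": "10.0.111.24", "dst": "203.0.113.9",  "dport": 21,  "proto": "ftp",   "bytes_out": 900_000_000},
    {"day": "04-03", "src": "10.0.111.24", "dst": "203.0.113.9",  "dport": 21,  "proto": "ftp",   "bytes_out": 650_000_000},
    {"day": "04-02", "src": "10.0.111.31", "dst": "10.0.1.5",     "dport": 443, "proto": "https", "bytes_out": 4_000_000},
    {"day": "04-03", "src": "10.0.111.31", "dst": "198.51.100.7", "dport": 80,  "proto": "http",  "bytes_out": 2_500_000},
    {"day": "04-02", "src": "10.0.111.40", "dst": "10.0.1.5",     "dport": 443, "proto": "https", "bytes_out": 5_000_000},
    {"day": "04-03", "src": "10.0.111.40", "dst": "198.51.100.7", "dport": 80,  "proto": "http",  "bytes_out": 1_000_000},
    {"day": "04-03", "src": "10.0.111.55", "dst": "10.0.1.5",     "dport": 443, "proto": "https", "bytes_out": 3_500_000},
]

def sum_bytes_out(events, key):
    """sum(Bytes Out) grouped by one field, e.g. the 'Bytes Out by Source Address' chart."""
    totals = defaultdict(int)
    for e in events:
        totals[e[key]] += e["bytes_out"]
    return dict(totals)

def share_of_total(events, key):
    """Fraction of all outbound bytes attributed to each value of `key`."""
    totals = sum_bytes_out(events, key)
    grand = sum(totals.values())
    return {k: v / grand for k, v in totals.items()}

def dominant_sources(events, threshold=0.5):
    """Hosts that alone send more than `threshold` of all outbound bytes: the demo's red flag."""
    return sorted(h for h, s in share_of_total(events, "src").items() if s > threshold)

def host_vs_peer_ratio(events, host):
    """Baseline comparison: one host's sum(Bytes Out) divided by the mean of its peers."""
    totals = sum_bytes_out(events, "src")
    peers = [v for h, v in totals.items() if h != host]
    return totals.get(host, 0) / (sum(peers) / len(peers))

def external_share(events):
    """Fraction of outbound bytes whose destination lies outside ORG_NET."""
    shares = share_of_total(events, "dst")
    return sum(s for dst, s in shares.items() if ipaddress.ip_address(dst) not in ORG_NET)

def daily_host_vs_rest(events, host):
    """Per-day series behind the area chart: (host bytes out, rest-of-subnet bytes out)."""
    series = defaultdict(lambda: [0, 0])
    for e in events:
        series[e["day"]][0 if e["src"] == host else 1] += e["bytes_out"]
    return {day: tuple(v) for day, v in sorted(series.items())}

if __name__ == "__main__":
    print("dominant sources:", dominant_sources(EVENTS))
    print("host vs peers:", round(host_vs_peer_ratio(EVENTS, "10.0.111.24"), 1))
    print("FTP share of bytes out:", round(share_of_total(EVENTS, "dport")[21], 3))
    print("external share:", round(external_share(EVENTS), 3))
    print("daily series:", daily_host_vs_rest(EVENTS, "10.0.111.24"))
```

The same per-source sum and host-versus-rest series is what the later DGA scenario builds for the 172.16.135.* subnet and host 172.16.135.52.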
The provided text discusses a series of steps and actions taken during an investigation using ArcSight Investigate, focusing on narrowing down potential issues with a workstation (Workstation 24) based on certain criteria. Here's a summarized version of the key points discussed in the text:

1. **Initial Setup**: A saved search was created to focus on events related to Workstation 24 within the year 2018. The search parameters included the source address (10.0.111.24) and a date range covering the entire calendar year of 2018.

2. **Scenario**: The saved search was used again for a specific period, including the month of April 2018. This revealed two clusters of events within this timeframe.

3. **Focus on McAfee Events**: To narrow down to relevant McAfee events only, the search query was updated to include only McAfee-related entries for the same date range (April 2018). A new fieldset containing 'File Name' and other related fields was created to better understand the nature of the events.

4. **File Scan Issues**: The analysis highlighted several executable files on the workstation that were associated with a suspicious name, run from the user's temporary folder over FTP. This indicated potential malware presence.

5. **Device Vendor Analysis**: Further investigation involved looking at device vendor information and the web browsing habits of the user around the same time period to trace how the file was introduced onto the system. The Destination Host Name field revealed unusual references, leading to further exploration through the Request URL field.

6. **Visualization and Exporting Evidence**: Visualizations within ArcSight Investigate were used to help understand the issue better. Eventually, evidence was exported in PDF format for inclusion in a case management tool (ESM) as part of the investigation.

7. **Root Cause Analysis**: The final step involved performing root cause analysis by focusing on how and why the workstation was infected. This process included reviewing device information, web browsing history, and other relevant logs to trace the infection back to its source.

The text emphasizes the use of ArcSight Investigate for efficient event management and visualization during investigations, highlighting its ability to narrow down search results based on specific criteria and providing visual aids such as field sets and export options to aid in detailed reports.

The provided text discusses two main topics in Investigate analytics: Host Profiler and DNS Domain Generating Algorithm (DGA) detection. Both are part of the "Insight Analytics" included in Investigate, aiming to provide quicker insights into potentially malicious activities without deep analysis.

1. **Host Profiler**: This feature allows users to profile hosts within their organization or externally connected internet hosts. The setup involves specifying a time range for profiling, using default ranges such as 24 hours or customizing to "All Time." The scenario demonstrates how to use Host Profiler to investigate connections, switching from the default 24-hour window to "All Time" to find more detailed results. It highlights that only Workstation 24 has interacted with a suspicious website, suggesting potential infection and suggesting that the site be added to a proxy block list.

2. **DNS Domain Generating Algorithm (DGA) detection**: This feature in Investigate helps identify DGA-related activity, which is crucial for detecting malware attempting to communicate through DNS lookups. The setup involves accessing "DNS Analysis" under the Insights section of Investigate. The scenario shows how pre-populated charts and widgets provide immediate insights into hosts potentially infected by malware via DGA domains. For example, a host (172.16.135.52) stands out with high numbers in unique DGA domain counts and outbound DNS traffic, indicating a possible infection that could be further investigated using Host Profiler.
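The DGA widget above ranks hosts by their count of unique DGA domains and DNS volume. As an added illustration, not the product's analytics and not code from the demo script, the following Python profiles a constructed DNS query log the same way: a simple lexical heuristic (label length, Shannon entropy, vowel ratio) stands in for Investigate's DGA model, and `EXCLUDED_SUFFIXES` is an assumed stand-in for the demo's "exclude Microsoft DNS" vendor filter.

```python
import math
from collections import defaultdict

# Constructed DNS query log (timestamp, client, query name, response code).
# Invented for this example; it is not data from the demo environment.
DNS_LOG = """\
2018-04-12T10:01:03 172.16.135.52 qwe8zk1pa0vb3x.net NXDOMAIN
2018-04-12T10:01:04 172.16.135.52 m3h7yq0ztxaw92.com NXDOMAIN
2018-04-12T10:01:05 172.16.135.52 c9f1pvkz07hdqm.info NXDOMAIN
2018-04-12T10:01:06 172.16.135.52 xu71ojb2wr0fkdn.org NOERROR
2018-04-12T10:01:07 172.16.135.52 qwe8zk1pa0vb3x.net NXDOMAIN
2018-04-12T10:02:00 172.16.135.52 www.microsoft.com NOERROR
2018-04-12T10:02:10 172.16.135.17 update.microsoft.com NOERROR
2018-04-12T10:02:11 172.16.135.17 www.example.com NOERROR
2018-04-12T10:02:12 172.16.135.17 fileshare.hkfinancial.local NOERROR
2018-04-12T10:03:00 172.16.135.80 www.example.com NOERROR
2018-04-12T10:03:01 172.16.135.80 typo-examplee.com NXDOMAIN
"""

# Assumed stand-in for the demo's "exclude Microsoft DNS" vendor filter.
EXCLUDED_SUFFIXES = ("microsoft.com",)

def registered_label(fqdn):
    """Label left of the TLD ('www.example.com' -> 'example'); multi-part TLDs are ignored here."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_generated(label):
    """Lexical heuristic: long, high-entropy, vowel-poor labels are treated as DGA-like.
    This stands in for Investigate's DGA analytics; it is not that product's algorithm."""
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.3 and vowel_ratio < 0.25

def parse_log(text):
    for line in text.splitlines():
        ts, client, qname, rcode = line.split()
        yield {"ts": ts, "client": client, "qname": qname, "rcode": rcode}

def profile_hosts(records):
    """Per client: query count, unique DGA-like domains, NXDOMAIN count (excluded suffixes skipped)."""
    stats = defaultdict(lambda: {"queries": 0, "dga_domains": set(), "nxdomain": 0})
    for r in records:
        if r["qname"].lower().endswith(EXCLUDED_SUFFIXES):
            continue
        s = stats[r["client"]]
        s["queries"] += 1
        s["nxdomain"] += r["rcode"] == "NXDOMAIN"
        if looks_generated(registered_label(r["qname"])):
            s["dga_domains"].add(r["qname"].lower())
    return {c: {"queries": s["queries"], "unique_dga": len(s["dga_domains"]), "nxdomain": s["nxdomain"]}
            for c, s in stats.items()}

def ranked_by_dga(text):
    """Hosts ordered like the demo's widget: most unique DGA-like domains first."""
    prof = profile_hosts(parse_log(text))
    return sorted(prof.items(), key=lambda kv: (-kv[1]["unique_dga"], -kv[1]["nxdomain"], kv[0]))

if __name__ == "__main__":
    for host, s in ranked_by_dga(DNS_LOG):
        print(host, s)
```

The NXDOMAIN count is carried alongside the unique-domain count because DGA clients typically fail most of their lookups, which is a useful second signal when the lexical heuristic is uncertain.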
In summary, both features are user-friendly tools that offer quick insights into potential malicious activities without requiring extensive analysis. They help analysts quickly assess the risk posed by certain hosts or domains connected to malware beaconing mechanisms.

This document outlines a series of steps taken to investigate potential security issues on host 172.16.135.52, which appears to be attempting to resolve multiple domains generated by Domain Generation Algorithms (DGA). The investigation is conducted using Investigate, which supports advanced search and visualization features for cybersecurity analysts.

The analysis began with a comparison of traffic out from the subnet 172.16.135.* during April, focusing on outgoing bytes by source address. The data was filtered to exclude Microsoft DNS-based traffic using a DGA vendor filter that the script does not name. A new visualization was created to compare bytes out over time for host 172.16.135.52 against the rest of the subnet using an area chart.

Further analysis revealed that all SSH traffic, both legitimate and potentially compromised, was directed towards unknown sites via a single destination hostname. This led to identifying the source machine as workstation-contrator-3752.hkfinancial.local, which is part of a contractor subnet.

The investigation concluded with visualizations showing discrepancies in traffic volume between the problematic host and its peers, highlighting potential data exfiltration and confirming security concerns within the organization. The document emphasizes using Investigate for efficient incident response by combining built-in analytics capabilities with easy-to-use search and visualization tools. It highlights how to conduct a thorough investigation across multiple fields and types of data, leveraging advanced templates to visualize key event information promptly. The process is designed to be completed quickly even when dealing with extensive datasets, without the long wait times associated with traditional methods.

This document is a history of updates for a demo script used with the ArcSight Investigate software. Here's a summary of the key points:

  • **Version 6.0** (May 7, 2018): Updated for ArcSight Investigate 2.10. Added Host Profiler Demo and DGA Scenario.

  • **Version 5.0** (March 3, 2018): Improved the scenario for comparing outbound data against possibly infected hosts. The document was updated to reflect version 2.01 of ArcSight Investigate.

  • **Version 4.1** (November 16, 2017): Converted to a Micro Focus template and branding. Added use cases demonstrating new features introduced in version 2.0 of ArcSight Investigate.

  • **Version 4.0** (October 27, 2017): Updated for ArcSight Investigate 2.0, including use cases that showcase the software's new capabilities. Note: Time zone issues might affect users outside North America.

  • **Version 3.0** (August 10, 2017): Updated for version 1.10 of ArcSight Investigate. Reordered some use cases to improve readability and removed certain use cases.

  • **Version 2.0** (June 20, 2017): Added Intuitive Use Case and Total Bytes Use Case.

  • **Version 1.0** (May 31, 2017): The first release of the demo script for ArcSight Investigate 1.0, addressing a "Starts With/Contains" bug noted as HERC-3474.

Additionally, there's information about contacting Micro Focus at arst-gfs@microfocus.com and details on company registration and trademarks:

  • Company name: Micro Focus International plc

  • Place of registration: England and Wales

  • Registered number: 5134647

  • Registered address: The Lawn, 22-30 Old Bath Road, Berkshire, RG14 1Q.

  • MICRO FOCUS and the Micro Focus logo are trademarks or registered trademarks of Micro Focus (IP) Limited or its subsidiaries in certain countries; other marks are property of their respective owners.

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
