
JN Data Use Case Modelling Analysis Version 0.1

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 22 min read

Summary:

The passage provides a detailed explanation of how to implement a Security Information and Event Management (SIEM) system using the HP SIEM kill chain methodology to enhance cybersecurity by improving threat detection and reducing false positives. Here’s an overview of the main points discussed in the passage:

1. **Suspicious IP Address Shortlist**: If an IP address appears on this shortlist more than once, it is added to the threat intelligence active list for longer-term monitoring and management of potential threats.

2. **Rules for Event Creation**:

  • Rule 1: Add the source IP address from hosts that attempt to exploit a system as indicated by the IPS (e.g., attempts to breach the firewall or access restricted areas) to the suspicious IP address shortlist.

  • Rule 2: Alert if the source IP attempts to exploit a sensitive or priority asset, defined in the company’s asset model; this triggers further investigation using manual human analytics due to the asset's high priority.

  • Rule 3: Raise an alert and add the source IP address to the threat intelligence active list when it tries to exploit a host with known vulnerabilities. Also, add the destination host asset IP address to the compromised host list for follow-up actions.

3. **Global Rule**: If an IP address appears on the suspicious IP address shortlist multiple times, it is added to the threat intelligence active list as a persistent threat requiring attention and further action.

4. **Kill Chain Benefits**:

  • Defined Threat Coverage: Defining use cases with the HP SIEM kill chain methodology helps specify threat vectors and ensures a layered security approach through a defense-in-depth strategy.

  • Reduction of False Positives: Using a kill chain reduces false positives because it considers ongoing events from other indicators of compromise throughout the chain, providing better situational awareness than standalone use cases or single event solutions.

  • Increased Coverage Over False Negatives: The HP SIEM kill chain methodology helps to filter out potential negative events and provides greater coverage over missed threats by continuously evaluating the various stages within a defined threat lifecycle.

5. **SIEM Kill Chain Methodology for Event Visualization**:

  • Identifying anomalies in event patterns through shortlisted events such as phishing emails with harmful attachments.

  • Analyzing these events quantitatively to assess the effectiveness of security controls like email gateways.

  • Reporting on key threat actors and focusing investment on areas needing improvement to enhance situational awareness continuously.

6. **Use Cases Generation**: The use cases generated from different kill chain phases can be reused across multiple phases for improved efficiency and flexibility in security operations, simplifying the process of creating new rules for dealing with emerging threats compared to traditional methods. This approach not only improves automated analytics but also supports manual efforts by security teams, leading to faster response times and better threat understanding throughout the incident response process (CIRT).

The use of a SIEM system with the HP SIEM kill chain methodology is beneficial in enhancing cybersecurity through defined threat coverage, reduction of false positives, and increased situational awareness.

Details:

The provided document is an analysis and scope outline for the generation of use cases within a larger project aimed at improving the SIEM capabilities of JN Data, utilizing HP Enterprise Security Products. The document outlines various aspects including version control, circulation, executive summary, use case listing, and specific details about each stage in the "kill chain" process used to model potential threats.

**Document Control:**

  • **Title:** JN Data Use Case Modelling Analysis v0.1

  • **Author:** Darren Humphries

  • **Update Details:** Includes who created it and when, as well as any previous versions if applicable.

**Executive Summary:**

  • The document serves as a part of the project to enhance the ArcSight SIEM capabilities of JN Data using HP Enterprise Security Products.

  • It emphasizes the importance of a risk-based approach in developing use cases to ensure coverage and mitigation strategies for business-related risks.

  • A maturity matrix is proposed to measure the effectiveness of use case development, suggesting areas that need improvement based on current security threat areas such as the perimeter and user identification, and noting how these apply to cloud service businesses and the limitations within such setups.

**Use Case Listing:**

  • The document categorizes potential threats into stages similar to a "kill chain" process:

  • **Reconnaissance External to inbound scan:** Involves detection of possible external reconnaissance activities targeting the host(s).

  • **Weaponization:** Development or preparation of the tools and techniques used in the attack, following reconnaissance.

  • **Delivery:** Includes various methods of deploying malicious software.

  • **Exploitation:** Focuses on exploiting vulnerabilities to gain unauthorized access.

  • **Actions on Objectives:** Involves further actions post exploitation, including data theft or disruption.

  • Each stage is detailed with specific actions that could be taken during these phases of a potential cyber attack.

This document aims to provide a structured approach for understanding and mitigating risks associated with various stages of a cyber threat, using HP's security practices and SIEM enhancements as part of the overall strategy against digital threats.

The business case review conducted by HP Professional Services for the partnership with JN Data, a managed service provider (MSP) specializing in data management and security solutions, has identified several key aspects concerning internal threats, business use cases, IPR leakage, malware, advanced persistent threats (APTs), financial issues, application layer context awareness, incident handling workflows, cross-device correlation, zero days, compliance, and SIEM (Security Information and Event Management) use case classification.

During the initial review of BEC (Business Execution Capability) customer use cases, no specific business use cases were identified but potential scenarios were noted. The use cases are undergoing a phased approach for further development and review. The analysis involves mapping these use cases against various categorizations including SIEM use case classification to assess context awareness and intrusion detection capabilities.

The review revealed that while there are limited cross-device correlation use cases, primarily related to physical versus logical access in buildings, there are no instances of Zero Day threats or Malware/Phishing/APT scenarios due to the reliance on Antivirus or Antimalware desktop software. Additionally, JN Data's BEC use cases did not involve an Intrusion Detection System, indicating a need for improvement in cross-device correlation and situational awareness.

The subjective analysis suggests that while there are limited use cases for cross-device correlation and detection of Zero Day threats or Malware/Phishing/APT incidents, the situation is somewhat mitigated by the presence of Antivirus or Antimalware software as standard practice. However, more robust incident handling workflows and compliance mechanisms could be beneficial to ensure comprehensive security measures are in place within the managed services provider framework.

The use case categorization highlights that while some physical access scenarios are considered due to limited application layer context awareness in cloud environments, there is a lack of advanced threat detection capabilities such as Malware, Phishing, and APTs unless supported by desktop software like Antivirus or Antimalware. This indicates the need for enhanced security measures including SIEM integration and improved incident handling processes to address these gaps effectively.

In conclusion, HP's review underscores that while JN Data operates primarily as a managed service provider with limited identified business use cases, there are significant gaps in advanced threat detection and cross-device correlation capabilities within their current cybersecurity framework. Enhancing the integration of Antivirus/Antimalware tools, improving incident handling workflows, and exploring SIEM system enhancements would be crucial steps for HP to consider in developing a more robust security strategy alongside JN Data as a customer.

The document outlines the concept of integrating use cases into a cyber kill chain framework for better situational awareness and cross-correlation of event data. This approach aims to enhance automated analytics by considering not only how to detect overlooked false negatives but also how to improve overall security operations in virtual security operation centers (vSOCs) where SIEM tooling is commonly used. The document suggests that with minor modifications, existing use cases can be adapted for this purpose, enabling better situational awareness and cross-correlation of event data points within the kill chain structure.
The cyber kill chain model helps to group disparate security events into a coherent context related to both the attacker's actions and the specific stages of an attack. This method encourages looking at network and host-based security events together, considering them as part of a unified analytic effort focused on understanding how attacks progress through various vectors and payload delivery profiles until they reach their final stage of compromise. By doing so, this approach seeks to provide more comprehensive analytics that not only find events missed by individual point solutions but also support the automation of analytical processes alongside manual human input when necessary.

The article discusses how Intrusion Detection Systems (IDS) are used to detect threats by identifying false positives, or events that do not actually represent a security incident. By grouping and analyzing these events as indicators of compromise, IDS can help reduce false negatives and improve detection accuracy. This process is often referred to as the "kill chain," where each stage represents a method an attacker might use to infiltrate a network, such as establishing a beachhead, downloading toolkits, collecting credentials, escalating privileges, and ultimately exfiltrating data. The article also highlights that while there has been significant focus on stopping an initial breach, less attention has been given to following through with a staged approach to compromise the organization. The kill chain model helps in understanding these multi-stage attacks more effectively by breaking down each phase described above: penetration of the perimeter, establishing connections for toolkits and payloads, lateral movement within the network, privilege escalation, and data exfiltration. Moreover, it points out that using this staged approach can be beneficial when creating use cases in Security Information and Event Management (SIEM) technology.

In standard SIEM practices, events are usually analyzed individually; however, by adopting a kill chain perspective, organizations can improve their security operations by focusing on the entire sequence of events leading to potential compromise. Overall, this article underscores the importance of understanding how attackers operate through various stages and using tools like IDS and SIEM systems to better detect and respond to these threats in a systematic way, rather than treating each event as an isolated incident.

The article discusses the use of a "kill chain" methodology in cybersecurity analysis to streamline event grouping and correlation. It highlights how Lockheed Martin's Cyber Kill Chain, the Malware Forensics kill chain as described by the SANS Institute, and the HP SIEM kill chain are utilized for this purpose. Each method has its distinct phases that help in analyzing events of interest or potential threats, such as reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on target stages. The article emphasizes the importance of using single individual use cases as indicators of compromise (IoCs) but acknowledges the need for manual human analytics to further review related events, which may be considered premature at times.

The article provides an overview of three different kill chain methodologies: Lockheed Martin's Cyber Kill Chain, the Malware Forensics kill chain by the SANS Institute, and the HP SIEM kill chain. It explains that while Lockheed Martin’s method is the most publicized, each has its own approach to analyzing events in a cybersecurity context. The phases of these methods include reconnaissance, weaponization, delivery, exploitation, installation, command and control, and action on target stages. Furthermore, the article points out that even though IoCs can be used as indicators for potential threats, further manual review is often necessary to confirm their validity. This helps in reducing the heavy burden of manually analyzing numerous related events by providing a structured approach through the kill chain methodology. Overall, this method provides a systematic way to categorize and correlate cybersecurity events more efficiently, helping organizations better understand and respond to potential risks.

Reconnaissance external to inbound scan, also known as non-intrusive intelligence gathering, involves actively reconnoitering a target network by scanning it from an outside source. This stage within malware forensics procedures assumes that reconnaissance scans can be detected as events in SIEM tooling. It encompasses various communication techniques such as slow scanning that doesn't trigger specific scanning discernible events in firewalls or intrusion prevention systems, traffic from bad or blacklisted host addresses, anomalous communications outside normal network profiles, and unusual geo-location sources.

Weaponization follows this stage by coupling a remote access trojan with an exploit to create a deliverable payload, often through automated tools like weaponizers, using files such as Adobe Portable Document Format (PDF) or Microsoft Office documents. In the context of the HP SIEM kill chain, weaponization is not typically considered part of practical use cases due to its dependence on third-party products for understanding known malicious binaries, which are covered in later aspects of the kill chain.

The article discusses various aspects of cyber attack delivery and exploitation processes within the context of Lockheed Martin's transmission stage for delivering weapons to a targeted environment, which includes email attachments, websites hosting malicious content, and USB removable media as the most common methods. It also explains how HP’s SIEM kill chain uses events and use cases to review potential payload delivery through spear phishing emails or exploiting browser vulnerabilities.
Exploitation in this context involves triggering an intruder's code after the weapon has been delivered to a victim's host, often targeting application or operating system vulnerabilities, but can also involve exploiting users directly or leveraging auto-executing code features within the OS. Installation of remote access trojans or backdoors enables continued presence within the environment post-exploitation. For detection and analysis from external to internal hosts during this stage, the article refers to the SANS Institute’s Malware Forensics methodology. It highlights that mechanisms search for events such as open service ports, malicious email attachments, infected P2P media files, or drive-by-download infections on malicious websites. Furthermore, HP's SIEM kill chain adapts methods from Lockheed Martin and the SANS Institute to integrate both direct exploitation through third party vendor products (like Intrusion Prevention Systems, Antivirus, and Antimalware) as well as less obvious changes in the host environment that might indicate an exploit attempt. This comprehensive approach aims to reduce false positives by using a filtered watch list based on specific use cases rather than treating every event as an alert.

The text discusses various stages in a hypothetical cyber attack, as seen through the lens of HP's SIEM (Security Information and Event Management) kill chain. Here’s a summarized breakdown of each stage:

1. **Process Manipulation**: This involves starting new processes and stopping existing ones within an operating system, which could disrupt normal functioning or allow for further manipulation.

2. **Communication Traffic**: External to inbound communications traffic refers to the movement of data towards the victim from external sources. It includes any form of communication that might involve sensitive information being transferred inwards.

3. **Correlated Information**: This involves using vulnerability, network, and asset models to gain a more comprehensive view of what is happening within an organization. The aim is to link different pieces of data together for better analysis and understanding.

4. **Installation and Persistence**: An adversary can install remote access trojans or backdoors on the victim's system to maintain their presence inside the network, allowing them to continue operations undetected.

5. **Binary Acquisition**: After a host is compromised, malware communicates with an external source to download malicious payloads onto the infected machine. In some cases, this involves exploiting vulnerabilities on Windows systems through ports like TCP 135 (DCE/RPC).

6. **Binary Installation and Detection**: This stage focuses on detecting unusual additions of binaries that might be either unknown or malicious, as traditional security tools like antivirus may not detect them. It includes looking at heuristic events such as changes in registry settings, increased process count, or termination of protection software services.

7. **Command and Control (C&C)**: Compromised hosts must establish a connection with an Internet controller server to maintain control over the target environment. This is crucial for advanced persistent threats that often require manual interaction rather than running automatically.

8. **Internal to External C&C Communication**: Once inside, compromised systems communicate back to the attacker's server to receive updates or commands, which is a critical part of maintaining their presence and control over the network.

Each stage represents a step in the life cycle of an attack as described by HP's SIEM kill chain, highlighting the importance of continuous monitoring and analysis to prevent cyber threats effectively.
The HP SIEM kill chain methodology, akin to Lockheed Martin's Cyber Kill Chain and the SANS malware forensics techniques, focuses on identifying command and control (C2) transactions through analysis of source-to-destination communication, which involves recognizing web sites and IP addresses used by attackers for malicious communications. To combat this, HP recommends a blacklisting strategy that targets the domains attackers use to communicate with their malware. Despite some legitimate sites being compromised, most are new domain registrations specifically for C2 purposes. Advanced persistent threats are less likely to be found in public blacklists, so HP suggests using white lists and asset models based on expected behaviors for detection of deviations.

In the later stages of the Lockheed Martin methodology, after the initial phases, attackers may take actions that align with their objectives. Data exfiltration is a common objective, involving collection, encryption, and extraction of information from victim environments or violations of data integrity/availability. Alternatively, attackers might use compromised systems as stepping stones to further network intrusions. The malware kill chain describes the progression where infected hosts become part of a botnet, actively scanning external victims for infection spread. This phase is crucial in understanding how malware spreads and evades detection within networked environments.

The HP SIEM (Security Information and Event Management) Kill Chain is a model that outlines the progression of cyber attacks through various stages, providing a structured approach for security analysts to identify and respond to potential threats. Here's a summary of each stage as described by the HP SIEM kill chain:

1. **Internal Reconnaissance**: This phase involves reviewing events from a compromised host to profile the network in search of other vulnerable targets or to locate important data. Common tools used include netstat for examining network connections, and looking for signs of beaconing, which indicates communication between the compromised host and external servers.

2. **Lateral Movement**: In this stage, the attacker uses various methods to move from one compromised host to another within the network. This includes using command line tools like netlogin, accessing remote registry or WMI for configuration settings, editing group policies remotely, and establishing session communications such as file sharing, RDP (Remote Desktop Protocol), SSH (Secure Shell), and HTTPS connections.

3. **Establish Persistence**: Once the attacker has gained access to multiple hosts within the network without being detected, they aim to establish a long-term presence by investing in stealth techniques. This stage involves covert communication between internal hosts and external servers, spawning new services on internal networks that should not support such connections, discovering unknown processes across various hosts, and adding new binaries to the compromised host.

4. **Exfiltration**: The final stage of the HP SIEM kill chain is about actively stealing data from the network and transferring it out. This involves monitoring for events where sensitive information might be stolen or transferred, such as using common command line tools in Windows and Unix systems to extract data before sending it off-site through protocols like HTTPS.

Each phase has specific use cases that help security teams understand the tactics used by attackers and enable them to implement appropriate preventive measures and response strategies. In cybersecurity, attackers often encrypt sensitive data before transferring it out, which can be detected through network communication spikes that are unusual compared to normal operations. An example of this is the HP SIEM Kill Chain Phishing Use Case.
This use case involves filtering and correlating events related to suspicious activities like phishing attacks, such as malicious emails containing harmful attachments or URLs. The purpose of using a kill chain in security analysis is to reduce false positives by focusing on specific, high-interest events while also providing context for reviewing ignored events that might be missed by automated systems. In the case of HP SIEM, when an email with potential malware reaches a host, it would typically be quarantined by tools like desktop antivirus software. However, hidden threats within the network may go undetected unless specific rules are set up to identify and flag such anomalies during reconnaissance or external communication from compromised hosts.

The example provided outlines how HP SIEM can be used in a kill chain for phishing attacks:

1. Identify an increase in malicious emails targeting specific employees, which often include harmful attachments or links.

2. Define rules that trigger on emails containing suspicious file types and coming from untrusted sources (like email addresses not on the trusted list or internal IP addresses).

3. Monitor network communications to detect spikes of anomalous activity indicating potential malware transfer.

4. Use these rules to shortlist events for further analysis, focusing on emails with harmful attachments that might be transmitted during phishing attacks.

5. Set up alerts and automated responses based on identified threats using the SIEM system's capabilities to manage security incidents more efficiently.

This use case effectively leverages HP SIEM's features to detect and respond to sophisticated cyber threats such as phishing, enhancing the overall network security posture against potential data breaches and unauthorized access attempts.

The document outlines a multi-stage cybersecurity approach involving different kill chain stages, each with specific rules designed to identify and respond to potential threats. Here's a summary of the key points from the text:

1. **Attack Delivery (Initial Access)**: Focuses on email attachments that could be harmful but are commonly used for business, such as Excel, Word documents, JPEG images, PDF files, audio files, and video files. The source IP address is added to "shortlist1" whenever an attachment from these file types is opened.

2. **Host Exploitation and Binary Installation**: Addresses events related to antivirus or anti-malware software failures, where the source IP address is added to a compromised host active list. A cross-correlation rule detects if the same IP address appears on shortlist1, which would also trigger an alert for that IP address being associated with a compromised host. Specific rules include:

  • Rule 1: Registry changes in start locations like \Runonce.

  • Rule 2: Spawning of new unknown processes.

  • For these rules, the source IP is added to shortlist1.

3. **Command and Control (Continuation of Compromise)**: This stage involves checking if a source IP address communicates with known malicious command and control servers. If detected, an incident alert is raised, and the IP address is added to the compromised active list.

4. **Local Compromise**: Rules in this section are designed to detect local operating system anomalies:

  • Rule 1: Creation of local accounts.

  • Rule 2: Actions that escalate privileges.

  • Rule 3: Changes in group policy settings.

  • Rule 4: Termination of antivirus or anti-malware processes.

For these rules, the source IP address is added to "shortlist2".

Overall, this document provides a structured way to correlate various events and data points related to potential threats, using defined stages and specific rules to add IP addresses to shortlists for further investigation and response.

The provided text describes a method for detecting network anomalies and potential security incidents within a system, specifically focusing on two stages of the kill chain methodology: Internal Reconnaissance and Lateral Movement.

For Internal Reconnaissance, the process involves creating rules to analyze network communications based on IP addresses that have been added to either Shortlist1 or Shortlist2. The rules are designed to identify anomalies in peer-to-peer communications, HTTPS interactions not supported by corporate services, beaconing activities attempting unauthorized internet access, and repeated internal zone communication attempts. When these conditions are met for an IP address present on either shortlist, it triggers the creation of a new incident alert, which also adds the IP to the compromised host asset list.

In the Lateral Movement stage, similar rules are applied but focus more specifically on event transactions between devices rather than just communications. These include monitoring Windows program audit events related to netstat and psexec usage, as well as logon, remote registry, WMI, and policy editor events. Similar to the Internal Reconnaissance phase, any IP address appearing multiple times on Shortlist2, or upon first appearance on Shortlist1, is flagged as an incident alert, adding the IP to the compromised host asset list. The rules are designed to enhance security by detecting potential unauthorized access and lateral movement within a network, ensuring that any suspicious activity can be promptly identified and responded to.
The process outlined involves several steps designed to identify and respond to potential cyber threats during different stages of an attack lifecycle, commonly referred to as the "kill chain." This strategy focuses on persistence within a network and subsequent data exfiltration.

1. **Establish Persistence**: In this phase, which occurs after initial access is gained, the focus shifts to maintaining a presence in the compromised environment. The following rules are used to detect anomalies:

  • Rule 1: Monitors changes to Windows file and folder access policies, indicating potential persistence or unauthorized modifications.

  • Rule 2: Detects internal communications between hosts within the same network on unknown channels, which could be a sign of further compromise or data exfiltration attempts.

  • Rule 3: Identifies large-scale downloads from external hosts that are not typically visited, suggesting possible data theft and persistence activities. Special attention is given to Netflow event anomalies as they may indicate unusual internet activity.

Any suspicious activity detected through these rules leads to the addition of the source IP address to a shortlist for further investigation. If multiple alerts come from the same IP, it is flagged as an incident alert, and the host is added to a list of compromised assets.

2. **Stage and Exfiltration**: In this stage, the focus shifts to consolidating stolen data and transferring it out of the network. The rules used in this phase include:

  • Rule 1: Monitors Windows program audit events for signs of unauthorized backup tools like NTbackup, flagging potential exfiltration activities.

  • Rule 2: Checks registry accesses specifically at HKLM\System\CurrentControlSet\Control\Lsa related locations known to be associated with system security data (SAM file), raising alerts if accessed.

  • Rule 3: Tracks file movements across network shares as an indicator of data transfer and persistence within the network.

Correlating these events, especially those involving movement from network shares and changes in folder permissions, is crucial for detecting ongoing exfiltration activities. Any such anomalies are added to shortlist 2, which triggers further investigation into potential breaches or unauthorized access. Overall, this process leverages a combination of system monitoring, event correlation, and anomaly detection to identify sophisticated cyber threats that may not be immediately apparent through traditional security measures.

The text outlines a process used in detecting potential security threats, particularly phishing attacks, through the HP SIEM Kill Chain. It involves creating shortlists based on specific criteria such as IP addresses and email activities that might indicate a compromise. These shortlists are used to correlate events related to sensitive information storage, unknown email recipients, multiple large attachments sent via email within one day, and trusted alerts from host malware software. When these potential threats repeatedly appear in the shortlist across different phases of the kill chain, they lead to incident generation, which is indicated by grey lines on a diagram. High-certainty events like alerts from host malware raise red alert lines, leading to an addition to a compromised host list. This list helps security operations quickly identify if a host has multiple indicators of compromise throughout the entire kill chain. The shortlists can also be reviewed to check for additional non-compromise event indicators, providing more insight into the scale and nature of the incident. The process aims to enhance understanding and inform mitigation actions based on these findings.
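The phase-by-phase shortlist logic of the phishing use case (attachment events feeding shortlist1, local compromise and staging events feeding shortlist2, the antivirus-failure cross-correlation, and the Internal Reconnaissance and Lateral Movement rules that only fire for hosts already on a shortlist) can be made concrete in a small correlation routine. The Python below is an added example written for this page, not code from the JN Data document or from any HP product. The event category names, the rule table and the sample event stream are constructed for illustration, and the code keeps simple appearance counts rather than the time-limited active lists a production SIEM would use.

```python
"""Added example: table-driven multi-phase correlation for the phishing use case.
Rule table, event categories and sample events are constructed for illustration."""
from collections import defaultdict

# (kill chain phase, event category) -> list the source host lands on.
# "compromised" marks high-certainty events that go straight to the compromised host list.
RULES = {
    ("delivery", "attachment_opened"): "shortlist1",
    ("exploitation", "av_failure"): "compromised",
    ("exploitation", "runonce_modified"): "shortlist1",
    ("exploitation", "unknown_process"): "shortlist1",
    ("c2", "known_c2_contact"): "compromised",
    ("local_compromise", "local_account_created"): "shortlist2",
    ("local_compromise", "privilege_escalation"): "shortlist2",
    ("local_compromise", "group_policy_change"): "shortlist2",
    ("local_compromise", "av_process_killed"): "shortlist2",
    ("staging", "ntbackup_run"): "shortlist2",
    ("staging", "lsa_registry_access"): "shortlist2",
    ("staging", "share_file_move"): "shortlist2",
}

# Phases whose events only count for hosts that an earlier phase already shortlisted.
GATED = {
    "internal_recon": {"p2p_anomaly", "unsupported_https", "beaconing", "internal_zone_sweep"},
    "lateral_movement": {"psexec_audit", "netstat_audit", "remote_registry", "wmi_access", "policy_editor"},
}


class PhishingChain:
    def __init__(self):
        self.shortlist1 = defaultdict(int)   # host -> number of appearances
        self.shortlist2 = defaultdict(int)
        self.compromised = {}                # host -> set of phases with an incident
        self.incidents = []                  # (phase, host, reason)

    def _incident(self, phase, host, reason):
        self.compromised.setdefault(host, set()).add(phase)
        self.incidents.append((phase, host, reason))

    def process(self, phase, category, host):
        if phase in GATED:
            if category not in GATED[phase]:
                return
            on1, on2 = self.shortlist1[host], self.shortlist2[host]
            # Internal reconnaissance: any host on either shortlist becomes an incident.
            if phase == "internal_recon" and (on1 or on2):
                self._incident(phase, host, category)
            # Lateral movement: first appearance on shortlist1, or a repeat on shortlist2.
            elif phase == "lateral_movement" and (on1 >= 1 or on2 >= 2):
                self._incident(phase, host, category)
            return
        target = RULES.get((phase, category))
        if target is None:
            return                           # not part of the use case: ignored
        if target == "compromised":
            self._incident(phase, host, category)
        elif target == "shortlist1":
            self.shortlist1[host] += 1
        else:
            self.shortlist2[host] += 1
        # Cross-correlation: an antivirus failure on a host that already opened a
        # suspicious attachment links the delivery and exploitation phases.
        if category == "av_failure" and self.shortlist1[host]:
            self.incidents.append((phase, host, "av_failure_after_delivery"))

    def kill_chain_coverage(self):
        """Hosts with incidents in more than one phase, widest coverage first."""
        multi = [(h, sorted(p)) for h, p in self.compromised.items() if len(p) > 1]
        return sorted(multi, key=lambda item: -len(item[1]))


# Constructed event stream: (phase, category, source host)
SAMPLE_EVENTS = [
    ("delivery", "attachment_opened", "10.0.0.5"),
    ("exploitation", "av_failure", "10.0.0.5"),            # follows delivery: cross-correlated
    ("delivery", "attachment_opened", "10.0.0.6"),         # a routine document, nothing further
    ("local_compromise", "av_process_killed", "10.0.0.7"),
    ("internal_recon", "beaconing", "10.0.0.5"),           # host is on shortlist1: incident
    ("internal_recon", "beaconing", "10.0.0.8"),           # host on no shortlist: ignored
    ("lateral_movement", "psexec_audit", "10.0.0.7"),      # only once on shortlist2: no incident yet
    ("local_compromise", "local_account_created", "10.0.0.7"),
    ("lateral_movement", "wmi_access", "10.0.0.7"),        # second shortlist2 hit: incident
    ("staging", "lsa_registry_access", "10.0.0.5"),
    ("c2", "known_c2_contact", "10.0.0.5"),
]


def run_demo(events=SAMPLE_EVENTS):
    chain = PhishingChain()
    for phase, category, host in events:
        chain.process(phase, category, host)
    return chain


if __name__ == "__main__":
    demo = run_demo()
    for incident in demo.incidents:
        print("INCIDENT", *incident)
    print("multi-phase hosts:", demo.kill_chain_coverage())
```

Running the sample stream, host 10.0.0.5 accumulates incidents in the exploitation, internal reconnaissance and command-and-control phases and is the only host `kill_chain_coverage()` reports, while the beaconing event from 10.0.0.8 is discarded because no earlier phase had put that host on a shortlist. That gating is what the text means by reviewing ignored events in context rather than alerting on each one.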
In summary, this method is a structured way to track potential security threats using predefined criteria that are applied across different phases of an attack detection model (the HP SIEM Kill Chain), aiming to provide detailed insights into compromised hosts through multiple indicators of compromise.

The provided text discusses a risk related to perimeter attacks targeting DMZ (Demilitarized Zone) hosts, which could lead to unauthorized access to higher-value assets within the network through lateral movement. This risk is identified through penetration test reports and requires mitigation by leveraging existing SIEM (Security Information and Event Management) technology and the Security Operations department. The solution should focus on a layered security approach due to varying levels of security controls across different asset types in the DMZ, which are either low-value or high-value assets. Key aspects include:

1. Risk identification: Perimeter attacks can lead to unauthorized access from compromised low-value DMZ hosts to higher-value internal network assets through lateral movement.

2. Mitigation strategy: Using SIEM technology and Security Operations to implement layered security, focusing on the DMZ where segregation weaknesses exist.

3. Control usage: Basic controls such as Firewall, Intrusion Prevention System (IPS), and Antivirus are recommended for all assets in the DMZ.

4. Use of rules for event detection: Specific rules should be defined to detect anomalies or unauthorized communications from external sources, including TCP/UDP connections with anomaly characteristics like SYN, FIN, RST packets, as well as network scans. These rules will apply across both firewall and IPS systems.

This approach aims to address the risk without incurring additional costs for high-value assets by focusing on cost-effective solutions within the existing technological environment.
The perimeter phase monitors network traffic for known-bad IP addresses and uses the IPS to identify attempts to exploit DMZ systems or reach sensitive assets. The key points:

1. **Detection**: an IP address on the threat intelligence active list that connects to a DMZ asset raises an event of interest, and the IP is added to the suspicious IP address shortlist for review.
2. **Short-term filtering**: entries on the suspicious IP address shortlist have a limited lifetime, so a single hit that is not repeated ages out; this is what filters false positives.
3. **Long-term active list**: an IP address that appears on the suspicious IP address shortlist more than once is added to the threat intelligence active list for longer-term monitoring and management.
4. **Rules for event creation**:

  • **Rule 1**: Add the source IP address of any host that attempts to exploit a system, as reported by the IPS, to the suspicious IP address shortlist. The IP goes to the shortlist first, rather than straight to an alert, to allow for false positives.

  • **Rule 2**: Alert if the source IP attempts to exploit a sensitive or priority asset, as defined in the company's asset model; the alert goes to manual analysis because of the asset's priority.

  • **Rule 3**: Raise an alert and add the source IP address to the threat intelligence active list when it attempts to exploit a host with a known vulnerability matching the attempt. Also add the destination host's IP address to the compromised host list for follow-up.

5. **Global rule**: if an IP address appears on the suspicious IP address shortlist more than once, it is added to the threat intelligence active list as a persistent threat requiring attention. Together these rules identify genuine attempts quickly while letting one-off false positives expire, so analyst time is spent where it matters.

For the later kill-chain phase, when a compromised host calls out, the document adds one rule: if outbound communication from a source host is seen, via firewall or NetFlow, to an IP address on the threat intelligence active list, raise an alert and add the source host's IP address to the compromised host list. All the earlier rules remain in force as indicators of compromise.

The document then contrasts this with standalone use cases. The kill chain improves security by providing defined threat coverage, reducing false positives and increasing situational awareness, instead of relying on single-event solutions such as an IPS or antivirus/anti-malware alone. The benefits listed are:

1. **Defined threat coverage**: defining use cases with the HP SIEM kill chain methodology forces the threat vectors to be specified and gives a layered, defense-in-depth approach.
2. **Reduction of false positives**: a kill chain considers ongoing events and other indicators of compromise along the chain, giving better situational awareness than standalone use cases or single-event detections.
3. **Increased coverage over false negatives**: the methodology evaluates events across every stage of a defined threat lifecycle, so threats that one control misses are more likely to be caught at another stage.
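To make the perimeter-phase rules concrete, here is an added example that is not code from the original document or from HP ArcSight. It models the suspicious IP shortlist and the threat intelligence active list as time-bounded active lists, then runs Rule 1, Rule 2, Rule 3, the global rule and the outbound-to-threat-intel rule over a constructed event stream. The TTL values, the promotion threshold, the asset model, the vulnerability identifiers (`vuln-web-01`, `vuln-other`) and every event are assumptions chosen so that each rule fires once and one false positive ages out of the shortlist.

```python
"""Perimeter-phase correlation with active lists.

Added example for this page; not code from the original document or from
HP ArcSight. The active-list TTLs, promotion threshold, asset model,
vulnerability identifiers and every event below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SHORTLIST_TTL = 3600            # suspicious-IP entries age out after 1 hour (assumption)
THREAT_INTEL_TTL = 30 * 86400   # threat-intel entries live for 30 days (assumption)
PROMOTE_AFTER = 2               # "appears on the shortlist more than once"


class ActiveList:
    """Keyed list whose entries expire after `ttl` seconds.

    Every addition of a key is timestamped; lookups drop timestamps older
    than the TTL, so count() is the number of additions still in the window.
    """

    def __init__(self, ttl: int, seed: Optional[Dict[str, int]] = None) -> None:
        self.ttl = ttl
        self._hits: Dict[str, List[int]] = {k: [t] for k, t in (seed or {}).items()}

    def _live(self, key: str, now: int) -> List[int]:
        hits = [t for t in self._hits.get(key, []) if now - t < self.ttl]
        if hits:
            self._hits[key] = hits
        else:
            self._hits.pop(key, None)
        return hits

    def add(self, key: str, now: int) -> None:
        hits = self._live(key, now)
        hits.append(now)
        self._hits[key] = hits

    def count(self, key: str, now: int) -> int:
        return len(self._live(key, now))

    def contains(self, key: str, now: int) -> bool:
        return self.count(key, now) > 0

    def keys(self, now: int) -> Set[str]:
        return {k for k in list(self._hits) if self.contains(k, now)}


@dataclass
class Asset:
    ip: str
    zone: str                                      # "dmz" or "internal"
    priority: bool = False                         # sensitive/priority asset in the asset model
    vulns: Set[str] = field(default_factory=set)   # known vulnerabilities from scanning


@dataclass
class Event:
    ts: int
    device: str     # "ips", "firewall" or "netflow"
    src: str
    dst: str
    category: str   # "exploit" or "connection"
    vuln: str = ""  # vulnerability the IPS signature targets, if any


def correlate(events: List[Event], assets: Dict[str, Asset],
              threat_seed: Dict[str, int]) -> Dict[str, object]:
    """Apply the perimeter-phase rules to events in time order."""
    suspicious = ActiveList(SHORTLIST_TTL)
    threat_intel = ActiveList(THREAT_INTEL_TTL, seed=threat_seed)
    compromised: Set[str] = set()
    alerts: List[Tuple[str, int, str, str]] = []
    now = 0
    for ev in sorted(events, key=lambda e: e.ts):
        now = ev.ts
        dst_asset, src_asset = assets.get(ev.dst), assets.get(ev.src)
        shortlist_src = False
        # Event of interest: a known-bad IP touches a DMZ asset.
        if dst_asset and dst_asset.zone == "dmz" and threat_intel.contains(ev.src, now):
            shortlist_src = True
        if ev.device == "ips" and ev.category == "exploit" and dst_asset:
            shortlist_src = True                      # Rule 1: shortlist first, may be a false positive
            if dst_asset.priority:                    # Rule 2: priority asset -> manual analysis
                alerts.append(("rule2", now, ev.src, ev.dst))
            if ev.vuln and ev.vuln in dst_asset.vulns:  # Rule 3: target is known to be vulnerable
                alerts.append(("rule3", now, ev.src, ev.dst))
                threat_intel.add(ev.src, now)
                compromised.add(ev.dst)
        # Later phase: one of our hosts talks outbound to a threat-intel IP.
        if ev.device in ("firewall", "netflow") and src_asset and threat_intel.contains(ev.dst, now):
            alerts.append(("outbound", now, ev.src, ev.dst))
            compromised.add(ev.src)
        if shortlist_src:
            suspicious.add(ev.src, now)
            if suspicious.count(ev.src, now) >= PROMOTE_AFTER:  # global rule: repeat -> threat intel
                threat_intel.add(ev.src, now)
    return {"alerts": alerts, "suspicious": suspicious.keys(now),
            "threat_intel": threat_intel.keys(now), "compromised": compromised}


# Constructed asset model, seed list and events (all assumptions).
ASSETS = {
    "203.0.113.10": Asset("203.0.113.10", "dmz", vulns={"vuln-web-01"}),  # DMZ web server
    "203.0.113.20": Asset("203.0.113.20", "dmz", priority=True),           # DMZ mail relay
    "10.0.0.5": Asset("10.0.0.5", "internal", priority=True),              # internal database
}
THREAT_SEED = {"198.51.100.7": 0}
SAMPLE_EVENTS = [
    Event(100, "ips", "192.0.2.50", "203.0.113.10", "exploit", vuln="vuln-other"),
    Event(200, "firewall", "198.51.100.7", "203.0.113.10", "connection"),
    Event(900, "ips", "192.0.2.50", "203.0.113.20", "exploit"),
    Event(5000, "ips", "192.0.2.99", "203.0.113.10", "exploit", vuln="vuln-web-01"),
    Event(5100, "netflow", "203.0.113.10", "192.0.2.99", "connection"),
    Event(5200, "netflow", "10.0.0.5", "192.0.2.50", "connection"),
    Event(9000, "ips", "192.0.2.77", "203.0.113.10", "exploit"),
    Event(13000, "ips", "192.0.2.77", "203.0.113.10", "exploit"),  # repeat after TTL: not promoted
]


def run_example() -> Dict[str, object]:
    return correlate(SAMPLE_EVENTS, ASSETS, THREAT_SEED)


if __name__ == "__main__":
    result = run_example()
    for alert in result["alerts"]:
        print("ALERT", *alert)
    print("threat intel:", sorted(result["threat_intel"]))
    print("compromised :", sorted(result["compromised"]))
    print("suspicious  :", sorted(result["suspicious"]))
```

Running it shows the intended behaviour: 192.0.2.50 is shortlisted twice inside the TTL and promoted by the global rule, 192.0.2.99 is promoted directly by Rule 3, the two outbound connections to those addresses mark the web server and the database as compromised, and 192.0.2.77's second probe arrives after its first shortlist entry has expired, so it stays a single unconfirmed hit.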
A SIEM following the kill-chain methodology also helps correlate events that are routinely ignored because of their volume or their false-positive rate. Rules that post-correlate such events across the kill chain let Security Operations fold them into actionable use cases instead of discarding them, which is what reduces false negatives (events of interest that would otherwise be missed). The resulting situational awareness improves automated analytics and supports manual analysis by the Computer Incident Response Team (CIRT), giving faster response and a better understanding of the threat throughout incident handling.

The same shortlists support visualization. Because they carry contextual fields (IP addresses, sender and recipient, attachment names), they can be fed directly into visual tools. The document's example filters events for users who received mail from untrusted senders with potentially dangerous attachments; knowing how many people received a given attachment lets Security Operations advise those recipients not to open it, an informed action taken from visualized indicators.

HP ArcSight pattern discovery, used together with the kill-chain methodology, extends this by finding anomalies in the patterns of shortlisted events such as phishing emails with harmful attachments. Counting these events quantitatively measures the effectiveness of controls such as the email gateway, supports reporting on key threat actors, and directs investment to the areas that need improvement, so situational awareness improves continuously. Use cases built for one kill-chain phase can be reused in other phases, which aligns each phase with specific security controls whose effectiveness can be measured and adapted as threats change. Reusable use cases also make writing rules for emerging threats quicker and cheaper than building each new use case from scratch.
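The email-phase shortlists described above (recipients of attachments from untrusted senders, and a user sending multiple large attachments within one day) are straightforward aggregations over mail-gateway events. The following is an added example, not code from the original document or from HP ArcSight: it parses a constructed gateway log, builds the attachment-to-recipients shortlist that the visualization paragraph describes, and applies the large-attachment-per-day exfiltration indicator. The log format, the trusted-domain list, the 5 MB size threshold, the per-day limit and every sample message are assumptions.

```python
"""Email-phase shortlists: attachment recipients and large-attachment exfiltration.

Added example for this page; not code from the original document or from
HP ArcSight. Log format, trusted domains, thresholds and sample rows are
constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Tuple

TRUSTED_DOMAINS = {"example.com", "partner.example"}  # own domain plus known partners (assumption)
LARGE_ATTACHMENT = 5_000_000   # bytes; what counts as "large" for the exfiltration rule (assumption)
MAX_LARGE_PER_DAY = 2          # more large outbound attachments than this in one day is suspicious

# Constructed mail-gateway log: ISO timestamp, direction, sender, recipient, attachment, size.
SAMPLE_LOG = """\
ts,direction,sender,recipient,attachment,size_bytes
2025-04-08T08:02:00,inbound,billing@mail.example.net,alice@example.com,invoice_0408.zip,240000
2025-04-08T08:03:00,inbound,billing@mail.example.net,bob@example.com,invoice_0408.zip,240000
2025-04-08T08:03:30,inbound,billing@mail.example.net,carol@example.com,invoice_0408.zip,240000
2025-04-08T09:10:00,inbound,hr@partner.example,alice@example.com,benefits_2025.pdf,900000
2025-04-08T10:00:00,inbound,news@mail.example.net,dave@example.com,,0
2025-04-08T11:00:00,outbound,bob@example.com,drop@free-mail.example,q1_customers.xlsx,8000000
2025-04-08T11:05:00,outbound,bob@example.com,drop@free-mail.example,q2_customers.xlsx,9000000
2025-04-08T11:09:00,outbound,bob@example.com,drop@free-mail.example,archive.7z,25000000
2025-04-08T12:00:00,outbound,alice@example.com,hr@partner.example,slides.pptx,12000000
2025-04-09T09:00:00,outbound,bob@example.com,drop@free-mail.example,q3_customers.xlsx,7000000
"""


def parse_log(text: str) -> List[dict]:
    """Read the CSV log into dicts, converting the size field to an integer."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["size_bytes"] = int(r["size_bytes"])
    return rows


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def untrusted_attachment_recipients(rows: List[dict]) -> Dict[str, List[str]]:
    """Shortlist: inbound mail carrying an attachment from outside the trusted domains.

    Returns attachment name -> sorted recipients, the list Security Operations
    would use to warn users not to open the file.
    """
    recipients: Dict[str, set] = defaultdict(set)
    for r in rows:
        if r["direction"] != "inbound" or not r["attachment"]:
            continue
        if sender_domain(r["sender"]) in TRUSTED_DOMAINS:
            continue
        recipients[r["attachment"]].add(r["recipient"])
    return {name: sorted(rcpts) for name, rcpts in recipients.items()}


def large_outbound_by_day(rows: List[dict]) -> Dict[Tuple[str, str], Tuple[int, int]]:
    """Exfiltration indicator: large outbound attachments per sender per calendar day.

    Returns (sender, day) -> (count, total_bytes), only where count exceeds
    MAX_LARGE_PER_DAY; the day is taken from the ISO timestamp's date part.
    """
    per_day: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for r in rows:
        if r["direction"] == "outbound" and r["size_bytes"] >= LARGE_ATTACHMENT:
            per_day[(r["sender"], r["ts"][:10])].append(r["size_bytes"])
    return {key: (len(sizes), sum(sizes))
            for key, sizes in per_day.items() if len(sizes) > MAX_LARGE_PER_DAY}


def run_example() -> Dict[str, object]:
    rows = parse_log(SAMPLE_LOG)
    return {"phishing": untrusted_attachment_recipients(rows),
            "exfil": large_outbound_by_day(rows)}


if __name__ == "__main__":
    out = run_example()
    for name, rcpts in out["phishing"].items():
        print(f"untrusted attachment {name!r} reached {len(rcpts)} users: {', '.join(rcpts)}")
    for (sender, day), (n, total) in out["exfil"].items():
        print(f"{sender} sent {n} large attachments ({total} bytes) on {day}")
```

On the sample log the phishing shortlist reports `invoice_0408.zip` reaching three users (the partner's PDF is excluded because the sender domain is trusted, and the newsletter has no attachment), and the exfiltration rule flags only bob on 2025-04-08, since alice's single large file and bob's next-day message both stay within the per-day limit. Either result can be plotted or grouped further in a dashboard, which is the visualization use the text describes.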

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If there are any comments or feedback, kindly leave a message and it will be responded to.
