Modifications of HP SIEM Kill Chain Version 1.0
- Pavan Raja

- Apr 8, 2025
- 18 min read
Summary:
The passage provided outlines a comprehensive approach to security operations using the HP SIEM (Security Information and Event Management) tool, specifically through its kill chain methodology. This methodology is designed to enhance threat detection, response, and situational awareness by defining use cases that correlate events across different stages of an attack, from initial compromise to exfiltration.
### Key Points Highlighted in the Passage:
1. **Use Case Definition**: The HP SIEM kill chain methodology involves creating defined use cases for various stages of a potential cyber-attack. These use cases help in identifying and addressing multiple threat vectors through a layered security approach, ensuring that several layers of protection are in place. This method contributes to better understanding and coverage of potential threats across different stages.
2. **Reduction of False Positives**: By incorporating events into use cases through the kill chain methodology, false positives are reduced as these events are continuously evaluated for indicators of compromise. This process ensures that only true threats trigger alerts, thus minimizing unnecessary alarms that could be considered false positives.
3. **Enhanced Coverage Over False Negatives**: The methodology helps in reducing false negatives by ensuring that important events of interest are not overlooked or misclassified. By correlating events across different stages, valuable information about initial attack vectors is preserved and not lost during automated and manual analyses.
4. **Situational Awareness and Quick Response**: Through the use of visualisation tools and contextualized shortlists, HP SIEM allows for better understanding of threat indicators throughout the kill chain. This leads to quicker responses and focus on actionable incidents rather than mere events of interest.
5. **Example Application in Threat Detection**: The passage provides an example where an email containing a potentially dangerous attachment was filtered using specific values such as source IP address, receiver email address, sender email address, and email attachment name. This data is crucial for reporting, dashboards, and event graphs, enabling visualization of how many people received the attachment and informed actions like not opening attachments or blacklisting senders to prevent further attacks.
6. **Metrics and Continuous Improvement**: The passage highlights that by leveraging the HP SIEM kill chain methodology, organizations can gain metrics and continuous improvement based on quantifiable analysis and actionable insights. This approach allows for the reuse of use cases across different phases of the kill chain, making it easier to adapt to new threat vectors with less overhead.
### Conclusion:
The passage underscores the effectiveness of using the HP SIEM kill chain methodology in enhancing security operations by improving coverage over false positives and negatives, providing greater situational awareness, and enabling quicker responses through actionable insights. This approach not only aids in detecting potential threats more effectively but also guides investments in improving security measures with a focus on quantifiable outcomes.
Details:
This document outlines HP's SIEM (Security Information and Event Management) Kill Chain methodology, which aims to enhance cybersecurity analysis by integrating various security events into a coherent framework focused on attacker behavior. The kill chain method involves grouping disparate security events based on attack vectors, payload delivery profiles, and intrusion compromise behaviors. By "chaining" these events together, the methodology helps reduce false negatives and noise in event data, leading to more accurate threat detection and improved overall security analytics.
The article discusses the concept of a "kill chain" in cybersecurity, particularly as it relates to Security Information and Event Management (SIEM) systems. It highlights that traditional SIEM tools often rely on single use cases for indicators of compromise, which can lead to false positives and premature alerts due to insufficient correlation and analysis.
The kill chain approach suggests a multi-stage methodology followed by attackers during cyber attacks:
1. Initial breach: The attacker gains access inside the network through a perimeter breach.
2. Establishing a beachhead: Once inside, the attacker sets up a foothold within the network.
3. Moving laterally: This involves exploring and collecting resources across the network to gather more credentials or privileges.
4. Collecting data: The attacker focuses on gathering sensitive information.
5. Exfiltration: Finally, they transfer the stolen data out of the target organization's systems.
The article argues that using a kill chain approach in SIEM use cases can improve situational awareness by allowing for better post-correlation analysis of events related to potential compromises like command and control or data exfiltration. This helps in defining exact stages of compromise more accurately, reducing false positives and providing a clearer picture of the attack progression within an organization's network.
In conclusion, adopting a kill chain approach enhances SIEM systems' ability to handle large volumes of events by grouping and correlating them post-incident, thereby improving the detection and response capabilities against sophisticated cyber threats that follow a structured multi-stage approach.
The article discusses the application of different "kill chains" for analyzing cybersecurity events, each with its own methodology and purpose. It starts by introducing Lockheed Martin's well-known Cyber Kill Chain, which is used as a foundation for HP's ArcSight SIEM capabilities to enhance their event analysis processes. Three main kill chain methodologies are discussed:
1. **Lockheed Martin Cyber Kill Chain**: This method begins with reconnaissance, in which the attacker researches, identifies and selects targets by gathering information through non-intrusive means such as crawling websites for details like email addresses, social relationships, or specific technology information.
2. **Malware Forensics Kill Chain**: Described by the SANS Institute, this methodology begins with an external-to-inbound scan phase; because this reconnaissance actively probes the target network, it is assumed that any such scan is detectable and will surface as an event.
3. **HP SIEM Kill Chain**: This method is used to describe security events within specific stages for intelligence and use case development. It also helps in understanding risks associated with particular areas within the kill chain.
The article further breaks down each phase of these methodologies, starting from Lockheed Martin's reconnaissance phase, followed by Malware Forensics' reconnaissance external to inbound scan phase, and finally HP SIEM Kill Chain's reconnaissance or anomaly communication phase. This structured approach is designed to help readers understand the distinct differences between these methods and improve their analytical capabilities in cybersecurity event management.
In this context, stages involve initial communications from an external source to target hosts, potentially acting as attack vectors. This includes various communication techniques used for reconnaissance, such as slow scanning that doesn't trigger specific scanner events in firewalls or intrusion prevention systems, and anomalous traffic from unknown sources. Weaponization involves coupling a remote access trojan with an exploit into a payload, often through automated tools like weaponizers, using files like Adobe Portable Document Format (PDF) or Microsoft Office documents.
Delivery of the weapon to the targeted environment includes email attachments, websites hosting malicious content, and USB removable media as common vectors. The HP SIEM kill chain framework considers these stages but may not emphasize weaponization as a primary part due to its dependency on third-party products for understanding known malicious binaries.
The passage discusses several aspects related to security and malware detection within a network, focusing on the stages involved in an intrusion kill chain. It highlights how certain weaknesses in browsers or third-party applications can be exploited by attackers to infiltrate systems. These exploits often target vulnerabilities in software or user error, aiming to install remote access trojans (RATs) or backdoors that allow persistent access within a network.
In the context of detection through Security Information and Event Management (SIEM) tools like HP's, false positives are managed by using this information as part of a filtered watch list rather than directly triggering alerts. The passage then goes on to describe stages in the exploitation process: external to inbound exploit where malware is detected entering the network from outside; host exploitation that considers various sources such as third-party vendor products and OS changes; and installation, which involves setting up persistent access through RAT or backdoor installations.
The passage also introduces another stage within malware detection called internal to external binary acquisition, which relates to how malware might be acquired and introduced into a network environment. This sequence of stages is crucial for understanding the lifecycle of an attack and developing effective countermeasures in cybersecurity strategies.
The article describes several stages in the kill chain methodology used once a host has been compromised.
1. **Communication**: Once a host is compromised, it communicates with the source of the attack and downloads a binary payload to install on the compromised host. In some cases, this traffic can be seen leaving the compromised host on specific ports such as TCP 135 (Windows DCE/RPC), with the aim of gaining shell access.
2. **Binary Installation**: This stage involves detecting events released to known attack payload delivery profiles. For instance, on a Windows machine, it involves identifying unknown or malicious binaries not detected by point solutions like antivirus or anti-malware software. Additional indicators might include registry settings changes, increased number of windows processes, terminated protection software services, and unusual memory usage patterns.
3. **Command and Control (C2)**: Compromised hosts typically need to establish a C2 channel by beaconing outbound to an Internet controller server. APT malware often requires manual interaction for its activities rather than automatic execution. Once the C2 channel is established, intruders gain direct access into the target environment.
4. **Internal to External C&C Communication**: The next step involves setting up a listen port to accept new binary updates or commands and begins scanning other external victims on behalf of the botnet for lateral movement opportunities.
5. **Command and Control (C2) Continued**: In the HP SIEM kill chain methodology this step is similar to the Lockheed Martin and SANS malware forensics methods, focusing on identifying the source-to-destination communication that reveals command and control transactions going back out of the network. The strategy includes recognizing the web sites and IP addresses involved in these communications.
Overall, this process involves a series of steps designed to maintain unauthorized access and continue exploiting a compromised system for various objectives such as data theft or surveillance.
This text discusses several cybersecurity concepts related to detecting and preventing malicious activities on computers. It refers to "blacklisting," where attackers use domains to communicate with their malware already present on a computer. These sites are often new domain registrations by attackers specifically for command and control purposes, which may or may not be legitimate.
HP recommends using the kill chain method (a concept from Lockheed Martin) to detect advanced persistent threats that are unlikely to appear in public blacklists. This involves creating white lists and asset models based on expected behaviors to flag unexpected actions. The text also mentions exfiltration as a step in the kill chain, where attackers aim to collect, encrypt, and extract information from victim environments or use initial access points to compromise more systems within a network.
The Malware Kill Chain describes how an infected host starts interacting with other external victims on behalf of a botnet to spread infection through scanning. The final part of the text discusses local compromise in terms of reviewing events of compromised hosts, focusing specifically on creating local accounts, privilege escalation from existing local accounts, altering group policies, and changing file and folder access permissions.
The HP SIEM kill chain is a model that outlines the steps an attacker typically takes from initial compromise to data exfiltration. Here's a summary of each phase as described by this model:
1. **Internal Reconnaissance**: This stage involves profiling a compromised host and searching for vulnerabilities or sensitive information within the network, using tools like `netstat` to identify communication between hosts. The goal is to locate data of interest or other potential targets.
2. **Lateral Movement**: In this phase, the attacker moves from the initial compromised host to other systems across the network. Use cases involve events such as remote login (`netlogin`), accessing the remote registry, using WMI for communications, and more. The focus is on establishing a presence without being detected.
3. **Establish Persistence**: Once inside the network, the attacker invests in remaining undetected by continuing to use command line tools for less obvious communication with external hosts. This includes new processes spawned within the network and unusual binary installations on compromised hosts.
4. **Stage and Exfiltration**: The final stage involves actively stealing and transferring sensitive data from the network. Attackers may encrypt data locally before exfiltrating it, often indicating a spike in network communications indicative of data transfer.
An example use case within this model is related to phishing attacks, where an attacker uses these stages to gain unauthorized access and steal valuable information or resources from a targeted system or network.
The provided text discusses a security measure using HP SIEM (Security Information and Event Management) for reducing false positives in triggered events from point solutions, while also reviewing events that might be ignored by automated rules. This method aims to improve detection rates by considering more comprehensive contexts of the events, which can lead to fewer missed detections.
**Example Use Case: Phishing Attacks**
**Threat / Business Risk:** Phishing attacks are identified as a significant threat in this context, particularly where malicious emails containing harmful attachments or URLs are targeted at specific business users.
**Summary of Risk:** The business has observed an increase in malicious emails that could potentially be used to launch phishing attacks, often with attachments or links embedded within the email content.
**Risk Analysis:** Various security products might not consistently detect these threats due to isolated detections by different tools (e.g., desktop antivirus software quarantining attachments independently from email gateway detection). This results in potential unknown malware/virus going undetected within the business network.
**Use Case Example: HP SIEM Kill Chain**
**Kill Chain Stage - Reconnaissance:** Rules are defined to filter and cross-correlate events where there is anomalous communication from an external source to target hosts. Specifically, rules should be set up for emails with attachments that potentially contain harmful file types (e.g., Excel, Word documents, JPEG images, PDF files, audio/video files) and which have senders not in the trusted email list or internal IP addresses.
**Kill Chain Stage - Attack Delivery:** Rules are defined to capture events when harmful email attachments, despite being accepted file types for routine use (e.g., mentioned above), are opened on recipient machines. The source IP address of such events should be included in the shortlist1 for further investigation.
This approach using HP SIEM not only helps in narrowing down potential threats by cross-event correlation but also ensures that legitimate communications are not unnecessarily flagged, thus reducing both false positives and negatives.
The text outlines a multi-stage process for threat detection and response, using rules based on antivirus/anti-malware events, local operating system logs, and network communication anomalies to identify potential security threats. Here's a summary of the outlined stages and their associated rules:
1. **Kill Chain Stage: Host Exploitation and Binary Installation**:
Rule 1: If there is a change in registry settings related to startup locations (e.g., `\RunOnce`).
Rule 2: Detection of new, unknown processes spawning on the host.
For both rules, the source IP address is added to shortlist1 whenever these changes or process spawns are detected.
2. **Kill Chain Stage: Command and Control**:
Rule: Check if the source IP address communicates with known malicious command and control servers (blacklisted).
If this rule is violated, an incident alert is raised, and the IP address is added to the compromised host active list.
3. **Kill Chain Stage: Local Compromise**:
Rule 1: Detection of new local accounts being created on the system.
Rule 2: Discovery of any actions that escalate privileges (e.g., changes in group policy).
Rule 3: If Antivirus or Anti-Malware software processes are terminated.
For rules 1 to 4, if violated, the source IP address is added to shortlist2.
If an IP address appears more than once on shortlist2, a correlation rule triggers an incident alert.
4. **Kill Chain Stage: Internal Recon**:
Rule 1: Peer-to-peer communication anomalies.
Rule 2: HTTPS communications between desktop servers where such communications are not expected or documented.
Violation of these rules regarding network communication patterns can lead to the detection of internal reconnaissance activities and trigger incident alerts, with IP addresses added to shortlist1 or shortlist2 as per context.
This process is designed to identify potential security threats by analyzing various indicators including software changes, system activity logs, and network communications within a defined threat model framework.
The provided text outlines a set of cybersecurity rules designed to detect potential security incidents within a corporate network, focusing on stages of a kill chain model typically associated with adversary tactics such as lateral movement and establishing persistence. Here's a summarized version of the content:
**Kill Chain Stage: Lateral Movement**
**Objective**: Identify and respond to internal reconnaissance activities that may lead to unauthorized access across the network.
**Rules Overview**:
Rule 1: Detects communication attempts via services like netstat, adding source IP to shortlist2 if involved in desktop network communications seeking internet access.
Rule 2: Identifies multiple internal communications (source: desktop, destination: desktop) and correlates with IPs on shortlists, raising alerts for potential incidents.
**Correlation Rules**:
If an IP address appears more than once on shortlist2, it triggers a high alert indicating compromised status.
Correlating rules to IPs on shortlist1 suggests severe compromise, triggering immediate incident response and adding the host to the compromised list.
**Kill Chain Stage: Establish Persistence**
**Objective**: Maintain unauthorized access by making persistent changes within the local environment without being easily detected or removed.
**Rules Overview**:
Rule 1: Monitors Windows audit logs for events related to netstat usage, adding source IPs to shortlist2 if detected.
Rule 2: Logs net logon and remote registry/WMI events involving the source IP, also adding them to shortlist2.
Rule 3: Detects changes in local policies regarding file and folder access through Windows policy event audits.
**Correlation Rules**:
If an IP address shows up repeatedly on shortlist2 across multiple rules, it signals a critical incident requiring immediate attention.
Cross-referencing with IPs on shortlist1 suggests extensive network compromise, triggering an alert for potential internal security breach.
This framework is designed to proactively identify and respond to cyber threats by monitoring specific events that are indicative of unauthorized access or persistence within the network, using a combination of rule-based detection and correlation analysis.
This document outlines a cybersecurity framework designed to detect and respond to potential threats using specific rules and correlated events across multiple systems and networks. The process involves several steps, each focusing on different aspects of network activity and potential malicious behavior.
**Rule 1:** Monitors Windows programs for audit events where NTbackup is used, which could indicate data backup activities potentially linked to unauthorized access or exfiltration. If such an event occurs, the source IP address is added to a secondary list (shortlist2).
**Rule 2:** Observes registry accesses specifically in locations associated with the Windows Security Account Manager (SAM), suggesting possible attempts to tamper with user accounts and security configurations. Any access here raises an incident alert and also adds the source IP to shortlist2.
**Rule 3:** Looks for large data downloads from external hosts that are not frequent visitors, using Netflow event anomalies as a trend indicator. It correlates this with queries about low-traffic website visits through a proxy server. If there's a match, the source IP is added to shortlist2 and reviewed further based on multiple rules.
**Rule 4:** Analyzes Netflow data showing unusual geographic locations for destination addresses over time, suggesting potential data exfiltration attempts. The source IP associated with this activity is added to shortlist1.
**Rule 5:** Monitors access events to systems containing sensitive information and correlates these with email sending activities where the emails are sent to unknown recipients, potentially linked to data leakage or further malicious actions. Multiple such emails in a day, especially if attachments exceed 100MB, also raise alerts, adding source IPs to shortlist1 for follow-up.
**Correlation and Incident Response:** Any correlation between rules (from 1 to 5) indicates potential compromise, particularly at the Exfiltration stage of the cyber kill chain. The source IP addresses identified through these rules are compiled into shortlist1 or shortlist2 based on severity. If a single source IP appears in both lists, it is considered compromised and triggers an incident alert. This IP address is then added to a list of potentially compromised host assets for further investigation and possible remediation actions.
The document concludes with a diagram depicting the overall use case scenario as described in the text.
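The phishing use case above (Reconnaissance through Exfiltration) is easiest to reason about as a small correlation engine. The following Python model is an added example, not HP ArcSight rule content or code from the whitepaper: each rule tags a host into shortlist1 (early stages) or shortlist2 (post-compromise stages), a blacklisted C2 destination raises an incident directly, and a host that appears more than once on shortlist2, or on both lists, is escalated onto the compromised-host list. The email filter also keeps the recipient set per attachment so the "how many people received it" view described later in the post can be reported. Event field names, the trusted-sender and blacklist entries, and the sample event stream are all constructed for this example.

```python
import os
from collections import defaultdict

# Constructed reference data (assumptions for this example, not from the whitepaper).
TRUSTED_SENDERS = {"payroll@corp.example"}
RISKY_EXTENSIONS = {".xls", ".doc", ".pdf", ".jpg", ".mp3", ".mp4"}
C2_BLACKLIST = {"203.0.113.7"}                  # sample blacklisted controller (TEST-NET-3)
STARTUP_KEYS = ("\\Run", "\\RunOnce")           # registry startup locations
LOCAL_COMPROMISE_EVENTS = {"account_created", "gpo_change", "av_terminated"}


class KillChainCorrelator:
    """Shortlist-based correlation: hosts accumulate kill chain stage tags and are
    escalated to the compromised-host active list on repeated or cross-list hits."""

    def __init__(self):
        self.shortlist1 = defaultdict(set)            # host -> {stage, ...}
        self.shortlist2 = defaultdict(set)
        self.attachment_recipients = defaultdict(set)  # (sender, file) -> recipient hosts
        self.incidents = []                           # (host, reason), in order raised
        self.compromised = set()                      # compromised-host active list

    def _incident(self, host, reason):
        self.incidents.append((host, reason))
        self.compromised.add(host)

    def _hit(self, shortlist, host, stage):
        shortlist[host].add(stage)
        if host in self.compromised:
            return                                    # already escalated; keep the stage for scoping
        s1, s2 = self.shortlist1[host], self.shortlist2[host]
        if len(s2) > 1:                               # host seen more than once on shortlist2
            self._incident(host, "repeated on shortlist2: " + ", ".join(sorted(s2)))
        elif s1 and s2:                               # host on both lists: severe compromise
            self._incident(host, "on shortlist1 and shortlist2")

    def process(self, ev):
        kind, host = ev["type"], ev.get("src")
        if kind == "email":
            # Reconnaissance rule: risky attachment type from a sender outside the trusted list.
            ext = os.path.splitext(ev["attachment"])[1].lower()
            if ext in RISKY_EXTENSIONS and ev["sender"] not in TRUSTED_SENDERS:
                self.attachment_recipients[(ev["sender"], ev["attachment"])].add(ev["recipient_host"])
        elif kind == "attachment_opened":             # Attack delivery: attachment opened
            self._hit(self.shortlist1, host, "attack_delivery")
        elif kind == "registry" and ev["key"].endswith(STARTUP_KEYS):
            self._hit(self.shortlist1, host, "binary_install")
        elif kind == "new_process" and not ev["known"]:
            self._hit(self.shortlist1, host, "host_exploitation")
        elif kind == "netflow" and ev["dst"] in C2_BLACKLIST:
            self._incident(host, "command and control to " + ev["dst"])
        elif kind == "netflow" and ev.get("peer_to_peer"):
            self._hit(self.shortlist2, host, "internal_recon")
        elif kind in LOCAL_COMPROMISE_EVENTS:
            self._hit(self.shortlist2, host, "local_compromise:" + kind)


def run_phishing_scenario():
    """Constructed event stream: one host walks the whole chain, one beacons to a
    blacklisted C2, one repeats on shortlist2, one gets a single hit and stays quiet."""
    events = [
        {"type": "email", "sender": "billing@untrusted.example",
         "attachment": "invoice.pdf", "recipient_host": h}
        for h in ("10.0.0.5", "10.0.0.6", "10.0.0.7")
    ] + [
        {"type": "attachment_opened", "src": "10.0.0.5"},
        {"type": "registry", "src": "10.0.0.5",
         "key": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce"},
        {"type": "account_created", "src": "10.0.0.5"},          # now on both shortlists
        {"type": "new_process", "src": "10.0.0.9", "known": False},
        {"type": "netflow", "src": "10.0.0.9", "dst": "203.0.113.7"},   # blacklisted C2
        {"type": "gpo_change", "src": "10.0.0.6"},
        {"type": "av_terminated", "src": "10.0.0.6"},            # second shortlist2 hit
        {"type": "netflow", "src": "10.0.0.7", "dst": "10.0.0.8", "peer_to_peer": True},
    ]
    correlator = KillChainCorrelator()
    for ev in events:
        correlator.process(ev)
    return correlator


if __name__ == "__main__":
    c = run_phishing_scenario()
    for host, reason in c.incidents:
        print(f"INCIDENT {host}: {reason}")
    print("compromised hosts:", sorted(c.compromised))
    for (sender, name), hosts in c.attachment_recipients.items():
        print(f"{name} from {sender} reached {len(hosts)} hosts")
```

The single-hit host 10.0.0.7 never becomes an incident, which is the point of the shortlist design: one peer-to-peer anomaly is an event of interest to review, not an alert, while the attachment recipient count is available for the dashboard even though only one recipient opened the file.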
This summary discusses the application of indicators from a phishing attack example within the HP SIEM Kill Chain phases for identifying incidents and managing compromised hosts.
Initially, potential events of interest are shortlisted based on multiple occurrences of the same host with indicators of compromise across various phases in the kill chain. If these repeated indicators meet specific criteria of high certainty (e.g., alerts from host malware software), they raise incident alert lines in the diagram, signifying red lines for significant incidents.
When an incident is raised due to a compromised host, it's added to a list of such hosts, enabling Security Operations to assess quickly if multiple indicators of compromise are present across different phases of the kill chain. This comprehensive view helps in understanding the scale and nature of the incident more effectively.
Additionally, short lists can be reviewed for nonevent indications to provide further insights into potential non-compromise events alongside those that have been identified as compromised. This approach aids in informing and triaging mitigation steps based on a better understanding of the scope of the issue.
In a second example, these principles are applied more broadly across different threat vectors within the HP SIEM Kill Chain using reusable use cases. Here, focus shifts to perimeter threats where changes are made specifically to Reconnaissance or attack delivery phases, while reusing other established use cases from the initial scenario.
The risk in question is focused on attacks targeting DMZ hosts, highlighting a significant concern for business security related to external threats.
The document discusses addressing inherent weaknesses in the security of DMZ hosts, which are assets located in a low-value area that can potentially be used to access higher-value assets through lateral movement due to limited security controls. To mitigate this risk, a layered security approach is recommended, utilizing SIEM technology and Security Operations from the business. The suggested solution includes using standard security controls such as firewalls, intrusion prevention systems (IPS), and antivirus software for all assets, despite differences in their value.
To implement risk mitigation, define rules based on reconnaissance activities or anomalous communications to shortlist events of interest:
1. Rule 1 involves adding the source IP addresses of hosts attempting to make TCP/UDP connections that are considered packet anomalies (such as SYN, ACK, FIN packets) to a suspicious IP address list monitored by both firewall and IPS systems.
2. Rule 2 includes adding the source IPs of hosts performing network scans to the same list.
3. If the source IP is on a known bad IP list from threat intelligence and attempts to connect to a DMZ asset, raise an event of interest and add this IP to the suspicious IP address list.
4. Develop a global rule that if an IP address appears multiple times on the suspicious IP address list, it should be added to the threat intelligence active list. Note that the suspicious IP address list has a short time-to-live (TTL) period before being evaluated further or removed from monitoring.
This summary outlines a process for identifying and managing potential security threats based on network activities, particularly focusing on stages of a cyberattack known as "Attack Delivery" and "Stage and Exfiltration." The process involves creating short lists for suspicious IP addresses and a long-term active list for threat intelligence. Here's how it works:
**Attack Delivery (Initial Exploitation)**:
1. **Rule 1**: If an Intrusion Prevention System (IPS) detects an attempt to exploit a system, the source IP address of the host is added to a suspicious IP address short list. This initial detection helps filter out false positives by adding any potentially malicious attempts.
2. **Rule 2**: If the attempted exploitation involves sensitive or high-priority assets as defined in the asset model, the source IP address is also added to the suspicious IP address short list and an alert is raised since these are considered priority items for investigation.
3. **Rule 3**: When an attempt to exploit a host with a known vulnerability occurs, both the source and destination host IP addresses are added to specific lists: the threat intelligence active list for long-term tracking and the compromised host list for further monitoring.
4. **Global Rule**: If the same IP address appears on the suspicious IP address short list more than once, it is added to the threat intelligence active list for comprehensive tracking of potential threats.
**Stage and Exfiltration**:
1. **Rule 1**: If firewall or Netflow detects outbound communication to an IP address that is already on the threat intelligence active list, an alert is triggered, and the source host IP address is added to a compromised list. This rule integrates with other indicators of compromise from earlier stages for a cohesive defense strategy against potential threats.
Overall, this structured approach helps in rapidly identifying and prioritizing suspicious activities while continuously updating and refining the threat intelligence base based on repeated appearances or significant events like exploitation attempts involving high-value assets or known vulnerabilities.
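The perimeter use case (the Reconnaissance rules for DMZ hosts and the Attack Delivery and Stage and Exfiltration rules above) differs from the phishing one mainly in its lists: a suspicious-IP shortlist with a short TTL, a long-lived threat intelligence active list that repeated sightings are promoted into, and a compromised-host list fed by exploits of known-vulnerable assets and by outbound traffic to threat-intel addresses. The following Python model is an added example, not HP's rule content; the TTL value, the seeded threat-intel entry, the asset model, the IPS signature names and the timestamps are all constructed assumptions.

```python
# Constructed assumptions for this example (not from the whitepaper).
SUSPECT_TTL = 300                                  # seconds an entry lives on the suspicious list
KNOWN_BAD = {"198.51.100.23"}                      # seeded threat-intelligence entry
DMZ_ASSETS = {"192.0.2.10": "web", "192.0.2.20": "mail"}
HIGH_PRIORITY = {"192.0.2.20"}                     # priority assets from the asset model
VULNERABLE = {"192.0.2.10": {"exploit-signature-A"}}  # asset -> IPS signatures it is known vulnerable to


class PerimeterCorrelator:
    """Three lists with different lifetimes: suspicious (short TTL), threat intel
    (long-lived), compromised hosts (incident scope)."""

    def __init__(self, ttl=SUSPECT_TTL):
        self.ttl = ttl
        self.suspicious = {}                       # ip -> sighting timestamps still inside TTL
        self.threat_intel = set(KNOWN_BAD)         # threat intelligence active list
        self.compromised = set()
        self.alerts = []                           # (host, reason)

    def _expire(self, now):
        # Drop sightings older than the TTL; an IP with none left leaves the list.
        for ip in list(self.suspicious):
            self.suspicious[ip] = [t for t in self.suspicious[ip] if now - t < self.ttl]
            if not self.suspicious[ip]:
                del self.suspicious[ip]

    def _suspect(self, ip, now):
        self._expire(now)
        self.suspicious.setdefault(ip, []).append(now)
        if len(self.suspicious[ip]) > 1:           # global rule: repeated within TTL -> threat intel
            self.threat_intel.add(ip)

    def process(self, ev):
        kind, now, src, dst = ev["type"], ev["ts"], ev["src"], ev.get("dst")
        if kind in ("packet_anomaly", "port_scan"):            # Reconnaissance rules 1 and 2
            self._suspect(src, now)
        elif kind == "connection" and src in self.threat_intel and dst in DMZ_ASSETS:  # rule 3
            self.alerts.append((src, "known bad source connecting to DMZ asset " + dst))
            self._suspect(src, now)
        elif kind == "ips_exploit":                            # Attack Delivery rules 1 to 3
            self._suspect(src, now)
            if dst in HIGH_PRIORITY:
                self.alerts.append((src, "exploit attempt on priority asset " + dst))
            if ev["signature"] in VULNERABLE.get(dst, ()):
                self.threat_intel.add(src)
                self.compromised.add(dst)
                self.alerts.append((dst, "exploit of known vulnerability from " + src))
        elif kind == "outbound" and dst in self.threat_intel:  # Stage and Exfiltration rule 1
            self.alerts.append((src, "outbound to threat-intel address " + dst))
            self.compromised.add(src)


def run_perimeter_scenario():
    """Constructed events: one scanner repeats inside the TTL, one repeats only after
    it expired, one source exploits a known-vulnerable DMZ host which then calls out."""
    events = [
        {"type": "port_scan", "ts": 0, "src": "203.0.113.50"},
        {"type": "packet_anomaly", "ts": 100, "src": "203.0.113.50"},   # second sighting -> threat intel
        {"type": "port_scan", "ts": 0, "src": "203.0.113.60"},
        {"type": "packet_anomaly", "ts": 1000, "src": "203.0.113.60"},  # first sighting expired
        {"type": "connection", "ts": 1200, "src": "198.51.100.23", "dst": "192.0.2.10"},
        {"type": "ips_exploit", "ts": 1300, "src": "203.0.113.70", "dst": "192.0.2.20",
         "signature": "exploit-signature-B"},                           # priority asset, not vulnerable
        {"type": "ips_exploit", "ts": 1400, "src": "203.0.113.70", "dst": "192.0.2.10",
         "signature": "exploit-signature-A"},                           # known vulnerability
        {"type": "outbound", "ts": 1500, "src": "192.0.2.10", "dst": "203.0.113.50"},
        {"type": "outbound", "ts": 1600, "src": "192.0.2.20", "dst": "203.0.113.60"},  # no match
    ]
    correlator = PerimeterCorrelator()
    for ev in events:
        correlator.process(ev)
    return correlator


if __name__ == "__main__":
    p = run_perimeter_scenario()
    for host, reason in p.alerts:
        print(f"ALERT {host}: {reason}")
    print("threat intel:", sorted(p.threat_intel))
    print("compromised:", sorted(p.compromised))
```

The TTL is what keeps the suspicious list from turning into a permanent blacklist of every noisy scanner: 203.0.113.60 is seen twice but never promoted, because its first sighting had aged out, whereas 203.0.113.50 is promoted and then matched when a DMZ host later talks back to it.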
The diagram provided illustrates various benefits associated with employing a kill chain methodology in comparison to standalone use cases, particularly within the context of security information and event management (SIEM) tools like HP SIEM. This approach offers several advantages such as defining more comprehensive threat coverage, reducing false positives, and minimizing false negatives.
1. Defined Threat Coverage: By using the HP SIEM kill chain methodology to define use cases, a layered security strategy is adopted, which involves utilizing a security in-depth approach. This method helps in clearly identifying and addressing various threat vectors by ensuring that multiple layers of protection are in place. It contributes to better understanding and coverage of potential threats across different stages of an attack.
2. Reduction of False Positives: Traditional reliance on single event triggers, such as those from Intrusion Prevention Systems (IPS) or antivirus software, can lead to a high number of false positives. These false alarms consume resources and distract security analysts from focusing on genuine incidents. The kill chain methodology helps in reducing this by continuously evaluating events within the chain for indicators of compromise. This evaluation process allows for more accurate identification of true threats and reduces unnecessary alerts that could be considered as false positives.
3. Providing Greater Coverage Over False Negatives: Another advantage is the reduction of false negatives, which are instances where important events of interest are overlooked or ignored due to their volume or potential to be misclassified as false positives. By incorporating these events into use cases through the kill chain methodology and allowing for correlation and analysis across different stages, valuable information about initial attack vectors is preserved and not lost, thus improving overall situational awareness in both automated and manual analyses.
In summary, adopting a kill chain approach using HP SIEM can lead to more effective threat detection and response by enhancing coverage, reducing unnecessary alerts, and minimizing missed opportunities for security interventions.
The passage discusses how the HP SIEM kill chain methodology enhances security operations by raising events of interest as incidents, allowing for better understanding of threat indicators throughout the kill chain. This leads to quicker responses through situational awareness, with focus on actionable incidents instead of mere events of interest. Additionally, it highlights the use of shortlists and contextual information in visualisation tools to aid analytics.
In one example, an email containing a potentially dangerous attachment from an untrusted sender was filtered using specific values such as source IP address, receiver email address, sender email address, and email attachment name. From an analytical standpoint, this data is crucial for reporting, dashboards, and event graphs, enabling visualization of how many people received the attachment even if only opened by a few users. This information allows informed actions like not opening attachments or blacklisting senders to prevent further attacks.
The passage does not delve into every shortlisted event but rather provides examples that illustrate the use of contextualized information in visualizing and reporting on events, which can be discussed in detail during workshops.
HP ArcSight pattern discovery provides significant advantages for situational awareness by enabling the indication of anomalies in event patterns, which can help organizations understand if their security controls are effective against specific threats. By leveraging the HP SIEM kill chain methodology, it allows for reporting on key threat actors within a particular risk domain and helps guide investments in improving security measures. This approach also enables the reuse of use cases across different phases of the kill chain, making it easier to adapt to new threat vectors with less overhead. Overall, these features enhance situational awareness by providing metrics and continuous improvement based on quantifiable analysis and actionable insights from the HP SIEM kill chain.
