
Monitoring Targeted Attacks with HP ArcSight: Using Kill Chain Methodology

  • Writer: Pavan Raja
  • Apr 8, 2025
  • 5 min read

Summary:

This document discusses how organizations can monitor and defend against targeted attacks (APTs) using ArcSight Enterprise Security Manager (ESM). The author applies the Cyber Kill Chain model, which breaks an intrusion into the stages Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control (C2), and Actions on Objectives, and argues that detecting and stopping the attacker at any stage breaks the chain. ArcSight ESM can monitor network and security-device logs for reconnaissance activity such as external and internal scanning. Weaponization itself happens on the attacker's side and cannot be observed directly; the recommended countermeasure is to feed proxy and email (SMTP) transactions and known-exploit vulnerability data into ESM so that exploit attempts against unpatched systems are recognized. During delivery, ESM can flag suspicious executable attachments and links to bad-reputation or uncategorized sites in email and proxy traffic. For exploitation, ArcSight can correlate indicators such as repeated failed login attempts with vulnerability data. In the installation phase, change management combined with Active Lists of known attack-tool file names helps catch malicious software being installed. Monitoring firewall, proxy and DNS traffic for connections to known C2 infrastructure covers the C2 stage. Detecting and stopping indicators at each stage prevents the attacker from reaching the final objective, typically data exfiltration. The document concludes that ArcSight ESM alone is not a comprehensive defense against APTs, but it is a valuable tool when combined with other security controls and used within a broader kill chain strategy.

Details:

The article discusses how organizations can monitor targeted attacks (APTs) using ArcSight Enterprise Security Manager (ESM). It addresses the common question of how to deal with the growing threat from nation states and other sophisticated attackers. The author introduces the "Cyber Kill Chain", a model borrowed from military targeting doctrine that describes an intrusion as a sequence of stages; the defender wins by detecting and disrupting the attacker at any stage before the final objective is reached. ArcSight ESM can be applied at each stage of the chain:

  • **Reconnaissance**: ArcSight ships default content for detecting external and internal scanning, and integrates with existing firewall, IDS/IPS, and NetFlow sources so that scanning and probing are seen from several vantage points at once.

  • **Weaponization**: The attacker's pairing of an exploit with a deliverable (a document, an email) happens out of the defender's sight. The article suggests using ArcSight's integration capabilities, in particular proxy and email logs and known-exploit vulnerability data, so that a weapon is recognized as soon as it is used against the organization.

  • **Delivery**: ESM can analyze email, proxy and firewall traffic and flag unusual activity, such as executable attachments or links to bad-reputation sites, that indicates a delivery attempt in progress.

  • **Exploitation**: By monitoring system activity closely, ArcSight can detect signs of exploitation, for example bursts of failed login attempts against a host, and correlate them with what is known about that host's vulnerabilities.

  • **Installation**: Robust change management combined with ESM content (Windows and HIPS logs checked against a list of known attack-tool file names) helps identify and respond to the malicious software installations that are part of every APT lifecycle.

  • **Command & Control (C2)**: ArcSight can monitor firewall, proxy and DNS traffic for connections from internal hosts to known C2 infrastructure, the channel the attacker depends on to control compromised systems.

  • **Actions on Objectives**: Detecting and stopping or mitigating indicators at each earlier stage denies the attacker the ability to reach the final objective.

The article concludes by emphasizing that while ArcSight ESM is not sufficient on its own for a comprehensive defense against APTs, it is a valuable tool when combined with other security controls and built into a broader kill chain strategy.

For Reconnaissance, the recommended approach is to keep track of all activity from a given source, such as an IP address, and to correlate what that source does with its geographic location and reputation, so that a scanner is not treated as an isolated event.

Weaponization, where attackers pair exploits for known vulnerabilities with email-borne content, requires integrating proxy and email (SMTP) transactions into ESM. The article also suggests using sources such as Exploit-DB for known-exploitable vulnerabilities and feeding that data into ESM alongside vulnerability scan results, so that systems missing patches for weaponized vulnerabilities are flagged.

Delivery is the critical phase of most APT intrusions and usually relies on social engineering within email that leads the recipient to the exploit. Detecting it requires proxy, email SMTP, and firewall logs in ESM so that suspicious executable attachments, links with bad reputations, or visits to uncategorized websites can be raised as alerts.

For exploitation prevention the article recommends application whitelisting, citing a vendor-specific product. Bit9, itself a whitelisting vendor, suffered a highly targeted attack in which the attackers reached a system that was not covered by Bit9's own product, an incident that exposed how hard it is to keep every endpoint under policy in a large enterprise, especially under Bring Your Own Device (BYOD) policies.
To manage this risk more effectively, the article recommends host intrusion prevention systems (HIPS) such as those from Symantec, McAfee, and others, alongside Windows group and domain policy, which can lock down endpoints without third-party products. Patching remains a crucial control, and IDS/IPS can at least soften the exposure. The defense-in-depth recommendation is to have ArcSight correlate exploitation attempts against vulnerability data, bringing every stage of the attack into one view for monitoring and analysis.

Post-exploitation activity from such attacks comes in stages. The first stage is a heavily obfuscated "dropper", likened to a stealth jet: it slips past IDS and antivirus to deliver the real payload undetected. In the second stage more familiar tooling appears, such as credential-dumping tools like pwdump, which harvest LANMAN/NTLM password hashes for reuse across the network. That tooling is a clear indicator of an APT in progress and can be tracked in ArcSight from Windows application and security logs or from HIPS logs. An Active List of known bad-ware file names makes this tracking efficient: each process or file event is checked against the list, and a hit raises a correlation event.

The author, Greg Martin of ThreatStream Inc., stresses that ArcSight ESM is most effective when it catches the intrusion early in the kill chain. ThreatStream tracks more than 2,200 C&C servers associated with APTs, and their traffic can be detected in firewall, proxy, or DNS logs; a second Active List of these indicators lets ESM match them against destination addresses and names. For ArcSight users, ThreatStream offered a free upgrade to its Core version with content and threat intelligence for detecting C&C traffic.

Failing to act at an earlier stage leads to the final one, data exfiltration, as in the then-recent APT intrusions at Coca-Cola, the New York Times, the Wall Street Journal, and Bit9. The author urges organizations to use the tools they already have, ArcSight ESM in particular, and to seek additional cyber threat intelligence sources so that the kill chain is broken as early as possible.

On the original ArcSight community site the post was written by a member carrying the Warrior and ArcSight Evangelist badges and was filed under ESM, ArcSight Express, SmartConnectors, Connector Appliance, Content, Database, Logger, NSP, Reports, Upgrade and Feature Requests, with tags including targeted attacks from China; reader ratings and comments thanked the author for the content.
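The stage-by-stage detections described above (scanning under Reconnaissance, failed logons under Exploitation, and the two Active Lists of bad-ware file names and C&C indicators under Installation and C2) reduce to a handful of correlation rules over normalized events. The following is an added example written for this page; it is not code from the original post, from Greg Martin, or from ArcSight. It models those rules in plain Python over a constructed event sample, and every host name, address, domain, file name, indicator and threshold in it is an assumption chosen for illustration.

```python
"""Kill-chain correlation over a constructed event sample (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Active lists: in ESM these are maintained lists that rules look up at run time.
# Here they are plain sets; every entry is a constructed placeholder, not real intel.
KNOWN_BAD_FILENAMES = {"pwdump.exe", "gsecdump.exe", "wce.exe"}
C2_INDICATORS = {"update-check.example", "203.0.113.77"}

# Thresholds are assumptions; tune them per environment.
SCAN_PORT_THRESHOLD = 5             # distinct ports from one source to one host
SCAN_WINDOW = timedelta(seconds=60)
FAILED_LOGIN_THRESHOLD = 5          # failures from one source against one host
FAILED_LOGIN_WINDOW = timedelta(minutes=5)

BASE = datetime(2025, 4, 8, 9, 0, 0)


def ev(seconds, **fields):
    """Build one normalized event `seconds` after BASE (as a connector would emit it)."""
    return {"time": BASE + timedelta(seconds=seconds), **fields}


# Constructed sample: a port scan, a logon-guessing burst, a credential-dumping
# tool start, and a proxy connection to a listed C2 name, with benign noise mixed in.
SAMPLE_EVENTS = (
    [ev(5 * i, type="firewall", src="10.0.0.5", dst="10.0.1.20", dport=p)
     for i, p in enumerate((21, 22, 23, 25, 80, 443, 445, 3389))]
    + [ev(10, type="firewall", src="10.0.0.9", dst="10.0.1.20", dport=443)]
    + [ev(120 + 20 * i, type="auth", src="10.0.0.5", dst="DC01",
          user="administrator", outcome="failure") for i in range(6)]
    + [ev(300, type="auth", src="10.0.0.5", dst="DC01",
          user="administrator", outcome="success"),
       ev(400, type="process", host="WS07", file="PWDUMP.EXE"),
       ev(450, type="proxy", host="WS07", dest_name="www.example.org", dst="198.51.100.10"),
       ev(460, type="proxy", host="WS07", dest_name="update-check.example", dst="203.0.113.77"),
       ev(470, type="dns", host="WS07", dest_name="cdn.example.net", dst="198.51.100.53")]
)


def _max_in_window(times, window):
    """Largest number of timestamps that fall inside any single sliding window."""
    times = sorted(times)
    best = j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best


def detect_scans(events):
    """Reconnaissance: one source touching many distinct ports on one host."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "firewall":
            by_pair[(e["src"], e["dst"])].append((e["time"], e["dport"]))
    alerts = []
    for (src, dst), hits in by_pair.items():
        hits.sort()
        best = j = 0
        for i, (t, _) in enumerate(hits):
            while t - hits[j][0] > SCAN_WINDOW:
                j += 1
            best = max(best, len({p for _, p in hits[j:i + 1]}))
        if best >= SCAN_PORT_THRESHOLD:
            alerts.append(("Reconnaissance",
                           f"{src} probed {best} distinct ports on {dst} "
                           f"within {SCAN_WINDOW.seconds}s"))
    return alerts


def detect_failed_logins(events):
    """Exploitation: repeated failed logons from one source to one host."""
    by_pair = defaultdict(list)
    for e in events:
        if e["type"] == "auth" and e["outcome"] == "failure":
            by_pair[(e["src"], e["dst"])].append(e["time"])
    alerts = []
    for (src, dst), times in by_pair.items():
        n = _max_in_window(times, FAILED_LOGIN_WINDOW)
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("Exploitation",
                           f"{src}: {n} failed logons to {dst} within "
                           f"{FAILED_LOGIN_WINDOW.seconds // 60} minutes"))
    return alerts


def detect_active_list_hits(events):
    """Installation and C2: exact lookups against the two active lists."""
    alerts = []
    for e in events:
        if e["type"] == "process" and e["file"].lower() in KNOWN_BAD_FILENAMES:
            alerts.append(("Installation", f"{e['file']} started on {e['host']}"))
        elif e["type"] in ("proxy", "dns", "firewall"):
            name, dst = e.get("dest_name"), e.get("dst")
            if name in C2_INDICATORS or dst in C2_INDICATORS:
                alerts.append(("Command & Control",
                               f"{e.get('host', e.get('src'))} contacted {name or dst} "
                               f"({dst}), a listed C2 indicator"))
    return alerts


def correlate(events):
    """Run every stage rule and return (stage, detail) tuples."""
    return detect_scans(events) + detect_failed_logins(events) + detect_active_list_hits(events)


if __name__ == "__main__":
    for stage, detail in correlate(SAMPLE_EVENTS):
        print(f"[{stage}] {detail}")
```

Running it produces one alert per stage for the sample. Two caveats matter in practice: a file-name Active List is trivially evaded by renaming the binary, so pair it with file hashes or behavioral signals where the log source provides them, and C&C indicator lists go stale quickly, so the list needs the same expiry and refresh handling an ESM Active List gets.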

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

