
SIOC Perimeter Defense Jumpstart 1

  • Writer: Pavan Raja
  • Apr 9
  • 5 min read

Summary:

The HP Enterprise Security Products (ESP) SIOC Perimeter Defense Jumpstart Package is a prebuilt ArcSight content package that lets HP ESP consultants deploy a set of correlation use cases focused on network perimeter defense in a customer environment quickly. It contains rules for firewall events, intrusion detection system (IDS) alerts and cross-platform correlation between the two, monitoring of ingress and egress traffic by protocol (including plain HTTP carried over port 443 and traffic to or from TOR exit nodes), and detection of traffic to or from restricted regions derived from the ITAR and OFAC lists. The package targets ArcSight ESM 5.2.x or 6.x with the CORR-Engine (Correlation Optimized Retention and Retrieval). Installation consists of importing a single .arb file from the ArcSight Console Navigator panel; the import should be performed under a named user account with the appropriate permissions rather than a shared admin account. Every imported rule starts disabled and has to be enabled deliberately. The use cases described in this post include:

  • /0001: successful egress DNS connections from a protected asset to an open-internet DNS server.

  • /0002: successful ingress responses from an open-internet DNS server to a protected asset.

  • /0003: egress traffic to known malicious IP addresses from the ArcOSI feed; shipped without the active list (AL) condition, which must be added before the rule is usable.

  • /0004: egress traffic to external IP addresses on a watchlist.

  • /0006: firewall events matched against IDS alerts for the same traffic.

  • Successful ingress FTP, RDP, SMTP, SSH and Telnet connections to protected assets, plus the firewall and IDS threshold rules listed under Details.

Details:

The HP Enterprise Security Products (ESP) package known as the "SIOC Perimeter Defense Jumpstart Package" is designed to help HP ESP consultants rapidly deploy a set of security use cases focused on perimeter defense within customer environments. It includes rules for firewall events, intrusion detection system (IDS) alerts, cross-platform correlation between firewall and IDS, monitoring of ingress and egress traffic by protocol, and detection of suspicious activity such as connections to or from TOR exit nodes or traffic to or from regions restricted under ITAR (International Traffic in Arms Regulations) and OFAC (Office of Foreign Assets Control) sanctions lists. The package must be installed on ArcSight ESM 5.2.x or ArcSight ESM 6.x with the CORR-Engine (Correlation Optimized Retention and Retrieval). Installation consists of importing the SIOC_Perimeter_UseCase.arb file from the ArcSight Console Navigator panel: select "Packages - Import" and open the file. The import works under the admin account, but it should be done from an individual user account with the appropriate permissions, so that the resulting resources are owned by an accountable identity rather than a shared account. After import, all resources are stored under a predefined directory in the resource tree. All rules are disabled by default and must be enabled manually by the consultant who performed the import, which allows each rule to be reviewed and tuned against the customer's zones and active lists before it starts generating correlation events. Rule conditions are built from embedded filters; because these filters are defined centrally, the same definitions can also drive dashboards, queries, reports and other content, keeping the meaning of "egress", "protected asset" and similar terms consistent across the deployment. The package includes the following use cases:

  • Use case /0001 detects successful egress DNS connections, that is, a protected asset that has connected to an open-internet DNS server instead of a sanctioned resolver.

  • Use case /0002 detects successful ingress responses from an open-internet DNS server to a protected asset.

  • Use case /0003 detects egress traffic to known malicious IP addresses from the ArcOSI feed. As shipped, the rule lacks the active list (AL) condition that ties it to the ArcOSI list, so the consultant has to add that condition before the rule is functional.

  • Use case /0004 detects egress traffic to external IP addresses held on a watchlist.

  • Use case /0006 matches firewall events against IDS alerts for the same traffic (cross-platform correlation).

  • Further use cases, such as the rules for successful ingress FTP, RDP, SMTP, SSH and Telnet connections to protected assets, are also included but are not detailed here due to space constraints.

This package aims to provide a rapid deployment solution for HP ESP consultants to enhance the security posture of customer networks by focusing on the parts of the network perimeter most often abused. The remaining rules in the package, listed by identifier with the firewall (FW) or IDS source they operate on:

  • /0012 - FW: Successful Egress SSH --> Non-Protected Asset: an outbound SSH connection from a protected asset to a host outside the protected address space that the firewall accepted. Outbound SSH is a common tunnelling and exfiltration channel, so it is worth reviewing even where policy allows it.

  • /0013 - FW: 25+ Deny Events --> Same Critical Target: 25 or more firewall deny events against the same critical asset, indicating a sustained probe or attack on that target.

  • /0014 - FW: Scan --> TCP Host Scan: one source contacting many hosts over TCP (horizontal scan).

  • /0015 - FW: Scan --> TCP Port Scan: one source contacting many TCP ports on a host (vertical scan).

  • /0016 - FW: Egress TOR Exit Node Activity: a protected asset connecting outbound to an address on the TOR exit node list.

  • /0017 - FW: Ingress TOR Exit Node Activity: an address on the TOR exit node list connecting inbound to a protected asset.

  • /0018 - FW: Scan --> UDP Host Scan: the UDP counterpart of /0014.

  • /0019 - FW: Scan --> UDP Port Scan: the UDP counterpart of /0015.

  • /0020 - FW: Egress HTTP over 443: outbound traffic to TCP port 443 that the firewall classified as plain HTTP rather than TLS. The protocol/port mismatch is the signal: legitimate clients send TLS on 443, while malware and tunnelling tools often use 443 only to get through egress filtering.

  • /0021 - IDS: 4 Unique Events --> Same Target: four distinct IDS event types (signatures) against a single target.

  • /0022 - IDS: Ingress 4 Unique Events --> Protected Asset: four distinct IDS event types seen in ingress traffic toward a single protected asset.

  • /0023 - IDS: 4 Unique Events from Same Attacker: four distinct IDS event types generated by the same source address, regardless of target.

  • /0024 - IDS: 25+ Attackers --> Same Event: the same IDS event type triggered by 25 or more distinct source addresses, which suggests a distributed or botnet-driven attack.

  • /0025 - IDS: 25+ Events from Same Attacker: 25 or more IDS events from a single source address.

  • /0026 - IDS: High Severity Event: an IDS event whose severity is classified as high.

  • /0028 - IDS: Very High Severity Event: an IDS event whose severity is classified as very high.

  • /0029 - Egress Suspicious Region Traffic: outbound traffic from a protected asset to a country or region on the ITAR/OFAC-derived list.

  • /0030 - Ingress Suspicious Region Traffic: inbound traffic from such a region to a protected asset.

Identifiers /0005, /0007 through /0011 and /0027 are not covered in this post. As with the use cases above, each of these rules is built on the package's centrally defined filters and, where a list is involved, on an active list that the consultant is expected to populate for the customer environment.
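To make the rule semantics above concrete, the following is an added example written for this post; it is not code from the Jumpstart package, which expresses these rules as ArcSight rule conditions over embedded filters and active lists. Here Python predicates stand in for the filters, Python sets stand in for the active lists (protected zone, corporate resolvers, critical assets, TOR exit nodes, watchlist), and the event records and address ranges are constructed for illustration. It implements a handful of the rules (/0001, /0004, /0006, /0013, /0016, /0017, /0020, /0023) over a small batch of normalized firewall and IDS events, including the aggregation rules that fire only once a threshold of denies or distinct signatures is reached.

```python
"""Simplified re-implementation of several SIOC perimeter rules over
ArcSight-style normalized events. Added example for this post, not code
from the package; every list, range and event below is constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Stand-ins for the package's zones and active lists (assumptions).
PROTECTED_NETS = [ip_network("10.0.0.0/8")]   # "protected assets" zone
CORPORATE_DNS = {"10.0.0.53"}                 # sanctioned internal resolvers
CRITICAL_TARGETS = {"10.0.1.10"}              # critical asset list
TOR_EXIT_NODES = {"198.51.100.7"}             # TOR exit node active list
WATCHLIST = {"203.0.113.9"}                   # external IP watchlist


def is_protected(ip):
    addr = ip_address(ip)
    return any(addr in net for net in PROTECTED_NETS)


# Centrally defined filters: the package builds rule conditions on embedded
# filters that dashboards and reports can reuse. These predicates play that role.
def f_fw(e):         return e["device"] == "FW"
def f_fw_accept(e):  return f_fw(e) and e["action"] == "accept"
def f_fw_deny(e):    return f_fw(e) and e["action"] == "deny"
def f_fw_egress(e):  return f_fw(e) and is_protected(e["src"]) and not is_protected(e["dst"])
def f_fw_ingress(e): return f_fw(e) and not is_protected(e["src"]) and is_protected(e["dst"])
def f_ids(e):        return e["device"] == "IDS"


# Single-event rules: each fires on one matching event.
def rule_0001_egress_open_dns(e):
    return f_fw_accept(e) and f_fw_egress(e) and e["dport"] == 53 and e["dst"] not in CORPORATE_DNS

def rule_0004_egress_watchlist(e):
    return f_fw_egress(e) and e["dst"] in WATCHLIST

def rule_0016_egress_tor(e):
    return f_fw_egress(e) and e["dst"] in TOR_EXIT_NODES

def rule_0017_ingress_tor(e):
    return f_fw_ingress(e) and e["src"] in TOR_EXIT_NODES

def rule_0020_egress_http_over_443(e):
    # Protocol/port mismatch: payload classified as plain HTTP on the TLS port.
    return f_fw_accept(e) and f_fw_egress(e) and e["dport"] == 443 and e["app"] == "http"


# Aggregation rules: count over a key and fire once a threshold is reached.
def rule_0013_denies_same_critical_target(events, threshold=25):
    counts = defaultdict(int)
    for e in events:
        if f_fw_deny(e) and e["dst"] in CRITICAL_TARGETS:
            counts[e["dst"]] += 1
    return {target for target, n in counts.items() if n >= threshold}

def rule_0023_unique_ids_events_same_attacker(events, threshold=4):
    sigs = defaultdict(set)
    for e in events:
        if f_ids(e):
            sigs[e["src"]].add(e["sig"])
    return {attacker for attacker, s in sigs.items() if len(s) >= threshold}

def rule_0006_fw_ids_match(events):
    # Cross-platform correlation: an IDS alert on a flow the firewall accepted.
    accepted = {(e["src"], e["dst"]) for e in events if f_fw_accept(e)}
    return {(e["src"], e["dst"]) for e in events if f_ids(e) and (e["src"], e["dst"]) in accepted}


def run_all(events):
    single = {"0001": rule_0001_egress_open_dns, "0004": rule_0004_egress_watchlist,
              "0016": rule_0016_egress_tor, "0017": rule_0017_ingress_tor,
              "0020": rule_0020_egress_http_over_443}
    findings = {k: [(e["src"], e["dst"]) for e in events if fn(e)] for k, fn in single.items()}
    findings["0006"] = rule_0006_fw_ids_match(events)
    findings["0013"] = rule_0013_denies_same_critical_target(events)
    findings["0023"] = rule_0023_unique_ids_events_same_attacker(events)
    return findings


def fw(src, dst, dport, action="accept", app=None):
    return {"device": "FW", "src": src, "dst": dst, "dport": dport, "action": action, "app": app}

def ids(src, dst, sig):
    return {"device": "IDS", "src": src, "dst": dst, "sig": sig}

# Constructed sample events.
SAMPLE_EVENTS = [
    fw("10.0.2.15", "8.8.8.8", 53, app="dns"),            # /0001: open-internet resolver
    fw("10.0.2.15", "10.0.0.53", 53, app="dns"),          # sanctioned resolver, no hit
    fw("10.0.2.16", "203.0.113.9", 443, app="ssl"),       # /0004: watchlisted destination
    fw("10.0.2.17", "198.51.100.7", 9001, app="tor"),     # /0016: outbound to TOR exit node
    fw("198.51.100.7", "10.0.1.10", 443, action="deny"),  # /0017: inbound from TOR exit node
    fw("10.0.2.18", "192.0.2.80", 443, app="http"),       # /0020: plain HTTP on the TLS port
    fw("192.0.2.44", "10.0.1.10", 22, app="ssh"),         # accepted SSH, later seen by IDS
    ids("192.0.2.44", "10.0.1.10", "SSH brute force"),    # /0006 pairs with the accept above
]
# /0013: one source hammering the critical target, denied 30 times.
SAMPLE_EVENTS += [fw("192.0.2.99", "10.0.1.10", p, action="deny") for p in range(1000, 1030)]
# /0023: the SSH attacker also trips four distinct signatures elsewhere.
SAMPLE_EVENTS += [ids("192.0.2.44", "10.0.1.11", s) for s in ("SQLi", "XSS", "LFI", "RFI")]

if __name__ == "__main__":
    for rule_id, hits in sorted(run_all(SAMPLE_EVENTS).items()):
        print(rule_id, hits)
```

The split between single-event rules and aggregation rules mirrors how the package's rule set is organised: the /00xx "Successful Egress/Ingress" rules fire per event, while the "25+" and "4 Unique" rules need a counter keyed on target or attacker and a threshold, which is why the latter take the whole batch. In a real deployment the protected zone, resolver list, critical asset list, TOR list and watchlist are the active lists the consultant populates before enabling the rules.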

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.




© 2021. All rights reserved.
