Threat Intelligence Overview 1
- Pavan Raja
- Apr 9
Summary:
ArcSight ESM Threat Intelligence Solution Accelerator is a pre-packaged use case designed for versions 4.5 sp1 and above, focused on enhancing security operations by detecting malware infections and identifying botnet threats. It includes an IP/Domain scraper script that gathers threat intelligence from the Internet so that systems accessing known malicious domains and IPs can be detected. The solution provides correlation rules for near real-time detection of malware, active lists for tracking infected hosts, dashboards for visualizing the situation, and automated reporting. It integrates with ArcSight ESM to help organizations mitigate threats more efficiently, reduce adverse impacts, and save time and money. The solution uses intelligence feeds from sources such as the SANS Internet Storm Center and Zeus Tracker to cross-reference incoming events against known malicious hosts and domains.
The main focus of these intelligence feed projects is to assist system administrators in managing and preventing network infections from known malicious hosts such as ZeuS and SpyEye. They publish blocklists that web proxies or firewalls can use to block access to the malware's command and control servers, thereby protecting networks from further infection. Additionally, they track other types of threats using honeypots to identify spammers and their activities on websites. The information gathered is sent to a Syslog connector for analysis in an enterprise security management (ESM) system, where the malicious entries are added to separate active lists for IP addresses and domains.
Details:
ArcSight ESM™ Threat Intelligence Solution Accelerator is a pre-packaged use case for versions 4.5 sp1 and above, aimed at enhancing security operations by detecting malware infections and achieving situational awareness of botnet infections. It includes an IP/Domain scraper script that automatically gathers threat intelligence from the Internet to identify systems accessing known malicious domains and IPs, which is indicative of potential threats such as advanced persistent threats (APTs), botnets, and other malicious activity. The solution provides correlation rules for near real-time detection of malware infections, active lists for tracking infected hosts, dashboards for visualizing the situation, and automated reporting that summarizes malware incidents in a comprehensible format. It integrates with ArcSight ESM to help organizations mitigate threats more efficiently, reduce adverse impacts, and save time and money. The solution uses intelligence feeds from sources such as the SANS Internet Storm Center and Zeus Tracker to cross-reference incoming events against known malicious hosts and domains.
The main focus of these feed projects is to help system administrators manage and prevent network infections from known malicious hosts such as ZeuS and SpyEye. They publish blocklists that web proxies or firewalls can use to block access to the malware's command and control servers, thereby protecting networks from further infection. Additionally, they track other types of threats, such as AMaDa malware and spam bots, using honeypots to identify spammers and their activities on websites. The information gathered is sent to a Syslog connector for analysis in an enterprise security management (ESM) system, where the malicious entries are added to separate active lists for IP addresses and domains.
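To make the workflow concrete, here is an added Python illustration (not code from the page, from the ArcSight solution accelerator, or from any feed project) of the pipeline the text describes: parse blocklist feeds into IP and domain active lists, cross-reference proxy-style events against those lists, and build an "infected hosts" list for reporting. The feed text, the event lines and their `src=/dst=/host=` field layout, and the syslog line format are all constructed for this example; real feeds and ArcSight's own active-list and event formats differ.

```python
"""Toy threat-feed ingestion and event correlation (added example, constructed data)."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed feed content in the common "one indicator per line, '#' comments" style.
IP_FEED = """\
# constructed IP blocklist (example only)
203.0.113.10
203.0.113.11 # trailing comment on the same line
198.51.100.7
not-an-ip
"""

DOMAIN_FEED = """\
# constructed domain blocklist (example only)
bad-c2.example
update.evil-cdn.example
"""

# Constructed proxy-style events; the src=/dst=/host= layout is an assumption for this example.
EVENTS = """\
src=10.0.0.5 dst=203.0.113.10 host=bad-c2.example
src=10.0.0.5 dst=192.0.2.44 host=intranet.corp.example
src=10.0.0.9 dst=192.0.2.50 host=cdn.update.evil-cdn.example
src=10.0.0.12 dst=198.51.100.7 host=
"""

_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
_EVENT_RE = re.compile(r"src=(\S+) dst=(\S*) host=(\S*)")


@dataclass(frozen=True)
class ActiveLists:
    """Stand-in for the two active lists the text describes (IPs and domains)."""
    ips: frozenset
    domains: frozenset


def valid_ip(s):
    """Normalize an IP literal, or return None if the feed line is not an address."""
    try:
        return str(ipaddress.ip_address(s))
    except ValueError:
        return None


def valid_domain(s):
    """Lower-case a domain and reject anything that does not look like a hostname."""
    s = s.lower().rstrip(".")
    return s if _DOMAIN_RE.match(s) else None


def parse_feed(text, validator):
    """Collect the valid indicators in a feed, ignoring blank lines and '#' comments."""
    items = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            value = validator(line)
            if value is not None:          # skip malformed lines instead of poisoning the list
                items.add(value)
    return frozenset(items)


def build_active_lists(ip_feed, domain_feed):
    return ActiveLists(parse_feed(ip_feed, valid_ip), parse_feed(domain_feed, valid_domain))


def domain_matches(host, domains):
    """True if the host or any parent domain (not the bare TLD) is on the list."""
    parts = host.lower().rstrip(".").split(".")
    return any(".".join(parts[i:]) in domains for i in range(len(parts) - 1))


def correlate(events_text, lists):
    """Return [(src, [reasons])] for every event that touched a listed IP or domain."""
    matches = []
    for line in events_text.splitlines():
        m = _EVENT_RE.match(line.strip())
        if not m:
            continue
        src, dst, host = m.groups()
        reasons = []
        if dst in lists.ips:
            reasons.append(f"dst-ip:{dst}")
        if host and domain_matches(host, lists.domains):
            reasons.append(f"domain:{host}")
        if reasons:
            matches.append((src, reasons))
    return matches


def infected_hosts(matches):
    """Hits per internal source address: the 'infected hosts' active list for reporting."""
    return Counter(src for src, _ in matches)


def to_syslog(lists, sender="ti-scraper"):
    """Render indicators as syslog-style lines for a collector (constructed message format)."""
    lines = [f"<14>{sender} threatintel: type=ip value={ip}" for ip in sorted(lists.ips)]
    lines += [f"<14>{sender} threatintel: type=domain value={d}" for d in sorted(lists.domains)]
    return lines


if __name__ == "__main__":
    active = build_active_lists(IP_FEED, DOMAIN_FEED)
    hits = correlate(EVENTS, active)
    for src, why in hits:
        print(f"{src}: {', '.join(why)}")
    print("infected hosts:", dict(infected_hosts(hits)))
```

Two points in the example matter in practice: feed lines are validated before they enter an active list, so a malformed or stray line cannot match every event, and domain matching walks up to the parent domain so a subdomain of a listed command and control domain is still caught.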