Threat Intelligence Solution Accelerator Overview
- Pavan Raja
- Apr 9
- 2 min read
Summary:
ArcSight ESM™ Threat Intelligence Solution Accelerator is a tool that helps organizations detect malware, track infected hosts, visualize threats geographically, and automate reporting. It uses open-source threat intelligence from sources like SANS Internet Storm Center and Zeus Tracker to identify systems accessing known malicious domains and IP addresses associated with advanced persistent threats, botnets, etc. The solution includes rules for near real-time detection, dashboards for situational awareness, active lists for tracking infections, visualizations for understanding threats better, and automated reports summarizing malware incidents in an easy-to-understand format.
The main focus of these projects is to help system administrators combat cyber threats like ZeuS, SpyEye, and other malicious software by providing tools to block known command and control (C&C) servers associated with these threats. This includes creating tracking systems for monitoring and blocking the C&Cs associated with these threats, such as the ZeuS Tracker, SpyEye Tracker, AMaDa Malware Database, and Project HoneyPot which identifies spammers and their tools used to scrape personal information from websites. The gathered threat intelligence is sent through a Syslog connector to a security monitoring system (ESM), where the malware IP and domain entries are added to active lists for blocking purposes.
Details:
ArcSight ESM™ Threat Intelligence Solution Accelerator is a tool designed for organizations to detect malware infections, achieve situational awareness, track infected hosts, perform visual and geographical analysis, and automate malware reporting. It leverages open-source threat intelligence from sources like SANS Internet Storm Center and Zeus Tracker to identify systems on the network attempting to access known malicious domains and IP addresses, which are indicative of malware threats such as advanced persistent threats, botnets, etc. The solution includes correlation rules for near real-time detection, dashboards for real-time situational awareness, active lists for tracking infections, visualizations for understanding threats better, and automated reports summarizing malware incidents in an easy-to-comprehend format.
The main focus of these projects is to help system administrators combat cyber threats such as ZeuS, SpyEye, and other malicious software by providing them with tools to block known command and control (C&C) servers associated with these threats. This includes the creation of tracking systems like the ZeuS Tracker for monitoring and blocking ZeuS hosts, a SpyEye Tracker specifically for tracking and blocking SpyEye C&Cs, an AMaDa Malware Database to track malicious addresses and domains, and Project HoneyPot which identifies spammers and their tools used to scrape personal information from websites. The gathered threat intelligence is sent through a Syslog connector to a security monitoring system (ESM), where the malware IP and domain entries are added to active lists for blocking purposes.
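The ingest-and-correlate flow described above, as an added example that is not ArcSight's or any tracker's own code: a constructed feed of IP and domain indicators is loaded into in-memory "active lists", formatted as syslog lines, and then matched against constructed access-log events to produce an infected-host list. The feed format, log format, hostnames and TEST-NET addresses are all assumptions made for the example.

```python
# Added example (not ArcSight code): feed -> active lists -> syslog -> correlation.
import ipaddress
from collections import defaultdict

# Constructed feed in a simple "type,value,source" form; real trackers use their own formats.
FEED = """\
ip,203.0.113.7,ZeuS Tracker
domain,badexample.test,SpyEye Tracker
ip,198.51.100.22,AMaDa
domain,harvester.test,Project HoneyPot
"""

# Constructed access-log lines: "timestamp src_host dst"
EVENTS = """\
2024-01-01T10:00:00Z ws-17 203.0.113.7
2024-01-01T10:00:05Z ws-17 c2.badexample.test
2024-01-01T10:00:09Z srv-02 notbadexample.test
2024-01-01T10:00:12Z ws-03 198.51.100.23
2024-01-01T10:00:14Z ws-03 198.51.100.22
"""

def build_active_lists(feed):
    """Parse feed lines into two sets, mirroring the malware IP and domain active lists."""
    ips, domains = set(), set()
    for line in feed.splitlines():
        kind, value, _source = line.split(",", 2)
        if kind == "ip":
            ips.add(str(ipaddress.ip_address(value.strip())))  # validate and normalise
        elif kind == "domain":
            domains.add(value.strip().lower().rstrip("."))
    return ips, domains

def to_syslog(kind, value, source):
    """Render one indicator as a syslog line (PRI 14 = facility user, severity info)."""
    return f"<14>threatintel: type={kind} value={value} source={source}"

def domain_is_listed(host, domains):
    """Match an exact listed domain or any subdomain; the '.' prefix avoids suffix false positives."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def correlate(events, ips, domains):
    """Return {src_host: sorted matched indicators}, like an infected-host active list."""
    infected = defaultdict(set)
    for line in events.splitlines():
        _ts, src, dst = line.split()
        if dst in ips or domain_is_listed(dst, domains):
            infected[src].add(dst)
    return {h: sorted(v) for h, v in infected.items()}
```

Note that `srv-02` contacting `notbadexample.test` is not flagged: only exact matches and true subdomains of a listed domain count, which is the check a naive substring match would get wrong.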