L2-Threat Intelligence - Situational Awareness

This package builds upon the L1 Threat Intelligence package to provide detection and reporting on network traffic to suspicious entities. The main authors are Heidi Gerken, Yun Peng, Rashaad Steward of Micro Focus and George Boitano, Adai Kumarappan, Madan Kommareddy, Paul Bagnell and Myles Cooley of SEMplicity, Inc. The package is agnostic regarding threat feeds: it should process any threat intelligence as populated by the L1 package. It does not require a network model, but some of the use cases provide additional value if one exists.

Main Use Cases

Below are the main use cases for this package.

Suspicious Activity

This fundamental use case covers the detection of suspicious activity based on the information in the threat model.

User Stories

  • ESM detects traffic to a suspicious IP or URL
    • That suspicious entity is persisted. If it has already been seen, ESM updates a counter.
    • If this suspicious entity has not been seen yet, or not seen within a certain time frame, an event goes to the main console for the analyst to handle.
    • The internal asset, if it exists, is marked with a category of /Potentially Compromised. If the asset doesn't exist, it is created and marked similarly.
  • ESM detects traffic from a suspicious IP or URL
    • That suspicious entity is persisted. If it has already been seen, ESM updates a counter.
    • If this suspicious entity has not been seen yet, or not seen within a certain time frame, an event goes to the main console for the analyst to handle.
    • The internal asset, if it exists, is marked with a category of /Potentially Compromised. If the asset doesn't exist, it is created and marked similarly.
  • Anonymization
    • ESM sends an alert to the main console, for an analyst to handle, when it detects inbound traffic from an entry in the suspicious reputation data list whose indicator type is Anonymization.
  • Dangerous Browsing
    • ESM sends an alert to the main console, for an analyst to handle, when it detects outbound traffic on port 80 or 443 matching an entry in the suspicious reputation data list whose indicator type is IP Watchlist, Domain Watchlist, Malware Artifacts, File Hash Watchlist, or URL Watchlist.
  • Phishing
    • ESM sends an alert to the main console, for an analyst to handle, when it detects outbound traffic matching an entry in the suspicious reputation data list whose indicator type is Malicious E-mail.
  • Command and Control
    • ESM sends an alert to the main console, for an analyst to handle, when it detects outbound traffic on a port other than 53 matching an entry in the suspicious reputation data list whose indicator type is Command and Control (C&C).
  • DNS Queries Of Malicious Hosts
    • ESM sends an alert to the main console, for an analyst to handle, when it detects outbound traffic on port 53 matching an entry in the suspicious reputation data list.
  • Reconnaissance
    • ESM sends an alert to the main console, for an analyst to handle, when it detects inbound traffic from an entry in the suspicious reputation data list whose indicator type is Host Characteristics, IP Watchlist, or Domain Watchlist.
  • Port Scan
    • ESM sends an alert to the main console, for an analyst to handle, when it detects at least 5 inbound events matching the suspicious reputation data list with different target ports on the same target within 1 minute.
  • Host Sweep
    • ESM sends an alert to the main console, for an analyst to handle, when it detects at least 5 inbound events matching the suspicious reputation data list with the same target port on different targets within 1 minute.
  • Ransomware Detection (available from V1.1)
    • ESM generates an alert when it detects outbound traffic matching suspicious ransomware reputation data whose indicator type is C2, Distribution Site, or Payment Site.
  • Suspicious File Hash Detection (available from V1.2)
    • ESM generates alerts when it detects traffic carrying a file hash that appears in a suspicious reputation data list.
  • Alert with Campaign information
    • The priority of an L2 alert is increased by 1 if its campaign is in the care list.
    • A rule is triggered if an alert carries campaign information.
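The user stories above describe three distinct pieces of detection logic: an active list of suspicious entities with a sighting counter and a re-alert window, a per-event mapping from indicator type and direction to a use case, and two windowed correlations (Port Scan and Host Sweep). The following is an added illustration of that logic in plain Python, written for this page; it is not part of the ArcSight package or an ESM rule, and the event shape, the 1-hour quiet window, the class and function names, and the sample flow records are all my own assumptions constructed for the example.

```python
"""Added illustration, not part of the ArcSight package: the L2 user stories
modelled as plain-Python detection logic over constructed flow records.
Assumed (my) event shape: ts (epoch seconds), src, dst, dport, direction
('in' or 'out') and the indicator_type of the matching reputation entry."""
from collections import defaultdict

WATCHLISTS = {"IP Watchlist", "Domain Watchlist", "Malware Artifacts",
              "File Hash Watchlist", "URL Watchlist"}


def ev(ts, src, dst, dport, direction, indicator_type):
    """One constructed flow record that already matched reputation data."""
    return {"ts": ts, "src": src, "dst": dst, "dport": dport,
            "direction": direction, "indicator_type": indicator_type}


# Constructed sample (RFC 5737 test addresses): five ports on one host, one
# port across five hosts, then a C2 contact that recurs after a long gap.
SAMPLE_EVENTS = (
    [ev(t, "203.0.113.5", "10.0.0.7", p, "in", "IP Watchlist")
     for t, p in zip((0, 10, 20, 30, 40), (22, 80, 443, 445, 3389))]
    + [ev(50 + 2 * i, "198.51.100.9", f"10.0.0.{i + 1}", 445, "in", "IP Watchlist")
       for i in range(5)]
    + [ev(60, "10.0.0.7", "192.0.2.44", 4444, "out", "Command and Control"),
       ev(61, "10.0.0.7", "192.0.2.44", 53, "out", "Command and Control"),
       ev(3700, "10.0.0.7", "192.0.2.44", 4444, "out", "Command and Control")]
)


def classify(e):
    """Map one matched event to the use-case name it would alert under."""
    t, port, out = e["indicator_type"], e["dport"], e["direction"] == "out"
    if not out and t == "Anonymization":
        return "Anonymization"
    if out and port in (80, 443) and t in WATCHLISTS:
        return "Dangerous Browsing"
    if out and t == "Malicious E-mail":
        return "Phishing"
    if out and t == "Command and Control" and port != 53:
        return "Command and Control"
    if out and port == 53:
        return "DNS Queries Of Malicious Hosts"
    if not out and t in {"Host Characteristics", "IP Watchlist", "Domain Watchlist"}:
        return "Reconnaissance"
    return None


class SuspiciousEntityTracker:
    """The 'suspicious entity is persisted' story: count every sighting but
    alert only on first sight or after quiet_secs without any sighting."""

    def __init__(self, quiet_secs=3600):
        self.quiet_secs = quiet_secs
        self.entries = {}  # entity -> {"count": n, "last_seen": ts}

    def observe(self, entity, ts):
        entry = self.entries.get(entity)
        if entry is None:
            self.entries[entity] = {"count": 1, "last_seen": ts}
            return True
        alert = ts - entry["last_seen"] > self.quiet_secs
        entry["count"] += 1
        entry["last_seen"] = ts
        return alert


def _max_distinct(seen, window):
    """Most distinct values within any window-second span of sorted (ts, value)."""
    best = start = 0
    for end in range(len(seen)):
        while seen[end][0] - seen[start][0] > window:
            start += 1
        best = max(best, len({v for _, v in seen[start:end + 1]}))
    return best


def correlate(events, window=60, threshold=5):
    """Port Scan: >= threshold distinct target ports on one target inside window.
    Host Sweep: >= threshold distinct targets on one target port inside window."""
    by_target, by_port = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["direction"] == "in":
            by_target[e["dst"]].append((e["ts"], e["dport"]))
            by_port[e["dport"]].append((e["ts"], e["dst"]))
    return [(name, key)
            for name, buckets in (("Port Scan", by_target), ("Host Sweep", by_port))
            for key, seen in buckets.items()
            if _max_distinct(seen, window) >= threshold]


def run(events, tracker):
    """Feed events through the tracker; return (ts, entity, use_case) console alerts."""
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        entity = e["src"] if e["direction"] == "in" else e["dst"]
        if tracker.observe(entity, e["ts"]):
            alerts.append((e["ts"], entity, classify(e)))
    return alerts
```

Calling `run(SAMPLE_EVENTS, SuspiciousEntityTracker())` yields four console alerts: two Reconnaissance alerts (one per external scanner, on first sight), one Command and Control alert at t=60, and a second one at t=3700 because the C2 host had been quiet for longer than the window; the t=61 contact on port 53 only increments the counter. `correlate(SAMPLE_EVENTS)` returns a Port Scan finding for 10.0.0.7 and a Host Sweep finding for port 445, and nothing for the first four events alone, which stay below the threshold of 5.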

Internal Asset Found in Reputation Data

User Stories

  • The Internal Assets Found in Reputation Data use case helps ensure the reputation of your organization’s assets by detecting when those internal assets appear in the reputation database. The internal assets are detected when they communicate with another asset, which will trigger a rule and report the communication.

Download Instructions

Include information on how to download this package, including URL. Or, perhaps, we could include the package as an attachment in this wiki.

Installation

Prerequisites

Step 1: Install L2 ESM Threat Intelligence Package

  • Download and extract L2-Threat Intelligence - Situational Awareness.zip into your ArcSight Console's current directory.
  • Open a command prompt and navigate to ARCSIGHT_HOME
  • Execute the L2ThreatIntelligence.bat file to install. (You will be prompted to enter the manager hostname, username, and password. The password is displayed in clear text, so be aware of your surroundings when entering it.)
  • After install, your packages in ArcSight ESM will look like the screenshot.

Configure Indicator Types for Each Use Case and Active Lists

In general, you must configure an indicator type for each use case, in order for rules to trigger properly.

Example:
  • The Dangerous Browsing indicator type can be Domain Watchlist, IP Watchlist, File Hash Watchlist,...
  • The Phishing indicator type can be Malicious E-mail,...

Extensibility

No suggestions at this time.

Resources

The link below contains a table of all resources included in this package:
Topic attachments
  • Suspicious_Entity.csv (8.6 K, 26 May 2018 - 00:22, YunPeng)
  • ThreatIntelligence_replay.events (5.5 K, 26 May 2018 - 00:16, YunPeng): Threat Intelligence replay with campaign
Topic revision: r20 - 09 Jan 2019, BeirneKonarski