
We are pleased to announce the release of our July Content pack for RSA Live! This release continues last month’s focus on providing “at-a-glance” situational awareness. It also expands our ability to detect both sensitive data leaving the network and potentially dangerous executable payloads.

New reporting capabilities focus on enabling our customers to detect suspicious mail traffic patterns commonly associated with phishing attempts. Lastly, we have released a new parser designed to identify common HTML-based threat indicators.

The above is a subset of the threat detection content we are quietly building behind the scenes to accompany our upcoming 10.4 release of Security Analytics, and it helps set the stage for providing the most advanced threat detection capability on the market today.

Detection of Data Exfiltration

  • New application rules for detecting sensitive data leaving the network via unknown protocols as well as common protocols not normally associated with file transfers.

Expanded Reporting

  • Introduction of the Phishing Profile report. This report summarizes data relevant to identifying phishing attempts in the customer environment. In particular it summarizes HREF header mismatches, mail traffic from top countries by frequency, top email subjects, top email addresses by frequency, and top file extensions of attachments by frequency.
  • Enhancing situational awareness are two new reports:
    • Top Communicants Report: allows the customer to immediately see the top talkers on their network by country, domain, inbound protocol and outbound protocol.
    • Executables Report: presents instances of all executables detected on the wire. This report is broken into four sections: Executables by Domain, Executables by Country, Abnormal Executables - Suspicious, and Abnormal Executables - Warning.

Enhanced Threat Detection

  • A new Lua parser called “HTML_threat”. This parser is designed to detect common HTML threat indicators like hidden frames and embedded objects within a web page.

Additional Log Support

  • We’ve created support for two new log sources as well as provided updates to 30 of our existing log sources.

I previously wrote about Kargen here. Its main characteristics are a set beacon filename length put to a /b/req/ or /b//opt/ directory on a compromised webserver.

 

I previously wrote about Chameleon encoding here, whose primary characteristics were domains that were actually hexadecimal color codes, registered, I think, to frustrate researchers looking to search the internet for these domain names involved in an incident. Instead of information about the incident, results from web searches only include any embedded matching hex color code in thousands of web pages crawled by the search engines.

 

In the sample below, we can see similar Kargen activity, coupled with beaconing to a Chameleon encoded domain. The Kargen beacon's string lengths have changed a bit, and the Chameleon Encoding put commands are now URL-encoded beacons rather than search engine strings. Here is a screenshot of that beacon.


This PCAP, attached below, is available for everyone to evaluate for new rules to detect this threat. It came from MalwareTrafficAnalysis here, dated 6/29. The infection is a result of the Magnitude Exploit Kit, but the post-infection network traffic should be familiar as Kargen. This threat is new, but it builds on older techniques and methods of botnet masters that we have previously discussed in this space. As always, the domains here will be added to the Live C2 domains list.

 

Please discuss among yourselves how best to detect this new combined variant.
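As an added example (not from the original post and not RSA content), the following Python sketch applies the two indicators described above to a constructed set of HTTP request records: a constant beacon filename length under /b/req/ or /b//opt/ for the Kargen side, and a domain whose registrable label is a six-digit hex color code for the Chameleon side. The hostnames, paths and the minimum-hit threshold are assumptions made for illustration, not values from the PCAP.

```python
import re
from collections import defaultdict

# Constructed sample of (method, host, path) records; filenames, hosts and
# lengths are invented for illustration and are not taken from the PCAP.
SAMPLE_REQUESTS = [
    ("PUT", "update.example-cdn.test", "/b/req/a1b2c3d4e5f6a7b8.bin"),
    ("PUT", "update.example-cdn.test", "/b/req/0f1e2d3c4b5a6978.bin"),
    ("PUT", "update.example-cdn.test", "/b//opt/9a8b7c6d5e4f3a2b.bin"),
    ("GET", "ff8800.test", "/?q=cmd%3Dsleep%26t%3D600"),
    ("GET", "00aaff.test", "/?q=cmd%3Dupdate"),
    ("GET", "www.example.test", "/b/req/readme.txt"),
    ("GET", "www.example.test", "/index.html"),
]

KARGEN_DIRS = ("/b/req/", "/b//opt/")
# Six hex digits as the registrable label, i.e. an HTML color code such as ff8800.
HEX_COLOR_LABEL = re.compile(r"^[0-9a-f]{6}$")


def kargen_hosts(requests, min_hits=2):
    """Hosts whose requests under the Kargen directories all share one
    filename length (the "set beacon filename length" indicator).
    min_hits is an assumed threshold to avoid flagging a single request."""
    lengths = defaultdict(set)
    counts = defaultdict(int)
    for _method, host, path in requests:
        if not path.startswith(KARGEN_DIRS):
            continue
        filename = path.rsplit("/", 1)[-1]
        lengths[host].add(len(filename))
        counts[host] += 1
    return sorted(h for h in counts if counts[h] >= min_hits and len(lengths[h]) == 1)


def chameleon_hosts(requests):
    """Hosts whose second-level label is a hex color code (Chameleon encoding)."""
    hits = set()
    for _method, host, _path in requests:
        labels = host.lower().split(".")
        if len(labels) >= 2 and HEX_COLOR_LABEL.match(labels[-2]):
            hits.add(host)
    return sorted(hits)


if __name__ == "__main__":
    print("Kargen-style beacon hosts:", kargen_hosts(SAMPLE_REQUESTS))
    print("Chameleon-encoded hosts:", chameleon_hosts(SAMPLE_REQUESTS))
```

Both checks are meant as hunting starting points against extracted HTTP metadata; a constant filename length alone will also match benign fixed-format CDN paths, so the directory prefix and a hit count are used together to keep the noise down.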

 

Good Luck and Happy Hunting!
