Business Use Cases

Category | Sub Category | Use Case | Log Source | RSA Supported
Access/Authentication | Identity Management | Monitor for use of disabled usernames | Active Directory, Databases, Applications, Web Proxy, HR data | Integrating Windows AD and monitoring event IDs for user login attempts, correlated with the user's status in AD
| Password Guessing | Possible successful brute force attack detected | All event sources | OOB
| | Possible successful brute force attack detected on critical devices/servers | Critical devices and servers | Criticality context to be incorporated using feed integration from SecOps EM
| Enterprise Services Access Management | Increase in failed domain admin account logins detected | All event sources | User activity trend dashboard monitoring for user login activity
| Perimeter & Network Security | Increase in failed remote login attempts detected | Windows, Unix, Firewalls, IDS & IPS, Access controls & VPN | User activity trend dashboard monitoring for user login activity
| Enterprise Services Access Management | Unusual number of failed/successful vendor/default user login attempts | All Network, Host, Server & Security devices | User activity trend dashboard monitoring/alerting for privileged user login activity
| Perimeter & Network Security | Password change on a known privileged account detected | All Windows, Unix, VPN, Database, Firewall & FIM | Privileged account monitoring alert/dashboard/chart
Audit Trail | System Health | Tampering of system audit logs detected | All event sources | Integration of SA audit logs with the decoder for monitoring user audit activity
Policy Violation | Physical Security | Employee absenteeism – badge sharing detection | Physical access logs & AD logs | Integration of HID access card DB and AD last-login details with feeds from the leave management system to monitor employee movements and access requests
| | Attendance policy violation | VPN, My Time application & physical access logs | Time from the access control time tracker matched with HID access in-time and out-time for employee work-hours policy monitoring
| Enterprise Services Access Management | Password sharing – policy access violation | All event sources | Same user login from different machines or locations within a specific time, or any such attempt made more than once
| Enterprise Windows Account Management | Unauthorized use of service account | Windows OS | Service account monitoring
| | RDP attempts from local admin account | Windows OS | Monitoring remote desktop port usage and identifying any such attempts, with a dashboard or report for such admin activities
| Network Security | Server access from unauthorized IP address | Firewall logs |
| | Internet access by unauthorized server | Internet firewall, proxy | List of such users to be provided for web activity monitoring
| | Policy violation - Internet access from authorized server | Internet firewall, proxy | Proxy policy violation reports per user
| | Reverse proxy bypass - application accessed externally | Internet firewalls | Any access request to web servers or applications not published to the external internet
| | Insecure application access - non-HTTPS | Firewall logs | Non-standard port used by a known service, e.g. FTP over the HTTP port
Operational / Functional | System Health | Device stopped sending logs | Proposed solution logs | Health and wellness built into the system
| | Log source stopped sending logs after reboot | All event sources | Health and wellness built into the system
| | Disk array capacity approaching threshold | Proposed solution logs | Health and wellness built into the system
| | Possible system instability state detected | All event sources | Health and wellness built into the system
| | System shutdown | Proposed solution logs | Health and wellness built into the system
| | Backup and recovery: failed | Proposed solution logs | Health and wellness built into the system
| | Backup and recovery: cancelled | Proposed solution logs | Health and wellness built into the system
| Perimeter & Network Security | Network performance degradation detected | All routers, switches & firewalls | Using NetFlow, session monitoring can detect any deviation in usage
| System Metrics | Windows service state change | Windows OS | Monitoring Windows event logs
| | Successful or failed installation/update of any package | Proposed solution logs | Enable Windows audit logging with file and folder audits in addition to the Application, Security and System logs
| | EPS warning – EPS approaching limit | Proposed solution logs | On-screen nag screens and notifications can be configured for such monitoring
| | Log source added/deleted | Proposed solution logs | Built-in system to notify on any new integration
| | User added to “remote user group” AD group | Active Directory | AD user activity log monitoring
| | User added to “domain administrator” & “local administrator” group | Active Directory | AD user activity log monitoring
| | New Windows service installation | Windows OS | Windows system and application security logs
| | User added to VPN administrative group | Active Directory | VPN service and activity log monitoring
Integrity | Integrity Monitoring | Changes to databases holding customer data by unauthorized users | Database system logs | DB fine-grained auditing
| Perimeter & Network Security | Configuration change on network & security device intercepted | IDS, IPS, Firewall & VPN | Configuration changes on the listed assets to be monitored for any deviation
| | Host checker configuration changed on VPN device | VPN device logs | Monitor any change to the VPN device host checker service on clients through Windows application logs or host checker logs
Privilege Access | Enterprise Services Access Management | Elevation of account privilege followed by restoration of the previous state within 24 hrs | All event sources | Privileged user monitoring
| | Revocation of user privileges detected | All Windows, Unix, Firewall, IDS & network configuration management solution | Changes in privileged access
Usage Activity | Data Transfer | Large file transfers to 3rd-party sites | All firewalls & web proxy | Using NetFlow and log correlation, the session size of FTP uploads or similar transfers on other protocols to be monitored
| Perimeter & Network Security | Monitoring over ports not permitted by policy on Internet-facing firewalls; non-compliant traffic activity | All Internet-facing firewalls | Using a watchlist of such ports, the traffic of such users can be monitored and reported or alerted on
| | Use of clear-text confidential information detected | IDS, IPS, web logs, mail server logs, database, Unix & Windows | Using network sessions, clear-text confidential information can be detected
| | Excessive inbound denied connections | Firewall logs | Trend report on sessions and flows including firewall logs to identify what content and data is transmitted in sessions
| | Increase in file transfer activity using instant messaging detected | All IDS, IPS, routers & firewalls | Monitor IM traffic for any kind of file-sharing activity
| | Active SYN flood attack detected by network & security devices | This rule works with all IDS, IPS and firewalls | OOB
| | Possible ARP poisoning or spoofing activity detected | All IDS, IPS, firewalls, switches & Unix | OOB
| | Remote data harvesting | VPN device logs | VPN user activity monitoring
| | High volume of TCP resets | All firewalls | OOB and customizable
Threat Intelligence | Perimeter & Network Security | Communication between internal hosts and known malware distribution site | All IDS, IPS, firewalls, web proxy & threat intelligence feed | OOB. Monitoring using threat intelligence feeds
| | A connection from a server to a known spam-sending host | All IDS, IPS, firewalls & threat intelligence feed | OOB. Monitoring using threat intelligence feeds
Malicious Activity Monitoring | Perimeter & Network Security | Increase in peer-to-peer traffic detected | IDS, IPS, Firewall & VPN | Monitor peer-to-peer protocols, networks and hosts
| Network Security | Unintended download of computer software from the internet | Web proxy solution | Using packets, any download can be monitored and reported for such anomalies
| | Successful backdoor attack | All IDS, IPS, firewalls & antivirus | Based on analysis fused with threat intelligence feeds, backdoor activity can be tracked; such patterns can also be customized
| | Worm propagation in the internal network | All IDS, IPS & firewalls | Similar worm alerts triggered over LAN/WAN can be monitored as lateral movement using NetFlow
| | SQL injection attack detection | Web server logs | OOB pattern available
| | Attack exploiting Microsoft Directory Service vulnerability detected | All IDS/IPS | MDS monitoring, with IPS signature trigger correlated with the vulnerability CVE ID
| | Streaming media detected | All firewalls, web proxy & IDS/IPS | Using packets and NetFlow, such downloading activity can be monitored
| | Possible intruder trying to gain unauthorized access to network | All IDS, IPS, firewalls, VPN & threat intelligence feed | Using threat feeds, any communication to known malware or spam hosts, including blacklisted IPs, can be detected
| | Successful connections after denied attempts from same external source | All firewalls & IDS/IPS | OOB, can be customized
| | Aggressive database scan | All firewalls | OOB monitoring on DB ports
| | Virus deletion failed on system | Antivirus system | Monitoring antivirus client-side scan actions
| | System getting infected by the same virus | Antivirus system | Report on virus actions and alerts using the lookup-and-add function against unique virus name and hostname/IP
| | High number of denial of service (DoS) attacks detected | All IDS, IPS & firewalls | OOB
| | Vulnerability correlation alerts | Vulnerability data, IPS/IDS | IPS alarms to be correlated with vulnerability scan results to achieve vulnerability-based correlation
| | Malicious activity - VPN access | Active Directory | Any activity/action notified by the system evaluated against threat feeds on the VPN system
| | Malicious activity - deviation of network resource utilization | Network monitoring tool | Trend report on bandwidth utilization over a period of time or against a threshold
Processes/Services | Active Directory | Active Directory schema change | Windows Security event logs | AD change logs
| | Active Directory policy modified | Windows Security event logs | GPO policy change notifications
| Microsoft Exchange | Increase in the number of non-delivery report messages collected from Microsoft Exchange | Windows event logs | Monitor the mail notifications and report on NDR status for each source and recipient mailbox
| System Health | Patch & update failures | Patch management server | Use patch management server logs to see patch status and any action based on patch deployment jobs
Attack Life Cycle based Use Cases

Category | Sub Category | Use Case | Log Source | RSA Supported
Initial Recon | Port scan from outside | Horizontal port scan | Internet-facing firewalls | OOB
| | Horizontal port scan on well-known vulnerable ports | Internet-facing firewalls | OOB
| | Horizontal port scan on critical assets (PDMZ) | Internet-facing firewalls | OOB
| | Horizontal port scan on existing vulnerable ports on critical assets (PDMZ) | Internet-facing firewalls, vulnerability management reports | OOB
| | Vertical port scan | Internet-facing firewalls | OOB
| | Vertical port scan on well-known vulnerable ports | Internet-facing firewalls | OOB
| | Vertical port scan on critical assets (PDMZ) | Internet-facing firewalls | OOB
| | Vertical port scan on existing vulnerable ports on critical assets (PDMZ) | Internet-facing firewalls | OOB
| | IDS/IPS port scan on well-known vulnerable ports | Internet IPS/IDS | OOB
| | IDS/IPS port scan on critical assets (PDMZ) | Internet IPS/IDS | OOB
| Vulnerability scan from outside | Vulnerability scan | Internet - firewalls and IDS/IPS | OOB
| | Vulnerability scan on critical assets | Internet - firewalls and IDS/IPS, server HIDS/HIPS | Using criticality context to identify port scans on vulnerable ports
| Communication traffic from an unusual geo-location source | Communication traffic observed from an unusual geo-location source | Internet - firewalls and IPS/IDS, VPN devices | Data from FW, IPS & IDS with GeoIP enrichment can identify any communication to or from unusual geos
| Communication traffic known to be from bad or blacklisted source host addresses | Communication traffic observed from bad or blacklisted source host addresses | Firewalls, IPS/IDS, VPN | Data from FW, IPS & IDS with threat intelligence can identify any communication to or from unusual geos
| Slow scans | Slow horizontal scan | Internet - firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic
| | Slow vertical scan | Internet - firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic
| | Slow box scan (combination of horizontal and vertical scan) | Internet - firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic
Initial Compromise | Spear phishing | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content
| Weaponized document | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content
| Watering hole attack | Malware downloaded | Proxy | Using packet capture to analyse the downloaded file for malicious content
| System exploit | C&C communication attempts | Proxy/firewall threat feed | Using threat intelligence, identify known CnC communication attempts
Establish Foothold | Install backdoor malware | Malware has been installed | AV | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
| Create command and control infrastructure | C&C communication denied by firewall/proxy | Firewalls/proxy - threat feed | Using threat intelligence, identify known CnC communication attempts
| | Successful C&C communication | Firewalls/proxy - threat feed | Using threat intelligence, identify known CnC communication attempts
| Install keyloggers | Unauthorized software installed - key loggers | AV | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
| Dump password hashes | Privilege escalation alerts | Windows OS | Any privilege escalation monitored for changes
| | Unauthorized software installed - password hash dumping tool | AV / EDR | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
| Rootkits | Successful privilege escalation alerts | Windows OS | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
| | Rootkits installed | AV | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
Escalate Privileges | Retrieve password hashes | Password hash transport detected | NIDS/NIPS (signature to capture NTLM password hash in clear text) | Using a parser for content analysis, packet capture can detect the clear-text transport of hashes or other data
| Traffic sniffing | Network adapter going into promiscuous mode (whitelist for apps like Symantec HIDS) | Windows/Unix OS | OOB
| Keylogging | Unauthorized software installed - key loggers | AV | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
Internal Recon | Gather system information, network information, hardware info | Inside - horizontal port scan | Firewalls, IPS/IDS | OOB
| | Inside - horizontal port scan on well-known vulnerable ports | | OOB
| | Inside - horizontal port scan on critical assets (PDMZ) | | OOB
| | Inside - horizontal port scan on existing vulnerable ports on critical assets (PDMZ) | | OOB
| | Inside - vertical port scan | | OOB
| | Inside - vertical port scan on well-known vulnerable ports | | OOB
| | Inside - vertical port scan on critical assets | | OOB
| | Inside - vertical port scan on existing vulnerable ports on critical assets | | OOB
| | Inside - HIDS/HIPS port scan on well-known vulnerable ports | | OOB
| | Inside - HIDS/HIPS port scan on critical assets | | OOB
| | Inside - vulnerability scan | | OOB
| | Inside - vulnerability scan on critical assets | | OOB
| | Inside - ARP broadcast detected | | Using NetFlow or packet capture
| Look at files and documents, explore file shares | Workstation-to-workstation communication | Windows OS, SEPM | Internal communication monitoring user-to-user VLAN
| | User behavior anomaly detected | | See the solution description below

The solution proposed is based around the RSA Security Analytics platform. This can collect logs as well as network packet data to give much greater visibility into the risk that the organization may be exposed to. By combining the log data collected from the devices within the infrastructure with anomalies identified within the network traffic, and with 3rd-party feeds from industry-authoritative sources, it is possible to identify whether your organization is under attack, exposed to new and emerging threats, or has already been compromised. This can be implemented in a phased approach, initially focusing on log data and eventually moving towards a more pervasive view with the implementation of packet capture.
At the log collection level RSA can use techniques such as baselining of events across devices as well as advanced correlation, so that an organization can be alerted to an event that falls outside of normal day-to-day activity. This can help provide insight into anomalies and areas of concern that the security analyst may need to be aware of. These can be as simple as multiple failed logins across a number of different devices, or as complicated as unusual activity seen in web logs from a certain username combined with escalation of privileges by that user and then failed and successful logins to resources holding sensitive data, which may in some circumstances indicate a breach of the network.

In terms of packet data there are a number of techniques and applications available to help an organization get deep visibility into the health of the network.

Metadata is assigned to the packets that are collected to make the data much easier to search through as well as much more human-readable. The data that is collected can also be referenced against live feeds from various authoritative sources to further enrich your data and provide intelligence around the latest threats as well as blacklisted IPs, known bad websites etc. This enables automated alerting and reporting against the threats that the organization is exposed to. These alerts and reports are presented on a dashboard and can be customized to provide intelligence relevant to the organization.

Another component of the solution is the malware analysis tool, which evaluates the threat posed by any executable seen within the organization. This is done using a variety of techniques such as static file analysis, sandboxing, next-generation analysis and referencing the file against community information, as well as allowing the organization to see whether their antivirus, or in fact any antivirus vendor, would have flagged it as malicious. This tool is especially useful when looking for zero-day malware that signatures alone would not have spotted.

Move Laterally | Use of psexec, scheduled tasks (at command), WMI | Capture scheduled tasks with task name “At<number>” (event IDs 602, 4698) | Windows OS | Achieved using event IDs from Windows system event logs
| | psexec: monitor event log service install (event ID 4697) with service name psexesvc | Windows OS | Achieved using event IDs from Windows system event logs
| Use of valid credentials over SMB or RDP | Anomaly detection using event logs | User behavior analysis | Internal communication monitoring for user behaviour changes such as frequent multiple login failures followed by successful logins
| | Desktop-to-desktop communication observed | SEPM/HIDS (personal firewall) | Internal communication monitoring for user behaviour changes such as frequent multiple login failures followed by successful logins
Maintain Presence | Backdoor malware | Malware has been installed | Application whitelisting, AV, anti-malware solution | Package installation can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT; without it the installed software cannot be confirmed malicious unless threat feeds already have the data
| VPN access | Detailed analysis of host check failure alerts | VPN device | Trend report on host checker status of VPN clients
| | Anomaly detection for VPN users (user profiling) | User behavior analysis | Baselining of VPN users' access requests to monitor any behavioural change or deviation
| | Executable detected in HTTP/HTTPS traffic | NIDS/NIPS | Using packet capture, files detected as a non-standard service over a standard protocol
| Password-encoded zip or RAR files | Password-encoded outbound file transfer detected | NIDS, proxy, DLP | Using packet capture, identify zip and RAR files
| FTP | Detected file transfer over FTP (whitelist for FTP-allowed IPs) | Firewalls | Whitelisting of key listed FTP sites
| SMB | Connection established over SMB ports (139, 445) towards known bad IP | Firewalls - threat feed | Using threat intelligence and SMB ports to identify threats and SMB traffic within the internal network
Investigation Bootcamp

Posted by Kevin Clerks (Employee), Oct 21, 2016

Hi Folks,

I recently recorded a few brief videos explaining the Investigation module of NetWitness. They’re broken into 3 sections that cover the Navigate View, Event View, and Profiles.

Much like this blog post, I tried to keep them as short as possible for convenience. If you’re seeking a more concise and thorough training experience, I would recommend RSA University - RSA NetWitness Logs and Packets: Hunting. However, if you’re interested in a more targeted explanation, please take a look at the following:

1. Navigate View

  • Searching and querying using meta keys available as well as the Query box
  • Meta formatting and behavior


2. Investigation Profiles

  • HTTP Meta Group Demo
  • Creation of Meta Group, Column Group, then using both in a profile
  • Prequeries

3. Events View

  • Pivoting to/from Navigate View
  • Different views of event listing
  • Best Reconstruction and the other types of session rendering
  • Discovery of malicious executable


As always, Happy Hunting

The CEF helper script attempts to fill the gap of CEF extensions that the system parser does not currently parse. For a complete list of what we do parse, please refer to Supported CEF Meta Keys - RSA Security Analytics Documentation.


This CEF helper template was written to be highly configurable and to adhere to revision 16 of the Common Event Format (CEF) standards document. Its aim is to parse metadata into any meta key in RSA NetWitness from any security appliance with the least amount of programming.

This is performed by several routines within the code that associate “csX” and “cnX” within a CEF extension with their corresponding “csXLabel” and “cnXLabel”. If no label exists, the key name falls back to “csX” or “cnX” (where X is a numeric value). For example, a CEF message containing “cs3=name cs3Label=Ian” will set the key name to “name” and the value to “Ian”, whereas a CEF message containing “cs3=Ian” will set the key name to “cs3” and the value to “Ian”. Using the script's configuration, you can translate cs3 to any meta key name you want (e.g. username). This is configured in the t_keys_to_use variable; more information on that below.


CEF messages can also contain line breaks (escaped as \n). If one is found, the helper parses each line into a separate meta value of the same key name. For example, a CEF message containing “cs2=user.names cs2Label=iredden\nepartington” will result in 2 meta values (user.names) containing “iredden” and “epartington”.


The template can be downloaded at the bottom of this article. It is configured for a FireEye HX appliance but can easily be modified for anything else.

Configuration

The main configuration of the script is in two variables: t_keys_to_use and b_debug.

t_keys_to_use – a Lua key/value table listing which CEF keys to parse and the meta key each one is written to.

b_debug – set to true by default, which means no meta is created; instead, debugging output is written to the logs. The examples below set it to false.


You also need to configure the cefhelper:setKeys() section of the script.  It needs to contain all the same keys from the t_keys_to_use table.  For example:

cefhelper:setKeys({
   nwlanguagekey.create("vx.threatscore"),
   nwlanguagekey.create("vx.detection"),
   nwlanguagekey.create("virusname"),
   ...
   nwlanguagekey.create("alias.host"),
   nwlanguagekey.create("vx.filedesc")
})



You can access logs on a Log Decoder via the REST API:

http://de.co.der.ip:50102/logs?msg=pull&force-content-type=text/plain&expiry=600&count=50


Example - Accellion File Transfer (FTA)

The CEF system parser from RSA Live parses numerous CEF extension keys. However, a few of the keys needed to parse CEF logs from Accellion FTA require the helper:

CEF Extension | Description | System Parser | NetWitness Key Name
msg | Message | Yes | msg
src | Source | Yes | src
deviceFacility | Device Facility | Yes | deviceFacility
fname | File Name | No | filename
fsize | File Size | No | n/a
location | Location | No | directory
type | Transfer Type | No | action
seconds | Transfer Time - # Seconds | No | n/a
suser | Source User | Yes | username

Helper Configuration:

local t_keys_to_use = {
        ["fname"] = "filename",
        ["location"] = "directory",
        ["type"] = "action"
}

cefhelper:setKeys({
   nwlanguagekey.create("filename"),
   nwlanguagekey.create("directory"),
   nwlanguagekey.create("action")
})

local b_debug = false


Example CEF Message:

CEF:0|Accellion|FTA|FTA_9_12_80|203|Download|1|msg=(172.16.20.45) test.txt downloaded by ian.redden@rsa.local (23 bytes, 3.5 sec) (Type: ssl_download, Location: ) src=172.16.20.45 deviceFacility=local5 fname=test.txt fsize=23 cs2Label=location cs2= cs1Label=type cs1=ssl_download cn1Label=seconds cn1=3.5 suser=ian.redden@rsa.local
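As an added example (not part of the CEF helper script or of this post), the following Python code re-implements the behaviour described above so it can be tried offline: a CEF header and extension parser, the association of csX/cnX with csXLabel/cnXLabel, a t_keys_to_use style translation into NetWitness meta keys, and the splitting of \n-separated values into several meta values. It is run against the Accellion message above with that example's helper configuration, and against a constructed, shortened VxStream-style message whose hash, hosts and domains are placeholders rather than real indicators. The csX/cnX scope follows the description in this post; the function names and the syslog-prefix handling are my own.

```python
import re
from typing import Dict, List

# CEF header layout: CEF:Version|Vendor|Product|Version|Signature ID|Name|Severity|Extension
HEADER_FIELDS = ("cef_version", "vendor", "product", "version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters directly followed by '=' and preceded
# by whitespace (or the start of the extension). An escaped '\=' never matches
# because the backslash is not a word character.
EXT_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
CUSTOM_RE = re.compile(r"^(cs|cn)\d+$")  # csX / cnX, named by csXLabel / cnXLabel


def split_values(raw: str) -> List[str]:
    """Split a raw value on the CEF escape '\\n' and undo the other escapes
    (\\=, \\|, \\\\) in one pass, so an escaped backslash followed by 'n' is
    not mistaken for a line break. Empty pieces are dropped."""
    pieces, cur, i = [], [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 1 < len(raw):
            if raw[i + 1] == "n":
                pieces.append("".join(cur))
                cur = []
            else:
                cur.append(raw[i + 1])
            i += 2
        else:
            cur.append(raw[i])
            i += 1
    pieces.append("".join(cur))
    return [p.strip() for p in pieces if p.strip()]


def parse_cef(line: str):
    """Split a (possibly syslog-prefixed) CEF line into header fields and raw
    extension key/value pairs. Values keep their CEF escaping."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found")
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["cef_version"] = header["cef_version"].split(":", 1)[1]
    ext_text, keys, ext = parts[7], list(EXT_KEY_RE.finditer(parts[7])), {}
    for idx, m in enumerate(keys):  # a value runs up to the next key
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = ext_text[m.end():end].strip()
    return header, ext


def resolve_custom_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Pair csX/cnX with csXLabel/cnXLabel as the helper does: the label text
    becomes the key name; without a label the raw csX/cnX name is kept."""
    resolved: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label") and CUSTOM_RE.match(key[:-5]):
            continue  # consumed by its csX/cnX partner
        if CUSTOM_RE.match(key):
            resolved[ext.get(key + "Label", "").strip() or key] = value
        else:
            resolved[key] = value
    return resolved


def to_meta(ext: Dict[str, str], keys_to_use: Dict[str, str]) -> Dict[str, List[str]]:
    """t_keys_to_use style translation: only listed keys are kept, each is renamed
    to its meta key, and '\\n'-separated values become several values of that key
    (several CEF keys may feed one meta key, as alias.host does in this post)."""
    meta: Dict[str, List[str]] = {}
    for name, raw in resolve_custom_labels(ext).items():
        target = keys_to_use.get(name)
        values = split_values(raw) if target else []
        if values:  # an empty value (e.g. 'cs2=') creates no meta at all
            meta.setdefault(target, []).extend(values)
    return meta


def process(line: str, keys_to_use: Dict[str, str]):
    header, ext = parse_cef(line)
    return header, to_meta(ext, keys_to_use)


# The Accellion FTA message and helper configuration shown in this post.
ACCELLION_KEYS = {"fname": "filename", "location": "directory", "type": "action"}
ACCELLION_SAMPLE = (
    "CEF:0|Accellion|FTA|FTA_9_12_80|203|Download|1|msg=(172.16.20.45) test.txt "
    "downloaded by ian.redden@rsa.local (23 bytes, 3.5 sec) (Type: ssl_download, "
    "Location: ) src=172.16.20.45 deviceFacility=local5 fname=test.txt fsize=23 "
    "cs2Label=location cs2= cs1Label=type cs1=ssl_download cn1Label=seconds "
    "cn1=3.5 suser=ian.redden@rsa.local")
# Constructed, shortened VxStream-style message (placeholder hash, hosts and
# domains, not a real analysis result) with multi-line values and an escaped '='.
VXSTREAM_KEYS = {"Threat Score": "vx.threatscore", "Malware Family": "virusname",
                 "fileHash": "vx.filehash", "Contacted Domains": "alias.host",
                 "Contacted Hosts": "alias.host"}
VXSTREAM_SAMPLE = (
    r"Mar 29 15:42:59 192.0.2.10 CEF:0|Payload Security|VxStream|6.20|Sample "
    r"Analysis Result - Malicious|Sample Analysis Result - Malicious|100|"
    r"cn1=100 cn1Label=Threat Score cs1=Trojan.Generic cs1Label=Malware Family "
    r"fileHash=" + "0" * 64 +
    r" cs4=one.example \ntwo.example cs4Label=Contacted Domains "
    r"cs5=10.0.0.1:53 \n10.0.0.2:80 cs5Label=Contacted Hosts "
    r"request=https://example.invalid/?environmentId\=100")

if __name__ == "__main__":
    for sample, keys in ((ACCELLION_SAMPLE, ACCELLION_KEYS), (VXSTREAM_SAMPLE, VXSTREAM_KEYS)):
        header, meta = process(sample, keys)
        print(header["vendor"], header["product"], header["name"], meta)
```

Keys missing from the mapping are dropped, matching the rule that only the keys in t_keys_to_use are parsed, and the two "Contacted" keys accumulate into a single alias.host value list. Note that the empty cs2 (location) in the Accellion message yields no meta value at all, which is the first thing to check in b_debug output when an expected field seems to be missing.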


Example - Payload Security's VxStream

The CEF system parser from RSA Live parses numerous CEF extension keys. However, a few of the keys needed to parse CEF logs from Payload Security's VxStream require the helper:

CEF Extension | Description | System Parser | NetWitness Key Name
Threat Score | Threat Score | No | vx.threatscore
AV Detection Rate | Detection Rate | No | vx.detection
Malware Family | Malware Family Name | No | virusname
fileHash | File Hash Value | No | vx.filehash
fname | File Name | No | vx.fname
fsize | File Size | No | vx.fsize
fileType | File Type | No | vx.filetype
flexString1 | Comments | No | vx.comments
Client | Client | No | vx.client
Indicators | Source User | No | vx.indicators
Contacted Domains | Contacted Domains | No | alias.host
Contacted Hosts | Contacted Hosts | No | alias.host
Compromised Hosts | Compromised Hosts | No | alias.host
File Description | File Description | No | vx.filedesc

Helper Configuration:

local t_keys_to_use = {
   ["Threat Score"] = "vx.threatscore",
   ["AV Detection Rate"] = "vx.detection",
   ["Malware Family"] = "virusname",
   ["fileHash"] = "vx.filehash",
   ["fname"] = "vx.fname",
   ["fsize"] = "vx.fsize",
   ["fileType"] = "vx.filetype",
   ["flexString1"] = "vx.comments",
   ["Client"] = "vx.client",
   ["Indicators"] = "vx.indicators",
   ["Contacted Domains"] = "alias.host",
   ["Contacted Hosts"] = "alias.host",
   ["Compromised Hosts"] = "alias.host",
   ["File Description"] = "vx.filedesc"
}

cefhelper:setKeys({
   nwlanguagekey.create("vx.threatscore"),
   nwlanguagekey.create("vx.detection"),
   nwlanguagekey.create("virusname"),
   nwlanguagekey.create("vx.filehash"),
   nwlanguagekey.create("vx.fname"),
   nwlanguagekey.create("vx.fsize"),
   nwlanguagekey.create("vx.filetype"),
   nwlanguagekey.create("vx.comments"),
   nwlanguagekey.create("vx.client"),
   nwlanguagekey.create("vx.indicators"),
   nwlanguagekey.create("alias.host"),
   nwlanguagekey.create("vx.filedesc")
})

local b_debug = false


Example CEF Message:

Mar 29 15:42:59 192.168.1.100 CEF:0|Payload Security|VxStream|6.20|Sample Analysis Result - Malicious|Sample Analysis Result - Malicious|100|end=03/29/2017 21:28:55 cn1=100 cn1Label=Threat Score cn2=88 cn2Label=AV Detection Rate cs1=Trojan.Generic cs1Label=Malware Family cs2=100 cs2Label=EnvironmentID cs3=Windows 7 32 bit cs3Label=Environment Description fileHash=8271d841b9971f04d6a48804d06ecd7185d71ed8546988b1697fbe01741a8572 fname=8271d841b9971f04d6a48804d06ecd7185d71ed8546988b1697fbe01741a8572 fsize=357888 fileType=exe request=https://www.hybrid-analysis.com/sample/8271d841b9971f04d6a48804d06ecd7185d71ed8546988b1697fbe01741a8572/?environmentId\=100 msg=Malicious flexString1= flexString1Label=Uploader Comment cs4=zpr5huq4bgmutfnf.tor2web.org \nzpr5huq4bgmutfnf.onion.to \ncrl2.alphassl.com \nipinfo.io \nkosdfnure75.op1gifsd05mllk.com \ngfdkotriam.fo4j4wnq51hepa.com cs4Label=Contacted Domains cs5=84.200.69.80:53 \n34.196.176.140:80 \n185.100.85.150:443 \n192.36.27.5:443 cs5Label=Contacted Hosts cs6=84.200.69.80 \n185.100.85.150 \n192.36.27.5 cs6Label=Compromised Hosts cs8=2812134 \n2015576 \n2812134 \n2020116 \n2020716 \n2016810 \n2016810 cs8Label=ET Alerts cs9=api-12:1:4 \napi-75:1:10 \nsuricata-2:2:10 \nnetwork-21:2:10 \napi-10:1:6 \ntarget-4:2:10 \nnetwork-0:0:1 \nnetwork-2:0:5 \ntarget-25:0:3 \nnetwork-22:1:10 \nregistry-25:1:3 \nstatic-3:1:10 \ntarget-58:2:10 \nstatic-6:1:10 \navtest-3:2:10 \nsuricata-1:1:10 \napi-25:1:7 \nnetwork-27:2:10 \nregistry-27:1:10 \nnetwork-14:2:9 \napi-16:0:1 \nregistry-36:1:8 \nstring-14:1:3 \napi-51:1:5 \nregistry-35:1:5 \napi-37:0:10 \napi-76:1:10 \nnetwork-24:2:6 \nstatic-17:1:10 \nregistry-1:1:10 \nnetwork-5:1:7 \ntarget-14:2:8 \nhandle-0:1:7 \nstatic-0:1:10 \ntarget-3:0:5 \napi-27:1:10 \napi-77:1:10 \navtest-0:2:8 \nnetwork-1:0:1 \napi-55:0:7 \napi-9:1:4 \napi-42:2:7 \nstatic-60:1:10 \napi-39:0:8 \nregistry-61:1:10 \nstring-13:1:7 \nnetwork-15:2:5 \napi-26:1:10 \navtest-5:2:5 \nmutant-0:0:3 \nregistry-55:0:10 \napi-11:0:2 \napi-6:1:4 \nstatic-1:1:1 cs9Label=Indicators priority=9 cs10=PE32 executable (GUI) Intel 80386 (stripped to external PDB) \n for MS Windows cs10Label=File Description


Example – FireEye HX

FireEye HX is FireEye’s endpoint protection appliance.  There are a few meta keys that we need to parse from FireEye HX:


CEF Extension | Description | NetWitness Key Name
IOC Name | IOC Name / Malware Family | risk.warning
Target OS | Target Operating System | OS
dhost | Destination Hostname | alias.host
dst | Destination IP | ip.dst
dntdom | Destination Domain | ad.domain.dst

Helper Configuration:

local t_keys_to_use = {
        ["IOC Name"] = "risk.warning",
        ["Target OS"] = "OS",
        ["dhost"] = "alias.host",
        ["dst"] = "ip.dst",
        ["dntdom"] = "ad.domain.dst"
}

cefhelper:setKeys({
   nwlanguagekey.create("risk.warning"),
   nwlanguagekey.create("OS"),
   nwlanguagekey.create("alias.host"),
   nwlanguagekey.create("ip.dst"),
   nwlanguagekey.create("ad.domain.dst")
})

local b_debug = false

Example CEF Message:

CEF:0|fireeye|hx|3.1.3|IOC Hit Found|IOC Hit Found|10|rt=Sep 29 2016 02:39:54 UTC dvchost=lab.rsa.local categoryDeviceGroup=/IDS categoryDeviceType=Forensic Investigation categoryObject=/Host cs1Label=Host Agent Cert Hash cs1=YUGh0fvlBG5ewBBahhbEZH dst=172.16.10.50 dmac=aa-bb-7a-fa-75-d8 dhost=victim-a3c696c8 dntdom=WORKGROUP deviceCustomDate1Label=Agent Last Audit deviceCustomDate1=Sep 29 2016 02:39:49 UTC cs2Label=FireEye Agent Version cs2=21.33.0 cs5Label=Target GMT Offset cs5=PT0H cs6Label=Target OS cs6=Windows 7 Professional 7601 Service Pack 1 externalId=1049717 start=Sep 29 2016 02:39:28 UTC categoryOutcome=/Success categorySignificance=/Compromise categoryBehavior=/Execute categoryTechnique=Exploit act=Detection IOC Hit msg=Host victim-a3c696c8 IOC compromise alert categoryTupleDescription=A Detection IOC found a compromise indication. cs4Label=IOC Name cs4=SANDSTORM (FAMILY)

 

DISCLAIMER: As always, this script is provided as is.  If you have any questions, feel free to reach out to me at ian.redden@rsa.com.

Happy Hunting!

 

Update 5/26/2017 - Updated CEF template fixing several bugs.

Update 6/14/2017 - Added sample for VxStream

Preface

 

This blog post explains how to import external intelligence as a NetWitness recurring feed. As an example, the Locky Ransomware C2 domain blocklist from https://ransomwaretracker.abuse.ch is used.

We will use the SA Server Head Unit to perform all the operations described in this blog post. 

 

 

Downloading and pre-processing external content

 

First, the list offered by the external provider must be downloaded to the local environment:

 

curl https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt > locky.txt 

The file contains a comment block at the top followed by one domain per line:

##########################################################################
# Locky Ransomware C2 domain blocklist (LY_C2_DOMBL)                     #
# Generated on 2016-10-18 09:10:02 UTC                                   #
#                                                                        #
# For questions please refer to:                                         #
# https://ransomwaretracker.abuse.ch/blocklist/                          #
##########################################################################
wrubyjtvqhxaqkh.pw
jfmiondv.xyz
tswsgajtwhqkosd.su
xofguhypjgvxrm.pw
yofkhfskdyiqo.biz
[...]

To be able to schedule the feed import for the decoders, we create a path dedicated to feed deployment on the local web server:

 

mkdir /var/netwitness/srv/www/rsa/feeds

Now we need to perform the following operations on the file:

  • Remove the comments
  • Add the values to be written to Meta Keys at the end of each line
  • Write the result to a new file

 

The following command will do all those tasks at once. It may look very complicated at first, but all parts of the command will be explained below:

 

cat locky.txt | grep -v '#' | awk -F $'\n' '{print $1",Locky Ransomware,ransomwaretracker.abuse.ch,Ransomware"}' > /var/netwitness/srv/www/rsa/feeds/locky.csv

 

Explanation:

  • cat locky.txt: Read the file locky.txt in the current folder
  • grep -v '#': Remove all lines that include the hash symbol
  • awk -F $'\n' '{print $1"[...]"}': for each line return the first column (which is the domain name) and add the static text within the double quotes (which are the meta values to be generated later).
  • > /var/netwitness/srv/www/rsa/feeds/locky.csv: Save the result as locky.csv in the path created before

 

As these lists usually change quite often (some providers update their feeds every 30 minutes), a bash script can be created and scheduled to automate the process (some minimal error handling is added in case the file could not be downloaded):

 

  • Create the bash script (the file can also be found in the attachments to this post)

 

vi /root/lockyC2.sh

#!/bin/bash
curl https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt > locky.txt
firstLine=$(head -n 1 locky.txt)
if [[ ${firstLine:0:1} == '#' ]]; then
    cat locky.txt | grep -v '#' | awk -F $'\n' '{print $1",Locky Ransomware,ransomwaretracker.abuse.ch,Ransomware"}' > /var/netwitness/srv/www/rsa/feeds/locky.csv
else
    echo "File not downloaded successfully"
fi

 

  • Schedule the script to run every 30 minutes

 

crontab -e

*/30 * * * * /root/lockyC2.sh
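The pre-processing described above, as an added Python example (this is not the post's script and not NetWitness code): it applies the post's download sanity check, strips the comment block, normalises and de-duplicates the domains, appends the three meta columns and renders the CSV, and then performs the lookup that the feed does on the decoder (index column matched against the callback key, returning the remaining columns). The sample blocklist text uses the domains shown above plus a constructed duplicate in different case and a constructed junk line; the feed path is the one from the post.

```python
import csv
import io
import re

FEED_PATH = "/var/netwitness/srv/www/rsa/feeds/locky.csv"   # path from the post
# Meta values the post appends to every row: threat name, source, category.
FEED_VALUES = ("Locky Ransomware", "ransomwaretracker.abuse.ch", "Ransomware")

# Constructed copy of the blocklist layout (comment block, one domain per line),
# with a duplicate in different case and a junk line added to show the filtering.
SAMPLE_BLOCKLIST = """\
##########################################################################
# Locky Ransomware C2 domain blocklist (LY_C2_DOMBL)                     #
# Generated on 2016-10-18 09:10:02 UTC                                   #
##########################################################################
wrubyjtvqhxaqkh.pw
jfmiondv.xyz
tswsgajtwhqkosd.su
JFMIONDV.XYZ
this is not a domain
"""

# Hostname syntax: dotted labels of letters/digits/hyphens, 2-63 character TLD.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def looks_downloaded(text):
    """The post's sanity check: a good download begins with the '#' comment block."""
    return text.startswith("#")


def blocklist_to_rows(text):
    """Drop comments and blank lines, lower-case, validate, de-duplicate, append the meta columns."""
    rows, seen = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain = line.lower().rstrip(".")
        if domain in seen or not _DOMAIN_RE.match(domain):
            continue
        seen.add(domain)
        rows.append([domain, *FEED_VALUES])
    return rows


def rows_to_csv(rows):
    """Render the rows as the CSV the recurring feed will fetch (csv handles any quoting)."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def build_index(rows):
    """Index column 1 (the domain) -> remaining columns, like the feed's index column."""
    return {row[0]: tuple(row[1:]) for row in rows}


def lookup(index, host):
    """What the decoder does on the callback key (e.g. alias.host): return the meta to tag, or None."""
    return index.get(host.lower().rstrip("."))


if __name__ == "__main__":
    if not looks_downloaded(SAMPLE_BLOCKLIST):
        raise SystemExit("File not downloaded successfully")
    rows = blocklist_to_rows(SAMPLE_BLOCKLIST)
    print(rows_to_csv(rows), end="")                 # what would be written to FEED_PATH
    print(lookup(build_index(rows), "JFMIONDV.XYZ"))
```

To use it on the server, replace SAMPLE_BLOCKLIST with the downloaded file's contents and write rows_to_csv(rows) to FEED_PATH; the validation step matters because a provider-side error (an HTML error page, a stray line) would otherwise end up as an index value in the feed.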

 

Creating a custom feed

 

After completing the steps mentioned above, a recurring custom feed can be created in Live > Feeds:

 

  • Provide a name for the feed and add its URL. Make sure the “Recur Every” schedule matches the update interval you set in the cron job, so that the data is refreshed at the same interval.

         Feed Configuration

 

  • Select the decoders to push the feed to

 

  • Select “IP” if the feed is based on IP addresses or “Non-IP” otherwise. Select the correct index column (the column containing the value to search for) and the callback key(s), which are the meta keys in which that value should be looked up. Define which meta keys the remaining columns should be written to by selecting from the drop-down above each column.

         Feed Columns

 

  • Verify your settings then click “Finish”

Preface

 

This blog post should help everybody who wants to integrate the free (community) version of the MySQL database with NetWitness for Logs. This post does NOT describe auditing of the MySQL database itself; instead, the procedure applies to applications that store their events in a MySQL database.

 

As we do not provide the drivers for that version, the driver has to be downloaded from http://dev.mysql.com/downloads/connector/odbc/

 

Make sure to get the tar.gz version for EL6. The version downloaded at the time of writing was mysql-connector-odbc-5.3.4-linux-el6-x86-64bit.tar.gz:

 

MySQL download


 

Enabling MySQL collection

 

To enable MySQL collection perform the following steps:

  • Untar the file obtained from the MySQL website and copy the ODBC driver to the SA ODBC drivers folder:
    tar -xvzf mysql-connector-odbc-5.3.4-linux-el6-x86-64bit.tar.gz
    cp mysql-connector-odbc-5.3.4-linux-el6-x86-64bit/lib/libmyodbc5a.so /opt/netwitness/odbc/lib/

 

  • This is the structure of my example database on 192.168.2.200, port 3306:

    mysql> show databases;
    +--------------------+
    | Database           |
    +--------------------+
    | information_schema |
    | mysql              |
    | test               |
    +--------------------+
    3 rows in set (0.01 sec)

    mysql> use test;
    Database changed

    mysql> show tables;
    +----------------+
    | Tables_in_test |
    +----------------+
    | audit          |
    +----------------+
    1 row in set (0.00 sec)

    mysql> desc audit;
    +--------------+--------------+------+-----+-------------------+-----------------------------+
    | Field        | Type         | Null | Key | Default           | Extra                       |
    +--------------+--------------+------+-----+-------------------+-----------------------------+
    | ID           | int(11)      | YES  |     | NULL              |                             |
    | Username     | varchar(255) | YES  |     | NULL              |                             |
    | Action       | varchar(255) | YES  |     | NULL              |                             |
    | TimeOfAction | timestamp    | NO   |     | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
    +--------------+--------------+------+-----+-------------------+-----------------------------+
    4 rows in set (0.00 sec)

 

  • Create the database DSN in Administration > Services > LogCollector > View > Config > Event Sources.

        DSN

 

  • The names for the parameters are different from the names of our default drivers. The following values have to be set:

   

Parameter   Value
Database    Database name
SERVER      Database server IP
PORT        Database server listening port
Driver      Driver path

 

       In my example:

 

       DSN Values

 

  • Now create the type specification (mine is named mysql_audit.xml) for your database in /etc/netwitness/ng/logcollection/content/collection/odbc/. My example would require the following specification:

 

<?xml version="1.0" encoding="UTF-8"?>
<typespec>
   <name>mysql_audit</name>
   <type>odbc</type>
   <prettyName>Mysql Custom Auditing</prettyName>
   <version>1.0</version>
   <author>Andreas Funk</author>
   <description>Mysql SQL for Testing</description>

   <device>
      <name>mysql_audit</name>
   </device>

   <configuration>
   </configuration>

   <collection>
      <odbc>
         <query>
            <tag>mysql_audit</tag>
            <outputDelimiter>||</outputDelimiter>
            <interval>30</interval>
            <dataQuery>
               SELECT ID, Username, Action, TimeOfAction FROM audit WHERE ID > '%TRACKING%' ORDER BY ID ASC
            </dataQuery>
            <trackingColumn>ID</trackingColumn>
            <maxTrackingQuery>SELECT MAX(ID) FROM audit</maxTrackingQuery>
         </query>
      </odbc>
   </collection>
</typespec>

  • Next create a parser to match this specification in /etc/netwitness/ng/envision/etc/devices/yourDeviceName. My simple example looks as follows:

 

<?xml version="1.0" encoding="ISO-8859-1" ?>
<DEVICEMESSAGES>
        <VERSION
                xml="1"
                checksum=""
                revision="0"
                enVision=""
                device="2.0"/>

<!--ESI.DeviceClass = Database-->
<!--
If the message tag does not contain a definition of a property,
the default value will be used.
The default values are:
                category="0"
                level="1"
                parse="0"
                parsedefvalue="0"
                tableid="1"
                id1=""
                id2=""
                content=""
                reportcategory="0"
                sitetrack="0"

The following are the entity references for all the predefined entities:
&lt;           <(opening angle bracket)
&gt;           >(closing angle bracket)
&amp;          &(ampersand)
&quot;         "(double quotation mark)
-->
        <HEADER
                id1="0001"
                id2="0001"
                content="&lt;messageid&gt;:&lt;!payload&gt;"/>

        <MESSAGE
                level="5"
                parse="1"
                parsedefvalue="1"
                tableid="47"
                id1="%mysql_audit"
                id2="%mysql_audit"
                eventcategory=""
                content="&lt;sessionid&gt;||&lt;username&gt;||&lt;action&gt;||&lt;event_time&gt;"/>
</DEVICEMESSAGES>

  • Finally add the category (name as chosen in your typespec file) and database to the Event Sources and start the ODBC collection:

       Add event source

       Start ODBC collection

 

Testing MySQL collection

To test MySQL collection:

  • Wait for new events to arrive in the database. In my test database I created two events manually:
    mysql> INSERT INTO audit VALUES (7, 'Andreas', 'Login', NOW());
    Query OK, 1 row affected (0.01 sec)
     
    mysql> INSERT INTO audit VALUES (8, 'Andreas', 'Logout', NOW());
    Query OK, 1 row affected (0.00 sec)
     
    mysql> SELECT * FROM audit WHERE ID > 6;
    +------+----------+--------+---------------------+
    | ID   | Username | Action | TimeOfAction        |
    +------+----------+--------+---------------------+
    |    7 | Andreas  | Login  | 2015-08-07 17:27:44 |
    |    8 | Andreas  | Logout | 2015-08-07 17:27:55 |
    +------+----------+--------+---------------------+
    2 rows in set (0.00 sec)
  • Wait for the ODBC collection to get those events. You can verify collection in /var/log/messages:

Aug  7 15:30:22 ld nw[1420]: [OdbcCollection] [info] [mysql_audit.SQL_Audit] [processing] [SQL_Audit] [processing] Published 2 ODBC events: last tracking id: 8

  • The events can now be found in the Investigator with the defined meta generated:

    Navigate view

 

    Events view
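What the typespec and parser above describe, carried through end to end as an added Python example (this is not NetWitness code): an in-memory SQLite table standing in for the test.audit table, a collector that runs the dataQuery with the tracking value substituted, joins each row with the outputDelimiter and advances the tracking column, and a parser that splits the published line back out into the sessionid, username, action and event_time fields named in the MESSAGE content. The first two rows are the events inserted in the test above; the third row, inserted during the run, is constructed.

```python
import sqlite3

OUTPUT_DELIMITER = "||"   # <outputDelimiter> from the typespec
# Field names from the parser's MESSAGE content: <sessionid>||<username>||<action>||<event_time>
PARSER_FIELDS = ("sessionid", "username", "action", "event_time")

# dataQuery from the typespec, with %TRACKING% replaced by a bind parameter.
DATA_QUERY = "SELECT ID, Username, Action, TimeOfAction FROM audit WHERE ID > ? ORDER BY ID ASC"
MAX_TRACKING_QUERY = "SELECT MAX(ID) FROM audit"   # maxTrackingQuery from the typespec


def make_sample_db():
    """In-memory stand-in (SQLite, not MySQL) for the post's test.audit table with its two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE audit (ID INTEGER, Username TEXT, Action TEXT, TimeOfAction TEXT)")
    con.executemany("INSERT INTO audit VALUES (?, ?, ?, ?)", [
        (7, "Andreas", "Login", "2015-08-07 17:27:44"),
        (8, "Andreas", "Logout", "2015-08-07 17:27:55"),
    ])
    con.commit()
    return con


def initial_tracking(con):
    """Where a collector with no saved tracking value starts: the current MAX(ID), or 0 if empty."""
    value = con.execute(MAX_TRACKING_QUERY).fetchone()[0]
    return value if value is not None else 0


class OdbcCollector:
    """Polls like the ODBC collection: rows above the last tracking ID, ascending,
    one delimited line per row, then remembers the highest ID published."""

    def __init__(self, con, tracking):
        self.con = con
        self.tracking = tracking

    def poll(self):
        lines = []
        for row in self.con.execute(DATA_QUERY, (self.tracking,)):
            lines.append(OUTPUT_DELIMITER.join(str(v) for v in row))
            self.tracking = row[0]   # trackingColumn = ID
        return lines


def parse_event(line):
    """Split a published line into the meta named by the parser's MESSAGE content."""
    parts = line.split(OUTPUT_DELIMITER)
    if len(parts) != len(PARSER_FIELDS):
        raise ValueError(f"expected {len(PARSER_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(PARSER_FIELDS, parts))


if __name__ == "__main__":
    con = make_sample_db()
    collector = OdbcCollector(con, tracking=6)
    for line in collector.poll():
        print(parse_event(line))
    print("last tracking id:", collector.tracking)
```

Two properties of this query shape are worth keeping in mind when you design the audit table: only rows whose ID is above the saved tracking value are ever collected, so ID must increase monotonically with insertion (a row inserted later with a lower ID, or a row whose ID is NULL, is never published), and a later UPDATE of an already-collected row (the on update CURRENT_TIMESTAMP column, for instance) is not re-collected.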

Over a year ago, RSA front man Amit Yoran likened “stumbling around in the dark as a pretty good metaphor for everyone who’s trying to defend a digital infrastructure today”[1]. Those words couldn’t have rung more true over these past few weeks as security professionals scurried to respond to Mirai and the threat of massive Internet of Things (IoT) botnets with the ability to launch historic distributed denial of service (DDoS) attacks. Whether or not you agree as to the brilliance or level of sophistication of the Mirai developers, let’s give a shout out to @Anna-senpai, who dropped a wake-up call to the security industry.

 

Figure 1: CCTV Botnet rendering courtesy of https://fossbytes.com/are-you-under-the-attack-of-cctv-botnet/ 

 

At first blush, many of us (myself included) reviewed the posted source code[2] and reacted with a certain degree of industry arrogance… ‘I mean this is an attack vector leveraging telnet and a list of manufacturer default credentials… Who the hell could still be using telnet, right?’ As these words left my mouth, a few things began to sink in… I began to consider all of the less security-conscious people each of us knows, their devices, and maybe a few devices our kids or even we might use. This was a humbling experience… ask Brian Krebs.

 

Here we are near the end of 2016, immersed (maybe a bit preoccupied) with machine learning, continuous authentication, and user behavior analytics. Is it possible that with all of this technological evolution, we’ve lost the lessons of the past (e.g., the Morris worm circa 1988 with 432 words in its brute-force list)? It’s certainly clear that we have forgotten perhaps the most important lesson: respect the adversary. In an era where the security industry is operating with unprecedented levels of sophistication, we have adversaries smart enough to ignore the typical attack vectors (i.e., playgrounds for industry analytics) and strike at the soft belly. Mirai developers were competent enough to leverage an aging service to harvest thousands of IoT devices via 63 passwords in a brute-force list, spring-loading one of the most impressive DDoS attacks ever seen[3].

 

While there are a number of current research postings on Mirai[4], perhaps most insightful is the detailed post on Hackforums by Anna-senpai (aka Mirai developer), an excerpt of which is pasted below.

 

Figure 2: Excerpt of anna-senpai's hackforum post

 

As Anna-senpai steps through explanations of the components and functions of the Mirai malware, two striking things can be noted. First, the hijacking of IoT infrastructure for use as a botnet effectively negates all of the fancy security controls that have evolved over the years. (These are typically dumb devices with crappy firmware and maybe an admin console if you are lucky.) Second, the rapid spin-up and disposable nature of these IoT botnets creates challenges for real-time response and makes post-mortem attribution nearly impossible. This means everyone on the Internet could be in jeopardy of retaliatory or even whimsical attacks from any number of different hacker groups. Scary stuff, and the truth is that we are only going to see increasing numbers of IoT-related botnets like Mirai and Linux/LuaBot[5]. As further evidence, the charts below from shodan.io provide a snapshot of the current growth in telnet traffic.

 

Figure 2: Shodan search for telnet on Oct 12, 2016

 

To that end, are there other glaring gaps (telnet, for instance, was developed in 1969) in aging applications and services that we might be ignoring in today's IT hygiene practices? Are there other services perceived as ‘well-understood’ or ‘protected’ that also deserve additional scrutiny? These are hard questions for most businesses to answer, and unfortunately more times than not we’re relegated to a reactive security posture by circumstances just such as Mirai.

 

So what actions can we take in the security industry? First and foremost, clean up poor IT hygiene. This means blocking traffic to ports and services at the perimeter, and moving ‘dumb’ devices inside of your perimeter defense. For example, under no circumstances should your Nest thermostat, Rachio smart sprinkler, or Samsung Family Hub refrigerator be connecting directly to the Internet without the protection of a properly configured access point with firewalls. Just as critical is enforcing a policy to change any and all default credentials for Internet-enabled devices, many of which have direct access to and control of critical infrastructure. Consider this year’s unprecedented hack of the Ukrainian power grid[6]… but hey, don’t blame the fridge!

 

Of course there are already quite a few security vendors that have built themselves around the DDoS protection use case, and these services currently stand as our best chance of mitigating future such IoT hosted attacks. However, it remains to be seen how effective these capabilities will be under fire.

 

In addition, a problem-oriented response is also building momentum across facets of the security industry. For example, a recent article by Motherboard (Digital Vigilantes Want to Shame DDoS Attackers And Their Corporate Enablers) features a project called SpoofIT, the goal of which is to “shame not only the hackers responsible for such crippling attacks, but also the Internet providers and traffic carriers that enable them”[7]. Other organizations such as the non-profit group MITRE are offering cash incentives to 'fingerprint' rogue, dangerous IoT devices[8]. Whether either of these approaches will gain significant traction also remains to be seen.

 

Thanks goes to Michael Sconzo, Raymond.Carney@rsa.com, and Steven Sipes for research, discussion, and pointed feedback on my frequent ramblings.

 

 

[1] https://www.rsaconference.com/blogs/rsas-amit-yoran-security-is-stumbling-around-in-the-dark

[2] https://github.com/jgamblin/Mirai-Source-Code

[3] Why a massive DDoS attack on a blogger has internet experts worried – Naked Security 

[4] http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html

[5] https://medium.com/@x0rz/interview-with-the-luabot-malware-author-731b0646fc8f#.1ms49jocb

[6] https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/

[7] http://motherboard.vice.com/read/spoofit-digital-vigilantes-shame-ddos-attackers-and-corporate-enablers

[8] http://www.zdnet.com/article/mitre-will-give-you-50000-for-fingerprinting-rogue-dangerous-iot-devices/

Vertical Scan Dashboard for Firewall Logs

Overview

 

The Vertical Scan Dashboard for Firewall Logs shows vertical scan activity conducted against any firewall class device on the Internet Perimeter. This set of dashlets will display the top 10 port probing/scanning activity over the last 24 hours, broken down into the following categories:

  • Unique port count of individual IP addresses probing/scanning the network and displayed by IP address.
  • Unique port count of countries probing/scanning the network and displayed by country.
  • Unique IP address count of individual Countries probing/scanning the network and displayed by country.
  • Top 10 most denied destination ports, displayed by port.

 

The Dashlets

Top 10 Denied IP High Unique Port Count

It looks at the inbound traffic and every hour it counts the number of unique ports for each source IP address it sees, then it displays them in a Timeline and a Summary format by IP address.  In short, it shows which IP addresses are using the most ports to scan your network on an hourly basis.  That is a vertical scan: a single IP probing multiple ports.

 

Top 10 Denied High Unique Port Count by Country

It looks at the inbound traffic and every hour it counts the number of unique ports for each source IP address it sees, then it displays them in a Timeline and a Summary format by country.  In short, a unique port count by country and displayed by country.

 

Top 10 Denied Countries by Unique IP Count

It looks at the inbound traffic and every hour it counts the number of unique IP addresses for each Source Country it sees, then it displays them in a Timeline and a Summary format by country.  In short, it’s a count of unique IP addresses used to probe your network displayed by country.

 

Top 10 Denied Destination Ports

It looks at the inbound traffic and every hour it finds the distinct ports and counts how many times they are denied.  Then it displays them in a Timeline and a Summary format as shown below.  In short, it shows the top ten ports that are being probed and denied.
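The four dashlet computations, as an added Python example (this is not the dashboard's report rules and not NetWitness code): deny events are bucketed by hour, and for each hour the code counts distinct destination ports per source IP (the vertical-scan measure), distinct ports and distinct source IPs per country, and denies per destination port, then ranks them as the Summary view would. The log lines are constructed iptables-style deny records, and the IP-to-country table is a hypothetical stand-in for the geo meta a decoder would supply.

```python
import re
from collections import defaultdict

# Constructed iptables-style firewall lines (not from any real device); one ACCEPT
# is included to show that only denies count.
SAMPLE_LOG = """\
Oct 12 09:01:10 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=22
Oct 12 09:03:44 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
Oct 12 09:05:02 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=3389
Oct 12 09:05:09 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=23
Oct 12 09:20:31 fw1 kernel: DENY IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=23
Oct 12 09:41:17 fw1 kernel: DENY IN=eth0 SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP DPT=445
Oct 12 09:50:00 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.45 DST=203.0.113.10 PROTO=TCP DPT=443
Oct 12 10:02:00 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP DPT=80
Oct 12 10:15:48 fw1 kernel: DENY IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 PROTO=TCP DPT=23
"""

# Hypothetical IP -> country table standing in for the decoder's geo meta.
GEO = {"198.51.100.7": "AA", "192.0.2.44": "BB", "192.0.2.45": "BB"}

_DENY_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hour>\d{2}):\d{2}:\d{2} \S+ .*\bDENY\b"
    r".*\bSRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b.*\bDPT=(?P<dpt>\d{1,5})\b")


def parse_denies(text):
    """Return (hour_bucket, src_ip, dst_port) for each denied line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = _DENY_RE.search(line)
        if m:
            bucket = f"{m['mon']} {int(m['day']):02d} {m['hour']}:00"
            events.append((bucket, m["src"], int(m["dpt"])))
    return events


def _distinct_per_hour(events, key_of, value_of):
    """{hour: {key: number of distinct values}} over the events."""
    seen = defaultdict(lambda: defaultdict(set))
    for ev in events:
        seen[ev[0]][key_of(ev)].add(value_of(ev))
    return {h: {k: len(v) for k, v in d.items()} for h, d in seen.items()}


def unique_ports_per_ip(events):
    """Dashlet 1: distinct denied ports per source IP (a vertical scan scores high here)."""
    return _distinct_per_hour(events, lambda e: e[1], lambda e: e[2])


def unique_ports_per_country(events, geo=GEO):
    """Dashlet 2: distinct denied ports per source country."""
    return _distinct_per_hour(events, lambda e: geo.get(e[1], "unknown"), lambda e: e[2])


def unique_ips_per_country(events, geo=GEO):
    """Dashlet 3: distinct source IPs per source country."""
    return _distinct_per_hour(events, lambda e: geo.get(e[1], "unknown"), lambda e: e[1])


def denied_port_counts(events):
    """Dashlet 4: how many times each destination port was denied, per hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for hour, _src, dpt in events:
        counts[hour][dpt] += 1
    return {h: dict(d) for h, d in counts.items()}


def top_n(per_key, n=10):
    """Rank one hour's {key: count} descending (ties by key), as the Summary dashlet would."""
    return sorted(per_key.items(), key=lambda kv: (-kv[1], str(kv[0])))[:n]


if __name__ == "__main__":
    events = parse_denies(SAMPLE_LOG)
    for hour, per_ip in sorted(unique_ports_per_ip(events).items()):
        print(hour, top_n(per_ip))
```

Counting distinct ports rather than raw denies is what separates a vertical scan from a noisy but single-port source; in the sample, 198.51.100.7 tops the first dashlet with three ports in one hour while port 23 tops the fourth because two different sources hit it.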

Prerequisites

You must have the items listed below installed and configured for this dashboard to work properly.

Security Analytics/Netwitness

  • Versions 10.5 or higher
  • Log Decoder and Concentrator
  • Firewall Logs

Versions Prior to 10.5 will not have the “distinct” and “countdistinct” available in the Report Engine.

Lua Parser

  • Traffic Flow (RSA Live)
  • lua (RSA Live)

 

Directions for installation and configuration of this parser are located in the link below:

https://community.rsa.com/docs/DOC-44948

 

If you already have a parser that defines Internet source IP addresses, you can modify the rules and swap out the “netname='other src'” with your metakey and value.

Saket Bajoria

Log Parser Improvements

Posted by Saket Bajoria Employee Oct 12, 2016

The RSA Live Content team has published updates for the 15 Log Parsers that generate the largest number of “Unknown Message Defect” support cases.

 

These enhancements are part of a strategic initiative to drive improvements to Log Parsers.

 

These improvements result in:

  • Fewer Unknown Messages
  • Improved Device Discovery
  • Better Adaptability to newer versions of an Event Source
  • Reduced Parser Maintenance

 

To take advantage of these improvements you will need to download the latest versions of the parsers listed below from the Live Portal.

 

 

For each event source, the log parser name is given in parentheses, followed by the improvements made:

1. Microsoft Windows using Event Collection (winevent_nic)
   This parser can now identify all Windows Security, System and Application log events.
   Note: Application channel events are parsed with the standard fields needed for basic analytics. Some applications are parsed in more detail for specific use cases.

2. Microsoft Windows using Adiscon Event Reporter (winevent_er)
   This parser can now identify all Windows Security, System and Application log events.
   Note: Application channel events are parsed with the standard fields needed for basic analytics. Some applications are parsed in more detail for specific use cases.

3. Microsoft Windows using Intersect Alliance Snare (winevent_snare)
   This parser can now identify all Windows Security, System and Application log events.
   Note: Application channel events are parsed with the standard fields needed for basic analytics. Some applications are parsed in more detail for specific use cases.

4. FireEye Web Malware Protection System (fireeyewebmps)
   This event source has a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

5. McAfee Network Security Platform (intrushield)
   Certain types of events generated by this event source have a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

6. Voltage Secure Data (voltagesecuredata)
   This parser has been redesigned to parse all event IDs generated by the event source. It has been made future-proof so that it parses newer event IDs that may be introduced in newer versions of the product. It can also accommodate new/unknown tags, which significantly reduces the number of unknown messages.

7. Cisco IronPort Web Security Appliance (WSA) (ciscoiportwsa)
   This parser has been improved to parse all web methods for the Squid and Apache log formats. It has also been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

8. Cisco Adaptive Security Appliance (ciscoasa)
   This parser now supports all event IDs from the event source.
   The log format is semi-structured and the event source registers a unique ID for each type of event. We do detailed parsing for most of the documented event IDs. The parser has been made future-proof to identify newer event IDs that may be introduced in newer versions of the product.

9. Cisco Identity Services Engine & Cisco Secure Access Control Server (ciscosecureacs)
   This event source has a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

10. Microsoft Internet Information Services (microsoftiis)
    This event source has a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

11. UnboundID Identity Data Store (unboundidids)
    This event source has a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages. It has also been made future-proof to parse new types of events that may be introduced in newer versions of the product.

12. IBM WebSphere (ibmwebsphere)
    Certain types of events generated by this event source have a structured log format. The parser has been improved to identify and parse newer events of that log format.

13. IBM iSeries AS400 (iseries)
    This event source has a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

14. Blue Coat ProxySG SGOS (cacheflowelff)
    This event source has two types of logs: web logs and audit logs.
    Web logs follow a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.
    Audit logs have a semi-structured format, and we do detailed parsing of most of the audit events. The parser has also been made future-proof to parse new types of audit events that may be introduced in newer versions of the product.

15. Juniper Networks SSL VPN (junipervpn)
    This event source has a structured log format using tag=value pairs. The parser has been improved to accommodate new/unknown tags, which significantly reduces the number of unknown messages.

 

The RSA Live Content team will be delivering similar improvements for more parsers over the next two quarters.

 

Lee Kirkpatrick

Everything is PossiEPL

Posted by Lee Kirkpatrick Employee Oct 12, 2016

Event Processing Language is utilised within the NetWitness Event Stream Analysis (ESA) component. This language is what allows us to write advanced correlation rules to detect and thwart the advanced threats we face on a constant basis; it allows us to make sense, to organise and sift through the copious amounts of metadata which is produced on a daily basis.

 

EPL can seem a little daunting upon first glance, but understanding a few basic principles will allow you to create a plethora of use cases - I have created a document to better understand those principles, to extend my knowledge, and hopefully yours as well:-

 

 

Enjoy!

The NetWitness Logs and Packets User Group was formed in order to seek continuous feedback from our user base.

 

Who can participate?

Any customer who uses NetWitness Logs and Packets. 

NetWitness Product Management and UX team are also part of this User Group. 

 

What are User Group activities?

User Group members are provided several opportunities to interact with NetWitness product management team and also influence product functionalities. This is also an opportunity to know upcoming features of the product. 

 

  • Monthly meetings

    The User Group meets once a month on a conference call. Meeting topics are chosen in advance and are discussed in a very interactive way. Some of the topics discussed in the past included Investigation, (Incident) Respond workflow, Context Hub and Reporting.

    The Product Management and UX teams present the topic with wireframes, in-progress work or surveys to seek feedback. This feedback is analyzed and added to the product as appropriate.

 

Note: We do not discuss roadmaps or RFEs in this meeting. These meetings are dedicated to discuss product functionality and design. 

 

  • Customer Environment Testing (CET)

User Group members get an opportunity to use the product in a hosted environment several times throughout the lifecycle of a release. The environment can be accessed at your own pace to provide feedback.

 

  • Usability Testing

UX team seeks usability testing based on the product features and functionalities they are working on. 

When does User Group meet?

User Group meets once a month on a conference call. CET and Usability Testing are conducted based on needs. 

How can I participate? 

Contact NetWitness product manager Pushpa Chandrashekaraiah at pushpa.chandrashekaraiah@rsa.com

Michael Sconzo

Nemucod and Locky

Posted by Michael Sconzo Employee Oct 3, 2016

Thanks to Kevin, Rajas, Angela, Ray, and Tophs for all the data, research, and output.

 

On the heels of RSA’s recent investigation into Cerber and Ransomware-as-a-Service (RaaS), additional consideration was given to other aspects of the ‘Crimeware circuit’ that might also be moving into a more commercialized role.  The Nemucod Trojan’s recent evolution as of August-September 2016 may well provide another fitting example of actors adapting to market forces.  Not coincidentally, JS/TrojanDownloader.Nemucod is currently being tracked as the second ‘Top World Threat’ by ESET’s Virusradar[1], with an uptick of activity noted in the latter weeks of September.

 

Figure 1: Nemucod trending, courtesy of ESET Virusradar[2]

 

Historically speaking, Nemucod is a relatively well-known family that has often been used in malspam campaigns, with the trojan delivering flavors of ransomware, ad-clickers, and other payloads.  However, it is important to note that these payloads were typically each delivered in time-serial, linear fashion; this appears to have changed for Nemucod.  As evidence of this, analysis of detonated malware (from the week of September 19th) indicates that today’s Nemucod Trojan may be operating as an uncoupled delivery mechanism, capable of dropping not just Locky ransomware but a slew of other malicious portable executables (e.g., win32/kovter and win32/boaxxe).

 

Does this shift represent Nemucod actors adjusting their business model to better align core competencies with market demand, in this case for the distribution and delivery of a plethora of crimeware?  It’s possible and even likely, especially considering the evolution of EK-delivered Cerber RaaS.  That being said, there is not yet a conclusive body of evidence to prove or disprove the theory that Nemucod actors have hung a shingle as distribution and delivery service providers.

 

Locky ransomware was one of the primary payloads noted in this investigation, and the executables observed demonstrate behavior consistent with Locky as described in previous security industry documentation.  As with previous Nemucod campaigns, the attack vector used for this campaign was mostly e-mail, a sample of which can be seen below.

 

Figure 5: E-mail attack vector.

 

Meet the Nemucod Trojan.  It is attached above as a non-password protected ZIP containing an HTA (HTML Application) file, which is encoded Javascript responsible for the delivery of one or more malicious payloads.  This type of executable inherently brings agility to the actor’s operating model, because encoded JavaScript can easily be modified to reconfigure malware-serving domains or IPs.  Add to this, the amount of bulletproof hosting available in countries with “less stringent laws and/or regulations”, and it becomes apparent how quickly Nemucod can launch or modify a campaign.

 

Another noteworthy observation was that community antivirus and malware detection capabilities typically mischaracterize Nemucod.  Rather than identifying the trojan as a downloader and delivery mechanism, the community often categorizes Nemucod by the payload it most commonly delivers.  This has probably helped obscure Nemucod’s utility in delivering multiple flavors of ransomware and other crimeware.

 

In the case of Locky, the delivered payload is a PHP interpreter, an additional PHP library, and then the download of a third PHP file, which uses a hard-coded encryption key to encrypt important files and rename them after its namesake, “.locky”.  Once this routine has completed, the software then proceeds to inform the user and demand ransom.


Figure 2: Maltego snapshot of Locky Infrastructure


Post-delivery, we observed a number of Locky .php check-ins via HTTP POSTs made directly to IP addresses rather than hostnames (e.g., userinfo.php, data/info.php, submit.php, amin.php).  It is believed that these are initial check-ins by the ransomware once it has successfully installed itself.  There were also a number of expected callbacks to 51.254.0.0/15, a known command and control (C2) infrastructure for Locky.  In our malware samples, the majority of this activity was destined for 51.255.105.2, confirming it as a current Locky C2 site[3].


Figure 3: Sample of Locky’s direct-to-IP check-in, courtesy of VirusTotal[4]


In addition to this activity, a large number of callbacks were also seen heading to 51.255.107.30, which is likely critical infrastructure related to Locky malspam.  This was demonstrated by a number of SMTP formatted port 80 callbacks to known infrastructure as well as the large number of POP, IMAP, and other mail related domains hosted therein.  51.255.107.30 itself hosts more than 50 mail related domains as well as a possible control panel (cpanel[.]rowz.[.]ru).  Similar provisioning was noted across other nodes within the Locky infrastructure.


Figure 4: Additional Locky domains


Also not surprising, there were a number of connections to the dynamic DNS provider checkip[.]dyndns[.]org, which has been a player in too many past crimeware campaigns to list.


While little detail currently exists on most open source ransomware trackers with regard to Locky payment processing, several candidate hosts were noted during the course of this research.  First, in addition to its C2 role, 51.255.105.2 was found to be hosting more than 400 possible payment site domains matching a [8-20char DGA].[key].win pattern.  185.141.25.108 was also noted as a possible payment site host, with a smaller number of [DGA].[DGA].top and [DGA].[DGA].pw patterned domains observed.


There was also a handful of traffic to Eastern European hosting services (e.g., 185.162.8.101, Eurohoster hosting services out of Bulgaria) and privately registered Ukrainian infrastructure such as 107.181.187.228, identified as hosting obscure domains like m2.[]dreamboatoffer[.]com and horehjw19882[.]com, coincidentally owned by an iOS developer living in Ukraine.  It’s not possible at this stage to determine whether these artifacts are indicative of compromised infrastructure hijacked for Locky or of something more closely related to the actual group of Locky actors.



Figure 4: VirusTotal site scoring[5]


Another aspect of the Nemucod investigation revealed that many of the ‘Locky’-characterized hashes were false positive identifications (by several algorithms within VirusTotal) that actually demonstrated behavior more consistent with malvertising.  These hashes made direct callbacks to Akamai CDN infrastructure (e.g., aka.ms) and are likely further examples of Nemucod’s evolved ability to deliver multiple payloads and, more importantly, to achieve multiple revenue streams.


Conclusion

While no significantly new technical understanding was developed during the course of this research, RSA was able to identify several Nemucod and Locky behaviors that are currently being evaluated for post-infection signature-based detection in RSA Security Analytics (i.e. NetWitness).  Additionally, the RSA FirstWatch Exploit Domain and FirstWatch Exploit IP threat intelligence feeds were updated as of September 28th, 2016 to include more than 3000 unique indicators of compromise (IOCs) for the Nemucod trojan as well as the Locky ransomware it currently delivers.


In addition, a new App Rule is also available in Live. The query is:

rule="action = 'post' && risk.info = 'http direct to ip request' && content = 'application/x-www-form-urlencoded' && direction='outbound' && (extension = 'php' || extension = 'cgi' )

This rule should have a low false-positive rate, if you find anything to the contrary please let us know.
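To make the rule's conditions traceable outside the product, here is an added Python re-implementation of its logic (example code, not part of this post or of NetWitness) run over constructed HTTP session metadata. It assumes the 'http direct to ip request' risk.info flag corresponds to a Host that is an IP literal rather than a DNS name; the sample IPs and paths are constructed, not captured traffic.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example: mirrors the App Rule quoted above on plain request dicts.
# Assumption: NetWitness sets risk.info = 'http direct to ip request' when
# the Host is an IP literal; that is what is_direct_to_ip() checks here.

def is_direct_to_ip(host: str) -> bool:
    """True when the Host is an IPv4/IPv6 literal, i.e. no DNS name used."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False

def path_extension(path: str) -> str:
    """Extension of the last path segment, lowercased ('' if none)."""
    m = re.search(r"\.([A-Za-z0-9]+)$", path.rsplit("/", 1)[-1])
    return m.group(1).lower() if m else ""

def matches_checkin_rule(req: dict) -> bool:
    """Outbound POST, form-encoded body, direct to IP, .php or .cgi target."""
    url = urlsplit(req["url"])
    media_type = req["content_type"].split(";")[0].strip().lower()
    return (
        req["method"].upper() == "POST"
        and req["direction"] == "outbound"
        and media_type == "application/x-www-form-urlencoded"
        and is_direct_to_ip(url.hostname or "")
        and path_extension(url.path) in ("php", "cgi")
    )

def flag_checkins(requests):
    """Return the URLs the rule would alert on, in input order."""
    return [r["url"] for r in requests if matches_checkin_rule(r)]

# Constructed sessions (203.0.113.0/24 is documentation address space).
FORM = "application/x-www-form-urlencoded"
SAMPLE_REQUESTS = [
    {"method": "POST", "direction": "outbound", "content_type": FORM,
     "url": "http://203.0.113.5/userinfo.php"},           # matches
    {"method": "POST", "direction": "outbound", "content_type": FORM,
     "url": "http://203.0.113.5/data/info.php"},          # matches
    {"method": "POST", "direction": "outbound", "content_type": FORM,
     "url": "http://www.example.com/login.php"},          # hostname: no
    {"method": "GET", "direction": "outbound", "content_type": "text/html",
     "url": "http://203.0.113.5/index.html"},             # GET, static: no
    {"method": "POST", "direction": "outbound", "content_type": "application/json",
     "url": "http://203.0.113.5/submit.php"},             # JSON body: no
]
```

Only the two form-encoded POSTs to the IP literal are flagged; the same POST to a hostname, a static GET, and a JSON-bodied POST fall through, which is where the rule's low false-positive rate comes from.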


Perhaps more important than the technical discoveries though is the additional evidence this research contributes to the theory that crimeware actors are adopting commercially accepted market principles to refine their business models in order to increase profits and diversify revenue streams.


Footnotes

[1] http://www.virusradar.com/en

[2] http://www.virusradar.com/en/JS_TrojanDownloader.Nemucod/chart/month

[3] http://malware-traffic-analysis.net/2016/09/16/index3.html

[4] https://www.virustotal.com/intelligence/search/?query=81e85dcaf482aba2f8ea047145490493%C2%A0+

[5] https://www.virustotal.com/en/url/d188070f344a6645c451c0602ceb6afe0f9336fe1803df687eab1ae186f8b06c/analysis/1475167507/
