Ishtiyaq Shah

RSA Netwitness - Use Cases

Blog post created by Ishtiyaq Shah on Oct 26, 2016
Business Use Cases

| Category | Sub Category | Use Case | Log Source | RSA Supported |
|---|---|---|---|---|
| Access/Authentication | Identity Management | Monitor for use of disabled usernames | Active Directory, Databases, Applications, Web Proxy, HR data | Integrate Windows AD, monitor the event IDs for user login attempts and correlate them with the user's status in AD |
| | Password Guessing | Possible successful brute force attack detected | All event sources | OOB |
| | | Possible successful brute force attack detected on critical devices/servers | Critical devices and servers | Criticality context to be incorporated using feed integration from SecOps EM |
| | Enterprise Services Access Management | Increase in failed domain admin account logins detected | All event sources | User activity trend dashboard monitoring user login activity |
| | Perimeter & Network Security | Increase in failed remote login attempts detected | Windows, Unix, Firewalls, IDS & IPS, Access controls & VPN | User activity trend dashboard monitoring user login activity |
| | Enterprise Services Access Management | Unusual number of failed/successful vendor/default user login attempts | All Network, Host, Server & Security devices | User activity trend dashboard monitoring/alerting for privileged user login activity |
| | Perimeter & Network Security | Password change on a known privileged account detected | All Windows, Unix, VPN, Database, Firewall & FIM | Privileged account monitoring alert/dashboard/chart |
| Audit Trail | System Health | Tampering of system audit logs detected | All event sources | Integration of SA audit logs with the decoder for monitoring user audit activity |
| Policy Violation | Physical Security | Employee absenteeism – badge sharing detection | Physical Access logs & AD logs | Integration of HID access card DB and AD last-login details with feeds from the leave management system to monitor employee movements and access requests |
| | | Attendance policy violation | VPN, My Time Application & Physical Access logs | Time from the access control time tracker matched against HID access in-time and out-time for employee work-hours policy monitoring |
| | Enterprise Services Access Management | Password sharing – policy access violation | All event sources | Same user login from different machines or locations within a specific time, or any such attempt made more than once |
| | Enterprise Windows Account Management | Unauthorized use of service account | Windows OS | Service account monitoring |
| | | RDP attempts from local admin account | Windows OS | Monitoring Remote Desktop port usage and identifying any such attempts, with a dashboard or report for such admin activities |
| | Network Security | Server access from unauthorized IP address | Firewall logs | |
| | | Internet access by unauthorized server | Internet Firewall, Proxy | List of such users to be provided for web activity monitoring |
| | | Policy violation - Internet access from authorized server | Internet Firewall, Proxy | Proxy policy violation reports per user |
| | | Reverse proxy bypass - application accessed externally | Internet Firewalls | Any access requests to web servers or applications not published to the external internet |
| | | Insecure application access - non-HTTPS | Firewall logs | Non-standard port using a known service, e.g. FTP over the HTTP protocol |
| Operational / Functional | System Health | Device stopped sending logs | Proposed solution logs | Health and wellness built into the system |
| | | Log source stopped sending logs after reboot | All event sources | Health and wellness built into the system |
| | | Disk array capacity approaching threshold | Proposed solution logs | Health and wellness built into the system |
| | | Possible system instability state detected | All event sources | Health and wellness built into the system |
| | | System shutdown | Proposed solution logs | Health and wellness built into the system |
| | | Backup and recovery: failed | Proposed solution logs | Health and wellness built into the system |
| | | Backup and recovery: cancelled | Proposed solution logs | Health and wellness built into the system |
| | Perimeter & Network Security | Network performance degradation detected | All routers, switches & firewalls | Using NetFlow, session monitoring can detect any deviations in usage |
| | System Metrics | Windows service state change | Windows OS | Monitoring Windows event logs |
| | | Successful or failed installation/update of any package | Proposed solution logs | Enable Windows auditing with file and folder audits in addition to the Application, Security and System logs |
| | | EPS warning – EPS approaching limit | Proposed solution logs | On-screen nag screens and notifications can be configured for such monitoring |
| | | Log source added/deleted | Proposed solution logs | Built-in notification on any new integration |
| | | User added to "remote user group" AD group | Active Directory | AD user activity log monitoring |
| | | User added to "domain administrator" & "local administrator" groups | Active Directory | AD user activity log monitoring |
| | | New Windows service installation | Windows OS | Windows system and application security logs |
| | | User added to VPN administrative group | Active Directory | VPN service and activity log monitoring |
| Integrity | Integrity Monitoring | Changes to databases holding customer data by unauthorized users | Database system logs | DB fine-grained auditing |
| | Perimeter & Network Security | Configuration change on network & security device intercepted | IDS, IPS, Firewall & VPN | Configuration changes on listed assets to be monitored for any deviations |
| | | Host Checker configuration changed on VPN device | VPN device logs | Monitor any changes to the VPN device's Host Checker service on clients through Windows application logs or Host Checker logs |
| Privilege Access | Enterprise Services Access Management | Elevation of account privilege followed by restoration of the previous state within 24 hrs | All event sources | Privileged user monitoring |
| | | Revocation of user privileges detected | All Windows, Unix, Firewall, IDS & Network Configuration Management Solution | Changes in privileged access |
| Usage Activity | Data Transfer | Large file transfers to 3rd-party sites | All Firewall & Web proxy | Using NetFlow and log correlation, session size of FTP uploads or similar transfers on other protocols to be monitored |
| | Perimeter & Network Security | Monitoring over ports not permitted by policy on Internet-facing firewalls; non-compliant traffic activity | All Internet-facing Firewalls | Using a watchlist of such ports, traffic of such users can be monitored and reported or alerted on |
| | | Use of clear-text confidential information detected | IDS, IPS, Web logs, Mail server logs, Database, Unix & Windows | Using network sessions, clear-text confidential information can be detected |
| | | Excessive inbound denied connections | Firewall logs | Trend report on sessions and flows, including firewall logs, to identify what content and data is being transmitted in sessions |
| | | Increase in file transfer activity using instant messaging detected | All IDS, IPS, Router & Firewall | Monitor IM traffic for any kind of file sharing activity |
| | | Active SYN flood attack detected by network & security devices | All IDS, IPS and Firewall | OOB |
| | | Possible ARP poisoning or spoofing activity detected | All IDS, IPS, Firewalls, Switch & Unix | OOB |
| | | Remote data harvesting | VPN device logs | VPN user activity monitoring |
| | | High volume of TCP resets | All firewalls | OOB and customizable |
| Threat Intelligence | Perimeter & Network Security | Communication between internal hosts and known malware distribution site | All IDS, IPS, Firewalls, Web proxy & Threat Intelligence feed | OOB; monitoring using threat intelligence feeds |
| | | A connection from a server with a known spam-sending host | All IDS, IPS, Firewalls & Threat Intelligence feed | OOB; monitoring using threat intelligence feeds |
| Malicious Activity Monitoring | Perimeter & Network Security | Increase in peer-to-peer traffic detected | IDS, IPS, Firewall & VPN | Monitor peer-to-peer protocols, networks and hosts |
| | Network Security | Unintended download of computer software from the internet | Web Proxy solution | Using packets, any download can be monitored and reported for such anomalies |
| | | Successful backdoor attack | All IDS, IPS, Firewalls & Antivirus | Based on analysis fused with threat intelligence feeds, backdoor activity can be tracked; such patterns can also be customized |
| | | Worm propagation in the internal network | All IDS, IPS & Firewalls | Similar worm alerts triggered over LAN/WAN can be monitored for lateral movement using NetFlow |
| | | SQL injection attack detection | Web server logs | OOB pattern available |
| | | Attack exploiting Microsoft Directory Service vulnerability detected | All IDS/IPS | MDS monitoring, with IPS signature triggers correlated against the vulnerability CVE ID |
| | | Streaming media detected | All Firewall, Web proxy & IDS/IPS | Using packet and NetFlow data, such downloading activity can be monitored |
| | | Possible intruder trying to gain unauthorized access to the network | All IDS, IPS, Firewalls, VPN & Threat Intelligence feed | Using threat feeds, any communication with known malware or spam hosts, including blacklisted IPs, can be detected |
| | | Successful connections after denied attempts from the same external source | All firewalls & IDS/IPS | OOB, can be customized |
| | | Aggressive database scan | All firewalls | OOB monitoring on DB ports |
| | | Virus deletions failed on system | Antivirus System | Monitoring antivirus client-side scan actions |
| | | System getting infected by the same virus | Antivirus System | Report on virus actions and alerts using the lookup-and-add function against unique virus name and hostname/IP |
| | | High number of Denial of Service (DoS) attacks detected | All IDS, IPS & firewall | OOB |
| | | Vulnerability correlation alerts | Vulnerability Data, IPS/IDS | IPS alarms to be correlated with vulnerability scan results to achieve vulnerability-based correlation |
| | | Malicious activity - VPN access | Active Directory | Any activity/actions notified by the system are evaluated against threat feeds on the VPN system |
| | | Malicious activity - deviation in network utilization of resources | Network Monitoring tool | Trend report on bandwidth utilization over a period of time or against a threshold |
| Processes/Services | Active Directory | Active Directory schema change | Windows Security Event Logs | AD change logs |
| | | Active Directory policy modified | Windows Security Event Logs | GPO policy change notifications |
| | Microsoft Exchange | Increase in the number of non-delivery report messages collected from Microsoft Exchange | Windows Event Logs | Monitor the mail notifications and report on NDR status for each source and recipient mailbox |
| | System Health | Patch & update failures | Patch Management Server | Use patch management server logs to see patch status and any actions based on patch deployment jobs |
Attack Life Cycle based Use Cases
| Category | Sub Category | Use Case | Log Source | RSA Supported |
|---|---|---|---|---|
| Initial Recon | Port scan from outside | Horizontal port scan | Internet-facing Firewalls | OOB |
| | | Horizontal port scan on well-known vulnerable ports | Internet-facing Firewalls | OOB |
| | | Horizontal port scan on critical assets (PDMZ) | Internet-facing Firewalls | OOB |
| | | Horizontal port scan on existing vulnerable ports on critical assets (PDMZ) | Internet-facing Firewalls, Vulnerability Management Reports | OOB |
| | | Vertical port scan | Internet-facing Firewalls | OOB |
| | | Vertical port scan on well-known vulnerable ports | Internet-facing Firewalls | OOB |
| | | Vertical port scan on critical assets (PDMZ) | Internet-facing Firewalls | OOB |
| | | Vertical port scan on existing vulnerable ports on critical assets (PDMZ) | Internet-facing Firewalls | OOB |
| | | IDS/IPS port scan on well-known vulnerable ports | Internet IPS/IDS | OOB |
| | | IDS/IPS port scan on critical assets (PDMZ) | Internet IPS/IDS | OOB |
| | | IDS/IPS port scan on well-known vulnerable ports | Internet IPS/IDS | OOB |
| | Vulnerability scan from outside | Vulnerability scan | Internet - Firewalls and IDS/IPS | OOB |
| | | Vulnerability scan on critical assets | Internet - Firewalls and IDS/IPS, Server HIDS/HIPS | Using criticality context to identify port scans on vulnerable ports |
| | Communication traffic from an unusual geo-location source | Communication traffic observed from an unusual geo-location source | Internet - Firewalls and IPS/IDS, VPN devices | Use data from FW, IPS & IDS with GeoIP enrichment to identify any communication to or from unusual geos |
| | Communication traffic known to be from bad or blacklisted source host addresses | Communication traffic observed from bad or blacklisted source host addresses | Firewalls, IPS/IDS, VPN | Use data from FW, IPS & IDS with threat intelligence to identify any communication to or from such addresses |
| | Slow scans | Slow horizontal scan | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic |
| | | Slow vertical scan | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic |
| | | Slow box scan (combination of horizontal and vertical scan) | Internet - Firewalls and IDS/IPS | Using logs and packets with threat intelligence to detect any beaconing traffic |
| Initial Compromise | Spear phishing | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content |
| | Weaponized document | Malware downloaded | AV | Using packet capture to analyse the downloaded file for malicious content |
| | Watering hole attack | Malware downloaded | Proxy | Using packet capture to analyse the downloaded file for malicious content |
| | System exploit | C&C communication attempts | Proxy/Firewall threat feed | Using threat intelligence, identify known CnC communication attempts |
| Establish Foothold | Install backdoor malware | Malware has been installed | AV | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| | Create command and control infrastructure | C&C communication denied by firewall/proxy | Firewalls/Proxy - Threat Feed | Using threat intelligence, identify known CnC communication attempts |
| | | Successful C&C communication | Firewalls/Proxy - Threat Feed | Using threat intelligence, identify known CnC communication attempts |
| | Install keyloggers | Unauthorized software installed - keyloggers | AV | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| | Dump password hashes | Privilege escalation alerts | Windows OS | Any privilege escalation monitored for changes |
| | | Unauthorized software installed - password hash dumping tool | AV / EDR | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| | Rootkits | Successful privilege escalation alerts | Windows OS | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| | | Rootkits installed | AV | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| Escalate Privileges | Retrieve password hashes | Password hash transport detected | NIDS/NIPS (signature to capture NTLM password hash in clear text) | Using a parser for content analysis, packet capture can detect the clear-text transport of hashes or other data |
| | Traffic sniffing | Network adaptor going into promiscuous mode (whitelist for apps like Symantec HIDS) | Windows/Unix OS | OOB |
| | Keylogging | Unauthorized software installed - keyloggers | AV | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| Internal Recon | Gather system information, network information, hardware info | Inside - horizontal port scan | Firewalls, IPS/IDS | OOB |
| | | Inside - horizontal port scan on well-known vulnerable ports | | OOB |
| | | Inside - horizontal port scan on critical assets (PDMZ) | | OOB |
| | | Inside - horizontal port scan on existing vulnerable ports on critical assets (PDMZ) | | OOB |
| | | Inside - vertical port scan | | OOB |
| | | Inside - vertical port scan on well-known vulnerable ports | | OOB |
| | | Inside - vertical port scan on critical assets | | OOB |
| | | Inside - vertical port scan on existing vulnerable ports on critical assets | | OOB |
| | | Inside - HIDS/HIPS port scan on well-known vulnerable ports | | OOB |
| | | Inside - HIDS/HIPS port scan on critical assets | | OOB |
| | | Inside - HIDS/HIPS port scan on well-known vulnerable ports | | OOB |
| | | Inside - vulnerability scan | | OOB |
| | | Inside - vulnerability scan on critical assets | | OOB |
| | | Inside - ARP broadcast detected | | Using NetFlow or packet capture |
| | Looks at files and documents, explores file shares | Workstation-to-workstation communication | Windows OS, SEPM | Internal communication monitoring, user-to-user VLAN |
| | | User behavior anomaly detected | | |

The solution proposed is based around the RSA Security Analytics platform. This can collect logs as well as network packet data to give much greater visibility into the risk that the organization may be exposed to. By combining not just the log data collected from the devices within the infrastructure but also identifying anomalies within the network traffic, as well as using 3rd-party feeds from industry authoritative sources, it is possible to identify whether your organization is under attack, exposed to new and emerging threats, or has already been compromised. This can be implemented in a phased approach, initially focusing on log data and eventually moving towards a more pervasive view with the implementation of packet capture.
At the log collection level RSA can use techniques such as baselining of events across devices as well as advanced correlation, so that an organization can be alerted to an event that falls outside of normal day-to-day activity. This can help provide insight into anomalies and areas of concern that the security analyst may need to be aware of. These can be as simple as multiple failed logins across a number of different devices, or more complicated scenarios such as unusual activity seen in web logs from a certain username, combined with escalation of privileges for that user and then failed and successful logins to resources holding sensitive data, which may in some circumstances indicate a breach of the network.
In terms of packet data there are a number of techniques and applications available to help an organization get deep visibility into the health of the network.
Metadata is assigned to the packets that are collected to make the data much easier to search through as well as far more human-readable. The data that is collected can also be referenced against live feeds from various authoritative sources to further enrich your data and provide intelligence around the latest threats as well as blacklisted IPs, known bad websites, etc. This enables automated alerting and reporting against the threats that the organization is exposed to. These alerts and reports are presented on a dashboard and can be customized to provide intelligence relevant to the organization.
Another component of the solution is the malware analysis tool, which evaluates the threat posed by any executable seen within the organization. This is done using a variety of techniques such as static file analysis, sandboxing, next-generation analysis and referencing against community information, as well as allowing the organization to see whether their antivirus, or in fact any antivirus vendor, would have flagged it as malicious. This tool is especially useful when looking for 0-day malware that signatures alone would not have spotted.
| Category | Sub Category | Use Case | Log Source | RSA Supported |
|---|---|---|---|---|
| Move Laterally | Use of psexec, scheduled tasks (at command), WMI | Capture scheduled tasks with task name "At<number>" (event IDs 602, 4698) | Windows OS | Can be achieved using event IDs from Windows system event logs |
| | | psexec: monitor event log service install (event ID 4697) with service name psexesvc | Windows OS | Can be achieved using event IDs from Windows system event logs |
| | Use of valid credentials over SMB or RDP | Anomaly detection using event logs | User behavior analysis | Internal communication monitoring for user behaviour changes such as frequent multiple failed and successful logins |
| | | Desktop-to-desktop communication observed | SEPM/HIDS (personal firewall) | Internal communication monitoring for user behaviour changes such as frequent multiple failed and successful logins |
| Maintain Presence | Backdoor malware | Malware has been installed | Application whitelisting, AV, Anti-malware solution | The installation of a package can be identified from system logs, but actual endpoint forensics requires the endpoint solution ECAT. Without endpoint forensics we cannot confirm whether the installed software is malicious unless threat feeds already have the data |
| | VPN access | Detailed analysis of host check failure alerts | VPN device | Trend report on Host Checker status of VPN clients |
| | | Anomaly detection for VPN users (user profiling) | User behavior analysis | Baselining of VPN user access requests to monitor any behavioural changes or deviations |
| | | Executable detected in HTTP/HTTPS traffic | NIDS/NIPS | Using packet capture, files detected as a non-standard service over a standard protocol |
| | Password-encoded zip or RAR files | Password-encoded outbound file transfer detected | NIDS, proxy, DLP | Using packet capture, identify zip and RAR files |
| | FTP | File transfer over FTP detected (whitelist for allowed FTP IPs) | Firewalls | Whitelisting of key listed FTP sites |
| | SMB | Connection established over SMB ports (139, 445) towards known bad IP | Firewalls - threat feed | Using threat intelligence and SMB ports to identify threats and SMB traffic within the internal network |
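The Move Laterally rows above give concrete Windows event criteria: service install 4697 with service name psexesvc, task creation 602/4698 with a task named At<number>, and bursts of failed logins followed by a success for the same account. As an added example, not part of the original post and not NetWitness code, this Python script runs those three checks over a constructed set of event records; the record field names, thresholds and sample values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Rule parameters (assumed; tune to the environment being monitored)
AT_TASK = re.compile(r"^At\d+$")   # legacy at.exe tasks are named "At<number>"
PSEXEC_SERVICE = "psexesvc"        # service name PsExec installs (event ID 4697)
FAIL_THRESHOLD = 3                 # failed logons (4625) before a success (4624)
FAIL_WINDOW = timedelta(minutes=5)

# Constructed sample of Windows Security event records (hypothetical field names)
SAMPLE_EVENTS = [
    {"ts": "2016-10-26T09:00:01", "id": 4697, "host": "srv01", "user": "CORP\\alice", "service": "PSEXESVC"},
    {"ts": "2016-10-26T09:00:05", "id": 4698, "host": "srv01", "user": "CORP\\alice", "task": "At1"},
    {"ts": "2016-10-26T09:01:00", "id": 4698, "host": "ws22", "user": "CORP\\bob", "task": "\\Microsoft\\Windows\\Backup\\Nightly"},
    {"ts": "2016-10-26T09:02:00", "id": 4697, "host": "ws22", "user": "SYSTEM", "service": "wuauserv"},
    {"ts": "2016-10-26T09:03:00", "id": 4625, "host": "fs01", "user": "CORP\\carol", "src": "10.0.5.7"},
    {"ts": "2016-10-26T09:03:10", "id": 4625, "host": "fs01", "user": "CORP\\carol", "src": "10.0.5.7"},
    {"ts": "2016-10-26T09:03:20", "id": 4625, "host": "fs01", "user": "CORP\\carol", "src": "10.0.5.7"},
    {"ts": "2016-10-26T09:03:30", "id": 4624, "host": "fs01", "user": "CORP\\carol", "src": "10.0.5.7"},
    {"ts": "2016-10-26T09:10:00", "id": 4625, "host": "fs01", "user": "CORP\\dave", "src": "10.0.5.9"},
    {"ts": "2016-10-26T09:10:05", "id": 4624, "host": "fs01", "user": "CORP\\dave", "src": "10.0.5.9"},
]


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")


def detect_lateral_movement(events):
    """Return (rule, host, user) alerts for the three lateral-movement indicators."""
    alerts = []
    failures = defaultdict(list)  # (user, source IP) -> timestamps of 4625 events
    for ev in sorted(events, key=_ts):
        eid = ev["id"]
        if eid in (602, 4698):
            # drop any scheduler folder path, then match the legacy At<number> name
            name = ev.get("task", "").rsplit("\\", 1)[-1]
            if AT_TASK.match(name):
                alerts.append(("at_task", ev["host"], ev["user"]))
        elif eid == 4697:
            if ev.get("service", "").lower() == PSEXEC_SERVICE:
                alerts.append(("psexec_service", ev["host"], ev["user"]))
        elif eid == 4625:
            failures[(ev["user"], ev.get("src", ""))].append(_ts(ev))
        elif eid == 4624:
            key = (ev["user"], ev.get("src", ""))
            recent = [t for t in failures[key] if _ts(ev) - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append(("fail_then_success", ev["host"], ev["user"]))
            failures[key] = []  # a success closes the burst either way
    return alerts


if __name__ == "__main__":
    for rule, host, user in detect_lateral_movement(SAMPLE_EVENTS):
        print(f"{rule:20s} host={host} user={user}")
```

The sample yields three alerts (PsExec service on srv01, At1 task on srv01, carol's failed-then-successful burst on fs01); bob's ordinary scheduled task, the Windows Update service install and dave's single failure are not flagged.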
