
Detecting Intrusions with the RSA NetWitness Suite

Blog post by Amy Blackshaw, Feb 22, 2018

The threat landscape remains aggressive, and the advantage still sits with the threat actors. Attackers use ever-evolving tools and techniques that evade signature-based intrusion detection. We are no longer dealing with simple script kiddies who can be thwarted by a traditional, prevention-only approach. Tipping the advantage back to defenders requires deep inspection of network traffic and endpoint behaviour for signs of intrusion: signatures for known attacks, yes, but also detection of unknown threats that goes beyond static rules and policies.

IPS/IDS has always promised to stop or detect intrusions at the front door with a signature-based approach that blocks on known indicators, but no matter how high a wall the security team builds, some attacks will still get over (or through) it. Today, preventing an intrusion means stopping attackers from taking (or destroying) your data, and you cannot rely only on rules, as a traditional IDS does. Whether through malware analytics, user behaviour analytics, advanced correlation or endpoint analytics, true intrusion detection must be built on visibility across the network and down to the endpoint. One size does not fit all here.

Detecting intrusions has to begin with understanding network traffic and using it to detect anomalies that may signal an intrusion. This is exactly what RSA NetWitness Suite does: it detects intrusions and attacks as they are happening by performing multiple types of analysis on enriched network metadata, rather than relying on rules alone as a traditional IDS does. With out-of-the-box threat content for known and unknown threats such as malicious WebShells, DNS tunneling, custom protocols, lateral movement and data exfiltration, analysts can deploy the same detection rules used by the RSA Incident Response Team. Real-time enrichment with threat intelligence (from industry experts, third-party providers and crowdsourced from our customer base) as well as business context allows better prioritization of alerts and helps analysts during forensics and hunting. The same enriched metadata can be used to detect anomalies across the network, suspicious activity by machines and users, and abnormal activity in applications, wherever they reside (on premises, in virtual machines or in third-party clouds) and in both north-south and east-west communications.

Let’s take a look at an example – detecting intrusions based on Webshells – and how RSA NetWitness Suite can give early indicators of an intrusion.

A Typical Attack Scenario

A common method of attack leverages vulnerabilities in a website (e.g. SQL injection, remote file inclusion) to remotely generate or upload a file that acts as a WebShell. Once the WebShell is installed, the remote attacker crafts HTTP POST requests directly to it with embedded commands, which are executed as if the attacker had local (shell) access to the web server.


Attackers who successfully use WebShells take advantage of the fact that many organizations do not have complete visibility into HTTP sessions. Traditional tools rely on signatures and are easily blinded by intentional obfuscation of payloads and commands. To respond effectively to WebShell attacks, defenders must maximize visibility into each stage of the attack lifecycle. The following chart contrasts the visibility into an attacker's tools, tactics and procedures (TTPs) at each attack stage provided by traditional tools with that of the RSA NetWitness solution:


Detecting possible WebShell activity involves understanding what an HTTP session with an embedded command typically looks like. There are a few notable features often seen with this attack:

  • The request is sent directly to the web server with the HTTP POST method, so the command travels in the request body rather than in the URL. Typical web access logs record the request line but not the body, so the command never appears in them (whereas with HTTP GET the command would be visible in the logged URL).
  • No HTTP GET is seen before the POST. Normal human-driven web traffic shows a GET (page load) before a POST (form submission) is issued.
  • (Usually) no Referer header, since the request is sent directly to the server and is not the result of click-through browsing.
  • The posted data includes obfuscated shell commands to be executed by the WebShell.
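The four features above can be turned into detection logic directly. The following is an added example, not RSA NetWitness content: it walks a handful of constructed HTTP sessions in capture order, tracks which clients have previously issued a GET to each host, and flags POSTs that show two or more of the remaining WebShell indicators (no prior GET, no Referer, a base64-encoded body field, a recognizable shell command in the body). The `HttpSession` fields, the keyword list and the sample traffic are assumptions for illustration; a real pipeline would feed it reconstructed session metadata.

```python
"""Heuristic WebShell-POST detector over reconstructed HTTP sessions.

Added example (not RSA NetWitness code). Session fields, keywords and
sample traffic are assumptions chosen to illustrate the four indicators
described in the text.
"""
import base64
import binascii
import re
import urllib.parse
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Plausible base64 blob: standard alphabet, optional padding.
B64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
# Shell-ish tokens; deliberately long to avoid matching ordinary form data.
SHELL_KEYWORDS = re.compile(
    rb"(whoami|uname|ipconfig|powershell|/bin/sh|cmd\.exe|/etc/passwd|passthru|shell_exec)",
    re.IGNORECASE,
)
MIN_INDICATORS = 2  # indicators beyond "it is a POST" needed to alert


@dataclass
class HttpSession:
    """Minimal metadata a session-reconstructing sensor would emit (assumed shape)."""
    src_ip: str
    host: str
    method: str
    path: str
    headers: Dict[str, str]
    body: bytes = b""


def decode_form_values(body: bytes) -> Tuple[List[bytes], List[bytes]]:
    """Split a form-encoded body into raw values and the base64 decodings of
    any value that looks like a base64 blob (the usual obfuscation layer)."""
    raw_values, decoded_values = [], []
    for part in body.split(b"&"):
        _, _, raw = part.partition(b"=")
        value = urllib.parse.unquote_to_bytes(raw)
        raw_values.append(value)
        if len(value) >= 16 and B64_RE.fullmatch(value):
            try:
                decoded_values.append(base64.b64decode(value, validate=True))
            except (binascii.Error, ValueError):
                pass  # looked like base64 but was not; keep the raw value only
    return raw_values, decoded_values


def analyse(sessions: List[HttpSession]) -> List[dict]:
    """Walk sessions in capture order and return alerts for suspicious POSTs."""
    seen_get = set()  # (client, host) pairs that have browsed normally
    alerts = []
    for index, s in enumerate(sessions):
        key = (s.src_ip, s.host)
        method = s.method.upper()
        if method == "GET":
            seen_get.add(key)
            continue
        if method != "POST":
            continue
        headers = {k.lower(): v for k, v in s.headers.items()}
        raw_values, decoded_values = decode_form_values(s.body)
        reasons = []
        if key not in seen_get:
            reasons.append("no prior GET from client to host")
        if "referer" not in headers:
            reasons.append("no Referer header")
        if decoded_values:
            reasons.append("base64-encoded field in POST body")
        if any(SHELL_KEYWORDS.search(v) for v in raw_values + decoded_values):
            reasons.append("shell command in POST body")
        if len(reasons) >= MIN_INDICATORS:
            alerts.append({"index": index, "src_ip": s.src_ip, "host": s.host,
                           "path": s.path, "reasons": reasons})
    return alerts


# Constructed sample traffic: one normal browsing pair, two WebShell-style POSTs.
ENCODED_CMD = urllib.parse.quote_from_bytes(
    base64.b64encode(b"whoami; cat /etc/passwd")).encode()
SAMPLE_SESSIONS = [
    HttpSession("10.0.0.5", "shop.example.com", "GET", "/login.php",
                {"User-Agent": "Mozilla/5.0"}),
    HttpSession("10.0.0.5", "shop.example.com", "POST", "/login.php",
                {"User-Agent": "Mozilla/5.0",
                 "Referer": "https://shop.example.com/login.php"},
                b"user=alice&pass=hunter2"),
    HttpSession("203.0.113.7", "shop.example.com", "POST", "/images/cache.php",
                {"User-Agent": "python-requests/2.0"}, b"a=" + ENCODED_CMD),
    HttpSession("203.0.113.7", "shop.example.com", "POST", "/images/cache.php",
                {"User-Agent": "python-requests/2.0"}, b"cmd=uname%20-a"),
]

if __name__ == "__main__":
    for alert in analyse(SAMPLE_SESSIONS):
        print(f"session {alert['index']}: POST {alert['path']} from {alert['src_ip']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Only the two POSTs to `/images/cache.php` are reported; the login POST has a prior GET, a Referer and no command-like content, so it scores zero. `MIN_INDICATORS` is the tuning knob: at 2, an API client that legitimately POSTs without browsing first and without a Referer will also surface, which is the trade-off between catching a plain-text command (three indicators) and tolerating machine-to-machine traffic.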


By reconstructing the entire HTTP session upon capture and immediately generating and extracting rich metadata, RSA NetWitness Suite makes it simple to alert on the features indicative of a WebShell attack, which is often a very early sign of an intrusion.


RSA NetWitness Suite is a critical component of any security organization's ability to detect intrusions that bypass security controls and other monitoring capabilities. The Suite uses multiple types of analytics, not just static rules, to find the broadest set of both known and unknown threats.

To read more about how RSA NetWitness Suite can detect early in the lifecycle of an intrusion attempt, check out the Remote Access: Webshells solution brief.