UEBA: Use Cases for Network (Packets)

Document created by RSA Information Design and Development Employee on Jan 31, 2020. Last modified by RSA Information Design and Development Employee on Feb 9, 2020.

In NetWitness Platform 11.4, UEBA can detect malicious traffic masked within an authentic HTTPS session. To support this, UEBA added a TLS data source and introduced two new entities, JA3 and SSL Subject, which are used on inbound and outbound network traffic.

  • JA3 - Investigate this entity when you have limited visibility into anomalous behavior in the network. Its purpose is to support JA3-signature-based analysis for detecting abnormal network behavior.

  • SSL Subject - Investigate this entity to validate false negatives and true positives for SSL fingerprints raised in UEBA alerts. Its purpose is to surface anomalies on SSL certificate entities, which represent domain network activity in HTTPS communication.

For more information about NetWitness UEBA-supported entity indicators, see NetWitness UEBA Use Cases for Network (Packets).

                       
Alert TypeDescription
PhishingPhishing is the fraudulent attempt to obtain sensitive information such as usernames, passwords and credit card details by disguising oneself as a trustworthy entity in an electronic communication. This activity can be associated with Uncommom SSL Subject, Uncommon Domain, Uncommon Port and High Number of Distinct Source IPs. indicators.
ExfiltrationExfiltration is the unauthorized copying, transfer, or retrieval of data from a computer or server. Exfiltration is a malicious activity performed through various techniques, typically by cyber criminals over the Internet or other network. This activity can be associated with Unusual Traffic Volume sent from A Source IP and Large Transfer from A Source IP indicators.

NetWitness UEBA Indicators for Network

The following tables list the indicators that are displayed when potentially malicious activity is detected for these entities.

JA3

Indicator | Alert Type | Description
--- | --- | ---
Unusual Traffic Volume Sent using JA3 | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for an application.
Uncommon Domain (Alias.Host[1]) for JA3 | Phishing, Adware/Malware Installation or Update | When an uncommon domain is contacted for an application.
Uncommon Port for JA3 | Phishing, Adware/Malware Installation or Update | When an uncommon port is contacted for an application.
Uncommon Organization for JA3 | Phishing, Adware/Malware Installation or Update | When an uncommon organization is contacted for an application.
Uncommon Time for JA3 | | When an application is used at an uncommon time.
Uncommon Country for JA3 | Phishing, Adware/Malware Installation or Update | When an uncommon country is contacted for an application.
Uncommon ASN for JA3 | Phishing, Adware/Malware Installation or Update | When an uncommon ASN is contacted for an application.
Source Netname Uses New JA3 | Phishing, Adware/Malware Installation or Update | When a source netname accesses a remote site using a new application.
Large Outbound Transfer Using New JA3 | Exfiltration | When a host in the organization sends a high amount of data using a new application.
JA3 Accesses a High Number of New SSL.Subject | Command & Control, Malicious Download | When an application contacts an unexpectedly high number of new ssl.subject values.
JA3 Accesses a High Number of New Domain (Alias.Host[1]) | Command & Control, Malicious Download | When an application contacts an unexpectedly high number of new domains (alias.host).
JA3 Accesses a High Number of New Organization | Command & Control, Malicious Download | When an application contacts an unexpectedly high number of new organizations.
JA3 Accesses a High Number of New ASN | Command & Control, Malicious Download | When an application contacts an unexpectedly high number of new ASNs.
JA3 Accesses a High Number of New Country | Command & Control, Malicious Download | When an application contacts an unexpectedly high number of new countries.
JA3 Accesses a High Number of New Destination Port | Command & Control, Malicious Download | When an application contacts an unexpectedly high number of new destination ports.

SSL Subject

Indicator | Alert Type | Description
--- | --- | ---
Unusual Traffic Volume Sent From a Source IP to Domain For Same SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for a domain.
Unusual Traffic Volume Sent From a Source IP to Organization For Same SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for an organization.
Unusual Traffic Volume Sent From a Source IP to Destination Port For Same SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for a destination port.
Unusual Traffic Volume Sent to SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for an ssl.subject.
Unusual Traffic Volume Sent to Domain (Alias.Host[1]) For Same SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for a domain.
Unusual Traffic Volume Sent to Destination Port For Same SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for a destination port.
Unusual Traffic Volume Sent to Organization For Same SSL.Subject | Exfiltration | When a host in the organization sends an unexpectedly high amount of data for an organization.
High Number of Distinct Source IP for new SSL.Subject | Phishing, Adware/Malware Installation or Update | When an unexpectedly high number of hosts in the organization contact the same new ssl.subject.
High Number of Distinct Source IP for same new domain for same SSL.Subject | Phishing, Adware/Malware Installation or Update | When an unexpectedly high number of hosts in the organization contact the same new domain.
High Number of Distinct Source IP for new organization for same SSL.Subject | Phishing, Adware/Malware Installation or Update | When an unexpectedly high number of hosts in the organization contact the same new organization.
High Number of Distinct Source IP for new destination Port for same SSL.Subject | Phishing, Adware/Malware Installation or Update | When an unexpectedly high number of hosts in the organization contact a new domain.
Large Outbound Transfer From a Source IP to a New SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new ssl.subject.
Large Outbound Transfer From a Source IP to a New Domain (Alias.Host[1]) For Same SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new domain.
Large Outbound Transfer From a Source IP to a New Destination Port For Same SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new destination port.
Large Outbound Transfer From a Source IP to a New Organization for Same SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new organization.
Large Outbound Transfer To a New SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new ssl.subject.
Large Outbound Transfer To a New Domain (Alias.Host[1]) For Same SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new domain.
Large Outbound Transfer To a New Destination Port For Same SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new destination port.
Large Outbound Transfer To a New Organization for Same SSL.Subject | Data Exfiltration | When a host in the organization sends a high amount of data to a new organization.
Uncommon Country for SSL.Subject | Phishing (SSL.Subject impersonation) | When a host in the organization contacts an SSL.Subject in an uncommon country for this SSL.Subject.
Uncommon Time for SSL.Subject | Data Exfiltration, Command & Control, Adware/Malware Installation or Update | When a host in the organization contacts an SSL.Subject at an uncommon time for this SSL.Subject.
Uncommon Destination Port for Domain | <need inputs> | <need inputs>
Uncommon Destination Port for Organization | <need inputs> | <need inputs>
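The "new value" indicators in both tables (JA3 Accesses a High Number of New SSL.Subject, and High Number of Distinct Source IP for new SSL.Subject) share one idea: learn a baseline of the values each entity has been seen with, then count values on the evaluation day that fall outside it. The Python sketch below is an added example, not RSA NetWitness code; the session records are constructed, the field layout mirrors the meta names the page mentions (ja3, ssl.subject, alias.host, ip.src), and the threshold of 3 is an assumed cut-off rather than NetWitness's scoring.

```python
from collections import defaultdict

# Constructed TLS session metadata (not real capture data):
# (day, ja3, ssl.subject, alias.host, ip.src, destination port, bytes out)
SESSIONS = [
    (1, "ja3-A", "CN=mail.example.net", "mail.example.net", "10.0.0.5", 443, 20000),
    (1, "ja3-A", "CN=cdn.example.com", "cdn.example.com", "10.0.0.6", 443, 8000),
    (2, "ja3-A", "CN=mail.example.net", "mail.example.net", "10.0.0.5", 443, 22000),
    # Day 3: the same JA3 suddenly contacts several never-seen subjects.
    (3, "ja3-A", "CN=x1.test", "x1.test", "10.0.0.5", 8443, 5000),
    (3, "ja3-A", "CN=x2.test", "x2.test", "10.0.0.5", 8443, 5000),
    (3, "ja3-A", "CN=x3.test", "x3.test", "10.0.0.5", 8443, 5000),
    # Day 3: many distinct internal hosts contact one new SSL.Subject.
    (3, "ja3-B", "CN=new-login.test", "new-login.test", "10.0.0.11", 443, 1000),
    (3, "ja3-B", "CN=new-login.test", "new-login.test", "10.0.0.12", 443, 1000),
    (3, "ja3-B", "CN=new-login.test", "new-login.test", "10.0.0.13", 443, 1000),
    (3, "ja3-B", "CN=new-login.test", "new-login.test", "10.0.0.14", 443, 1000),
]

def build_baseline(sessions, before_day):
    """Learn, from days before `before_day`, which SSL.Subjects each JA3
    has contacted and which SSL.Subjects the organization has seen at all."""
    ja3_subjects = defaultdict(set)
    known_subjects = set()
    for day, ja3, subject, *_ in sessions:
        if day < before_day:
            ja3_subjects[ja3].add(subject)
            known_subjects.add(subject)
    return ja3_subjects, known_subjects

def new_subjects_per_ja3(sessions, day, threshold=3):
    """'JA3 Accesses a High Number of New SSL.Subject': per JA3, count the
    subjects contacted on `day` that are absent from that JA3's baseline."""
    ja3_subjects, _ = build_baseline(sessions, day)
    new = defaultdict(set)
    for d, ja3, subject, *_ in sessions:
        if d == day and subject not in ja3_subjects[ja3]:
            new[ja3].add(subject)
    return {ja3: len(s) for ja3, s in new.items() if len(s) >= threshold}

def distinct_sources_for_new_subject(sessions, day, threshold=3):
    """'High Number of Distinct Source IP for new SSL.Subject': for subjects
    never seen before `day`, count the distinct ip.src values contacting them."""
    _, known = build_baseline(sessions, day)
    sources = defaultdict(set)
    for d, _ja3, subject, _host, ip_src, *_ in sessions:
        if d == day and subject not in known:
            sources[subject].add(ip_src)
    return {s: len(ips) for s, ips in sources.items() if len(ips) >= threshold}
```

Running both checks for day 3 flags ja3-A (three never-seen subjects) and CN=new-login.test (four distinct internal sources), while day 2 produces no findings because every subject was already in the baseline.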

Access NetWitness UEBA

Note: To access the NetWitness UEBA service and the Entities tab, you must be assigned either the UEBA_Analyst role or the Administrators role. For information about how to assign these roles, see the "How Role-Based Access Control Works" topic in the System Security and User Maintenance Guide. You must also ensure that proper NetWitness UEBA licensing is configured. For information about NetWitness UEBA licensing, see the "User and Entity Behavior Analytics License" topic in the Licensing Management Guide.

To access NetWitness UEBA, log in to NetWitness Platform and go to INVESTIGATE > ENTITIES. The Entities view, which contains all the NetWitness UEBA features, is displayed.

Users view, Overview tab

You can choose a dark or a light theme for the view. For information, please see the "Choose the Appearance of NetWitness Platform" topic in the RSA NetWitness Getting Started Guide.
