Alerting: Configure Automated Threat Detection

Document created by RSA Information Design and Development on Jul 20, 2016. Last modified by RSA Information Design and Development on Apr 26, 2017.
Version 2

This topic tells administrators and analysts how to configure and work with Automated Threat Detection. 

This procedure provides the steps needed to configure Automated Threat Detection on your ESA. Before you enable Automated Threat Detection, note that several components may be installed on the same ESA, including Automated Threat Detection, ESA Rules, and the Context Hub. Each of these consumes resources, so consider sizing before enabling this feature on your ESA.

Prerequisites

You must have configured a Decoder for HTTP packet data. 

You must have configured an HTTP Lua or Flex parser.

For best performance, enable the Context Hub service. This allows you to create a whitelist.

Important: Automated Threat Detection requires a "warm-up" period that acclimates the scoring algorithm to the traffic in your network. You should plan to configure Automated Threat Detection so that the warm-up period can be run during normal traffic. For example, starting Automated Threat Detection on a Tuesday at 8:00 am in the timezone which contains the majority of your users allows the module to accurately analyze a day of normal traffic.

Procedure: Configuring Automated Threat Detection

This procedure provides the steps needed to configure Automated Threat Detection. 

The basic steps required are:

  1. Create a whitelist (optional) using the Context Hub service. Creating a whitelist allows you to ensure that commonly accessed websites are excluded from any Automated Threat Detection scoring.
  2. Enable Automated Threat Detection for your specified ESA. You need to enable Automated Threat Detection for each ESA where you want the service to run.
  3. Configure Whois settings. The Whois service allows you to get accurate data about the domains that you connect to. To ensure effective scoring, it is important that you configure the Whois service settings.
  4. Verify that the Whois service is reachable from your environment. For Automated Threat Detection to perform correctly, it is essential that the Whois service is reachable. Once Automated Threat Detection is running, you can verify that the service is connecting.
  5. Create a calendar reminder to monitor traffic and Whois configuration. Once you have configured Automated Threat Detection, set a calendar reminder to check traffic and alerts after the warm-up period.
  6. Verify the C2 Incident Manager rule is enabled and monitor for activity. When using Automated Threat Detection, a period of time is required for the scoring algorithm to warm up. After the warm-up period, verify the C2 rule is enabled in Incident Manager and monitor to see if the rule is triggered.

Step 1: Create a Domains Whitelist (Optional)

Note: This step is optional: if you use the Incident Manager to manage these incidents, you can also create a whitelist by closing an incident as false-positive.  

This procedure is used when working with Automated Threat Detection to ensure that certain domains do not trigger a threat score. Sometimes, a domain you access regularly may trigger an Automated Threat Detection score. For example, a weather service might show beaconing behavior similar to Command and Control communication, thus triggering an unwarranted negative score. When this happens, it is called a false positive. To prevent a false positive for a specific domain, you can add the domain to a whitelist. Most domains do not need to be whitelisted because the solution only alerts on very suspect behaviors. The domains you may want to whitelist are valid automated services that few hosts connect to.


Note: You can have only one Context Hub service instance enabled in your Security Analytics deployment. If your Context Hub service is running on a different ESA, you need to configure your ESA to connect to the ESA that runs the Context Hub service. For instructions, see "Configure an ESA to Connect to the Context Hub on Another ESA" in the Event Stream Analysis Configuration Guide.

  1. From the Context Hub service, you can create a list and manually add domains, or you can upload a .CSV file containing a list of domains.
    1. From Administration > Services, select the Context Hub.
    2. Select the Context Hub, then the Actions icon > View > Config.
    3. Select the List tab to open the lists for editing.
    4. In the left pane, click to add a list. Enter a name for the list and then manually add domains by clicking in the right pane.

    You can enter full domains, or you can use a wildcard to include all sub-domains for a given domain. For example, you can enter *.gov to whitelist all .gov domains. However, you cannot use other regex functions, such as [a-z]*.gov. This is because *.gov matches an entire string, such as www.irs.gov.

Caution: The whitelist must be named Whitelisted Domains. Otherwise, the Context Hub will not be able to process the list as a whitelist.

    5. Or, to import a .CSV file, open the Import File dialog box and navigate to the .CSV file. Note that the file must be named Whitelisted Domains. Choose from the following delimiters: Comma, LF (Line Feed), and CR (Carriage Return), depending on how you have separated the values in your file. Then click Upload.
  2. From the Context Hub service, you can also modify an existing whitelist to add or remove a domain.
    1. In the right pane, List displays your existing domain whitelist.
    2. Click Whitelisted Domains. The values for the whitelist display in the right pane.
    3. To add a domain, add a new entry and enter the domain name.
    4. To remove a domain, select the domain and delete it.
    5. To import a .CSV file, open the Import File dialog box and navigate to the .CSV file. Choose from the following delimiters: Comma, LF (Line Feed), and CR (Carriage Return), depending on how you have separated the values in your file. Then click Upload.
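
To make the whitelist rules above concrete, here is an added Python example (not RSA product code) that parses a delimited Whitelisted Domains upload and applies the single supported wildcard form. The Context Hub's exact matching logic is not documented here; in particular, it is an assumption that *.gov also covers the bare domain gov.

```python
"""Added example, not RSA product code: parse a 'Whitelisted Domains'
upload and apply the one wildcard form the Context Hub list supports."""
import re

# Constructed sample upload, comma-delimited as the Import File dialog allows.
SAMPLE_CSV = "weather.example.com,*.gov,ntp.example.org"

# A plain domain, or the part after "*.": labels of letters, digits and hyphens.
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*$")


def parse_whitelist(text, delimiter=","):
    """Split on the chosen delimiter (Comma, LF or CR) and normalise entries.
    Anything using regex syntax other than a leading '*.' (e.g. [a-z]*.gov)
    is rejected, because the list does not support it."""
    entries = []
    for raw in text.split(delimiter):
        item = raw.strip().lower().rstrip(".")
        if not item:
            continue
        body = item[2:] if item.startswith("*.") else item
        if not _DOMAIN.match(body):
            raise ValueError(f"unsupported whitelist pattern: {raw!r}")
        entries.append(item)
    return entries


def is_whitelisted(domain, whitelist):
    """'*.gov' covers every sub-domain such as www.irs.gov (and, as an
    assumption here, the bare domain gov); a plain entry matches only that
    exact host, so weather.example.com does not cover www.weather.example.com."""
    host = domain.strip().lower().rstrip(".")
    for entry in whitelist:
        if entry.startswith("*."):
            suffix = entry[2:]
            if host == suffix or host.endswith("." + suffix):
                return True
        elif host == entry:
            return True
    return False
```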

Step 2: Enable Automated Threat Detection

  1. From Administration > Services, select your ESA service and then the Actions icon > View > Config.
  2. Click the Advanced tab, select Enable Automated Threat Detection, and click Apply.
  3. Set a warm-up duration. A warm-up period is required to allow Automated Threat Detection to acclimate to your traffic. During this time, alerting is suppressed. Set the warm-up duration in hours. RSA recommends a warm-up period of 24 hours. After this warm-up period, alerts can be viewed. If the ESA restarts, this warm-up period starts over, so the time is reset. To stop an existing warm-up, enter 0 for the Warm-up Duration value, and click Apply.

    Note: The warm-up period should run while typical traffic is flowing. This enables Automated Threat Detection to create a scoring model based on typical behavior in your network. For example, if you set the warm-up period to run over a weekend, Automated Threat Detection creates a model based on traffic that is both lower than and different from typical weekday traffic. A better solution is to run the warm-up period on a weekday starting at 8 a.m. to ensure the model reflects normal traffic.

  4. Click Enable Live Whois Lookup to enable the Whois service for your ESA. This allows your ESA service to obtain detailed information about the domain that triggers the Automated Threat Detection score. By default, the Whois service uses the same User ID and password as your RSA Live User ID and password. If you have not configured an RSA Live account, you will need to do so prior to enabling the Whois service.


Automated Threat Detection and Whois Live Lookup are now enabled on your selected ESA. Once you enable the Whois Live Lookup, you can specify other Whois Lookup settings from the Explorer by following the instructions in Step 3: Configure the Whois Service Settings for your ESA.

Note: A rule is added to perform C2 detection. However, this "Suspect C&C" ESA rule is not visible in the User Interface for editing. The rule is not editable, and to prevent accidental deletion or modification, it is hidden from view. You can, however, view the associated Incident Manager rule and its results in the Incident Manager.

Step 3: Configure the WhoIs Service Settings for your ESA

You configure settings to allow your ESA to connect to the Whois service. This allows your ESA service to obtain detailed information about the domain that triggers the Automated Threat Detection score. 

Warning: The Whois service is critical for accurate Automated Threat Detection scoring. If you do not configure the Whois service, excessive alerting can occur.

  1. From Administration > Services, select your ESA service and then the Actions icon > View > Explore.
  2. In the Explorer, click Service > Whois > whoisClient.
  3. Configure the following settings. Only the first two parameters require modification; RSA recommends that you use the default settings for the other parameters.

    whoisUserId
      Required only if you did not enable the Whois service in Step 2: enter the authentication credential for the RSA Whois Server. This is the same as your RSA Live User ID. If you have not configured an RSA Live account, you will need to do so.
      The default value is "whois".

    whoisPassword
      Required only if you did not enable the Whois service in Step 2: enter the authentication credential for the RSA Whois Server. This is the same as your RSA Live password. If you have not configured an RSA Live account, you will need to do so.
      The default value is null.

    whoisUrl
      Optional: Enter the URL used to obtain Whois data from the RSA Whois Service. The trailing slash ('/') is required; otherwise, requests fail.
      The default value is "https://cms.netwitness.com/whois/query/".

    whoisAuthUrl
      Optional: Enter the URL used to obtain authentication tokens from the RSA Whois Service.
      The default value is "https://cms.netwitness.com/authlive/authenticate/WHOIS".

    whoisAuthTokenLifespanSeconds
      Optional: Enter the time, in seconds, after which an authentication token should be renewed.
      The default value is 3300.

    whoisHttpsProxy
      Optional: If HTTP requests require a proxy, set this to the same value that is used for the RSA Live service. Only use this parameter when insecureConnection is set to true.
      The default value is false.
      (Requires an ESA restart to take effect.)

    insecureConnection
      Optional: Set this parameter to true to allow the HTTP request to the RSA Whois Service to ignore SSL certificates.
      Note: If the RSA Whois Service is accessed via a proxy, this parameter should be set to true.
      The default value is false.
      (Requires an ESA restart to take effect.)

    allowedRequests
      Optional: Enter how many queries you want to allow before the Whois service starts throttling. This parameter works with allowedRequestsIntervalSeconds, which sets the interval for queries. For example, if you set allowedRequests to 100 and allowedRequestsIntervalSeconds to 60, you are allowed 100 requests in any 60-second interval.
      The default value is 100.
      (Requires an ESA restart to take effect.)

    allowedRequestsIntervalSeconds
      Optional: If you set the allowedRequests parameter, you also need to configure this setting to determine the interval. This value should be tuned for your environment.
      The default setting is 60 seconds.
      (Requires an ESA restart to take effect.)

    queueMaxSize
      Optional: Specify the maximum size of the queue of domains whose information will be requested from the RSA Whois Service.
      The default is 100,000.

    cacheMaxSize
      Optional: Specify the maximum number of cached Whois entries. Once this limit is reached, the least recently used entry is removed to accommodate a new entry.
      The default is 50,000.
      (Requires an ESA restart to take effect.)

    refreshIntervalSeconds
      Optional: Specify the refresh interval in seconds. If requested Whois information is found in the cache, and the cache entry has been there for more than the specified number of seconds, the entry is removed from the cache and the domain is returned to the queue to be looked up again. (The cache entry is still returned for the request that identified it as stale.)
      The default setting is 2,592,000 seconds (30 days).

    waitForHTTPRequest
      Optional: Requires the ESA to wait for the Whois service to respond before it can finish running the EPL. This ensures that the Whois data is always included in the results, but it can negatively impact performance because the ESA pauses for up to 30 seconds to wait for the Whois service response.
      If you do not set this parameter, and the response time is slow, the ESA completes the analysis for a given event without the Whois data and calculates the score without it.
      The default setting is true.
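
The queue, cache, refresh and throttle parameters above interact, and their defaults are easier to tune with the behaviour in front of you. The following added Python model (not RSA product code; the internal design of the real whoisClient is assumed, only the behaviour documented above is modelled) shows how allowedRequests, allowedRequestsIntervalSeconds, cacheMaxSize, refreshIntervalSeconds and queueMaxSize act on a handful of lookups.

```python
"""Added example, not RSA product code: a model of the whoisClient queue,
LRU cache, refresh and throttle semantics described above (internals assumed)."""
from collections import OrderedDict, deque

class WhoisClientModel:
    def __init__(self, allowed_requests=100, interval_seconds=60, cache_max_size=50_000,
                 refresh_interval_seconds=2_592_000, queue_max_size=100_000):
        self.allowed, self.interval = allowed_requests, interval_seconds
        self.cache_max, self.refresh = cache_max_size, refresh_interval_seconds
        self.queue_max = queue_max_size
        self.cache = OrderedDict()  # domain -> (record, inserted_at), LRU order
        self.queue = deque()        # domains waiting for a live lookup
        self.sent = deque()         # send times inside the throttle window

    def lookup(self, domain, now):
        """Return cached data, or None after queueing the domain. A stale entry
        (older than refreshIntervalSeconds) is still returned, then re-queued."""
        hit = self.cache.get(domain)
        if hit is None:
            self._enqueue(domain)
            return None
        record, inserted = hit
        if now - inserted > self.refresh:
            del self.cache[domain]
            self._enqueue(domain)
        else:
            self.cache.move_to_end(domain)  # mark as most recently used
        return record

    def _enqueue(self, domain):
        if domain not in self.queue and len(self.queue) < self.queue_max:
            self.queue.append(domain)

    def can_send(self, now):
        """At most allowedRequests in any allowedRequestsIntervalSeconds window."""
        while self.sent and now - self.sent[0] >= self.interval:
            self.sent.popleft()
        return len(self.sent) < self.allowed

    def drain(self, now, fetch):
        """Issue queued lookups while the throttle allows; `fetch` stands in for
        the HTTPS request to whoisUrl and returns the record to cache."""
        done = 0
        while self.queue and self.can_send(now):
            domain = self.queue.popleft()
            self.cache[domain] = (fetch(domain), now)
            if len(self.cache) > self.cache_max:
                self.cache.popitem(last=False)  # evict least recently used
            self.sent.append(now)
            done += 1
        return done
```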

Step 4: Verify the Whois Service is Reachable from your Environment

After starting Automated Threat Detection, test that the Whois service is reachable from your environment and that the configured account information is valid. You can see the count for the Whois calls incrementing in the Explorer.

To verify the Whois lookups are successful, go to ESA > Explore > Service > Whois > whoisClient and confirm that the ServiceRequestCount and Response200ValidData parameters are incrementing.


Step 5: Configure a Calendar Reminder to Monitor Traffic and Whois Settings After the Warm-Up Period

It is critical that you check alerts soon after the warm-up period to ensure that the scoring algorithm sets up correctly. To do this, set a calendar reminder immediately after the warm-up period to check on the alerts.


Step 6: Verify the Suspected Command & Control By Domain Rule is Enabled and Monitor the Rule

Verify the Suspected Command & Control by Domain rule in the Incident Manager.

Note: You must have configured the Incident Manager database for the Suspected Command & Control by Domain rule to display in the Incident Manager. If it does not display, follow the steps to configure the database in Configure Incident Manager in the Incident Management Configuration Guide.

  1. From Incidents > Configure, select Aggregation Rules.
  2. Select the Suspected Command & Control Communication by Domain rule, and double-click to open it.
  3. Verify that Enabled is selected.

  The rule displays a green Enabled button when it is enabled.

Result

Once you have enabled Automated Threat Detection, your ESA will begin to perform analytics on the HTTP traffic. You can view detailed information for each incident in the Incident Management queue. 

Next Steps

Monitor the Incident Manager to see if the rule is triggered. If the rule is triggered, follow the steps in the following section to investigate the domain associated with the triggered rule. 

Work with Automated Threat Detection Results
