Threat Detection Content Update - May 2017

Document created by RSA Product Team Employee on May 31, 2017. Last modified by RSA Product Team Employee on May 31, 2017.
Version 2

Summary

Several changes have been made to the Threat Detection Content in Live.
 

Additions

Detection

  • Punycode Phishing Attempt ESA Rule - This rule identifies mail sessions in which the hostname in a link does not match the text of the link, and the hostname is also an identified IDN homograph. For the alert to trigger, the mail session must be followed by an HTTP or HTTPS session that carries the IDN homograph in the HTTP Host header or in the SSL certificate. IDN homograph support was released last month; this rule builds on that capability. For more information, see the blog post: https://community.rsa.com/community/products/netwitness/blog/2017/05/03/punycode-not-all-characters-are-created-equal
 

Changes

Hunting

  • Hunting Bundle - Added IDN_homograph parser as well as the SuperCMD parser.
  • ssh_to_external App Rule - This has been re-written to leverage directionality (https://community.rsa.com/docs/DOC-44948) vs. hard-coded RFC 1918 IP space.
  • HTTP_lua Parser - Updated to flag Host Headers with an integer as the host (as opposed to an IP address or FQHN) in support of: https://community.rsa.com/community/products/netwitness/blog/2017/05/11/rig-decimal-ip-campaign
  • TLD_lua Parser - Numerals are now considered consonants in tagging hostnames with five or more consecutive consonants or numerals as well as two groups of four consecutive consonants or numerals.
  • DNS_verbose_lua - Tag resolution of external domains and hostnames to the loopback address. This replaces the retired Application Rule below.
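As an added example (not RSA's Lua parsers or ESA rule content), the three checks described above approximated in Python: the bare-integer Host header flagged by HTTP_lua, the consonant/numeral run tagging done by TLD_lua, and the link-text mismatch against an IDN hostname that is the first condition of the Punycode Phishing Attempt rule (the follow-on HTTP/HTTPS session is not modelled). Assumptions: "IDN homograph" is simplified to "contains a punycode xn-- label", the TLD is excluded from the run count, and the sample link is constructed.

```python
import re
from urllib.parse import urlsplit

# Digits count as consonants, as in the May 2017 TLD_lua change.
CONSONANT_OR_DIGIT = r"[bcdfghjklmnpqrstvwxz0-9]"


def decimal_ip_host(host):
    """Return the dotted-quad form when the Host header is a bare integer
    (the 'decimal IP' style), or None for a dotted IP / FQHN."""
    if not re.fullmatch(r"[0-9]+", host):
        return None
    n = int(host)
    if n > 0xFFFFFFFF:  # cannot be an IPv4 address
        return None
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def suspicious_consonant_run(hostname):
    """Tag a hostname with five or more consecutive consonants/numerals, or
    two groups of four consecutive consonants/numerals. Runs never cross a
    label boundary; the TLD is left out (assumption, not the parser's code)."""
    labels = hostname.lower().rstrip(".").split(".")
    body = ".".join(labels[:-1]) if len(labels) > 1 else labels[0]
    runs = [len(m) for m in re.findall(CONSONANT_OR_DIGIT + "+", body)]
    return max(runs, default=0) >= 5 or sum(1 for r in runs if r >= 4) >= 2


def punycode_link_mismatch(href, link_text):
    """Link-check condition of the phishing rule: the href host carries an
    xn-- label and differs from the hostname displayed in the link text.
    Returns the decoded (Unicode) hostname when it fires, else None."""
    href_host = (urlsplit(href).hostname or "").lower()
    if not any(label.startswith("xn--") for label in href_host.split(".")):
        return None  # plain ASCII hostname, not an IDN
    shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", link_text.lower())
    shown_host = shown.group(0) if shown else ""
    if not shown_host or shown_host == href_host:
        return None  # no displayed hostname, or it matches the real one
    return href_host.encode("ascii").decode("idna")


# Constructed sample: a Cyrillic 'а' (U+0430) in place of the Latin 'a',
# encoded with the idna codec so the href carries an xn-- label.
SAMPLE_HREF = "http://" + "\u0430pple.com".encode("idna").decode("ascii") + "/login"
SAMPLE_TEXT = "Sign in at apple.com to continue"
```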
 

Detection

 

Other bug fixes and changes

  • HTTP_lua - bug fixes
 

Retired

We strive to provide timely and accurate detection of threats as well as traits that can help analysts hunt through network and log data. Occasionally this means retiring content that provides little-to-no value.
  • carberp botnet activity - No longer a relevant threat.
  • Facebook Login - Facebook transmits all traffic over SSL, so this rule is no longer applicable in the general case.
  • loopback Traffic - This has been superseded by a more accurate approach (looking for external domains resolving to 127.0.0.0/8).
  • Zeus Botnet Activity - No longer an active threat.
  • Botnet Report - Replaced with the Malware Activity report listed above.
 

EOPS Policy

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
