Sec/User Mgmt: Add a User and Assign a Role 86985

Document created by RSA Information Design and Development on Mar 27, 2018. Last modified by RSA Information Design and Development on Apr 3, 2018.
Version 2
Analysts can use the RSA NetWitness Suite Hosts or Files service to detect suspicious hosts or files.

Analysts who conduct analysis using Investigate need to have the appropriate system roles and permissions set up for their user accounts. An administrator must configure roles and permissions as described in Roles and Permissions for Malware Analysts.

Begin an Endpoint Investigation

Analysts can use the Hosts view to identify suspicious hosts using a few indicators, such as security configurations (for example, task manager disabled, firewall disabled, host entries) and construct queries for investigation. To conduct an investigation on hosts:

  1. Go to INVESTIGATE > Hosts.
    A list of hosts is displayed, sorted by the last time the agent communicated with the NetWitness Endpoint server, with the most recent at the top of the list.
  2. Select the hosts that you want to scan and click Start Scan.

Note: You can either perform a manual scan or schedule an automatic scan (see Scan Your Network Environment).

  3. After the scan completes, click the host name to investigate the scan results.
  4. To investigate Instant Indicators of Compromise (InstantIOCs or IIOCs), behavior tracking, and the risk score of the NetWitness Endpoint 4.4 agent, open the host in the NetWitness Endpoint 4.4 user interface.

Investigate a Host

To look for suspicious activities on a host, click on the host name and view the details of the host.

Host Details

Manual Scan

You may want to perform a manual scan if:

  • A file in the Global Files section is found to be malicious
  • A malicious file is present on different hosts in the network
  • You want to investigate a host that is infected
  • You want the latest data from the host

To start a scan:

  1. Go to INVESTIGATE > Hosts.
  2. Select one or more hosts (up to 100 at a time) for an ad hoc scan, and click Start Scan.
  3. Click Start Scan in the dialog box. This performs a quick scan of all executable modules loaded in memory and takes approximately 10 minutes.

The following are the scan statuses:

Status           Description
Idle             No scan is in progress.
Scanning         Scan is in progress.
Starting Scan    The scan request has been sent to the server; the agent receives it the next time it communicates with the server.
Stopping Scan    The stop request has been sent to the server; the agent receives it the next time it communicates with the server.

    Search on Snapshots

    To investigate a host for suspicious activities or to check if it is infected with a known malware, you can search for occurrences of the file name, file path, or SHA-256 checksum.

    Note: To search for SHA-256 checksum, provide the entire hash string in the search box.

    The results show details such as the file name and signature information, along with how the file interacted with the system (whether it ran as a process, library, autorun, service, task, or driver). To view more details for a result, click its category.

    For example, a user has clicked and executed a malicious attachment from a phishing email, which was downloaded to C:\Users. To investigate this file:

    1. Go to INVESTIGATE > Hosts.
    2. Select the host that you want to investigate.
    3. In the Host Details view, enter the file path C:\Users in the search box. The search displays all the executables in this folder. In this example, the file server.exe is an unsigned file that might be malicious. This file has run as a Process and an Autorun.
      Search
    4. To view details of this file, click Autorun or Process in the result.
      Search result
      The following screen shows the Autoruns panel where you can view the file name and registry path.
      Search Details

    Reviewing Processes

    In the Hosts view, select the Process tab. You can view the processes that were running for the selected host at the time of scan.

    When reviewing processes, it is important to see the Launch Arguments. Even legitimate files can be used for malicious purposes, so it is important to view all of them to determine if there is any malicious activity.

    For example:

    • rundll32.exe is a legitimate Windows executable that is categorized as a good file. However, an adversary may use this executable to load a malicious DLL. Therefore, when viewing processes, you must view the arguments of the rundll32.exe file.
    • LSASS.EXE is a child of WININIT.EXE and should not have child processes. Malware often uses this executable to dump passwords, or mimics its name to hide on a system (lass.exe, lssass.exe, lsasss.exe, and so on).
    • Most legitimate user applications, such as Adobe products and web browsers, do not spawn child processes like cmd.exe. If you encounter this, investigate the processes.

    Reviewing Autoruns

    In the Hosts view, select the Autoruns tab. You can view the autoruns, services, tasks, and cron jobs that are running for the selected host.

    For example, in Services, you can look at the file creation time. The compile time is stored in the PE header of each portable executable (PE) file. This time stamp is rarely tampered with, even though an adversary can easily change it before deploying the file to a victim's endpoint, and it can indicate that a new file has been introduced. Compare the compile time stamp of the file against its created time on the system to find the difference. If a file was compiled a few days ago but its time stamp on the system shows that it was created a few years ago, the file has been tampered with.

    Reviewing Files

    In the Hosts view, select the Files tab. You can view the list of files scanned on the host at the time of scan. By default, the table displays 100 files. To display more files, click Load More at the bottom of the page.

    For example, many trojans use random file names when dropping their payloads, to prevent an easy search across the endpoints in the network based on the file name. A file named svch0st.exe, scvhost.exe, or svchosts.exe indicates that the legitimate Windows file svchost.exe is being mimicked.
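    The process and file-name checks described above (rundll32.exe arguments, LSASS.EXE parentage and children, shells spawned by user applications, and look-alike names such as svch0st.exe), applied to a constructed process snapshot. This is an added Python example, not part of the NetWitness documentation; the CSV column names, the look-alike similarity cutoff and the list of user applications are assumptions.

```python
import csv
import io
from difflib import SequenceMatcher

# Constructed sample in the shape of a process listing export
# (column names are assumed, not the product's own export format).
SAMPLE_PROCESSES = """name,parent,args
wininit.exe,,
lsass.exe,wininit.exe,
lsasss.exe,explorer.exe,
cmd.exe,lsass.exe,/c whoami
rundll32.exe,explorer.exe,"C:\\Users\\Public\\x.dll,Start"
chrome.exe,explorer.exe,
cmd.exe,chrome.exe,/c dir
svch0st.exe,services.exe,
"""

PROTECTED_NAMES = {"lsass.exe", "svchost.exe"}              # names malware mimics (page examples)
USER_APPS = {"chrome.exe", "firefox.exe", "acrord32.exe"}  # assumed list: should not spawn a shell
LOOKALIKE_RATIO = 0.85                                       # assumed similarity cutoff

def is_lookalike(name, legit):
    """True for a near miss of a protected name, e.g. lsasss.exe or svch0st.exe."""
    name, legit = name.lower(), legit.lower()
    return name != legit and SequenceMatcher(None, name, legit).ratio() >= LOOKALIKE_RATIO

def review_processes(csv_text):
    """Return (process, reason) findings for the heuristics described in the text."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, parent, args = row["name"].lower(), row["parent"].lower(), row["args"]
        for legit in sorted(PROTECTED_NAMES):
            if is_lookalike(name, legit):
                findings.append((name, "mimics " + legit))
        if name == "lsass.exe" and parent != "wininit.exe":
            findings.append((name, "unexpected parent " + parent))
        if parent == "lsass.exe":
            findings.append((name, "lsass.exe should not have child processes"))
        if name == "rundll32.exe":
            findings.append((name, "review launch arguments: " + args))
        if name == "cmd.exe" and parent in USER_APPS:
            findings.append((name, "shell spawned by " + parent))
    return findings

if __name__ == "__main__":
    for process, reason in review_processes(SAMPLE_PROCESSES):
        print(f"{process:14} {reason}")
```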

    Reviewing Libraries

    In the Hosts view, select the Libraries tab. You can view the list of libraries loaded at the time of scan.

    For example, a file with high entropy is flagged as packed. A packed file is one that has been compressed to reduce its size, or to obfuscate malicious strings and configuration information.
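    Shannon entropy is the measure behind the packed flag. This added Python example (not from the NetWitness documentation) computes it over constructed byte buffers and also checks fixed-size windows, which catches a packed region inside an otherwise plain library; the 7.0 threshold is an assumption, not the product's cutoff.

```python
import math
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumed cutoff for this example; the product's own is not stated

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for one repeated value, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_packed(data: bytes) -> bool:
    """Whole-file check, as in the Libraries panel's packed flag."""
    return shannon_entropy(data) >= PACKED_THRESHOLD

def max_window_entropy(data: bytes, window: int = 256) -> float:
    """Highest entropy over fixed-size windows; finds a packed region inside a mostly plain file."""
    return max((shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)),
               default=0.0)

# Constructed samples standing in for library contents.
PLAIN_STRINGS = b"LoadLibraryW GetProcAddress VirtualAlloc kernel32.dll " * 64  # readable import names
UNIFORM_BYTES = bytes(range(256)) * 2        # every byte value equally often, like packed data
MIXED = PLAIN_STRINGS + UNIFORM_BYTES        # mostly plain, with one high-entropy region appended

if __name__ == "__main__":
    for label, buf in (("plain", PLAIN_STRINGS), ("uniform", UNIFORM_BYTES), ("mixed", MIXED)):
        print(f"{label:8} entropy={shannon_entropy(buf):.2f} packed={looks_packed(buf)} "
              f"max_window={max_window_entropy(buf):.2f}")
```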

    Reviewing Drivers

    In the Hosts view, select the Drivers tab. You can view the list of drivers running on the host at the time of scan.

    For example, in this panel you can check whether a file is signed or unsigned. A file signed by a trusted vendor such as Google, Apple, or Oracle, with the signature marked valid, is a good file.

    Verify signature

    Reviewing System Information

    In the Hosts view, select the System Information tab. This panel lists the agent system information. For Windows, the panel displays the host file entries and network shares of that host.

    For example, malware uses hosts file entries to evade detection by security software, blocking traffic to the download and update servers of the most well-known security vendors.
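    A check for that technique over a hosts file, as an added Python example that is not part of the NetWitness documentation: entries that point a security vendor's update or download host at a loopback or null address are flagged. The hosts file text and vendor domains are constructed placeholders.

```python
import ipaddress

# Constructed hosts-file text; the vendor domains are illustrative placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-av.test      # constructed entry
127.0.0.1       download.example-edr.test
10.0.0.5        intranet.corp.test
"""

# Assumed list: substitute the update/download domains of the security vendors you run.
SECURITY_VENDOR_DOMAINS = {"example-av.test", "example-edr.test"}
SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank lines and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue
        for host in parts[1:]:
            yield ip, host.lower()

def is_security_vendor_host(host):
    """Match the domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)

def find_blocked_vendor_hosts(text):
    """Entries that resolve a security vendor host to a loopback or null address."""
    return [(ip, host) for ip, host in parse_hosts(text)
            if is_security_vendor_host(host) and ip in SINKHOLE_ADDRESSES]

if __name__ == "__main__":
    for ip, host in find_blocked_vendor_hosts(SAMPLE_HOSTS):
        print(f"hosts entry blocks {host} -> {ip}")
```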

    Investigate a Host in the NetWitness Endpoint

    To investigate Instant Indicators of Compromise (InstantIOCs or IIOCs), behavior tracking, or the risk score of a NetWitness Endpoint agent (version 4.4.0.0 or later), open the host in the NetWitness Endpoint user interface (version 4.4.0.0 or later). This option is not applicable for the NetWitness Endpoint 11.1 agents.

    Note: The NetWitness Endpoint must be installed on the system where you are accessing the NetWitness Suite User Interface.

    To investigate a host in the NetWitness Endpoint user interface (version 4.4.0.0 or later):

    1. Go to INVESTIGATE > Hosts.
    2. Select the host from the Hosts view table.
    3. Click Pivot to Endpoint.

    Delete Uninstalled Agent

    When an agent is uninstalled from a host and is seen as inactive, the server will delete this host based on the threshold set in the Inactive Agents Retention Policy (See <cross-reference>). However, you can delete this host manually from the Hosts view using the Delete option.

    To delete uninstalled or inactive hosts:

    1. Go to INVESTIGATE > Hosts.
    2. Select the hosts that you want to delete from the Hosts view and click Delete.
      This deletes all data for the selected hosts.

    Note: If you accidentally delete a host from the Hosts view for which the agent still exists or uninstallation has failed, the server will forbid all requests from this agent. The agent must be uninstalled manually from the host and reinstalled for it to appear on the Hosts view.

    Export Host Attributes

    To extract the host attributes to a comma-separated values (CSV) file:

    1. Go to INVESTIGATE > Hosts.
    2. Filter the hosts by selecting the required filter options.
    3. Add columns by clicking Column Chooser in the right-hand corner.
    4. Click Export to CSV.

    You can either save or open the CSV file.

    Find Suspicious Files

    Analysts can use the Files view (INVESTIGATE > Files) to identify suspicious files by looking at the file name, file size, entropy, format, company name, signature, and checksum.

    For example, if an environment is infected by the WannaCry ransomware, the analyst can filter the list by that file name. You can also look for this ransomware using its checksum.

    When looking at file size, trojans are usually less than 1 MB, and the majority of them are less than 500 KB. File size can therefore be an indicator when assessing a file.

    Export Global Files

    To extract the list of global files to a CSV file:

    1. Go to INVESTIGATE > Files.
    2. Filter the files by selecting the required filter option.
    3. Add columns by clicking Column Chooser in the right-hand corner.
    4. Click Export to CSV.

    You can either save or open the CSV file.

    Note: Use appropriate filters instead of exporting all data.

    Filter Hosts or Files

    You can either filter the hosts or files on the operating system, or select the fields in the Add Filter drop-down menu.

    Filter

    To search for multiple values within a field, set the filter option to equals and use || as a separator. Click Reset to restore the default settings. Click Save to save the search and provide a name (up to 250 alphanumeric characters). The filter is added to the Saved Filters pane on the left. To delete a filter, hover over its name and click the delete icon.

    Note: When saving a filter, special characters other than underscore (_) and hyphen (-) are not allowed in the name.

    For example, in the Files view, to create a filter for unsigned files:

    1. From the Filter options, select Add Filters > Signature.
      Custom Search
    2. Select unsigned. The page will refresh to display all unsigned files.
    3. Click Save and provide a name for the search. This name will appear in the Filters list on the left.

    Set Hosts or Files Preferences

    If you want to view specific columns and sort data on a specific field, you can customize the view by selecting the columns from the column chooser. This will be set as your default view every time you log in to the Hosts or Files view.

    To set the preferences:

    1. Go to INVESTIGATE > Hosts or Files view.
    2. Select the columns by clicking Column Chooser in the right-hand corner. The following example shows the screen displayed while adding columns for the Hosts view:
      Column Chooser for Hosts
    3. Select the field on which you want to sort the table.

    Pivot to Investigate for Hosts and Files

    If you need to investigate a particular host, file, IP address, or username to look for related activity across a time window, you can pivot to both Navigate and Event Analysis to get the entire context of the activity.

    To pivot to Investigate:

    1. Go to INVESTIGATE > Hosts or Files view.
    2. Click Pivot to Investigate beside the host name.

    Pivot to Investigate

    Alternatively, within the Host Details view, you can right-click the host name, IP address, or logged-in users to pivot.

    Pivot to Investigate

    Note: For the Files view, you can pivot from Filename and Hash (SHA256 and MD5).

    3. In the Select Service dialog, select any of the services required for investigation.
    4. Click Navigate or Event Analysis to analyze the data.