How to detect the Heartbleed Vulnerability using RSA Security Analytics
What is Heartbleed?
The Heartbleed OpenSSL vulnerability is a serious weakness in specific implementations of the OpenSSL software on servers, Virtual Private Networks and other applications. For full details on this vulnerability, please visit http://heartbleed.com
How can RSA find instances of Heartbleed?
RSA Security Analytics gives users the ability to identify servers vulnerable to the Heartbleed exploit, as well as detect attempts to exploit the service. This is a perfect example of the type of incident investigation and forensics that can be achieved utilizing full packet capture and RSA Security Analytics.
What rules and/or parsers have been created to help find Heartbleed?
Parsers that have been created to address Heartbleed are now available in RSA Live. These are available for all RSA Live subscription tiers. The specific parsers are “TLS” and “TLS_lua”. Users subscribed to either of these parsers will be automatically updated. For users that are not currently subscribing to either piece of content, they should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser “TLS”. For those running versions 10.2 and above, use the LUA parser “TLS-lua”.
To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta-key. For detecting exploit attempts, look for “heartbleed data leak” under risk.warning meta-key.
Once detected how can Heartbleed be remediated?
To fully remediate this vulnerability, upgrade weak systems to the latest fixed version of OpenSSL and revoke old keys. Renew your SSL certificate, and if applicable, change passwords for sensitive accounts.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Make sure to subscribe to the parsers on Live, as they will be updated as we find new methods of attack. If you are a Security Analytics for Logs customer, ensure that you are subscribed to the appropriate IDS / IPS log parsers, as they will be updated as vendors release new signature sto detect exploits against the Heartbleed vulnerability
App rules are kind of a catch-22, in that app rules are based off meta collected by successfully parsing the session. So if you are truncating with an app rule, that implies that the session has already been parsed and the meta has already been registered.
I *believe* you should be good to go