How to detect the Heartbleed Vulnerability using RSA Security Analytics
What is Heartbleed?
The Heartbleed OpenSSL vulnerability is a serious weakness in specific implementations of the OpenSSL software on servers, Virtual Private Networks and other applications. For full details on this vulnerability, please visit http://heartbleed.com
How can RSA find instances of Heartbleed?
RSA Security Analytics gives users the ability to identify servers vulnerable to the Heartbleed exploit, as well as detect attempts to exploit the service. This is a perfect example of the type of incident investigation and forensics that can be achieved utilizing full packet capture and RSA Security Analytics.
What rules and/or parsers have been created to help find Heartbleed?
Parsers that have been created to address Heartbleed are now available in RSA Live. These are available for all RSA Live subscription tiers. The specific parsers are “TLS” and “TLS_lua”. Users subscribed to either of these parsers will be automatically updated. For users that are not currently subscribing to either piece of content, they should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser “TLS”. For those running versions 10.2 and above, use the LUA parser “TLS-lua”.
To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational meta-key. For detecting exploit attempts, look for “heartbleed data leak” under risk.warning meta-key.
Once detected how can Heartbleed be remediated?
To fully remediate this vulnerability, upgrade weak systems to the latest fixed version of OpenSSL and revoke old keys. Renew your SSL certificate, and if applicable, change passwords for sensitive accounts.
- Community Thread
- Forum Thread
- RSA NetWitness
- RSA NetWitness Platform
Heartbleed detection was added to them as secondary functionality. But Heartbleed detection does not use any certificate information.
Is there a way for us to know what it is using? How can I validate that the things SA finds are actually heartbleed attacks and not certificate problems?