This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
  • RSA.com
  • Products
    • Archer®
      • Archer®
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Archer® Exchange
      • Training
      • Upcoming Events
      • Videos
    • RSA® Fraud & Risk Intelligence Suite
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Web Threat Detection
      • Upcoming Events
      • Videos
    • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Cloud
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Patch Content
      • Videos
    • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication Mobile SDK
      • Advisories
      • Events
      • Ideas
      • Knowledge Base
      • Request Access
      • Training
    • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 7.x
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Events
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® Adaptive Authentication for eCommerce
      • RSA® Adaptive Authentication for eCommerce
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Ideas
      • Knowledge Base
      • Training
      • Videos
    • RSA® FraudAction Services
      • RSA® FraudAction Services
      • Advisories
      • Discussions
      • Documentation
      • Ideas
      • Videos
    • RSA® Web Threat Detection
      • RSA® Web Threat Detection
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Videos
    • RSA NetWitness® Platform
      • RSA NetWitness® Platform
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA NetWitness® Detect AI
      • RSA NetWitness® Detect AI
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Investigator
      • RSA NetWitness® Investigator
      • Documentation
      • Download the Client
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA NetWitness® Orchestrator
      • RSA NetWitness® Orchestrator
      • Overview
      • Documentation
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
    • RSA SecurID® Suite
      • RSA SecurID® Suite
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Knowledge Base
      • Ideas
      • Integrations
      • Training
      • Videos
    • RSA® Identity Governance & Lifecycle
      • RSA® Identity Governance & Lifecycle
      • Advisories
      • Blog
      • Community Exchange
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • RSA SecurID® Access
      • RSA SecurID® Access
      • Advisories
      • Blog
      • Discussions
      • Documentation
      • Downloads
      • Ideas
      • Integrations
      • Knowledge Base
      • Training
      • Upcoming Events
      • Videos
    • Other RSA® Products
      • Other RSA® Products
      • RSA® Access Manager
      • RSA® Data Loss Prevention
      • RSA® Digital Certificate Solutions
      • RSA enVision®
      • RSA® Federated Identity Manager
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
      •  
  • Resources
    • Advisories
      • Product Advisories on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Hosted
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Product Advisories
    • Blogs
      • Blogs on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Blogs on RSA Link
    • Discussion Forums
      • Discussion Forums
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Discussion Forums on RSA Link
    • Documentation
      • Product Documentation
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Downloads
      • Product Downloads
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Downloads on RSA Link
    • Ideas
      • Idea Exchange
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® FraudAction Services
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Documentation on RSA Link
    • Knowledge Base
      • Knowledge Base
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication Mobile SDK
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Knowledge Base Pages on RSA Link
    • Upcoming Events on RSA Link
      • Upcoming Events
    • Videos
      • Videos on RSA Link
      • Archer®
      • RSA® Adaptive Authentication Cloud
      • RSA® Adaptive Authentication On-Premise 7.x
      • RSA® Adaptive Authentication On-Premise 14.x
      • RSA® Adaptive Authentication for eCommerce
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
      • RSA® Web Threat Detection
      • All Videos on RSA Link
  • Support
    • RSA Link Support
      • RSA Link Support
      • News & Announcements
      • Getting Started
      • Support Forum
      • Support Knowledge Base
      • Ideas & Suggestions
    • RSA Product Support
      • RSA Product Support
      • General Security Advisories and Statements
      • Product Life Cycle
      • Support Information
      •  
      •  
      •  
      •  
      •  
  • RSA Ready
  • RSA University
    • Certification Program
      • Certification Program
    • Course Catalogs
      • Course Catalogs
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • On-Demand Subscriptions
      • On-Demand Subscriptions
      • Archer®
      • RSA NetWitness® Platform
      • RSA SecurID® Suite
    • Product Training
      • Product Training
      • Archer®
      • RSA® Fraud & Risk Intelligence Suite
      • RSA® Identity Governance & Lifecycle
      • RSA NetWitness® Platform
      • RSA SecurID® Access
    • Student Resources
      • Student Resources
      • Access On-Demand Learning
      • Access Virtual Labs
      • Contact RSA University
      • Enrollments & Transcripts
      • Frequently Asked Questions
      • Getting Started
      • Learning Modalities
      • Payments & Cancellations
      • Private Training
      • Training Center Locations
      • Training Credits
      • YouTube Channel
    • Upcoming Events
      • Upcoming Events
      • Full Calendar
      • Conferences
      • Live Classroom Training
      • Live Virtual Classroom Training
      • Webinars
Sign In Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

RSA NetWitness® Platform Discussions

Discussions about the RSA NetWitness Platform.
  • RSA Link
  • :
  • Products
  • :
  • RSA NetWitness Platform
  • :
  • Discussions
  • :
  • Zero Day Attacks
  • Options
    • Subscribe to RSS Feed
    • Mark Topic as New
    • Mark Topic as Read
    • Float this Topic for Current User
    • Bookmark
    • Subscribe
    • Mute
    • Printer Friendly Page
VivekWanelkar
VivekWanelkar Beginner
Beginner
‎2017-01-11 12:48 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Zero Day Attacks

How are we equipped to handle zero day attacks in our environment? We are running RSA SA version 10.4.1.2 and we do not have a malware analysis module.

  • Tags:
  • Community Thread
  • Discussion
  • Forum Thread
  • NetWitness
  • NW
  • NWP
  • RSA NetWitness
  • RSA NetWitness Platform
0 Likes
Share
Reply
  • All forum topics
  • Previous Topic
  • Next Topic
5 Replies
ChristopherAhea
Employee ChristopherAhea
Employee
‎2017-01-11 09:10 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Security Analytics is a world-class network monitoring suite capable of identifying all sorts of traffic and log events.  It is a suite of tools that help analysts and incident responders do their jobs.  What is your organizations security team currently doing to prevent, detect, and respond to incidents and threats today?  

 

Threat analysis should be part of an overall Risk Management program and should include detection and response.  

 

If you feel your organization could benefit from an assessment to help answer your question, I would strongly encourage you to reach out to our Advanced Cyber Defense team and arrange an engagement.  Tools help fight the battles, but strategy wins the war.

0 Likes
Share
Reply
VivekWanelkar
VivekWanelkar Beginner
Beginner
In response to ChristopherAhea
‎2017-01-13 12:03 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hello Christopher,I appreciate your help in helping me clarify my query.However I want to know that with our current setup of RSA SA what is the source of update in case there is a zero day attack.Is it only through RSA live notifications.If that is the case we expect to get input about new ESA rules,app rules etc.Is it ?

0 Likes
Share
Reply
MohdSaadKhan
MohdSaadKhan Occasional Contributor
Occasional Contributor
‎2017-01-13 06:20 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi Vivek,

As per Christopher I agree on that "Security Analytics is a world-class network monitoring suite capable of identifying all sorts of traffic and log events". Though for zero day attack we cannot go for the specific ESA rules, App rules and capture attack, for this we need to create multiple scenarios using perimeter devices and internal device's logs.

 

For example :

 

For signature based detection we can use detection systems such as Anti-Virus, Intrusion Prevention Systems, Content Inspection Systems and Application Firewalls or if we identify suspicious behavior by users and computers that may have been compromised by a zero day exploit then the only method is that to determine 'intrusion' i.e. Large file transfers detected by network flows, attempts at accessing data outside of a compromised user’s environment, disabling of services, installation of software and other infrequent acts imply compromise.

 

Also if you are using packet in your environment then it is best to use feeds for IOCs(Indicator of compromise), BOCs(behaviour of compromise) and packs specifically configures for such malicious activities. Else you can use manual feeds for malwares, blacklist IPs, domains etc and from RSA live also in order to monitor threat category, threat description and create dashboard, correlation and rules and monitor the traffic, trend and analyze the risk and behavior. You can also go for some basic activities check in the environment i.e.

 

1.) Determine Malicious Authentication Attempts.

2.) Identify Compromised Account Activities.

3.) Determine Data Exfiltration and Methods (Use proxy logs to determine data exfilteration or any http outbound activity)

4.) Malware search dashboard for any compromised endpoint.

etc. Likewise you can create many checkpoint for malicious attacks, ransomwares, variants attacks etc.

0 Likes
Share
Reply
DavidWaugh1
Employee DavidWaugh1
Employee
‎2017-01-13 06:31 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Hi the very nature of it being a Zero day attack means that no signature based system will be aware of it. You need to know what is normal in your environment and whitelist all this normal stuff, so that you then start looking at abnormal traffic.

 

Having Netwitness Endpoint on your endpoint machines will help to detect abnormal behaviour as it only looks at the behaviour of applications and it not signature based.

 

However, there is no one size fits all solution. Buying more technology is not always the answer. I think you need to understand your own environment and know what normal behavior is, so you can concentrate on the more unusual stuff.

 

This is a hard task, so being able to prioritize by critical assets and automate as much as possible is worthwhile.

0 Likes
Share
Reply
ChristopherAhea
Employee ChristopherAhea
Employee
In response to VivekWanelkar
‎2017-01-13 08:18 AM
  • Mark as New
  • Bookmark
  • Subscribe
  • Mute
  • Subscribe to RSS Feed
  • Permalink
  • Print
  • Email to a Friend
  • Report Inappropriate Content

Live would be one way to receive updated content. There could also be other posts to this community site by members like yourself, around detection.  This could be parsers, feeds, app rules, ESA rules, etc.

 

A zero-day attack could take many forms depending on the target.  It could be in a windows executable that exploits code, office files, Flash, java and several others.  It could be in the form of malicious web traffic that exploits a web application server.  Or it could be something we haven't seen before.  

 

You could also become aware of new attacks from research and intelligence from any number of sources.  By placing your packet decoders to monitor all traffic inbound and outbound, you have a high likelihood of capturing the traffic involved in such an attack.  From there, I would typically start looking at what my attack surface looked like.  This would involve understanding what services and applications are exposed. After applying as much locking down of systems and applications as possible, I still need that visibility...not only in the network traffic, but the happenings on the host systems as well.  Systems would generate logs.  I will need those.  Systems have certain processes and services running.  I need to baseline that and understand what normal looks like.  I allow email to enter my environment that may include attachments or links.  I need to validate that.

 

Once we know what now how the systems within our organization should operate normally, it will make it easier to determine when the abnormal occurs.  This is what should start an investigation.

 

I don't know of a tool that would call out "THIS IS A ZERO DAY ATTACK".  Once we understand what normal system activity looks like,  we can remove that hay and focus on the needles.  Then, when we find that needle, we create some meta (parser, feed, app rule, ESA rule) to make it easier to find again.  

0 Likes
Share
Reply
Powered by Khoros
  • Products
  • Resources
  • Solutions
  • RSA University
  • Support
  • RSA Labs
  • RSA Ready
  • About RSA Link
  • Terms & Conditions
  • Privacy Statement
  • Provide Feedback
© 2021 RSA Security LLC or its affiliates.
All rights reserved.