We are looking for good rule logic to include in the product. I've seen some good examples so far but tell me what you want to see, what would be useful to you?
Could you add rules to detect portscans and network sweeps?
Also, it would be nice to have a correlated rule that can trigger an alert when it sees the vulnerability value of a device increase.
Other examples for correlated rules would be to have a rule that detects common P2P traffic activity.
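The portscan and network-sweep request above, worked as an added example (this is not enVision rule logic and not the poster's code): a sliding-window counter over firewall deny events that flags one source touching many ports on one host (port scan) or one port on many hosts (network sweep). The log format, field names, sample lines and thresholds are all assumptions constructed for the example.

```python
"""Port-scan and network-sweep detection over firewall deny events.

Added example, not enVision rule logic. The key=value log format, the sample
lines and the thresholds below are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PORTSCAN_THRESHOLD = 10        # distinct destination ports on one host from one source
SWEEP_THRESHOLD = 10           # distinct destination hosts on one port from one source
WINDOW = timedelta(seconds=60)

# Constructed sample log lines in an invented firewall format.
BASE = datetime(2024, 1, 1, 10, 0, 0)
SAMPLE_LOG = (
    # vertical port scan: 10.0.0.5 hits ports 20..31 on 10.0.1.20 within 24 s
    [f"{(BASE + timedelta(seconds=2 * i)).isoformat()} fw01 DENY src=10.0.0.5 dst=10.0.1.20 dport={20 + i}"
     for i in range(12)]
    # horizontal sweep: 10.0.0.7 hits port 445 on 10.0.1.1 .. 10.0.1.12 within 24 s
    + [f"{(BASE + timedelta(seconds=2 * i)).isoformat()} fw01 DENY src=10.0.0.7 dst=10.0.1.{i + 1} dport=445"
       for i in range(12)]
    # benign: 10.0.0.9 touches three ports on one host spread over 30 minutes
    + [f"{(BASE + timedelta(minutes=10 * i)).isoformat()} fw01 DENY src=10.0.0.9 dst=10.0.1.30 dport={80 + i}"
       for i in range(3)]
    # allowed traffic is ignored by the rule
    + [f"{BASE.isoformat()} fw01 ALLOW src=10.0.0.9 dst=10.0.1.30 dport=443"]
)


def parse_line(line):
    """Parse one firewall line into a dict; raises on malformed input."""
    ts, _device, action, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "src": fields["src"], "dst": fields["dst"], "dport": int(fields["dport"])}


def _prune(entries, cutoff):
    """Keep only (timestamp, value) pairs inside the sliding window."""
    return [(t, v) for t, v in entries if t >= cutoff]


def detect(lines, window=WINDOW, scan_threshold=PORTSCAN_THRESHOLD,
           sweep_threshold=SWEEP_THRESHOLD):
    """Return a list of alert dicts; each (type, source, key) fires at most once."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    scan_state = defaultdict(list)     # (src, dst)   -> [(ts, dport)]
    sweep_state = defaultdict(list)    # (src, dport) -> [(ts, dst)]
    fired, alerts = set(), []
    for e in (ev for ev in events if ev["action"] == "DENY"):
        cutoff = e["ts"] - window

        scan_key = (e["src"], e["dst"])
        scan_state[scan_key] = _prune(scan_state[scan_key], cutoff) + [(e["ts"], e["dport"])]
        ports = {p for _, p in scan_state[scan_key]}
        if len(ports) >= scan_threshold and ("portscan",) + scan_key not in fired:
            fired.add(("portscan",) + scan_key)
            alerts.append({"type": "portscan", "src": e["src"], "target": e["dst"],
                           "distinct": len(ports), "ts": e["ts"]})

        sweep_key = (e["src"], e["dport"])
        sweep_state[sweep_key] = _prune(sweep_state[sweep_key], cutoff) + [(e["ts"], e["dst"])]
        hosts = {h for _, h in sweep_state[sweep_key]}
        if len(hosts) >= sweep_threshold and ("sweep",) + sweep_key not in fired:
            fired.add(("sweep",) + sweep_key)
            alerts.append({"type": "sweep", "src": e["src"], "target": f"port {e['dport']}",
                           "distinct": len(hosts), "ts": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The same source reaching three ports over half an hour never crosses the threshold inside a 60-second window, which is the kind of slow, low-and-slow probe this simple counter will miss; a real rule would add a second, longer window with a lower threshold.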
I think we need rules that address each stage of a common attack lifecycle. I will refer to the methodology used in "Hacking Exposed, 4th ed."
Footprinting - Scanning - Enumeration - Gaining Access - Escalating privilege - Pilfering - Covering tracks - creating back doors - Denial of Service
Using these steps as a guideline, I think that most attacks follow a pattern of probe (Footprinting - Scanning - Enumeration) - attack (Gaining Access - Escalating privilege - Pilfering) - response (Covering tracks - creating back doors, maybe a command and control response) in general. Using these as flexible rule templates, we can build rules that allow for a wide range of activities.
Other interesting rules would be around wireless attacks, PCI incidents, DLP incidents, and change control incidents.
If there are useful rules from other event correlation systems, we should also replicate the functionality we find to be useful.
Thanks for the input. FYI, if you see a feature request that you'd like to "second", you can give it Kudos instead of creating a new post. We just turned Kudos on, so I think people aren't aware of how they work. The customer mailing this month indicates how to use them.
Apologies. Will do. Thanks!
In addition to the SANS Top 20, I would highly encourage folks at RSA enVision to consider getting with folks at SANS regarding course specific items that could be potentially used from the SANS / GIAC training programs. For example, I know the GIAC Certified Incident Handler (GCIH) training program has tons of "you need to be watching for [this] in your logs... and here's exactly how and why..." type of content that is specific to exact attack vectors and techniques used by hackers. The challenging part is coming home from one of those training courses, sitting down at the enVision console and making it happen. It's a huge gap... or... opportunity, depending on how you see it. They do have other courses that would directly relate also. I'll be honest, I like the compliance reports, but we really don't use them at all. Maybe a couple of the NISPOM ones. A solid list of SANS/GIAC reports would be sweet!
What's that Dave? You mean to tell me that you can't crank out correlation rules for all the latest threats by the 0-Day + 72 hour mark? Just kidding. You have very good points about taking it one at a time, over time. Good suggestion on synchronizing the watchlists. I've been doing this for a while with AD groups and OUs but haven't tried external web sources. That's a great idea. Oh, and no... I can't just sit a test and pass like that. Wish I could.
Great idea! I've shared with the PM, Engineering, and Training teams.
In the meantime, do you have a couple of specific examples you could provide here in the Intelligence Community? Then we can get someone to chime in with how to implement.
That would be awesome. Here are a few examples that come to mind, definitely not a complete list…
- Pulling data from DLP and data mgmt solutions. On demand we need to be able to quickly see whose baselines for data access, creation, deletion, movement, etc have sharply gone up, stayed the same, gone down, etc.
- Email Abuse. Not just trendy numbers like % of spam blocks and holds, but more importantly I’m referring to egress monitoring of outbound mail and IM traffic patterns.
- For the evidence to hold any water, I need to rely on envision to pull all this together from all sources, mail servers, smtp relays, firewalls, IDS, DLPs etc and package it up with complete chain of custody.
Dynamic Hotlists for vetting out suspected assets -
- Much like a watchlist, I’d like to be able to throw user accounts, IP addresses, email address, whatever, into a dynamic hotlist that will scrutinize their log data much differently, assigning higher alert levels, or running additional actions or commands or scripts against them, etc, whatever I specify, until such time as they are removed from the list dynamically. This would allow incident handling teams to throw a suspect system into a hotlist, and “let it cook”. If it comes up clean after a period of time it gets removed. One of the reasons the Eradication phase of incident handling can take so long is vetting out what’s been cleansed and returned to production (based on behavioral log analysis) and what hasn’t. Anyone who’s had to eradicate network segments in the thousands knows it’s not easily done unless automated. I see a HUGE market for envision to step in there. Even if all you do is toss the hotlist over to a 3rd party tool like Core Impact, Nessus, etc, then re-read back in their results, it would save a lot of time. You are going to get support for Core Impact right?
A category that identifies Reconnaissance activities (internal and external) on the network-
- Website searches and Google hacking techniques, Registrar and Whois lookups
- Abuse of internal corporate portal search, either frequency or keyword list.
- Abnormal DNS interrogation.
- Attempts to pull zone transfers.
- A lot of IDS alerts could also be used in this category as most of them already have signatures for reconnaissance related activities such as network mapping, OS fingerprinting, etc.
A category that identifies Scanning activities on the network.
- Scanning tools are good, when we’re the ones using them. Otherwise I want to know if anyone is running any scans... VA tests against hosts, port scanning, etc.
A category that identifies systems being exploited (or attempts to).
- Mostly IDS, HIPS and AV alerts of access attempts, privilege escalation attempts, and all the network layer and app level attacks
- web based attacks: SQL injection, cross-site scripting, account harvesting, etc.
- Attempts to cover up tracks, like AV and HIPS picking up on rootkits, bots, compilers or encoders.
- Potential usage of rogue proxies on the network. (Paros proxy).
Also, one other consideration would be to categorize reports with respect to the incident handling process itself… Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. I know the reporting capabilities in envision could be used extensively for doing post-mortem lessons learned reports, charts, etc.
Unrelated to incident handling but something I just remembered… and I feel is long overdue…
A category for VMware Virtualization Infrastructure.
- When was a virtual resource created, modified, deleted and by whom?
- Changes to virtual infrastructure, i.e. A virtual machine was connected to a virtual switch, or a new virtual switch was created/deleted/modified, etc.
- When did a system VMotion or DRS from one location to another?
- File level access auditing on .vmdk files.
- User account auditing, who’s logging in and doing what within the entire virtual environment.
- Alert when update manager failed to download update signatures.
- Alert when update manager has available patches that are not yet installed on a host or guest machine.
- Alert when update manager failed to successfully patch a host or guest machine.
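The dynamic hotlist described in the post above, worked as an added example (not an enVision feature and not the poster's code): suspect entities (an IP, a user, an email address) are listed with a time-to-live; while listed, any event mentioning them gets a severity boost and a list of follow-up actions to hand off, and when the cook period elapses the entry reports whether the entity came up clean. The event field names, severity scale, thresholds and action names are assumptions constructed for the example; the hand-off to a third-party scanner is represented only by a placeholder action name.

```python
"""Dynamic hotlist: suspect entities get extra scrutiny for a "cook" period.

Added example, not an enVision feature. Field names, severities and action
names are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SUSPICIOUS_SEVERITY = 3      # base severity at/above which an event counts as a "hit"
MAX_SEVERITY = 10


@dataclass
class HotlistEntry:
    entity: str
    added: datetime
    ttl: timedelta
    reason: str
    hits: list = field(default_factory=list)   # (ts, message) of suspicious events while listed

    def expires_at(self):
        return self.added + self.ttl


class Hotlist:
    def __init__(self, default_ttl=timedelta(hours=72), severity_boost=2,
                 actions=("rescan_with_va_tool", "start_full_packet_capture")):
        self.entries = {}                 # entity -> HotlistEntry
        self.default_ttl = default_ttl
        self.severity_boost = severity_boost
        self.actions = list(actions)      # placeholder names of follow-up actions to hand off

    def add(self, entity, now, reason, ttl=None):
        """(Re)list an entity; re-adding restarts its cook period."""
        self.entries[entity] = HotlistEntry(entity, now, ttl or self.default_ttl, reason)

    def remove(self, entity):
        self.entries.pop(entity, None)

    def expire(self, now):
        """Drop entries whose TTL has elapsed; return (entity, came_up_clean) for each."""
        done = [e for e in self.entries.values() if now >= e.expires_at()]
        for e in done:
            del self.entries[e.entity]
        return [(e.entity, not e.hits) for e in done]

    def enrich(self, event, now):
        """Return (copy of event with adjusted severity, actions to run).

        An event matches if any of its src / user / email fields is listed and
        that listing has not yet expired. Suspicious events are recorded as hits."""
        listed = []
        for key in ("src", "user", "email"):
            entry = self.entries.get(event.get(key))
            if entry is not None and now < entry.expires_at():
                listed.append(entry)
        out = dict(event)
        if not listed:
            return out, []
        base = event.get("severity", 0)
        out["severity"] = min(MAX_SEVERITY, base + self.severity_boost)
        out["hotlist_reasons"] = [e.reason for e in listed]
        if base >= SUSPICIOUS_SEVERITY:
            for e in listed:
                e.hits.append((now, event.get("msg", "")))
        return out, list(self.actions)


def run_demo():
    """Constructed walk-through: one suspect keeps misbehaving, one cooks clean."""
    t0 = datetime(2024, 1, 1, 9, 0)
    hl = Hotlist(default_ttl=timedelta(hours=1))
    hl.add("10.0.0.5", t0, "IDS: suspected bot beaconing")
    hl.add("jdoe", t0, "HR: resignation notice", ttl=timedelta(hours=4))
    ev1, acts1 = hl.enrich({"src": "10.0.0.5", "severity": 3,
                            "msg": "outbound connection to known-bad address"}, t0 + timedelta(minutes=10))
    ev2, acts2 = hl.enrich({"src": "10.0.0.6", "user": "jdoe", "severity": 1,
                            "msg": "file share read"}, t0 + timedelta(minutes=20))
    ev3, acts3 = hl.enrich({"src": "10.0.0.9", "severity": 3,
                            "msg": "not a listed entity"}, t0 + timedelta(minutes=30))
    expired_2h = hl.expire(t0 + timedelta(hours=2))     # 10.0.0.5 elapsed, jdoe still cooking
    still_listed = sorted(hl.entries)
    expired_5h = hl.expire(t0 + timedelta(hours=5))     # jdoe elapsed with no suspicious hits
    return {"ev1": ev1, "acts1": acts1, "ev2": ev2, "acts2": acts2, "ev3": ev3, "acts3": acts3,
            "expired_2h": expired_2h, "still_listed": still_listed, "expired_5h": expired_5h}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

An entry that expires with hits on record is reported as not clean so the handler can re-list it rather than silently return the asset to production; re-adding restarts the clock.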
It looks like a common request from multiple boards now is the ability to identify when a monitored device has not sent messages within a period of time (somewhat like the NIC heartbeat message, but not message specific).
Great news, this capability already exists in enVision. See post from Mark Nadir:
[[page no longer exists]]
We are mainly focused on insider threats so everything abnormal that the administrators are doing is of interest. I guess baselining would be an interesting way forward here:
- First define what is normal behaviour, for example logons to the system are ok between 08-17, and everything besides that should be alerted on. I know this can be achieved with scheduling the alert to have it enabled non-office hours, so this is how we will do it now.
- More baselining regarding logons would be of interest, for example persons logging on to sensitive systems they have not logged on to before could be interesting.
- I think the rules for example addition/deletion of an account within an hour are great rules to build further upon, so more rules like that are of interest for us.
Thanks much for your input! This is great feedback. We'll take this into account in our product planning.
I agree. We too are focused on insider threat, mainly that from elevated privilege administrator accounts across the 200+ person IT support organization.
One thing that constantly plagues us is that one IT person will move within the department, say he's a web server admin for a couple years and takes a transfer over to be a SQL DB admin on the DB team... from an Identity Management perspective, they're supposed to catch that and clean up the admin's group memberships accordingly so his/her accesses reflect only those required by the new position. In reality, this almost never happens. Over the years we've found several people who've had upwards of 3 or 4 transfers inside 15 years... and now maintain access to just about everything. So... the ability to baseline which administrators are logging into what systems, on average over a week, month, year, whatever, and then alert on when they show an increase in accessing systems they didn't previously hit would be of huge benefit.
In reflection of Tuesday's roadmap presentation by Don MacLennan, this aligns with the whole idea of bringing in non-log data from other outside sources (i.e. Identity Management systems) for additional relevance and meaning behind what you're seeing in the alerts.
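The three baselining rules asked for two posts up (off-hours logons, first-time logons to sensitive systems, account added and deleted within an hour) and the per-administrator "which systems does this person normally log in to" baseline asked for in the post above, worked together as one added example (not enVision rule logic and not either poster's code). It builds a per-user set of hosts from a history window and flags logons to any host outside that set, marking the sensitive ones. Event fields, the sensitive-host list, the sample events and the 08:00-16:59 office window are assumptions constructed for the example.

```python
"""Logon baselining for insider-threat monitoring.

Added example, not enVision rule logic. Event fields, hosts, sample data and
windows are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE_START, OFFICE_END = 8, 17        # logons expected from 08:00 up to (not incl.) 17:00
SENSITIVE_HOSTS = {"sql01", "hr-db01"}  # assumed list of sensitive systems
CHURN_WINDOW = timedelta(hours=1)

# Constructed history (the baseline period) and a constructed day of new events.
HISTORY = [
    {"type": "logon", "ts": datetime(2023, 12, 4, 9, 5), "user": "alice", "host": "web01"},
    {"type": "logon", "ts": datetime(2023, 12, 5, 10, 0), "user": "alice", "host": "web02"},
    {"type": "logon", "ts": datetime(2023, 12, 6, 11, 0), "user": "bob", "host": "sql01"},
]
TODAY = [
    {"type": "logon", "ts": datetime(2024, 1, 8, 9, 30), "user": "alice", "host": "web01"},   # normal
    {"type": "logon", "ts": datetime(2024, 1, 8, 22, 30), "user": "alice", "host": "sql01"},  # off-hours, new sensitive host
    {"type": "logon", "ts": datetime(2024, 1, 8, 10, 0), "user": "bob", "host": "sql01"},     # normal
    {"type": "logon", "ts": datetime(2024, 1, 8, 14, 0), "user": "bob", "host": "web03"},     # new, not sensitive
    {"type": "account_created", "ts": datetime(2024, 1, 8, 9, 0), "user": "alice", "account": "svc_tmp"},
    {"type": "account_deleted", "ts": datetime(2024, 1, 8, 9, 40), "user": "alice", "account": "svc_tmp"},
    {"type": "account_created", "ts": datetime(2024, 1, 8, 9, 0), "user": "bob", "account": "svc_keep"},
    {"type": "account_deleted", "ts": datetime(2024, 1, 8, 13, 0), "user": "bob", "account": "svc_keep"},
]


def build_baseline(history):
    """Map each user to the set of hosts they logged on to during the history window."""
    baseline = defaultdict(set)
    for e in history:
        if e["type"] == "logon":
            baseline[e["user"]].add(e["host"])
    return baseline


def check_logons(events, baseline):
    """Flag off-hours logons and logons to hosts the user has never used before."""
    alerts = []
    for e in events:
        if e["type"] != "logon":
            continue
        if not (OFFICE_START <= e["ts"].hour < OFFICE_END):
            alerts.append({"rule": "off_hours_logon", "user": e["user"],
                           "host": e["host"], "ts": e["ts"]})
        if e["host"] not in baseline.get(e["user"], set()):
            alerts.append({"rule": "new_host_for_user", "user": e["user"], "host": e["host"],
                           "sensitive": e["host"] in SENSITIVE_HOSTS, "ts": e["ts"]})
    return alerts


def check_account_churn(events, window=CHURN_WINDOW):
    """Flag an account created and then deleted within `window` (input need not be sorted)."""
    created, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "account_created":
            created[e["account"]] = e
        elif e["type"] == "account_deleted" and e["account"] in created:
            c = created.pop(e["account"])
            if e["ts"] - c["ts"] <= window:
                alerts.append({"rule": "account_create_delete_within_window",
                               "account": e["account"], "created_by": c["user"],
                               "deleted_by": e["user"], "lifetime": e["ts"] - c["ts"]})
    return alerts


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for a in check_logons(TODAY, base) + check_account_churn(TODAY):
        print(a)
```

The new-host rule is what catches the transferred administrator described above: once the baseline is rebuilt from the period after the transfer, any logon to a system from the old role shows up as a host outside the user's current set, and the "sensitive" flag lets the alert level differ for database or HR systems.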
How can you schedule alerts? I can't find a solution for that.
You don't schedule alerts like you would do with reports.
Alerts are selected and put into an alert view, as they operate in a real-time mode.
... or alternatively, you could contact your adversaries and evil-doers and simply ask them to attack around your desired schedule.
All joking aside, I think that would be a cool feature and although Matt is correct, I could see a couple good use cases for that. About the closest thing to what you're after might be the really cool idea that Dave Glover wrote about here, where you could consider placing your alerts into custom views and then script your different views to start/stop so they are basically on/off during your desired "schedule". This would in essence schedule the time window for which you could be alerted, but it doesn't exactly schedule the alert itself. You'd be dependent on the said alert to coincidentally fire during the time in which the view is enabled.
Thank you for the link. Starting and stopping a view from the command line, that was what I needed!
I'd like to see more inter-device correlation.
For example - if I see x activity on my firewall - followed by y activity on one of my Windows servers - I get an alert.
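The "x on the firewall, then y on a Windows server" request above, and the probe - attack - response template proposed earlier in the thread, worked together as one added example (not enVision rule logic and not either poster's code). A rule is an ordered list of stage predicates plus a time window; events from different devices are normalized to a common shape with an actor (source IP) and a target (host), and a chain completes only when every stage is seen in order for the same actor/target pair inside the window. Field names, the sample events, and the choice of Windows event IDs for the stages (4625 failed logon, 4624 successful logon, 4720 user account created) are assumptions for the example; the actor of a Windows event is taken to be the source network address of the session, which is also an assumption of the normalization.

```python
"""Ordered cross-device correlation (firewall x followed by Windows y), generalized
to the probe -> attack -> response stage template.

Added example, not enVision rule logic. Event shape, sample data and stage
definitions are constructed assumptions.
"""
from datetime import datetime, timedelta


class SequenceRule:
    def __init__(self, name, stages, window):
        self.name = name
        self.stages = stages     # ordered list of (stage_name, predicate)
        self.window = window
        self._chains = {}        # (actor, target) -> {"next": idx, "start": ts, "matched": [events]}

    def feed(self, event):
        """Advance chains with one event (feed events in time order).
        Returns an alert dict when a chain completes, else None."""
        key = (event["actor"], event["target"])
        chain = self._chains.get(key)
        if chain and event["ts"] - chain["start"] > self.window:
            del self._chains[key]          # stale chain: the event may start a fresh one
            chain = None
        if chain is None:
            if not self.stages[0][1](event):
                return None
            chain = {"next": 1, "start": event["ts"], "matched": [event]}
            self._chains[key] = chain
        elif self.stages[chain["next"]][1](event):
            chain["next"] += 1
            chain["matched"].append(event)
        if chain["next"] == len(self.stages):
            del self._chains[key]
            return {"rule": self.name, "actor": key[0], "target": key[1],
                    "stages": [s for s, _ in self.stages],
                    "first": chain["matched"][0]["ts"], "last": chain["matched"][-1]["ts"]}
        return None


# Stage predicates over normalized events (device, action / event_id are assumed fields).
def fw_deny(e):          return e["device"] == "firewall" and e.get("action") == "DENY"
def win_failed_logon(e): return e["device"] == "windows" and e.get("event_id") == 4625
def win_logon(e):        return e["device"] == "windows" and e.get("event_id") == 4624
def win_user_created(e): return e["device"] == "windows" and e.get("event_id") == 4720


def two_stage_rule():
    """The literal request: x on the firewall followed by y on a Windows server."""
    return SequenceRule("fw_deny_then_win_failed_logon",
                        [("fw", fw_deny), ("win", win_failed_logon)], timedelta(minutes=30))


def lifecycle_rule():
    """probe (firewall deny) -> attack (logon) -> response (new account)."""
    return SequenceRule("probe_attack_response",
                        [("probe", fw_deny), ("attack", win_logon), ("response", win_user_created)],
                        timedelta(hours=1))


def run(rule, events):
    """Feed events in timestamp order and collect completed-chain alerts."""
    return [a for e in sorted(events, key=lambda x: x["ts"]) if (a := rule.feed(e))]


# Constructed sample events from two devices, deliberately not in time order.
T0 = datetime(2024, 1, 1, 3, 0)
def _ev(offset, **fields):
    return {"ts": T0 + offset, **fields}

SAMPLE_EVENTS = [
    _ev(timedelta(0), device="firewall", actor="203.0.113.9", target="10.0.1.20", action="DENY"),
    _ev(timedelta(minutes=5), device="windows", actor="203.0.113.9", target="10.0.1.20", event_id=4625),
    _ev(timedelta(minutes=6), device="windows", actor="203.0.113.9", target="10.0.1.20", event_id=4624),
    _ev(timedelta(minutes=10), device="windows", actor="203.0.113.9", target="10.0.1.20", event_id=4720),
    # a different actor on the same host must not complete the chain above
    _ev(timedelta(minutes=7), device="windows", actor="10.0.0.50", target="10.0.1.20", event_id=4720),
    # the same pattern on another host, but spread past both rules' windows
    _ev(timedelta(0), device="firewall", actor="198.51.100.4", target="10.0.1.21", action="DENY"),
    _ev(timedelta(hours=2), device="windows", actor="198.51.100.4", target="10.0.1.21", event_id=4624),
    _ev(timedelta(hours=2, minutes=1), device="windows", actor="198.51.100.4", target="10.0.1.21", event_id=4720),
]

if __name__ == "__main__":
    for rule in (two_stage_rule(), lifecycle_rule()):
        print(run(rule, SAMPLE_EVENTS))
```

Joining on the actor/target pair is what makes this inter-device rather than per-device correlation: the firewall and the Windows host each see only their half of the sequence, and the rule only fires when both halves line up on the same pair within the window. Events that match no stage in the current position are ignored rather than resetting the chain, so an unrelated event in between does not hide the sequence.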