Transcription

Cyber Threat AnalyticsOn thisThe Cyber Threat Analytics app monitors security logs and network flows to detectmalware infections (for example, zero day attacks and ransomware), systemcompromise, lateral movement, pass-the-hash, pass-the-ticket, and other advancedthreats. SNYPR ingests data from sources such as firewalls, proxy, VPN, IDS, DNS,endpoints, and Netflow devices to baseline normal behavior and detect maliciouspatterns such as beaconing; connections to digitally generated domains; roboticbehavior; rare executables; and programs, lateral connections, and unusual webactivity.Actionable Security IntelligenceThe Securonix platform mines, enriches, and transforms SIEM events from HPArcSight, IBM Radar, McAfee ESM, Splunk, and others into actionable intelligence onthreats against the entire IT environment including critical business applications.Securonix integrates with SIEM products through a direct API connection, syslog, or adatabase connection where it picks up activity and event data. The platform hasconnectors leading to HR and identity management systems, bringing in more than 75standard and custom identity attributes, and pulls in detailed activity and entitlementinformation for application level deep monitoring from enterprise managementsystems such as SAP, SharePoint, and EPIC.Business ImpactFaster breach detectionReduce breach impactComprehensive threat response and investigationLower monitoring and management costsLower compliance costsReceive quantified, non-subjective threat and risk reportingKey Use CasesAnomalous program execution (rare process, path, MD5)Robotic traffic pattern to a malicious, uncategorized, or suspicious websiteSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 074859209661/20

CybAnalyticsConnections to digitally generated domainsUnusual DNS queriesPossible command and control (C&C) activitySpike in bytes out to external destinationsUnusual traffic pattern (application / port)Anglr exploit detectionsRare user agentsUnusual session durationConnections to blacklisted IP or domainsDDOS / port scan activityAbnormal number of failed or redirected requestsTargeted SPAM / phishing attemptsKey Threat ModelsMultiple threat indicators that occur in a pattern and involve similar entities tend tohave a much higher risk of being a real threat. Threat Models define these patterns,and combine policies and threat indicators to detect related behavior across multipledata sources to detect threats that might otherwise go unnoticed.Threat Model NameDescriptionLATERAL MOVEMENTDETECTIONThis threatmodel detectspossiblenetwork lateralmovementscenarioswhich aredeployed byattackers toprogressivelyspread througha network asthey search forkey assets anddataStageThreat IndicatorsAccount accessing ahost never accessedbeforeHost enumerationdetectedAUTHENTICATIONANOMALYUse of explicitaccount credentialsacross multiple nomalousprovisioning activitydetectedSUSPICIOUS USEOF PRIVILEGESSuspicious escalationof privilegesdetectedAnomalous networkshare objectsaccessedPROCESSANOMALYSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 07485920966Rare process/MD5detected2/20

Threat Model NameDescriptionStageThreat IndicatorsSuspicious creationof scheduled tasksSuspicious changesto registry settingdetectedTraffic to randomlygenerated domainsCOMPROMISED HOSTDETECTIONThis threatmodel aims toidentify hoststhat show signsof infectionandcompromise bycorrelatinghost andnetwork basedanomalies onthe same entityOUTBOUNDTRAFFICANOMALYTraffic to knownmalicious hostsdetectedAbnormal number ofrare domainsaccessedPossible C2communicationdetectedRare rotocol usageby process detectedRare user agentdetectedAPT DETECTIONThis threatmodel aims toidentifystealthycomputernetworkattacks inwhich amalicious actorgainsunauthorizedaccess to anetwork withan intention toremainundetected foran extendedperiodPossible phishingattemptRECONNetwork scanningand enumerationdetectedCircumvention ofcontrols detectedTraffic to randomlygenerated domainsDELIVERYDHCP trafficanomaly detectedTraffic to knownmalicious hostsdetectedEXPLOITActivity byterminated/dormantaccounts detectedDNS traffic sdetectedAccount accessing ahost never accessedbeforeSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 074859209663/20

Threat Model NameDescriptionStageThreat IndicatorsLandspeed anomalydetectedRare process/MD5detectedPossible C2communicationdetectedEXECUTEDNS amplificationanomalyCovert channelexfiltration detectedEXFILTRATIONPHISHINGThis threatmodel aims toidentifypossiblephishingattempts totarget userswithin theorganizationData egress vianetwork uploadsdetectedDetection oftargeted/spearphishing campaignsDetection of possiblespray phishingSUSPICIOUSINBOUND EMAILDetection ofpersistent phishingcampaigns – Similarsender from multipledomainsEmails from on ofsuspicious emailattachmentsTraffic to randomlygenerated domainsTraffic to knownmalicious hostsdetectedOUTBOUNDTRAFFICANOMALYAbnormal number ofrare domainsaccessedPossible C2communicationdetectedSuspicious proxyredirects detectedSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 074859209664/20

Threat Model NameDescriptionStageThreat IndicatorsRare process/MD5detectedPROCESSANOMALYSuspicious creationof scheduled tasksSuspicious changesto registry settingdetectedRare process/MD5detectedSUSPICIOUSPROCESSEXECUTIONUse of possible ADenumeration toolsetsUse of malicioustools and utilitiesdetectedDetection of possibleAD account/privilegeenumerationHOST/ACCOUNT ENUMERATIONON LDAPThis threatmodel aims toidentifypotentialassets oraccountsenumerationon the networkby maliciousentitiesNETWORKSCANNINGDetection of LDAPor SMB servicesenumerationDetection ofabnormal number ofKerberos serviceticket requestsDetection of portscanningAccounts accessing ahost for the first timeAUTHENTICATIONANOMALYUse of previouslyunseen accounts onthe networkAbnormal number offailed authenticationrequestsDetection of possiblepassword sprayingRECON FOLLOWED BYPOTENTIAL EXPLOITATIONThis threatmodel aims ollowed byindicators ofexploitEXTERNAL SCANNETWORKSCANNINGSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 07485920966Port scan fromexternal hostsHost enumerationfrom external hostsDetection of possibleAD account/privilegeenumerationDetection of LDAPservicesenumeration5/20

Threat Model NameDescriptionStageThreat IndicatorsDetection ofabnormal number ofKerberos serviceticket requestsDetection of spike inLDAP trafficDetection of SMBservicesenumerationRare process/MD5detectedPROCESSANOMALYSuspicious creationof scheduled tasksSuspicious changesto registry settingdetectedAccount accessing ahost never accessedbeforeNETWORKSCANNINGDETECTIONAbnormal number ofSMBv1 networkactivitySMBv1 scanninganomaly detectionWANNACRY MALWAREDETECTIONThis targetedthreat modelaims to identifyWannacrymalwarebehaviorTraffic to raredomainsOUTBOUNDTRAFFICANOMALYTraffic to randomlygenerated domainsTraffic to knownmalicious hostsdetectedTraffic to TOR exitnodesRare process/MD5detectedPROCESSANOMALYSuspicious creationof scheduled tasksSuspicious changesto registry settingdetectedNETWORK ANOMALYFOLLOWED BY DATAEXFILTRATIONThis threatmodel aims toidentifysuccessfulnetwork dataaggregationattemptsfollowed bysigns of dataexfiltrationNETWORKSCANNINGSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 07485920966Detection of possibleAD account/privilegeenumerationDetection of LDAPservicesenumeration6/20

outside of theDescriptionnetworkThreat Model NameStageThreat IndicatorsDetection ofabnormal number ofKerberos serviceticket requestsDetection of spike inLDAP trafficDetection of SMBservicesenumerationRare network shareobject accessedNETWORK DRIVEANOMALYAbnormal number ofnetwork shareobjects accessedAdmin object accessanomalyDATAAGGREGATIONDATAEXFILTRATION VIANETWORKAbnormal amount ofbytes downloadedvia SMB PortsAbnormal amount ofbytes downloadedvia FTP PortsAbnormal amount ofbytes transmitted viaFTP PortsAbnormal amount ofbytes transmitted viacovert channelAccount accessing ahost never accessedbeforeNETWORKSCANNINGDETECTIONAbnormal number ofSMBv1 networkactivitySMBv1 scanninganomaly detectionPETRWRAP/GOLDENEYE/NYETYAMALWARE DETECTIONThis targetedthreat modelaims to DACTIVITYPossible privilegeescalationUnusual IPC Adminshare accessDetection of auditlog tamperingRare process/MD5detectedPROCESSANOMALYSuspicious creationof scheduled tasksSuspicious changesto registry settingdetectedSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 074859209667/20

Threat Model NameDescriptionStageThreat IndicatorsSuspicious ProcessExecutionBLOODHOUND CRITICAL ATTACKThis threatmodel aims toidentify usageof Bloodhoundlike utilitiesthat aretargetedtowards ActiveDirectoryenumerationMalicious ProcessDetectionRare ProcessCreationSuspiciousapplication detectedNetwork AnomalyOutbound AnomalyNetwork Scanningand EnumerationData aggregationover networkPossible C2communicationSuspicious ProcessExecutionSAMSAM - GOLDLOWELLRANSOMWARE ATTACKThis targetedthreat modelaims to identifySamsammalwarebehavior.MaliciousProcess DetectedSuspiciousApplication DetectedNetwork AnomalyOutbound AnomalySPECTRE MELTDOWN ATTACKThis targetedthreat modelaims to identifySpectremeltdownattackbehaviorRare processexecutionSuspicious ProcessDetectionNetwork Scanningand EnumerationData aggregationover networkPossible C2CommunicationSuspicious processexecutionRare processcreationData egress overcloud collaborationPossible C2CommunicationData aggregationover networkPossible C2communicationSupported Datasources by FunctionalityThe following datasources are recommended to run the applicable use cases in theapplication:FunctionalityDatasource(s)Secure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 074859209668/20

FunctionalityDatasource(s)Antivirus / Malware / EDRCheck Point Anti-malware; CheckpointSmartDefense; Cisco Intrusion DetectionSystem; Cisco SourceFire; CiscoSourceFire FireAMP; Cisco SourceFireIntrusion Sensor; Cybereason EndpointSensor; Darktrace;Secureworks iSensor;FireEye EX; FireEye HX; FireEye NX;EnCase Security; McAfee EPO VirusScan;Malwarebytes; Panda Security EndpointProtection; Qualys; Symantec EndpointProtection; Trend Micro Deep DiscoveryInspector; Trend Micro Deep SecurityAgent; Trend Micro Deep SecurityManager; Trend Micro Control ManagerEmail / Email Security (inbound)Ironport Email Security Appliance; McAfeeIronMail Email Gateway; Office 365Exchange; Proofpoint Email Gateway;SureView Email; Symantec MessageSecurity Gateway; SymantecMessageLabs; Symantec MessagingSecurity GatewayFirewall / NGFW / WAFAkamai Web Application Firewall; JuniperFirewall; Juniper Junos Router; BarracudaNetworks Load Balancer; Check PointFirewall; Cisco Adaptive SecurityAppliance; Fortinet Firewall; JuniperNetscreen Firewall; Juniper SRX Firewall;JunOS Pulse Firewall; McAfee Firewall;McAfee Sidewinder; Microsoft ForefrontThreat Management Gateway Firewall;Palo Alto Network NextGeneration Firewall; Sonicwall GlobalManagement System; Fortigate UTM;ASM Web Application Firewall; ImpervaWAFNetflowNETSCOUT nGeniusWeb ProxyBluecoat Proxy; Cisco ASA FirepowerURL; Cisco Ironport Web SecurityAppliance; Cisco Web Security; ForefrontThreat Management Gateway; ibossProxy; IronPort Web Security Appliance;McAfee Web Gateway; SureView HTTP;Websense Proxy; ZscalerDLP/ EndpointMcAfee DLP; ObserveIT; ProofpointThreat Response ; Digital Guardian;Symantec DLP; Symantec DLP Endpoint;Websense Triton DLP; McAfee nDLP;McAfee Network DLPIDS/IPSIBM IDS/IPS; McAfee EPO HIDS/HIP;McAfee Network IPSTPIDarktrace TPI;Note: The examples listed here may not represent a complete list of datasources forthese functionalities. See Connectors by Functionality to view the list of connectors bySecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 074859209669/20

functionality.Required DataSNYPR connectors include built-in parsers that split raw event data into meaningfulkey-value pairs and map the fields to corresponding attributes in the Securonix eventschema. The following fields are required for each functionality to support the usecases for this packaged application:Data TypeRecommended attributessrc-address (IP)Bytes inBytes OutActionStatusCategoryHttpMethod (GET / POST)Destination IPProxyDestination HostURLSource PortDestPortUsernameUser AgentTransactionrefererurlurl tionPortDeviceAddressNumber of Flows in PacketNumber of PacketsTCP FlagTCP Flag Message DescriptionSource AddressSource PortAd tosSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096610/20

Data TypeRecommended attributesprotocolsubnetseveritysrc macClass NameType NameobjectnameResponse Code NameRawDNS Record TypeHostAddressdst ipdst macDNSsrc ipsrc portGrid Master IPMessage Texthostnameapplicationdomaindst imeActionbytes receivedbytes sentapplicationcategoryclientipprotocolsource portdestination portdirectiondst hostnamedst zonedest ipSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096611/20

Data TypeRecommended attributesseveritysession idTransactionAccountnameapp:has known vulnerabilityapp:categoryapp:subcategoryDVSDGA ScoreUser Agent ScoreROC CenterROC WeightAccountnameSource IPDatetimeFilenameFilepathMacaddressThreat description/categoryProtocolThreat LabelIDS/IPS/Endpoint ProtectionThreat Sub sThreat name/ virus wordsTimeCreatedCorrelationSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096612/20

Data TypeRecommended attributesChannelComputerSecurity earedBysystrack-rpt CCOUNT eApplicationTypesystrack-rpt t application faultsApplicationNameSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096613/20

Data TypeRecommended ack-rpt esystrack-rpt firewall rtNumbersystrack-rpt firewall rstFaultTimeApplicationProtocolsystrack-rpt net ecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096614/20

Data TypeRecommended ssystrack-rpt network askAppliedMACAddressSystemIdAccountIDsystrackrpt software package geLoadTimesystrack-rpt web usageTimeOnPageTimetoLiveURLUserNameKey Threat IndicatorsThreat Indicators are used to categorize the type of behavior or threat for a policy andcan be used across multiple policies for different datasource functionalities. Threatindicators can be chained together into threat models to identify sophisticatedattacks across multiple datasources.Threat IndicatorAbnormal Administrative Share Access AnomalyAbnormal amount of data exfiltrated over covert channelsAbnormal application load timesAbnormal memory utilized by an applicationAbnormal number of account lock out eventsAbnormal number of accounts on account creationAbnormal number of accounts on account lockoutsAbnormal number of accounts on failed authentication attemptsAbnormal number of accounts on RDP auth attemptsSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096615/20

Threat IndicatorAbnormal number of accounts on runAbnormal number of application installation failuresAbnormal number of blocked events for external trafficAbnormal number of bytes transmitted to storage based websitesAbnormal number of connections to critical ports null scanAbnormal number of connections to critical ports xmas scanAbnormal number of connections within a subnetAbnormal number of device unlock attemptsAbnormal number of discover requests from a clientAbnormal number of DNS zone transfersAbnormal number of dns zone transfers - FirewallAbnormal number of events on LDAP portAbnormal number of failed requests - FirewallAbnormal number of failed requests to non Alexa domainsAbnormal number of faults for an applicationAbnormal number of hosts on account creationAbnormal number of hosts on account lockoutsAbnormal number of hosts on failed authentication attemptsAbnormal number of hosts on RDP auth attemptsAbnormal number of hosts on runAbnormal number of ICMP connectionsAbnormal number of kerberos pre authentication failuresAbnormal number of NXDOMAIN results for an endpointAbnormal number of packets to critical portsAbnormal number of profile change attemptsAbnormal number of RDP connection attemptsAbnormal number of requests to a DHCP serverAbnormal number of RPC requestsAbnormal number of SSH connection attemptsAbnormal number of SYN packets transmittedAbnormal number of telnet requestsSecuronix ConfidentialAbnormal number of UDP connections Fraggle AttackAbnormal object or network share access attemptsAbnormal volume of DNS Traffic by Single IPAccount accessing a host for the first timeAccount added and removed to security groupAccount Created and Deleted within a short timeAccount Enabled and then Disabled within a short timeSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096616/20

Threat IndicatorAccount enabled and then disabled within short timeActivity performed by terminated userAnomalous LDAP enumerationAnomalous NTP enumeration attemptAnomalous SNMP enumerationAnomalous WS Remote Management enumerationAttempted exfiltration via ICMPAttempts to Reset Domain Admin PasswordAudit Log TamperingBackdoor account detectionBruteForce - Higher than normal logon failureData exfiltration from DNS tunnelingDetect creation of local accountsDetect cross site scripting attemptsDetect Firewall Getting DisabledDetect possible sql injectionDetect possible sql injectionDetection directory traversal attemptsDetection of beaconing traffic patternDetection of Changes to Firewall SettingsDetection of Domain Trust AdditionsDetection of member additions to built-in Windows admin groupsDGA host detected in DNS requestDGA host resolving to multiple IP addressesDGA host resolving to multiple IP addresses - FirewallDNS Server(s) not seen beforeDNS Server(s) not used by PeersDomains Resolved to Malicious IPsExplicit credentials - Account sharing or Password misuseFast flux Domains / Dynamic DNS DomainsFirewall - DGA Host DetectedFirewall - Rare Domains VisitedHigh number of accounts from the same ipaddress for authentication failures or lockouteventsHigh number of accounts from the same ipaddress for successful authentications or runas eventsSecuronix ConfidentialHigh number of accounts used on a workstation for authentication failures or lockouteventsSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096617/20

Threat IndicatorHigh number of accounts used on a workstation for successful authentications or run aseventsHigh Number of bytes transmittedHigh number of bytes transmitted over DNS - firewallHigh number of hosts accessed for authentication failures or lockout eventsHigh number of hosts accessed for successful authentication events or run as eventsHigh number of hosts accessed while enumerating critical portsHigh number of redirected/blocked attemptsHigh number of run as activity across hostsHigh number of server errorsHosts with disabled AVHosts with outdated AVInteractive Logon by Service AccountLocal Account CreatedLogon using Explicit Credentials by Rare Process into Rare AccountLogon using Explicit Credentials into Rare AccountMultiple DGA hosts detected for the same endpointMultiple DGA hosts detected for the same endpoint - FirewallMultiple hosts accessed within a subnetNew admin account detectedNon compliant hostsOutbound DNS requests from internal workstationsPassword Reset AnomalyPossible Account EnumerationPossible port scan- FirewallPossible Privilege EnumerationPossible Privilege Escalation - Account Added and Removed from Security EnabledGroupsPossible Privilege Escalation - Self EscalationPossible Telnet Scan DetectedPossible use of unauthorized devices - MAC address never seen beforeProxy - DGA Host DetectedProxy - Rare Domains VisitedProxy - Rare User Agent UsedRare application and protocol combination - FirewallRare application installation detectedRare destination port for a process on outbound connections detectedRare DHCP server accessedRare dll process and path combinationRare dll used by a process - endpoint monitoringSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096618/20

Threat IndicatorRare DNS domain queriedRare dns host used - FirewallSecuronix ConfidentialRare DNS hosts detected in the organizationRare file hash detected across the resourceRare function used by dllRare Geolocation detected by resourceRare logon process detected for an accountRare logon type detected for an accountRare object access attemptsRare parent process and process creationRare path for a applicationRare path of execution detected for outbound trafficRare Port AccessedRare port and application combination - FirewallRare port for applicationRare process creationRare process execution detected for outbound trafficRare Request Method utilizedRare User- Agent detectedRarity in Privilege level for new logonRarity in Token Elevation for ProcessRegistry Modification AttemptsReplay attack detectionService account interactive logonService or Process creation on rare pathSMB or NetBIOS enumeration anomalySMB scanning anomaly detectionSpike in Account CreationSpike in number of run-as activitySpike in Password ResetsSpike in Remote Logon AttemptsSuspicious exfiltration attempts over known file transfer portsSuspicious Service or Process creationTerminated user performing activityThreat Intel Collision - Firewall Domains VisitedThreat Intel Collision - Firewall Malicious IPThreat Intel Collision - Proxy Domains VisitedThreat Intel Collision - Proxy Malicious IPSecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096619/20

Threat IndicatorUnauthorized VPN usageUnusual Process For Host Heuristics AnomalyUse of RegeditUser accessing password hashWIP- Unusual IPC Administrative Share Access AnomalySecure Online Desktop s.r.l. - www.secure-od.comVia dell’Annunciata 27 – 20121 MilanoTel. 39 0522 16 85 330 - P.IVA 0748592096620/20

The Cyber Threat Analytics app monitors security logs and network flows to detect malware infections (for example, zero day attacks and ransomware), system compromise, lateral mov