© Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
TB3288 - Leveraging Advanced Persistent Threat (APT) Threat Indicator Feeds with Enterprise SIEM/SEM to Improve Cyber Security Incident Detection Accuracy
Tom Baltis, Deputy Chief Information Security Officer, Blue Cross & Blue Shield of IL, TX, NM, OK, MT
Jeff Holland, Security Architect, Blue Cross & Blue Shield of IL, TX, NM, OK, MT
Blue Cross and Blue Shield of Illinois, Blue Cross and Blue Shield of Montana, Blue Cross and Blue Shield of New Mexico, Blue Cross and Blue Shield of Oklahoma, and Blue Cross and Blue
Shield of Texas, divisions of Health Care Service Corporation, a Mutual Legal Reserve Company, and Independent Licensee of the Blue Cross and Blue Shield Association
Outline
I. Need for APT indicator feed integration with ESM and overview
II. Framework benefits and template
III. Example use cases
  1. Gaps in anti-virus detection
  2. Improperly categorized domains in web proxy logs
  3. Data exfiltration from malware-infected hosts
IV. Summary and recommendations
Introduction
Siloed monitoring methods, such as anti-virus, intrusion detection systems, and firewalls, don’t always detect advanced malware infections and other potential incidents.
- Today’s malware is polymorphic in nature and easily bypasses signature-based detection tools
- Bot-infected hosts communicate back with command and control servers over HTTP/HTTPS through the firewall
- Malware drop sites rapidly change their domain/IP, making it difficult for proxy technologies to blacklist them
Integrating Advanced Persistent Threat (APT) feeds with ArcSight ESM will increase incident detection accuracy.
This presentation will enable you to:
1) Update ArcSight with advanced content that uses threat indicator feeds
2) Apply a framework to systematically create and document this content
Threat Data Feed Sources
External threat data feeds provide capabilities not readily available internally:
- Larger sample sizes of IPs/domains
- More use cases supported: malware, APT, fraud, phishing, DDoS
- Richer data than just IPs/domains: URLs, file names, emails, etc.
- Multiple data collection methods: web scraping, email lists, honeynets, etc.
Examples of Open Source Threat Feeds
- zeustracker.abuse.ch/blocklist.php?download=domainblocklist
- rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
- malwaredomainlist.com/mdlcsv.php
- dshield.org/feeds/suspiciousdomains_High.txt
Examples of Commercial Threat Feeds
- HP/ArcSight RepSM
- ThreatStream
Integrating Threat Feeds with ESM
Once threat feeds are identified and selected, they must be integrated with ESM.
Open Source
1. Download open source lists
2. Parse data feeds and normalize into a common format
3. Write or customize a flexconnector to read that common format
4. Import threat feed to ESM with the new flexconnector
5. Load data into Active Lists using rules
Commercial Source
1. Utilize a commercial product that aggregates the threat intel data, e.g.
   - HP/ArcSight RepSM
   - ThreatStream
2. Import threat feed to ESM with a connector (e.g. CEF Syslog) or a flexconnector
3. Load data into Active Lists using rules
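Steps 1 to 3 of the open-source path (download, parse, normalize into a common format a flexconnector can read) worked through in code. This is an added example, not content from the deck and not ArcSight's own flexconnector format: it parses three constructed feed bodies laid out like the feeds listed earlier (a one-domain-per-line list with "#" comments, a one-IP-or-CIDR-per-line list, and an MDL-style CSV), classifies each indicator, merges an indicator that appears in several feeds, and writes one CSV. The sample feed contents, the column names of the common format and the per-feed confidence values are assumptions.

```python
import csv
import io
import ipaddress
import re

# Constructed sample feed bodies that mimic the layouts of the feeds named on the
# slide (not real downloads; the indicators are documentation/test addresses).
ZEUS_DOMAIN_FEED = """\
# ZeuS domain blocklist (constructed sample)
bad-drop-site.example
c2.panel.example
"""
ET_BLOCK_IPS_FEED = """\
# Emerging Threats block list (constructed sample): one IP or CIDR per line
203.0.113.0/24
198.51.100.17
"""
# MDL-style CSV (constructed): date, url, ip, reverse lookup, description, registrant
MDL_CSV_FEED = (
    '"2014/05/01_10:00","bad-drop-site.example/g.php","198.51.100.17","-","Trojan dropper","-"\n'
    '"2014/05/02_11:30","192.0.2.55/in.php","192.0.2.55","-","Exploit kit","-"\n'
)

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]+\.)+[a-z]{2,}$", re.I)
CONF_RANK = {"low": 0, "medium": 1, "high": 2}   # assumed confidence scale


def classify(indicator):
    """Return 'ip', 'cidr', 'domain' or None for one indicator string."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(indicator, strict=False)
        return "cidr"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(indicator) else None


def record(indicator, kind, source, confidence):
    return {"indicator": indicator.lower(), "type": kind,
            "source": source, "confidence": confidence}


def parse_line_feed(text, source, confidence):
    """One indicator per line; blank lines and '#' comments are skipped, and a line
    that is not an IP, CIDR or domain is dropped rather than imported as garbage."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind:
            records.append(record(line, kind, source, confidence))
    return records


def parse_mdl_csv(text, source, confidence):
    """MDL-style CSV: the URL column yields a domain (when its host is one), the IP column an IP."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 5:
            continue
        host = row[1].split("/", 1)[0]
        if classify(host) == "domain":
            records.append(record(host, "domain", source, confidence))
        if classify(row[2]) == "ip":
            records.append(record(row[2], "ip", source, confidence))
    return records


def normalize_feeds():
    """Merge all feeds into the common format keyed by (type, indicator); an indicator
    seen in several feeds keeps every source name and the highest confidence."""
    merged = {}
    all_records = (parse_line_feed(ZEUS_DOMAIN_FEED, "zeustracker", "high")
                   + parse_line_feed(ET_BLOCK_IPS_FEED, "emergingthreats", "medium")
                   + parse_mdl_csv(MDL_CSV_FEED, "malwaredomainlist", "medium"))
    for rec in all_records:
        key = (rec["type"], rec["indicator"])
        if key not in merged:
            merged[key] = {"indicator": rec["indicator"], "type": rec["type"],
                           "sources": {rec["source"]}, "confidence": rec["confidence"]}
            continue
        merged[key]["sources"].add(rec["source"])
        if CONF_RANK[rec["confidence"]] > CONF_RANK[merged[key]["confidence"]]:
            merged[key]["confidence"] = rec["confidence"]
    return merged


def to_common_csv(merged):
    """Serialize the common format as CSV; this is the file a flexconnector would read."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["indicator", "type", "sources", "confidence"])
    for key in sorted(merged):
        r = merged[key]
        writer.writerow([r["indicator"], r["type"], "|".join(sorted(r["sources"])), r["confidence"]])
    return out.getvalue()


if __name__ == "__main__":
    print(to_common_csv(normalize_feeds()))
```

Keeping the source names on each merged record is what later lets an analyst judge false positive sensitivity per feed (framework step 1) once the list is in ESM; an indicator corroborated by two feeds and one seen in a single feed look identical without it.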
Extending Threat Detection Capabilities
- Past presentations have shown how rules can be written to identify when internal hosts connect to a malicious IP/domain found in the active lists.
- Leveraging previous work in this area, a software development methodology approach, and advanced ESM features such as rule chaining, we created a framework to help develop advanced content.
- We will apply the framework to demonstrate key benefits using three use case examples.
Benefits of the Threat Feed Use Case Framework
In order to take threat detection correlation beyond just knowing when a host connects to a malicious IP or domain, we propose a threat use case framework that provides the following benefits:
- Higher incident detection accuracy
- An opportunity to identify missing data sources related to the content you want to develop, and to document them
- Improved investigation quality by enabling systematic and creative problem solving (e.g. reducing investigation false positives)
- Creation of a knowledge base for threat lists, their content, false positive sensitivity, etc.
Overview of the Threat Feed Use Case Framework
Apply this framework to create use cases and associated content:
1. Determine what feeds are available, what intelligence they provide, and what their false positive rate is (e.g. Low, Medium or High)
2. Determine what complementary log sources are available (e.g. firewall, (N)IDS, anti-virus, malware protection, file integrity, etc.)
3. Determine gaps in current logging sources that need to be addressed, and those that threat intel can help bridge
4. Outline the content logic, paying attention to any rule chaining or watchlist linkages
5. Create proof-of-concept content and test it with live data, if possible
Advanced Correlation Use Cases Using Threat Data
We utilized the framework to create three use case examples that leverage threat data to:
1. Identify potential gaps in anti-virus reporting when a malware-infected host is not being detected
2. Detect when a web proxy solution is not properly blocking a host connecting to a malicious site
3. Identify potential data exfiltration from a malware-infected host using firewall events
Use Case 1: Potential Gaps in Anti-Virus
- A rule fires when an internal host connects to an IP identified as a malware drop site.
- The return traffic from the malicious IP to the internal host is observed.
Use Case 1: Potential Gaps in Anti-Virus (cont.)
- The threat intel content adds the internal user to a possibly compromised active list (watchlist).
Use Case 1: Potential Gaps in Anti-Virus (cont.)
- Another rule looks for anti-virus events for the internal host. If this rule doesn’t fire, a malware-infected host was not detected by the anti-virus system, i.e. a gap exists.
Use Case 1: Potential Gaps in Anti-Virus (cont.)
- If an anti-virus base event is observed for the same host, the rule removes the internal host from the watchlist and creates a case indicating a compromised host has been confirmed.
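The rule chain on the preceding four slides, simulated end to end as an added Python example (not ArcSight rule content): a firewall event to a drop-site IP in the active list followed by return traffic from that IP adds the host to a "possibly compromised" watchlist; an anti-virus event for that host removes it and opens a confirmed-compromise case; a host that sits on the watchlist with no anti-virus event for the whole window is expired as an anti-virus gap and gets its own case. The event field names, the 30-minute window and the sample events are assumptions.

```python
from datetime import datetime, timedelta

# Active list of malware drop-site IPs (constructed; in ESM it is filled from the feeds).
MALWARE_DROP_SITES = {"198.51.100.17", "192.0.2.55"}
# Assumed: how long the anti-virus rule waits for a detection before declaring a gap.
AV_WINDOW = timedelta(minutes=30)


class UseCase1Correlator:
    def __init__(self):
        self.pending = {}     # (internal host, drop site) -> time of the outbound hit
        self.watchlist = {}   # "possibly compromised" active list: host -> time added
        self.cases = []       # cases the rules created

    def on_event(self, ev):
        if ev["type"] == "firewall":
            self.rule_drop_site_traffic(ev)
        elif ev["type"] == "antivirus":
            self.rule_av_confirms(ev)
        self.rule_av_gap(ev["time"])

    def rule_drop_site_traffic(self, ev):
        src, dst, t = ev["src"], ev["dst"], ev["time"]
        if dst in MALWARE_DROP_SITES:
            # first condition: an internal host connects to a drop-site IP
            self.pending[(src, dst)] = t
        elif src in MALWARE_DROP_SITES and (dst, src) in self.pending:
            # second condition: return traffic from that IP to the same host
            del self.pending[(dst, src)]
            self.watchlist.setdefault(dst, t)

    def rule_av_confirms(self, ev):
        host = ev["host"]
        if host in self.watchlist:
            del self.watchlist[host]
            self.cases.append({"host": host, "verdict": "compromised-confirmed",
                               "time": ev["time"], "detail": ev["signature"]})

    def rule_av_gap(self, now):
        # A real engine drives this from a timer; here it runs on every event.
        for host, added in list(self.watchlist.items()):
            if now - added >= AV_WINDOW:
                del self.watchlist[host]
                self.cases.append({"host": host, "verdict": "av-gap", "time": now,
                                   "detail": "no anti-virus event within window"})


def run_use_case_1(events):
    c = UseCase1Correlator()
    for ev in sorted(events, key=lambda e: e["time"]):
        c.on_event(ev)
    return c


T0 = datetime(2014, 9, 8, 9, 0, 0)
SAMPLE_EVENTS = [   # constructed event stream
    {"type": "firewall", "time": T0, "src": "10.1.1.20", "dst": "198.51.100.17"},
    {"type": "firewall", "time": T0 + timedelta(seconds=1), "src": "198.51.100.17", "dst": "10.1.1.20"},
    {"type": "antivirus", "time": T0 + timedelta(minutes=5), "host": "10.1.1.20", "signature": "Trojan.Dropper"},
    {"type": "firewall", "time": T0 + timedelta(minutes=10), "src": "10.1.1.30", "dst": "192.0.2.55"},
    {"type": "firewall", "time": T0 + timedelta(minutes=10, seconds=1), "src": "192.0.2.55", "dst": "10.1.1.30"},
    {"type": "firewall", "time": T0 + timedelta(minutes=50), "src": "10.1.1.40", "dst": "203.0.113.9"},  # benign
]

if __name__ == "__main__":
    for case in run_use_case_1(SAMPLE_EVENTS).cases:
        print(case)
```

Host 10.1.1.20 is confirmed by its anti-virus event; host 10.1.1.30 never gets one and is reported as an anti-virus gap once the window elapses. The two case verdicts are what feed the detection metrics the slides mention: the ratio of "av-gap" to "compromised-confirmed" cases over time is a direct measure of signature-based anti-virus coverage.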
Use Case 1: Potential Gaps in Anti-Virus (cont.)
A potentially infected internal host connects to an IP address identified as a malware drop site.
By using the APT feeds and the framework, you will be able to:
- Identify gaps in signature-based anti-virus tools
- Identify potential false positives in threat data if the investigation finds no malware infection
- Investigate cases to determine if the host is actually compromised
- Derive malware infection detection metrics through auto case creation
Use Case 2: Improperly Categorized Domains in Web Proxies
- A threat intel rule fires when an internal user connects to a malicious domain.
- The web proxy doesn’t block the traffic because the malicious domain has not been categorized by the vendor.
Use Case 2: Improperly Categorized Domains in Web Proxies (cont.)
- If the multi-event join rule fires, a case is generated for investigation and the internal host is added to a possibly compromised active list.
Use Case 2: Improperly Categorized Domains in Web Proxies (cont.)
A potentially infected internal host connects to a malicious domain that was not categorized by the web proxy vendor.
By using the APT feeds and the framework, you will be able to:
- Identify web users connecting to a potentially malicious site that the web proxy technology missed
- Provide feedback to the web proxy product vendor to improve the product
- Identify potential false positives in threat data if the investigation finds no malware infection
- Investigate cases to determine if the host is actually compromised
- Derive malware infection detection metrics through auto case creation
Use Case 3: Data Exfiltration from a Malware-Infected Host
- Firewall logs indicate a permitted connection from the internal DHCP pool to an external IP of more than 500 bytes, as seen below
- A rule identifies a possible data exfiltration by matching the destination IP to a threat data active list containing malicious IPs
Use Case 3: Data Exfiltration from a Malware-Infected Host (cont.)
- If a match is found, the rule adds the source IP/destination IP pair to a suspicious watchlist with a TTL and creates a case for investigation
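The use case 3 rule as an added Python example (not ArcSight rule content): each firewall event is tested for the four conditions on the slides (permitted, source in the DHCP pool, more than 500 bytes, destination in the malicious-IP active list), a matching source/destination pair goes onto a watchlist with a TTL, and a case is opened only for a pair that is not already on the list, so one infected host beaconing repeatedly produces one case per TTL rather than one per connection. The DHCP range, the one-hour TTL, the event field names and the sample events are assumptions; the 500-byte threshold is the one from the slide.

```python
import ipaddress
from datetime import datetime, timedelta

DHCP_POOL = ipaddress.ip_network("10.20.0.0/16")   # assumed internal DHCP range
MALICIOUS_IPS = {"198.51.100.17", "192.0.2.55"}     # threat data active list (constructed)
BYTE_THRESHOLD = 500                                # from the slide; user-defined in practice
PAIR_TTL = timedelta(hours=1)                       # assumed TTL of the suspicious watchlist


class ExfilWatch:
    def __init__(self, pool=DHCP_POOL, threshold=BYTE_THRESHOLD, ttl=PAIR_TTL):
        self.pool, self.threshold, self.ttl = pool, threshold, ttl
        self.watchlist = {}   # (src, dst) -> expiry time
        self.cases = []

    def matches(self, ev):
        """The rule conditions from the slide, evaluated on one firewall event."""
        return (ev["action"] == "permit"
                and ipaddress.ip_address(ev["src"]) in self.pool
                and ev["bytes_out"] > self.threshold
                and ev["dst"] in MALICIOUS_IPS)

    def expire(self, now):
        for pair, exp in list(self.watchlist.items()):
            if exp <= now:
                del self.watchlist[pair]

    def on_event(self, ev):
        """Return 'case', 'refreshed' or None so the caller can see what the rule did."""
        now = ev["time"]
        self.expire(now)
        if not self.matches(ev):
            return None
        pair = (ev["src"], ev["dst"])
        if pair in self.watchlist:
            # Pair already under investigation: extend its TTL instead of opening a
            # duplicate case (an assumption about the desired de-duplication behaviour).
            self.watchlist[pair] = now + self.ttl
            return "refreshed"
        self.watchlist[pair] = now + self.ttl
        self.cases.append({"src": ev["src"], "dst": ev["dst"], "bytes": ev["bytes_out"],
                           "time": now, "summary": "possible exfiltration to threat-listed IP"})
        return "case"


def run_use_case_3(events):
    w = ExfilWatch()
    results = [w.on_event(ev) for ev in sorted(events, key=lambda e: e["time"])]
    return results, w


T0 = datetime(2014, 9, 8, 14, 0, 0)


def fw(minutes, action, src, dst, bytes_out):
    """Build one constructed firewall event `minutes` after T0."""
    return {"type": "firewall", "time": T0 + timedelta(minutes=minutes),
            "action": action, "src": src, "dst": dst, "bytes_out": bytes_out}


SAMPLE_FW_EVENTS = [   # constructed
    fw(0,   "permit", "10.20.5.7", "198.51.100.17", 4096),  # new pair -> case
    fw(5,   "permit", "10.20.5.7", "198.51.100.17", 2048),  # same pair within TTL -> refreshed
    fw(6,   "permit", "10.20.5.7", "198.51.100.17", 120),   # below threshold -> ignored
    fw(7,   "permit", "10.9.9.9",  "198.51.100.17", 9000),  # not in DHCP pool -> ignored
    fw(8,   "deny",   "10.20.8.1", "192.0.2.55",    3000),  # blocked by firewall -> ignored
    fw(9,   "permit", "10.20.8.1", "192.0.2.55",    3000),  # new pair -> case
    fw(120, "permit", "10.20.5.7", "198.51.100.17", 700),   # TTL expired -> case again
]

if __name__ == "__main__":
    results, watcher = run_use_case_3(SAMPLE_FW_EVENTS)
    print(results)
    print(watcher.cases)
```

The fourth sample event (a server outside the DHCP pool) is deliberately ignored: the rule as written on the slides scopes itself to DHCP clients, so server-to-threat-IP traffic would need a separate use case with its own threshold rather than a widened pool.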
Use Case 3: Data Exfiltration from a Malware-Infected Host (cont.)
A potentially infected internal host sends “significant” traffic to an IP address on the APT list and may be communicating with a command and control server.
By using the APT feeds and the framework, you will be able to:
- Identify potential data exfiltration between an internal host and a malicious external IP based upon a user-defined threshold
- Identify potential false positives in threat data if the investigation finds no malware infection
- Investigate cases to determine if the host is actually compromised
- Derive malware infection detection metrics through auto case creation
Conclusion and Recommendations
Benefits
- Threat-based use cases help derive value from integrating APT feeds with ESM to solve security issues such as identifying malware-infected hosts
- A use case framework facilitates creating correlation content that improves incident detection accuracy
- Use cases can be developed to verify the accuracy of other event sources such as web proxy logs
- Auto case creation from rules can help derive metrics
To apply what you’ve learned, we recommend the following:
- Identify and adopt an appropriate knowledge base system
- Apply the framework to create use cases and update the knowledge base
- Execute the use cases to create content
Please fill out a survey and hand it to the door monitor on your way out. Thank you for providing your feedback, which helps us enhance content for future events.
Session TB3288, speakers Tom Baltis and Jeff Holland. Please give us your feedback.
Thank you
