Tag Archives: Arcsight

Analytical tool usage: getting faster

Posted on 2012-02-29 | Leave a comment

I don’t know how people get anything done in text editors that lack regex support. But then, I also don’t understand analysts doing full-text log searches instead of using fields (assuming your tool actually parses data into a structured format). And why do analysis of really large logs without parsing them first? Structured data will make it so much faster. So occasionally something happens that reminds me how much tools matter, both in terms of speed and scope. Today’s post will talk a little about getting faster by using the right tools in the right way, using a simple and straightforward log analysis example. Tomorrow’s post will talk a little more about getting better, using an equally simple and straightforward threat intelligence example.

Structured log queries

Let’s take an example here. Perhaps someone has given us a “known bad” IP address (we’ll use 192.168.13.37) and we want to check whether that address appears in our logs over, say, the previous 30 days. We work in an ArcSight shop, so we fire up the Logger interface. An uninformed analyst might simply paste the address into the query box. Such an analyst will almost certainly not get results as quickly as he’d like, and in fact might not get them. This happens because he’s doing a full text search over every row in the database, restricting only by date. (If he hasn’t even done that, then he really needs some coaching.) So the database literally has to search every field, at any start position, trying to match that literal pattern.

But then a hero appears out of the darkness, wielding knowledge for great justice! He looks at the indicator, decides that he will err on the side of caution and look for inbound or outbound traffic related to that address, and quickly writes:

sourceAddress="192.168.13.37" OR destinationAddress="192.168.13.37"

In some circumstances, our hero may encapsulate those two conditions in parentheses and restrict the search to firewall records:

categoryDeviceGroup="/Firewall" AND (sourceAddress="192.168.13.37" OR destinationAddress="192.168.13.37")

This depends on the environment in question, because this would eliminate (say) any web server logs that show activity from that address. I rarely restrict these types of searches like that, but I’ve run into situations where it made sense to do so as part of a larger set of searches.

By the way, assuming we have fairly large firewall records, we definitely do not want to dump them into a directory and just grep for the address:

grep -r 192\.168\.13\.37

As much as I love grep (and its friends sed, awk, et al.), this method will simply not perform as well in this sort of situation, for precisely the reasons stated above. However, with small enough data volume, you can get away with this.

regex for indicator sets

Now our intrepid analyst team receives a new set of intel, only this time we have multiple addresses, as in:


10.31.80.08
10.5.13.37
...
10.0.3.14

Should we run several searches, one after the other? Of course not, because then we’d miss the opportunity to do it all at once. So we load the list into our trusty text editor. If you think this means “Notepad”, or even “Wordpad”, then you need to call upon our hero from the previous section. We should instead regard any “text editor” that does not support regular expressions as a toy unworthy of the name.

Personally, I use gvim (a vi derivative with a GUI, available for most platforms). But I understand that others prefer other power tools like Notepad++ or TextMate. While I look at such tools with suspicion due to their newfangledness, we live in a multilateral society and thus all may join us in free association.

In gvim, I would issue a couple of commands:

:%s/^/sourceAddress\=\"/
:%s/$/\" OR /

This leaves us with the following:

sourceAddress="10.31.80.08" OR
sourceAddress="10.5.13.37" OR
sourceAddress="..." OR
sourceAddress="10.0.3.14" OR

Now we look at the number of lines in the buffer. Assuming we have, say, 13, we can join them all from the top line using the simple command “13J”. Strip off the last ” OR ” and you can paste that line right into the Logger query box.

We’ve seen that knowing how to make full use of our tools can greatly improve our speed at relatively simple tasks. Tomorrow, I’ll have an example of using Maltego to validate and extend threat intelligence, improving our scope. In the meantime, if you see ways to improve any of the above, or have other thoughts on this sort of thing, please comment below or ping me on Twitter.

→ Leave a comment

Posted in Notes

Tagged , ,

Event graphs in ArcSight

Posted on 2012-01-22 | 2 Comments

ArcSight has a reputation as a large, powerful, and expensive SIEM. And like most enterprise-class applications, it has a lot of features that don’t get very much attention simply because they get lost in the noise. Lately, I’ve experimented with event graphs. In this case, we mean graph in the discrete mathematics sense, rather than what most people use instead of the more correct term chart:

An abstract representation of a set of objects where some pairs of the objects are connected by links

I’ll use a simple (and sanitized) example of an event graph to illustrate its value. Below is a graph of a set of events. For interpretation, note that by default the red squares represent source addresses, blue circles represent event types, and white squares represent destination addresses.

Event Graph from ArcSight

As you can see, one event cluster dominates the graph. In this case, we see a user system (the largest red square, in the upper left) sending lots of a particular event type to many different destination systems. It doesn’t share any destinations with the other four sources in the graph. Mathematically, we would say that we can subdivide this into five disjoint graphs.

Clearly this source needs a closer look. In ArcSight, since that graph node represents an object in the SIEM, you can right-click and choose “Investigate > Create Channel [Attacker Address = #.#.#.#]“, for example, or run another tool via Integration Commands.

I have also seen situations where one or two external destination systems dominate the graph, which could represent anything from a popular site such as your intranet SSO to a command-and-control system for a botnet. Interpretation here matters, as you need to carefully consider the meaning of the node and link types. This tool works best on larger sets of data that you can’t simply eyeball. While other techniques exist to analyze these data, this particular tool appeals to our innate visual pattern recognition abilities. This means less time explaining your results to your end audience (e.g. executives or lawyers) and more time doing real work.

→ 2 Comments

Posted in Notes

Tagged , ,

Chroming up the facts: SIEM and IR presentation

Posted on 2011-12-28 | Leave a comment

Chroming it up doesn't actually make it go faster

I recently had the opportunity to watch the Trends in SIEM and Incident Response presentation from Narayan Makaram with HP (ArcSight), Anthony Di Bello with Guidance (EnCase), and Andrew Hay with The 451 Group. The topic addressed the specific nexus of my professional interests: log analysis and correlation for detecting and responding to incidents. While I’ve followed Hay on Twitter for a long time, I also have worked with both of the sponsoring
products for years.

Trends

The presentation identifies several primary organizational trends:

  • trying to close the gap between compromise, detection, and response
  • taking a proactive approach
  • emphasis on lessons learned through increased visibility
  • response automation key to address relentless threats

(I suppose “relentless” is the new “persistent”.)

Hay did a great job addressing issues, largely based on the 2011 Verizon DBIR. Less than 1% of organizations detect data breaches through log analysis, a number which frankly frightens me. We spend millions of dollars on log management for compliance, and then we don’t use them properly. Given how often logs shed light on an incident in hindsight (69%, according to the same study), we know that they contain the proper data and indications. At best, we just don’t know how to make sense of them, and at worst, we don’t even look. (Guess which I believe happens more often.)

On a similar note, around 28% of surveyed organizations use threat intelligence right now. This looks like a massive opportunity to me: sharing data, understanding indicators and how to use them appropriately, and generally climbing the incident response learning curve faster. Threat intel providers and analysts have a huge field of untapped potential awaiting – so, as Hay says, we need to be less Paul Blart – Mall Cop and more Tom Cruise – Minority report.

Di Bello (with Guidance Software) made some important points related to speed of response. He uses a traditional IR timeline, where a call to a help desk leads over several days to a low-level analyst going onsite for data gathering before eventually a senior analyst looks at the data and performs manual forensic analysis. We can’t stick with this model: automated data gathering based on solid alerting and event analysis can speed this up. It’s a great model for the future, and many organizations have started trying to lead the way in this trend. He discusses several example use cases, like suspicious network traffic or DLP alerts.

Inconsistent data

Unfortunately, I found the quality of the rest of the presentation highly variable.  Given their audience, they should take care to confirm the consistency of their data and ensure that their conclusions follow appropriately from the evidence presented. I understand the need for marketing in order for the sponsors to get value from the event, but puffery shouldn’t override the value for the listeners. That disappointed me, as I also use ArcSight heavily in my day-to-day operational analyses and like the product. I also use EnCase Enterprise, though less frequently and with much less satisfaction.

I just present two examples here, but they illustrate the issue that persisted through the entire presentation. This really detracted from the overall value, and I hope that future iterations will focus on the great value of this approach. The message matters and I would like to see it handled well.

For example, the HP speaker had a slide titled “Cybercrime Keeps Growing”. Among other well-publicized security breaches, he listed Google: “Accounts affected: Unknown” and “12.5 billion market cap lost”. This statistic makes me cry, and not for the intended reason. First, which data breach? The most public one that occurs to me would be the Aurora incident, and while that got a lot of press due to the details and geopolitical implications, I don’t believe they lost substantial investor confidence due to that. Second, given the economy of the last few years, attributing any market capitalization loss to this one incident ignores lots of other factors. And third, over what time period did this loss supposedly occur?

All the other listed incidents list specific costs, either financial or relating to a “processing license” revocation. With a bit of time spent on Google (ironically), I can’t find any support for that statement other than ArcSight presentations. And their mention of RBS WorldPay doesn’t seem to note that the PCI Council recertified them not long after. Also: I can’t imagine anybody who would take time out of their day for a presentation on this topic who doesn’t understand the overall risk. These sorts of slides have no value in presentations to this type of audience.

Time to respond also got some discussion, and here the Guidance representative exaggerated wildly. He claimed that EnCase Enterprise can get data from a system to confirm a compromise in seconds. In response to an audience question on this, he repeated the point. I don’t believe that this is the case except for large values of “seconds” (e.g. an hour is 3600 seconds, but that doesn’t seem to have been his intent). Even gathering metadata from memory, not to mention data on persistence mechanisms and core OS files, causes enough of a performance hit that it takes time. By itself, that’s not a knock on EnCase, but on the presentation here. That doesn’t even take into account the licensing limitations with EnCase Enterprise that greatly reduce the number of hosts from which the system can gather data simultaneously, typically in multiples of five.

These examples illustrate the feeling I had throughout, at least after Hay’s segment: not only did it consistent almost entirely of sales pitches, they didn’t even really consider the type of audience who would attend. That said, I’d welcome any corrections to my statements above. Nothing convinces an analyst like data, after all.

(Disclosure: I work for Heartland Payment Systems, also mentioned in the presentation. As always, my opinions here are my own and don’t necessarily reflect those of my employer. And I will re-emphasize that I have received no compensation or other inducements for my opinions on the products mentioned in this post.)

→ Leave a comment

Posted in Links

Tagged , , , , , ,

Threat intelligence and ArcSight CEF

Posted on 2011-12-07 | 6 Comments
PacMan Monitoring

Know and monitor your threats

At my organization, much of the threat intelligence we receive consists of one-off reports that require some manual processing. But we also receive a weekly consolidated list, which primarily consists of IP addresses, domain names, URLs, file names, and MD5 hashes in a CSV file.

While we’ve considered bringing threat intel data into our ArcSight SIEM implementation for some time, until lately we did this manually as well. This can cause lots of difficulties: staff falling behind due to the volume of other work we perform, individual variations in process, and lack of ongoing correlation. So I decided to implement a small script to make our lives easier.

Originally, I’d planned on modifying ArcOSI for this purpose. ArcOSI scrapes several open source intel feeds, runs a regex on them for IP addresses and domain names, then streams the data in ArcSight’s Common Event Format (CEF) over syslog for proccessing and correlation. As it turned out, my data have enough consistency that I didn’t need all the logic and configuration that ArcOSI provides. I ended up gutting the whole thing and writing a Python script more or less from scratch, keeping only the four lines that actually communicate with the Collector via UDP. (The csv module in Python sped this up tremendously.)

I also found that CEF actually makes this fairly easy. Basically, you just send a syslog message as follows:

CEF:Version|Device Vendor|Device Product|Device Version|Signature
ID|Name|Severity|Extension

The Name field should be fairly generic (“Port scan”, not “Port Scan from 10.1.1.1 against 10.2.2.2″). The Extension field actually consists of key-value pairs. ArcSight includes some predefined keys like src & dst (source address / destination address, and you can define additional keys plus include a detailed message. So, in my script, I emit two signatures: “Known Malicious IP Address” and “Known Malicious Domain Name”. I include some other data in the Extension fields such as the indicator’s tracking ID and the date that it appeared in our intel feed.

Now we just need to create an Active List in ArcSight ESM for these indicators and correlate appropriately. When an event comes in that correlates to one of these indicators, we’ll generate a notification (at least as a first pass). We also have an engineer building out appropriate reporting, trending, and dashboards.

Think about your own intel feeds and whether it makes sense to use ArcOSI or write your own script to parse the feeds into CEF.

→ 6 Comments

Posted in Notes

Tagged , , , , , ,

Threat intel sharing with OpenIOC

Posted on 2011-11-13 | Leave a comment

Indicator of Compromise by Kool-Aid Man

Mandiant recently announced OpenIOC, “an extensible XML schema that enables you to describe the technical characteristics that identify a known threat, an attacker’s methodology, or other evidence of compromise.” For example, you might have an IOC listing something as simple as a set of MD5 hashes and file names, or as complex as descriptors of the structure of a particular executable (PE file. The schema includes terms for network indicators as well, like URIs, IP addresses, and strings in network traffic.

Those of us who react to threats every day already know we need to get better at sharing threat intel and acting on it quickly. A number of industry and other organizations exist that help get these data out to folks who can use it, but often the intel comes in the form of a human-written. This means that systems can’t parse the data easily, and in fact the communication sometimes has significant ambiguity on it. When systems and tools can’t parse the data, not only does that introduce delays into the detection process, it also makes validation difficult. So sometimes we get notified of malware with the MD5 sum “d41d8cd98f00b204e9800998ecf8427e” (the hash of the zero or null string), or of “http://google.com?webhp&hl=en”. Both of these have happened to me in the last few months, and while that’s simple human error, allowing tools to do some basic sanity checks would help with this.

This, of course, shows up the weakness with OpenIOC: a classic chicken and egg problem. The XML files don’t serve much purpose until tools can read them, but at the moment the only tools that can read them come from Mandiant: their enterprise commercial product MIR and the free no-cost IOC Finder. (Note that, while OpenIOC is released under the Apache 2 license and therefore qualifies as ‘free software‘, the same does not hold true for IOC Finder.)

For OpenIOC to work well, we need more tools and responders to support it. That could start with truly free tools like Splunk, Sleuthkit, and Snort, but I’d like to see large commercial tools like Arcsight, EnCase, and Sourcefire incorporate it as well. This applies as much to producing IOCs as it does to consuming them, by the way: if FireEye’s malware detection and analysis tools could export an IOC, detection across the network would become much more straightforward. But Mandiant, as much as I love many of the people who work there, has sort of a NIH problem: they like to blaze new trails and do cool new stuff, but working with other vendors has always seemed to stymie them as far as I can tell. Hopefully Doug Wilson, the new point man on OpenIOC, can turn that around.

OpenIOC can solve a key problem, but we will see whether anybody actually uses it to do so.

→ Leave a comment

Posted in Notes

Tagged , , , , , , , , , , , , , , , ,