CSN15: Using ArcSight ESM for Malicious Domain Detection. Chris Watley Information Assurance Engineer US Government

Transcription

1 CSN15: Using ArcSight ESM for Malicious Domain Detection Chris Watley Information Assurance Engineer US Government

2 Agenda Problem defined Snort versus ArcSight ESM Rule creation Active lists Variables Future possibilities Summary Contact information 2

3 Problem Defined Traditional technique for malicious domain detection are Snort-style signatures Need separate signatures for UDP and TCP Requires multiple sensors if there are multiple Internet connections Must process all packets, at least to some extent Signature syntax can be daunting ArcSight with a firewall connector can do the same thing Will work if HTTP requests are logged on firewalls Process all firewall in single location Uses active lists and rules Hash value lookups are faster than string comparisons Simply add new domain to active list to begin monitoring 3

4 Snort syntax Two signatures ArcSight Problem cont. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: arcsight.com TCP ; content: Host\: ; content: within:100; ) alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg: arcsight.com UDP ; content: 03 www 08 arcsight 03 com ; ) Single active list entry 4

5 Problem cont. Goal with ArcSight Process all HTTP requests in real time Requests have various formats Capture domain, URI content, and port Trigger rule if domain is in the active list 5

6 Procedure Create active list Create rule Define variables Define conditions Define aggregation Define actions 6

7 Create fields-based active list with key fields Fields Domain (KEY) string Description string Active List Example entries 7

8 Rule Variables Start by converting the request URL to lower case Active list lookups are case sensitive Variable: ToLower Find the index of the forward slash (/) Denotes end of domain and beginning of URI content Variable: IndexOf Will equal -1 if there is no / 8

9 Variables cont. Get substring from beginning of URL to the indexofslash variable Captures the domain Will also get the port if specified in the URL Variable: substring If End Index = -1, the end of the string is used Effect If URL is the variable will equal If URL is just the variable will equal 9

10 Variables cont. Find the index of the colon (:) Denotes the location of the port, if specified Variable: IndexOf Will equal -1 if no port is specified Get substring from beginning of URL to indexofcolon Variable: substring Effect Domain has been extracted 10

11 Finally want to retrieve domain from the active list Variables cont. Will allow us to pull in the description field when rule triggers Variable: GetActiveListValue Result 11

12 Rule Conditions Set the rule conditions to only have events from the firewalls I used device vendor Ignore ArcSight generated events Can cause loops if not done Ensure request URL has a value For InActiveList, compare domain field with the variable domain created above 12

13 Rule Aggregation and Actions Aggregate on the most important fields domain activelistdescription IP addresses Anything else you wish to see when the rule triggers For actions, enable the trigger on every event Use set event field actions so the variables carry over If variables are not set, they will all have to be recreated if you wish to use the event later 13

14 Rule Testing Visited and protect724.arcsight.com Rule triggers for any HTTP(S) request to the domains, regardless of port or URI Content protect724.arcsight.com is an SSL CONNECT 14

15 Let s Make it More Complicated The rule as it is now will trigger on any event to the domain There are some domains that only matter if a particular file (URI content) is accessed Example: Legitimate domain hacked for short period of time Attacker uploads file to the domain Exploited victim downloads file from that domain By adding a few more variables, we can start processing URI Content with the domain Also create new active list for URI content field 15

16 URI Content Variables Ensure the indexofslash is a positive value Will be used as start Index in a substring variable, so must be non-negative Variable: absolute Get substring for the URI content Start Index is the absolute value of indexofslash Variable: substring 16

17 Variables cont. Use a conditional variable to determine request URL had a URI content Must first create a filter Create an indexofslash variable In conditions, verify indexofslash is non-negative Non-negative means URL has URI content 17

18 Variables cont. Conditional variable uses a filter to determine if the event matches the filter Can specify separate values for true and false URI content conditional variable Variable: ConditionalEvaluation Filter: index of slash If true: urisubstring (URL had URI content) If false: leave blank (URL had no URI content) 18

19 Variables cont. Determine if the requested URI contains what is specified in active list Variable: IndexOf Will equal -1 if value in active list is not in requested URI Convert the index to a string value Will be used in a conditional variable Values can only be fields or strings in conditional variables Variable: ConvertNumberToString 19

20 Variables cont. Use a conditional variable to determine if the active list has a URI content specified for the domain Create a filter Create all variables that were used in the original rule before testing URI content Single condition: Verify the field is not NULL 20

21 Variables cont. Conditional variable to determine whether a URI content value was specified in the active list Variable: ConditionalEvaluation Filter: domain has URI content If true: uristring (value specified, use value from IndexOf) If false: 1 (value not specified, enter positive number so rule triggers for any URI content) 21

22 Last variable is to convert back to a number Variable: ConvertStringToInteger Variables cont. Result 22

23 Rule Add one condition to the rule conditions Verify urimatch is non-negative Rule aggregation and actions 23

24 Rule Testing Sites visited Did not trigger any events and subsites Triggered events protect724.arcsight.com Triggered events 24

25 Working rule to trigger on malicious domains Can filter down by URI content Current Situation Step up the detection by adding port into the mix Similar process to that of URI content 25

26 One Last Variable LastIndexOf Added in ArcSight ESM 4.5 Like IndexOf, but works from end of string Allows for capability to capture variability with domains We know and protect724.arcsight.com are bad What if user visits ftp.arcsight.com? Can add arcsight.com to active list and capture any third level domain Logic is complex to set up, but incredibly useful 26

27 Possibilities Automatically determine if request URL was blocked by any appliances, had a virus, etc. Compare domains from sender addresses against the lists Similar variables can strip the information to find the domain Create a script to automatically run request URL through Rex Swain HTTP Viewer, Wepawet, etc. Rule actions -> execute command Alternately add as ArcSight tool or integrated command Would not run automatically Analyst can pick and choose when to run the command 27

28 Rules can detect malicious domains in real time Can be refined by Benefits URI content Port Efficient comparison with active lists Single entry can be used in multiple rules Active lists can have tens of thousands of entries Frees up Snort for more proactive signatures Easier to teach new analysts Summary 28

29 Your Feedback Builds a Better Conference! Text to (USA & Canada) or (Non-USA) Type CLSN <space> 15 and the letter to each response SMS body example: CLSN 15ae*your comments Excellent Good Fair Poor Rate the speaker a b c d Rate the content e f g h Please provide comments: (*) enter any comments/feedback Download session replays after the conference:

30 Contact Protect 724 Username: christow Send Private Message 30