Enriching and Automating Fraud Response with HP ArcSight ESM

Ron Stamper, Regions Financial, Cybersecurity Engineer
Josh Larkins, Malcovery Security, Sr Threat Intel Analyst

Session TB3022, 9 September 2014



  • Table of Contents

    › Introduction to PCAPs
    › Use Case: Phishing
    › Use Case: Fraud Detection
    › Use Case: Internal Malware Response
    › Use Case: TippingPoint Quarantines
    › Bonus Ideas

    9/9/2014 2

  • PCAPs: Huh?


  • PCAPs: Packets are not complicated

    › At the raw text level they contain a lot of useful information (hostnames, URLs, referrers, form fields) that is easy to extract and manipulate and can be fed into almost any downstream system; the limit is your imagination.

    › ASCII is your friend!


  • PCAPs: Are your friend


  • PCAPs: Use the proper TCPDUMP syntax

    › tcpdump -r <file> -Anns0 | less
    › -r read a file
    › -A Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.
    › -nn Don't convert host addresses, protocol, or port numbers etc. to names. This avoids DNS lookups.
    › -s0 Sets the snaplength to the maximum (kept for backwards compatibility with older versions of tcpdump). It matters at capture time: a saved file already has whatever snaplength was used when it was captured, so truncated packets cannot be recovered by reading the file with -s0.
    › tcpdump -r <file> -Anns0 host <ip> | less
    › tcpdump -r <file> -Anns0 src host <ip> | less


  • PCAPs: Can be read like a book


  • PCAPs: Lots of information can be had


  • PCAPs: Binding Perl Wireshark sessions


  • PCAPs: Perl script black magic


  • PCAPs: Using PIPE to stdoutput


  • PCAPs: TShark command


  • PCAPs: Regex match the text


  • PCAPs: Populating a database


  • PCAPs: Create a CEF message


  • Use case: Phishing

    › Send referrer URLs to the SmartConnector
    › Send the requested URL in addition to the referrer URL
    › Use customString, not requestUrl
    › Extract at least the FQDN into a customString; this can be done by pre-processing to send CEF or by implementing a FlexConnector
    › Extracting the second-level domain into the ArcSight event is better for whitelisting than the FQDN
    › Note any files being requested from your site by external referrers
    › Build a rule to notify your internal/external phishing team based on external requests to these resources
    › Adding new phish to an ActiveList is a simple way to know both the first and the most recent time a phish was seen
    › Advanced mode: use additional heuristics, such as content retrieval or automated processing by an external partner
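The pipeline the PCAP slides sketch (tcpdump or TShark output, a regex over the ASCII, a CEF message) and the first bullets of the phishing use case, carried through as one added example in Python. This is not the presenters' Perl/TShark code: it parses a libpcap file directly with the standard library, so it runs without Wireshark. The sample capture, the hostnames (.test and .example are reserved names), the CEF vendor/product strings and the customString labels are all constructed for the example.

```python
# Added example, not the talk's Perl/TShark code: read a libpcap file, regex the
# HTTP request out of each TCP payload (the "ASCII is your friend" step), and build a
# CEF event with the referer FQDN and second-level domain in customString fields, as
# the phishing use case asks. Standard library only; the sample capture is constructed.
import re
import struct

HTTP_RE = re.compile(rb"^(GET|POST|HEAD)\s+(\S+)\s+HTTP/1\.[01]\r\n((?:[^\r\n]+\r\n)*)")
HDR_RE = re.compile(rb"^([A-Za-z0-9-]+):[ \t]*(.*?)\r$", re.M)
URL_HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", re.I)


def packets(pcap):
    """Yield raw frames from a classic libpcap file (either byte order)."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None:
        raise ValueError("not a libpcap capture")
    off = 24  # global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        yield pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tcp_payload(frame):
    """Decode Ethernet/IPv4/TCP (no VLAN tags); None when the frame is not TCP over IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
        return None
    tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip IP header using IHL
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    dotted = lambda b: ".".join(str(x) for x in b)
    return dotted(frame[26:30]), dotted(frame[30:34]), sport, dport, tcp[(tcp[12] >> 4) * 4:]


def fqdn(url):
    """Lower-cased host of an absolute URL, or '' when there is none."""
    m = URL_HOST_RE.match(url)
    return m.group(1).lower() if m else ""


def second_level_domain(host):
    """Last two labels; an approximation, a public-suffix list is needed for co.uk etc."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 1 else host


def http_requests(pcap):
    """One dict per HTTP request found at the start of a TCP payload."""
    for frame in packets(pcap):
        decoded = tcp_payload(frame)
        m = HTTP_RE.match(decoded[4]) if decoded else None
        if not m:
            continue
        headers = {k.decode().lower(): v.decode("latin-1") for k, v in HDR_RE.findall(m.group(3))}
        yield {"src": decoded[0], "dst": decoded[1], "spt": decoded[2], "dpt": decoded[3],
               "method": m.group(1).decode(), "path": m.group(2).decode("latin-1"),
               "host": headers.get("host", ""), "referer": headers.get("referer", "")}


def cef_escape(value, header=False):
    """CEF escaping: '|' and '\\' in header fields, '=' and '\\' in extension values."""
    value = str(value).replace("\\", "\\\\").replace("\r", " ").replace("\n", " ")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def to_cef(req):
    """CEF:0 line; cs1 = referer FQDN, cs2 = its second-level domain (for whitelisting)."""
    ref = fqdn(req["referer"])
    ext = {"src": req["src"], "dst": req["dst"], "spt": req["spt"], "dpt": req["dpt"],
           "requestMethod": req["method"], "dhost": req["host"], "request": req["path"],
           "cs1Label": "referrerFQDN", "cs1": ref, "cs2Label": "referrerSLD", "cs2": second_level_domain(ref)}
    head = ["CEF:0", "Example", "PcapHttp", "1.0", "http-request", "HTTP request with referer", "3"]
    return "|".join(cef_escape(h, True) for h in head) + "|" + " ".join(f"{k}={cef_escape(v)}" for k, v in ext.items())


def build_frame(src, dst, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums left zero; fine for offline parsing)."""
    ip4 = lambda a: bytes(int(o) for o in a.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0, ip4(src), ip4(dst))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Little-endian libpcap container, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: a GET for an image on the bank's site, referred from a look-alike host.
SAMPLE_PCAP = build_pcap([build_frame("203.0.113.7", "192.0.2.10", 51234, 80,
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example-bank.test\r\n"
    b"Referer: http://Login.Example-Bank.Test.Phish.Example/secure/\r\n\r\n")])

if __name__ == "__main__":
    for request in http_requests(SAMPLE_PCAP):
        print(to_cef(request))
```

The second-level domain goes into its own customString because that is the value the whitelist rule compares against; the full FQDN is kept beside it for the analyst. The escaping in `cef_escape` is the part people skip: a referer containing `=` or `|` would otherwise split the event the connector sees.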


  • Use case: Phishing


  • Use case: Fraud detection with PCAPs

    › First-stage rule triggers on an IDS event and calls an external bash script
    › The bash script uses lynx to POST data to an external system for processing
    › The external system performs actions:
      › Lookup in a local database
      › Retrieve information from the raw PCAP
    › It returns a CEF event with most or all of the first_stage event, plus enrichment data in customString and customNumber fields
    › Second-stage rules handle this second_stage event. Could be multiple rules or just one, depending on the use case
    › What if the second_stage event never arrives?
      › In the first_stage rule, add the eventId to a fields-based ActiveList with a low TTL (5 minutes)
      › Pass the eventId to the external system
      › The external system returns the first_stage eventId as part of the second_stage event, as a customNumber
      › In any rule that handles second_stage events, remove the eventId from the above ActiveList
      › If any entry expires from the ActiveList (deviceEventClassId=activelist:104), send a notification
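The first_stage / second_stage hand-off above, including the watchdog for the case where the enrichment never comes back, as an added Python example. It is not ArcSight rule content from the talk: the ActiveList becomes a dictionary keyed by eventId, the 5-minute TTL and the customNumber1 field follow the slide, and the class, its method names and the injectable clock are assumptions made so the timeout can be exercised deterministically.

```python
# Added example (not ArcSight rule content from the talk): the first_stage /
# second_stage hand-off as plain Python, with the low-TTL ActiveList watchdog the
# slide describes. customNumber1 and the 5-minute TTL come from the slide; the class,
# its method names and the injectable clock are assumptions.
import time

PENDING_TTL = 5 * 60  # seconds: the "low TTL" on the fields-based ActiveList


class TwoStageCorrelator:
    """Keeps first_stage eventIds until the enriched second_stage event comes back."""

    def __init__(self, ttl=PENDING_TTL, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self.pending = {}        # eventId -> (deadline, first_stage event)
        self.handled = []        # (first_stage event or None, second_stage event)
        self.notifications = []  # (reason, eventId)

    def first_stage(self, event):
        """Rule 1: record the eventId with a TTL; returns what the bash script is handed."""
        self.pending[event["eventId"]] = (self.clock() + self.ttl, event)
        return {"eventId": event["eventId"], "src": event["src"]}

    def second_stage(self, event):
        """Rule 2: match on customNumber1 and clear the ActiveList entry. True if matched."""
        original = self.pending.pop(event["customNumber1"], None)
        if original is None:
            # Enrichment arrived after expiry, or for an id we never sent: handle it, but flag it.
            self.notifications.append(("unmatched_second_stage", event["customNumber1"]))
            self.handled.append((None, event))
            return False
        self.handled.append((original[1], event))
        return True

    def expire(self):
        """The activelist:104 path: entries past their deadline leave the list and alert."""
        now = self.clock()
        expired = [eid for eid, (deadline, _) in self.pending.items() if deadline <= now]
        for eid in expired:
            del self.pending[eid]
            self.notifications.append(("no_second_stage", eid))
        return expired


class FakeClock:
    """Constructed clock so the TTL can be advanced deterministically."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def run_scenario(ttl=PENDING_TTL):
    """Two first_stage events: one enriched in time, one whose enrichment never returns."""
    clock = FakeClock()
    c = TwoStageCorrelator(ttl=ttl, clock=clock)
    c.first_stage({"eventId": 1001, "src": "203.0.113.7", "name": "IDS hit"})
    c.first_stage({"eventId": 1002, "src": "198.51.100.9", "name": "IDS hit"})
    clock.now += 30
    c.second_stage({"customNumber1": 1001, "cs1": "enrichment from pcap"})
    clock.now += ttl  # 1002 is now past its deadline
    c.expire()
    return c


if __name__ == "__main__":
    print(run_scenario().notifications)
```

The point of the expiry notification is that a silent failure of the enrichment path (script error, external system down, lynx timing out) would otherwise look exactly like "no fraud"; the low TTL turns that into something the SOC sees within minutes. The late-arrival branch is worth keeping too: an enriched event whose eventId has already expired should still be handled, but tagged, so the gap is visible.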


  • Use case: Fraud detection with PCAPs


  • Use case: Internal malware response

    › In a single rule, select the external IP based on the originator field using a Local Variable with a conditional statement

    › Using another custom variable with a conditional statement, use ArcSight’s geo-coding to set the variable to a small integer for an IP within your geographic footprint or a large integer for an IP outside your geographic footprint

    › Issue a ban against that IP via external script and notify your SOC to investigate further


  • Use case: Internal malware response


  • Use case: TippingPoint quarantines

    › TippingPoint has an API and ArcSight can call external scripts
    › For any rule that requires an IP to be banned, call an external script, passing the IP as an argument
    › The script uses cURL to issue a POST to the TippingPoint API
    › Because that argument comes straight from event data, have the script check that it is a single IP address and refuse addresses in your own infrastructure ranges before it quarantines anything
    › TippingPoint will issue a quarantine, which is different from its regular blocks. Quarantine events are not sent in TippingPoint's standard syslog feed; they are enabled from a separate menu
    › To parse the quarantine events, name the FlexConnector file tippingpointwebapi.subagent.sdkrfilereader.properties and place it in /user/agent/flexagent/syslog/


  • Use case: TippingPoint quarantines


  • Use case: TippingPoint quarantines

    do.unparsed.events=true
    regex=([^\\\=]+)\=(\\d+)\\s+HOSTID\=(\\d+)\\s+IP\=(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})\\s+MAC\=([^\\s]+)\\s+Filter\=([^\\s]+)\\s+Switch\=([^\\s]+)\\s+Port\=(.*)
    token.count=8
    token[0].name=Message
    token[0].type=String
    token[1].name=ID
    token[1].type=String
    token[2].name=HOSTID
    token[2].type=String
    token[3].name=HOSTIP
    token[3].type=IPAddress
    token[4].name=MAC
    token[4].type=String
    token[5].name=FILTER
    token[5].type=String
    token[6].name=SWITCH
    token[6].type=String
    token[7].name=PORT
    token[7].type=String
    event.sourceHostName=HOSTID
    event.name=__stringConstant("TippingPoint Quarantine")
    event.deviceAction=__stringConstant("Quarantine")
    event.deviceCustomString1Label=__stringConstant("Switch")
    event.sourceAddress=HOSTIP
    event.message=Message
    event.sourceMacAddress=__oneOfMac(MAC)
    event.deviceVendor=__stringConstant("TippingPoint")
    event.deviceCustomString2Label=__stringConstant("Port")
    event.deviceEventClassId=FILTER
    event.deviceCustomString1=SWITCH
    event.deviceCustomString2=PORT
    event.deviceProduct=__stringConstant("UnityOne")
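The same regex and token-to-field mapping as an added Python example, not the presenters' connector, with the properties-file escaping (`\\` and `\=`) undone so it can be tried against a line before the FlexConnector is deployed. The quarantine line is constructed, because the deck shows no sample, and the code assumes the syslog header has already been stripped before the regex is applied, as the syslog subagent does; `one_of_mac` stands in for ArcSight's `__oneOfMac` and is an assumption about that function's behaviour.

```python
# Added example (not the talk's connector): the slide's FlexConnector regex with the
# properties-file escaping undone, applied to a constructed quarantine line, plus the
# token -> event-field mapping from the same properties. Assumes the syslog header
# has already been stripped, as the syslog subagent does before matching.
import re

QUARANTINE_RE = re.compile(
    r"([^=]+)=(\d+)\s+HOSTID=(\d+)\s+IP=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
    r"\s+MAC=(\S+)\s+Filter=(\S+)\s+Switch=(\S+)\s+Port=(.*)"
)
TOKENS = ["Message", "ID", "HOSTID", "HOSTIP", "MAC", "FILTER", "SWITCH", "PORT"]
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def one_of_mac(value):
    """Stand-in for __oneOfMac (assumption): a normalised MAC, or None if it is not one."""
    return value.replace("-", ":").upper() if MAC_RE.match(value) else None


def parse_quarantine(line):
    """Map a quarantine line to the event fields the properties file sets; None if unparsed."""
    m = QUARANTINE_RE.match(line)
    if not m:
        return None  # with do.unparsed.events=true the connector still forwards it, unparsed
    t = dict(zip(TOKENS, m.groups()))
    return {
        "deviceVendor": "TippingPoint",
        "deviceProduct": "UnityOne",
        "name": "TippingPoint Quarantine",
        "deviceAction": "Quarantine",
        "deviceEventClassId": t["FILTER"],
        "sourceHostName": t["HOSTID"],       # numeric HOSTID, as the slide maps it
        "sourceAddress": t["HOSTIP"],
        "sourceMacAddress": one_of_mac(t["MAC"]),
        "message": t["Message"],
        "deviceCustomString1Label": "Switch", "deviceCustomString1": t["SWITCH"],
        "deviceCustomString2Label": "Port", "deviceCustomString2": t["PORT"],
    }


# Constructed sample line (the deck shows none); field order follows the regex.
SAMPLE = ("Quarantine=1001 HOSTID=17 IP=10.20.30.40 MAC=00:1a:2b:3c:4d:5e "
          "Filter=2245:Trojan Switch=sw-edge-03 Port=GigabitEthernet1/0/12")

if __name__ == "__main__":
    print(parse_quarantine(SAMPLE))
```

Two things the mapping shows as written on the slide: token[1] (ID) is captured but never assigned to an event field, and sourceHostName receives the numeric HOSTID rather than a hostname. Both are faithful to the properties above; whether they are what you want is a question for the deployment.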


  • Bonus ideas: Ok, what else?

    › You are limited only by your imagination!
    › Create customer database information
    › Create transaction information, such as wires and any money transfers
    › Easily record and send all files being sent or received by external or internal users
    › Anything in packet data!
    › Caveat: what you extract this way (customer identifiers, transaction details, file contents) is sensitive data in its own right; restrict who can read the resulting ESM fields and database and keep it only as long as the fraud case needs


  • Bonus ideas: Remember this guy?


  • Bonus ideas: Customer login regex


  • Bonus ideas: Sample interface for database


  • Bonus ideas: Populate incident database


  • Bonus ideas: Clicking on USE NPULSE button


  • Bonus ideas: Foreign wires


  • Bonus ideas: Foreign events


  • Bonus ideas: ActiveList correlation


  • Questions

    › Ron Stamper – [email protected]
    › Josh Larkins – [email protected]


  • © Copyright 2014 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

    Session TB3022, speakers Ron Stamper and Josh Larkins

    Thank you