Over the last day or so you have likely seen an uptick in attention to an emerging threat, Project Blitzkrieg. Project Blitzkrieg is a large-scale planned cyber-attack against US financial institutions, which gained new credibility due to a newly published blog post and research report from McAfee Labs: Analyzing Project Blitzkrieg.
With all the blog posts and news stories, organizations everywhere are concerned about how this operation might affect their business, regardless of their industry. Security executives are going to be asking questions:
- Will this operation affect me?
- Have I already been affected?
- How would I know?
Included in the McAfee Labs report is a great deal of specific information about this threat, which is very useful in identifying signs of it on your network. With proper threat intelligence, and a functioning SIEM with proper context, these are easy questions to answer. Let's put these items together in McAfee SIEM.
Attached to this post are a pair of text files, suitable for import as SIEM watchlists. To begin, download the BlitzkriegIPs file. To create a watchlist:
1) In the McAfee ESM UI, select System Properties, select the Watchlist tab, and click the "Add" button to create a new list.
2) Give the watchlist a name you like (e.g. "Project Blitzkrieg IPs") and use the "Import" button to bring in the text file you downloaded above.
3) Click Save, and you're done!
A watchlist like this acts as a powerful spotlight: it can immediately highlight critical events that indicate probing or compromise and would otherwise go unnoticed. Use this watchlist as a filter on your favorite dashboard, or in a scheduled report, to highlight any past communication between your internal hosts and these suspicious actors. Use it in a correlation rule, with an associated alarm, to automatically detect and alert on any suspicious communication going forward.
Speaking of correlation rules, you will notice a related shiny new one delivered by the McAfee SIEM team today: "Project Blitzkrieg - Communication with Known Command and Control Server". This rule, when enabled within the policy on your correlation engine, will automatically trigger on any events that indicate outbound communication with hosts on the above list. If your organization is in the financial industry, this rule warrants close attention. Even if you're not, it's possible for a major initiative like this to spread and deliver collateral damage outside of the original targets. Note that you don't need to create the watchlist in order to leverage the correlation rule; we've embedded the list directly in the rule.
Also included below is a list of MD5 hashes of malware files known to be associated with Project Blitzkrieg. If you have data sources in your SIEM that report file hashes, these can be useful in identifying traces of Blitzkrieg activity lurking on hosts in your network.
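As an added illustration of the matching the watchlist, the correlation rule and the hash list perform (example code written for this post, not McAfee SIEM code): the IPs, hashes, internal ranges and log lines below are constructed placeholders, not the indicators from the report.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Constructed placeholder indicators (RFC 5737 documentation ranges); the real
# BlitzkriegIPs watchlist attached to the post is NOT reproduced here.
IP_WATCHLIST = {"192.0.2.10", "203.0.113.77"}
# Constructed placeholder hash, not a real Project Blitzkrieg sample hash.
MD5_WATCHLIST = {"0123456789abcdef0123456789abcdef"}

# Assumed internal ranges, so only outbound (internal -> listed) flows match,
# mirroring the "Communication with Known Command and Control Server" intent.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed key=value style firewall and endpoint (hash-reporting) events.
SAMPLE_LOGS = [
    "2012-12-13T10:01:02 fw action=allow src=10.1.2.3 dst=192.0.2.10 dport=443",
    "2012-12-13T10:01:05 fw action=allow src=10.1.2.4 dst=198.51.100.5 dport=80",
    "2012-12-13T10:02:10 fw action=allow src=192.0.2.10 dst=10.1.2.3 dport=22",
    "2012-12-13T10:03:00 av host=10.1.2.3 file=C:\\tmp\\a.exe "
    "md5=0123456789ABCDEF0123456789ABCDEF",
]

KV = re.compile(r"(\w+)=(\S+)")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def correlate(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Alert on outbound traffic to listed IPs and on listed file hashes."""
    alerts = []
    for line in lines:
        fields = dict(KV.findall(line))
        src, dst, md5 = fields.get("src"), fields.get("dst"), fields.get("md5")
        # Inbound hits from a listed IP are deliberately not matched here.
        if src and dst and dst in IP_WATCHLIST and is_internal(src):
            alerts.append({"rule": "c2_communication", "src": src, "dst": dst})
        # Hash comparison is case-insensitive; report the host the source names.
        if md5 and md5.lower() in MD5_WATCHLIST:
            alerts.append({"rule": "known_malware_hash",
                           "host": fields.get("host", ""), "md5": md5.lower()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The third sample line (listed IP as source, internal host as destination) produces no alert, which is the outbound-only behaviour the rule describes; widen the check if your hunting also wants inbound probing surfaced.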
McAfee's threat research is a key advantage enjoyed by our SIEM customers, and this is one example where it can truly prove its value. Any SIEM can collect logs from a variety of sources, and allow analysts to hunt and peck, looking for acorns in the forest. McAfee's Threat Intelligence cuts through the noise and ensures you are able to focus on what matters most, first.