SIEM Use Case: Tracking Malware

Version 8

    1 Index

     

    2 Introduction

    In this use case we'll leverage the SIEM as a central hub for monitoring and responding to malware-infected systems.  The use case will center around a view that is tailored to provide a high-level overview of the malware situation in your enterprise, as well as more focused information around the most critical issues.  In addition to visibility, we will also build out necessary alarms and watchlists we can use to react to important events, such as the first occurrence of a new malware event, or a newly infected host.

     

    malware-dash.png

     

    3 Prerequisites

    In order to complete the Tracking Malware use case, the following items are required.  Note that this tutorial will assume you are on ESM 9.4 or better.  In particular, the alarm configuration will be very different for users with ESM v9.3 and earlier.


    3.1 Data Sources

    The views and other elements of this use case are keyed mostly to events that have been categorized by the SIEM as "Malware" events.  These events may come from a wide variety of sources, including:

      • Host-based security
      • Network IDS/IPS
      • Web proxies
      • Email security gateways
      • Advanced threat analysis tools such as malware sandboxing solutions

    All events from these types of data sources that are categorized as malware events will be incorporated into this use case.  If you have no data sources that create malware events, you will get very little value from this use case.

     

    3.2 Required Configuration

    This use case will assume you have defined zones and sub-zones within your enterprise.  For details on zones, see SIEM Foundations: Define Zones. If you have not defined zones in your environment, then the provided view will not display properly.   You may need to customize the view in order to get useful results.

     

    4 Configuration and Build out

    With the prerequisites out of the way, we can start building the use case within the McAfee ESM.  For each of the watchlists below, begin by opening opening the watchlist manager (System Properties/Watchlists) and clicking Add.

     

    4.1 Watchlists

    This use case will leverage several watchlists.

     

    Watchlist: Malware - Noteworthy Sig IDs

    This watchlist will be used as a filter in views and reports to allow administrators to focus on specific malware events that are important in your environment.

      • Watchlist Type: Static
      • Values Expire: No
      • Data Type: Signature ID.
      • Values: As a starting point, you may choose to copy and paste in the list below.  These represent pre-built McAfee correlation rules that are related to malware:

    47-4000001

    47-4000026

    47-4000086

    47-4000088

    47-4000127

    47-4000129

    47-4000131

    47-4000132

    47-4000133

    47-4000134

    47-4000136

    47-4000147

    47-4000151

    47-4000152

    47-4000166

    47-4000167

    47-6000156

     

    In addition, if you use McAfee VirusScan Enterprise as part of your endpoint security, consider adding these signature IDs as well.  They represent malware detections that were not successfully cleaned, nor blocked.

    367-1274

    367-1275

    367-1276

    367-1277

    367-1282

    367-1283

    367-1284

    367-1285

    367-1286

    367-1294

    367-1298

     

    Watchlist: Malware - Recent Sig IDs - 7 days

    With this watchlist we will keep track of malware-related signatures that have been seen in the SIEM within the last 30 days.  The list will be set up as a manual list, and will be updated with an alarm that we will configure in a later section of this document.  When new sig IDs are added to this list, we will also trigger a notification to administrators.  Signature IDs age off this list after 7 days, so you will get one notification per signature, per week, at maximum. Feel free to modify the expiration values to better meet your needs, if desired.

      • Watchlist Type: Static
      • Values Expire: Yes, 7 days
      • Data Type: Signature ID.


    Watchlist: Malware - Recent Threats - 7 days

    With this watchlist we will keep track of threat names that have been seen in the SIEM within the last 30 days.  The list will be set up as a manual list, and will be updated with an alarm that we will configure in a later section of this document.  When new threat names are added to this list, we will also trigger a notification to administrators.  Threats age off this list after 7 days, so you will get one notification per threat, per week, at maximum. Feel free to modify the expiration values to better meet your needs, if desired.

      • Watchlist Type: Static
      • Values Expire: Yes, 7 days
      • Data Type: Threat_Name.

     

    Watchlist: Malware - Recent Infected IPs - 1 day

    This watchlist will be used to keep track of IP addresses of systems that have been seen with malware infections within the last day.  The list will be set up as a manual list, and will be updated with an alarm that we will configure in a later section of this document.  When new systems are added to this list, we will also trigger a notification to administrators.  Systems will age off the list after 24 hours, so you will get one notification per system per day, at maximum.  Feel free to modify the expiration values to better meet your needs, if desired.

      • Watchlist Type: Static
      • Values Expire: Yes, 1 days
      • Data Type: IP Address

     

    4.2 Correlation Rules

    In this use case we won't create any unique correlation rules.  However, it does likely make sense to ensure that all malware-related correlation rules are incorporated into the Malware - Noteworthy Sig IDs watchlist.  The sample list above provides a good starting point; feel free to add or remove from it over time as you see fit.

     

    4.3 Alarms

    In this example we have 2 watchlists that we'd like to maintain automatically, based on the flow of events into the McAfee SIEM.  In order to accomplish this, we will set up a pair of alarms to maintain the watchlists.

      1. Open up the Alarm Manager (System Properties/Alarms) and click Add to define a new alarm.
      2. The Alarm Wizard opens.  In the Summary tab, provide a name for your alarm (suggestion: "Malware - New Infected Host detected"), and give it a severity (suggestion: 75).  You will also need to define an assignee for the alarm, and you may also choose to enter a description.  Click Next > when complete.
        malware-alarm-1.png
      3. On the Condition tab, select Field Match.
      4. Next we will build the logical conditions that will cause this alarm to trigger.  Click and drag an AND gate into the central panel
        And.png
      5. Then drag a match component into the structure of the AND gate.
        match.png
        You'll be prompted to configure the match component (aka Filter Field).  For this filter field, we will configure it to match when
        Normalization Rule is Malware.
        norm-rule.png
      6. Drag a second match component into the structure of the AND gate.  For this filter field, configure it to match when the Signature ID is on the Malware - Noteworthy Sig IDs
        watchlist.  In order to ensure this alarm does not trigger too frequently, we add this filter to ensure that we only see alarms related to the most important malware events.
        alarm-filter2.png
      7. Drag a third match component into the structure of the AND gate.  For this filter field, configure it to match when the Destination IP address is NOT on the Malware - Recent Infected IPs - 1 day
        watchlist.
        recent-ips.png
      8. When complete, your Alarm Condition tab should look roughly like this. 
        recent-ip-alarm-cond.png
        Note that we have also reduced the Maximum Trigger Frequence down to zero minutes.  This will ensure that the alarm fires for every event.  Click Next > to go to the Devices tab.
      9. On the Devices tab, select any devices in your environment that may generate malware-related events.  For best performance, it's preferred not to assign alarms to devices that won't trigger the alarm.  Be sure that your correlation engine is selected here, at a minimun.  Click Next > to go to the Actions tab.
      10. On the Actions tab, you should find that Log Event is already selected. We also need to ensure that our target IP address is appended to the Malware - Recent Infected IPs watchlist.  Select the checkbox for Update Watchlist, then press Configure.
      11. Configure this action to append the Destination IP to your Malware - Recent Infected IPs - 1 day watchlist.  Click OK to save.
        malware-update-watchlist.png
      12. Click finish to save your alarm.  You're done with the first alarm of two.
      13. Once your first alarm is completed, repeat steps 1-11 a second time, with 3 minor differences.
        • In step 2, give it a different name ("Malware - new signature ID detected")
        • In step 6, the alarm should trigger when the Signature ID is NOT on Malware - Recent Sig IDs - 7 days watchlist
        • In step 10, you will want to append the Signature ID to Malware - Recent Sig IDs - 7 days watchlist
      14. Repeat steps 1-11 a third time, with 3 minor differences. (Note: this step requires SIEM 9.4.1 or later.  Watchlists are not supported for this data type in earlier SIEM versions)
        • In step 2, give it a different name ("Malware - new threat name detected")
        • In step 6, the alarm should trigger when the Threat_Name is NOT on Malware - Recent Threats- 7 days watchlist
        • In step 10, you will want to append the Threat_Name to Malware - Recent Threats - 7 days watchlist


    4.3 Views

    Next we will import a predefined dashboard, which will serve as the basis for this use case.  Once imported, we will customize and tune it to meet our needs


    4.3.1 Import Tracking Malware dashboard

      1. Obtain a copy of the dashboard definition file: "use-case-tracking-malware-view.vpx" (attached below).  Store it in an accessible location on your workstation.
      2. In the ESM UI, Click the Manage Views 3ManageViewsIcon.png icon in the top center
      3. Select a location in the View tree where you would like to store your new view.  As a suggestion, you might create a folder for "McAfee Use Cases"
      4. In the View Manager, click Import
      5. Click Choose File and browse to the location of the "use-case-tracking-malware-view.vpx" file.
      6. Click Upload to complete the upload.

     

    4.3.2 Customize Tracking Malware dashboard

    The Tracking Malware dashboard has several elements that leverage the custom watchlist Malware - Noteworthy Sig IDs, defined above. You will need to incorporate your custom watchlist into the view in order for it to operate as intended.

    To customize the Tracking Malware dashboard:

    1. Edit the view by clicking the Edit icon in the top center.  You will enter edit mode:
      edit-view.png
    2. Click on the view panel labeled Noteworthy Malware Events by Severity.  It will be highlighted with an orange border.
    3. In the Properties panel on the right side, click the Edit Query button.  This will open the Query Wizard.
    4. In the Query Wizard, click the Filters button
    5. In the filter editor, scroll down to the field Signature ID and click the small filter funnel icon.
    6. Select your Malware - Noteworthy Sig IDs watchlist.  Click OK.
      watchlist-sig-filter.png
    7. Click OK again to dismiss the Query Wizard and see the results of your changes.
      finished-malware-view.png
    8. Save your changes by clicking the Save button in the View Editing Toolbar, and then click the yellow 'x' icon to close it and exit editing mode.
      save-malware-view.png

     

    4.4 Reports

    As a final setup step, we will import a report template and schedule a weekly report that we'll use to capture a regular view of the malware situation.

      1. Obtain a copy of the dashboard definition file: "use-case-tracking-malware-report.rpx" (attached below).  Store it in an accessible location on your workstation.
      2. Open the Reports Manager via the icon in the top-right corner, then click the Add button to define a new report.
        reports.png
      3. The Report Editor will open.  Fill in the fields as follows
        1. Report Name: Use Case - Tracking Malware - Weekly
        2. Condition: Monday at 12:00 AM
        3. Format: Report PDF
        4. File saved to ESM: checked (optionally select other delivery methods if desired)
        5. Prefix: Malware_Report_Weekly

          malware-report-delivery.png
        6. In the layout selection section, click the Import button.  Browse to the file "use-case-tracking-malware-report.rpx" and upload the report template.  Ensure the Weekly Malware Report template is selected.
        7. In the final "Filters" section, set Time Range to Previous Week.
        8. Click Save to save your new report.


    Your Weekly Malware Report is now scheduled to run weekly. If you choose, you may run it immediately via the Run Now button in the Report Manager.

    run-now.png

     

    5 Concept of Operations

    With the Tracking Malware use case fully built out, you can now begin to leverage your work to track infected systems in your environment, and respond in a prioritized manner.

     

    Monitor Tracking Malware view.

    The Tracking Malware view has been designed to provide a wide range of high-level summary information about malware in your environment.  The various panels each provide information that's useful to establish a broader picture.  It's recommended that you review this dashboard regularly, to help understand the baseline activity in your network.

     

    Respond to Alarms.

    We configured three alarms:

    • Newly infected host detected - Fires when a host is infected, at most once/day.
    • New signature ID detected - Fires when a malware event occurs that has not been seen for the last 7 days.
    • New threat detected - Fires when a threat event occurs that has not been seen for the last 7 days.

    These alarms should fire fairly infrequently, and are intended to serve as good starting points for incident response and remediation.  If you find that they are firing too frequently, consider modifying the expiration times configured in the associated watchlists.

     

    As you become comfortable with how this use case works for you, consider adding additional actions to these alarms, such as automatically opening and assigning cases to track remediation, or leveraging email notifications for critical incidents.

     

    Tune as necessary.

    Also, remember that these alarms are designed to trigger only on events that are on the Malware - Noteworthy Sig IDs watchlist.  This watchlist also drives values populated in the Tracking Malware dashboard.  You can add or remove sig IDs from this list to easily modify the sensitivity level of the alarms.  A simple way to add sig IDs to the watchlist is via the action menu available in any view element that displays event summary.

     

    For example: in the screenshot below, we see high volumes of activity associated with the Hiloti trojan.  We'd like to add this to the list of noteworthy sig IDs to better track it and support remediation. 

     

    hiloti.png

    To do so, we click on the bar representing the event type we'd like to add to the noteworthy sig IDs watchlist.  Then open the Actions menu and select Append to Watchlist. You will be presented with a list of  watchlists that are of the appropriate type.  Select Malware - Noteworthy Sig IDs and click OK to save.  From this point forward, your newly selected event will show up in the appropriate views and alarms.

     

    append-hiloti-results.png


    Distribute report

    Finally, as you become comfortable with the Tracking Malware use case, and the data that it brings to the surface, you have a regularly scheduled report that you may choose to distribute to interested parties to provide awareness of malware in your corporate environment.

     

    6 Going Further

    This use case provides a starting point to help you track malware, and infected systems, in your environment.  There are many different tactics and approaches you could add on to this use case to automate manual processes related to malware, or make the existing ones more effective.

     

    One area that is a ripe target for experimentation is in the area of correlation rules.  McAfee provides a wide range of pre-built rules designed to identify activity patterns that are closely linked to malware.  However, as malware authors adjust their tactics, so must the defender.  As you investigate incidents, look for patterns of behavior in your own environment that you can use to identify malicious behaviors early.  Be sure to categorize any new malware-related correlation rules properly (under Normalization Category: Malware) in order to ensure they are picked up properly by the views, alarms, and reports.  Please consider sharing your thoughts and customizations below.