Walkthrough of an Attack and Protection with the McAfee ESM

Version 2

    Introduction

     


We're going to walk through a typical attack on an environment protected by McAfee Enterprise Security Manager (ESM). We will see the McAfee ESM detect the attack, identify what is under attack, and use that information to launch security scans and enforce lockdown policies that secure the environment immediately. We will then add this new piece of intelligence to a watchlist so that any future communication with this source is flagged and can be acted on. While following the attack, keep in mind that the correlation rules and dashboards used here are part of a downloadable content pack, so much of this demo is easy to set up.


     

    The Attack

     

Imagine that one day we receive an alarm in the McAfee ESM. This alarm is part of the Firewall content pack and can be installed automatically on your McAfee ESM. It signifies that one of your High Value Hosts has opened a successful FTP connection to a server outside of your organization. You find it odd, but you can dig deeper with just a few clicks.

     

    01.png

     

You can instantly identify the event associated with this alarm and pull out the data you need to investigate the incident: the IP addresses involved, the protocol, and when the event was created.

     

    02.png

     

That is odd: when we look at the geolocation information for the event, we see that the destination of the FTP communication was an unknown server in China. This definitely requires additional attention.

     

    03.png

     

Our next step is to find out more about the destination server. We switch to the Firewall View and filter on the destination IP address so that only the events we are interested in are shown. Here we can drill down into the details of the events associated with this address and, as we review them, also examine the packet data forwarded by the firewall that first identified the communication. We can also check the address against McAfee Global Threat Intelligence (GTI) to see its threat status: the Threat Details are available directly from the IP address details, and they show that this address has been identified as a malware server. That our server is sending it files over FTP should concern us a great deal. WHOIS lookup information is available from the same place.

     

    04.png

     

Since we're concerned that data exfiltration may be occurring from that host, we can immediately enable countermeasures on it through McAfee ePO tagging. Multiple tags can be assigned in a single action. I'm going to assign the Enable Hardened Firewall tag, which blocks all inbound and outbound ports on that computer other than the management ports, and the Run Full Scan tag, which runs a full malware scan of the system. The scan will take a while, but its results will be sent back to the McAfee ESM when it completes.

     

    05.png

     

Now that we've identified this address as malicious, we can add it to a Malicious IP Addresses watchlist to monitor it in the future. Any further communication with this address, from any host, will then be identified and we can be notified automatically. We would also want to reimage the system to ensure that any remnants of the malware are removed, rather than relying on the scan alone.
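As an added example (not part of the original walkthrough, the Firewall content pack, or any McAfee code), here are the two pieces of detection logic used above, the "High Value Host opened an outbound FTP connection" correlation and the malicious-IP watchlist, written as plain Python and run over a few constructed firewall log lines. The key=value log format, the internal address ranges, the high value host inventory, and every address and timestamp are assumptions made for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed sample firewall log lines in a simplified key=value format.
# The format and all addresses are assumptions for this example, not real
# data and not the layout of actual McAfee firewall content pack events.
SAMPLE_LOGS = """\
ts=2014-03-03T09:12:01Z action=allow src=10.1.5.20 dst=10.1.5.7 dport=21 proto=tcp
ts=2014-03-03T09:13:44Z action=allow src=10.1.5.20 dst=203.0.113.45 dport=21 proto=tcp
ts=2014-03-03T09:13:50Z action=allow src=10.1.5.20 dst=203.0.113.45 dport=20 proto=tcp
ts=2014-03-03T09:14:10Z action=allow src=10.1.9.33 dst=198.51.100.8 dport=21 proto=tcp
ts=2014-03-03T09:15:02Z action=deny src=10.1.5.20 dst=203.0.113.45 dport=21 proto=tcp
ts=2014-03-03T09:20:00Z action=allow src=10.1.7.4 dst=203.0.113.45 dport=443 proto=tcp
"""

# Assumed definition of "inside the organization": RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed asset inventory entry for the High Value Hosts group.
HIGH_VALUE_HOSTS: Set[str] = {"10.1.5.20"}
FTP_CONTROL_PORT = 21


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def parse_logs(text: str) -> List[Dict[str, str]]:
    """Parse every non-empty line of the log text."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the organization's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_ftp_alerts(events: Iterable[Dict[str, str]],
                        high_value_hosts: Set[str] = HIGH_VALUE_HOSTS
                        ) -> List[Dict[str, str]]:
    """Correlation rule: a High Value Host opened a successful (allowed) FTP
    control connection to an address outside the organization. Denied
    attempts, internal destinations and the port-20 data channel do not fire."""
    alerts = []
    for e in events:
        if (e.get("action") == "allow"
                and e.get("src") in high_value_hosts
                and e.get("dport") == str(FTP_CONTROL_PORT)
                and not is_internal(e["dst"])):
            alerts.append({"ts": e["ts"], "src": e["src"], "dst": e["dst"]})
    return alerts


def watchlist_hits(events: Iterable[Dict[str, str]],
                   watchlist: Set[str]) -> List[Dict[str, str]]:
    """Watchlist rule: any event, allowed or denied, on any port, whose source
    or destination is on the malicious-IP watchlist."""
    return [e for e in events
            if e.get("src") in watchlist or e.get("dst") in watchlist]


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    alerts = outbound_ftp_alerts(events)
    for a in alerts:
        print("ALERT  High Value Host %(src)s -> external FTP server %(dst)s at %(ts)s" % a)
    # After the investigation the destination is added to the watchlist; from
    # then on traffic from any host to that address is surfaced, including
    # the denied retry and the unrelated HTTPS connection from another host.
    watchlist = {a["dst"] for a in alerts}
    for h in watchlist_hits(events, watchlist):
        print("WATCH  %(ts)s %(action)s %(src)s -> %(dst)s:%(dport)s" % h)
```

Run over the constructed lines, the correlation fires once (the allowed port-21 connection from 10.1.5.20 to 203.0.113.45); the watchlist pass then surfaces four events involving that address, which is the behaviour the Malicious IP Addresses watchlist is meant to give you on the real system: the denied retry and the later HTTPS connection from a different host would otherwise never have been tied to this incident.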

     

    06.png

     

So there we have it. From initial detection to removing the malware from the environment, we can see how simple it is to put together the information needed to remediate an intrusion.