Many cyber threats have already been identified, and RSA NetWitness has been actively delivering content related to these identified threats. The content required to hunt these threats are in the form of different resource types such as feeds, parsers, application rules and so on.
The RSA NetWitness Known Threats Pack enables analysts to deploy all the content required to identify and hunt known threats efficiently. The Known Threats pack contains a set of content specific to known identified threats such as malware, crimeware, RAT campaigns, and so on. When the pack is deployed, all the content with dependencies is automatically deployed. Analysts can then efficiently hunt previously known threats and keep track of known malicious IPs, domains and potentially compromised systems on the network.
Deployment:
You can deploy all of the items in the Known Threat Pack through Live. To deploy:
From the Security Analytics menu, click Live > Search.
In the Resource Type field, select Bundle.
Select the Known Threat Pack.
You can view the details page if you wish:
Select Deploy, then follow the steps in the wizard.
The Deployment Wizard lists the resources that are in the bundle.
Select the service or services on which to deploy the bundle.
Review your selections.
Click Deploy. Progress is shown in the dialog box, until completion.
Click Close to exit the wizard.
Threat Hunting and Investigation:
With all required content deployed to hunt known threats, analysts can now start looking for alerts, anomalous network activity and meta generated using various LUA parsers and rules. Keys to look for to start hunting and drilling down on to validate the alerts are Indicator of Compromise, Behaviors of Compromise, Enablers of Compromise, Session Analysis, Service Analysis, File Analysis and investigation meta. In depth protocol analysis which involves looking at headers user agents, host-names aliases and request codes will help further validating the alerts. More about this: Hunting guide - https://community.rsa.com/docs/DOC-62341
Investigation meta is used to provide a means to classify all logs and sessions in support of investigations and remediation. This is useful for front line analysts, because it minimizes the time dedicated to mining logs or sessions in support of their findings. More about this: https://community.rsa.com/docs/DOC-62303
Updates:
As new threats are identified, content related to those threats will be added to the Known Threats Pack. Monitoring changes periodically and deploying new content via Known Threat Pack will be help identifying and hunting latest threats in the cyber world.
Thanks to Michael Sconzo, Angela Stranahan, Raymond Carney, fcnm5cek2rdlpcoxhlzhlnen4qmoahzkjme9zra1tko=, Theresa Berardinelli, Scott Marcus and Jim Ward for their contribution.
References:
Known Threats Pack Documentation: https://community.rsa.com/docs/DOC-76524
Hunting Guide: https://community.rsa.com/docs/DOC-62341
Investigation feed Documentation: https://community.rsa.com/docs/DOC-62303
