NetWitness Community

RSAAdmin · ‎2012-09-06

Informer is the best way to automate queries to look for things that concern you. And the things that concern you are also known as use cases. Here is a list of 25 or so use cases that every organization should implement.

Uncontrolled Overt Encrypted Channels

Ssh outbound to organizations
SSH outbound to home computers
SSL to gmail, yahoo, other webmail
SSL to dropboxes
SSL to backup storage sites

Unknown Covert Encrypted Channels

Unusual ssl to foreign countries
SSL to threat sources
SSL over unusual ports
Icmp tunnels
Tor usage

Filesharing

Bittorrent/gnutella
Ftp to warez/drop box sites

Passive Vulnerability Awareness

Out of date OS
Out of date Browsers
Bad java versions
Bad flash versions

Other:

Security tools download
Clear text passwords
Confidential keyword detection (DLP)
Snort integration
Top subjects in email to detect phishing
Protocol anamolies
Exfiltration via photography
Tuning Reports
Analysis of Service Type Other
Custom Feed Integration
Bandwidth monitoring to partners
Email attachment visualization

If you'd like to know how to integrate any of these and are stuck trying to configure your own Informer box, let us know. And feel free to share some of your own use cases!

RSAAdmin · ‎2012-09-12

Any chance you could share your Informer rules for these use cases?

TIA,

Ray

RSAAdmin · ‎2012-09-12

Unfortunately, there is no one-size-fits-all informer content for these as each requires analysis and customization for each organization. In addition, filtering of known good activity also needs to occur prior to identifying the bad traffic.

For instance- an easy one. Outdated browsers. Your policy states only IE8 and above is used outbound to the Internet. You can't simply look for browsers- you also have to eliminate directionality. You can look at browsers outbound by looking for browsers where org.dst exists (this eliminates RFC1918 addresses automatically) and org.dst != "yourorg.dst" That yourorg.dst must be customized.

A harder one would be unusual SSL to foreign countries. You have to be knowlegeable to know what is authorized first, and eliminate those countries or destination domains from the query, either by filtering or applying a list in Informer. Again, research, analysis and customization is required.

The good news is that each use case can be fulfilled one at a time, the content creator gets really adept at analysis, and unusual traffic gets identified pretty quickly. And the use cases can be fulfilled usually in less than two hours each with careful analysis and investigation.

RSAAdmin · ‎2012-09-12

Gotcha... I agree , SSL will be tough one! Appreciate your quick input.

-Ray

Anonymous · ‎2012-09-19

Below is a sample format we use to document use cases for customers. It would be useful to have a common format for sharing this information. In regards to Fielder excellent post, he could still list 90% of the content for the 25 sample use cases and comment as required. This would help a lot of customers that have less NetWitness experience or have had staff transition events.

Rule Name:	JVM Download of EXE
Purpose:	Alert on a download of an executable by a Java client. This is a tactic of many exploit kits and is highly correlated with malicious activity when combined with simple false
Risk on Alert:	HIGH
False Positives Reduction:	Whitelist (or exclude) the following oracle.com sun.com internal IP addresses country.dst does not exist
Select	sessionid, time, ip.src, ip.dst, alias.host, filename, client
Where	filetype = 'windows executable' && client contains 'java'
Then
Other comments:	Tune this alert based on false positives to exclude websites that trigger alert. In several circumstances we have seen filenames with jpg to disguise the executable. NetWitness should correctly identify the file as an executable.

- Rob

RSAAdmin · ‎2012-09-28

Hi Rob,

This is excellent , could you share more such rules that are used by customers ?

Are these rule sets posted to live ?

-Sunila

NetWitness Community

25 or so Starter Use Cases for Monitoring