Endpoint Content

This topic discusses the changes in RSA Content based on the NetWitness Endpoint being integrated with the RSA NetWitness Platform in version 11.3.

RSA NetWitness Platform 11.3 delivers a new content pack, the Endpoint Content bundle, together with the new out-of-the-box Endpoint content described below:

Live Content Pack

In Live, select the drop-down menu for Medium, and select endpoint to search for Endpoint specific content. You can also deploy the Endpoint bundle to get all of the Endpoint content at once.

netwitness_endpoint_livesearch.png

Live Services Feedback

RSA recommends that you enable the File Reputation option, which performs the following tasks:

  • Analyzes file hash information (provided by ReversingLabs)
  • Returns meta for the file (malicious, suspicious, known, known good, unknown)
  • Malicious and suspicious files influence the risk score

Go to ADMIN > System > Live Services, and scroll down the page to see the Additional Live Services options.

netwitness_livefeedback_filereputation.png

Application Rules

Make sure the Endpoint Server is forwarding alerts to a capturing Log Decoder. For details, see the "Configuring Metadata Forwarding" topic in the NetWitness Endpoint Configuration Guide.

Once matched, the rule will alert to one of four hunting keys: boc, ioc, eoc, or analysis.file.

netwitness_endpointserver_apprules.png

Investigation Feed

The Investigation feed enriches the events with risk level and MITRE ATT&CK classification on match to an application rule. UEBA queries the meta for use in the models. Go to the INVESTIGATE > Navigate view to see the meta.

netwitness_endpoint_investigationfeed.png

File Category Lua Parser

The file category Lua parser enriches the events with file category classification:

  • Combination of standard directory path location + filename

    • Reconnaissance tool
    • Windows process
    • Scripting engine
    • Office application
  • UEBA queries the meta for use in the models

netwitness_endpoint_filecatlua.png

ESA Rules

Once you add the Endpoint Concentrator as a Data Source, and deploy the Endpoint Risk Scoring Rule Bundle, ESA begins forwarding alerts as follows:

  • Medium, High and Critical alerts are forwarded to the Risk Score Service (configurable)
  • High and Critical alerts are forwarded to Respond

netwitness_endpoint_esarules.png

netwitness_endpoint_esarules2.png

To change severity (Low, Medium, High, Critical), you need to use nw-shell. For details, see the NetWitness Shell User Guide.

Risk Scores

Risk scores are used across the RSA NetWitness Platform.

NetWitness creates risk scoring incidents for suspicious files and hosts when defined risk score thresholds are crossed. In the background, it calculates risk scores for each file and host from the following alerts:

  • Critical and High priority alerts from NetWitness Respond
  • Medium priority Endpoint alerts from ESA

NetWitness Respond calculates risk score using a combination of the number of distinct alerts and the severity of alerts associated with the file or host.

Risk Score: Files and Hosts

You can view global file risk scores across hosts.

netwitness_riskscore_files.png

You can also view risk scores on your hosts.

netwitness_riskscore_hosts1.png

netwitness_riskscore_hosts2.png

If you reset the risk score, you will delete all related alerts, and set the score to zero.

Risk Score: Reputation Service

Files can be blacklisted, graylisted, or whitelisted.

Blacklisting:

  • Files that are blacklisted, or that the reputation service reports as malicious or suspicious, increase the risk score
  • Application rules match with high severity:

    • Blacklisted File
    • Writes Blacklisted File
    • Runs Blacklisted File
    • Malicious File
    • Writes Malicious File
    • Runs Malicious File
  • Application rules match with medium severity:

    • Suspicious File
    • Writes Suspicious File
    • Runs Suspicious File

netwitness_status_blacklist.png

Graylisting:

  • Marking a file as graylisted will not affect the risk score
  • Application rules match with a default severity of Low, so by default they are not included in the calculation:

    • Graylisted File
    • Writes Graylisted File
    • Runs Graylisted File

Whitelisting:

  • Marking a file as whitelisted will remove the related alerts and adjust the score.
  • Some files cannot be whitelisted, such as important OS processes, scripting engines and tools commonly used during attacks.

For more details on changing file status, see the "Change File Status" topic in the NetWitness Endpoint User Guide.

Respond

Alerts are related to risk scores:

  • Each alert can have an entity mapping to a host or filename for risk score calculation
  • Only alerts of Critical, High or Medium severity are used for risk-score mapping
  • Only Critical and High alerts are visible within the Respond workflow

netwitness_riskscore_respond.png
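The following is an added example, not RSA code: a small Python model of how the rules on this page interact, written to make the behaviour of the Risk Scores, Reputation Service and Respond sections concrete. Everything it takes from the page is marked in comments: only Medium, High and Critical alerts feed the score, each alert maps to one host or file entity, the reputation-status rules default to High (blacklisted, malicious), Medium (suspicious) or Low (graylisted), whitelisting removes the related alerts and adjusts the score, a reset deletes the alerts and zeroes the score, and only High and Critical alerts surface in Respond. The severity weights and the scoring formula itself are assumptions for illustration; the page only says the score combines the number of distinct alerts with their severity.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# ASSUMED weights: the page says the score combines the number of distinct
# alerts with their severity but gives no numbers; these are illustrative.
SEVERITY_WEIGHT = {"Low": 0, "Medium": 20, "High": 50, "Critical": 100}
RISK_SCORED = {"Medium", "High", "Critical"}   # page: only these feed risk scores
RESPOND_VISIBLE = {"High", "Critical"}          # page: only these appear in Respond

# Default severities of the reputation-status rules named on the page.
STATUS_RULE_SEVERITY = {"Blacklisted": "High", "Malicious": "High",
                        "Suspicious": "Medium", "Graylisted": "Low"}


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    entity_type: str                  # "host" or "file": the alert's entity mapping
    entity: str
    filename: Optional[str] = None    # file the alert concerns, used by whitelisting


def status_rule(action: str, status: str) -> tuple[str, str]:
    """Rule name and default severity, e.g. ('Runs', 'Blacklisted') ->
    ('Runs Blacklisted File', 'High'); an empty action gives 'Blacklisted File'."""
    name = f"{action} {status} File".strip()
    return name, STATUS_RULE_SEVERITY[status]


class RiskScoreService:
    def __init__(self) -> None:
        self._alerts: dict[tuple[str, str], list[Alert]] = defaultdict(list)

    def ingest(self, alert: Alert) -> bool:
        """Accept an alert for scoring; Low alerts are dropped, as on the page."""
        if alert.severity not in RISK_SCORED:
            return False
        self._alerts[(alert.entity_type, alert.entity)].append(alert)
        return True

    def score(self, entity_type: str, entity: str) -> int:
        """ASSUMED formula: weight of the worst alert plus 10 per further
        distinct rule, capped at 100."""
        alerts = self._alerts.get((entity_type, entity), [])
        if not alerts:
            return 0
        distinct_rules = {a.rule for a in alerts}
        worst = max(SEVERITY_WEIGHT[a.severity] for a in alerts)
        return min(100, worst + 10 * (len(distinct_rules) - 1))

    def whitelist_file(self, filename: str) -> int:
        """Whitelisting removes every alert related to the file, on both the
        file entity and any host entity, so their scores adjust.
        Returns the number of alerts removed."""
        removed = 0
        for key in list(self._alerts):
            kept = [a for a in self._alerts[key] if a.filename != filename]
            removed += len(self._alerts[key]) - len(kept)
            if kept:
                self._alerts[key] = kept
            else:
                del self._alerts[key]
        return removed

    def reset(self, entity_type: str, entity: str) -> None:
        """Reset deletes all related alerts and sets the score to zero."""
        self._alerts.pop((entity_type, entity), None)

    def respond_queue(self) -> list[Alert]:
        """Only High and Critical alerts are visible in the Respond workflow."""
        return [a for alerts in self._alerts.values() for a in alerts
                if a.severity in RESPOND_VISIBLE]


def walk_through() -> dict[str, int]:
    """Constructed scenario: host WS-01 runs a blacklisted, a suspicious and a
    graylisted file. Returns the scores observed at each step."""
    svc = RiskScoreService()
    host = ("host", "WS-01")
    svc.ingest(Alert(*status_rule("Runs", "Blacklisted"), *host, "evil.exe"))
    svc.ingest(Alert(*status_rule("Runs", "Suspicious"), *host, "tool.exe"))
    svc.ingest(Alert(*status_rule("Runs", "Graylisted"), *host, "gray.exe"))  # Low: ignored
    svc.ingest(Alert(*status_rule("", "Blacklisted"), "file", "evil.exe", "evil.exe"))
    out = {"host_initial": svc.score(*host),
           "file_initial": svc.score("file", "evil.exe"),
           "respond_visible": len(svc.respond_queue())}
    svc.whitelist_file("evil.exe")            # drops both evil.exe alerts
    out["host_after_whitelist"] = svc.score(*host)
    out["file_after_whitelist"] = svc.score("file", "evil.exe")
    svc.reset(*host)                          # deletes the remaining host alert
    out["host_after_reset"] = svc.score(*host)
    return out


if __name__ == "__main__":
    for step, value in walk_through().items():
        print(f"{step}: {value}")
```

The graylisted alert never reaches the score store, which is why graylisting "will not affect the risk score" even though a rule fires for it; raising that rule's severity with nw-shell (as the ESA Rules section describes) is what would change that.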

Reports

Reports have been updated and expanded for 11.3:

  • Endpoint Scan Data Host Report
  • Endpoint Scan Data File and Process Outliers
  • Endpoint Scan Data Autorun and Scheduled Task
  • Endpoint Network Activity
  • Endpoint Machine Summary

The 11.1 and 11.2 reports have been relabeled to include the version (11.1 or 11.2) at the beginning of the report name. Similarly, the 11.3 Rules have the 11.3 label at the beginning of their name.

MITRE ATT&CK™

The MITRE ATT&CK™ Framework is useful for classifying attacker tactics and techniques. It describes adversary actions from Initial Access through Exfiltration and Command and Control, and can be used to describe which types of attacker technique can be detected.

netwitness_mitre_enterprise.png

MITRE's ATT&CK™ Navigator is a web application to visualize all three ATT&CK matrices:

ATT&CK Navigator stores its information in JSON files; each file is a layer containing multiple techniques and can be opened in the Navigator web interface. The JSON content is in STIX 2.0 format and can be fetched from a TAXII 2.0 server of your choice; for example, ATT&CK content can be fetched from MITRE's TAXII 2.0 server through its API.

netwitness_mitre_navigator.png

Application rules have been tagged according to this framework, and they can be viewed within INVESTIGATE > Navigate meta keys:

  • Investigation Category = Tactic
  • Investigation Context = Technique
  • Used within the UEBA models

netwitness_mitre_application.png
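As an added example (not RSA's or MITRE's code) tying the two preceding passages together, the Python below reads technique IDs and tactics out of a STIX 2.0 bundle in the shape MITRE's TAXII server returns, then turns a set of tagged application rules (Investigation Category = tactic, Investigation Context = technique) into a Navigator layer file that scores each technique by how many rules cover it. The STIX excerpt and the rule list are constructed sample input: T1059 and T1003 are real ATT&CK technique IDs, the STIX object UUIDs and rule names are placeholders, and T0000 is an intentionally invalid tag so the rejection path is exercised. The `versions` values are an assumption and should be set to match your Navigator build; fetching the bundle over TAXII is not shown, the bundle is embedded so the code runs offline.

```python
from __future__ import annotations

import json
from collections import defaultdict

# Constructed STIX 2.0 excerpt in the shape of MITRE's attack-pattern objects.
# Technique IDs and names are real ATT&CK entries; the UUIDs are placeholders.
STIX_SAMPLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000001",
         "name": "Command and Scripting Interpreter",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "execution"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        {"type": "attack-pattern",
         "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "name": "OS Credential Dumping",
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}],
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
    ],
}

# Constructed application-rule tags as the Investigation feed exposes them.
# Rule names are hypothetical; T0000 is a deliberately invalid technique ID.
TAGGED_RULES = [
    {"rule": "example_encoded_powershell", "tactic": "execution", "technique": "T1059"},
    {"rule": "example_script_from_temp", "tactic": "execution", "technique": "T1059"},
    {"rule": "example_credential_dump_tool", "tactic": "credential-access", "technique": "T1003"},
    {"rule": "example_mistagged_rule", "tactic": "execution", "technique": "T0000"},
]


def technique_index(bundle: dict) -> dict[str, dict]:
    """Map ATT&CK technique ID -> {name, tactics} from a STIX 2.0 bundle,
    skipping revoked or deprecated attack-pattern objects."""
    index: dict[str, dict] = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        tactics = [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                   if p.get("kill_chain_name") == "mitre-attack"]
        for ref in obj.get("external_references", []):
            ext_id = ref.get("external_id", "")
            if ref.get("source_name") == "mitre-attack" and ext_id.startswith("T"):
                index[ext_id] = {"name": obj.get("name", ""), "tactics": tactics}
    return index


def build_layer(rules: list[dict], index: dict[str, dict],
                name: str = "NetWitness Endpoint rule coverage") -> tuple[dict, list]:
    """Build a Navigator layer whose score per technique is the number of
    tagged rules. Returns (layer, rejected); rejected lists (technique, tactic)
    tags that do not exist in the STIX index, so mistagged rules are surfaced
    instead of silently producing an unrenderable layer."""
    grouped: dict[tuple[str, str], list[str]] = defaultdict(list)
    for r in rules:
        grouped[(r["technique"], r["tactic"])].append(r["rule"])
    techniques, rejected = [], []
    for (tid, tactic), names in sorted(grouped.items()):
        if tid not in index or tactic not in index[tid]["tactics"]:
            rejected.append((tid, tactic))
            continue
        techniques.append({"techniqueID": tid, "tactic": tactic, "score": len(names),
                           "comment": "; ".join(sorted(names)), "enabled": True})
    max_score = max((t["score"] for t in techniques), default=0)
    layer = {
        "name": name,
        # ASSUMED: set these to the versions your Navigator deployment expects.
        "versions": {"attack": "13", "navigator": "4.8.2", "layer": "4.4"},
        "domain": "enterprise-attack",
        "description": "Techniques covered by tagged Endpoint application rules",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": max_score},
    }
    return layer, rejected


def layer_json(layer: dict) -> str:
    """Serialise the layer for opening in the Navigator web interface."""
    return json.dumps(layer, indent=2)


if __name__ == "__main__":
    built, bad = build_layer(TAGGED_RULES, technique_index(STIX_SAMPLE))
    print(layer_json(built))
    print("rejected tags:", bad)
```

Keying the layer entries by (technique, tactic) matters because a technique that appears under several tactics is a separate cell in each matrix column, and a rule tagged with a tactic the technique does not belong to is reported rather than drawn.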

Custom Endpoint Content

The process for adding custom Endpoint content is as follows:

  1. Add the app rule on the Log Decoder
  2. Create a custom feed to add risk level and MITRE ATT&CK tags
  3. Add the rule to ESA Endpoint Risk Scoring Rule Bundle
  4. Extend the Risk Score configuration

For a detailed walkthrough of how to create a custom Endpoint ESA alert that can be consumed for risk score calculation of hosts and files, see the following blog post on RSA Link: Custom Endpoint Content for Risk Scoring in version 11.3.