Greetings Cyber Defenders,
Update on April 28, 2020
We have also released a specific Threat Intel-based package that provides additional Threat Intel from Scan Titan and Anomali. Please see the blog post from our Senior Architect Pavan Raja for details.
Update on April 15, 2020
On top of the releases mentioned in our original blog post below, we have now released the official "CoronaVirus-related Malicious Monitoring" package for our real-time correlation platform, ArcSight ESM.
Original Post on April 5, 2020
The specific use cases suitable for real-time detection, and the MITRE ATT&CK techniques they cover, are listed below:
CoronaVirus-related Malicious Monitoring
The Coronavirus-related Malicious Monitoring package detects security threats that are related to the coronavirus.
The following use cases are included in this package:
- Coronavirus-related suspicious files executed:
  - Macro Embedded on Coronavirus Office Document
  - Suspicious Coronavirus File Executed On Host
- Coronavirus-related suspicious traffic and email, based on the intelligence data feed from MISP CIRCL:
  - Dangerous Browsing to a Suspicious Coronavirus URL
  - Email Sent to Suspicious Coronavirus Address
  - Inbound Traffic from a Coronavirus Suspicious Address
  - Inbound Traffic from a Coronavirus Suspicious Domain
  - Outbound Traffic to a Coronavirus Suspicious Address
  - Outbound Traffic to a Coronavirus Suspicious Domain
  - Received Email from Suspicious Coronavirus Address
  - Suspicious Coronavirus File Hash Activity
- Coronavirus Detected by Vendor
The following MITRE ATT&CK techniques are covered as well:
- T1048-Exfiltration Over Alternative Protocol
- T1190-Exploit Public-Facing Application
- T1192-Spearphishing Link
- T1193-Spearphishing Attachment
- T1204-User Execution
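The traffic, email and file-hash use cases above are all indicator matches against the MISP CIRCL feed. The added example below (not ArcSight, MISP or package code) shows that correlation step over a constructed indicator list and constructed normalized events; the indicator values, field names and the use-case-to-technique mapping are assumptions made for illustration, and domain indicators also match their subdomains, which exact-match rules would miss.

```python
"""Indicator matching for the MISP-fed use cases listed in the post."""

# Constructed stand-in for a MISP attribute export (not real IoCs).
MISP_FEED = {
    "domain":    {"covid19-relief-update.example"},
    "ip":        {"203.0.113.45"},
    "email-src": {"who-alerts@corona-news.example"},
    "sha256":    {"0" * 63 + "a"},
}

# (event field, indicator type) -> (use case, ATT&CK technique).
# The technique mapping is an assumption; the post lists both but does not pair them.
RULES = {
    ("dst_domain", "domain"):  ("Outbound Traffic to a Coronavirus Suspicious Domain", "T1048"),
    ("dst_ip", "ip"):          ("Outbound Traffic to a Coronavirus Suspicious Address", "T1048"),
    ("src_ip", "ip"):          ("Inbound Traffic from a Coronavirus Suspicious Address", "T1190"),
    ("url_domain", "domain"):  ("Dangerous Browsing to a Suspicious Coronavirus URL", "T1192"),
    ("sender", "email-src"):   ("Received Email from Suspicious Coronavirus Address", "T1193"),
    ("file_hash", "sha256"):   ("Suspicious Coronavirus File Hash Activity", "T1204"),
}

def indicator_hit(ind_type, value):
    """Exact, case-insensitive match; domains also match any subdomain."""
    known = MISP_FEED.get(ind_type, set())
    v = value.strip().lower()
    if ind_type == "domain":
        return any(v == d or v.endswith("." + d) for d in known)
    return v in known

def correlate(event):
    """Return every (use case, technique) pair an event triggers."""
    hits = []
    for (field, ind_type), (use_case, technique) in RULES.items():
        value = event.get(field)
        if value is not None and indicator_hit(ind_type, value):
            hits.append((use_case, technique))
    return hits

# Constructed sample events, shaped like connector-normalized log records.
SAMPLE_EVENTS = [
    {"id": 1, "src_ip": "10.0.0.8", "dst_ip": "198.51.100.7",
     "dst_domain": "cdn.covid19-relief-update.example"},
    {"id": 2, "src_ip": "203.0.113.45", "dst_ip": "10.0.0.25"},
    {"id": 3, "sender": "WHO-Alerts@corona-news.example", "file_hash": "0" * 63 + "a"},
    {"id": 4, "dst_domain": "update.example.org"},
]

def run(events=SAMPLE_EVENTS):
    """Correlate each event; returns {event id: [(use case, technique), ...]}."""
    return {e["id"]: correlate(e) for e in events}

if __name__ == "__main__":
    for eid, hits in run().items():
        for use_case, technique in hits:
            print(f"event {eid}: {use_case} [{technique}]")
```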
Original Blog Post
We hope you and your loved ones are safe and sound, in today’s corona-ridden world.
With coronavirus-themed cyber-attacks skyrocketing, we are facing one of the largest cybersecurity challenges of our time.
Opportunistic cyber criminals are seeking to take advantage of the chaos, with targeted COVID-19 attacks such as:
- Phishing scams that capitalize on victims’ fear of the virus, to deploy ransomware, etc…
- Criminals disguising themselves as WHO to steal money or sensitive information
- Web conference hijacking
- Strain on infrastructure services as numerous workers become remote
- DDoS on VPN & authentication systems
- Two-factor authentication (2FA) bypass attacks
We believe there is hope after all, if existing defensive technologies are deployed properly.
This blog post will focus on how our customers can utilize Micro Focus ArcSight to help defend against COVID-19-themed cyber-attacks.
In the spirit of ArcSight’s next-gen SOC architecture, the following high-level capabilities exist:
- Threat Intel to detect 0-day threats (using multiple indicator types, such as malicious file hashes, domain names and email addresses)
- Real-time correlation to detect and stop malicious communications from known threat actors or email campaigns
- Search and hunt queries to uncover attacks that have already taken place (before the real-time rules were implemented)
- Real-time dashboards to provide true visibility across the enterprise
- Machine Learning algorithms to identify misbehaving users, e.g. email recipients visiting a never-before-visited page, or uploading large amounts of data to a page on their first visit
We will provide links to existing content (packages, videos, etc.) and to new content as it becomes available.
Specialized ArcSight Content and Videos
- Video: Achieving True Zero-Day Protection with ArcSight, MITRE ATT&CK, and MISP CIRCL
How ArcSight, CIRCL MISP and the MITRE ATT&CK matrix can be used to provide real-time protection against ongoing COVID-19-themed attacks. CIRCL MISP’s up-to-date Threat Intel and its near-real-time integration with ArcSight ESM are the differentiator in achieving these capabilities.
- ArcSight ESM Real-Time Correlation Package 1 – Basic dashboards and rules using CIRCL MISP Threat Intel to address Coronavirus threats
- ArcSight ESM Real-Time Correlation Package 2 – CoronaVirus-related Malicious Monitoring
This second bundle of special content includes advanced dashboards and rules that use tough-to-bypass TTPs to address Coronavirus-themed threats. More information is at the top of this blog post.
- Video How-to: Using MISP Threat Intelligence with ArcSight ESM
Installation and configuration steps for ArcSight’s MISP Model Import Connector, available out-of-the-box with the ArcSight ESM correlation engine.
- Partner-Provided Free Content:
COVID-19 Security Package from SOC Prime, which provides specific ArcSight Logger search and hunt queries to find and investigate incidents that have already taken place.
- Partner-Provided Paid Content:
COVID-19 Security Package from SOC Prime from their Threat Detection Marketplace.
Partner-Provided Free Content Details
Full list of rules in SOC Prime's free package

| Rule Name | Rule Type | MITRE ATT&CK Techniques |
|---|---|---|
| VBA DLL Loaded Via Microsoft Word | Threat Hunting Sigma | Spearphishing Attachment |
| Execution in Outlook Temp Folder | Threat Hunting Sigma | Spearphishing Attachment |
| Windows Shell Spawning Suspicious Program | Threat Hunting Sigma | Scripting |
| Suspicious Double Extension | Threat Hunting Sigma | Spearphishing Attachment |
| Encoded FromBase64String | Threat Hunting Sigma | Deobfuscate/Decode Files or Information, PowerShell |
| Suspicious Encoded PowerShell Command Line | Threat Hunting Sigma | PowerShell |
| Registry Persistence via Explorer Run Key | Threat Hunting Sigma | Registry Run Keys / Startup Folder |
| WMIExec VBS Script | Threat Hunting Sigma | Scripting |
| Scheduled Task Creation | Threat Hunting Sigma | Scheduled Task |
| Suspicious PowerShell Parameter Substring | Threat Hunting Sigma | PowerShell |
| New RUN Key Pointing to Suspicious Folder | Threat Hunting Sigma | Registry Run Keys / Startup Folder |
| Suspicious PowerShell Download | Threat Hunting Sigma | PowerShell |
We will update this page with more content as it becomes available.
Get information on how Micro Focus is working to help ensure business continuity for our customers during this time of transition due to the coronavirus by offering several product promotions.
The Micro Focus ArcSight Team