rhillny Absent Member.

Re: Hunting Ransomware using ArcSight: proactive detection & response

So without that content using this arb is useless?

vigneshwar Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

That threat intel extract script that runs from Cron in your environment is the prerequisite to this package and the use cases that come with it. Otherwise it is useless.

Thanks

Vignesh

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi Ronald,

We're working on a major update to the use case; it will have fully updated logic that uses not only external threat intel but also scoring. ETA is 2 weeks.

Meanwhile I see that Google Drive access may not be the optimal transfer mechanism for you, though we have to deliver the threat intel feed somehow. What would be the simplest acceptable transport for you?

Thanks,

Andrii

abezverkhyi Honored Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi Linh,

Good question! Historical correlation is added to the advanced package that we plan to share in 2 weeks. The main goal of using historical correlation here is that there is a time drift between delivery of the threat intel feed and delivery of firewall and proxy events to the manager. While the latter is easy to fix, the first one is not that obvious. For example: if you had a connection to a ransomware distribution website at 9:00 a.m. caught in the web proxy log, and that URL got reported as malicious at 10:00 a.m. to the abuse.ch threat feed with a timestamp of 9:00 a.m., you won't catch the connection with a real-time correlation rule and will miss it. It also takes some time to deliver the intel feed abuse.ch -> SOC Prime -> Google Drive -> your premises running the script.

That's the basic principle. I'll let comment in a bit more detail on the technical side.

Does this help?

Thanks,

Andrii

Aleks Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi,

We use historical correlation in the Advanced package (in this post the Basic package is available). Historical correlation is implemented with the scheduled rule group functionality. The rule group is scheduled to run every hour and correlates all events from the previous hour with the lists of ransomware IPs and URLs. This allows detecting connections to new ransomware sites that are reported as abuse with a delay. It also covers TI data delivery delays to the SIEM.

Aleks

0 Likes
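To make the time-drift problem Andrii describes and the hourly scheduled rule group Aleks describes concrete, here is an added illustration (not code from the SOC Prime package or from the posters) with constructed proxy events and a constructed feed entry. The 9:00 connection is missed by the real-time check because the indicator only reached the active list at 10:00, while the hourly run at 10:00 that re-correlates the previous hour catches it:

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the thread: proxy events and a feed
# entry whose report reached the SIEM an hour after the URL was first seen.
PROXY_EVENTS = [
    # (event time at the manager, source host, requested URL)
    (datetime(2017, 5, 1, 9, 0), "10.0.0.5", "http://bad.example/pay.php"),
    (datetime(2017, 5, 1, 10, 30), "10.0.0.7", "http://bad.example/pay.php"),
    (datetime(2017, 5, 1, 10, 40), "10.0.0.9", "http://ok.example/index.html"),
]
FEED = [
    # (indicator, time it was loaded into the active list)
    ("http://bad.example/pay.php", datetime(2017, 5, 1, 10, 0)),
]
RUN_AT_10 = datetime(2017, 5, 1, 10, 0)  # hourly scheduled runs
RUN_AT_11 = datetime(2017, 5, 1, 11, 0)


def realtime_hits(events, feed):
    """Real-time rule: an event matches only if the indicator was already in
    the active list when the event reached the manager."""
    return [(when, src, url) for when, src, url in events
            for ioc, loaded_at in feed if url == ioc and loaded_at <= when]


def historical_hits(events, feed, run_at, window=timedelta(hours=1)):
    """Scheduled rule group: at run_at, re-correlate every event from the
    previous window against all indicators known by run_at."""
    start = run_at - window
    return [(when, src, url) for when, src, url in events
            if start <= when < run_at
            for ioc, loaded_at in feed if url == ioc and loaded_at <= run_at]


if __name__ == "__main__":
    print("real-time:", realtime_hits(PROXY_EVENTS, FEED))
    for run in (RUN_AT_10, RUN_AT_11):
        print("historical run at", run.time(),
              historical_hits(PROXY_EVENTS, FEED, run))
```

The window is the previous hour as in the thread; a longer window only costs more events per run, while a shorter one risks losing events that arrive at the manager late.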
Aleks Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Hi Karan,

To make it work, you need to edit the script ransomware-basic-to-siem.sh and set the parameters for where to send events:

syslog_server =

syslog_port =

syslog_proto =

This must be the IP address or hostname of the server with the Syslog Daemon SmartConnector, the port that the SmartConnector listens on, and the protocol (udp or tcp).

Then schedule this script on a Linux server to run every 6 minutes.

After that you should see events in ESM.

To test the script and data delivery, just check /All Active Lists/SOC Prime Solutions/Ransomware Hunter Basic/Source Lists. They should not be empty.

If the lists are empty, make sure the script is running. Try to run it manually. Check whether events are coming to ESM: open the Active Channel ../Ransomware Basic/Ransomware Basic Events. Then check whether the rule folders ../Ransomware Basic/Realtime Analysis and Update Source Lists are deployed to Real Time.

After that you can test the rules with the Test Alert Connector. Install the Test Alert SmartConnector and send test events to ESM. You can find an example of how to do it in "Are you a smart connector?", page 37. Fill in the fields that are mentioned in the filter ../Ransomware Hunter Basic/Perimeter Devices Successful Events or Perimeter Devices Unsuccessful Events, and add a Request URL or Destination Address from the Source Lists Ransomware URL Realtime or Ransomware IP Realtime.

You should see your test event in the Active Channel ../Ransomware Hunter Basic/Ransomware Suspicious Events or on the Dashboard.

Aleks

0 Likes
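The delivery step Aleks describes (feed entries sent as events to a Syslog Daemon SmartConnector using syslog_server, syslog_port and syslog_proto) can be shown with an added Python sketch. This is not the package's ransomware-basic-to-siem.sh and does not read the real abuse.ch feed; the feed lines, server address and CEF vendor/product strings are constructed, while request and dst are standard CEF extension keys (requestUrl and destinationAddress):

```python
import socket
from datetime import datetime, timezone

# Parameters named in the thread; the values here are constructed.
syslog_server = "192.0.2.10"   # host running the Syslog Daemon SmartConnector
syslog_port = 514
syslog_proto = "udp"           # "udp" or "tcp"

# Constructed feed lines (not the real abuse.ch feed): "indicator,tag"
FEED_LINES = ["http://bad.example/pay.php,Locky", "203.0.113.10,Cerber"]


def cef_escape(value, header=False):
    """CEF escaping: backslash and '|' in header fields, backslash and '=' in extensions."""
    value = value.replace("\\", "\\\\")
    return value.replace("|", "\\|") if header else value.replace("=", "\\=")


def feed_line_to_cef(line):
    """Turn one feed line into a CEF event: URLs populate requestUrl (request),
    bare IP addresses populate destinationAddress (dst)."""
    indicator, tag = (p.strip() for p in line.split(",", 1))
    key = "request" if "://" in indicator else "dst"
    ext = f"{key}={cef_escape(indicator)} cs1Label=threat cs1={cef_escape(tag)}"
    return f"CEF:0|Constructed|TI Feed|1.0|100|Ransomware indicator|5|{ext}"


def syslog_frame(cef, host="ti-feed"):
    """Wrap a CEF line in a minimal BSD syslog header (facility user, severity notice)."""
    stamp = datetime.now(timezone.utc).strftime("%b %d %H:%M:%S")
    return f"<13>{stamp} {host} {cef}"


def send_events(lines, server=syslog_server, port=syslog_port, proto=syslog_proto):
    """Send one syslog message per feed line; returns the number sent."""
    payloads = [syslog_frame(feed_line_to_cef(l)).encode() for l in lines]
    if proto == "udp":
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            for p in payloads:
                s.sendto(p, (server, port))
    else:
        with socket.create_connection((server, port)) as s:
            for p in payloads:
                s.sendall(p + b"\n")   # TCP syslog: newline-delimited
    return len(payloads)


if __name__ == "__main__":
    print(send_events(FEED_LINES), "events sent to", syslog_server)
```

Run from cron every 6 minutes as the thread suggests; if the Source Lists stay empty, the Ransomware Basic Events channel shows whether these events reach ESM at all.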
acorrea331 Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Team,

Thank you for this, we could definitely use this in my environment and I have been tasked with implementing it. However, this appears to be specifically for ESM only. Is there a version of this for Logger?

vigneshwar Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Yes. Here is the one for Logger. Same source, different implementation, using a Perl wrapper I think.

https://marketplace.saas.hpe.com/arcsight/content/ransomware-activity

Thanks

Vignesh

vigneshwar Super Contributor.

Re: Hunting Ransomware using ArcSight: proactive detection & response

Haven’t seen any Intel from this source on WannaCry. Has anyone else seen any intel related to this latest ransomware that is wreaking havoc across the globe?

Thanks

Vignesh
