Security Operations and How to Defend Against COVID-19-themed Cyber Threats

Micro Focus Frequent Contributor
Micro Focus Frequent Contributor
9 0 5,145

Greetings Cyber Defenders,

Update on April 28, 2020

We also have released a specific Threat Intel-based package, providing additional Threat Intel from Scan Titan and Anomali. Please see the blog post from our Senior Architect Pavan Raja for details.

Update on April 15, 2020

On top of the releases mentioned in our original blog post below, we now have released the official "CoronaVirus-related Malicious Monitoring" package for our Realtime Correlation platform, ArcSight ESM.

Original Post on April 5, 2020

Specific use cases suitable for realtime detection and relevant MITRE Techniques information are below:

CoronaVirus-related Malicious Monitoring

https://marketplace.microfocus.com/arcsight/content/coronavirus-related-malicious-monitoring

Coronavirus-related Malicious Monitoring package detects security threats which are related to coronavirus.

Following use cases are included in this package:

  • Coronavirus related suspicious files executed:
  • Macro Embedded on Coronavirus Office Document
  • Suspicious Coronavirus File Executed On Host
  • Coronavirus related suspicious traffic and email, based on intelligence Datafeed from MISP CIRCL
  • Dangerous Browsing to a Suspicious Coronavirus URL
  • Email Sent to Suspicious Coronavirus Address
  • Inbound Traffic from a Coronavirus Suspicious Address
  • Inbound Traffic from a Coronavirus Suspicious Domain
  • Outbound Traffic to a Coronavirus Suspicious Address
  • Outbound Traffic to a Coronavirus Suspicious Domain
  • Received Email from Suspicious Coronavirus Address
  • Suspicious Coronavirus File Hash Activity
  • Coronavirus Detected by Vendor

Following MITRE ATT&CK Techniques are covered as well:

  • T1048-Exfiltration Over Alternative Protocol
  • T1064-Scripting
  • T1190-Exploit Public-Facing Application
  • T1192-Spearphishing Link
  • T1193-Spearphishing Attachment
  • T1204-User Execution

Original Blog Post

We hope you and your loved ones are safe and sound, in today’s corona-ridden world.

With coronavirus-themed cyber-attacks skyrocketing, we are facing one of the largest cybersecurity challenges of our time.

Opportunistic cyber criminals are seeking to take advantage of the chaos, with targeted COVID-19 attacks such as:

  • Phishing scams that capitalize on victims’ fear of the virus, to deploy ransomware, etc…
  • Criminals disguising themselves as WHO to steal money or sensitive information
  • Web conference hijacking
  • Strain on infrastructure services as numerous workers become remote
  • DDoS on VPN & authentication systems
  • Two factor-authentication (2FA) bypass attacks

We believe there is hope after all, if existing defensive technologies are deployed properly.

This blog post will focus on how our customers can utilize Micro Focus ArcSight to help defend against COVID-19-themed cyber-attacks.

In the spirit of ArcSight’s next-gen SOC architecture, the following high-level capabilities exist:

  • Threat Intel to detect 0-day threats (using multiple indicator types, like malicious file hashes, domain names, email addresses….)
  • Real-time correlation to detect and stop malicious communications from known threat actors or email campaigns
  • Search and hunt queries to uncover attacks that have already taken place (before the real-time rules were implemented)
  • Real-time dashboards to provide true visibility across the enterprise
  • Machine Learning algorithms to identify misbehaving users. E.g. email recipients visiting a never-before-visited page or uploading large data to a page on first visit, etc…

We will provide links to existing content (packages, videos, etc…) and new ones as they become available.

Specialized ArcSight Content and Videos

 

  • ArcSight ESM Real-Time Correlation Package 2 – CoronaVirus-related Malicious Monitoring
    This second bundle of special content includes advanced dashboards and rules using tough-to-bypass TTP’s to address Coronavirus-themed threats. More information are at the top of this blog post.

package 1_high-resolution.png

  • Partner-Provided Free Content:
    COVID-19 Security Package from SOC Prime, which provides specific ArcSight Logger search and hunt queries to find and investigate incidents that have already taken place.

SOC_Prime_All_Corona-related_ArcSight_Content.PNG

Partner-Provided Free Content Details

Full List with SOC Prime's Free Package

Rule Name Rule Type MITRE ATT&CK Techniques
VBA DLL Loaded Via Microsoft Word Threat Hunting Sigma Spearphishing Attachment
Execution in Outlook Temp Folder Threat Hunting Sigma Spearphishing Attachment
Windows Shell Spawning Suspicious Program Threat Hunting Sigma Scripting
Suspicious Double Extension Threat Hunting Sigma Spearphishing Attachment
Encoded FromBase64String Threat Hunting Sigma Deobfuscate/Decode Files or Information, PowerShell
Suspicious Encoded PowerShell Command Line Threat Hunting Sigma PowerShell
Registry Persistence via Explorer Run Key Threat Hunting Sigma Registry Run Keys / Startup Folder
WMIExec VBS Script Threat Hunting Sigma Scripting
Scheduled Task Creation Threat Hunting Sigma Scheduled Task
Suspicious PowerShell Parameter Substring Threat Hunting Sigma PowerShell
New RUN Key Pointing to Suspicious Folder Threat Hunting Sigma Registry Run Keys / Startup Folder
Suspicious PowerShell Download Threat Hunting Sigma PowerShell

 

We will update this page with more content, as they become available.

Get information on how Micro Focus is working to help ensure business continuity for our customers during this time of transition due to the coronavirus by offering several product promotions.

The Micro Focus ArcSight Team

About the Author
MITRE ATT&CK, evasion, sandboxes, Next-gen SOC, SIEM, APT
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.