
Malware Hunter How To Guide for SecurityCenter Continuous View™

Presentation transcript:

1 Malware Hunter How To Guide for SecurityCenter Continuous View™

2 Tenable provides Continuous Network Monitoring™ to identify vulnerabilities, reduce risk, ensure compliance, and “hunt malware”.

3 Hunting for Malware
New versions of malware are released daily. Making a new dashboard for each malware can become complicated and time consuming. A new template was designed for malware hunting and can be customized for new malware. The new dashboard has Indicator of Compromise (IOC) components and template components.

4 Malware Hunter Dashboard
Left Side
–These components are developed to be customized by the organization for each new malware.
–Each will be discussed in detail.
Right Side
–These components are Indicators of Compromise (IOC) and are not intended to be modified.

5 IOC Components
There are 5 matrix components. These components provide several saved queries that can aid in the hunt for malware. Each of these components can be individually downloaded from the SecurityCenter feed or as a collection. These components contain indicators that may occur with normal traffic and should be investigated and/or monitored for suspicious events.
Account Weakness - Suspicious Login Activity (Events from Last 72 Hours)
Indicators - Malicious Process Monitoring
Unknown Process - Microsoft Windows Autoruns
Verizon 2015 DBIR - Forensic Indicators
Verizon 2015 DBIR - Indicator of Compromise (IOC) Events

6 IOC Components

7 Template Components
These components are templates that can be edited by the organization. Each component has a cell with the default filter, and the other cells have sample content to be edited.
Malware Hunter - DNS Domains Watchlist (Last 72 Hours)
Malware Hunter - IP Address Any Event Traffic (Last 72 Hours)
Malware Hunter - Malicious Process Detection Using MD5 Hashes
Malware Hunter - Microsoft Windows Known Bad AutoRuns / Scheduled Tasks MD5 Hash Searches

8 Template Components

9 Malware Hunter Malicious Process Detection Using MD5 Hashes
This component uses the Malicious Process Detection plugins to monitor for the associated MD5 hashes identified by the FBI. Additionally, an indicator is used to help identify all the Malicious Process Detection plugins currently in SecurityCenter. There are several plugins to identify malicious processes, some of which focus on operating systems such as Windows, Linux, or Mac OS X. Others allow security administrators to input their own MD5 hashes and to check for MD5 hashes identified by Mandiant.
The indicators will change colors when a match is found. The red indicator “Malicious Process Detection” means that a match for the plugins is found. The remaining cells must be edited and the appropriate MD5 hash added to the vulnerability text. The cells that require editing will turn purple when a match is located. Many types of malware can be identified by different MD5 hashes. Edit the component and place the respective hashes in the filters.

10 Malware Hunter Malicious Process Detection Using MD5 Hashes To edit the component, click on the arrow in the corner and select edit. Next, select the cell to be modified.

11 Malware Hunter Malicious Process Detection Using MD5 Hashes
Next, edit the filter by selecting the pencil icon on the right hand side.
–This is the Vulnerability Text field.
–Put the full MD5 hash string in this field.
Now change the indicators.
–Put in the last 6 characters for each MD5.
–Make sure to input the string into both the default setting and match setting.

12 Malware Hunter Microsoft Windows Known Bad AutoRuns Scheduled Tasks MD5 Hash Searches
This component provides indicators of possible malware using the Microsoft Windows Known Bad AutoRuns / Scheduled Tasks reputation plugin. Plugin 74442 (Microsoft Windows Known Bad AutoRuns / Scheduled Tasks) shows that the Windows system has one or more registry entries that are known to be associated with malware.
The indicators will change colors when a match is found. The red indicator “Bad AutoRun” means that a match for plugin 74442 is found. The remaining cells must be edited and the appropriate MD5 hash added to the vulnerability text. The cells that require editing will turn purple when a match is located. Many types of malware can be identified by different MD5 hashes. Edit the component and place the respective hashes in the filters.

13 Malware Hunter Microsoft Windows Known Bad AutoRuns Scheduled Tasks MD5 Hash Searches To edit the component, click on the arrow in the corner and select edit. Next, select the cell to be modified.

14 Malware Hunter Microsoft Windows Known Bad AutoRuns Scheduled Tasks MD5 Hash Searches
Next, edit the filter by selecting the pencil icon on the right hand side.
–This is the Vulnerability Text field.
–Put the full MD5 hash string in this field.
Now change the indicators.
–Put in the last 6 characters for each MD5.
–Make sure to input the string into both the default setting and match setting.
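The MD5 editing procedure on slides 9 through 14 puts the full hash into the Vulnerability Text filter and only the last 6 characters into the indicator. The following added example (not Tenable's code or part of the presentation; the watchlist values are constructed, not real malware hashes) derives both values from a hash list, rejects malformed entries that could never match plugin output, and flags watched hashes whose 6-character indicator labels collide, since one indicator cell then cannot tell them apart.

```python
import re
from collections import defaultdict

MD5_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed sample watchlist for the example; these are not real malware hashes.
WATCHLIST = {
    "dropper.exe": "0123456789abcdef" * 2,   # ends in ...abcdef
    "loader.dll": "f" * 26 + "ABCDEF",       # upper case, same last 6 characters
    "beacon.exe": "a" * 26 + "1234ab",
}

def is_valid_md5(value: str) -> bool:
    """True when the string is a 32-character hex digest (case-insensitive)."""
    return MD5_RE.match(value.strip().lower()) is not None

def build_filters(watchlist: dict) -> dict:
    """Per entry, derive the full hash for the Vulnerability Text filter and the
    6-character suffix the slides use as the indicator label. Invalid entries are
    reported rather than silently turned into a filter that can never match."""
    filters, rejected = {}, []
    for name, raw in watchlist.items():
        if not is_valid_md5(raw):
            rejected.append(name)
            continue
        h = raw.strip().lower()          # plugin output is lower-case hex
        filters[name] = {"vuln_text": h, "indicator": h[-6:]}
    return {"filters": filters, "rejected": rejected}

def suffix_collisions(filters: dict) -> dict:
    """Indicator labels shared by more than one watched hash. A shared suffix means
    a purple cell is ambiguous; check the full hash in the plugin output."""
    groups = defaultdict(list)
    for name, f in filters.items():
        groups[f["indicator"]].append(name)
    return {suffix: names for suffix, names in groups.items() if len(names) > 1}
```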

15 Malware Hunter DNS Domains Watchlist (Last 72 Hours)
This component provides a series of indicators that report on DNS query events detected by PVS and logged to LCE. Each malware version often uses some sort of call-home or command-and-control method to contact the malware source. This matrix allows the analyst to monitor specific DNS patterns.
Search for DNS queries captured by PVS using the “PVS-DNS_Client_Query” Normalized Event.
–The raw message will contain a statement similar to this: The most recent DNS query performed was for: www.google.com to the server at 10.31.15.1
The “DNS Client Query” indicator turns blue when data is present. The other indicators need to be modified to contain the FQDN of the domain name the organization is looking for. The FQDN can be searched for using keyword searches and Boolean logic. However, there is one important detail to remember: when searching the syslog text, all punctuation is removed and replaced with an AND, so www.google.com is translated to www AND google AND com. Edit the component and place the respective DNS entries in the filters.

16 Malware Hunter DNS Domains Watchlist (Last 72 Hours)
To edit the component, click on the arrow in the corner and select edit. Next, select the cell to be modified.

17 Malware Hunter DNS Domains Watchlist (Last 72 Hours)
Next, edit the filter by selecting the pencil icon on the right hand side.
–This is the Syslog Text field.
–Put the FQDN string or pattern in this field.
Now change the indicators.
–Put the FQDN for each indicator.
–Make sure to input the string into both the default setting and match setting.
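Because the Syslog Text search turns www.google.com into www AND google AND com, a DNS indicator on slides 15 through 17 also lights up for any raw message that merely contains those three labels in any order. The added example below (not Tenable's code or part of the presentation; the raw messages are constructed in the shape of the slide's sample, and the tokenizer is an approximation of the described behaviour, not SecurityCenter's implementation) reproduces that keyword match and then confirms each hit by extracting the queried name from the raw message and comparing it exactly.

```python
import re

# Constructed raw messages shaped like the slide's sample; not real captures.
RAW_MESSAGES = [
    "The most recent DNS query performed was for: www.google.com to the server at 10.31.15.1",
    "The most recent DNS query performed was for: google.www.com to the server at 10.31.15.1",
    "The most recent DNS query performed was for: www.google.com.evil-example.test to the server at 10.31.15.1",
    "The most recent DNS query performed was for: update.example.test to the server at 10.31.15.1",
]

SPLIT_RE = re.compile(r"[^a-z0-9]+")   # every punctuation run is a token boundary
QUERY_RE = re.compile(r"was for: (\S+) to the server at (\S+)")

def tokens(text: str) -> list:
    return [t for t in SPLIT_RE.split(text.lower()) if t]

def fqdn_to_keyword_query(fqdn: str) -> str:
    """Approximate the Syslog Text behaviour the slide describes: punctuation is
    dropped and the labels are ANDed, e.g. www.google.com -> 'www AND google AND com'."""
    return " AND ".join(tokens(fqdn))

def keyword_match(raw_message: str, fqdn: str) -> bool:
    """Stage 1: what the keyword filter sees. Dots and label order are lost, so
    this over-matches any message that contains the same labels."""
    return set(tokens(fqdn)) <= set(tokens(raw_message))

def exact_match(raw_message: str, fqdn: str) -> bool:
    """Stage 2: pull the queried name out of the raw message and compare it to the
    watched FQDN exactly, or as a sub-domain of it."""
    m = QUERY_RE.search(raw_message)
    if not m:
        return False
    name = m.group(1).lower().rstrip(".")
    watched = fqdn.lower().rstrip(".")
    return name == watched or name.endswith("." + watched)

def triage(raw_messages: list, fqdn: str) -> tuple:
    """Return (keyword hits, confirmed hits) so the analyst can see how many
    indicator matches survive an exact check on the raw message."""
    hits = [m for m in raw_messages if keyword_match(m, fqdn)]
    confirmed = [m for m in hits if exact_match(m, fqdn)]
    return len(hits), len(confirmed)
```

With the constructed messages, three of the four trip the keyword filter for www.google.com but only the first is the watched name itself.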

18 Malware Hunter IP Address Any Event Traffic (Last 72 Hours)
This component indicates whether specific IP addresses have been seen in LCE events over the last 72 hours. These events were collected using PVS, LCE Client, NetFlow, or other LCE collection methods. Each of these cells must be modified to reflect the targeted malware. Each malware version often uses some sort of call-home or command-and-control method to contact the malware source. This component allows the analyst to track any communication with the malicious addresses. Edit the component and place the respective IP addresses in the filters.

19 Malware Hunter IP Address Any Event Traffic (Last 72 Hours)
To edit the component, click on the arrow in the corner and select edit.

20 Malware Hunter IP Address Any Event Traffic (Last 72 Hours)
Next, edit the filter by selecting the pencil icon on the right hand side.
–The address field is not present by default and needs to be added.
–Put in the address or subnet that is known to host malware.
Now change the indicators.
–Put the address or subnet for each indicator.
–Make sure to input the string into both the default setting and match setting.

21 Hunting for Malware
To summarize, hunting for malware requires IOC components and custom components.
–The IOC components are provided via the SecurityCenter feed and do not require updating.
–IOC components contain valid queries; however, their matches should be monitored for malicious activity.
–The custom components are also available from the SecurityCenter feed.
–The custom components need to be updated for each type of malware.
For more support, check out the Discussion Forums and Customer Support Portal:
–Indicators of Compromise and Malware
–Tenable Customer Support Portal


