This post is part two of Event Categories and Recommended UseCase, you can see part one :
The guidelines provided in this article help SOC professionals in understanding and respond to security monitoring requirements in a more professional manner. Additionally, the use cases and correlation rules proposed in this article aid in making the security monitoring service more relevant to the threat landscape. The use cases recommended are for the event source category.
Antivirus
Anti-malware software helps in the prevention, detection, and removal of malicious software. The modern-day antivirus programs are capable of providing protection against malicious browser help objects (BHO), key loggers, backdoors, Trojans, root-kits, worms, adware, spyware, spam, phishing attacks, APT, privacy threats, and DDOS attacks.
The common detection method includes:
Sandboxing – Behavioral-based detection by allowing the program execution in a sandboxed environment and capturing all its actions.
Data mining – Data mining and machine learning algorithms classify the behavior of a file (as either malicious or benign) given a series of file features that are extracted from the file itself.
Signature-based detection – Compares the suspected file or pattern with its signature database to detect known threats.
Heuristics – Compares the suspected files or pattern with the generic signature specific to a Virus Family. Behavioral-based – Detection based on the behavioral pattern of the malware.
Rootkit detection – A combination of advanced detection techniques is used for this.
Event Categories
The three major categories of events to be considered from an Antivirus event source for effective security monitoring are –
- AV Definition/Signature Database Status events–Helps the Security Analyst detect the state of protection and virus and spyware signature definitions updates.
- Scan-antivirus scan-related events.
- Treatment–events related to the action done to the infected files.
Recommended Use Cases and Correlation Rules
| No | Use Case | Event Type /Category | Correlation Rule |
| 1 | To monitor antivirus software logs to track if detected viruses are cleaned properly. | AV Scan | Failed AV mitigation or cleaning detected, possible persistent virus infection. |
| 2 | Identify machines that are not updated to the latest AV definitions. | AV Update | Detect unprotected end points, possible Antivirus disable attempt. Detect Anti-virus stop, start, update failures. |
| 3 | Identify machines that are updated to the latest AV definitions. | AV Update | Report of the Current AV protection Posture |
| 4 | Identify quarantine action failed events. | AV Scan | Report of Anti-virus trends; prevented, detected, remediated |
| 5 | To monitor antivirus software logs to track the level, AV Scan type & scope of infection | AV Scan | Report type & scope of Virus infection Anti-virus trends; prevented, detected, remediated. Top malware attacks by sources. Top unusual traffic to and from sources. Top source and destinations of malicious connections Top systems with multiple infections / top systems re-infected. Top systems with suspicious malware activity. |
| 6 | Identify events where the user chose to quarantine a file. | AV-Treatment | Detect user-initiated quarantine action. |
| 7 | Identify events where the user chose to delete an item. | AV-Treatment | Track forced file removal events. |
| 8 | Identify events where the user chose to ignore an item. | AV-Treatment | Report AV recommended action bypass attempts |
| 9 | Identify events of the applications that were quarantined and restored. | AV-Treatment | Detect failed quarantine-restore attempts. |
End-point Threat Protection, Application Control , Whitelisting solution
End-point security monitoring tools are used for prevention and detection of threats against the devices which they are running on. Though the threat visibility of the attack is limited the end-point devices communicate with its server to share information about the data. So, this makes it important to monitor end-point security server and client event data. SIEM boxes should have policies to correlate activities on end points servers and clients.
Application white listing solutions allows the execution of specific application based on defined policies related to users, groups, systems and other attributes. The trust worthiness of an application can be determined by verifying the software vendors trusted certificates or with the path value used by the applications. Legitimacy of an application can also be checked with the hash values of files affiliated with an application using common hashing protocols.
Behavior analytics also plays a considerable role in the detection of rogue applications. It is not easy to define generic use cases for this kind of event sources. The features offered by the solutions should be analyzed case by case for developing effective use cases.
Recommended Use Cases and Correlation Rules
| No | Use Case | Event Type /Category | Correlation Rule |
| 1 | Type To identify & prevent the use of unauthorized software in enterprise environment. Detect the malicious software implantation, propagation, scanning & intrusion nearly real time | Rogue software | Installation of unauthorized software and the use of rogue applications |
| 2 | Detect & prevent zero-day attack initiation & progress in enterprise environment nearly real time | Zero Day | Detect possible zero-day tack initiation |
| 3 | To identify the data access attempts & to prevent the data loss by strict monitoring f files, directories, USB’s & other removable devices. | External devices | Detect possible data exfiltration attempts. Top and unusual Web and database application access. |
| 4 | Detect & prevent malicious software infection / propagation from USB’s & other removable devices. | External devices | Detect unauthorized removable device in use |
| 5 | To monitor access requests to fixed-function end-point devices, such as point-of sale (POS), medical equipment, Industrial control systems, SCADA, aeronautical system & to prevent unauthorized access attempts. | POS | Detect unauthorized access attempts to fixed-functions in end points |
| 6 | To perform user/Administrator activity monitoring to ensure compliance | UAM | Detect unusual user activity |
| 7 | To perform malware impact assessment to aid investigation with details like time & type of attack, mode of propagation, which endpoints have been infected and which machines are engaged in suspicious activity | Impact Assessment | Detect suspicious end point Activity |
Author: Mohammad Ghanbari
Jake
Thank you!