Targeted attack
IBM® QRadar® can help you detect targeted threats, such as when an employee unknowingly opens an attachment in a phishing email.
In the Targeted Attack use case, a file that is downloaded from a phishing email results in malware that infects an employee's workstation, and a connection to a Command and Control (C&C) server is established. The attacker uses the infected workstation to move laterally within the network infrastructure, searching for critical company assets.
With a firewall in place between the infected workstation and the server network, QRadar detects an excessive number of firewall deny events, and generates an offense. As the attack continues, QRadar also detects that a local database connection was established to a server that is hosting critical data, and that the infected workstation is now being used to download data from this server. All of these events are chained together into a single offense for investigation.
Simulating the threat
To see how QRadar detects the attack, watch the Targeted Attack simulation video.
- On the Log Activity tab, click Show Experience Center.
- Click Threat simulator.
- Locate the Targeted Attack simulation and click Run.
Content | Description |
---|---|
Events | Misc GET Request, Firewall Drop, ESTABLISH, SFTP Session Open, SFTP Session Closed |
Log sources | Experience Center: Bluecoat @ bluecoat.think2019.test; Experience Center: Checkpoint @ checkpoint.firewall-1.test.com; Experience Center: Oracle DB @ 192.168.15.125; Experience Center: LinuxOS @ 192.168.15.25 |
The events play in a loop and the same use case repeats multiple times. To stop the simulation, click Stop on the Threat simulator tab.
Detecting the threat: QRadar in action
The Custom Rules Engine (CRE) component of QRadar is responsible for processing incoming events and flows. The CRE compares the events and flows against a collection of tests, which are known as rules, and the rules create offenses when specific conditions are met. The CRE tracks the rule tests and incident counts over time.
Knowing that an offense occurred is only the first step. QRadar makes it easier for you to do an in-depth analysis and identify how it happened, where it happened, and who did it. By indexing the offense, all events with the same threat name appear as a single offense.
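The chaining described above (a burst of firewall denies from one host, followed by a local database connection and an SFTP download from that same host, all indexed into one offense) can be illustrated with a small correlation engine. The following is an added example written for this page; it is not IBM code and not a QRadar CRE rule definition. The event names and the Oracle DB address 192.168.15.125 come from the simulation's event and log-source tables; the threshold (5 denies in 60 seconds), the rule names, the infected workstation address 192.168.15.50, the uninvolved host 192.168.15.60 and the sample events themselves are constructed for the example.

```python
"""Toy correlation engine: three rules evaluated in time order, with every
rule match for a given source IP chained into that IP's single offense."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    id: int
    ts: int           # seconds since the start of the (constructed) capture
    log_source: str   # Experience Center log source that produced the event
    name: str         # QRadar event name, as listed in the simulation's event table
    src_ip: str
    dst_ip: str


DENY_THRESHOLD = 5          # assumed: this many Firewall Drop events ...
DENY_WINDOW = 60            # ... from one source within this many seconds
DB_SERVERS = {"192.168.15.125"}   # Oracle DB host from the simulation's log sources

RULE_DENIES = "Excessive Firewall Denies"                  # assumed rule name
RULE_DB = "Local DB Connection From Flagged Host"          # assumed rule name
RULE_DOWNLOAD = "Data Download From Flagged Host"          # assumed rule name

WS = "192.168.15.50"      # constructed: the infected workstation
OTHER = "192.168.15.60"   # constructed: an uninvolved host that must not raise an offense

# Constructed sample events (not captured from QRadar). Destination addresses
# for the denied connections are made up for the example.
SAMPLE_EVENTS = [
    Event(0, 0, "Checkpoint", "Firewall Drop", WS, "192.168.15.101"),
    Event(1, 10, "Checkpoint", "Firewall Drop", WS, "192.168.15.102"),
    Event(2, 20, "Checkpoint", "Firewall Drop", WS, "192.168.15.103"),
    Event(3, 30, "Checkpoint", "Firewall Drop", WS, "192.168.15.104"),
    Event(4, 40, "Checkpoint", "Firewall Drop", WS, "192.168.15.105"),
    Event(5, 50, "Checkpoint", "Firewall Drop", WS, "192.168.15.106"),
    Event(6, 5, "Checkpoint", "Firewall Drop", OTHER, "192.168.15.101"),   # one deny only
    Event(7, 15, "Bluecoat", "Misc GET Request", OTHER, "192.168.15.25"),  # benign web traffic
    Event(8, 60, "Oracle DB", "ESTABLISH", OTHER, "192.168.15.125"),       # DB use by an unflagged host
    Event(9, 70, "Oracle DB", "ESTABLISH", WS, "192.168.15.125"),          # DB connection by the flagged host
    Event(10, 80, "LinuxOS", "SFTP Session Open", WS, "192.168.15.25"),
    Event(11, 90, "LinuxOS", "SFTP Session Closed", WS, "192.168.15.25"),
]


def _attach(offenses, src_ip, rule, evs):
    """Create the offense for src_ip if needed, then chain the rule and events onto it."""
    off = offenses.setdefault(src_ip, {"source_ip": src_ip, "rules": [],
                                       "event_ids": set(), "first_seen": None,
                                       "last_seen": None})
    if rule not in off["rules"]:
        off["rules"].append(rule)
    off["event_ids"].update(e.id for e in evs)    # set: re-matching never double-counts
    ts = [e.ts for e in evs]
    off["first_seen"] = min(ts) if off["first_seen"] is None else min(off["first_seen"], min(ts))
    off["last_seen"] = max(ts) if off["last_seen"] is None else max(off["last_seen"], max(ts))


def correlate(events):
    """Run the three rules over events in time order; return offenses keyed by source IP."""
    offenses = {}
    deny_hist = defaultdict(list)   # src_ip -> Firewall Drop events inside the sliding window
    for e in sorted(events, key=lambda x: x.ts):
        if e.name == "Firewall Drop":
            recent = [d for d in deny_hist[e.src_ip] if e.ts - d.ts <= DENY_WINDOW]
            recent.append(e)
            deny_hist[e.src_ip] = recent
            if len(recent) >= DENY_THRESHOLD:
                _attach(offenses, e.src_ip, RULE_DENIES, recent)
        elif e.name == "ESTABLISH" and e.dst_ip in DB_SERVERS and e.src_ip in offenses:
            # A DB connection alone is normal; it is chained only onto an existing offense.
            _attach(offenses, e.src_ip, RULE_DB, [e])
        elif e.name in ("SFTP Session Open", "SFTP Session Closed") and e.src_ip in offenses:
            _attach(offenses, e.src_ip, RULE_DOWNLOAD, [e])
    return offenses


if __name__ == "__main__":
    for ip, off in correlate(SAMPLE_EVENTS).items():
        print(f"offense for {ip}: {len(off['event_ids'])} events, "
              f"t={off['first_seen']}..{off['last_seen']}, rules={off['rules']}")
```

Running the script yields one offense, for 192.168.15.50, carrying all three rule names and nine chained events; the host at 192.168.15.60 raises nothing, because its single deny never reaches the threshold and its database connection has no prior offense to chain onto. The same ordering matters in QRadar: the later rules here only fire for a source that an earlier rule has already flagged, which is what turns separate log lines into one offense to investigate.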
Investigating the threat
- Open the IBM QRadar Experience Center app.
- In the Threat simulator window, click the Read More link for the simulation, and select the type of content that you want to review.
Alternatively, from the Log Activity tab, you can run the quick search called EC: Targeted Attack Events to view all events that are associated with the offense.