Targeted attack

IBM® QRadar® can help you detect targeted threats, such as when an employee unknowingly opens an attachment in a phishing email.

In the Targeted Attack use case, a file that is downloaded from a phishing email results in malware that infects an employee's workstation, and a connection to a Command and Control (C&C) server is established. The attacker uses the infected workstation to move laterally within the network infrastructure, searching for critical company assets.

With a firewall in place between the infected workstation and the server network, QRadar detects an excessive number of firewall deny events, and generates an offense. As the attack continues, QRadar also detects that a local database connection was established to a server that is hosting critical data, and that the infected workstation is now being used to download data from this server. All of these events are chained together into a single offense for investigation.

Simulating the threat

To see how QRadar detects the attack, watch the Targeted Attack simulation video.

To run the simulation in QRadar, follow these steps:
  1. On the Log Activity tab, click Show Experience Center.
  2. Click Threat simulator.
  3. Locate the Targeted Attack simulation and click Run.
On the Log Activity tab, you can see the following incoming events that are used to simulate the use case:
Table 1. Incoming events for the Targeted Attack use case
  Content      Description
  Events       Misc GET Request
               Firewall Drop
               ESTABLISH
               SFTP Session Open
               SFTP Session Closed
  Log sources  Experience Center: Bluecoat @ bluecoat.think2019.test
               Experience Center: Checkpoint @ checkpoint.firewall-1.test.com
               Experience Center: Oracle DB @ 192.168.15.125
               Experience Center: LinuxOS @ 192.168.15.25

The events play in a loop and the same use case repeats multiple times. To stop the simulation, click Stop on the Threat simulator tab.

Detecting the threat: QRadar in action

The Custom Rules Engine (CRE) component of QRadar is responsible for processing incoming events and flows. The CRE compares the events and flows against a collection of tests, which are known as rules, and the rules create offenses when specific conditions are met. The CRE tracks the rule tests and incident counts over time.

Knowing that an offense occurred is only the first step. QRadar makes it easier for you to do an in-depth analysis and identify how it happened, where it happened, and who did it. Because the offense is indexed, all events that share the same threat name are grouped into a single offense.
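The rule chain described in this use case, as an added example (not QRadar's CRE or any IBM code): a small Python correlator replays constructed events named after the Table 1 event types, opens an offense keyed by source IP once Firewall Drop events from that source exceed a threshold inside a time window, and then chains the later database ESTABLISH and SFTP download from the same source onto that one offense. The threshold, window, rule names and IP addresses are assumptions.

```python
from collections import defaultdict

# Constructed sample events modelled on the Table 1 event names; not real QRadar output.
# Each event: (timestamp_seconds, log_source, event_name, src_ip, dst_ip)
SAMPLE_EVENTS = [
    (0,   "Bluecoat",   "Misc GET Request",    "10.0.0.42", "203.0.113.9"),
    *[(10 + i, "Checkpoint", "Firewall Drop", "10.0.0.42", "192.168.15.125") for i in range(12)],
    (60,  "Checkpoint", "Firewall Drop",       "10.0.0.77", "192.168.15.125"),
    (90,  "Oracle DB",  "ESTABLISH",           "10.0.0.42", "192.168.15.125"),
    (120, "LinuxOS",    "SFTP Session Open",   "10.0.0.42", "192.168.15.25"),
    (180, "LinuxOS",    "SFTP Session Closed", "10.0.0.42", "192.168.15.25"),
]

DENY_THRESHOLD = 10   # assumed: drops from one source that fire the first rule
DENY_WINDOW = 300     # assumed: seconds over which drops from one source are counted

RULE_DENIES = "Excessive firewall denies"
RULE_DB = "DB connection from suspect host"
RULE_DOWNLOAD = "Data download from critical server"

def correlate(events, deny_threshold=DENY_THRESHOLD, deny_window=DENY_WINDOW):
    """Replay events in time order; chain rule hits into offenses indexed by source IP."""
    deny_times = defaultdict(list)   # src_ip -> timestamps of recent Firewall Drop events
    offenses = {}                    # src_ip -> rules that fired for that source, in order
    for ts, _source, name, src, _dst in sorted(events):
        if name == "Firewall Drop":
            # keep only drops inside the sliding window, then count this one
            window = [t for t in deny_times[src] if ts - t <= deny_window] + [ts]
            deny_times[src] = window
            if len(window) >= deny_threshold and src not in offenses:
                offenses[src] = [RULE_DENIES]
        elif src in offenses:
            # later stages only attach to a source that is already the subject of an offense
            if name == "ESTABLISH" and RULE_DB not in offenses[src]:
                offenses[src].append(RULE_DB)
            elif name == "SFTP Session Open" and RULE_DB in offenses[src] \
                    and RULE_DOWNLOAD not in offenses[src]:
                offenses[src].append(RULE_DOWNLOAD)
    return offenses

if __name__ == "__main__":
    for src, chain in correlate(SAMPLE_EVENTS).items():
        print(src, "->", " / ".join(chain))
```

A single drop from a second host (10.0.0.77) never reaches the threshold, so it produces no offense and its later traffic is not chained.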

Investigating the threat

To see the list of QRadar content that contributes to this simulation, including rules, saved searches, offenses, and reference sets, follow these steps:
  1. Open the IBM QRadar Experience Center app.
  2. In the Threat simulator window, click the Read More link for the simulation, and select the type of content that you want to review.

    Alternatively, from the Log Activity tab, you can run the quick search called EC: Targeted Attack Events to view all events that are associated with the offense.