Unboxing Use Cases with IBM Security QRadar

Detecting Advanced Threats

Responding to advanced persistent threats (APT) is resource intensive, time consuming and time sensitive. From advanced threat actors to nation states, attackers operate low and slow to avoid setting off alarms, and they pose some of the greatest risks to organizations.

  • Real time threat intelligence
  • Identify patient zero
  • Abnormal connection behavior
  • PowerShell
  • DNS attack

Real time threat intelligence


Scenario

Security operation centers faced with overwhelming amounts of data must narrow the funnel and accelerate throughput without creating false positives to effectively mitigate a threat. Less noise allows analysts to focus on the critical events and IOCs.

Scheduled database queries give attackers the chance to do more damage, while real-time monitoring enables faster detection. Real-time event processing provides immediate notification before an attack spreads, and real-time event log enrichment adds the critical environmental data an analyst needs.


Solution

  • Discovers, interprets and classifies network assets, devices, users and applications automatically
  • Analyzes and correlates across multiple data sources to identify known and unknown threats automatically
  • Reduces and prioritizes events into a few actionable offenses, according to their importance and business impact
  • Allows for custom rules and tailored anomaly detection settings


Identify patient zero


Scenario

Security teams must find the initial point of attack and figure out how the malicious payload was disseminated beyond the point of entry.

Compromised entities need to be quarantined to prevent the spread of the attack. Analysts must also determine what, if any, peripheral actions were taken to circumvent cleanup activities.


Solution

  • Searches historical network activity to identify anomalous communications (i.e., patient zero)
  • Reconstructs raw network data back to its original form and retraces the security incident
  • Identifies suspect or unexpected content and activity in network communications
  • Generates multiple views of data, including relationships, timelines, source and threat category
  • Uses data pivoting and follows data linkages
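The patient-zero search and timeline reconstruction described above, as an added example that is not QRadar code or any vendor's: it assumes historical flow records of the form (timestamp, source, destination, destination port), an internal range of 10.0.0.0/8 and one known command-and-control indicator. All addresses and records are constructed for illustration. Patient zero is the earliest internal host that contacted the indicator; the spread is then retraced forward in time over internal-to-internal connections, counting a hop only when it comes from an already-reached host after that host's own compromise time.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumptions for this example: internal address space and the one known
# indicator (a command-and-control address). Both values are constructed.
INTERNAL_NET = ip_network("10.0.0.0/8")
C2_INDICATOR = "203.0.113.7"

# Constructed historical flow records: (timestamp, source IP, destination IP, destination port).
FLOWS = [
    ("2024-05-01T08:02:11", "10.0.1.20", "10.0.9.5", 445),     # before compromise: not part of the spread
    ("2024-05-01T09:15:42", "10.0.1.20", "203.0.113.7", 443),  # first contact with the indicator
    ("2024-05-01T09:20:03", "10.0.1.20", "10.0.1.33", 445),    # lateral movement from patient zero
    ("2024-05-01T09:21:10", "10.0.1.33", "203.0.113.7", 443),
    ("2024-05-01T09:40:57", "10.0.1.33", "10.0.2.8", 3389),    # second hop
    ("2024-05-01T10:05:00", "10.0.2.8", "203.0.113.7", 443),
    ("2024-05-01T10:10:00", "10.0.7.1", "10.0.1.20", 22),      # inbound to patient zero: not spread
]


def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET


def chronological(flows):
    """Return flows as (datetime, src, dst, port) tuples sorted by time."""
    parsed = [(datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in flows]
    return sorted(parsed, key=lambda f: f[0])


def find_patient_zero(flows, indicator):
    """Earliest internal host that communicated with the indicator, with the time, or None."""
    for ts, src, dst, _ in chronological(flows):
        if dst == indicator and is_internal(src):
            return src, ts
    return None


def hosts_contacting(flows, indicator):
    """Every internal host that talked to the indicator (confirms the reconstructed spread)."""
    return sorted({src for _, src, dst, _ in chronological(flows)
                   if dst == indicator and is_internal(src)})


def retrace_spread(flows, indicator):
    """Walk forward from patient zero over internal-to-internal connections.

    A host counts as reached only through a connection from an already-reached
    host that happened after that host's own compromise time, so earlier,
    unrelated traffic from patient zero is not blamed on the incident.
    """
    first = find_patient_zero(flows, indicator)
    if first is None:
        return None, []
    patient_zero, t0 = first
    reached = {patient_zero: t0}
    timeline = []
    for ts, src, dst, port in chronological(flows):
        if not is_internal(dst) or dst in reached:
            continue
        if src in reached and ts > reached[src]:
            reached[dst] = ts
            timeline.append({"time": ts.isoformat(), "from": src, "to": dst, "port": port})
    return patient_zero, timeline


if __name__ == "__main__":
    pz, hops = retrace_spread(FLOWS, C2_INDICATOR)
    print("patient zero:", pz)
    for hop in hops:
        print(f"{hop['time']}  {hop['from']} -> {hop['to']} (port {hop['port']})")
    print("hosts that contacted the indicator:", hosts_contacting(FLOWS, C2_INDICATOR))
```

The time condition is what separates reconstruction from a plain connection graph: 10.0.1.20 talked to 10.0.9.5 an hour before its first contact with the indicator, so that host is not added to the timeline, while the 10.0.7.1 connection into patient zero is ignored because it comes from a host that was never reached. In practice the flow source would be QRadar's network activity search rather than an inline list.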


Abnormal connection behavior


Scenario

Unusual or illogical connection volume, timing or geography can indicate an attack, whether through rogue services and systems, malware and worm propagation, communication with blacklisted IP addresses, or unauthorized or tunneled services.

Hosts exhibiting infection behaviors must be addressed and remote attackers blocked before they make it into the network. Backscatter must be identified, as must traffic that is allowed from and/or to known blacklisted sources. Ports should be scanned to verify security policies.


Solution

  • Customizes default rules to detect unusual network activity
  • Generates alerts and offenses based on:
    • Clean/quarantine events from a single IP address
    • Existing services that have stopped or crashed
    • A highly valued server that suddenly starts using new applications or communicates with outside assets
    • Multiple firewall drop/reject/deny events and IDS alerts from a single IP address
    • Multiple failed events from a single IP address that is not part of the known internal network
    • Allowed events from an IP address that is not part of the known network and is known to host or use malware
    • Appearance of new hosts and services on the network
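Three of the offense conditions listed above (repeated deny events from one external address, an allowed event from a source on a malware blacklist, and a new internal host appearing), as an added example that is not QRadar code or any vendor's rule. It assumes a key=value firewall log format, a 10.0.0.0/8 internal range, an asset inventory and a blacklist reference set; the log lines, addresses, threshold (5 denies in 2 minutes) and sets are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed environment data (all constructed): internal range, asset inventory
# and a "known malware sources" reference set.
INTERNAL_NET = ip_network("10.0.0.0/8")
KNOWN_INTERNAL_HOSTS = {"10.0.1.20", "10.0.1.33", "10.0.2.8"}
MALWARE_SOURCES = {"203.0.113.7"}
DENY_THRESHOLD = 5             # denies from one external source ...
WINDOW = timedelta(minutes=2)  # ... within this sliding window

# Constructed firewall log lines in a simple key=value format.
FIREWALL_LOG = [
    "2024-05-01T09:15:40 fw01 action=deny src=198.51.100.23 dst=10.0.1.20 dport=22",
    "2024-05-01T09:15:52 fw01 action=deny src=198.51.100.23 dst=10.0.1.20 dport=23",
    "2024-05-01T09:16:05 fw01 action=deny src=198.51.100.23 dst=10.0.1.20 dport=3389",
    "2024-05-01T09:16:10 fw01 action=allow src=203.0.113.7 dst=10.0.1.33 dport=443",
    "2024-05-01T09:16:20 fw01 action=deny src=198.51.100.23 dst=10.0.1.20 dport=445",
    "2024-05-01T09:16:31 fw01 action=deny src=198.51.100.23 dst=10.0.1.20 dport=8080",
    "2024-05-01T09:17:00 fw01 action=allow src=10.0.1.20 dst=10.0.5.77 dport=445",
    "2024-05-01T09:25:00 fw01 action=deny src=198.51.100.23 dst=10.0.1.20 dport=21",
    "2024-05-01T09:30:00 fw01 action=deny src=192.0.2.9 dst=10.0.1.20 dport=23",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<device>\S+) (?P<kv>.+)$")


def parse_event(line):
    """Turn one log line into a dict with a parsed timestamp and the key=value fields."""
    m = LINE_RE.match(line)
    event = dict(pair.split("=", 1) for pair in m.group("kv").split())
    event["ts"] = datetime.fromisoformat(m.group("ts"))
    event["device"] = m.group("device")
    return event


def is_internal(ip):
    return ip_address(ip) in INTERNAL_NET


def evaluate(lines):
    """Run the three rules over the log in time order and return the offenses raised."""
    offenses = []
    deny_windows = defaultdict(deque)   # external source -> timestamps of recent denies
    already_fired = set()               # one offense per source, not one per extra deny
    seen_hosts = set(KNOWN_INTERNAL_HOSTS)
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        ts, src, dst = ev["ts"], ev["src"], ev["dst"]
        when = ts.isoformat()
        # Rule 1: many denies from a single address outside the known network.
        if ev["action"] == "deny" and not is_internal(src):
            window = deny_windows[src]
            window.append(ts)
            while ts - window[0] > WINDOW:       # drop denies that fell out of the window
                window.popleft()
            if len(window) >= DENY_THRESHOLD and src not in already_fired:
                already_fired.add(src)
                offenses.append({"rule": "repeated_denies", "src": src,
                                 "count": len(window), "time": when})
        # Rule 2: traffic allowed from an address on the malware reference set.
        elif ev["action"] == "allow" and src in MALWARE_SOURCES:
            offenses.append({"rule": "allowed_from_blacklisted_source",
                             "src": src, "dst": dst, "time": when})
        # Rule 3: an internal address not present in the asset inventory.
        for ip in (src, dst):
            if is_internal(ip) and ip not in seen_hosts:
                seen_hosts.add(ip)
                offenses.append({"rule": "new_internal_host", "ip": ip, "time": when})
    return offenses


if __name__ == "__main__":
    for offense in evaluate(FIREWALL_LOG):
        print(offense)
```

Two details matter for noise: the deny rule keeps a sliding window per source, so the lone deny at 09:25 from the same address does not re-fire after the earlier ones have aged out, and a single deny from a different address never reaches the threshold. In a SIEM the inventory and blacklist would be reference sets maintained by asset discovery and threat intelligence feeds rather than literals.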


PowerShell


Scenario

With many pre-built scripts available, PowerShell is difficult to detect and has become a tool of choice for conducting fileless malware attacks. It provides unprecedented access to a machine's inner core, including unrestricted access to Windows APIs.

Commands are executed from memory without ever writing to disk and can be used to gather data, steal system information, dump credentials, pivot between systems, create backdoors and more.


Solution

  • Baselines processes to detect anomalous, unusual or malicious processes
  • Enhances Windows security log detection through offenses, rules, building blocks and reference sets, including:
    • PowerShell malicious use
    • Fileless UAC bypass
    • Hidden Windows processes
    • Credential dumping
    • Fileless memory attacks
    • Metasploit PsExec implementation
    • Code obfuscation
    • Privilege escalation
    • Scheduling a task over multiple hosts


DNS attack


Scenario

Many organizations do not monitor their DNS traffic for malicious activity, yet a DNS tunnel can be established by hiding data inside DNS requests, which the destination DNS server reassembles into the original data.

Malicious software uses DNS to exfiltrate data from the company network or to receive commands and updates from a command-and-control server.


Solution

  • Utilizes QNI flows or logs carrying domain information from other devices, including:
    • DNS servers
    • Proxies
    • Apache web servers
    • Other BIND-compatible devices
  • Detects and monitors outbound requests to malicious sites
  • Drills down into DNS trends and activity using the DNS analyzer dashboard
  • Detects DGA, tunneling or squatting domains being accessed from within the network
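The three DNS detections named in the last bullet (tunneling, DGA and squatting domains), as an added example that is not QRadar code or any vendor's analyzer. It assumes DNS query logs with client, query name, query type and response code fields, approximates the registrable domain by the last two labels (no public suffix list lookup), and uses constructed thresholds; every log line, domain and client address is constructed for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Assumed thresholds (constructed for this example; tune them against your own baseline).
TUNNEL_MIN_UNIQUE_SUBDOMAINS = 3   # distinct subdomains under one registered domain
TUNNEL_MIN_AVG_SUBDOMAIN_LEN = 30  # average length of those subdomains
TUNNEL_MIN_ENTROPY = 3.0           # Shannon entropy (bits/char) of the subdomain text
DGA_MIN_NXDOMAIN = 4               # high-entropy NXDOMAIN answers per client
DGA_MIN_LABEL_LEN = 8
PROTECTED_DOMAINS = {"example.com"}  # constructed list of brands to check for squatting

# Constructed DNS query log: legitimate lookups, a lookalike domain, a TXT-based
# tunnel under example.net and a burst of random-looking NXDOMAIN answers.
DNS_LOG = [
    "2024-05-01T09:00:01 dns01 client=10.0.1.20 qname=www.example.com qtype=A rcode=NOERROR",
    "2024-05-01T09:00:05 dns01 client=10.0.1.20 qname=mail.example.com qtype=A rcode=NOERROR",
    "2024-05-01T09:00:09 dns01 client=10.0.1.20 qname=typo.example.com qtype=A rcode=NXDOMAIN",
    "2024-05-01T09:00:12 dns01 client=10.0.1.20 qname=login.examp1e.com qtype=A rcode=NOERROR",
    "2024-05-01T09:01:00 dns01 client=10.0.2.8 qname=mfrggzdfmztwq2lknnwg23tpobyxe43uov3ho6dzpi.0.t.example.net qtype=TXT rcode=NOERROR",
    "2024-05-01T09:01:01 dns01 client=10.0.2.8 qname=nbswy3dpfqqhe33oo5xxk5dllb4xg2ltnfxw44tz.1.t.example.net qtype=TXT rcode=NOERROR",
    "2024-05-01T09:01:02 dns01 client=10.0.2.8 qname=onswg4tfor2cazlyorzgky3uebtgc5lhnf3gkidb.2.t.example.net qtype=TXT rcode=NOERROR",
    "2024-05-01T09:01:03 dns01 client=10.0.2.8 qname=pfxgc5dboj4gk2lnmfxwixjaonuwo3tbor2xezlt.3.t.example.net qtype=TXT rcode=NOERROR",
    "2024-05-01T09:02:00 dns01 client=10.0.1.33 qname=qzk3j9wlxp.example qtype=A rcode=NXDOMAIN",
    "2024-05-01T09:02:01 dns01 client=10.0.1.33 qname=v7bt2mnqwr.example qtype=A rcode=NXDOMAIN",
    "2024-05-01T09:02:02 dns01 client=10.0.1.33 qname=hd5yc8gfzs.example qtype=A rcode=NXDOMAIN",
    "2024-05-01T09:02:03 dns01 client=10.0.1.33 qname=xt4rqp9lmv.example qtype=A rcode=NXDOMAIN",
    "2024-05-01T09:02:04 dns01 client=10.0.1.33 qname=kn2wjz7bxy.example qtype=A rcode=NXDOMAIN",
]

LINE_RE = re.compile(r"client=(\S+) qname=(\S+) qtype=(\S+) rcode=(\S+)")


def parse(line):
    client, qname, qtype, rcode = LINE_RE.search(line).groups()
    return client, qname.lower().rstrip("."), qtype, rcode


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels (assumption: no PSL)."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(text):
    """Bits per character; random-looking labels score high, dictionary words low."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def levenshtein(a, b):
    """Edit distance, used to catch lookalike (squatting) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(lines):
    subdomains = defaultdict(list)   # registered domain -> subdomain strings seen
    nxdomain_by_client = Counter()   # client -> count of high-entropy NXDOMAIN answers
    squatting, seen = [], set()
    for client, qname, qtype, rcode in map(parse, lines):
        reg = registered_domain(qname)
        subdomains[reg].append(qname[: -len(reg)].rstrip("."))
        label = reg.split(".")[0]
        # DGA heuristic: many NXDOMAIN answers for long, high-entropy registered labels.
        if rcode == "NXDOMAIN" and len(label) >= DGA_MIN_LABEL_LEN \
                and shannon_entropy(label) >= TUNNEL_MIN_ENTROPY:
            nxdomain_by_client[client] += 1
        # Squatting heuristic: registered domain one edit away from a protected brand.
        if reg not in seen:
            seen.add(reg)
            squatting += [(reg, b) for b in PROTECTED_DOMAINS if reg != b and levenshtein(reg, b) <= 1]
    # Tunneling heuristic: many distinct, long, high-entropy subdomains under one domain.
    tunneling = []
    for reg, subs in subdomains.items():
        unique = {s for s in subs if s}
        if len(unique) < TUNNEL_MIN_UNIQUE_SUBDOMAINS:
            continue
        avg_len = sum(map(len, unique)) / len(unique)
        entropy = shannon_entropy("".join(unique).replace(".", ""))
        if avg_len >= TUNNEL_MIN_AVG_SUBDOMAIN_LEN and entropy >= TUNNEL_MIN_ENTROPY:
            tunneling.append(reg)
    return {"tunneling": sorted(tunneling),
            "dga_clients": {c: n for c, n in nxdomain_by_client.items() if n >= DGA_MIN_NXDOMAIN},
            "squatting": squatting}


if __name__ == "__main__":
    print(analyze(DNS_LOG))
```

The legitimate traffic shows why the conditions are combined: example.com also has three distinct subdomains, but their average length is four characters, so it is not reported as a tunnel, and the benign NXDOMAIN for typo.example.com is not counted toward the DGA score because its registered label is short and low-entropy. A production version would read the query stream from QNI flows or the DNS server logs listed above and feed the three findings into offenses.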