By Chris Thomas and Mike Sconzo
In the Black Hat Asia NOC we worked to ensure the wireless network was available for presenters and attendees. As part of our monitoring, we kept an eye open for any malware present on the network. RSA NetWitness® Suite's Malware Detection capabilities look for network sessions containing file types typically associated with malware delivery and extract those files for analysis. During the conference, the system alerted on possible unknown malware. This particular alert triggers when our own analysis methods return a very high score while Community-based analysis returns a very low score, indicating that there are no antivirus (AV) signatures and no community knowledge of the file (Figure 1).
Figure 1 Malware dashboard with alerts
The Analysis summary reveals that the top indicators are from our Sandbox analysis (Figure 2). RSA NetWitness partners with Cisco AMP Threat Grid for sandbox analysis.
Figure 2 Top indicators from sandbox analysis
RSA NetWitness Network Session analysis shows indicators for the delivery of the file with some Warning and Suspicious level alerts (Figure 3).
Figure 3 Network Session analysis results
The sandbox analysis from Cisco AMP Threat Grid also displays what the file did as it ran, with a number of high confidence indicators (Figure 4).
Figure 4 Cisco AMP Threat Grid analysis
To obtain more insight into the actions the executed sample took, we pivot across to the Cisco AMP Threat Grid portal for their detailed analysis, which shows a breakdown of their Behavioral Indicators and Network Indicators (Jessica Bair from Cisco AMP Threat Grid has written more about the detection from Cisco's perspective in her blog post). This detailed analysis also reveals the domains and IP addresses used for check-in and Command and Control (C2) (Figure 5).
Figure 5 Cisco AMP Threat Grid domains and IP addresses
To determine whether the sample had infected any systems on the Black Hat Asia network, we fed these network indicators back into RSA NetWitness and looked for C2 traffic. By querying network sessions for the hostnames and IP addresses taken from the Cisco AMP Threat Grid portal, we verified that no host on the Black Hat Asia wireless network reached out to the C2 server (Figure 6). An empty result of this kind shows only that those specific indicators were not contacted during the monitored period; a victim that never ran the file, or that was off the network when it would have checked in, would not appear.
Figure 6 RSA NetWitness network traffic query
In addition to ad-hoc queries for indicators, RSA NetWitness also ingests threat intelligence from various sources. We currently support CSV- and STIX-formatted data (TAXII support will be available in RSA NetWitness Suite version 11.0 later this year). Not only can you keep track of when these indicators appear in your environment, but you can also attach context about the intelligence source to each indicator, which lets you make appropriate response decisions when one fires (Figure 7).
Figure 7 RSA NetWitness threat intelligence display
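The two steps above, sweeping sessions for the sandbox-derived C2 indicators and then enriching the same sweep with a feed that carries source context, can be reproduced offline. The following is an added example written for this post; it is not RSA NetWitness or Cisco AMP Threat Grid code, and it uses no NetWitness API. The STIX 2.1 bundle, the CSV feed, and the session records are all constructed here with documentation-range addresses and example domains; the session fields are named after NetWitness-style meta keys (ip.dst, alias.host) purely as labels.

```python
"""Added example, not RSA NetWitness or Cisco code: load indicators from a STIX 2.1
bundle and a CSV feed, index them with their source context, and sweep network
session records for hits.  Every data value below is constructed for the example."""
import csv
import io
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    kind: str          # "domain" or "ip"
    value: str         # normalised: lower-case domain without trailing dot, or dotted-quad IP
    source: str        # which feed supplied it (the context an analyst wants on a hit)
    confidence: int    # 0-100 as carried by the feed
    description: str


# STIX cyber-observable paths we know how to sweep for, mapped to Indicator.kind.
_STIX_KIND = {"domain-name": "domain", "ipv4-addr": "ip"}
# Pulls each "<object>:value = '<literal>'" comparison out of a STIX pattern string.
_STIX_COMPARISON = re.compile(r"(domain-name|ipv4-addr):value\s*=\s*'([^']+)'")


def normalise(kind, value):
    v = value.strip()
    return v.lower().rstrip(".") if kind == "domain" else v


def parse_stix_indicators(bundle_json, source="sandbox-stix"):
    """One Indicator per comparison in every STIX indicator object's pattern (OR-joined too)."""
    out = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        for observable, literal in _STIX_COMPARISON.findall(obj["pattern"]):
            kind = _STIX_KIND[observable]
            out.append(Indicator(kind, normalise(kind, literal), source,
                                 int(obj.get("confidence", 50)), obj.get("name", "")))
    return out


def parse_csv_indicators(text):
    """Rows: indicator,type,source,confidence,description (constructed feed layout)."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        kind = row["type"].strip().lower()
        if kind not in ("domain", "ip"):
            continue  # unsupported indicator types are ignored rather than guessed at
        out.append(Indicator(kind, normalise(kind, row["indicator"]), row["source"].strip(),
                             int(row["confidence"]), row["description"].strip()))
    return out


def build_index(indicators):
    """Key on (kind, value); when two feeds carry the same IOC keep the higher confidence."""
    index = {}
    for ind in indicators:
        key = (ind.kind, ind.value)
        if key not in index or ind.confidence > index[key].confidence:
            index[key] = ind
    return index


def sweep(sessions, index):
    """Return one hit per session field that matches an indexed indicator, with its context."""
    hits = []
    for s in sessions:
        for kind, raw in (("ip", s.get("ip.dst", "")), ("domain", s.get("alias.host", ""))):
            if not raw:
                continue
            ind = index.get((kind, normalise(kind, raw)))
            if ind is not None:
                hits.append({"session_id": s["session_id"], "kind": kind, "indicator": ind.value,
                             "source": ind.source, "confidence": ind.confidence,
                             "description": ind.description})
    return hits


# Constructed STIX 2.1 bundle standing in for the sandbox's check-in/C2 indicators.
STIX_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2017-03-30T00:00:00.000Z", "modified": "2017-03-30T00:00:00.000Z",
         "name": "Sandbox check-in domain", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'checkin.example.net']",
         "valid_from": "2017-03-30T00:00:00Z", "confidence": 85},
        {"type": "indicator", "spec_version": "2.1", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2017-03-30T00:00:00.000Z", "modified": "2017-03-30T00:00:00.000Z",
         "name": "Sandbox C2 addresses", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.45' OR ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2017-03-30T00:00:00Z", "confidence": 70}]})

# Constructed CSV feed carrying source context per indicator.
CSV_FEED = """indicator,type,source,confidence,description
phish.example.org,domain,community-feed,40,Credential phishing kit host
192.0.2.10,ip,partner-feed,90,Reported C2 address
"""

# Constructed session records; keys mimic NetWitness meta names only as labels.
SESSIONS = [
    {"session_id": 1, "ip.src": "10.20.30.5", "ip.dst": "93.184.216.34", "alias.host": "www.example.com"},
    {"session_id": 2, "ip.src": "10.20.30.8", "ip.dst": "192.0.2.10", "alias.host": ""},
    {"session_id": 3, "ip.src": "10.20.30.9", "ip.dst": "198.51.100.200", "alias.host": "Phish.example.org."},
]


def sandbox_only_hits():
    return sweep(SESSIONS, build_index(parse_stix_indicators(STIX_BUNDLE)))


def enriched_hits():
    return sweep(SESSIONS, build_index(parse_stix_indicators(STIX_BUNDLE) + parse_csv_indicators(CSV_FEED)))


if __name__ == "__main__":
    print("sandbox IOCs only:", sandbox_only_hits())
    for h in enriched_hits():
        print(f"session {h['session_id']}: {h['kind']} {h['indicator']} "
              f"[{h['source']}, confidence {h['confidence']}] {h['description']}")
```

The first sweep, against the sandbox indicators alone, returns nothing, which is the "no C2 traffic seen" outcome of Figure 6. The second sweep adds the CSV feed and shows why the source context matters: a low-confidence community entry and a high-confidence partner entry both fire, and the analyst can prioritise on the confidence and description carried with each hit rather than on the bare indicator. Normalising case and trailing dots on hostnames before lookup avoids missing a match on a differently-cased or fully-qualified name in the session metadata.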
By making threat hunting easier, and by feeding the output of that analysis (intelligence) back into the product for ongoing detection, customers can level up their operational maturity. This entails a combination of the right features to highlight suspicious behavior, a workflow that lets analysts dive deeper, and ingestion of standard data formats to aid detection and provide context.
Our time in the Black Hat NOC is always a great experience. It allows us to get additional exposure in a live environment and make sure our products are delivering value both internally and externally (both to the NOC and our partners). It's even better when we're able to leverage our products and our ecosystem to hunt for interesting and malicious behavior, understand the root cause of that behavior, and follow up by adding the IOCs so we can find that behavior again in the future.
Author: Chris Thomas
Category: RSA Fundamentals
Keywords: Black Hat Asia, Indicators, Malware, Network, NOC, RSA NetWitness Endpoint, Sandbox, SOC