Core CSP 7.1 User Guide - hstechdocs.helpsystems.com

Date post: 09-Apr-2022

Copyright Terms and Conditions

The content in this document is protected by the Copyright Laws of the United States of America and other countries worldwide. The unauthorized use and/or duplication of this material without express and written permission from HelpSystems is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to HelpSystems with appropriate and specific direction to the original content. HelpSystems and its trademarks are properties of the HelpSystems group of companies. All other marks are property of their respective owners.

 

202009020412

Table of Contents

Overview 1

Dashboard Management Console 3
  Widgets 4
  Widget Setup 4
  Widget Details 5

Threats 15
  Methodology 15
  Threats Database 15

Reports 19
  Executive Report 19
  Health Check Report 20
  Threat Trends Report 20
  Raw Data Reports 21

Diagnostics 23
  Audit Log 24
  Bandwidth 25
  Connected Clients 26
  Packet Loss 26
  Temporary Files 27
  Requests 27
  Visibility 27

Setup 29
  ArcSight 29
  Categories 31
  Cloud 31
  Custom Threats 33
  License 33
  LDAP 35
  Open Access 36
  Radius 37
  Password Policies 37
  PerfTech 38
  Sensors 40
  Servers 40
  Syslog 42
  Termination 43
  Threat_Updates 44
  User Interface 45
  Users 45
  Visibility 47
  Whitelists 48

Index 51

Glossary 52

Overview

Core CSP identifies malicious activity originating from subscriber devices on the CSP network, including PC, tablet or mobile devices. Core CSP sits out-of-band inside the service provider's network and monitors DNS requests from the subscriber's IP address, identifying which subscribers are infected with advanced malware.

Core CSP passively monitors extremely large networks. Working out-of-line inside a service provider’s network, Core CSP won’t impede network performance and is undetectable by the criminal entities trying to evade detection.

The MC's primary interface is accessed via a web browser. Supported web browsers include:

- Internet Explorer 11

- Firefox (version 31 and above)

Dashboard Management Console

Core Security's Core CSP Management Console (MC), also called the Dashboard, provides visibility into Core CSP findings, including evidence gathered, threat and asset status, as well as ongoing trends within a subscriber network by processing information obtained from Sensors monitoring mirrored traffic.

From the CSP Dashboard, actionable intelligence is available for further analysis.

The Dashboard is designed to be the primary user screen within Core CSP.

Dashboard elements are user-persistent. When new user accounts are created, the MC populates various default graphs and reports. However, any changes performed by a user are saved to the user’s account and are available upon subsequent logins.

Current User

The Dashboard is easily modified through the use of drag-and-drop widgets. Dashboard modifications are user-specific. The current user account is displayed on the upper right corner of the Display; changes made to the Dashboard are saved to this account.

Objects listed in the Widget Dashboard may be added to the Main Display, which may extend various pages in length; scroll bars allow access to subsequent pages.

Dashboard Management Console / Widgets

Widgets

Widgets are pre-packaged objects located in the Management Console's Dashboard, designed to allow close to real-time generation of reports, behaviors and data related to assets and their communication patterns within your network.

Widgets are a way to customize a web page’s displayed data. Widgets are graphical objects designed to be dragged-and-dropped within the dashboard. They contain some user-configurable options, but for the most part, are “as-is” report/display items.

They are persistent to the user; widgets may be added multiple times into a user's Dashboard, to allow quick views of the same data, possibly with emphasis on different elements (at a user's discretion).

The screen below displays the Dashboard widget design.

Widget Setup

The Core CSP Dashboard can be customized through the use of drag-and-drop Widgets.

Widgets are the graphs, charts, and tables that display findings from the Core CSP system.

Widgets may be added more than once to the Main Display. Information available in a widget may be sorted in various ways to correlate data by adding multiple instances of a widget.

Data in a removed widget is unaffected by the widget’s removal.

Customization is user-account specific.

- Dashboard widgets display by default at login and from the Dashboard tab.

- Additional widgets are available from the Add a New Widget scrolling window at the bottom of the Dashboard page.

Widget Layout:

Widget Tools: Widgets are managed with the following tools:

- Move widgets within the Dashboard using the Move icon.

- Edit the widget title and date ranges using the Edit icon.

- Remove widgets using the Remove icon.

Widget Details

The widgets listed below comprise the main Dashboard display.


Each is reviewed in the following sections:

Connections by Threat

The Connections by Threat widget graphs the number of DNS lookups per threat per day.

Destination Domain By Country

The Countries widget displays the number of malicious DNS queries by destination.

Infected Mobile Subscribers Over Time

The Infected Mobile Subscribers Over Time widget graphs the number of mobile subscribers that were actively infected on each day during an adjustable time interval.

Infected Subscribers Over Time

The Infected Subscribers Over Time widget graphs the number of subscribers that are infected on each day during an adjustable time interval.

Infections by Threat

The Infections by Threat widget graphs the number of infections per threat per day.

Internal vs External DNS Usage

The Internal vs External DNS Usage widget shows the percentage of clients querying internal and external DNS servers.

MSRT Threats

The MSRT Threats (Malicious Software Removal Toolkit) widget displays the count of infected subscribers broken down by MSRT Threat.

Malicious Mobile Queries Detected

The Malicious Mobile Queries Detected widget shows the number of malicious mobile DNS queries over the past 24 hours.

Malicious Queries Detected

The Malicious Queries Detected widget displays the number of malicious DNS queries over the past 24 hours.

Mobile Threats by Name

The Mobile Threats by Name widget shows the count of infected mobile subscribers broken down by Damballa Threat.

Threat Intents

The Threat Intents widget displays the count of infected subscribers broken down by Threat Intent.

Threats by Industry Name

The Threats by Industry Name widget displays a count of infected subscribers broken down by industry name.

Threats by Name

The Threats by Name widget displays the count of infected subscribers broken down by threat.

Top 10 Threats by Severity

The Top 10 Threats by Severity widget displays the top 10 most active threats by severity.

Top DNS Domains

The Top DNS Domains widget displays the number of malicious queries by domain.

Total Infected Subscribers

The Total Infected Subscribers widget displays the number of infected subscribers.

Total Infections Detected

The Total Infections Detected widget displays a count of the total number of infections detected within the last 24 hours.

Unique Threats Discovered

The Unique Threats Discovered widget displays a count of unique threats detected on the network.
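The widget descriptions above all reduce to a few aggregations over DNS evidence records: lookups per threat per day, distinct infected subscribers per day, and a rolling 24-hour count. The following is an added example (not Core CSP's own widget code) showing those aggregations over constructed records; the record layout (ts, subscriber, threat, domain) and the sample data are assumptions of this example. The difference between counting lookups (Connections by Threat) and counting distinct subscribers (Infections by Threat) is the point worth seeing in code.

```python
"""Added example, not Core CSP's own widget code: derives the figures that
"Connections by Threat", "Infections by Threat", "Infected Subscribers Over
Time", "Malicious Queries Detected" and "Top DNS Domains" describe from a set
of DNS evidence records. The record layout and the sample records are
constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample evidence: one record per malicious DNS lookup observed by a
# Sensor. Field names are an assumption of this example, not the product schema.
SAMPLE_EVIDENCE = [
    {"ts": "2020-09-01T08:15:00Z", "subscriber": "10.0.0.5", "threat": "ThreatA", "domain": "cnc-a.example"},
    {"ts": "2020-09-01T09:40:00Z", "subscriber": "10.0.0.5", "threat": "ThreatA", "domain": "cnc-a.example"},
    {"ts": "2020-09-01T11:02:00Z", "subscriber": "10.0.0.9", "threat": "ThreatB", "domain": "cnc-b.example"},
    {"ts": "2020-09-02T03:30:00Z", "subscriber": "10.0.0.5", "threat": "ThreatA", "domain": "cnc-a.example"},
    {"ts": "2020-09-02T04:10:00Z", "subscriber": "10.0.0.7", "threat": "ThreatB", "domain": "cnc-b.example"},
    {"ts": "2020-09-02T04:12:00Z", "subscriber": "10.0.0.7", "threat": "ThreatB", "domain": "cnc-b.example"},
]


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _day(record):
    return parse_ts(record["ts"]).date().isoformat()


def connections_by_threat(records):
    """Connections by Threat: number of DNS lookups per (day, threat).
    Every lookup counts, so one noisy subscriber inflates this figure."""
    counts = defaultdict(int)
    for r in records:
        counts[(_day(r), r["threat"])] += 1
    return dict(counts)


def infections_by_threat(records):
    """Infections by Threat: distinct infected subscribers per (day, threat).
    A subscriber counts once per day however many lookups it made."""
    subs = defaultdict(set)
    for r in records:
        subs[(_day(r), r["threat"])].add(r["subscriber"])
    return {key: len(s) for key, s in subs.items()}


def infected_subscribers_over_time(records):
    """Infected Subscribers Over Time: distinct infected subscribers per day."""
    subs = defaultdict(set)
    for r in records:
        subs[_day(r)].add(r["subscriber"])
    return {day: len(s) for day, s in subs.items()}


def malicious_queries_last_24h(records, now):
    """Malicious Queries Detected: lookups in the 24 hours ending at `now`."""
    cutoff = now - timedelta(hours=24)
    return sum(1 for r in records if cutoff < parse_ts(r["ts"]) <= now)


def top_dns_domains(records, limit=10):
    """Top DNS Domains: malicious queries per domain, most queried first."""
    counts = defaultdict(int)
    for r in records:
        counts[r["domain"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    print(connections_by_threat(SAMPLE_EVIDENCE))
    print(infections_by_threat(SAMPLE_EVIDENCE))
    print(infected_subscribers_over_time(SAMPLE_EVIDENCE))
    print(malicious_queries_last_24h(SAMPLE_EVIDENCE, parse_ts("2020-09-02T09:00:00Z")))
    print(top_dns_domains(SAMPLE_EVIDENCE))
```

On the sample data, subscriber 10.0.0.7 makes two ThreatB lookups on 2020-09-02: Connections by Threat reports 2 for that day and threat, Infections by Threat reports 1.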


Threats

Core Security actively identifies and classifies threats on a minute-by-minute basis, using threat behavior profiles to associate newly observed threat behavior with known threats (i.e., to identify a threat as a variant of known threats) or to identify (and name) the threat as previously unseen.

The Threats menu is a search-enabled local repository of threat information, updated periodically by Core Security via Threat Updates (provided by dhq.damballa.com). Users can search for any characteristic of a threat and its associated malware. The default Threat page is a report on threats added and updated within the past 30 days.

Methodology

Operator Names assigned by Damballa Research are randomly generated names for known and unknown threat actors. Malware threats are often identified by Core CSP and Damballa Research well in advance of the security industry at large. Damballa Research initially identifies a threat actor via the "three-unique-word-combination" naming convention, and performs an in-depth analysis to corroborate the observed threat traits with those of known threat actors. If a match is found (and the malware is found to be a variant of a known threat), the threat is then tagged with the commonly known Industry Name used by threat security vendors. Otherwise, newly discovered (and previously unseen) threats are identified only by the Operator Name.

Threats Database

Each threat in the Core CSP Threat Database lists the Threat name followed by the Industry name in the header above the Criminal Operation Summary.

Search

The Threat search field is used to sort the Threat Database by Threat Actor or Industry name.


Criminal Operation Summary

The Criminal Operation Summary includes the following fields:

Global Severity: A score in the range of 1-100, assigned by Damballa Labs, representing a grading of "maliciousness" (comprising a threat's propagation abilities, the amount of data loss associated with it, or general asset inoperability attributed to the threat, among the parameters tracked) as seen globally. This score cannot be altered via the MC, though local behavior can eventually affect this score if local behavior is shared with Damballa.

First Operational Globally: A date representing when a threat was first detected globally, by the industry at large.

Most Recent Update: A date representing the last time the threat’s information was updated. This field may denote a varying period of time between updates; this is normal for widely known threats, where behaviors and descriptions are well known within the security industry at large.


Description

Threat behaviors: describes how the threat operates.

Observed traits: characteristics of the threat activity.

Capabilities: describes the extent of the threat's malicious activity.


Reports

The compiled reports within CSP summarize network infections, device status, and infection trends.

The Report categories include:

Executive Report - Overview of the infection activity in your network over the last month. This includes infection rates, top threat behavior, and top infected assets by category.

Health Check Report - Verifies all Core CSP devices are performing optimally. This includes features at a glance, sensor bandwidth, and busiest interfaces.

Threat Trends Report - Identifies threats and compares activity for current and previous month.

Executive Report

An overview of network infections over the last 30 days.


Health Check Report

Verifies all CSP devices are performing optimally.

Threat Trends Report

Evaluates your deployment's subscriber infection trends over the current and previous month.


Raw Data Reports

The raw data reports in CSP include .json and .csv files summarizing infection details.


Diagnostics

Diagnostics provide a comprehensive view of the network and system. They provide information pertaining to the MC and Sensors currently deployed in the environment, and the interactions these devices have with your network.

The Diagnostic menu's interface is divided into the following sections (select the hyperlinks for more detailed information pertaining to the displayed information):


- Audit Log on page 24: A listing of user login information.

- Bandwidth on page 25: A summary overview of the network bandwidth seen by the Sensors.

- Connected Clients on page 26: Summary graph.

- Packet Loss on page 26: An overview of overall data loss due to possible network issues.

- Temporary Files on page 27: Available to download command-line generated files, i.e., PCAP files.

- Requests on page 27: A breakdown of overall DNS requests displayed as requests/second, as initiated by the connected clients within the network.

- Visibility on page 47: An overview of device visibility within the network.

Audit Log

The Audit Log identifies system activity including timestamp, user information (IP address of the individual accessing the system, or local access), and actions performed (also accessible via the CLI). The Audit Log is retained for 30 days.

To view Audit Log entries:

1. Enter filter text in the field provided.

2. Click Filter.

3. OPTIONAL: to enter advanced filter data, click show advanced filters and enter additional filter data.

Bandwidth

The Bandwidth graphs show the sensor traffic for the past 24 hours.


Connected Clients

The Connected Clients graphs show DNS clients connected in the network for the past year. Discrepancies in these statistics may indicate outbreak activity in the network.

Packet Loss

The Packet Loss graphs show percentages of packet loss over time. High packet loss counts may indicate a variety of network problems.


Temporary Files

Temporary files stored in CSP are available for download from the MC or Sensor. These files are distributed and must be under 1 MB, with no special characters in file names, and they cannot be stored in a /tmp sub-directory.

Requests

The Requests graphs show the number of DNS requests per minute over the past 24 hours for each sensor.

Visibility

Visibility refers to a Sensor's ability to inspect network traffic of interest, including DNS traffic. Improper placement of the Sensor and/or mirroring of incorrect network traffic streams blocks Visibility and hinders Core CSP's ability to determine if endpoints are infected.


Setup

The administration of Core CSP is the central repository for the MC and Sensor configuration settings. The Setup menu is used to configure system and integration settings.

Available settings are detailed in the following sections:

ArcSight

ArcSight provides CEF events when Core CSP identifies evidence of a Subscriber IP making a DNS query for a C&C Domain (DNS Query). Events include other relevant information such as information on the threat and forensic information captured by Core CSP.

Integration with HP ArcSight ESM is enabled under the Setup menu in the MC. Connectivity from the MC to HP ArcSight ESM is established using UDP Port 514. Information exported to ArcSight is formatted using the Common Event Format (CEF), described in the CEF format section of this chapter.


To configure ArcSight, enter the following ArcSight Server settings:

 1. Destination Hostname: IP address or hostname to where notifications are sent.

 2. Source Port: Port number used to send notifications.

 3. Destination Port: Port number of the ArcSight Receiver used to receive notifications.

 4. Notification Interval: Time period for CSP to summarize activity and send it.

NOTE: Integration Notification Interval is globally shared among all integrations.

Enter the following Notification Filtering settings.

 1. Select the checkbox to Filter notifications that Damballa CSP generates by threat.

 2. Enter threats (one per line) in the text box provided.

 3. Select the MSRT Threats checkbox.

 4. Click Save.

Categories

 

Cloud

The Cloud Settings option allows the MC to use Damballa's Cloud Intelligence to bolster the Local Intelligence resident on the MC with Global Intelligence gathered by Damballa Research (DHQ). The cloud-based services available are:

- Damballa Support Access - Allows support access for remote diagnostics.

- Automatic Threat Updates - Allows threat updates in the subscriber database.

- Data Sharing - Allows access to Damballa Labs for optimal detection.

NOTE: Data is encrypted locally on Core CSP prior to submission to the Cloud and does not track requestor identification.

Select the check boxes corresponding to a service to opt in, then click Save.


Custom Threats


License

The License can be updated by Core Security through the Licensing screen.

To upload a license:

1. Click Browse.

2. Select the file.

3. Click Save.


LDAP

 


Open Access

 


Radius

 

Password Policies

The Password Policies include options to set up security parameters.


Enter preferred strength and expiration policies, then click Save.

PerfTech

PerfTech Integration settings are used to configure threat notifications. PerfTech is used by ISPs to alert the end user (subscriber) of the botnets they may have, using in-browser notifications. When Core CSP detects a malicious lookup, a detection alert is sent to PerfTech. PerfTech then injects an in-browser notification to the end user.


To set up PerfTech:

1. Enter the Destination Hostname: the hostname of the PerfTech device.

2. Integration Notification Interval: interval at which alerts are sent to PerfTech (minimum 5 minutes, no maximum).

3. Subscriber Notification Interval: interval between alerts delivered to the subscriber/end user (in hours; minimum 1 hour, no maximum).

4. Subscriber CIDRs to notify: CIDR range; the default should be 0.0.0.0/0.

The CIDR ranges entered here restrict PerfTech notifications to subscribers within the identified CIDR range(s). The default CIDR of 0.0.0.0/0 alerts on ALL subscriber IP addresses on the network.

Enter the following Notification Filtering settings:

5. Select the checkbox to Filter notifications that Core CSP generates by threat.

6. Enter threats (one per line) in the text box provided.

7. Select the MSRT Threats checkbox.

8. Click Save.

Sensors

The Sensors screen is used to authorize sensors for submitting evidence to Core CSP. Authorizing a sensor enables it to send suspicious or malicious traffic to the MC.

To authorize sensors:

1. Click Authorize to grant permission for a specified sensor to submit evidence.

2. Click Decline if the sensor is not recognized or not yet ready.

3. Click Deauthorize to terminate evidence submission from specified Sensors, if necessary.

Servers

The Servers screen is used to configure Proxy, SMTP, and NTP server settings.

To configure servers:

1. Enter Proxy settings:

   Hostname - IP address or hostname of the proxy server used to access DHQ and the Bastion VPN.

   Port - Port of the proxy server used to access DHQ and the Bastion VPN.

   Username - Username for the proxy used to communicate with the Bastion VPN.

   Password - Password for the proxy used to communicate with the Bastion VPN.

   Auth Type - Name of the authentication mechanism when connecting to the Bastion VPN through a proxy: Basic or NTLM.

2. Enter SMTP settings:

   Hostname - Mail server used to send and receive messages from the MC.

   Port - Port used for mail delivery.

   HELO Name - FQDN identifier the MC uses to identify itself to the SMTP server.

   Authentication - Method of authentication on the SMTP server: None, Plain, Login, or MD5.

   Username - Username for SMTP authentication.

   Password - Password for SMTP authentication.

   Auth Type - Name of the authentication mechanism when connecting to the Bastion VPN through a proxy: Basic or NTLM.

3. Enter the NTP server name used by the system.

4. Click Save.

Syslog

The Syslog screen includes settings for alerts.

To set up Syslog Integration:

1. Select the checkbox to Allow Damballa CSP to publish alerts to Syslog.

2. Enter a Destination Hostname.

3. Select the Send Header checkbox to publish Syslog header information to the Syslog server.

4. Select a Syslog Facility from the drop-down menu.

5. Select a severity level from the Alert Severity drop-down menu.

6. Enter a Source Port from which data is delivered.

7. Enter a Destination Port to send data to the Syslog device.

8. Click Save.
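Both the ArcSight integration (CEF over UDP 514) and the Syslog integration above deliver alerts as syslog messages, where the Syslog Facility and Alert Severity chosen in the UI end up encoded in the `<PRI>` prefix and the Send Header option controls whether a syslog header precedes the payload. The following is an added example (not Core CSP's own code, and not the product's documented event layout) of what a receiver on the collecting side needs to do with such a message: recover facility and severity from PRI, tolerate the header being present or absent, and parse the CEF header and extension fields with their `\|` and `\=` escapes. The sample lines, signature ID and extension keys are constructed for illustration.

```python
"""Added example, not Core CSP's own code: parse a syslog-framed CEF event of
the kind an ArcSight/Syslog receiver gets on UDP 514. Recovers facility and
severity from the <PRI> prefix and splits the CEF header and extension fields.
The sample lines, signature ID and extension keys are constructed; they are
not the product's documented event layout."""
import re

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")
FACILITY_NAMES = {0: "kern", 1: "user", 3: "daemon", 4: "auth", 5: "syslog", 10: "authpriv"}
FACILITY_NAMES.update({16 + i: f"local{i}" for i in range(8)})

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")
_PRI_RE = re.compile(r"^<(\d{1,3})>")
_EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")

# Constructed samples: one with a syslog header ("Send Header" on), one without.
SAMPLE_WITH_HEADER = (
    "<134>Sep  2 04:12:00 csp-mc "
    "CEF:0|Core Security|Core CSP|7.1|100|DNS Query|8|"
    "src=10.0.0.7 dhost=cnc-b.example cs1Label=Threat cs1=ThreatB msg=DNS query for C&C domain"
)
SAMPLE_NO_HEADER = "<134>CEF:0|Core Security|Core CSP|7.1|100|Escaped \\| Name|8|src=10.0.0.9 msg=a\\=b"


def _split_cef_header(text):
    """Split the seven '|'-delimited header fields, honouring '\\|' and '\\\\'
    escapes, and return (fields, extension_text)."""
    fields, cur, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):      # escaped character: keep it literally
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
            i += 1
            if len(fields) == len(CEF_HEADER_FIELDS):
                return fields, text[i:]
            continue
        cur.append(ch)
        i += 1
    raise ValueError("malformed CEF header: fewer than 7 fields")


def _parse_extension(ext):
    """Parse 'key=value key2=value with spaces' pairs. Values may contain
    spaces; '\\=' inside a value is an escaped '='."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    out = {}
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return out


def parse_syslog_cef(line):
    """Return facility/severity, the syslog header (possibly empty) and the CEF fields."""
    pri_match = _PRI_RE.match(line)
    if not pri_match:
        raise ValueError("missing syslog <PRI>")
    pri = int(pri_match.group(1))
    cef_at = line.find("CEF:", pri_match.end())
    if cef_at < 0:
        raise ValueError("no CEF payload")
    fields, ext = _split_cef_header(line[cef_at:])
    cef = dict(zip(CEF_HEADER_FIELDS, fields))
    cef["cef_version"] = cef["cef_version"][len("CEF:"):]
    cef["extension"] = _parse_extension(ext)
    return {
        "facility": pri // 8,
        "facility_name": FACILITY_NAMES.get(pri // 8, str(pri // 8)),
        "severity": pri % 8,
        "severity_name": SEVERITY_NAMES[pri % 8],
        "syslog_header": line[pri_match.end():cef_at].strip(),
        "cef": cef,
    }


def triage_summary(event):
    """The fields an analyst acts on first: subscriber IP, queried domain, threat."""
    ext = event["cef"]["extension"]
    return (ext.get("src"), ext.get("dhost"), ext.get("cs1"))


if __name__ == "__main__":
    for line in (SAMPLE_WITH_HEADER, SAMPLE_NO_HEADER):
        ev = parse_syslog_cef(line)
        print(ev["facility_name"], ev["severity_name"], ev["cef"]["name"], triage_summary(ev))
```

PRI 134 in the samples decodes to facility 16 (local0) and severity 6 (info); a receiver that filters on the Alert Severity chosen in the UI should compare against that decoded severity rather than the CEF header's own severity field, which is a separate vendor-assigned value.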

Termination

The Termination screen is used to terminate malicious communications initiated by infected assets attempting to communicate with C&C entities. This traffic is terminated based on CIDR specifications and threat parameters, including MSRT and/or selected threats.

To set up Termination:

1. From the Setup menu, select Termination.

2. Select the checkbox to Allow Damballa CSP to terminate malicious traffic in your network.

3. Specify network address ranges to terminate in the text box provided.

4. Enter network address ranges to never terminate within specified CIDRs in the text box provided.

5. Enter threats to selectively terminate in the text box provided.

6. Select the checkbox to selectively terminate the manually entered threats.

7. Select the checkbox to terminate MSRT threats, if necessary.

8. Click Save.

9. Log into DShell to set up termination routes.

10. Enter: cd /config/global/termination/

11. Set the value enable_dns to true.

NOTE: This is identical to enabling "Allow Damballa CSP to terminate malicious traffic in your network" in the UI.

12. Add termination routes (term_route).

There is no limit to the number of termination routes, but termination packets are only sent to IPs that match a term_route CIDR:

Example: > ip term_route add eth1 0.0.0.0/0 192.168.1.1

NOTE: Termination packets are only sent to valid gateways (unless ARP requests are spoofed for non-existent gateways).
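Two screens on this page scope their action by CIDR: PerfTech's "Subscriber CIDRs to notify" (default 0.0.0.0/0, i.e. every subscriber) and the Termination screen's terminate ranges, never-terminate ranges, selected/MSRT threat checkboxes and term_route CIDRs, where a subscriber outside every term_route receives no termination packets. The following is an added example (not Core CSP's own code) that evaluates those rules for a subscriber and threat so a planned configuration can be sanity-checked before it is saved. The configuration layout, the threat names, the stand-in MSRT list and the order in which the checks are applied (never-terminate before terminate) are assumptions of this example, not the product's documented evaluation order.

```python
"""Added example, not Core CSP's own code: evaluates the CIDR scoping that the
PerfTech "Subscriber CIDRs to notify" setting and the Termination screen
describe, so a planned configuration can be checked before it is saved. The
configuration layout, the threat names and the order in which the checks are
applied are assumptions of this example, not the product's documented
evaluation order."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class TerminationConfig:
    enable_dns: bool = False                                   # "Allow ... to terminate malicious traffic"
    terminate_cidrs: list = field(default_factory=list)        # network address ranges to terminate
    never_terminate_cidrs: list = field(default_factory=list)  # ranges to never terminate
    selected_threats: set = field(default_factory=set)         # threats entered one per line
    terminate_selected: bool = False                           # checkbox: terminate the selected threats
    terminate_msrt: bool = False                               # checkbox: terminate MSRT threats
    msrt_threats: set = field(default_factory=set)             # constructed stand-in for the MSRT list
    term_routes: list = field(default_factory=list)            # (interface, cidr, gateway) tuples


def parse_cidrs(entries):
    """Parse user-entered CIDRs; returns (networks, invalid_entries) so bad
    lines can be reported instead of silently ignored."""
    nets, invalid = [], []
    for entry in entries:
        try:
            nets.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            invalid.append(entry)
    return nets, invalid


def in_any(ip, cidrs):
    """True when `ip` falls inside at least one of the given CIDRs."""
    addr = ipaddress.ip_address(ip)
    nets, _ = parse_cidrs(cidrs)
    return any(addr in net for net in nets)


def perftech_should_notify(subscriber_ip, notify_cidrs=("0.0.0.0/0",)):
    """PerfTech notifies only subscribers inside the configured CIDR(s); the
    default 0.0.0.0/0 covers every IPv4 subscriber."""
    return in_any(subscriber_ip, notify_cidrs)


def termination_decision(subscriber_ip, threat, cfg):
    """Return (would_terminate, reason, route) for one subscriber/threat pair.
    Never-terminate ranges are checked before terminate ranges (an assumption)."""
    if not cfg.enable_dns:
        return False, "termination disabled (enable_dns is false)", None
    if in_any(subscriber_ip, cfg.never_terminate_cidrs):
        return False, "subscriber is in a never-terminate range", None
    if not in_any(subscriber_ip, cfg.terminate_cidrs):
        return False, "subscriber is outside the terminate ranges", None
    selected = cfg.terminate_selected and threat in cfg.selected_threats
    msrt = cfg.terminate_msrt and threat in cfg.msrt_threats
    if not (selected or msrt):
        return False, "threat is not selected for termination", None
    addr = ipaddress.ip_address(subscriber_ip)
    for iface, cidr, gateway in cfg.term_routes:
        if addr in ipaddress.ip_network(cidr, strict=False):
            return True, "matched term_route", (iface, gateway)
    # Without a matching term_route no termination packets are sent.
    return False, "no term_route covers the subscriber", None


# Constructed sample configuration; the term_route mirrors the page's example.
SAMPLE_CONFIG = TerminationConfig(
    enable_dns=True,
    terminate_cidrs=["10.0.0.0/8"],
    never_terminate_cidrs=["10.10.0.0/16"],
    selected_threats={"ThreatA"},
    terminate_selected=True,
    terminate_msrt=True,
    msrt_threats={"MsrtThreatX"},
    term_routes=[("eth1", "0.0.0.0/0", "192.168.1.1")],
)

if __name__ == "__main__":
    for ip, threat in [("10.0.0.5", "ThreatA"), ("10.10.4.4", "ThreatA"),
                       ("172.16.0.1", "ThreatA"), ("10.0.0.5", "ThreatC")]:
        print(ip, threat, termination_decision(ip, threat, SAMPLE_CONFIG))
```

Running the sample shows the cases an operator most often gets wrong: a subscriber inside a terminate range but also inside a never-terminate range is left alone, a threat that is neither selected nor MSRT is left alone even when its subscriber is in scope, and a term_route that does not cover the subscriber means the UI settings have no effect for that address.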

Threat_Updates

 

User Interface

The User Interface screen includes login preference options.

To set up the User Interface:

1. Enter a Session Timeout interval for login time.

2. Optional: enter a Custom Title, Message, or Logo for the Login page.

3. Click Save.

4. Optional: Run the Web Wizard again, if necessary.

Users

The Users screen is used to add, edit, or delete users. Passwords may also be reset in the Users screen.


NOTE: A "Role" is assigned in this screen, but created in the CLI of the DShell.

To add a New User:

1. Click the New User icon.

2. Enter a Username, Full Name, Email, and Role.

3. Click Save.

Figure 5-20: Users Edit

To edit or delete users:

1. Click the pencil icon to display the user fields.

 2. Enter modified information in the Full Name, Email, and Roles fields as necessary.

 3. Select the Disabled checkbox, if applicable.

 4. Click Change Password to reset password.

 5. Click Save to save changes, or click Delete to remove user from the system.

Visibility

Visibility refers to a Sensor's ability to inspect network traffic of interest, including DNS traffic. Improper placement of the Sensor and/or mirroring of incorrect network traffic streams blocks Visibility and hinders Core CSP's ability to determine if endpoints are infected.


Whitelists

The Whitelists screen is used to manually enter IP addresses and external domains known to be safe from malicious activity. These items will not be reported on.

To set up Whitelists:

1. Enter the IP addresses from which to suppress evidence in the text box provided.

 2. Enter the domain from which to suppress evidence in the text box provided.

 3. Click Save.
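The Whitelists screen suppresses evidence for whitelisted IP addresses and external domains. The following is an added example (not Core CSP's own code) of that suppression applied to constructed findings, including the checks a whitelist implementation has to get right: rejecting malformed IP entries instead of silently ignoring them, and matching domains case-insensitively and only at label boundaries. The page does not say whether a whitelisted domain also covers its subdomains; this example assumes it does and is explicit about that.

```python
"""Added example, not Core CSP's own code: applies a whitelist of IP addresses
and external domains to constructed findings, so whitelisted items are
suppressed rather than reported. The page does not say whether a whitelisted
domain also covers its subdomains; this example treats it as a suffix match
on label boundaries (an assumption)."""
import ipaddress


def normalize_domain(domain):
    """Lower-case and drop any trailing dot so 'A.Example.' and 'a.example' match."""
    return domain.strip().rstrip(".").lower()


class Whitelist:
    def __init__(self, ip_entries, domain_entries):
        self.ips = set()
        self.invalid_ips = []          # entries that are not valid addresses, for the operator to fix
        for entry in ip_entries:
            try:
                self.ips.add(ipaddress.ip_address(entry.strip()))
            except ValueError:
                self.invalid_ips.append(entry)
        self.domains = {normalize_domain(d) for d in domain_entries if d.strip()}

    def ip_whitelisted(self, ip):
        try:
            return ipaddress.ip_address(ip) in self.ips
        except ValueError:
            return False

    def domain_whitelisted(self, domain):
        # Assumption: a whitelisted domain also covers its subdomains, but only at
        # a label boundary ("notcdn.example" is not covered by "cdn.example").
        d = normalize_domain(domain)
        return any(d == w or d.endswith("." + w) for w in self.domains)

    def suppresses(self, finding):
        return self.ip_whitelisted(finding["subscriber"]) or self.domain_whitelisted(finding["domain"])


def apply_whitelist(findings, whitelist):
    """Split findings into those still reported and those suppressed."""
    reported, suppressed = [], []
    for f in findings:
        (suppressed if whitelist.suppresses(f) else reported).append(f)
    return reported, suppressed


# Constructed sample whitelist and findings.
SAMPLE_WHITELIST = Whitelist(
    ip_entries=["10.0.0.200", "10.0.0.999"],                  # second entry is deliberately invalid
    domain_entries=["cdn.example", "updates.vendor.example"],
)
SAMPLE_FINDINGS = [
    {"id": 1, "subscriber": "10.0.0.5",   "domain": "cnc-a.example"},
    {"id": 2, "subscriber": "10.0.0.200", "domain": "cnc-b.example"},           # whitelisted IP
    {"id": 3, "subscriber": "10.0.0.7",   "domain": "static.cdn.example"},      # subdomain of whitelisted domain
    {"id": 4, "subscriber": "10.0.0.7",   "domain": "notcdn.example"},          # not a label-boundary match
    {"id": 5, "subscriber": "10.0.0.9",   "domain": "UPDATES.VENDOR.EXAMPLE."}, # case and trailing dot
]

if __name__ == "__main__":
    kept, dropped = apply_whitelist(SAMPLE_FINDINGS, SAMPLE_WHITELIST)
    print("reported:", [f["id"] for f in kept])
    print("suppressed:", [f["id"] for f in dropped])
    print("invalid whitelist IPs:", SAMPLE_WHITELIST.invalid_ips)
```

Finding 2 is suppressed because its subscriber IP is whitelisted even though its domain is not, which is why whitelisting a subscriber address hides every finding for that subscriber and should be used sparingly.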


Index

C

Connecting
  Bastion VPN 42

Csv 21

D

Dashboard Widgets 4

Deauthorize 40

DNS 9

F

FQDN 42

H

Health Check Report 20

HELO Name 42

J

Json 21

L

License 33

M

Malicious Queries Detected 9

Maliciously Controlled Assets widget 10

MD5 42

MSRT 8

N

Newly Infected Assets widget 8

NTLM 42

Number

ArcSight Receiver 30

O

Operator Names 15

P

Password Policies 37

PerfTech 38

R

Research_notes 21

S

Sensors 40

Servers 40

SMTP
  Username 42

T

Termination 43

Threat Trends Report 20

U

User Interface 45

Users 45

W

Whitelists 48

Widgets 4

Glossary

.json

The JSON (JavaScript Object Notation) file format is used to transmit structured data over various network connections.

C

Command and Control

Also referred to as "C&C." A malicious third party communicating with and controlling an asset without the knowledge or consent of that asset's rightful owner. Command and Control is enacted via a networked infrastructure, referred to as a C&C infrastructure, or simply a C&C. This infrastructure represents a sophisticated network created by criminal operators, and as such is purposefully obfuscated.

CSP

Communications Service Provider

D

Data Sharing

Yielding additional port mapping data to Damballa CSP via Cloud settings.

DNS Query

An asset performing DNS name resolution. NOTE: this, coupled with patterns of suspicious asset behavior and queries to malicious sites, makes DNS evidence more compelling. The patterns of malware infection are also easily seen by retrieving DNS query evidence. Malware families contain patterns associated with their behavior, and DNS resolution to domains associated with malware-serving operators is a strong piece of evidence.

M

MSRT

Malicious Software Removal Tool

N

NX Rewriting

Redirecting rules which load existent domains.

S

Sensor

An appliance that passively monitors and captures network events indicating threats on an asset and sends them to the Management Console.

T

Threat

A broad category of entities that breach a network using tools (i.e., malware) and techniques (i.e., fluxing).

W

Whitelist

A whitelisted asset is deemed to be secure and is excluded from Damballa CSP analysis.
