CYBER ADVANCED WARNING SYSTEM USER GUIDE. Version 2.1

Transcription

1 CYBER ADVANCED WARNING SYSTEM USER GUIDE Version 2.1

2 Version 2.1, 11/3/2016 NSS Labs, Inc. 206 Wild Basin Road Building A, Suite 200 Austin, TX US NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, copied/scanned,stored on a retrieval system, ed or otherwise disseminated or transmitted without the express written consent of NSS Labs, Inc. ( us or we ). Please read the disclaimer in this box because it contains important information that binds you. If you do not agree to these conditions, you should not read the rest of this report but should instead return the report immediately to us. You or your means the person who accesses this report and any entity on whose behalf he/she has obtained this report. The information in this report is subject to change by us without notice, and we disclaim any obligation to update it. The information in this report is believed by us to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at your sole risk. We are not liable or responsible for any damages, losses, or expenses of any nature whatsoever arising from any error or omission in this report. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY US. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NONINFRINGEMENT, ARE HEREBY DISCLAIMED AND EXCLUDED BY US. IN NO EVENT SHALL WE BE LIABLE FOR ANY DIRECT, CONSEQUENTIAL, INCIDENTAL, PUNITIVE, EXEMPLARY, OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and/or software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet your expectations, requirements, needs, or specifications, or that they will operate without interruption. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners

3 Introduction 1 Subscriptions 2 Free 2 Paid 2 Activating CAWS 3 Administration 5 Adding a User 5 Editing a User 6 Resetting a Password 7 Deleting a User 7 Adding a Profile 8 Editing a Profile 9 Deleting a Profile 10 Navigating CAWS 11 Selecting a Date Range 12 Using Global Search 12 Using the Dashboard to View Threat Summaries 13 Total Applications Compromised 13 Total Active Exploits 13 URLs - Last 30 Days 13 URLs Hosting Exploits 14 Average TTL - 30 Days 14 Exploits Bypassing Security Products 14 Exploits Blocked by Security Products 14 Top Application Families Targeted 14 Top Platforms Targeted

4 Chapter 3 Opening a Threat Detail Page 14 Threat Details Summary 15 HTTP Traffic 16 Chain of Events 17 Command and Control 17 Validating Active Threats 19 Total Number of Exploits 20 Targeted Applications 20 Newly Targeted Applications 21 Unique Suspicious File Hashes 21 New Shell Code Captures 22 Top Applications Targeted 22 Using Defenses to Measure Security 25 Bypassing All Security 25 Total Bypassing Security 26 Exploits Targeting Applications 27 Threats Bypassing Security Products 28 Bypasses by Application 28 Risk Modeling 30 Submit URL

5 INTRODUCTION This User Guide introduces you to the Cyber Advanced Warning System (CAWS) threat awareness and dynamic threat modeling suite. Use this guide to learn how to activate your account and navigate the suite. The CAWS platform includes the following modules: The Dashboard displays summaries from Active Threats and Defenses. See Using the Dashboard to View Threat Summaries for more information. Active Threat displays active threat information, including target applications, platforms, source countries, URLs, and source IPs. See Validating Active Threats for more information. Defenses displays information about threats specific to your layered security defenses. Use Defenses to build custom profiles that reflect the attack surfaces and vulnerable layer security defenses. See Using Defenses to Measure Security for more information. Risk Modeling allows you to create what-if simulations that compare security products against one another in real-world environments and demonstrate how the products perform over time. See Risk Modeling for more information

6 SUBSCRIPTIONS CAWS offers two subscription levels: Free and Paid. Free A free subscription provides: One seat with one profile with three security devices per profile No two devices from the same category Limited access to Active Threats Threat Details features Ability to use Defenses No access to Risk Modeling Up to 20 URL submissions per hour Paid An annual subscription provides: One seat with unlimited profiles included and unlimited devices per profile Full access to use of Active Threats, including automation features, such as exporting (PCAP, SAZ, Shell) Ability to use Defenses Ability to use Risk Modeling to compare profiles and create reports Unlimited URL submissions - 2 -

7 Activating CAWS ACTIVATING CAWS You will receive an message that contains a hyperlink to the Cyber Advanced Warning System login page. You must activate your account within 72 hours of receiving the , or the link expires. If your link expires, request a new activation on the login page. To activate your account: 1. Click the hyperlink in the system-generated from CAWS. The website displays the NSS Labs Inc. Cyber Advanced Warning System End User Agreement. If the link is not active, copy the web address in the and paste it into the address field of a browser window. NSS supports Google Chrome and Firefox browsers. 2. Read the end user agreement, scrolling to the end. Click I agree. The end user agreement closes, and the website displays the Set Password page. 3. Type your user name in the User Name or Address field. The user name is typically the address that NSS used to set up your account. 4. Type a secure password in the Password field. The password must have the following characteristics: At least 8 characters or longer At least 1 uppercase letter At least 1 lowercase letter At least 1 numeral or special character No blank spaces 5. Retype or paste the password into the Confirm Password field. 6. Click Submit

8

9 ADMINISTRATION The CAWS Administration menu allows you to add and edit Users and Profiles. CAWS has two user levels: Reviewers have read-only access to the system. They can see all data and create simulations in Risk Modeling if they have a subscription, but they cannot create or edit profiles. Administrators have the same privileges as reviewers, but they can also create users. Administrators use the User Configuration page to edit user profiles, reset passwords, or delete users. You can create multiple profiles to compare various security product to different competitors. Use the Profile summaries page to edit, delete, or copy profiles. You can find a profile or multiple profiles by entering all or part of the Profile Name, Description, Device, or other search term in the Filter field. Adding a User Administrators manage users through the CAWS Administration module. To add a new user: 1. From the menu bar, select Administration > Create a New User. The User Configuration/Add page displays

10 Chapter 4 2. Type the user s Address, First Name, and Last Name in the provided fields. 3. Select the correct role from the User Role list. Reviewers can view CAWS events and existing profiles, and create risk scenarios. Administrators can create and modify profiles and create and deploy risk scenarios, as well as view CAWS events. If you want to add more than one user, select Add Another. 4. Click Add User. CAWS sends the new user an with login information. The new user name displays in the List Users and is greyed out until the user activates the account. Editing a User To edit a user: 1. From the menu bar, select Administration > View/Edit Users. The User Configuration/List Users page displays

11 Administration 2. Right-click the icon next to the appropriate user name. 3. Select Edit User. The Edit User page opens. 4. Edit the following fields as needed: Address First Name Last Name User Role 5. Click Save User. Resetting a Password To reset a password: 1. From the menu bar, select Administration > View/Edit Users. The User Configuration/List Users page opens. 2. Right-click the icon next to the appropriate user name. 3. Select Reset Password. The system sends an to the user with a hyperlink and instructions for resetting the password. Deleting a User To delete a user: 1. From the menu bar, select Administration > View/Edit Users. The User Configuration/List Users page opens

12 Chapter 4 2. Click the icon next to the user to be deleted. 3. Select Delete User. A Confirmation page displays. 4. Click Delete. Click the icon in the right-hand corner to export the information to a CSV format file. Adding a Profile To add a profile: 1. From the menu bar, select Administration > Create a New Profile. The Profile Configuration/Add page opens. 2. Type a meaningful Name and Description. 3. Optional: Clear the Notifications to opt out of receiving notifications. 4. The Notifications option generates a summary of all exploits that bypass any of the security devices associated with this profile. 5. Select an application from the Applications list. Choose a single application, multiple applications, an entire application group, or all of the applications offered

13 Administration 6. Select a platform from the Platforms list. Choose a single platform, multiple platforms, or the entire platform group. 7. Select a security product device from the Devices list. Choose a single device, multiple devices, or the entire device group. 8. To add more than one profile, select Add Another. 9. Click Add Profile. Editing a Profile To edit a profile: 1. From the menu bar, select Administration > View/Edit Profiles. The List Profiles page displays. 2. Right-click the icon next to the name of the profile you want to edit, select Edit. The Edit Profile page displays. Click the name of the profile you want to delete. The Edit Profile page displays. 3. Make the desired changes, and click Save Profile

14 Chapter 4 Deleting a Profile To delete a profile: 1. From the menu bar, select Administration > View/Edit Profiles. The List Profiles page displays. 2. Right-click the icon next to the name of the profile you want to delete, select Delete. A confirmation page displays. Click the name of the profile you want to delete. The Edit Profile page displays. Click Delete to delete the profile

15 NAVIGATING CAWS CAWS opens to the Dashboard. This default home page summarizes critical information from Active Threats and Defenses. The menu bar on the left side of the page contains options for accessing each CAWS module. To expand the menu bar, click the arrow. Data panes in CAWS are interactive, allowing you to view the data in different ways or to view additional information. If you hover the cursor over a specific point, such as a high point or low point on a trend line, a message displays more information on that point. In the example, the message for the trend line shows the date of the threat and the application. Click and drag left or right within a pane to zoom in on data series. You can also zoom by scrolling the mouse wheel. Click the icon to display a data pane as a widget in a separate browser tab

16 Chapter 5 Click the Click the icon to print or download an image of the widget. icon in Risk Modeling to refresh the selected profile. Click a column header to sort the data. Selecting a Date Range The Dashboard displays the last 30 days of information, but you can select a different date range. To select a different date range: 1. Click the date icon in the top right corner. The Date widget expands. 2. Select one of the date range options, or specify a custom range. If you specify a custom range, type the appropriate dates in the From and To fields, or select the dates from the calendar. Custom ranges cannot be less than 30 days. 3. Click Apply. CAWS generates new data for the date range specified. The date range is applied to the current CAWS module. Using Global Search Use the search function to search by hashes, URLs, NSS IDs, and IP addresses. To perform a search: Each page in CAWS contains a global search field in the top navigation bar. To perform a global search, enter the search term in the field and press Enter

17 Navigating CAWS From the main menu bar, click the icon. Click the icon in the menu bar to view support information for CAWS. Using the Dashboard to View Threat Summaries The Dashboard is the default home page when you log in to CAWS, and summarizes global information from Active Threats and Defenses. Total Applications Compromised Displays the total number of applications tested the specified time period. Total Active Exploits Displays the total number of new, unique exploits CAWS detected the specified time period. URLs - Last 30 Days Displays the number of URLs crawled the specified time period

18 Chapter 5 URLs Hosting Exploits Displays the number of URLs found hosting exploits the specified time period. Average TTL - 30 Days Displays the average of the time to live (TTL) by hours the specified time period. Exploits Bypassing Security Products Displays the sum of the exploits that bypassed all security products in all profiles the specified time period. Exploits Blocked by Security Products Displays a line graph of the total number of exploits blocked based on your profiles the specified time period. Top Application Families Targeted Displays is a chart summarizing attacks on the top five applications the specified time period. Mouse over each section to view the total number of attacks for that application. Top Platforms Targeted Displays a chart summarizing attacks on the top five platforms the specified time period. Mouse over each section to view the total number of attacks for that platform. Opening a Threat Detail Page You can open a Threat Detail page in both Active Threats and Defenses. To open a Threat Details page: In Active Threats, click a widget to open the Threat Details page. Click any NSS ID hyperlink to open the Threat Details Summary page

19 Navigating CAWS In Defenses, click the Application tab, and click the appropriate hyperlinked application. The application s Threat Details page opens. Click the Click the icon in the right-hand corner to export the information to a CSV format file. icon in the right-hand corner to display the grid tools. Select or clear a column's check box to control whether the table displays the column. Threat Details Summary The Primary Information tab displays specific information about an individual threat, such as its time stamp, targeted application, victim, file hashes, and outbound connections. The Files section displays hash information about malicious files associated with the threat. Click an icon to view related threats, VirusTotal, and geolocation information. CAWS allows you to download a Packet Capture (PCAP) file, Session Archive Zip (SAZ), or Shell Code file so you can perform your own analysis

20 Chapter 5 HTTP Traffic The HTTP Traffic tab displays a log of the detailed HTTP traffic between the client and server

21 Navigating CAWS Chain of Events The Chain of Events tab displays a step-by-step playback of events for an exploit. This allows you to visualize the sequence of events leading up to and during an exploitation. To view a chain of events: Select the play button to automatically play through each step. Click an individual event in the Exploit Event Details list. Use the navigation icons to change the view of the Chain of Events. Clicking an individual event allows you to drill down for more information on each event. Command and Control The Command and Control tab displays the exploit detonation and the outbound server connections

22 Chapter 5 Use the navigation icons to change the view of the Chain of Events. Clicking an individual event allows you to drill down for more information on each event

23 VALIDATING ACTIVE THREATS Active Threats show active exploits and the applications targeted in active campaigns. Use Active Threats information to help determine the best actions to take for reducing risk, such as changing the security control policy. Active Threats provides a summary of the latest exploit information, and allows you to perform quick research into the latest exploits. The Active Threats summaries display the following: Total Number of Exploits Targeted Applications Newly Targeted Applications Unique Suspicious File Hashes New Shell Code Captures Unique Detected Connections Threat Encounters Top Applications Targeted

24 Chapter 6 Total Number of Exploits The Total Number of Exploits page displays specific information about an individual threat, such as the victim, targeted application, and number of outbound connections. It also displays the time stamp of when the test was run. Click an NSS ID hyperlink to open the Threat Details Summary page to view information on that particular threat. Targeted Applications The Targeted Applications summarizes attacks on the top applications the specified time period. Mouse over each bar to view the total number of attacks for that application

25 Validating Active Threats Newly Targeted Applications The Newly Targeted Applications page displays the number of newly targeted applications and the number of threats encountered within the current time frame. If an application name is a hyperlink, it has threats associated with it. Click the hyperlink to open its Threat Details Summary page. If an application name is not a hyperlink, it was not exploited and has no Threat Details Summary page. Unique Suspicious File Hashes Displays a list of file hashes that are known or suspected to be malware

26 Chapter 6 New Shell Code Captures Displays a list of captured exploits that contain new shell code captures. The list displays the NSS ID, detection time stamp, platform, targeted application, file count, and connection count. Top Applications Targeted The Top Targeted Applications is a bar graph showing the number of attacks on the five most highly targeted applications. You can toggle between bar graphs with tabs for targeted Applications, software families, and vendors. Hover over any bar to view data in more detail. Click the Families tab to view a bar graph showing the applications grouped by software family. Click the Vendors tab to view a bar graph showing the applications grouped by vendor

27 Validating Active Threats

28 Chapter

29 USING DEFENSES TO MEASURE SECURITY Defenses displays information about exploits specific to your layered security defenses. Use Defenses to build custom profiles that reflect the attack surfaces and vulnerable layer security defenses. The Defenses summaries display the following: Bypassing All Security Total Bypassing Security Exploits Targeting Applications Threats Bypassing Security Products Bypasses by Application Bypassing All Security Displays the number of exploits that have bypassed all defenses associated with the selected profile

30 Chapter 7 Click the number of critical threats to open the corresponding Critical Threat Summary page. Total Bypassing Security Bypassing All Security lists all exploits that have bypassed all security products associated with your selected profile

31 Using Defenses to Measure Security Click the number of threats to open the corresponding Threat Details page. Exploits Targeting Applications The Exploits Targeting Applications page displays the number of exploits targeting applications in a profile

32 Chapter 7 Threats Bypassing Security Products Threats Bypassing Security Products displays a count of exploits that have bypassed all security products associated with this profile. Click a device to open a Threat Detail page. Bypasses by Application Displays the total number of bypasses per application

33 Using Defenses to Measure Security Clicking an application displays information on the NSS ID, test time stamp, platform, target application, and more. Click the NSS ID hyperlink to display the Opening a Threat Detail Page page

34 RISK MODELING Risk Modeling allows you to view and understand how your existing profiles are performing, and to compare security products and applications against your live data. Here are a few examples of how risk modeling can be used to improve security: Situational awareness: Monitor which applications are being targeted by threat actors and determine how exploits relate to failures in deployed security products. This information helps prioritize security policy changes, patch cycles, and security product updates. Compare profiles: Evaluate up to three different security products side by side to compare their efficacy against current threats and exploits. Security reports: Extract data to analyze product performance and build business cases. To compare a profile: 1. From the menu bar, select Risk Modeling. The Risk Modeling page displays. 2. Select a single profile, or multiple profiles. 3. Click Compare. The Risk Modeling details page displays a comparison of your selected profiles

35 Chapter

36 SUBMIT URL The Submit URL feature allows you to submit URLs for analysis. To submit a URL: 1. From the menu bar, click Submit URL. The Submit URL page displays. 2. Type a URL in the Submit URL field. 3. Click Submit URL