IBM Security QRadar


Need help to monitor data exfiltration?

By Gladys Koskas posted Mon November 23, 2020 03:49 PM

  


This picture could replace a thousand words... But you've seen recently that I have a lot of things to say :)

So let's talk about it! The Ponemon Institute "Cost of a Data Breach Report 2020", commissioned by IBM, puts the average cost of a data breach in 2020 at 3.86 million dollars.
If you think about it, there are many ways to make the cost of a data breach increase very quickly. Obviously, the amount of information exfiltrated plays a big role in that cost, but the type of data is also a significant factor. Customer information, employee information and other PII are precious in terms of competition and regulation (e.g. GDPR). This sort of information sells for a lot on the black market and is therefore actively sought after. And what about stolen Intellectual Property? It can simply be a disaster for a company...

Another big factor is time. PII or Intellectual Property exfiltrated over a long period of time can make a big difference in the cost of a data breach.


280 days is the average time to identify and contain a data breach... You know it: you need to monitor potential exfiltration of data! But where to look? What to look at? Data exfiltration is one of the most complex behaviors to monitor, precisely because it is so hard to know where to look.

Disgruntled employees, human error or misconfiguration, phishing, malware: these are all potential sources of exfiltration. File shares, databases, laptops, mailboxes: the list of places to monitor could be shortened to "everything" in the infrastructure.

Ok, I'll stop with the bad news and bring some good news! The IBM QRadar Data Exfiltration Content Extension can help you get more visibility to manage this risk, with the least configuration possible.


In this blog we are going to answer a few questions with scenarios included in the content pack, such as:

  • How do I monitor sensitive files with lightweight maintenance?
  • Can I do something with my network data?
  • Is there a way to catch when a normal behavior becomes suspicious?

The IBM QRadar Data Exfiltration Content Extension is meant to work with many device types such as Cloud, Mail, Proxy, Firewall, IDS/IPS and DLP, covering as much of the perimeter as possible (see the "QRadar configuration" --> "Properties" section below for more details on the content covered by default).

 

Scenarios Highlights

How do I monitor sensitive files with lightweight maintenance?

Adding the name of each sensitive file to a rule or reference set is an almost impossible task. And what happens when the filename is changed for some reason? The Files in Sensitive File Directories rule takes care of the problem.

The only prerequisite is to populate the Sensitive File Directories reference set with the location of the folders that contain sensitive files. The rule then automatically adds the names of the files seen in events related to those locations to another reference set, which the downstream rules reuse: a file is recognised by name wherever it turns up next, with no list to maintain by hand.

Apply Files in Sensitive File Directories on events which are detected by the Local system
and NOT when an event matches any of the following BB:CategoryDefinition: File Deleted Events
and when the event matches Filename (custom) is not N/A
and when any of File Directory (custom) are contained in any of Sensitive File Directories - AlphaNumeric


With this rule in place, monitoring sensitive files becomes very easy.

The IBM QRadar Data Exfiltration Content Extension also provides a rule to monitor sensitive files being uploaded to a publicly accessible folder in a cloud environment such as AWS or Office 365.

Apply Sensitive File Uploaded to a Publicly Accessible Folder on events which are detected by the Local system
and when an event matches any of the following BB:CategoryDefinition: Object Upload Events
and when an event matches any of the following BB:Exfiltration: Files in Sensitive Directories
and when any of File Directory (custom), Storage Name (custom) are contained in any of Publicly Accessible Folders - AlphaNumeric (Ignore Case)

It also contains a rule to watch for sensitive files shared with a guest user or group.

Apply Sensitive File Shared with a Guest User or Group on events which are detected by the Local system
and when an event matches any of the following BB:CategoryDefinition: Link Shared Events
and when any of Target User Area (custom) are contained in any of Guest Login Users - AlphaNumeric (Ignore Case)
and when an event matches any of the following BB:Exfiltration: Files in Sensitive Directories
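To make the mechanics concrete, here is the same logic re-implemented in plain Python over a handful of constructed events: the directory rule learns filenames into a set, and the two cloud rules above reuse that set through a stand-in for the BB:Exfiltration: Files in Sensitive Directories building block. This is an added example, not code from the content extension or from QRadar; the category names, the property names, the path normalisation and all sample values are assumptions chosen to mirror the rule tests quoted above.

```python
"""Added example: 'Files in Sensitive File Directories' and two rules that reuse
its result, in plain Python. Not QRadar code; names and samples are assumptions."""

# Reference sets the analyst populates (the directory rule's only prerequisite).
SENSITIVE_FILE_DIRECTORIES = {"/srv/finance/q4-forecasts", r"\\fileserver\hr\payroll"}
PUBLICLY_ACCESSIBLE_FOLDERS = {"public-website-assets", "/var/www/html/downloads"}
GUEST_LOGIN_USERS = {"#ext#", "guest"}

# Event categories (assumed names standing in for the CategoryDefinition BBs).
FILE_DELETED_CATEGORIES = {"Audit.File Deleted"}
OBJECT_UPLOAD_CATEGORIES = {"Audit.Object Upload Success", "Audit.File Upload Success"}
LINK_SHARED_CATEGORIES = {"Audit.Link Shared"}


def normalize_dir(path):
    """Treat '\\' and '/' alike, drop trailing separators, ignore case, so the
    exact-membership test behaves like QRadar's 'contained in' (assumption)."""
    return str(path).replace("\\", "/").rstrip("/").lower()


SENSITIVE_DIRS = {normalize_dir(d) for d in SENSITIVE_FILE_DIRECTORIES}
PUBLIC_FOLDERS = {normalize_dir(d) for d in PUBLICLY_ACCESSIBLE_FOLDERS}
GUEST_USERS = {g.lower() for g in GUEST_LOGIN_USERS}


def has_filename(event):
    """'Filename (custom) is not N/A': the property parsed to something usable."""
    return event.get("Filename") not in (None, "", "N/A")


def files_in_sensitive_file_directories(event):
    """The rule's tests: not a delete, Filename parsed, directory is in the set."""
    return (event.get("category") not in FILE_DELETED_CATEGORIES
            and has_filename(event)
            and normalize_dir(event.get("File Directory", "")) in SENSITIVE_DIRS)


def bb_files_in_sensitive_directories(event, sensitive_filenames):
    """Stand-in for BB:Exfiltration: Files in Sensitive Directories: the filename
    was learned earlier, wherever the file shows up now."""
    return has_filename(event) and event["Filename"] in sensitive_filenames


def sensitive_file_uploaded_to_public_folder(event, sensitive_filenames):
    targets = {normalize_dir(event.get(k, "")) for k in ("File Directory", "Storage Name")}
    return (event.get("category") in OBJECT_UPLOAD_CATEGORIES
            and bb_files_in_sensitive_directories(event, sensitive_filenames)
            and bool(targets & PUBLIC_FOLDERS))        # "Ignore Case" via normalize_dir


def sensitive_file_shared_with_guest(event, sensitive_filenames):
    return (event.get("category") in LINK_SHARED_CATEGORIES
            and str(event.get("Target User Area", "")).lower() in GUEST_USERS
            and bb_files_in_sensitive_directories(event, sensitive_filenames))


def run(events):
    """Process events in arrival order; return the learned filenames and the alerts."""
    sensitive_filenames = set()   # the reference set the directory rule populates
    alerts = []
    for ev in events:
        if files_in_sensitive_file_directories(ev):
            sensitive_filenames.add(ev["Filename"])
        if sensitive_file_uploaded_to_public_folder(ev, sensitive_filenames):
            alerts.append(("Sensitive File Uploaded to a Publicly Accessible Folder", ev["Filename"]))
        if sensitive_file_shared_with_guest(ev, sensitive_filenames):
            alerts.append(("Sensitive File Shared with a Guest User or Group", ev["Filename"]))
    return sensitive_filenames, alerts


# Constructed sample events, in the order they would be received.
EVENTS = [
    {"category": "Audit.File Read", "File Directory": "/srv/finance/q4-forecasts", "Filename": "forecast-2021.xlsx"},
    {"category": "Audit.File Deleted", "File Directory": "/srv/finance/q4-forecasts", "Filename": "old-draft.xlsx"},
    {"category": "Audit.File Read", "File Directory": "/srv/finance/q4-forecasts", "Filename": "N/A"},
    # UNC path, different case, trailing separator: still matches after normalisation
    {"category": "Audit.File Read", "File Directory": "\\\\FILESERVER\\hr\\payroll\\", "Filename": "salaries.csv"},
    {"category": "Audit.Object Upload Success", "Storage Name": "public-website-assets", "Filename": "forecast-2021.xlsx"},
    {"category": "Audit.Object Upload Success", "Storage Name": "public-website-assets", "Filename": "readme.txt"},
    {"category": "Audit.Link Shared", "Target User Area": "#EXT#", "Filename": "salaries.csv"},
    {"category": "Audit.Link Shared", "Target User Area": "alice@corp.example.com", "Filename": "salaries.csv"},
]

if __name__ == "__main__":
    names, found = run(EVENTS)
    print("learned:", sorted(names))
    for rule, filename in found:
        print(f"{rule}: {filename}")
```

Only the directory set is hand-maintained; the deleted file and the event without a parsed Filename are ignored exactly as the rule's second and third tests dictate, and readme.txt reaching the public folder is not an alert because it was never learned.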


It also becomes easy to monitor whether these files are being sent to suspicious destinations.

Apply Email containing Sensitive File Sent to Potentially Hostile Host on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Mail
and when BB:Exfiltration: Files in Sensitive Directories match at least 1 times with the same MessageID (custom) in 5 minutes after BB:BehaviorDefinition: Potentially Hostile Email Host match

Or simply outside of the organization:

Apply Email containing Sensitive File Sent to External Host on events which are detected by the Local system
and when an event matches any of the following BB:DeviceDefinition: Mail
and when BB:Exfiltration: Files in Sensitive Directories match at least 1 times with the same MessageID (custom) in 5 minutes after BB:BehaviorDefinition: External Email Addresses match


Note: Once again, you don't need to feed QRadar with every email address in your organization: simply populate the BB:BehaviorDefinition: External Email Addresses building block with the domain name(s) used by the company, and let QRadar do the rest.
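The correlation these two mail rules rely on, an external-recipient match followed within 5 minutes by a sensitive-attachment match on the same MessageID, re-implemented in plain Python over constructed mail-log events. This is an added example, not the content extension's code; the company domain, the learned filenames and the event fields are assumptions.

```python
"""Added example: the MessageID correlation behind 'Email containing Sensitive
File Sent to External Host'. Not QRadar code; fields and samples are assumptions."""

WINDOW_SECONDS = 300                    # "in 5 minutes after" in the rule
COMPANY_DOMAINS = {"example.com"}       # assumption: what the External Email Addresses BB holds
# Filenames learned by the Files in Sensitive File Directories rule (assumed values).
SENSITIVE_FILENAMES = {"forecast-2021.xlsx", "salaries.csv"}


def is_company_address(address):
    """Addresses at the company domain(s) or any subdomain count as internal."""
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in COMPANY_DOMAINS)


def bb_external_email_addresses(event):
    """Stand-in for BB:BehaviorDefinition: External Email Addresses."""
    rcpt = event.get("recipient")
    return bool(rcpt) and not is_company_address(rcpt)


def bb_files_in_sensitive_directories(event):
    """Stand-in for BB:Exfiltration: Files in Sensitive Directories."""
    return event.get("Filename") in SENSITIVE_FILENAMES


class MessageIdCorrelator:
    """Mail servers log one message as several events (recipient, attachment,
    delivery) that share a MessageID. Remember when the external-recipient test
    matched per MessageID and fire when a sensitive attachment shows up for the
    same MessageID within the window."""

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self.pending = {}          # MessageID -> (ts of external match, recipient)

    def process(self, event):
        mid = event.get("MessageID")
        if not mid or mid == "N/A":
            return None            # nothing to correlate on
        ts = event["ts"]
        # Drop matches that aged out of the 5-minute window.
        for key in [k for k, (t, _) in self.pending.items() if ts - t > self.window]:
            del self.pending[key]
        if bb_external_email_addresses(event):
            self.pending.setdefault(mid, (ts, event["recipient"]))
        if bb_files_in_sensitive_directories(event) and mid in self.pending:
            first_ts, rcpt = self.pending.pop(mid)    # one offense per message (assumption)
            return {"rule": "Email containing Sensitive File Sent to External Host",
                    "MessageID": mid, "recipient": rcpt, "Filename": event["Filename"],
                    "seconds_after_recipient": ts - first_ts}
        return None


def correlate(events):
    """Run the events through the correlator in time order; return the offenses."""
    c = MessageIdCorrelator()
    return [a for a in (c.process(e) for e in sorted(events, key=lambda e: e["ts"])) if a]


# Constructed mail-log events (epoch seconds, already normalised into properties).
MAIL_EVENTS = [
    {"ts": 1000, "MessageID": "<a1@mail.example.com>", "recipient": "buyer@competitor.example.net"},
    {"ts": 1030, "MessageID": "<a1@mail.example.com>", "Filename": "forecast-2021.xlsx"},
    {"ts": 1040, "MessageID": "<b2@mail.example.com>", "recipient": "alice@hr.example.com"},
    {"ts": 1045, "MessageID": "<b2@mail.example.com>", "Filename": "salaries.csv"},   # internal: no offense
    {"ts": 1100, "MessageID": "<c3@mail.example.com>", "recipient": "me@webmail.example.org"},
    {"ts": 1500, "MessageID": "<c3@mail.example.com>", "Filename": "salaries.csv"},   # 400 s later: outside window
    {"ts": 1200, "MessageID": "N/A", "recipient": "x@webmail.example.org", "Filename": "salaries.csv"},
]

if __name__ == "__main__":
    for offense in correlate(MAIL_EVENTS):
        print(offense)
```

Note the last sample: without a parsed MessageID there is nothing to join the recipient and the attachment on, which is why the Mail custom properties described in the configuration section matter as much as the rule itself.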

 

Can I do something with my network data?

Yes! Take advantage of your flows to monitor large outbound data transfers to external storage websites or suspicious destinations. The IBM QRadar Data Exfiltration Content Extension includes 6 event searches and 5 flow searches that can be used to create anomaly rules and help you detect when a behavior is suspicious.



The searches do not only look for obvious, bulk exfiltration of data; they also account for slow exfiltration of data spread over several days.

Note: These searches are available for both flows and events!
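The point about slow exfiltration is worth seeing in numbers. The added example below, which is not one of the pack's saved searches, aggregates constructed flow records two ways: per source and day, and per source over any 7 consecutive days. The column names follow QRadar's flow columns (sourceip, destinationip, sourcebytes, starttime); the internal networks, thresholds and sample flows are assumptions.

```python
"""Added example: a per-day threshold versus a 7-day aggregation over constructed
flow records. Not one of the content extension's searches; values are assumptions."""
import ipaddress
from collections import defaultdict

MiB = 1024 ** 2
DAY = 86400
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DAILY_THRESHOLD = 1024 * MiB         # "large outbound transfer" within a single day
SLOW_DAYS = 7
SLOW_THRESHOLD = 3072 * MiB          # total over any 7 consecutive days


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def outbound_bytes_per_day(flows):
    """Bytes sent by each internal source to external destinations, per day index."""
    totals = defaultdict(int)         # (sourceip, day) -> bytes
    for f in flows:
        if is_external(f["destinationip"]) and not is_external(f["sourceip"]):
            totals[(f["sourceip"], f["starttime"] // DAY)] += f["sourcebytes"]
    return totals


def large_outbound_transfers(flows, threshold=DAILY_THRESHOLD):
    """Sources that exceed the threshold within one day: the obvious case."""
    return {src for (src, _day), b in outbound_bytes_per_day(flows).items() if b >= threshold}


def slow_exfiltration(flows, days=SLOW_DAYS, threshold=SLOW_THRESHOLD):
    """Sources whose total over any `days` consecutive days exceeds the threshold,
    even though no single day does."""
    by_source = defaultdict(dict)
    for (src, day), b in outbound_bytes_per_day(flows).items():
        by_source[src][day] = b
    flagged = set()
    for src, daily in by_source.items():
        for end in daily:
            window_total = sum(b for d, b in daily.items() if end - days < d <= end)
            if window_total >= threshold:
                flagged.add(src)
                break
    return flagged


def flow(sourceip, destinationip, mib, day, hour=9):
    """Constructed flow record in QRadar's flow column names."""
    return {"sourceip": sourceip, "destinationip": destinationip,
            "sourcebytes": mib * MiB, "starttime": day * DAY + hour * 3600}


FLOWS = (
    [flow("10.0.0.5", "198.51.100.7", 2048, day=3)]                             # one 2 GiB burst
    + [flow("10.0.0.9", "198.51.100.7", 600, day=d) for d in range(7)]          # 600 MiB a day for a week
    + [flow("10.0.0.12", "10.1.2.3", 5000, day=2)]                              # internal copy: ignored
    + [flow("10.0.0.15", "198.51.100.7", 300, day=d) for d in range(0, 14, 2)]  # 300 MiB every other day
)

if __name__ == "__main__":
    print("large single-day transfers:", sorted(large_outbound_transfers(FLOWS)))
    print(f"slow exfiltration over {SLOW_DAYS} days:", sorted(slow_exfiltration(FLOWS)))
```

Host 10.0.0.9 never crosses the daily threshold and is invisible to the first search, yet it moves more data in a week than the burst from 10.0.0.5; the two searches catch different behaviours and are meant to run side by side.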

 

Is there a way to catch when a normal behavior becomes suspicious?

Seeing authorized access to 1 or 2 documents in the same location seems absolutely normal; seeing 10 or 15 of them in a short period of time suddenly becomes more suspicious.

Catch anomalies in file access or download with 4 rules that track whether a user is engaging in reconnaissance behavior or is actively downloading an abnormal number of documents.



Apply Excessive File Downloads Events From the Same Source IP on events which are detected by the Local system
and when an event matches any of the following BB:CategoryDefinition: Object Download Events
and when the event matches Filename (custom) is not N/A
and when the event matches NOT ((NETWORKNAME(destinationip)='Net_172_16_0_0') OR (INCIDR('192.168.2.0/24', sourceip))) AQL filter query
and when at least 10 events are seen with the same Source Address, Log Source and different Filename (custom) in 5 minutes
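Here is the rule's logic, including its AQL placeholder filter, as plain Python run over constructed download events. This is an added example rather than the content extension's own code: the network hierarchy name, the log source name and the sample traffic are assumptions, and the download categories are the ones listed later in the "Using the placeholders" section.

```python
"""Added example: the distinct-filename threshold of 'Excessive File Downloads
Events From the Same Source IP' plus its AQL filter. Not QRadar code."""
import ipaddress
from collections import defaultdict, deque

WINDOW_SECONDS = 300
THRESHOLD = 10
OBJECT_DOWNLOAD_CATEGORIES = {
    "Audit.File Download Attempt", "Audit.File Download Failure", "Audit.File Download Success",
    "Audit.Object Download Attempt", "Audit.Object Download Failure", "Audit.Object Download Success",
}
# Assumption: a network hierarchy entry named like the one in the rule's AQL filter.
NETWORK_HIERARCHY = {"Net_172_16_0_0": ipaddress.ip_network("172.16.0.0/12")}


def networkname(ip):
    """AQL NETWORKNAME(): the network hierarchy name containing ip, else None."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in NETWORK_HIERARCHY.items() if addr in net), None)


def incidr(cidr, ip):
    """AQL INCIDR(cidr, ip)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def passes_aql_filter(event):
    """NOT ((NETWORKNAME(destinationip)='Net_172_16_0_0') OR (INCIDR('192.168.2.0/24', sourceip)))"""
    return not (networkname(event["destinationip"]) == "Net_172_16_0_0"
                or incidr("192.168.2.0/24", event["sourceip"]))


class ExcessiveDownloadDetector:
    """At least THRESHOLD events with the same Source Address and Log Source but
    different Filename within WINDOW_SECONDS."""

    def __init__(self):
        self.windows = defaultdict(deque)     # (sourceip, logsource) -> deque[(ts, filename)]

    def process(self, event):
        if event.get("category") not in OBJECT_DOWNLOAD_CATEGORIES:
            return None
        if event.get("Filename") in (None, "", "N/A"):
            return None
        if not passes_aql_filter(event):
            return None
        key = (event["sourceip"], event["logsource"])
        q = self.windows[key]
        q.append((event["ts"], event["Filename"]))
        while q and event["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()                        # slide the 5-minute window
        distinct = {name for _, name in q}
        if len(distinct) >= THRESHOLD:
            q.clear()                          # assumption: one offense per burst
            return {"rule": "Excessive File Downloads Events From the Same Source IP",
                    "sourceip": key[0], "logsource": key[1], "distinct_files": len(distinct)}
        return None


def detect(events):
    d = ExcessiveDownloadDetector()
    return [a for a in (d.process(e) for e in sorted(events, key=lambda e: e["ts"])) if a]


def downloads(sourceip, destinationip, filenames, start, step=10):
    """Constructed helper: one download event per filename, `step` seconds apart."""
    return [{"ts": start + i * step, "category": "Audit.File Download Success",
             "logsource": "SharePoint @ files.example.com", "sourceip": sourceip,
             "destinationip": destinationip, "Filename": name}
            for i, name in enumerate(filenames)]


# Constructed traffic: a crawl of 12 distinct files, the same file fetched 15 times,
# and two crawls the AQL filter excludes (excluded source subnet, internal destination).
EVENTS = (
    downloads("10.0.0.5", "203.0.113.10", [f"contract-{i:02}.pdf" for i in range(12)], 0)
    + downloads("10.0.0.6", "203.0.113.10", ["handbook.pdf"] * 15, 0)
    + downloads("192.168.2.20", "203.0.113.10", [f"plan-{i:02}.docx" for i in range(12)], 0)
    + downloads("10.0.0.7", "172.16.5.5", [f"memo-{i:02}.txt" for i in range(12)], 0)
)

if __name__ == "__main__":
    for offense in detect(EVENTS):
        print(offense)
```

The same file fetched fifteen times never fires, because the rule counts different filenames rather than events, which is what separates a user re-opening one document from one sweeping through a folder.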
 

Other Use Cases

The IBM QRadar Data Exfiltration Content Extension, with its 35 rules and 11 saved searches, provides a wide set of tools to monitor potential exfiltration of data efficiently.

The content pack includes a Pulse dashboard, which helps to get a global overview of your environment.


QRadar configuration

Install the DSM

Download and install the DSM relevant to your environment via Auto-Updates or Fix Central.

 

Enable X-Force

The content pack contains some rules based on reputation. Enable X-Force to benefit from these rules.

 

Install the Content Extensions

 
Rules

The IBM QRadar Data Exfiltration Content Extension is available on the App Exchange.

 

Properties

The pack contains Custom Property definition placeholders. This means that you can copy the Custom Properties provided and adapt them to your environment by adding expressions under that definition. You can also download the sets of Custom Properties identified below.

 

  • Predefined Properties

Many Custom Properties have been developed for the devices covered by the IBM QRadar Data Exfiltration Content Extension. To get the list of what is available, just search for the device type you are looking for on the App Exchange.

 

The IDS/IPS devices we built properties for are:

  • Fortinet FortiAnalyzer
  • Checkpoint
  • Palo Alto
  • Cisco Firepower
  • etc.
 

The cloud devices we built properties for are:

  • Office 365
  • AWS
  • Azure
  • IBM Cloud
  • etc.

 

The proxy devices we built properties for are:

  • Cisco Ironport
  • Bluecoat
  • Squid
  • Zscaler
  • etc.
 

The email devices we built properties for are:

  • Postfix
  • Microsoft Exchange
  • Cisco Ironport
  • Lastline
  • Proofpoint

 

We keep releasing new properties to offer better device coverage, so don't hesitate to have a look from time to time!

 

  • Using the placeholders

Let's take the example of the Excessive File Downloads Events From the Same Source IP Rule.

Apply Excessive File Downloads Events From the Same Source IP on events which are detected by the Local system
and when an event matches any of the following BB:CategoryDefinition: Object Download Events
and when the event matches Filename (custom) is not N/A
and when the event matches NOT ((NETWORKNAME(destinationip)='Net_172_16_0_0') OR (INCIDR('192.168.2.0/24', sourceip))) AQL filter query
and when at least 10 events are seen with the same Source Address, Log Source and different Filename (custom) in 5 minutes

This rule would work the same way for any log source type (including custom types), as long as QRadar parses the Filename and the event is classified in any of the following categories: Audit.File Download Attempt, Audit.File Download Failure, Audit.File Download Success, Audit.Object Download Attempt, Audit.Object Download Failure, Audit.Object Download Success.

 

Custom Property placeholders are meant to be reused to adapt the content to any environment.
 
Custom Event Properties UI:

 


DSM Editor:


Like every content pack we build, we try to make it general enough to work with as many environments and devices as possible, but also precise and smart enough to make adapting it to your needs easy.

The topic being so wide, this pack obviously doesn't cover every use case related to data exfiltration, but it is a good base to get you started. We're open to any suggestion for additional use cases to cover in this pack.

Please find our latest version of the IBM QRadar Data Exfiltration Content Extension on the App Exchange and don't hesitate to give us any feedback or ideas, these packs are built for you, tell us what you need.

If you are interested in reading more about QRadar Security Content, you can find the complete list of blog entries here.
