

Micro Focus Configuration

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE Engenuity comments are included in italics.


Product Versions

Management

  • ArcSight ESM Manager v.7.3.0.2454
  • ArcSight ESM Console v.7.3.0.2662.0
  • ArcSight Context Update October 2020.1015_125153

Endpoint Log Collection

  • ArcSight Smart Connector for Win64 v.8.1.0.8362.0
  • ArcSight Smart Connector for Linux64 v.8.1.0.8362.0
  • ArcSight FlexConnectors
  • ArcSight AUP v.8335

Network Log Collection

  • ArcSight Smart Connector for Linux64 v.8.1.0.8362.0 for Zeek (formerly Bro)

Product Description

ArcSight ESM Manager

ArcSight Enterprise Security Manager (ESM) is an enterprise security operations solution that empowers security teams with real-time threat detection and response through a powerful, open, and intelligent SIEM (Security Information and Event Management). ArcSight ESM’s industry-leading correlation engine, modern security analytics UI, and integrated SOAR technology enable organizations to analyse and correlate every event that occurs across the organization: every login, logoff, file access, database query, etc.

ArcSight ESM helps SOCs detect, escalate, and respond to documented threats in real time, with accurate prioritization of security risks and compliance violations. Backed by intelligence feeds, customizable rulesets, default content (including MITRE ATT&CK dashboards), and marketplace content, ArcSight ESM is equipped to address any SIEM use case your organization faces, no matter how complex.

  • Correlate data from any source in real time to detect incidents before they become a breach.
  • Resolve issues faster: Answer who did what? Where? When? And how?
  • Collect, store, and analyse any event from any source.
  • Deliver packaged reports for PCI, SOX, and IT Governance through optional compliance packs.
  • Build and maintain a resilient security operation centre (SOC) through big data security analytics and automation.
  • Integrate your security operations across your IT environment with network operations, service desk, CMDB, business intelligence, Hadoop, email security, application security, threat feeds, etc.
  • Achieve unmatched breadth, depth, and speed of event collection with patented log management tools.
  • Visualize, identify and analyse KPIs and incident metrics through ArcSight’s intuitive, web-based UI.
  • Automate response and repetitive tasks with integrated SOAR technology.

ArcSight ESM provides a central point for analysis of daily business operations. Armed with all this data, the real-time correlation capabilities of ArcSight ESM can detect unusual or unauthorized activities as they occur. Finally, the visualization and reporting capabilities of ArcSight ESM support personalized dashboards and on-demand or scheduled reports for administrators, managers, or auditors.

ArcSight Smart Connectors

ArcSight Connectors automate the process of collecting and managing logs with out-of-the-box SmartConnector support for over 480 data source types and a custom FlexConnector creation framework that enables organizations to collect data from any device and in any format. ArcSight Connectors normalize and categorize logs into a unified format known as Common Event Format (CEF), which is now an industry standard for log formatting. By leveraging CEF to structure and unify all their incoming data, organizations can extract more intelligence with less effort from the data stored in their data lakes and big data tools. Real-time data enrichment adds security context to raw data, making it instantly usable to any Micro Focus or third-party analytics tool, for insightful searching, reporting and analysing.

ArcSight Connectors also manage ongoing updates, upgrades, configuration changes, and administration of distributed deployments through a centralized web-based interface. Connectors can be deployed as software or on an appliance.

ArcSight Connectors enable your security organization to do the following:

  • Scale easily to manage extreme amounts of machine data across IT
  • Reduce the cost of handling large volumes of logs and events in various formats
  • Automate the process of managing Connectors to collect audit-quality log data
  • Share, upload, and download Connectors within the ArcSight community
  • Seamlessly integrate with the ArcSight platform, including ArcSight’s SIEM, UEBA, Threat Hunting, and SOAR capabilities
  • Collect, aggregate, filter, and parse all your data with a broad set of built-in Connectors
  • Manage log records in hundreds of different formats from hundreds of vendors
  • Normalize and categorize logs with patented technology that enables full-text English searching on rich metadata
  • Reduce your storage costs significantly with high compression of log data (up to 10:1)
  • Automate bandwidth management with low footprint

Product Configuration

Day 1 & 2

  • Disable preventive security in Windows endpoints (firewall and Windows Defender)
  • Install Smart Connectors in each eligible VM:
    • Windows Native or Linux Audit File
    • Hollows Hunter Flex Connector
  • Install ESM Console in internal Windows VM
  • Create Active Directory Domain-Level GPO to achieve the following across all Windows VMs in the Domain:
    • Set “Success/Failure” log policy for entire item set in “Audit Policy”
    • Enable command line process creation auditing
    • Enable PowerShell auditing
  • Install latest Sysmon64.exe in all Windows VMs
  • Install portable Perl 5.28.2.1 and Python 3.8 on all Windows VMs
  • Schedule a task to start Hollows Hunter and scan all processes at boot in each Windows VM
  • Linux VMs: Modify /etc/audit/audit.rules to optimize the events sent to the connector.
  • Install Snoopy from its GitHub repository (https://github.com/a2o/snoopy) in the Linux VM and configure the Syslog File connector to capture Snoopy Logger events
  • Install Security Onion VM with Cloud Configuration per the instructions found here:
    https://docs.securityonion.net/en/16.04/cloud-client.html?highlight=azure#microsoft-azure
  • Install the Zeek SmartConnector on the Security Onion VM.
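The Windows part of the procedure above, collected into one script as an added example; it is not Micro Focus's or MITRE Engenuity's code and did not ship with the evaluation. On a single VM it applies the local equivalents of the GPO settings (auditpol writes the advanced subcategory policy, which takes precedence over the basic nine-category policy once it is present), installs Sysmon, registers the boot-time Hollows Hunter scan, and then checks that each setting is actually in place. The tool paths, the report folder, the task name and the hollows_hunter switches are assumptions. Disabling the firewall and Windows Defender is an evaluation convention so the emulated adversary runs unblocked while detections are scored; it is not a visibility setting and is deliberately left out.

```powershell
#Requires -RunAsAdministrator
# Added example, not Micro Focus or MITRE Engenuity code. Applies, on one Windows
# VM, the local equivalents of the domain GPO / install steps listed above, and
# verifies them. The paths and names below are assumptions for this example.

$SysmonExe  = 'C:\Tools\Sysmon64.exe'          # assumed path to Sysinternals Sysmon64
$SysmonCfg  = 'C:\Tools\sysmonconfig.xml'      # assumed Sysmon configuration file
$HollowsExe = 'C:\Tools\hollows_hunter64.exe'  # assumed path to Hollows Hunter
$HollowsOut = 'C:\Tools\hh_reports'            # assumed folder for scan reports

$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$PsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
# Well-known GUID of the "Process Creation" audit subcategory; avoids localized names.
$ProcCreateGuid = '{0CCE922B-69AE-11D9-BED3-505054503030}'

function Enable-AuditVisibility {
    # Success and Failure for every audit subcategory (the "entire item set" GPO step).
    & auditpol.exe /set /category:* /success:enable /failure:enable | Out-Null

    # Put the full command line into Security event 4688 (process creation).
    New-Item -Path $AuditKey -Force | Out-Null
    Set-ItemProperty -Path $AuditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1

    # PowerShell script block logging (event 4104) and module logging (event 4103)
    # for all modules, both in Microsoft-Windows-PowerShell/Operational.
    New-Item -Path "$PsPolicy\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$PsPolicy\ScriptBlockLogging" -Name 'EnableScriptBlockLogging' -Type DWord -Value 1
    New-Item -Path "$PsPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$PsPolicy\ModuleLogging" -Name 'EnableModuleLogging' -Type DWord -Value 1
    Set-ItemProperty -Path "$PsPolicy\ModuleLogging\ModuleNames" -Name '*' -Type String -Value '*'
}

function Install-SysmonService {
    # -accepteula suppresses the licence prompt; -i installs the driver and the
    # service (registered as "Sysmon64") with the supplied configuration.
    & $SysmonExe -accepteula -i $SysmonCfg | Out-Null
}

function Register-HollowsHunterBootScan {
    # Scan every process once at boot as SYSTEM. With no /pid or /pname target
    # hollows_hunter scans all processes; /json and /dir are assumed switch names,
    # check the tool's own usage text before relying on them.
    New-Item -Path $HollowsOut -ItemType Directory -Force | Out-Null
    $action    = New-ScheduledTaskAction -Execute $HollowsExe -Argument "/json /dir `"$HollowsOut`""
    $trigger   = New-ScheduledTaskTrigger -AtStartup
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'HollowsHunterBootScan' -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

function Test-AuditVisibility {
    # One row per setting; a gap shows up as Ok = $false. Safe to run on a
    # domain-joined VM to confirm that the GPO actually applied.
    $procCreate = & auditpol.exe /get "/subcategory:$ProcCreateGuid" /r | ConvertFrom-Csv
    $audit = Get-ItemProperty -Path $AuditKey -ErrorAction SilentlyContinue
    $sbl   = Get-ItemProperty -Path "$PsPolicy\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod   = Get-ItemProperty -Path "$PsPolicy\ModuleLogging" -ErrorAction SilentlyContinue

    @(
        [pscustomobject]@{ Check = '4688 Success+Failure'; Ok = ($procCreate.'Inclusion Setting' -eq 'Success and Failure') }
        [pscustomobject]@{ Check = '4688 command line';    Ok = ($audit.ProcessCreationIncludeCmdLine_Enabled -eq 1) }
        [pscustomobject]@{ Check = 'PS script block log';  Ok = ($sbl.EnableScriptBlockLogging -eq 1) }
        [pscustomobject]@{ Check = 'PS module log';        Ok = ($mod.EnableModuleLogging -eq 1) }
        [pscustomobject]@{ Check = 'Sysmon64 service';     Ok = [bool](Get-Service -Name 'Sysmon64' -ErrorAction SilentlyContinue) }
        [pscustomobject]@{ Check = 'Hollows Hunter task';  Ok = [bool](Get-ScheduledTask -TaskName 'HollowsHunterBootScan' -ErrorAction SilentlyContinue) }
    )
}

Enable-AuditVisibility
Install-SysmonService
Register-HollowsHunterBootScan
Test-AuditVisibility | Format-Table -AutoSize
```

On a domain-joined VM the GPO re-applies on every refresh and overrides local changes, so there run only Test-AuditVisibility to confirm the GPO landed rather than Enable-AuditVisibility. The "Success and Failure" string is the English inclusion setting; compare against the local value on a localized Windows build. Once the checks pass, the Windows Native connector forwards 4688/4103/4104 and the Sysmon channel to ESM, which is what the correlation rules for the evaluation consume.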