Threat Intelligence

by Cody Dumont
July 1, 2014

The hunt for vulnerabilities is an ongoing and never-ending effort, however for SecurityCenter users there is a new weapon in this battle.  The new weapon is threat intelligence provided by ThreatGRID.  Using Nessus plugin 74442 (Microsoft Windows Known Bad AutoRuns & Scheduled Tasks), SecurityCenter users will be able to pinpoint autoruns and/or scheduled tasks that are created by malware. 

ThreatGRID combines advanced malware analysis with deep threat analytics and content to empower security teams to proactively defend against attacks and malware outbreaks. ThreatGRID analyzes millions of malware samples a month, harvested globally, and generates terabytes of rich, actionable content every day, to provide customers unmatched scale, coverage, and protection from global threats. 

The dashboard and its components are available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. The dashboard can be easily located in the SecurityCenter Feed by selecting category Threat Detection & Vulnerability Assessments, and then selecting tags autorun and malicious. The dashboard requirements are:

  • SecurityCenter 4.8.1
  • Nessus 5.2.6

This dashboard includes two new components, “Threat Intelligence - Microsoft Windows Known Bad AutoRuns & Scheduled Tasks” and “Threat Intelligence - Known Bad AutoRun Network Bar Chart”, along with seven other updated components. The new components are:

  • Threat Intelligence - Microsoft Windows Known Bad AutoRuns & Scheduled Tasks: This component provides a list of infected hosts that have been identified with plugin 74442.  The systems identified in this table are most likely compromised and should be immediately removed from the network.  The next step would be to follow an incident response policy and determine if an incident needs to be declared.  Additionally, a forensic analysis should be considered to determine the extent of the compromise.  The table uses the IP Summary tool and is sorted based on repository, and displays the IP Address, NetBIOS Name, FQDN, and OS CPE string.  
  • Threat Intelligence - Known Bad AutoRun Network Bar Chart: This component provides a list of networks with infected hosts that have been identified with plugin 74442. The networks identified in this chart contain hosts that are most likely compromised and should be immediately removed from the network.  The next step would be to follow an incident response policy and determine if an incident needs to be declared.  Additionally, a forensic analysis should be considered to determine the extent of the compromise.  The chart uses the Class C Summary tool and is sorted based on total hosts identified within each network.  

The remaining components are updated components from the following dashboards:

  • Behind the Mask - Monitoring your network for Advanced Persistent Threats (APT) can be a difficult task. However, Tenable customers have the full resources of Tenable Network Security to help.  This dashboard has been put together by one of Tenable's malware research analysts in response to the 'Behind the Mask' discussion posting. The dashboard can be easily located in the SecurityCenter Feed by selecting the “Security Industry Trends” category, and then selecting the tags of “anomalies” and “backdoor”. 
  • Enhanced Botnet Detection - This dashboard was designed to be used with the Enhanced Botnet Detection in Nessus, including the plugin update to divide inbound and outbound connection results. The dashboard can be easily located in the SecurityCenter Feed by selecting the “Discovery & Detection” category, and then selecting the tags of “analysis” and “intrusion”. 
  • Exploitable by Malware - This dashboard provides a detailed view into the exploitability of your network.  This series of components shows which vulnerabilities are exploitable by malware, and then compares the exploitability to attack frameworks. The dashboard can be easily located in the SecurityCenter Feed by selecting the “Threat Detection & Vulnerability Assessments” category, and then selecting the tags of “malicious” and “threat”. 
  • Indicators - This dashboard displays close to 100 different indicators of compromise and suspicious activity based on malicious file hashes, anomalies in network traffic, correlated attacks, and much more. The dashboard can be easily located in the SecurityCenter Feed by selecting the “Monitoring” category, and then selecting the tags of “botnet” and “exploit”. 
  • Unknown Process - This dashboard displays unknown processes, Microsoft Windows autoruns, gray area processes, and known installed software across a series of components.  This dashboard can be easily located in the SecurityCenter Feed by selecting the “Threat Detection & Vulnerability Assessments” category, and then selecting the tags of “regex” and “processes”.

These dashboards have also been updated with the new Nessus plugin. For SecurityCenter users who are currently using these dashboards, the dashboards will need to be downloaded from the feed again to receive the update.