Correlation features and Use Cases

Automated log analysis and management accelerate threat detection. Evidence of an attack can often be found in your devices, systems, and application logs. UTMStack can be used to aggregate and analyze log data automatically.
Generic Signature-based and Rule-Based Analysis
  1. Log-based intrusion detection: Actively monitors and analyzes data from multiple log sources in real time.
  2. Brute-force attack detection: Detects attempts to break user credentials by issuing massive numbers of authentication requests.
  3. Denial of service: Detects attempts to deny application or system availability by flooding them with requests.
  4. File integrity monitoring: Monitors both files and Windows registry settings in real time, detects changes to the system, and maintains a forensic copy of the data as it changes over time.
  5. Rootkit and malware detection: Process- and file-level analysis detects malicious applications and rootkits.
  6. Unauthorized privileged access attempts: Detects suspicious activity and privilege escalation attempts.
  7. Security policy monitoring: UTMStack leverages SCAP, a standardized compliance-checking solution for enterprise-level infrastructure. The National Institute of Standards and Technology (NIST) maintains the SCAP specifications used to keep enterprise systems secure.
  8. Compliance auditing: Application- and system-level auditing ensures compliance with common standards such as the PCI-DSS, CIS, HIPAA, and GLBA benchmarks.
  9. System inventory: Collects system information such as installed software, hardware, utilization, network services, and listeners.
  10. File classification: Audits critical or classified files for access, changes, or movement.
  11. Privileged identity monitoring: Alerts on suspicious activity of secret accounts and on changes to critical groups such as Administrators and Domain Admins.
Heuristic and Rule-based Analysis
  • Impossible travel: Logon attempts from uncommon locations, or from places that physical constraints would not allow the user to reach within a reasonable time of a previous logon.
  • Potentially Bad Traffic: Traffic that is definitely out of the ordinary and potentially indicative of a compromised system.
  • Attempted Information Leak: Attempted information collection (survey) is a set of processes and techniques (footprinting, scanning, and enumeration) used to discover and collect covert information about a target system. Information leaks or reconnaissance attacks classified as Attempted Information Leaks are not proof that an information-gathering attempt has been successful.
  • Attempted Denial of Service: This alert belongs to the group of rules called "attempted-dos". A Denial-of-Service (DoS) attack shuts down a machine or network, making it inaccessible to its intended users.
  • Attempted User Privilege Gain: Monitors for attackers trying to elevate privileges to an unauthorized level. An attacker with access to a user account can use various system vulnerabilities to elevate privileges and reach data they are not authorized to access.
  • Decode of an RPC Query: Detects RPC-related attacks and vulnerabilities, and also serves logging and protocol-detection purposes. Servers running Portmapper are susceptible to distributed reflected denial-of-service (DRDoS) attacks. A Remote Procedure Call (RPC) is a protocol that one program can use to request a service from a program located on another computer on a network without understanding the network's details.
  • Executable Code Detection: Detects executable code and traffic targeting vulnerabilities found in, or delivered through, executable files, regardless of platform. Shellcode is code injected into a vulnerable program's memory in the form of a byte string. Remote shellcode is used when an attacker targets a vulnerable process running on another machine on a local network or intranet; if successfully executed, it can give the attacker access to the target machine across the network.
  • Suspicious String Detection: A suspicious string was detected. The rule checks whether an individual line is likely an attempt to confuse the reader (spoof detection), such as "pаypаl" spelled with Cyrillic 'а' characters.
  • Suspicious Filename Detection: A suspicious filename was detected. These artifacts are typically associated with malware or intruder activity; for example, the presence of winsrv.exe, svchost.exe, or svchost.dll in unexpected locations is typically malicious.
  • Attempted Login Using a Suspicious User: This alert is generated by a suspicious login attempt; if the attempt succeeded, the attacker may have gained superuser access to the host. It notifies you of suspicious sign-in activity for one of your users, for example a user who does not follow their usual sign-in pattern (such as signing in from an unusual location), or a successful login to a suspended user's account.
  • System Call Detection: System calls are made when a user-mode process requires access to a resource and asks the kernel to provide it. Most attacks that involve a file require at least two system calls: one to open the file and a second to modify it.
  • Network Trojan Detection: Software code of a network Trojan was discovered. A Trojan horse, or Trojan, is malicious code or software that looks legitimate but can take control of your computer. A Trojan is designed to damage, disrupt, steal, or inflict some other harmful action on your data or network, and acts like a bona fide application or file to trick you.
  • Client Was Using an Unusual Port: A client used an unusual port. An application using an unexpected port, or masquerading as a standard application on that port, is a sign of compromise.
  • Detection of a Network Scan: A network scan was detected. Scans are often harbingers of future attacks.
  • Generic Protocol Command Decode: A protocol command was decoded. Protocol decoding is the (automatic) process of analyzing signals or packets and interpreting them according to a specific protocol; it is one of the most sought-after features in logic analyzers.
  • Access to a Potentially Vulnerable Web Application: A web application is a software application that runs on a remote server. In most cases, web browsers are used to access web applications over a network such as the Internet.
  • Web Application Attack: Serious weaknesses or vulnerabilities allow criminals to gain direct access to databases and churn through sensitive data. Many of these databases contain valuable information (e.g., personal data and financial details), making them a frequent target of attacks. Most web application attacks occur through cross-site scripting (XSS) and SQL injection. TCP port 80 for HTTP carries the web traffic that browsers receive and is the port most used in web-based attacks.
  • Misc Activity or Attack: Behavior that may be considered a policy warning was detected. Misc activity rules include detections for various traffic patterns that do not easily fit other class types, such as DNS requests to less common top-level domains like .top, .win, and .trade, traffic to ports used by adware and other potentially unwanted applications (PUAs), and suspicious HTTP user-agent strings.
  • Generic ICMP Event: A "ping" packet was detected. An Internet Control Message Protocol (ICMP) flood attack, also known as a ping flood, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo requests (pings).
  • Potential Corporate Privacy Violation: Raised when someone is trying to exfiltrate data over non-compliant DNS traffic. It also covers detection of access to adult sites such as Kickass porn, which include NSFW content. NSFW is an abbreviation usually expanded as Not Safe For Work (sometimes Not Suitable For Work).
  • Attempt to Login by a Default Username and Password: A login using a default username and password was detected. The initial stages of most attacks involve enumerating legitimate system and user identities, a step needed to find vulnerabilities worth attempting to exploit.
  • Targeted Activity: Refers to unauthorized changes by software to the operating system, registry entries, other software, or files and folders.
  • Exploit-kit: An exploit kit is a toolkit that can probe for vulnerabilities and run exploit code against them to gain unauthorized access to or control of a computer or device.
  • External IP Check: A device retrieving its external IP address was detected. Hacked IP addresses can also be used for DDoS ("distributed denial-of-service") attacks.
  • Domain Check: A domain observed being used for C2 was detected. C2 refers to a malware command-and-control domain, used to download payloads or perform data exfiltration.
  • PUP Activity: A Potentially Unwanted Program (PUP for short) is software that contains adware, installs toolbars, or has other unclear objectives.
  • Credential Theft: Successful credential theft was detected. Credential theft is the process of stealing credentials, the first stage of a credential-based attack.
  • Social Engineering: A possible social engineering attempt was detected. Social engineering is malicious activity accomplished through human interaction; it uses psychological manipulation to trick users into making security mistakes or giving away sensitive information.
  • Coin mining: Cryptocurrency mining activity was detected. The most common way to mine cryptocurrency on standard hardware is to install crypto-mining client software and leave it running in the background.
  • Command and control: Malware command-and-control activity was detected. A command-and-control (C&C) server is a computer controlled by an attacker or cybercriminal, used to send commands to systems compromised by malware and to receive stolen data from a target network. It can be used to disseminate orders that steal data, spread malware, and disrupt web services.
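Two of the heuristics above, impossible travel and suspicious (homoglyph) strings, lend themselves to a short worked example. The following code is an added illustration, not UTMStack's detection code: the event layout, the speed ceiling, the small confusables map and the sample logons are all assumptions made for this example.

```python
"""Added example (not UTMStack code): an impossible-travel check over
logon events and a homoglyph (spoofed string) check.  Event format,
thresholds, the confusables map and the sample data are assumptions."""
import math
import unicodedata
from datetime import datetime, timezone

# Constructed logon events: (user, UTC timestamp, latitude, longitude).
LOGONS = [
    ("alice", "2024-05-01T08:00:00Z", 40.7128, -74.0060),  # New York
    ("alice", "2024-05-01T09:30:00Z", 51.5074, -0.1278),   # London, 90 min later
    ("bob",   "2024-05-01T08:00:00Z", 48.8566, 2.3522),    # Paris
    ("bob",   "2024-05-01T12:00:00Z", 52.5200, 13.4050),   # Berlin, 4 h later
]

MAX_SPEED_KMH = 1000.0  # assumed ceiling, roughly airliner speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return (user, required km/h) for each pair of consecutive logons by
    the same user that would have required travel faster than the ceiling."""
    by_user = {}
    for user, ts, lat, lon in sorted(events, key=lambda e: (e[0], e[1])):
        by_user.setdefault(user, []).append((_parse(ts), lat, lon))
    hits = []
    for user, seq in by_user.items():
        for (t1, la1, lo1), (t2, la2, lo2) in zip(seq, seq[1:]):
            hours = (t2 - t1).total_seconds() / 3600.0
            dist = haversine_km(la1, lo1, la2, lo2)
            if hours > 0:
                speed = dist / hours
            else:  # same timestamp: only a non-zero distance is impossible
                speed = float("inf") if dist > 0 else 0.0
            if speed > max_speed_kmh:
                hits.append((user, round(speed)))
    return hits


# Minimal Cyrillic-to-Latin confusables map (assumption: a real deployment
# would use the full Unicode confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0443": "y", "\u0445": "x"}


def scripts_of(text):
    """Set of scripts (first word of the Unicode name) used by the letters."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def suspicious_string(text):
    """Return (is_suspicious, skeleton).  The skeleton replaces confusable
    characters with ASCII; a string is flagged when its letters mix scripts
    (LATIN plus CYRILLIC) or when the skeleton is pure ASCII but differs
    from the original, i.e. the whole word was built from look-alikes."""
    skeleton = "".join(CONFUSABLES.get(c, c) for c in text)
    mixed = len(scripts_of(text)) > 1
    lookalike = skeleton != text and skeleton.isascii()
    return mixed or lookalike, skeleton


if __name__ == "__main__":
    print(impossible_travel(LOGONS))
    print(suspicious_string("p\u0430yp\u0430l"), suspicious_string("paypal"))
```

Alice's New York logon followed 90 minutes later by a London logon needs roughly 3,700 km/h and is flagged; Bob's Paris-to-Berlin pair at about 220 km/h is not. The skeleton returned by `suspicious_string` is what an analyst would compare against a list of protected brand names.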
Machine Learning Anomaly-based Analysis
The machine learning module creates baselines for metrics such as network traffic, user behavior, and common applications and processes. These baselines allow the engine to define patterns of what can be considered "normal infrastructure and environment activity".
When a process or user behavior falls outside the baseline, a "rule" violation occurs and the machine learning algorithm correlates it. If the correlation yields a risk level higher than 1 (informative event), an alert is generated for further investigation.
The machine learning module currently monitors:
  • User behavior
  • Firewall behavior
  • IPS logs
  • Network activity
  • VPN activity
  • Logs from all systems
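The baseline-then-correlate flow described above, reduced to a runnable sketch. This is an added example, not UTMStack's engine: it stands in a simple per-entity statistical baseline (mean and standard deviation of hourly event counts) for the real machine learning model, and the z-score thresholds, the risk-level scale and the sample counts are assumptions made for the example. What it preserves is the rule from the text: only a risk level above 1 (informative) raises an alert.

```python
"""Added example (not UTMStack code): per-entity baseline of hourly event
counts, anomaly score against that baseline, and a risk-level mapping in
which only levels above 1 (informative) produce an alert.  The scoring
method, thresholds and sample data are assumptions."""
from statistics import mean, pstdev

# Constructed training window: hourly logon counts per entity during a
# period considered normal.
BASELINE_WINDOW = {
    "alice": [3, 4, 2, 5, 3, 4, 3, 4, 2, 3, 4, 3],
    "svc-backup": [1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1],
}

# Constructed observations for the hour being evaluated: (entity, count).
OBSERVATIONS = [
    ("alice", 4),        # within normal range
    ("alice", 9),        # far above alice's usual activity
    ("svc-backup", 1),   # exactly as always
    ("svc-backup", 3),   # a service account suddenly busier than ever
    ("mallory", 1),      # never seen before
]


def build_baseline(window):
    """Mean and standard deviation per entity.  A floor on the deviation
    keeps perfectly constant series (like the service account) scorable."""
    return {k: (mean(v), max(pstdev(v), 0.5)) for k, v in window.items()}


def anomaly_score(baseline, entity, observed):
    """z-score of the observed count against the entity's baseline.
    Entities with no baseline get a fixed score (assumed value)."""
    if entity not in baseline:
        return 2.0
    mu, sigma = baseline[entity]
    return (observed - mu) / sigma


def risk_level(z):
    """0 none, 1 informative, 2 low, 3 medium, 4 high (assumed thresholds)."""
    z = abs(z)
    if z < 1.0:
        return 0
    if z < 2.0:
        return 1
    if z < 3.0:
        return 2
    if z < 4.0:
        return 3
    return 4


def evaluate(baseline, observations):
    """Correlate each observation with its baseline and return alerts for
    every result whose risk level is higher than 1."""
    alerts = []
    for entity, count in observations:
        z = anomaly_score(baseline, entity, count)
        level = risk_level(z)
        if level > 1:
            alerts.append({"entity": entity, "observed": count,
                           "z": round(z, 2), "risk": level})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(build_baseline(BASELINE_WINDOW), OBSERVATIONS):
        print(alert)
```

The floor on the standard deviation matters for service accounts: a series that never varies would otherwise produce a division by zero, and in practice those accounts are exactly the ones whose first deviation from routine deserves a look. The never-seen entity is scored as a low-risk alert so that new accounts surface without drowning out real outliers.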
Threat Intelligence
Analyzes all available security IP feeds, mainly related to online attacks, online service abuse, malware, botnets, command-and-control servers, and other cybercrime activities.
To accomplish this, we include the following IP lists:
  • Fullbogons: Includes IPs that should not be routable on the Internet. It includes the bogons list, which covers private and reserved IPs, but it also includes IPs that are allocated to a local registry yet are not currently assigned to any ISP, corporation, or end user.
  • Spamhaus DROP and EDROP: Advisory "drop all traffic" lists consisting of netblocks that are "hijacked" or leased by professional spam or cyber-crime operations (used for dissemination of malware, trojan downloaders, and botnet controllers).
  • DShield: Summarizes the top 20 attacking class C (/24) subnets over the last three days. The Internet Storm Center of the SANS Institute collects firewall and IDS logs from hundreds of thousands of computers around the globe.
  • Malware lists (command-and-control IPs): Several malware lists are very focused and track only IPs actively used by specific malware families or trojans. We include most of the Abuse.ch and Bambenek Consulting lists, namely feodo, sslbl, zeus_badips, and bambenek_c2 (which includes all Bambenek Consulting lists).
Cloud and SaaS Solutions Rule-based analysis
All UTMStack modules apply to SaaS and Cloud environments. However, there are specialized rules for monitoring these environments.
  1. API management monitoring: Detects suspicious activity or attempts to get information from cloud APIs.
  2. Unauthorized resource access: Detects attempts to access resources that are misconfigured or exposed to the Internet.
  3. SaaS and PaaS specific rules: Rules created to address specific known threats on SaaS applications and PaaS.