Sentinel: How does Exploit detection work

  • 3142663
  • 25-Jan-2007
  • 26-Apr-2012

Environment

Microsoft Windows Server 2003 Standard Edition
Microsoft Windows 2000 Server
RedHat Linux
Solaris 9
Sentinel 5.1.x

Situation

Exploit detection

Resolution

Exploit Detection (Mapping Service)

Sentinel provides the ability to cross-reference event data signatures with Vulnerability Scanner data. Users are notified automatically and immediately when an attack is attempting to exploit a vulnerable system. This is accomplished through:

§Advisor Feed

§Intrusion detection

§Vulnerability scanning

§Firewalls

Advisor provides a cross-reference between event data signatures and vulnerability scanner data. Advisor feed has an alert and attack feed. The alert feed contains information about vulnerabilities and threats. The attack feed is a normalization of event signatures and vulnerability plug-ins. For information about Advisor installation, see the Sentinel Installation Guide.

Supported Products

Intrusion Detection Systems

§Cisco Secure IDS

§Enterasys Dragon Host Sensor

§Enterasys Dragon Network Sensor

§ISS BlackICE

§ISS RealSecure Desktop

§ISS RealSecure Network

§ISS RealSecure Server

§ISS RealSecure Guard

§McAfee IntruShield

§Snort

§Symantec Network Security 4.0 (ManHunt)

§Symantec Intruder Alert

Vulnerability Scanners

§eEYE Retina

§Foundstone Foundscan

§ISS Database Scanner

§ISS Internet Scanner

§ISS System Scanner

§ISS Wireless Scanner

§Nessus

§nCircle IP360

Firewalls

§Cisco IOS Firewall

Exploit detection requires at least one vulnerability scanner and at least one IDS or firewall from the supported products above. The DeviceName (rv31) of the IDS or firewall must appear in the event, and the IDS or firewall must properly populate the DeviceAttackName (rt1) field (for example, WEB-PHP Mambo uploadimage.php access).

The Advisor feed is sent to the database and then to the Exploit Detection Service. The Exploit Detection Service will generate one or two files depending upon what kind of data has been updated.

The Exploit Detection Map Files are used by the Mapping Service to map attacks to exploits of vulnerabilities.

Vulnerability scanners find the vulnerable areas of a system (asset). IDSs detect attacks, if any, against those vulnerable areas, and firewalls detect whether any traffic is directed at them. If a detected attack is associated with one of these vulnerabilities, the asset has been exploited.

The Exploit Detection Service generates two files located in:

$ESEC_HOME/sentinel/bin/map_data

The two files are attackNormalization.csv and exploitDetection.csv.

The attackNormalization.csv is generated after one of the following:

§Advisor feed

§DAS Startup (if enabled in das_query.xml, disabled by default)

The exploitDetection.csv is generated after one of the following:

§Advisor feed

§Vulnerability scan

§Sentinel Server Startup (if enabled in das_query.xml, disabled by default)

By default, two event columns are configured for exploit detection, and both are referenced from a map (all mapped tags show the scroll icon):

§Vulnerability

§AttackId

When the vulnerability field (vul) equals 1, the asset or destination device is exploited. If the vulnerability field equals 0, the asset or destination device is not exploited.

Sentinel comes pre-configured with the following map names associated with attackNormalization.csv and exploitDetection.csv.

Map Name                        csv File Name
AttackSignatureNormalization    attackNormalization.csv
IsExploitWatchlist              exploitDetection.csv

There are two types of data sources:

§External - retrieves information from the agent

§Referenced from Map - retrieves information from a map file to populate the tag.

The AttackId tag uses the Device column (the type of security device, for example Snort) and the AttackSignature column as keys, and takes its value from the NormalizedAttackID column of attackNormalization.csv. For a row whose Device column (populated from the Advisor and vulnerability information in the Sentinel database) matches the event's DeviceName tag, an IDS device such as Snort, and whose AttackSignature column (populated from Advisor information in the Sentinel database via the Exploit Detection Service) matches the event's DeviceAttackName tag, AttackId takes the value of NormalizedAttackID in that row.

The Vulnerability tag has the column entry "_EXIST_", which means the map result is 1 if the key is present in IsExploitWatchlist (the exploitDetection.csv file) and 0 if it is not. The key columns for the Vulnerability tag are IP and NormalizedAttackId. When an incoming event's DestinationIP tag matches the IP column and its AttackId tag matches NormalizedAttackId in the same row, the result is one (1). If no row matches both keys, the result is zero (0).
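The two-stage lookup described above (AttackId from attackNormalization.csv, then Vulnerability as an _EXIST_ test against exploitDetection.csv), modelled as an added Python example; this is not Sentinel code, and the CSV column layout, the sample rows and the ADV-* identifiers are constructed assumptions.

```python
import csv
import io

# Constructed sample of attackNormalization.csv. Device and AttackSignature are
# the key columns, NormalizedAttackID the mapped value. The real file's column
# order is not shown on this page, so this layout is an assumption.
ATTACK_NORMALIZATION_CSV = """Device,AttackSignature,NormalizedAttackID
Snort,WEB-PHP Mambo uploadimage.php access,ADV-1001
Snort,WEB-MISC /etc/passwd,ADV-1002
"""

# Constructed sample of exploitDetection.csv. IP and NormalizedAttackId are the
# key columns; a matching row's mere existence (_EXIST_) is what counts.
EXPLOIT_DETECTION_CSV = """IP,NormalizedAttackId
10.0.0.5,ADV-1001
10.0.0.7,ADV-1002
"""


def load_map(csv_text, key_columns, value_column=None):
    """Build a dict keyed on the tuple of key columns. With value_column=None
    the map behaves like an _EXIST_ map: only key presence matters."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = tuple(row[c] for c in key_columns)
        table[key] = row[value_column] if value_column else True
    return table


ATTACK_SIGNATURE_NORMALIZATION = load_map(
    ATTACK_NORMALIZATION_CSV, ("Device", "AttackSignature"), "NormalizedAttackID")
IS_EXPLOIT_WATCHLIST = load_map(EXPLOIT_DETECTION_CSV, ("IP", "NormalizedAttackId"))


def exploit_detect(event):
    """Populate AttackId and Vulnerability on an event dict carrying the
    DeviceName (rv31), DeviceAttackName (rt1) and DestinationIP tags."""
    # Stage 1: AttackId is NormalizedAttackID where Device and AttackSignature match.
    # A missing DeviceName or DeviceAttackName tag yields no AttackId at all.
    attack_id = ATTACK_SIGNATURE_NORMALIZATION.get(
        (event.get("DeviceName"), event.get("DeviceAttackName")))
    # Stage 2: Vulnerability is 1 only if (DestinationIP, AttackId) is a row
    # of the watchlist, otherwise 0 (including when AttackId is unresolved).
    key = (event.get("DestinationIP"), attack_id)
    vulnerable = 1 if key in IS_EXPLOIT_WATCHLIST else 0
    return {**event, "AttackId": attack_id, "Vulnerability": vulnerable}
```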