Final-Connect-Image.jpg

Active Defense: Hash Sets

Posted by Michael Wood   |   December 22, 2015

w-wood_4.jpgWe know that SOC/IR teams suffer from alert overload on a daily basis.  Too many tools resulting in too much data being passed to the teams.  In reviewing those alerts, these folks need to review tons of data to confirm or disprove the alert validity.  SOC and IR pros look for ways to limit the data that they have to review.

CounterTack’s Active Defense can alleviate overload issues by whitelisting using SHA-1 Hash sets.  As an Analyst whitelists their environment, they can add modules SHA-1(s) and product details to a Hash set.  When I create these whitelist hash sets I like to label them as “Known Good”.   If by chance you have a golden image, you can create a CSV file of the SHA-1 of that image and upload it to Active Defense.  When adding a CSV file, you will need all of the column headers “SHA-1, Product, Product Version, Manufacturer, Added On, and Added By.” Otherwise it will not accept the CSV hash set, (see example of the format below).

w-wood_5.jpg

You can add CounterTack’s hash set that whitelists over forty thousand  files.  Analysts can also upload National Institute of Standards Technology’s (NIST) “Minimal” or the “Unique” hash sets.  Pro Tip: When uploading a NIST zip file, wait until it’s completely loaded and status goes to “Ready”… otherwise it will not complete.

When you have whitelisted as many files as you feel gives you the best ability to quickly identify malicious code on your network, and ruled out the “Known Good,” what happens to ALL of the malicious hashes that you get from Intelligence feeds, responding to IR events on the network, etc..?   Active Defense does not have an add malicious hash set(s) option.  I do it the same way that I add my “Known Good” hash sets but also utilize the whitelist and network groups to have Active Defense do the work of finding known malicious hash on your network.  I make separate hash sets into families of malware or threat actors (see picture below).  

w-wood_1.png

Once you have created the malicious hash sets click on the “Whitelist” tab and select “Action New”. A pop-up will open “Whitelist Definition complete Name “Remote Access Tool (RAT)” then click the plus sign next to the  “AND” from the selection select “Module-Hash Set”. Leave the “Equals,” click in “Enter a Value” and select the desired hash set. In this case, I selected my hash set named “RAT” and click “ok”.

w-wood_2.png

Now that we have our hash set added to Whitelist we can create Network Groups. Navigate to the Network tab then select “Group Actions” and click on “Add Group”. A pop-up window will open, name the group and select the tab “Whitelist Filters”.  Check the Name of the whitelist and click the enable button on the right side of the pop-up window (check mark goes way once enabled).  Lastly, click ok and a new Network group has been made.

w-wood_3.png

This set up will allow SOC/ IR departments to employ Hash Sets with the whitelisting to automate finding known malware in your environment.  This will save cycles for SOC/IR to focus on the unknown malicious code! Let us know if you have any questions. 

Topics: Next-gen endpoint security, Hash Sets, Active Defense

Subscribe to Email Updates

Posts by Topic

see all