ArcSight and Malware Beaconing - 02-17-2010.pdf

File uploaded by jbradshaw@lastline.com on Mar 14, 2010
Version 1Show Document
  • View in full screen mode

Malware has evolved over the years into sophisticated code that incorporates error detection, stealth capabilities, as well as distributed command and control capabilities.  While security vendors constantly search for methods to identify and detect malware before it can infect a system, there is always the threat that a newer, more sophisticated method will bypass initial detection.  One of the biggest threats facing customers is the unknown sleeper agent awaiting instructions from a master controller to execute its payload.

In order for this command and control structure to work, there must be some form of communication that occurs between the zombie system(s) and the master controller. The regular checking in of a zombie with its master controller (MC) is commonly referred to as Malware Beaconing.  The purpose of this ArcSight Use Case is to document methods the ArcSight Enterprise Security Manager (ESM) correlation engine can assist security analysts in detecting these Malware Beacons.

Outcomes