FEINT Deep Dive
---------------

What is FEINT actually doing? Let's look at an empty Service-Now Incident form. What data do we actually need?

How are we going to pre-fill the Caller PID? FEINT is protected behind Virginia Tech's Login gateway, which can be used to supply the PID of the currently logged-in user and their email address. ITSO staff update this value once it has been discovered.

How do we look up a FireEye Alert?
----------------------------------

In the first version of FEINT, security analysts had to supply an individual Alert ID manually.

Assuming we've logged into the FireEye API with a username and password and obtained a FireEye API Token, and given an Alert ID from FireEye, we can use PHP cURL to query the FireEye API for that Alert ID.

What does the $alertJSON variable contain if successful? (Note: the data example has been sanitized, and only the tail of the alert object is shown.)

```json
              "name": "Tool.CoinMiner"
            },
            "md5sum": {}
          }
        },
        "cnc-services": {
          "cnc-service": {
            "@attributes": { "port": "443", "protocol": "TCP" },
            "address": "149.123.123.123",
            "channel": "{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"","pass":"","agent":"/ (Windows NT 10.0; Win64; x64) libuv/1.23.0 msvc/2017","algo":["cn","cn/r","cn/wow","cn/2","cn/1","cn/0","cn/half","cn/xtl","cn/msr","cn/xao","cn/rto","cn/gpu","cn/rwz","cn/zls","cn/double"]}}~~"
          }
        },
        "static-analysis": { "static": {} },
        "stolen_data": {
          "@attributes": { "event_id": "11934447" },
          "info": { "@attributes": { "type": "data_thefts" } }
        }
      },
      /*--> THIS (AND THE NAME VALUE FROM ABOVE) IS THE STUFF WE REALLY CARE ABOUT <--*/
      "src": { "ip": "45.123.123.123", "mac": "4c:96:14:99:99:99", "port": "1120" },
      "alert-url": "https://somewhere.at.iso.vt.edu/event_stream/events_for_bot?ev_id=11934447",
      "action": "notified",
      "occurred": "2001-05-09T12:51:07.678-04:00",
      "dst": { "mac": "6c:9c:ed:99:99:99", "port": "443", "ip": "149.123.123.123" }
      /*--> ^^^ THIS IS THE STUFF WE REALLY CARE ABOUT ^^^ <--*/
    }
  }
```

We can use the JSON data to fill out the various fields in a Service-Now Incident. Two problems:

1. FireEye's Severity values don't match ITSO Security Analysts' conclusions about severity.
2. FireEye often does not have adequate, layman-friendly descriptions of malware.

How do we populate the Severity and Malware Description fields?
---------------------------------------------------------------

Create a MySQL database to store:

- FireEye's malware NAME value (the "Detected Issue"),
- a custom Severity value determined by ITSO staff,
- a custom Description of the malware that is end-user-friendly.

By using FireEye's malware NAME value as an INDEX, we create a way to look up the custom Severity and Description values determined by ITSO staff. Now, whenever we look up an alert in FireEye, we can perform a lookup in the custom malware database for a matching entry and pre-fill the Severity and Malware Description fields.

Pre-filling other Service-Now fields using a PHP associative array (Note: the keys of the array correspond to Service-Now field variable names):

Now that we have the JSON data we want to insert, we can query the Service-Now API using PHP cURL, assuming we have a valid Service-Now username and password.

What does the snAPIQuery() function look like?
----------------------------------------------

Only the error-handling tail of the function is shown:

```php
        print "Unable to connect to the Service-Now API.";
        print "Error info: " . curl_error($ch);
        exit("Halting execution since Service-Now could not be reached.");
    }
    curl_close($ch);
    return $snResponse;
}
?>
```
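As an added example (not FEINT's own code, which is PHP), here is the alert-to-incident mapping described above written in Python: the FireEye NAME value is looked up in a stand-in for the ITSO malware table, the Severity field is left blank for an analyst rather than copied from FireEye when no entry exists, and the Service-Now request is assembled with basic auth. The nesting of "name" under "explanation", the MALWARE_TABLE rows, the incident field names (caller_id, short_description, description, severity, work_notes) and the Table API endpoint are assumptions, not values from the page.

```python
import base64
import json

# Constructed, sanitized alert shaped like the FireEye JSON above; the nesting of "name"
# under "explanation" is assumed from that fragment (this page shows only the tail).
ALERT_JSON = """{
  "explanation": {"malware-detected": {"malware": {"name": "Tool.CoinMiner"}}},
  "src": {"ip": "45.123.123.123", "mac": "4c:96:14:99:99:99", "port": "1120"},
  "dst": {"ip": "149.123.123.123", "mac": "6c:9c:ed:99:99:99", "port": "443"},
  "alert-url": "https://somewhere.at.iso.vt.edu/event_stream/events_for_bot?ev_id=11934447",
  "action": "notified",
  "occurred": "2001-05-09T12:51:07.678-04:00"
}"""

# Stand-in for the ITSO MySQL table indexed by FireEye's NAME value (constructed rows).
MALWARE_TABLE = {
    "Tool.CoinMiner": {
        "severity": "3 - Low",
        "description": "Software that quietly uses your computer to mine cryptocurrency.",
    },
}

def lookup_malware(name):
    """ITSO's custom severity/description for a NAME, or None if staff have not reviewed it."""
    return MALWARE_TABLE.get(name)

def build_incident_fields(alert_json, caller_pid):
    """Map one alert to Service-Now incident fields (assumed standard incident field names)."""
    alert = json.loads(alert_json)
    name = alert["explanation"]["malware-detected"]["malware"]["name"]
    custom = lookup_malware(name)
    src, dst = alert["src"], alert["dst"]
    return {
        "caller_id": caller_pid,  # PID supplied by the Login gateway
        "short_description": f"FireEye: {name} on {src['ip']} -> {dst['ip']}:{dst['port']}",
        "description": custom["description"] if custom else f"No ITSO description yet for {name}.",
        # FireEye's own severity is deliberately ignored; blank means an analyst must set it.
        "severity": custom["severity"] if custom else "",
        "work_notes": f"Alert URL: {alert['alert-url']} (occurred {alert['occurred']})",
    }

def build_servicenow_request(instance, user, password, fields):
    """Assemble the POST a cURL call would send (assumed standard Table API endpoint)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {
        "url": f"https://{instance}.service-now.com/api/now/table/incident",
        "headers": {"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        "body": json.dumps(fields),
    }
```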