This guide describes how to deploy the LogRhythm Current Active Threat (CAT) Module, which is intended to help organizations detect and respond to security events that are trending across the security industry at large and that may also occur in their own environment. The module introduces a method for pre-tuning AIE Rules for all environments, provides event progression rule alerting, and establishes the base architecture for IOC-based AIE Rules to be deployed automatically into the organization’s environment.
The CAT Module contains licensed content that is available only to registered customers with a valid maintenance contract.
CAT Module Background
The CAT Module was created to provide LogRhythm clients with two types of functionality, Emerging Threat Event Detection and Known Persistent Threat Event Detection, together with one architectural framework that allows for pre-tuned AIE Rules.
Emerging Threat Event Detection
These AIE Rules are built around the Canary Lists and the Canary Rules. They are designed to trigger on successive events that match threat intelligence list content derived from LogRhythm’s Threat Intelligence Service (TIS) and from curated threat intelligence lists maintained by LogRhythm Labs’ Threat Research Team.
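The following is an added example, not LogRhythm's AIE engine or any CAT Module content, that shows the two stages such a canary rule implies: first matching events against an IOC list, then alerting only when one host produces successive matches inside a time window. The log format, host names, and the IOC list (a TEST-NET-2 address and an RFC 2606 reserved domain) are all constructed for the illustration; a real deployment would feed it TIS or Labs list content and real log sources.

```python
"""Toy canary-list detector with event progression (added example, not LogRhythm code)."""
from collections import defaultdict
from datetime import datetime

# Constructed IOC list standing in for a TIS / LogRhythm Labs threat intelligence list.
# These are reserved test values, not real indicators.
CANARY_LIST = {
    "198.51.100.23",        # TEST-NET-2 address
    "malware-c2.example",   # RFC 2606 reserved domain
}

# Constructed sample log lines in a simple "timestamp host action target" form.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00 ws-01 dns-query malware-c2.example",
    "2024-01-01T10:00:30 ws-01 outbound 198.51.100.23",
    "2024-01-01T10:05:00 ws-02 dns-query intranet.example",
    "2024-01-01T11:00:00 ws-02 outbound 198.51.100.23",
    "2024-01-01T14:00:00 ws-02 outbound 198.51.100.23",
]


def parse(line):
    """Split one constructed log line into (timestamp, host, action, target)."""
    ts, host, action, target = line.split()
    return datetime.fromisoformat(ts), host, action, target


def canary_hits(lines, ioc_list=CANARY_LIST):
    """Stage 1: return every parsed event whose target is on the IOC list."""
    events = [parse(line) for line in lines]
    return [ev for ev in events if ev[3] in ioc_list]


def progression_alerts(lines, window_seconds=600, threshold=2, ioc_list=CANARY_LIST):
    """Stage 2: alert when a single host produces `threshold` or more IOC hits
    within `window_seconds`. Returns {host: [matched targets in the window]}.

    A lone hit is recorded but does not alert; the progression requirement is
    what keeps a single stray DNS lookup from paging the SOC.
    """
    per_host = defaultdict(list)
    for ts, host, _action, target in canary_hits(lines, ioc_list):
        per_host[host].append((ts, target))

    alerts = {}
    for host, events in per_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits within window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = [target for _, target in events[start:end + 1]]
                break
    return alerts


if __name__ == "__main__":
    print("IOC hits:", len(canary_hits(SAMPLE_LOGS)))
    print("alerts (10 min window):", progression_alerts(SAMPLE_LOGS))
    print("alerts (4 h window):", progression_alerts(SAMPLE_LOGS, window_seconds=4 * 3600))
```

With the default ten-minute window only ws-01 alerts: it resolved the listed domain and then connected to the listed address thirty seconds later. ws-02 hit the same address twice but three hours apart, so it only alerts when the window is widened; tuning that window is exactly the kind of per-environment adjustment the pre-tuned rules are meant to spare the SOC.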
Known Persistent Threat Event Detection
These AIE Rules are designed to identify and alert on IOC-related events that affect large numbers of LogRhythm clients and receive wide media coverage. Examples include:
- WannaCry, which successfully compromised more than 200,000 systems in more than 150 countries within 24 hours.
- NotPetya, which successfully compromised more than 10,000 banking, oil and gas, and US pharmaceutical businesses within 48 hours.
- Bad Rabbit, Mirai, Locky, KRACK, or anything involving EternalBlue can fall into this category.
These events require clients to act immediately so that they can detect targeted or compromised systems within their environment.
Pre-Tuned AIE Rules
The CAT Module provides an architectural platform for specialized AIE Rules, built by LogRhythm Labs’ in-house malware and network analysts, to be deployed directly into the client’s environment in direct response to events of this kind. This allows the client’s SOC to spend its finite resources on remediation rather than on intensive analysis.