
SIEM Use cases

Business Unit
BOCHK Use Case Scenarios
Strictly Private and Confidential
4 July 2016
Draft
Contents
IBM QRadar Use Case Scenarios for the domains listed below:
1. Insider Threats Detection
2. E-Banking/External Threats Detection
3. APT Detection
4. Malware Detection
BOCHK Use Case Scenarios
PwC
Strictly private and confidential
Draft
4 July 2016
Insider Threats Detection
1. Possible data exfiltration attempt
Objective:
To trigger an alert notification if any unauthorized transfer of data from a critical server is detected over the network, e.g. sensitive data being transferred outside via P2P, a backdoor/spyware program, or an unauthorized port being enabled.
Diagram: access logs from Windows/Linux servers, NetFlow network flows and firewall traffic feed the SIEM correlation engine, which raises a "Possible data exfiltration attempt detected" alert on data being transferred outside via P2P or IRC, on a spyware/backdoor detection, or on access over unauthorized ports.
Data Sources: Windows/Linux Server Logs, Network Flows
Indicators of Compromise (IOC): Unusual Outbound Network Traffic, Mismatched Port-application Traffic
2. Possible compromised account
Objective:
To trigger an alert/notification if a user account (e.g. Admin) is accessed from two different source IPs at the same time, inferring that the user account may be compromised.
Diagram: user authentication logs from Active Directory, the LDAP server and the VPN feed the SIEM correlation engine; the same UserID (Admin) is seen from Source IP 192.168.1.11 (Hostname MachineA), 192.168.5.13 (Hostname MachineB) and 192.168.9.17 (Hostname MachineC), and a "Possible compromised account" alert is raised.
Data Sources: Active Directory, LDAP Logs, VPN Authentication Logs
Indicators of Compromise (IOC): Anomalies In User Account Activity and Other Log-In Red Flags
3. Possible brute force password attack
Objective:
To trigger an alert in order to capture any brute force attack attempt intended to gain unauthorized access to a system or an application.
Diagram: user authentication logs from AD/LDAP/web servers feed the SIEM correlation engine, which raises a "Possible brute force password attack" alert on any of three patterns: multiple login failures from the same source address using the same userID; multiple login failures from the same source address using different userIDs; multiple login failures from multiple source IPs using the same userID.
Data Sources: Active Directory, LDAP, Web Servers, VPN, Application Authentication Logs
Indicators of Compromise (IOC): Anomalies In Privileged User Account Activity, High Counts Of Failed Logons
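The three failure patterns above are all counts over a sliding window, keyed differently. The following is an added example of that correlation logic run over constructed failed-logon events; it is not PwC's or QRadar's code, and the window size, the threshold, the event layout and the sample data are assumptions made for the example.

```python
"""Brute-force password attack detection (added example, not from the page).

The use case lists three correlation patterns over failed logons:
  1. many failures from one source IP against one user ID
  2. many failures from one source IP against many different user IDs
  3. many failures from many source IPs against one user ID
Each pattern counts events for its key inside a sliding window; the window,
threshold and event layout are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed correlation window
THRESHOLD = 5                    # assumed failure count per pattern

# Constructed failed-logon events: (timestamp, source IP, user ID).
SAMPLE_FAILURES = [
    ("2016-07-04 09:00:01", "10.1.1.5", "admin"),
    ("2016-07-04 09:00:07", "10.1.1.5", "admin"),
    ("2016-07-04 09:00:15", "10.1.1.5", "admin"),
    ("2016-07-04 09:00:26", "10.1.1.5", "admin"),
    ("2016-07-04 09:00:40", "10.1.1.5", "admin"),       # 5th -> pattern 1
    ("2016-07-04 09:05:00", "10.3.3.3", "bob"),         # isolated noise
    ("2016-07-04 09:10:02", "10.1.1.9", "alice"),
    ("2016-07-04 09:10:04", "10.1.1.9", "carol"),
    ("2016-07-04 09:10:06", "10.1.1.9", "dave"),
    ("2016-07-04 09:10:08", "10.1.1.9", "erin"),
    ("2016-07-04 09:10:10", "10.1.1.9", "frank"),       # 5th -> pattern 2
    ("2016-07-04 09:20:00", "10.2.0.1", "svc_backup"),
    ("2016-07-04 09:21:00", "10.2.0.2", "svc_backup"),
    ("2016-07-04 09:22:00", "10.2.0.3", "svc_backup"),
    ("2016-07-04 09:23:00", "10.2.0.4", "svc_backup"),
    ("2016-07-04 09:24:00", "10.2.0.5", "svc_backup"),  # 5th -> pattern 3
    ("2016-07-04 09:40:00", "10.3.3.3", "bob"),         # 35 min after first: no
]


def _expire(events, now, window):
    """Drop events older than the window from the left of a deque."""
    while events and now - events[0][0] > window:
        events.popleft()


class BruteForceDetector:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.by_src_user = defaultdict(deque)  # (src, user) -> [(ts, None)]
        self.by_src = defaultdict(deque)       # src -> [(ts, user)]
        self.by_user = defaultdict(deque)      # user -> [(ts, src)]

    def observe(self, ts, src, user):
        """Record one failed logon and return the alerts it triggers."""
        alerts = []
        for key, store, attr in (
            ((src, user), self.by_src_user, None),
            (src, self.by_src, user),
            (user, self.by_user, src),
        ):
            q = store[key]
            q.append((ts, attr))
            _expire(q, ts, self.window)
        # Pattern 1: plain count for the (source, user) pair.
        if len(self.by_src_user[(src, user)]) >= self.threshold:
            alerts.append(("same_src_same_user", src, user))
        # Pattern 2: distinct user IDs tried from this source.
        users = {u for _, u in self.by_src[src]}
        if len(users) >= self.threshold:
            alerts.append(("same_src_many_users", src, None))
        # Pattern 3: distinct sources tried against this user ID.
        sources = {s for _, s in self.by_user[user]}
        if len(sources) >= self.threshold:
            alerts.append(("many_src_same_user", None, user))
        return alerts


def detect(events, window=WINDOW, threshold=THRESHOLD):
    """Run the detector over (timestamp, src, user) tuples; return alerts."""
    det = BruteForceDetector(window, threshold)
    alerts = []
    for ts_text, src, user in sorted(events):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        alerts.extend(det.observe(ts, src, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FAILURES):
        print(alert)
```

Each pattern fires once its key reaches the threshold inside the window; a production rule would additionally suppress repeat alerts for the same key until the window has cleared, which is omitted here to keep the logic visible.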
4. Outgoing request to malicious URL
Objective:
To trigger an alert if a machine/server shows any suspicious behavior in accessing a malicious or blacklisted URL.
Diagram: proxy logs from the web proxy server and threat intelligence logs from the threat intelligence source feed the SIEM correlation engine, which raises an "Outgoing request to malicious URL" alert on suspicious system behavior that generates web requests to URLs, using threat-intelligence-based correlation for blacklisted and malicious URLs.
Data Sources: Proxy Server Logs, Threat Intelligence Feed
Indicators of Compromise (IOC): Unusual Outbound Network Traffic, Geographical Irregularities, Protocol Anomalies
5. Data leakage by outgoing employee
Objective:
To trigger an alert if an outgoing employee shares confidential data through web or email; the rule correlates the HRMS data for outgoing employees with proxy and email server logs.
Diagram: the list of outgoing employees from the HRMS database, proxy logs from the web proxy server and email logs (containing sender and recipient information) from the e-mail server feed the SIEM correlation engine, which correlates the HRMS data for resigned employees with the proxy and email servers and raises a "Data leakage by outgoing employee" alert if the employee shares confidential data through web or email.
Data Sources: Proxy Server Logs, Threat Intelligence Feed
Indicators of Compromise (IOC): Unusual Outbound Web Traffic, Geographical Irregularities
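The rule above is a join between an HR extract and two log sources. The following added example shows that join over constructed data; it is not PwC's or QRadar's code, and the corporate domain, the upload threshold, the log layouts and every record in it are assumptions made for the example.

```python
"""Data-leakage correlation for outgoing employees (added example).

Joins an HRMS list of employees on notice with e-mail logs (sender,
recipient, attachment size) and proxy logs (user, method, host, bytes
uploaded). The domain, thresholds, layouts and records are constructed.
"""
from datetime import datetime, timedelta

CORPORATE_DOMAIN = "bank.example"          # assumed internal mail/web domain
UPLOAD_THRESHOLD_BYTES = 5 * 1024 * 1024   # assumed: flag uploads >= 5 MiB

# Constructed HRMS extract: user ID, date notice was given, last working day.
HRMS_OUTGOING = [
    {"user": "jdoe", "notice_date": "2016-06-20", "last_day": "2016-07-20"},
    {"user": "mlee", "notice_date": "2016-03-01", "last_day": "2016-03-31"},  # already left
]

# Constructed mail-server log: (timestamp, sender, recipient, attachment bytes).
EMAIL_LOG = [
    ("2016-07-04 10:02:11", "jdoe@bank.example", "jdoe.personal@webmail.example", 3_145_728),
    ("2016-07-04 10:05:40", "jdoe@bank.example", "team@bank.example", 2_097_152),
    ("2016-07-04 11:15:03", "asmith@bank.example", "vendor@partner.example", 1_048_576),
]

# Constructed proxy log: (timestamp, user, method, host, bytes sent by client).
PROXY_LOG = [
    ("2016-07-04 12:30:00", "jdoe", "POST", "drive.cloudshare.example", 8_388_608),
    ("2016-07-04 12:31:00", "jdoe", "GET", "intranet.bank.example", 512),
    ("2016-07-04 13:00:00", "asmith", "PUT", "backup.cloudshare.example", 20_971_520),
]


def _parse(ts_text):
    return datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")


def outgoing_users(hrms, at):
    """User IDs whose notice period covers the moment `at`."""
    result = set()
    for row in hrms:
        notice = datetime.strptime(row["notice_date"], "%Y-%m-%d")
        # Treat the whole last working day as still inside the notice period.
        last = datetime.strptime(row["last_day"], "%Y-%m-%d") + timedelta(days=1)
        if notice <= at < last:
            result.add(row["user"])
    return result


def _is_external(address_or_host):
    """True when a mail address or web host is outside the corporate domain."""
    domain = address_or_host.rsplit("@", 1)[-1].lower()
    return not (domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN))


def correlate(hrms, email_log, proxy_log):
    """Return alerts for outgoing employees sending data outside the company."""
    alerts = []
    for ts_text, sender, recipient, attach_bytes in email_log:
        ts = _parse(ts_text)
        user = sender.split("@", 1)[0]
        if user in outgoing_users(hrms, ts) and attach_bytes > 0 and _is_external(recipient):
            alerts.append(("email_to_external", user, recipient, attach_bytes))
    for ts_text, user, method, host, bytes_out in proxy_log:
        ts = _parse(ts_text)
        if (user in outgoing_users(hrms, ts) and method in ("POST", "PUT")
                and _is_external(host) and bytes_out >= UPLOAD_THRESHOLD_BYTES):
            alerts.append(("web_upload_to_external", user, host, bytes_out))
    return alerts


if __name__ == "__main__":
    for alert in correlate(HRMS_OUTGOING, EMAIL_LOG, PROXY_LOG):
        print(alert)
```

The HRMS membership test is evaluated at the event's own timestamp, so an employee who has already left no longer matches and the rule does not fire on stale HR rows; the larger upload by a user who is not on notice is deliberately left alone, which is what keeps this rule specific to the use case.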
E-Banking/External Threats Detection
6. Possible online banking fraud
Objective:
To trigger an alert/notification to capture possible online banking fraud scenarios, for example by correlating an e-Banking PIN change with large money transfers.
Diagram: authentication/transaction logs from the e-Banking application feed the SIEM correlation engine, which raises a "Possible online banking fraud" alert if a large amount of money was transferred or a big online transaction happens followed by an e-Banking PIN change.
Data Sources: Custom Application: E-banking Application Logs
Indicators of Compromise (IOC): Unusual Inbound Web Traffic, E-banking Transaction/Access Logs
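This is a sequence correlation: two event types on the same account inside one window. The following added example implements it over constructed e-Banking events and accepts both orderings (PIN change then transfer, or transfer then PIN change); it is not PwC's or QRadar's code, and the amount threshold, the window and the event layout are assumptions.

```python
"""PIN change correlated with large transfers (added example).

Keeps, per e-banking account, the recent events of both kinds and raises an
alert when a PIN change and a transfer at or above the threshold fall within
the window, in either order. Threshold, window and layout are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LARGE_TRANSFER = 20_000       # assumed amount threshold (account currency)
WINDOW = timedelta(hours=2)   # assumed correlation window

# Constructed e-banking application events:
# (timestamp, account, event type, amount or None)
SAMPLE_EVENTS = [
    ("2016-07-04 10:00:00", "ACC-1001", "pin_change", None),
    ("2016-07-04 10:12:00", "ACC-1001", "transfer", 50_000),  # after PIN change -> alert
    ("2016-07-04 10:20:00", "ACC-2002", "transfer", 200),
    ("2016-07-04 10:25:00", "ACC-2002", "pin_change", None),  # small amount -> no alert
    ("2016-07-04 08:00:00", "ACC-3003", "transfer", 80_000),
    ("2016-07-04 20:00:00", "ACC-3003", "pin_change", None),  # 12 h apart -> no alert
    ("2016-07-04 09:00:00", "ACC-4004", "transfer", 25_000),
    ("2016-07-04 09:30:00", "ACC-4004", "pin_change", None),  # before PIN change -> alert
]


def _parse(ts_text):
    return datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")


def detect(events, large=LARGE_TRANSFER, window=WINDOW):
    """Return (account, pin_change_ts, transfer_ts, amount) for correlated pairs."""
    recent = defaultdict(lambda: {"pin_change": [], "transfer": []})
    alerts = []
    for ts_text, account, kind, amount in sorted(events, key=lambda e: e[0]):
        ts = _parse(ts_text)
        state = recent[account]
        # Drop events that fell out of the window so lookups stay bounded.
        for key in state:
            state[key] = [e for e in state[key] if ts - e[0] <= window]
        if kind == "transfer":
            if amount >= large:
                for pin_ts, _ in state["pin_change"]:
                    alerts.append((account, pin_ts, ts, amount))
            state["transfer"].append((ts, amount))
        elif kind == "pin_change":
            for tr_ts, tr_amount in state["transfer"]:
                if tr_amount >= large:
                    alerts.append((account, ts, tr_ts, tr_amount))
            state["pin_change"].append((ts, None))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events are processed in timestamp order regardless of the order they arrive in, which matters for a SIEM that receives the application logs in batches; the per-account state is pruned on every event so memory stays proportional to activity inside the window.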
7. Account accessed from a malicious/blacklisted source IP/domain
Objective:
To trigger an alert if an e-Banking account is accessed from a known malicious or blacklisted source IP or domain, correlated with the X-Force threat intelligence feed.
Diagram: authentication/transaction logs from the e-Banking application and threat intelligence logs from the threat intelligence source feed the SIEM correlation engine, which raises an "Account accessed from a known malicious/blacklisted source IP" alert when an account is accessed from a known malicious/blacklisted source IP; feeds from the threat intelligence source are correlated with the application logs to capture such suspicious activity.
Data Sources: Custom Application: E-banking Application Logs, Threat Intelligence Feed
Indicators of Compromise (IOC): Unusual Inbound Traffic, Source IP, Source Domain, User Account
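Use case 4 (malicious URLs in proxy logs) and this use case (listed source IPs in e-Banking logins) share one mechanism: a lookup of a log field against a threat intelligence feed. The added example below shows both lookups over constructed data, including the two details that commonly go wrong, matching subdomains of a listed domain and matching addresses inside a listed network. It is not PwC's, QRadar's or X-Force's code; the feed contents, the log formats and the sample records are assumptions, and the addresses come from documentation ranges.

```python
"""Threat-intelligence correlation for proxy URLs and e-banking logins
(added example for use cases 4 and 7).

Use case 4 matches the host of each outbound web request against listed
domains (including their subdomains); use case 7 matches the source IP of
each e-banking login against listed addresses and networks. The feed, the
log lines and their formats are constructed for this example.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed threat-intelligence feed (documentation-range addresses).
TI_FEED = {
    "domains": {"evil-updates.example", "c2.badhost.example"},
    "networks": ["203.0.113.0/24", "198.51.100.77/32"],
}

# Constructed proxy log lines: "timestamp user source_ip method url status"
PROXY_LINES = [
    "2016-07-04T09:15:02 jdoe 10.0.4.12 GET http://cdn.evil-updates.example/u.bin 200",
    "2016-07-04T09:15:09 jdoe 10.0.4.12 GET https://intranet.bank.example/home 200",
    "2016-07-04T09:16:30 asmith 10.0.4.40 GET http://notevil-updates.example/ 200",
    "2016-07-04T09:17:01 asmith 10.0.4.40 POST https://c2.badhost.example:8443/beacon 503",
]

# Constructed e-banking authentication events: (timestamp, account, source IP).
EBANKING_LOGINS = [
    ("2016-07-04T09:20:00", "ACC-1001", "203.0.113.77"),
    ("2016-07-04T09:21:00", "ACC-2002", "192.0.2.15"),
    ("2016-07-04T09:22:00", "ACC-3003", "198.51.100.77"),
]


class ThreatIntel:
    def __init__(self, feed):
        self.domains = {d.lower().rstrip(".") for d in feed["domains"]}
        self.networks = [ipaddress.ip_network(n) for n in feed["networks"]]

    def match_host(self, host):
        """Return the listed domain that host equals or is a subdomain of, else None."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])   # host, then each parent domain
            if candidate in self.domains:
                return candidate
        return None

    def match_ip(self, ip_text):
        """Return the listed network containing the address, else None."""
        addr = ipaddress.ip_address(ip_text)
        for net in self.networks:
            if addr in net:
                return str(net)
        return None


def check_proxy(lines, intel):
    """Use case 4: alerts for requests whose host is on the feed."""
    alerts = []
    for line in lines:
        ts, user, src, method, url, status = line.split()
        host = urlsplit(url).hostname or ""     # strips scheme, port and path
        hit = intel.match_host(host)
        if hit:
            alerts.append(("malicious_url", user, src, host, hit))
    return alerts


def check_ebanking_logins(events, intel):
    """Use case 7: alerts for account logins from listed source addresses."""
    alerts = []
    for ts, account, src in events:
        hit = intel.match_ip(src)
        if hit:
            alerts.append(("login_from_listed_ip", account, src, hit))
    return alerts


if __name__ == "__main__":
    intel = ThreatIntel(TI_FEED)
    for alert in check_proxy(PROXY_LINES, intel) + check_ebanking_logins(EBANKING_LOGINS, intel):
        print(alert)
```

Matching is done on whole labels, so "notevil-updates.example" does not match the listed "evil-updates.example" while "cdn.evil-updates.example" does; a plain substring test would get the first case wrong.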
8. Same user logon from different geolocations
Objective:
To trigger an alert if an e-Banking account is accessed from two different countries/time zones within a short period of time.
Diagram: authentication/transaction logs from the e-Banking application and threat intelligence logs from the threat intelligence source feed the SIEM correlation engine, which raises a "Same account accessed from two different countries" alert when an account is accessed from a different country or time zone within 5 hours; this may infer that the user account is compromised or hacked.
Data Sources: Custom Application: E-banking Application Logs, Threat Intelligence Feed
Indicators of Compromise (IOC): Unusual Spikes In Incoming Or Outgoing Network Traffic, Access From IP Addresses In Unexpected Geographic Locations
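Use case 2 (one account from two source IPs at the same time) and this use case (one account from two countries within 5 hours) are the same detector with a different attribute and window. The added example below runs both over constructed successful-login events; it is not PwC's or QRadar's code. The 5-hour window is the one this use case states; the 15-minute concurrency window for use case 2, the country values (which a GeoIP lookup would supply in practice) and the sample events are assumptions.

```python
"""Same account from different sources (added example for use cases 2 and 8).

Use case 2 flags an account seen from two source IPs close enough in time to
be concurrent; use case 8 flags an e-banking account seen from two countries
within 5 hours (the window the use case states). The concurrency window, the
country field and the events are assumptions made for this example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CONCURRENT_WINDOW = timedelta(minutes=15)   # assumed "same time" for use case 2
GEO_WINDOW = timedelta(hours=5)             # stated in use case 8

# Constructed successful-login events: (timestamp, user, source IP, country).
# In a deployment the country would come from a GeoIP lookup on the source IP.
SAMPLE_LOGINS = [
    ("2016-07-04 09:00:00", "Admin", "192.168.1.11", "HK"),
    ("2016-07-04 09:03:00", "Admin", "192.168.5.13", "HK"),   # 2nd IP within 3 min
    ("2016-07-04 10:00:00", "c1001", "203.0.113.5", "HK"),
    ("2016-07-04 12:30:00", "c1001", "198.51.100.9", "GB"),   # new country, 2.5 h later
    ("2016-07-04 08:00:00", "c2002", "203.0.113.8", "HK"),
    ("2016-07-04 15:00:00", "c2002", "192.0.2.44", "US"),     # 7 h later: outside window
]


def detect(events, concurrent=CONCURRENT_WINDOW, geo=GEO_WINDOW):
    """Return alerts of the form (rule, user, earlier detail, later detail)."""
    history = defaultdict(deque)     # user -> recent (ts, ip, country)
    alerts = []
    for ts_text, user, ip, country in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        recent = history[user]
        while recent and ts - recent[0][0] > geo:
            recent.popleft()         # the longer window bounds the history
        for prev_ts, prev_ip, prev_country in recent:
            if prev_ip != ip and ts - prev_ts <= concurrent:
                alerts.append(("concurrent_source_ips", user, (prev_ts, prev_ip), (ts, ip)))
            if prev_country != country:
                alerts.append(("different_country", user, (prev_ts, prev_country), (ts, country)))
        recent.append((ts, ip, country))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGINS):
        print(alert)
```

One history per user serves both rules because the geolocation window is the longer of the two; the concurrency test simply applies a tighter time bound to the same entries.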
APT Detection
9. Communication on non-standard ports
Objective:
To trigger an alert if a network communication is detected on a non-standard port.
Diagram: network flow traffic from network flow analytics and firewall logs from the Internet firewall feed the SIEM correlation engine, which raises an "APT detected on machine" alert.
Data Sources: Network Flows, Internet Firewall
Indicators of Compromise (IOC): Connections On Unusual Ports Or Protocols, Unusual Inbound & Outbound Network Traffic, Mismatched Port-application Traffic
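This use case and use case 1 (data exfiltration from a critical server) both work on flow records: unauthorized outbound ports, P2P/IRC applications, unusual outbound volume, and traffic whose identified application does not match its port. The added example below applies those checks to constructed flow records; it is not PwC's or QRadar's code. The critical-server list, the per-server port allow-list, the internal network ranges, the port-to-application map, the volume threshold and the application labels are assumptions (in QRadar the application field would come from the flow processor's own classification).

```python
"""Flow-based exfiltration and non-standard-port detection (added example
for use cases 1 and 9).

Checks each flow for a port/application mismatch and for P2P/IRC
applications, and checks flows from critical servers to the Internet for
unauthorized ports and for cumulative outbound volume. Every list, map,
threshold and record below is an assumption made for this example.
"""
import ipaddress
from collections import defaultdict

CRITICAL_SERVERS = {"10.0.0.5"}                          # assumed
ALLOWED_OUTBOUND_PORTS = {"10.0.0.5": {443, 53}}         # assumed per-server allow-list
EXPECTED_APP_ON_PORT = {22: "ssh", 53: "dns", 80: "http", 443: "https"}   # assumed
P2P_IRC_APPS = {"bittorrent", "irc"}                     # assumed application labels
VOLUME_THRESHOLD = 500 * 1024 * 1024                     # assumed: 500 MiB outbound
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in    # assumed local ranges
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (timestamp, src IP, dst IP, dst port, app, bytes out).
SAMPLE_FLOWS = [
    ("2016-07-04 01:00:00", "10.0.0.5", "198.51.100.10", 443, "https", 2_048),
    ("2016-07-04 01:05:00", "10.0.0.5", "198.51.100.10", 443, "ssh", 900 * 1024 * 1024),
    ("2016-07-04 01:10:00", "10.0.0.5", "198.51.100.20", 6881, "bittorrent", 50 * 1024 * 1024),
    ("2016-07-04 01:12:00", "10.0.0.7", "198.51.100.30", 6667, "irc", 4_096),
    ("2016-07-04 01:15:00", "10.0.0.5", "10.0.0.9", 445, "smb", 10 * 1024 * 1024),
]


def is_external(ip_text):
    """True when the address is outside the configured internal ranges."""
    addr = ipaddress.ip_address(ip_text)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect(flows):
    """Return (rule, src, dst, port, detail) alerts for the flows, in order."""
    alerts = []
    outbound_bytes = defaultdict(int)   # critical server -> bytes sent to the Internet
    volume_alerted = set()
    for ts, src, dst, port, app, nbytes in flows:
        # Port/application mismatch (use case 9) applies to every flow.
        expected = EXPECTED_APP_ON_PORT.get(port)
        if expected and app != expected:
            alerts.append(("port_app_mismatch", src, dst, port, app))
        if app in P2P_IRC_APPS:
            alerts.append(("p2p_or_irc", src, dst, port, app))
        if src not in CRITICAL_SERVERS or not is_external(dst):
            continue
        # Remaining checks (use case 1) are for critical servers talking outside.
        if port not in ALLOWED_OUTBOUND_PORTS.get(src, set()):
            alerts.append(("unauthorized_port", src, dst, port, app))
        outbound_bytes[src] += nbytes
        if outbound_bytes[src] >= VOLUME_THRESHOLD and src not in volume_alerted:
            volume_alerted.add(src)
            alerts.append(("outbound_volume", src, None, None, outbound_bytes[src]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
```

The internal ranges are configured explicitly rather than taken from `ipaddress`'s `is_private`, because that property also covers documentation ranges such as 198.51.100.0/24 and would misclassify the sample destinations; a SIEM's own local-network definition is the equivalent of this list.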
10. Anomalies in privileged user account activity or permission changes
Objective:
To trigger an alert if anomalies in privileged user account activity or changes in permissions are detected in the network.
Diagram: database audit logs from the DB and Windows server authentication logs from the Windows server feed the SIEM correlation engine, which raises an "APT detected on machine" alert.
Data Sources: Database Audit Logs, Windows Server Logs
Indicators of Compromise (IOC): Anomalies In Privileged User Account Activity, Unusual Database Activity
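Both data sources above carry permission changes and privileged activity that a rule can compare against an expected baseline. The added example below does that for constructed Windows security events and database audit records; it is not PwC's or QRadar's code. The Windows event IDs 4728 and 4732 (member added to a security-enabled global/local group) and 4672 (special privileges assigned to a new logon) are standard Security log IDs; the privileged-group list, approved-administrator lists, change window, host baseline and sample records are assumptions.

```python
"""Privileged-account and permission-change anomalies (added example).

Flags additions to privileged Windows groups by unapproved actors or outside
the change window, privileged logons on hosts outside an account's baseline,
and database privilege changes by unapproved users or outside the window.
Event IDs are standard Windows Security IDs; everything else is assumed.
"""
from datetime import datetime

PRIVILEGED_GROUPS = {"Domain Admins", "Administrators", "Enterprise Admins"}  # assumed
APPROVED_ADMINS = {"it.admin1", "it.admin2"}                                   # assumed
APPROVED_DBAS = {"dba1"}                                                       # assumed
CHANGE_WINDOW = (9, 18)   # assumed: permission changes expected 09:00-18:00
DB_PRIVILEGE_KEYWORDS = ("GRANT", "ALTER USER", "CREATE USER")                 # assumed
# Assumed baseline: hosts where each admin normally obtains privileged logons.
BASELINE_HOSTS = {"it.admin1": {"ADM-JUMP01"}, "it.admin2": {"ADM-JUMP01", "ADM-JUMP02"}}

# Constructed Windows Security events, as a log source would normalise them.
WINDOWS_EVENTS = [
    {"ts": "2016-07-04 02:13:00", "event_id": 4728, "actor": "svc_deploy",
     "target_group": "Domain Admins", "member": "tmpuser", "host": "DC01"},
    {"ts": "2016-07-04 14:00:00", "event_id": 4732, "actor": "it.admin1",
     "target_group": "Administrators", "member": "bob", "host": "FS01"},
    {"ts": "2016-07-04 14:05:00", "event_id": 4672, "actor": "it.admin1", "host": "ADM-JUMP01"},
    {"ts": "2016-07-04 22:40:00", "event_id": 4672, "actor": "it.admin1", "host": "DB01"},
]

# Constructed database audit records: (timestamp, db user, statement).
DB_AUDIT = [
    ("2016-07-04 03:00:00", "app_user", "GRANT ALL PRIVILEGES ON *.* TO 'app_user'@'%'"),
    ("2016-07-04 10:00:00", "app_user", "SELECT * FROM accounts WHERE id = 42"),
    ("2016-07-04 11:00:00", "dba1", "GRANT SELECT ON reports.* TO 'analyst'@'10.0.0.%'"),
]


def _parse(ts_text):
    return datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")


def outside_change_window(ts):
    return not (CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1])


def _reasons(actor, approved, ts):
    """Collect why a permission change is anomalous; empty means expected."""
    reasons = []
    if actor not in approved:
        reasons.append("actor_not_approved")
    if outside_change_window(ts):
        reasons.append("outside_change_window")
    return tuple(reasons)


def check_windows(events):
    """Return alerts for privileged-group changes and out-of-baseline privileged logons."""
    alerts = []
    for ev in events:
        ts = _parse(ev["ts"])
        if ev["event_id"] in (4728, 4732) and ev["target_group"] in PRIVILEGED_GROUPS:
            reasons = _reasons(ev["actor"], APPROVED_ADMINS, ts)
            if reasons:
                alerts.append(("privileged_group_change", ev["actor"], ev["member"], reasons))
        elif ev["event_id"] == 4672:
            if ev["host"] not in BASELINE_HOSTS.get(ev["actor"], set()):
                alerts.append(("privileged_logon_new_host", ev["actor"], ev["host"], ()))
    return alerts


def check_db_audit(records):
    """Return alerts for privilege-changing statements that break policy."""
    alerts = []
    for ts_text, user, statement in records:
        upper = statement.upper()
        if any(upper.startswith(k) for k in DB_PRIVILEGE_KEYWORDS):
            reasons = _reasons(user, APPROVED_DBAS, _parse(ts_text))
            if reasons:
                alerts.append(("db_privilege_change", user, statement.split(" ON ")[0], reasons))
    return alerts


if __name__ == "__main__":
    for alert in check_windows(WINDOWS_EVENTS) + check_db_audit(DB_AUDIT):
        print(alert)
```

The alert carries the reasons it fired on, so an analyst can tell an after-hours change by an approved administrator (one reason) from a change by an account that should never touch the group (another), and tune each condition separately.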
Malware Detection
11. Multiple malicious files detected on a single host
Objective:
To identify an infected machine/system in the network containing multiple malicious files which could not be cleaned by the anti-virus software.
Diagram: end point activity logs from the end-point server, antivirus logs from the antivirus server and threat intelligence logs from the threat intelligence source feed the SIEM correlation engine, which raises an "Infected machine" alert.
Data Sources: Antivirus/End Point Logs, Threat Intelligence Feed
Indicators of Compromise (IOC): File Hash Code, Sensitive System Settings Like Registry, System Folders
12. Possible malware outbreak in the network
Objective:
To trigger an incident/alert notification in real time in case of a malware outbreak in the organization's network or in a particular subnet of interest, to stop the infection as soon as possible.
Diagram: end point activity logs from the end-point server, antivirus logs from the antivirus server and threat intelligence logs from the threat intelligence source feed the SIEM correlation engine, which raises a "Possible malware outbreak in the network/subnet" alert.
Data Sources: Antivirus/End Point Logs, Threat Intelligence Feed
Indicators of Compromise (IOC): File Hash Code, Sensitive System Settings Like Registry, System Folders, Unusual Inbound & Outbound Network Traffic
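Use case 11 (several uncleaned malicious files on one host) and this use case (many hosts in one subnet detecting malware within a short time) both aggregate the same antivirus events, one by host and one by subnet. The added example below runs both aggregations over constructed antivirus events; it is not PwC's or QRadar's code. The thresholds, the window, the /24 subnet size, the antivirus action labels and the sample events (with constructed hash values) are assumptions.

```python
"""Infected-host and malware-outbreak detection from antivirus logs
(added example for use cases 11 and 12).

Use case 11: a host with several distinct malicious files the antivirus could
not clean. Use case 12: many distinct hosts in one subnet with detections in
a short window. Thresholds, subnet size, action names and events are assumed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

UNCLEANED_ACTIONS = {"clean failed", "left alone", "access denied"}  # assumed AV labels
FILES_PER_HOST_THRESHOLD = 3              # assumed (use case 11)
HOSTS_PER_SUBNET_THRESHOLD = 3            # assumed (use case 12)
OUTBREAK_WINDOW = timedelta(minutes=30)   # assumed
SUBNET_PREFIX = 24                        # assumed subnet of interest

# Constructed antivirus detection events:
# (timestamp, host IP, threat name, file hash (constructed), action)
AV_EVENTS = [
    ("2016-07-04 09:00:00", "10.10.1.5", "Trojan.Dropper", "aa11", "clean failed"),
    ("2016-07-04 09:01:00", "10.10.1.5", "Trojan.Dropper", "aa11", "clean failed"),  # same file again
    ("2016-07-04 09:02:00", "10.10.1.5", "Backdoor.Agent", "bb22", "left alone"),
    ("2016-07-04 09:03:00", "10.10.1.5", "Worm.Spreader", "cc33", "clean failed"),   # 3rd file -> host alert
    ("2016-07-04 11:00:00", "10.10.2.11", "Worm.Spreader", "cc33", "cleaned"),
    ("2016-07-04 11:05:00", "10.10.2.12", "Worm.Spreader", "cc33", "cleaned"),
    ("2016-07-04 11:09:00", "10.10.2.13", "Worm.Spreader", "cc33", "quarantined"),  # 3rd host -> outbreak
    ("2016-07-04 11:10:00", "10.10.2.13", "Worm.Spreader", "cc33", "quarantined"),  # same host again
    ("2016-07-04 13:00:00", "10.10.3.7", "Adware.Bundle", "dd44", "cleaned"),
]


def subnet_of(ip_text, prefix=SUBNET_PREFIX):
    """Network the host belongs to, e.g. '10.10.2.0/24'."""
    return str(ipaddress.ip_network(f"{ip_text}/{prefix}", strict=False))


def detect(events):
    """Return ('infected_host', host, files) and ('outbreak', subnet, hosts) alerts."""
    uncleaned_files = defaultdict(set)   # host -> hashes the AV could not clean
    subnet_hits = defaultdict(list)      # subnet -> [(ts, host)] inside the window
    alerted = set()                      # suppress repeat alerts for one key
    alerts = []
    for ts_text, host, threat, file_hash, action in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        # Use case 11: distinct uncleaned files per host (repeat detections of
        # the same file count once).
        if action in UNCLEANED_ACTIONS:
            uncleaned_files[host].add(file_hash)
            if (len(uncleaned_files[host]) >= FILES_PER_HOST_THRESHOLD
                    and ("host", host) not in alerted):
                alerted.add(("host", host))
                alerts.append(("infected_host", host, sorted(uncleaned_files[host])))
        # Use case 12: distinct hosts per subnet inside the window, regardless
        # of whether the AV cleaned the file.
        subnet = subnet_of(host)
        hits = [h for h in subnet_hits[subnet] if ts - h[0] <= OUTBREAK_WINDOW]
        hits.append((ts, host))
        subnet_hits[subnet] = hits
        distinct_hosts = {h for _, h in hits}
        if (len(distinct_hosts) >= HOSTS_PER_SUBNET_THRESHOLD
                and ("subnet", subnet) not in alerted):
            alerted.add(("subnet", subnet))
            alerts.append(("outbreak", subnet, sorted(distinct_hosts)))
    return alerts


if __name__ == "__main__":
    for alert in detect(AV_EVENTS):
        print(alert)
```

Counting distinct files and distinct hosts, rather than raw event counts, is what stops a single noisy endpoint that reports the same file every scan from looking like either an infected host or an outbreak.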
Summary

| # | Area Name | Use Case Description | IOC | QRadar Module |
|---|-----------|----------------------|-----|---------------|
| 1 | Insider Threats Detection | Possible Data Exfiltration Attempt Detected | Unusual Outbound Network Traffic, Mismatched Port-Application Traffic | QFlow Processor, QRadar Event Processor |
| 2 | Insider Threats Detection | Possible Compromised Account | Unusual Outbound Network Traffic, Mismatched Port-Application Traffic | QRadar Event Processor |
| 3 | Insider Threats Detection | Possible Brute Force Password Attack | Unusual Inbound Traffic, Anomalies In Privileged User Account Activity, High Counts Of Failed Logons | QRadar Event Processor |
| 4 | Insider Threats Detection | Outgoing Request to Malicious URL | Unusual Outbound Network Traffic, Geographical Irregularities, Protocol Anomalies | QRadar Event Processor, X-Force Threat Intelligence |
| 5 | Insider Threats Detection | Data Leakage by Employee on Notice Period | Unusual Outbound Network Traffic, Geographical Irregularities | QRadar Event Processor, X-Force Threat Intelligence |
| 6 | E-Banking/External Threats Detection | Possible Online Banking Fraud Detection | Unusual Inbound Traffic, E-banking Transaction/Access Logs | QRadar Event Processor |
| 7 | E-Banking/External Threats Detection | Account Access from a Malicious/Blacklisted Source IP | Unusual Inbound Traffic, Source IP, Source Domain, User Account | QRadar Event Processor, X-Force Threat Intelligence |
| 8 | E-Banking/External Threats Detection | Same User Logon from Different Geolocation | Unusual Spikes In Incoming Or Outgoing Network Traffic, Access From IP Addresses In Unexpected Geographic Locations | QRadar Event Processor, X-Force Threat Intelligence |
| 9 | APT Detection | Communication on Non-standard Ports | Connections On Unusual Ports Or Protocols, Unusual Inbound & Outbound Network Traffic, Mismatched Port-Application Traffic | QRadar Event Processor, QFlow Processor |
| 10 | APT Detection | Anomalies in Privileged User Account Activity or Permission Changes | Anomalies In Privileged User Account Activity, Unusual Database Activity | QRadar Event Processor |
| 11 | Malware Detection | Multiple Malicious Files Detected on a Single Host | File Hash Code, Sensitive System Settings Like Registry, System Folders | QRadar Event Processor, X-Force Threat Intelligence |
| 12 | Malware Detection | Possible Malware Outbreak in the Network | File Hash Code, Sensitive System Settings Like Registry, System Folders, Unusual Inbound & Outbound Network Traffic | QRadar Event Processor, X-Force Threat Intelligence |
Thank You!
This publication has been prepared for general guidance on matters of interest only, and does
not constitute professional advice. You should not act upon the information contained in this
publication without obtaining specific professional advice. No representation or warranty
(express or implied) is given as to the accuracy or completeness of the information contained
in this publication, and, to the extent permitted by law, [insert legal name of the PwC firm], its
members, employees and agents do not accept or assume any liability, responsibility or duty
of care for any consequences of you or anyone else acting, or refraining to act, in reliance on
the information contained in this publication or for any decision based on it.
© 2016 [insert legal name of the PwC firm]. All rights reserved. In this document, “PwC” refers
to [insert legal name of the PwC firm] which is a member firm of PricewaterhouseCoopers
International Limited, each member firm of which is a separate legal entity.