RFISI


Use the JSA Ready for IBM Security Intelligence (RFISI) Content Extension to complement the RFISI Threat Intelligence app.

JSA RFISI Content Extension V1.0.1

The following building blocks are removed in JSA RFISI Content Extension V1.0.1 because they are already included in JSA by default.

  • BB:HostDefinition: Mail Servers

  • BB:HostReference: Mail Servers

  • BB:PortDefinition: Mail Ports

The following table shows the reference sets that are updated in JSA RFISI Content Extension V1.0.1.

Table 1: Reference Sets in JSA RFISI Content Extension V1.0.1

The element type of each of the following reference sets was changed to AlphaNumeric (Ignore Case):

  • Malicious URLs

  • Malware URLs

  • Phishing URLs

  • Rogue Process Names

  • Malware Hostnames

  • Malware Hashes MD5

  • Malware Hashes SHA

JSA RFISI Content Extension V1.0.0

The following table shows the rules and building blocks in JSA RFISI Content Extension V1.0.0.

Table 2: Rules in JSA RFISI Content Extension V1.0.0

  • RFISI: Internal Communication with a Malware URL
    Notifies when an internal client loads a URL that is known to host malware.

  • RFISI: Internal Connection to Address Hosting Malware
    Notifies when an internal system communicates with an IP address that is considered to be hosting malware.

  • RFISI: Internal Connection with Botnet Command and Control
    Notifies when an internal host communicates with an IP address known to be a botnet command and control server.

  • RFISI: Internal Hosts Communicating with Anonymizer Host
    Notifies when an internal host appears to be using an anonymous proxy or VPN. This generally indicates a policy violation, but it may also signal insider threat activity.

  • RFISI: Mail Server Sending Mail to SPAM Servers
    Notifies when an internal mail server communicates with an IP address that is known to send spam. Typically no legitimate mail server is considered a spam server, so this may indicate illicit activity or an internal infection.

  • RFISI: Phishing Email sent to Internal Mail Server
    Notifies when mail is received from a server associated with phishing campaigns. This may indicate that insiders are being targeted for attack.

  • BB:HostReference: Mail Servers
    No updates. Dependent on another rule and must be included in the extension framework.

  • BB:HostDefinition: Mail Servers
    No updates. Dependent on another rule and must be included in the extension framework.

  • BB:PortDefinition: Mail Ports
    No updates. Dependent on another rule and must be included in the extension framework.

The following table shows the reference data in JSA RFISI Content Extension V1.0.0.

Table 3: Reference Data in JSA RFISI Content Extension V1.0.0

Type: Reference Set

  • Malware Senders
    Gets IP addresses of mail hosts known to send malicious emails (such as virus/malware attachments and HTML exploits). If the providers don't distinguish between these and other spam, then all should go to the Spam Senders set.

  • Anonymizer IPs
    Gets IP addresses of known anonymizing services, such as VPN providers, Tor exit nodes, and other proxies.

  • Botnet C&C IPs
    Gets IP addresses known to be C&C servers rather than nodes. Where the provider doesn't distinguish between nodes and C&C, all should go to the Botnet IPs set.

  • Botnet IPs
    Gets IP addresses associated with botnet activity. Intended for nodes rather than C&C IP addresses, but if the provider doesn't distinguish between them, then both go in this set.

  • Mail Servers
    A list of mail servers in your environment.

  • Malicious URLs
    Gets URLs for browser exploits and some other exploit types.

  • Malware Hashes MD5
    Gets MD5 sums of malware files.

  • Malware Hashes SHA
    Gets SHA (SHA-1, SHA-256, etc.) sums of malware files.

  • Malware Hostnames
    Gets the hostnames (or IP addresses) of servers providing malware downloads. Hostnames are preferred because of virtual hosting.

  • Malware IPs
    Meant for IP addresses associated with malware post-exploit communications.

  • Malware URLs
    Gets URLs known to be malware downloads.

  • Phishing IPs
    Gets IP addresses associated with phishing attempts.

  • Phishing Senders
    Gets IP addresses of hosts that are known or suspected of sending phishing attempts.

  • Phishing Subjects
    Gets subject lines from email campaigns that are known to be phishing attempts.

  • Phishing URLs
    Gets the URLs associated with phishing emails.

  • Rogue Process Names
    Gets process names or executable names for known malware, Trojans, and other rogue processes.

  • Spam Senders
    Gets IP addresses of known spam servers. If the provider doesn't distinguish between phishing and other spam, then both go in this set.

Type: Reference Map of Maps

  • Malware Senders Data
    Holds extended data related to the Malware Senders reference set.

  • Anonymizer IPs Data
    Holds extended data related to the Anonymizer IPs reference set.

  • Botnet C&C IPs Data
    Holds extended data related to the Botnet C&C IPs reference set.

  • Botnet IPs Data
    Holds extended data related to the Botnet IPs reference set.

  • Malicious URLs Data
    Holds extended data related to the Malicious URLs reference set.

  • Malware Hashes MD5 Data
    Holds extended data related to the Malware Hashes MD5 reference set.

  • Malware Hashes SHA Data
    Holds extended data related to the Malware Hashes SHA reference set.

  • Malware Hostnames Data
    Holds extended data related to the Malware Hostnames reference set.

  • Malware IPs Data
    Holds extended data related to the Malware IPs reference set.

  • Malware URLs Data
    Holds extended data related to the Malware URLs reference set.

  • Phishing IPs Data
    Holds extended data related to the Phishing IPs reference set.

  • Phishing Senders Data
    Holds extended data related to the Phishing Senders reference set.

  • Phishing Subjects Data
    Holds extended data related to the Phishing Subjects reference set.

  • Phishing URLs Data
    Holds extended data related to the Phishing URLs reference set.

  • Rogue Process Names Data
    Holds extended data related to the Rogue Process Names reference set.

  • Spam Senders Data
    Holds extended data related to the Spam Senders reference set.