15.3 iTRAC

This section gives an overview of iTRAC.

15.3.1 Instantiating a Process

An iTRAC process can be instantiated on the iTRAC server by using one of the following methods to associate an iTRAC process to an incident:

  • Associating an iTRAC process to the incident at the time of incident creation

  • Associating an iTRAC process to the incident after the incident is created

  • Associating an iTRAC process to an incident as an action when deploying a correlation rule

For more information on associating a process to an incident, see Section 4.0, Correlation Tab and Section 5.0, Incidents Tab.

NOTE: If you want to perform all of the iTRAC scenarios, you must go through them in the order they are presented.

Example Scenario: Creating a Simple Two-Tiered iTRAC Process for a Possible Network Attack

This process is a series of steps that you can take if there is a possible attack on your system.

The example procedure does the following:

  • Asks the user to decide if a preliminary look indicates that the network has been attacked. This leads to a decision step.

    NOTE: All decision steps provide different execution paths, depending on the value of the variable defined in the previous step.

  • The Collect Data step reviews the data to make a better determination if there has been an attack.

  • If there has been an attack, iTRAC takes measures to prevent another attack and sends an e-mail to the supervisor indicating that proper measures have been taken. If there is no attack, iTRAC sends an e-mail to the supervisor indicating that there is not an attack.

Figure 15-3 iTRAC Process

To create this iTRAC process:

  1. Click the iTRAC tab.

  2. In the navigation pane, click iTRAC Administration > Template Manager.

  3. In the Template Manager window, click Add.

    The iTRAC Process Builder displays with a Process Details window.

  4. Use the name iTRAC Tutorial. Optionally, add a description.

  5. From the Step Palette pane, drag and drop three manual steps, two mail steps, and two Decision Steps. Rename the steps and set their attributes as follows by right-clicking each step and selecting Edit Step.

    1. Manual Step-0 to Decide If Hacked:

      1. Set the Role to Analyst.

      2. Click Associate, then click Add.

      3. Specify Hacked in the Name field.

      4. In the Process Variables window, select the Variable Type as String.

      5. Set the Default Value to yes.

      6. (Optional) Under the Description tab, specify Initial evaluation of events to determine if there has been an attack.

      7. Click OK.

      8. Select the newly created association, then click OK until the step is renamed.

    2. Manual Step-1 to Collect Data:

      1. Set the Role to Analyst.

      2. Click Associate.

      3. Select Hacked, then click OK.

      4. (Optional) Under the Description tab, specify To further evaluate after collecting of events to determine if there has been an attack.

      5. Click OK to rename the step.

    3. Manual Step-2 to Prevent Future Attacks:

      1. Set Role to Analyst.

      2. (Optional) Under the Description tab, specify Take measures to stop the attack (firewall, router or other intrusion protection method). Also, if possible, determine how the attack was done.

      3. Click OK to rename the step.

    4. Mail Step-3 to Not Hacked:

      1. In the To field, provide your e-mail address (because this is for a tutorial). When this step finishes, it sends you an e-mail.

      2. In the From field, provide a made up address such as me@nowhere.com.

      3. In the Subject field, specify We have not been hacked.

      4. (Optional) Under the Body tab, specify This e-mail is generated from a tutorial (simulation) iTRAC process.

      5. Click OK.

    5. Mail Step-4 to Prevent Future Attacks:

      1. In the To field, specify your e-mail address.

      2. In the From field, specify a made up e-mail address.

      3. In the Subject field, specify Proper Attack Measures Taken.

      4. (Optional) Under the Body tab, specify This e-mail is generated from a tutorial (simulation) iTRAC process.

    6. (Optional) Decision Step-5 to Hacked:

      Under the Description tab, provide a description such as Preliminary decision if there has been an attack or not.

    7. (Optional) Decision Step-6 to Hacked or Not:

      Under the Description tab, provide a description such as Decision if there has been an attack or not.

  6. Right-click Start and select Add Start Transition. Select Decide If Hacked as the destination.

  7. Right-click Decide If Hacked and select Add Transition. Specify the following:

    • Name: Specify Decision.

    • Type: Select Unconditional.

    • Destination: Hacked.

  8. Click OK.

  9. Right-click Hacked? and select Add Transition. Specify the following:

    • Name: Not Hacked.

    • Type: Select else.

    • Destination: Not Hacked.

  10. Click OK.

  11. Right-click Not Hacked and select End Transition.

  12. Right-click Hacked? and select Add Transition. Specify the following:

    • Name: Specify Hacked.

    • Type: Select Conditional.

    • Destination: Collect Data.

  13. Click Set > EXP.

    1. Select Variables and Values.

    2. Select Attribute Hacked.

    3. Select Condition equals.

    4. Specify a value of yes.

    5. Click OK until the transition is complete.

  14. Right-click Collect Data and select Add Transition. Select and specify the following:

    • Name: Hacked or Not?

    • Type: Unconditional

    • Destination: Hacked or Not

  15. Right-click Hacked or Not and select Add Transition. Specify the following:

    • Name: Not Hacked.

    • Type: Else.

    • Destination: Not Hacked.

  16. Right-click Hacked or Not and select Add Transition. Specify the following:

    • Name: Hack Happened.

    • Type: Conditional.

    • Destination: Prevent Future Attacks.

  17. Click Set > EXP.

    1. Select Variables and Values.

    2. Select Attribute Hacked.

    3. Select Condition equals.

    4. Specify Value of yes.

    5. Click OK until the transition is complete.

  18. Right-click Prevent Future Attacks and select Add Transition. Specify the following:

    • Name: Proper Measures Taken.

    • Type: Unconditional.

    • Destination: Measures Taken.

  19. Right-click Measures Taken and select Add End Transition.

  20. Click Save. Your new process should appear in the Template Manager.

Example Scenario: Running an iTRAC Process for a Possible Network Attack

This example makes the following assumption:

NOTE: If you assign steps to other roles, you need to log out and then log in as a user assigned to that role and accept the process. For simplicity, the following example is assigned to one role.

Before you can run this process, it must be assigned to an incident.

To start or terminate a process:

  1. Click the Incident tab.

  2. Click Incidents > Create Incidents.

  3. Specify the following:

    • Title: iTRAC Tutorial.

    • Category: Other.

    • Responsible: assign this incident to yourself.

  4. Click the iTRAC tab, then select iTRAC Process Tutorial.

  5. Click Create.

    Because this is a tutorial incident and not a true incident, it can be deleted without negatively affecting your Sentinel setup.

  6. From anywhere in the Sentinel GUI, click the Analyst group (yellow bar) under View Work Items.

    Your bar might already be partially green, indicating that you have accepted (acquired) an iTRAC Process.

    All of the processes assigned to the Analyst role display.

  7. To accept a work item, select iTRAC Tutorial and click Acquire.

    If the View Work Item list bar was yellow as illustrated above, it changes with an addition of a green bar.

  8. Click the green bar under View Work Items. In the Work Items window, click View Details.

    The red highlighted step indicates what step this process is currently in.

  9. To start the steps within this process, click the Process Details tab.

    For this manual step, the variable is set to yes. Providing another value such as no (no attack) takes the else path and results in an e-mail that completes the process. For example, if the initial assessment is that there is an attack and the Hacked variable is equal to yes, click Complete to complete this step.

  10. In the Work Items window, select the process and click View Details. The Collect Data step should be highlighted in red. As before, this is a manual step.

  11. Click the Process Details tab.

  12. Again, the variable page displays. Collect Data is the step in which you further determine, by analyzing the events of interest, whether an attack has occurred. For this example, assume that an attack has occurred and leave the default value of yes. If this were a real attack, it would be beneficial to add clear notes or attachments with the information about this attack.

  13. Click Complete.

  14. In the Work Items window, select the process and click View Details. The Prevent Future Attacks step should be highlighted in red. As before, this is a manual step.

  15. In this manual step, take measures to harden the network to prevent future attacks. When this is done, you should add notes and attachments as to the information about this attack.

  16. Click Complete.

    The next step is an automatic e-mail step indicating that proper anti-attack measures have been taken. The iTRAC Process is removed from the Work Items window.

    If you go to the Process View window or if you double-click this process, it appears as Complete.
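The two-tiered process built in the first scenario and walked through in the second, modelled as an added example (not Sentinel or iTRAC code) so that both execution paths, attack confirmed and attack ruled out, can be traced without the GUI. Step, transition and variable names mirror the tutorial; the analyst inputs and mail subjects are the tutorial's defaults.

```python
# Added example, not Sentinel/iTRAC code: the tutorial process as a small state machine.
from dataclasses import dataclass

@dataclass
class Transition:
    name: str
    dest: str
    kind: str            # "unconditional", "conditional", "else" or "end"
    cond: tuple = ()     # (variable, expected value) for a conditional transition

# Steps as (kind, outgoing transitions); names mirror the tutorial. The decision
# step called "Hacked" tests the process variable also called "Hacked".
STEPS = {
    "Start": ("start", [Transition("Start", "Decide If Hacked", "unconditional")]),
    "Decide If Hacked": ("manual", [Transition("Decision", "Hacked", "unconditional")]),
    "Hacked": ("decision", [
        Transition("Hacked", "Collect Data", "conditional", ("Hacked", "yes")),
        Transition("Not Hacked", "Not Hacked", "else")]),
    "Collect Data": ("manual", [Transition("Hacked or Not?", "Hacked or Not", "unconditional")]),
    "Hacked or Not": ("decision", [
        Transition("Hack Happened", "Prevent Future Attacks", "conditional", ("Hacked", "yes")),
        Transition("Not Hacked", "Not Hacked", "else")]),
    "Prevent Future Attacks": ("manual", [Transition("Proper Measures Taken", "Measures Taken", "unconditional")]),
    "Not Hacked": ("mail", [Transition("End", "End", "end")]),
    "Measures Taken": ("mail", [Transition("End", "End", "end")]),
}
MAIL_SUBJECTS = {"Not Hacked": "We have not been hacked",
                 "Measures Taken": "Proper Attack Measures Taken"}

def next_step(kind, transitions, variables):
    """Conditional transitions are evaluated first; the else transition is the fallback."""
    if kind != "decision":
        return transitions[0].dest
    for t in transitions:
        if t.kind == "conditional" and variables.get(t.cond[0]) == t.cond[1]:
            return t.dest
    return next(t.dest for t in transitions if t.kind == "else")

def run_process(analyst_inputs):
    """Walk the process; analyst_inputs maps a manual step to the Hacked value set there (default yes)."""
    variables = {"Hacked": "yes"}
    path, mails, current = [], [], "Start"
    while current != "End":
        kind, transitions = STEPS[current]
        path.append(current)
        if kind == "manual":
            variables["Hacked"] = analyst_inputs.get(current, variables["Hacked"])
        elif kind == "mail":
            mails.append(MAIL_SUBJECTS[current])
        current = next_step(kind, transitions, variables)
    return path, mails
```

Calling `run_process({})` follows the path the second scenario walks (both manual steps leave Hacked at yes) and ends at the Measures Taken mail step; `run_process({"Collect Data": "no"})` shows the second-tier else path ending at the Not Hacked mail step.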