September 13, 2022
The ICMP-Unequal rule can detect indicators of compromise that default SIEM implementations often miss.
Exabeam is a powerful security information and event management (SIEM) platform on its own, but it truly starts to shine when configured with custom rulesets. These rules give organizations the ability to detect early indicators of compromise they might otherwise miss.
These rules go above and beyond what a default SIEM implementation is capable of. They can offer early visibility into unauthorized activity and give security analysts valuable data when conducting investigations.
Custom Rules Enhance Operational Security and Decision-Making
Custom rulesets are integral to the value that Castra offers its customers because every organization’s IT infrastructure is unique. Traffic that a remote-enabled enterprise with a distributed workforce considers perfectly normal might be extremely suspicious in a more centralized setting. There is no way to optimize an organization’s security posture with a one-size-fits-all approach.
By carefully fine-tuning our custom rulesets on a case-by-case basis, Castra can set rules that fully correspond to its customers’ business logic. This enables early detection and provides comprehensive insight into the tactics, techniques, and procedures (TTPs) attackers are using.
Ultimately, this provides analysts with a wealth of high-quality data, allowing them to improve the timing and accuracy of incident investigations.
"Custom rules help security professionals make better decisions with greater speed and confidence."
Tony Simone, Co-Founder
Case in Point: The ICMP-Unequal Rule
The ICMP-Unequal rule is an excellent example of the impact custom rules can have on operational security. It monitors the Internet Control Message Protocol (ICMP), a core component of the TCP/IP suite that sits alongside IP at the Network layer of the OSI model.
ICMP plays a vital role in host-to-host network communication, acting as an error-reporting and query service for IP datagrams. Any IP host or router can send ICMP messages, and the protocol acts as the messenger that relays status information between senders and receivers. Its most familiar use is the echo request and echo reply pair (ICMP types 8 and 0) generated by the well-known ping utility, which makes up most of the ICMP traffic on a typical network.
This is important because cyber criminals can hide their activities using ICMP tunneling software, which carries command-and-control traffic or exfiltrated data inside the payload of ICMP echo packets. This lets attackers control compromised machines over ICMP as if it were a covert VPN. Pingback is just one example of malware that relies on this technique.
Under normal conditions, an ICMP echo request and its reply should be the same size, because the reply must carry the request’s data back unchanged; with default ping settings that is typically between 64 and 76 bytes in total. This changes when an attacker hijacks ICMP to build a tunnel into a victim’s network: the tunneled data rides in the payload of the packets flowing in one direction, inflating them relative to the other.
When that happens, it creates an uneven distribution of packet size between incoming and outgoing data. If incoming pings are much larger than their outgoing reply messages (or vice versa), the ICMP-Unequal rule tracks that activity and generates an alert when incoming and outgoing packet sizes are consistently out of balance across many exchanges, not just in a single stray packet. A large ping on its own is not suspicious; a path-MTU check or a monitoring probe can legitimately send large echo requests, but those produce equally large replies, so the rule keys on the asymmetry rather than on size alone.
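To make the detection logic concrete, here is an added example (written for this page, not Castra’s or Exabeam’s rule code) that runs the same check over constructed per-packet ICMP log lines. The log format, host addresses, thresholds and the `icmp_unequal` function are all assumptions for illustration; the rule pairs each echo reply with its request by the (requester, target, id, seq) tuple that the reply carries back, then alerts on any host pair where most exchanges have unequal request and reply sizes.

```python
import re
from collections import defaultdict

# Constructed sample exchanges (not real telemetry):
# (requester, target, icmp_id, seq, request_len, reply_len), lengths in ICMP bytes.
SAMPLE_EXCHANGES = [
    *[("10.0.0.5", "203.0.113.7", "0x1a2b", i, 64, 64) for i in range(1, 7)],      # ordinary ping
    *[("10.0.0.2", "10.0.0.1", "0x0c0d", i, 1408, 1408) for i in range(1, 7)],     # large but symmetric (ping -s 1400)
    *[("10.0.0.23", "198.51.100.9", "0x7f00", i, 64, 1400) for i in range(1, 7)],  # tunnel: data comes back in replies
    ("10.0.0.23", "198.51.100.9", "0x7f00", 7, 64, 64),                            # one tunnel keepalive, equal sizes
]


def render_log(exchanges):
    """Render the constructed exchanges as one log line per packet (assumed format)."""
    lines = []
    for n, (requester, target, ident, seq, req_len, rep_len) in enumerate(exchanges):
        ts = f"2022-09-13T10:00:{n % 60:02d}Z"
        lines.append(f"{ts} icmp src={requester} dst={target} type=8 code=0 id={ident} seq={seq} len={req_len}")
        lines.append(f"{ts} icmp src={target} dst={requester} type=0 code=0 id={ident} seq={seq} len={rep_len}")
    return "\n".join(lines)


SAMPLE_LOG = render_log(SAMPLE_EXCHANGES)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) icmp src=(?P<src>\S+) dst=(?P<dst>\S+) type=(?P<type>\d+) "
    r"code=(?P<code>\d+) id=(?P<id>\S+) seq=(?P<seq>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it is not an ICMP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("type", "code", "seq", "len"):
        rec[key] = int(rec[key])
    return rec


def pair_exchanges(records):
    """Match each echo reply (type 0) to its echo request (type 8).
    The reply swaps src/dst and echoes id and seq, so that tuple is the join key."""
    pending, exchanges = {}, []
    for rec in records:
        if rec["type"] == 8:
            pending[(rec["src"], rec["dst"], rec["id"], rec["seq"])] = rec
        elif rec["type"] == 0:
            req = pending.pop((rec["dst"], rec["src"], rec["id"], rec["seq"]), None)
            if req is not None:
                exchanges.append((req, rec))
    return exchanges


def icmp_unequal(records, tolerance=0, min_exchanges=5, unequal_ratio=0.8):
    """ICMP-Unequal style check: alert on (requester, target) pairs where at least
    min_exchanges were seen and at least unequal_ratio of them had request and reply
    sizes differing by more than tolerance bytes. Tolerance is 0 because a reply must
    echo the request data unchanged; raise it if your sensor logs IP total length."""
    stats = defaultdict(lambda: {"exchanges": 0, "unequal": 0, "req_bytes": 0, "reply_bytes": 0})
    for req, rep in pair_exchanges(records):
        s = stats[(req["src"], req["dst"])]
        s["exchanges"] += 1
        s["req_bytes"] += req["len"]
        s["reply_bytes"] += rep["len"]
        if abs(req["len"] - rep["len"]) > tolerance:
            s["unequal"] += 1
    alerts = []
    for (requester, target), s in stats.items():
        if s["exchanges"] >= min_exchanges and s["unequal"] / s["exchanges"] >= unequal_ratio:
            alerts.append((requester, target, dict(s)))
    return alerts


def run_sample():
    """Run the check over the constructed log and return the alerts."""
    records = [r for r in (parse_line(line) for line in SAMPLE_LOG.splitlines()) if r]
    return icmp_unequal(records)


if __name__ == "__main__":
    for requester, target, s in run_sample():
        print(f"ICMP-Unequal: {requester} -> {target}: {s['unequal']}/{s['exchanges']} unequal exchanges, "
              f"{s['req_bytes']} B requested vs {s['reply_bytes']} B replied")
```

Only the 10.0.0.23 to 198.51.100.9 pair fires: the 64-byte requests are answered with 1400-byte replies in six of seven exchanges. The 10.0.0.2 host sending 1408-byte pings does not fire, even though its packets are far larger than a default ping, because its replies are the same size. In a real deployment the `min_exchanges` and `unequal_ratio` values are exactly the per-organization baseline the text talks about, and the alert would be fed into the SIEM as a risk-scored event rather than printed.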
In their default configurations, many SIEMs are likely to miss this. There is no out-of-the-box functionality for defining what regular ICMP traffic looks like in the IT architecture of a particular organization, so the baseline and the alerting threshold can only be established with a custom rule created with that organization’s specifics in mind.
Make the Most of Exabeam with Castra Expertise
Exabeam works by assigning risk scores to the activities it tracks, enabling analysts to quickly respond to security incidents. Maximizing Exabeam’s performance isn’t just about giving it more data to ingest. It also requires using custom rules and setting risk thresholds that correspond to the real-world risk profile of the organization in question.
Castra is a managed detection and response vendor that specializes in creating and implementing complex custom rulesets in Exabeam. Let our security operations personnel help you achieve security and visibility beyond what default SIEM deployments can offer.