Blogs :: Charles Copeland

About Charles Copeland

Charles Copeland is a Managed Services Analyst with HBGary

Charles' Just Chark Blog


Razor in the Field - Policy Creation

In my last post I mentioned I would be posting about Razor Policy in more depth. A Policy contains rules, and a rule has conditions. For a policy to flag a potentially actionable event, all of the Conditions in a rule must match. The Condition groups are Net.Shares, Net.DNS, Net.Session, Net.Port, Net.IP, and Net.Packet, and each condition group can contain multiple sub-items.

One of the things I find exceptionally useful in Razor is the DNS cross-referencing data. It lets you use domain registration (WHOIS) details as conditions in a rule: the registrant name, fax, phone, email, address, country, or even the zip code. This function proved to be a huge time saver when we noticed an attacker using the same email address when registering domains. It took all of about 2 minutes to set up a Policy that could have taken hours of analysis to reach the same end result by more primitive methods. Keep in mind that a domain registered through a privacy or proxy service carries the proxy's contact details rather than the registrant's own, so a rule of this kind only catches domains that were registered with the same real contact data.

Let’s take a look at Policy creation. After logging into the Razor Dashboard, click the Policies button on the left navigation panel to open the Policies page. Click the “Actions” dropdown and choose “Create Policy”. The first thing to do is give the Policy a name. I’ve found that each team tends to have its own naming scheme. We’ll call today’s NOMORESLACKING10192011, for testing purposes only of course.

Next we will look at what rules to add to this Policy. The “Actions” button inside the Policy Editor is a little different: it offers Create New Rule, Select Existing Rule(s), and Remove Rule(s), plus the admin options Save List and Column Chooser. We are going to select Create New Rule in this case. For familiarity’s sake we’ll use a site that we all know and may at some point have used, ThePirateBay.org. Name the rule so it is easily identifiable later: ThePirateBay.org.

The reason I chose ThePirateBay.org is that one misclick on an advertisement could land you on a potentially malicious site, or on a shady singles site. KEEP IT OFF THE CORPORATE NETWORK PEOPLE. To get started, head over to Robtex and see what useful information it has on ThePirateBay.org. We have a few pieces of information we can use here; in this case we combine them with ‘Or’ logic for better coverage, so the rule fires if any one of them matches. The useful pieces of information here are the Registrant Name, Registrant Phone, and Registrant Email. Once the definitions have been created, click OK.

Now that the ThePirateBay.org rule is created, let’s look at the Response Actions selection. The options are:

  • Trace and Archive – records a capfile for analysis
  • Analyze Binaries – downloads a binary and analyzes it in a VM using REcon
  • Reset Session – blocks traffic from … (easily the most used option, and the one we will be using today, since we don’t want any of the wares ThePirateBay.org has to offer)

Once the Response Action is enabled, click Save in the bottom right-hand corner of the browser. That’s it. Simple as that! In the next post I will go into deep analysis of the data acquired through a Policy.

Posted by Charles Copeland on November 8, 2011 at 10:08am
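The policy model these posts describe (a Policy holds Rules, a Rule holds Conditions grouped as Net.DNS, Net.Port and so on, every group must match, and the sub-items inside a group can be combined with ‘Or’), together with the registrant cross-reference, as an added Python example. This is illustration code written for this page, not HBGary's Razor implementation. The WHOIS table, the event records, the field names (registrant_name, registrant_phone, registrant_email, Net.Port dst) and the second rule are all constructed for the example, and the registrant values are placeholders rather than real registration data.

```python
"""Toy model of Razor-style policy evaluation (added example, not HBGary code).

A Policy contains Rules; a Rule has Conditions grouped by type (Net.DNS,
Net.Port, ...). Every condition group in a rule must match (AND), and the
sub-items inside one group can be combined with 'Or'. Registrant fields come
from cross-referencing the event's DNS name against WHOIS data.
Every record below is constructed; registrant values are placeholders.
"""
from dataclasses import dataclass

# Constructed WHOIS table standing in for Razor's DNS cross-reference data.
WHOIS = {
    "thepiratebay.org": {
        "registrant_name": "Example Registrant",
        "registrant_phone": "+1.5555550100",
        "registrant_email": "registrant@example.net",
    },
    "mirror.example": {  # different name and phone, same contact e-mail
        "registrant_name": "Mirror Operator",
        "registrant_phone": "+1.5555550199",
        "registrant_email": "registrant@example.net",
    },
    "benign.example": {
        "registrant_name": "Benign Co",
        "registrant_phone": "+1.5555550142",
        "registrant_email": "hostmaster@benign.example",
    },
}

@dataclass
class Condition:
    group: str          # condition group, e.g. "Net.DNS" or "Net.Port"
    items: list         # sub-items as (field, expected value) pairs
    logic: str = "And"  # how the sub-items combine: "And" or "Or"

    def matches(self, event: dict) -> bool:
        facts = event.get(self.group, {})
        hits = [str(facts.get(f, "")).lower() == str(v).lower() for f, v in self.items]
        return any(hits) if self.logic == "Or" else all(hits)

@dataclass
class Rule:
    name: str
    conditions: list

    def matches(self, event: dict) -> bool:
        # Every condition group must match for the rule to fire.
        return all(c.matches(event) for c in self.conditions)

@dataclass
class Policy:
    name: str
    rules: list
    response: str  # "Trace and Archive", "Analyze Binaries" or "Reset Session"

def enrich(event: dict) -> dict:
    """Cross-reference the DNS name against WHOIS and merge the registrant fields."""
    dns = dict(event.get("Net.DNS", {}))
    dns.update(WHOIS.get(dns.get("name", "").lower(), {}))
    return {**event, "Net.DNS": dns}

def evaluate(policy: Policy, events: list) -> list:
    """Return (dns name, rule name, response) for every rule each event trips."""
    hits = []
    for raw in events:
        event = enrich(raw)
        for rule in policy.rules:
            if rule.matches(event):
                hits.append((event["Net.DNS"].get("name"), rule.name, policy.response))
    return hits

def build_policy() -> Policy:
    """The policy from the post, plus a second rule to show AND across groups."""
    registrant = Condition("Net.DNS", [
        ("registrant_name", "Example Registrant"),
        ("registrant_phone", "+1.5555550100"),
        ("registrant_email", "registrant@example.net"),
    ], logic="Or")
    same_email = Condition("Net.DNS", [("registrant_email", "registrant@example.net")])
    tls_port = Condition("Net.Port", [("dst", 443)])
    return Policy("NOMORESLACKING10192011", [
        Rule("ThePirateBay.org", [registrant]),
        Rule("Registrant email and port 443", [same_email, tls_port]),
    ], response="Reset Session")

def sample_events() -> list:
    """Constructed events of the kind the dashboard would list."""
    return [
        {"Net.DNS": {"name": "thepiratebay.org"}, "Net.Port": {"dst": 80}},
        {"Net.DNS": {"name": "mirror.example"}, "Net.Port": {"dst": 443}},
        {"Net.DNS": {"name": "benign.example"}, "Net.Port": {"dst": 443}},
        {"Net.DNS": {"name": "unknown.example"}, "Net.Port": {"dst": 443}},
    ]

if __name__ == "__main__":
    for name, rule, response in evaluate(build_policy(), sample_events()):
        print(f"{name:20} matched {rule!r:40} -> {response}")
```

Running it shows why the ‘Or’ choice matters: mirror.example shares only the contact e-mail with the original domain, yet it still trips the ThePirateBay.org rule, while the second rule demonstrates that a rule with two condition groups fires only when both the Net.DNS and the Net.Port group match.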

Razor in the Field

This is the first installment of several Razor blog posts. Razor is a network monitoring and deep content inspection appliance that sits at the perimeter of a network, monitoring inbound and outbound traffic. I'm not going into any deep analysis or Policy creation details because it's a little too much information for one blog post. I wanted to touch on how fast Razor is able to give you network activity results once it's been set up.

As soon as you log in you are brought to the Dashboard and can tell what has happened on the network since your last check-in. The Event Timeline displays the number of events and the times they occurred. The Event Timeline is the first stop I make after logging in, to make sure there isn't any unusual influx of events. The Event Distribution displays a pie chart representation of the total events observed. Between the two of them they can usually tell me what kind of day I'm going to have within the first 30 seconds of logging in.

At this point I like to go into the Events section to see what is causing the reported activity. There are several ways to sort, but in this case we sort by Timestamp during the initial review. One of the new features in Razor (and Active Defense) I've found useful is the ability to drag a column up to the grouping bar, which adds some extra sorting abilities. I will cover this more in depth in a future blog.

Just like most other network devices, you can pull back the PCAP (packet capture) file, if applicable, from the Results column and open it in Wireshark to look for anomalies in the packets. In the Actions column you can use Create an Analysis Job if a .exe or PDF file was captured. Once an executable or PDF file is captured, an analysis "Job" is created for the captured sample (called a Specimen), and the sample is detonated inside a guest VMware VM image using REcon. REcon records and graphs malware behavior at runtime so you can extract critical data from an unknown executable. This feature is only available if you chose Trace and Archive as the response action when setting up the policy.

In my experience, most management will opt to use the Reset Session option while making the Policy to kill the connection rather than choose the Trace and Archive policy feature. Razor does not block traffic the way a firewall does. Instead, it copies all traffic and injects a reset packet when a policy matches; because it works from a copy rather than sitting inline, the packets that triggered the match have already been forwarded, and the reset tears the session down after the fact. Within the first minutes of logging in you already have actionable items for the day and, if there are any, relevant information that needs to be relayed to management.

-- Charles Copeland

Posted by Charles Copeland on September 13, 2011 at 12:00am
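What the injected reset from the paragraph above actually has to contain, as an added Python example that is not Razor's code: a sensor that has copied one client-to-server segment forges RST/ACK segments in both directions, each addressed as if it came from the other endpoint, with sequence numbers the receiving stack will accept and valid IP and TCP checksums. The example only builds and parses the bytes; it sends nothing. The addresses, ports and sequence numbers are constructed, and the helper names (build_rst, rst_for_observed, verify) are this example's own.

```python
"""Forging the TCP reset an out-of-band monitor injects (added example, not Razor code).

The sensor only sees a copy of the traffic, so to kill a session it sends
RST/ACK segments impersonating each endpoint to the other. The receiving
stack checks the sequence number against its window and drops the segment
if the IP or TCP checksum is wrong, so both must be right. This code builds
and parses the bytes; it sends nothing. All addresses and numbers are made up.
"""
import socket
import struct

TCP_RST, TCP_ACK = 0x04, 0x10

def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_rst(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int) -> bytes:
    """Return a 40-byte IPv4 + TCP RST/ACK segment with no options or payload."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    # TCP header: data offset 5 words, flags RST|ACK, window 0, checksum 0 for now.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, TCP_RST | TCP_ACK, 0, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    # IPv4 header: version/IHL 0x45, DF set, TTL 64, checksum 0 for now.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp

def rst_for_observed(client_ip, server_ip, client_port, server_port,
                     client_seq, client_ack, payload_len):
    """From one observed client->server segment, forge a reset toward each side."""
    # To the client we pretend to be the server: our SEQ must be what the client
    # expects next from the server, which is the ACK number it just sent.
    to_client = build_rst(server_ip, client_ip, server_port, client_port,
                          seq=client_ack, ack=client_seq + payload_len)
    # To the server we pretend to be the client: SEQ continues the client's stream.
    to_server = build_rst(client_ip, server_ip, client_port, server_port,
                          seq=client_seq + payload_len, ack=client_ack)
    return to_client, to_server

def verify(packet: bytes) -> dict:
    """Parse a forged segment back and recompute both checksums (0 means valid)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = packet[:ihl], packet[ihl:]
    sport, dport, seq, ack, _off, flags, _win, _sum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return {
        "src": socket.inet_ntoa(ip[12:16]), "dst": socket.inet_ntoa(ip[16:20]),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "rst": bool(flags & TCP_RST), "ack_flag": bool(flags & TCP_ACK),
        "ip_csum_ok": checksum(ip) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }

if __name__ == "__main__":
    # Constructed observation: client 10.0.0.5:51000 sent 120 bytes to 192.0.2.10:80.
    for pkt in rst_for_observed("10.0.0.5", "192.0.2.10", 51000, 80, 1000, 5000, 120):
        print(verify(pkt))
```

The practical caveat this makes visible: because the sensor works from a copy of the traffic, its resets race the real packets. The segment that triggered the policy has already been forwarded, and a reset whose sequence number falls outside the receiver's window is silently discarded, which is why the forged SEQ toward the client is taken from the ACK number the client itself just sent.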