QRadar Technical Blog: Using QRadar to check for WCry
After the events of the last few weeks you might wish to protect your network against a second invasion of the WannaCry malware. By all accounts the next instance may well be nastier than the first.
The first step is to download the WannaCry content pack from the IBM X-Force Exchange website - https://exchange.xforce.ibmcloud.com/. In order to complete the download you must have an IBM ID.
Once downloaded, login to QRadar, go to the Admin tab and click the Extensions Management icon. From this pop-up select ‘Add’ and then ‘Browse’ to the file that has been downloaded. Check the ‘install immediately’ box and click on Add to start the process. Follow the on-screen instructions to complete the task.
The App will install the following:
- Custom Functions (1)
- Custom Rules (9)
- Offense Types (1)
- Reference Data Keys (3)
- Reference Data Elements (495)
- QID Records (1)
The next step is to install the Threat Intelligence App, again available from the IBM X-Force Exchange website. Having downloaded the App, click on the Extensions Management icon in the Admin tab and click ‘Add’ then ‘Browse’, select the App, check the ‘install immediately’ box and ‘Add’.
This App requires two keys. The first is an authentication token obtained from the Authorized Services icon in the Admin tab. The other is the API key and password obtained from the IBM X-Force Exchange user panel under ‘Settings’.
Clicking on the Authorized Services icon in the Admin tab brings up a list of all previously created services. Click Add to bring up the pop-up to build a new service. Give the service a name and check the ‘no expiry’ box. Leave the other values as default and click the Create Service button. QRadar returns you to the services list and by highlighting the new service the token at the top of the panel can be copied and stored in a text file for use later.
The API Key and Password are obtained in a similar way. Open the IBM X-Force website as above and login. After logging in there will be a small ‘person’ icon at the top right hand corner. Click on this and X-Force will display a user details panel where there is the word ‘Settings’ in the bottom left hand corner. Click on this and a new panel opens with a menu to the left, the second entry of which is “API Access”. Click on this and the right hand side displays a field entitled “API Key” and a button that says Generate. Click on this button and the key value will change and a new field entitled “API Password” will be displayed. Copy both of these fields to your text file.
Now we have to activate the appropriate collection in X-Force. Return to X-Force Exchange and using the hamburger at the top left, select Home. This will display the home page which has a Collections column on the right hand side. We are looking for a collection named “WCry2 Ransomware Outbreak”. If it doesn’t appear in this column, enter “wcry” in the search bar and a list of matching entries will be displayed. Click on the entry for this collection and it will be opened in a new page giving information about the malware. At the top right hand corner there is a button that says ‘Follow’. Clicking this will ‘attach’ the collection to your UserID and the button text will change to ‘Following’.
We are now ready to add this collection into our Threat Intelligence App in QRadar.
Start the process by opening the Admin tab. From the menu on the left, click on “Plug-ins” and then when the list is displayed, click on “Threat Intelligence”. This will display an icon called “STIX/TAXII Configuration”. Click on this icon.
This will open up a panel where new intelligence feeds can be added. At the top there is a button named “Add Threat Feed” with a down arrow next to it. Clicking on the down arrow displays a menu with “Add TAXII Feed” and “Configuration” as entries. Start with Configuration. This brings up a panel where the previously created and saved authentication token is entered. Click Save to complete this step.
Now click on Add TAXII Feed. The next panel has an input box called TAXII Endpoint. In here type:
In the box underneath select “HTTP Basic” from the list and after doing this two more input boxes are displayed, “API Key” and “API Password”. Use the values obtained earlier and copy them into the panel and click “Discover”. A pop-up will be displayed requesting values for Collection, choose “XFE Public Collections I follow” from the list, Observable Type, choose IPv4 Address and click Next. The pop-up displayed will now have a list of Reference Sets available in QRadar. From the list select WCry_IP (this was created in the first step). Press Next to complete the process and show the final summary pop-up. Click Save to finish the process and return to the “Configured Threat Intelligence Feeds” panel.
There will now be an entry for the feed pointing to the Reference Set - WCry_IP. The feed will poll every 60 minutes for updates.
This can be repeated for the other three Observable Types: Host Name, File Name and File Hash. The applicable Reference Sets are WCry_HostName, WCry_FileName and WCry_FileHash respectively. This completes the four Observable Types.
Finally, the additional rule should be understood. It is named “WCry Detect” and uses 8 building blocks to look for matching values in events and flows seen in QRadar. The building blocks provide OR tests for file names, file hashes, IP addresses and host names, and trigger an alert if any match is found.
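To make the feed-to-reference-set mapping and the OR logic of the “WCry Detect” rule concrete, here is an added Python illustration. It is not IBM's code and does not use the QRadar or X-Force APIs; it models the four reference sets, a feed poll that routes each observable type into its set (as configured above), and a rule that fires when any field of an event or flow matches any set. Every indicator value, host name and record below is a constructed placeholder, not a real WannaCry IoC.

```python
"""Added illustration of the article's reference-set and detection-rule logic.
Not IBM's code; all indicator values here are constructed placeholders."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple

# Observable type -> reference set, mirroring the four feeds configured in the article.
OBSERVABLE_TO_REFSET = {
    "IPv4 Address": "WCry_IP",
    "Host Name": "WCry_HostName",
    "File Name": "WCry_FileName",
    "File Hash": "WCry_FileHash",
}

# Event/flow field -> reference set it is tested against (one OR branch each).
FIELD_TO_REFSET = {
    "src_ip": "WCry_IP",
    "dst_ip": "WCry_IP",
    "hostname": "WCry_HostName",
    "file_name": "WCry_FileName",
    "file_hash": "WCry_FileHash",
}


def normalise(refset: str, value: str) -> str:
    """Host names, file names and hashes are compared case-insensitively; IPs as-is."""
    value = value.strip()
    return value if refset == "WCry_IP" else value.lower()


@dataclass
class ReferenceSets:
    sets: Dict[str, Set[str]] = field(
        default_factory=lambda: {name: set() for name in OBSERVABLE_TO_REFSET.values()}
    )

    def ingest_feed(self, indicators: Iterable[Tuple[str, str]]) -> int:
        """Simulate one TAXII poll: add (observable_type, value) pairs to the
        matching reference set. Types with no configured feed are skipped.
        Returns the number of new elements added."""
        added = 0
        for obs_type, value in indicators:
            refset = OBSERVABLE_TO_REFSET.get(obs_type)
            if refset is None:
                continue
            norm = normalise(refset, value)
            if norm not in self.sets[refset]:
                self.sets[refset].add(norm)
                added += 1
        return added


def wcry_detect(record: Dict[str, str], refsets: ReferenceSets) -> List[Tuple[str, str]]:
    """The rule: OR across fields. Returns every (field, refset) match;
    a non-empty result means the rule fires and an offense is raised."""
    hits = []
    for fld, refset in FIELD_TO_REFSET.items():
        value = record.get(fld)
        if value is None:
            continue
        if normalise(refset, value) in refsets.sets[refset]:
            hits.append((fld, refset))
    return hits


def run_detection(records, refsets: ReferenceSets) -> Dict[int, List[Tuple[str, str]]]:
    """Run the rule over a batch of records; keyed by record id, firing records only."""
    results = {}
    for rec in records:
        hits = wcry_detect(rec, refsets)
        if hits:
            results[rec["id"]] = hits
    return results


# Constructed feed content (placeholders: documentation IP range, .invalid TLD, zero hash).
SAMPLE_FEED = [
    ("IPv4 Address", "198.51.100.23"),
    ("Host Name", "example-c2.invalid"),
    ("File Name", "wcry-placeholder.exe"),
    ("File Hash", "0" * 64),
    ("URL", "http://example.invalid/ignored"),  # no feed configured for URLs: skipped
]

# Constructed events/flows.
SAMPLE_RECORDS = [
    {"id": 1, "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23"},
    {"id": 2, "hostname": "EXAMPLE-C2.INVALID", "file_name": "notes.txt"},
    {"id": 3, "src_ip": "10.0.0.7", "file_hash": "0" * 64},
    {"id": 4, "src_ip": "10.0.0.8", "dst_ip": "10.0.0.9", "file_name": "report.pdf"},
]

if __name__ == "__main__":
    rs = ReferenceSets()
    print("elements added:", rs.ingest_feed(SAMPLE_FEED))
    for rec_id, hits in run_detection(SAMPLE_RECORDS, rs).items():
        print(f"offense on record {rec_id}: {hits}")
```

Note that the host name match on record 2 succeeds only because both the feed value and the event value are lowercased before comparison; when building reference sets in QRadar, check that the case handling of the set matches how your log sources report host names and file names, or matches will silently fail.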