Open access article

Automated Threat Hunting Using ELK Stack - A Case Study

2019; Volume: 10; Issue: 5 Language: English

10.21817/indjcse/2019/v10i5/191005008

ISSN

2231-3850

Authors

Moza Al Shibani, E. Anupriya

Topic(s)

User Authentication and Security Systems

Abstract

Modern threats are highly sophisticated and bypass conventional security tools, so static threat hunting methods are of little use. The alternative is to dynamically analyze a threat's entry into, and behavior inside, the network. Two popular approaches are machine-intelligent hunting software and monitoring of endpoint activity. Endpoint activity can be obtained from the system log using Sysmon. The event logs are filtered to eliminate normal day-to-day activity, and the suspicious events are forwarded to a server running the ELK stack. The server analyzes process creation, parent processes and their behavior, and a filter is applied on the server side to hunt the threats. As a case study, the following threats were injected into the victim client machine by a threat actor on another client:
1. malicious code that remotely accesses files on a shared drive and deletes them;
2. remote registry access that creates or deletes entries in the victim's registry;
3. malware that escalates privileges and deletes files.
The system identified all three threats and flagged each with an alert message. The complete system was implemented in a virtual Windows environment created with Oracle VM VirtualBox.

1. Introduction

In the modern world most day-to-day work, activities and procedures are automated, and the use of an organization's network or of the internet has become an indispensable work resource. On the other hand, technology developments have given threat actors newer, stealthier ways to invade a network and gain persistence in it. They use obfuscation techniques to defame, to damage or to extract a ransom. Common threats include computer viruses, rogue security software, Trojan horses, adware and spyware, computer worms, denial of service (DoS) and distributed denial of service (DDoS), phishing, rootkits, SQL injection and man-in-the-middle (MITM) attacks. In the current threat landscape nearly every system is infected by one type of malware or another. Malware is a generic term covering all kinds of malicious software, and the malware of today's digital world has been modernized. Contrary to traditional malware, modern malware is highly stealthy and focuses primarily on unknown vulnerabilities in the network; it attacks either randomly or against specific targets, and it is well engineered with a clear goal. Because of these characteristics, today's network defenses, such as intrusion prevention systems (IPS), antivirus software, firewalls, cloud-based alternatives and virtual private networks, are no longer sufficient to prevent modern malware from entering and persisting in the network. Firewalls can inspect and monitor ports but cannot inspect the communication that passes through those ports. IDS/IPS prevent attacks with the help of signatures of known threats; although the literature states that IDS/IPS also prevent unknown threats, in practice this is not the case. Unknown threats can be addressed only with a rich understanding of vulnerabilities, so both known and unknown vulnerabilities play a vital role in the threat plane. This requires anti-malware to be smart enough to critically analyze not only the network traffic but also the processes that spawn it. Signature- or list-based security alternatives alone may not be effective. Moreover, in the current threat scenario threat actors use newer, stealthier ways to invade a network and gain persistence in it. A plausible and easy way for threat actors is to masquerade as legitimate software such as PowerShell and Windows Management Instrumentation (WMI). By using these tools, modern malware deceives antivirus software and gets itself included in the network's whitelist. Such threats are stateless and fileless; one such threat is the fileless malware variant of modern malware.
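The abstract's pipeline (Sysmon process-creation events, an endpoint-side filter that drops normal day-to-day activity, then server-side rules over process, parent and command line) and the introduction's point about abuse of legitimate tools such as PowerShell can be modelled offline in a few dozen lines. The block below is an added example, not code from the paper or its authors: the event records, the baseline allowlist and the rules are constructed for illustration, and the field names (Image, ParentImage, CommandLine, User, IntegrityLevel) are those of Sysmon Event ID 1 as Winlogbeat flattens them. It goes slightly beyond the paper's three cases by also flagging an Office application spawning a shell and an encoded PowerShell command line.

```python
"""Added example (not from the paper): offline model of the
Sysmon -> endpoint filter -> ELK-side hunt pipeline described in the abstract.
Assumption: events are Sysmon Event ID 1 (process creation) records flattened
to JSON the way Winlogbeat ships them. Everything below is constructed."""
import json
import re

# Constructed sample events (not real telemetry). Two are benign baseline
# activity; three model the kind of behaviour the case study injects.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs",
     "User": "NT AUTHORITY\\SYSTEM", "IntegrityLevel": "System"},
    {"EventID": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA",
     "User": "LAB\\alice", "IntegrityLevel": "Medium"},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe add \\VICTIM01\HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\Public\u.exe",
     "User": "LAB\\alice", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c del /q \\FILESRV\Shared\reports\*.docx",
     "User": "LAB\\alice", "IntegrityLevel": "Medium"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": "LAB\\alice", "IntegrityLevel": "Medium"},
]

# Endpoint-side baseline: (parent, child) pairs that are normal day-to-day
# activity and are dropped before forwarding. Full lowercase paths are compared,
# so a rogue svchost.exe living in another directory would still be forwarded.
BASELINE_PAIRS = {
    (r"c:\windows\system32\services.exe", r"c:\windows\system32\svchost.exe"),
    (r"c:\windows\explorer.exe", r"c:\windows\system32\notepad.exe"),
}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def baseline_filter(events):
    """Endpoint side: drop events whose parent/child pair is on the allowlist."""
    return [e for e in events
            if (e["ParentImage"].lower(), e["Image"].lower()) not in BASELINE_PAIRS]


# Server-side rules. Names are illustrative; they are not the paper's rule names.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
ENCODED_PS = re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")
REMOTE_REG = re.compile(r"(?i)\b(add|delete|copy|save)\s+\\\\\w")      # reg.exe on \\host
REMOTE_DEL = re.compile(r"(?i)\b(del|erase|rd|rmdir)\b.*\\\\\w[\w.-]*\\")  # delete on a UNC share

RULES = {
    "office_spawns_shell": lambda e: _basename(e["ParentImage"]) in OFFICE_APPS
                                     and _basename(e["Image"]) in SHELLS,
    "encoded_powershell": lambda e: _basename(e["Image"]) == "powershell.exe"
                                    and ENCODED_PS.search(e["CommandLine"]) is not None,
    "remote_registry_write": lambda e: _basename(e["Image"]) == "reg.exe"
                                       and REMOTE_REG.search(e["CommandLine"]) is not None,
    "remote_share_delete": lambda e: REMOTE_DEL.search(e["CommandLine"]) is not None,
}
# The paper's third case (privilege escalation) needs correlation across events
# (e.g. a Medium-integrity parent producing a High-integrity child); a single
# Event ID 1 record carries only the child's IntegrityLevel, so it is not modelled here.


def hunt(events):
    """Server side: apply every rule to every forwarded process-creation event."""
    alerts = []
    for e in events:
        if e.get("EventID") != 1:
            continue
        for name, rule in RULES.items():
            if rule(e):
                alerts.append({"rule": name, "user": e["User"],
                               "parent": e["ParentImage"], "image": e["Image"],
                               "cmdline": e["CommandLine"]})
    return alerts


if __name__ == "__main__":
    for alert in hunt(baseline_filter(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

Run as a script it prints one JSON alert per rule hit: the Word-spawned encoded PowerShell trips two rules, the reg.exe write to \\VICTIM01 and the del on \\FILESRV one each, while the two baseline events never reach the server. In a real deployment the baseline allowlist belongs in the Sysmon configuration or the Winlogbeat drop processor, and the rules become Elasticsearch queries or Kibana alerts over the same fields; the caveat that matters is that an allowlist keyed on parent/child pairs only reduces volume and must not be mistaken for a verdict of benign.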
