Instrumentation & Measurement Magazine 25-6 - 35

ELK-Stack, we describe the data collected from one game scenario played on the cyber range platform on 22 December by 2 players for each team. For this specific scenario, the focus is on the event logs (system logs and security logs) as well as the network traffic. To this end, logs are saved to match the objectives of the scenario, in which a malicious actor has the goal of infiltrating as many networks as he/she is able to.

A security event is detailed in Fig. 2, Fig. 3, Fig. 4 and Fig. 5. Starting with a top-level overview, Fig. 2 shows a time series of the logs over 24 hours. The red bar represents the security-related logs, which can be an indication of malicious actions; these logs therefore require further investigation.
User authentication logs can show whether a malicious actor is systematically probing the system with brute force attacks to guess the password. Fig. 3 displays the high number of failed login attempts, from which it can be perceived that something malicious is happening. Therefore, knowing the host's baseline activity and its users, further investigation is used to identify which user created the failed login attempts. These attempts were coming from a non-registered account, which is a clear indicator of an attack.
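The check described above, written out as an added example (this is not code from the article or from the ELK project): a small detector that parses OpenSSH-style authentication lines, counts failures per source address in a sliding window, and compares the attempted usernames against the host's baseline of registered accounts, so that attempts against accounts that do not exist are reported as the strong indicator the text describes. The log lines, the `REGISTERED_USERS` baseline, the threshold and the year used to complete the syslog timestamps are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog format (not taken from the article).
SAMPLE_AUTH_LOG = """\
Dec 22 10:00:01 host1 sshd[2001]: Accepted password for alice from 10.91.244.20 port 51000 ssh2
Dec 22 10:03:40 host1 sshd[2002]: Failed password for alice from 10.91.244.20 port 51002 ssh2
Dec 22 10:03:47 host1 sshd[2003]: Accepted password for alice from 10.91.244.20 port 51002 ssh2
Dec 22 10:05:10 host1 sshd[2010]: Failed password for invalid user admin from 10.91.244.7 port 40001 ssh2
Dec 22 10:05:11 host1 sshd[2011]: Failed password for invalid user admin from 10.91.244.7 port 40002 ssh2
Dec 22 10:05:13 host1 sshd[2012]: Failed password for root from 10.91.244.7 port 40003 ssh2
Dec 22 10:05:14 host1 sshd[2013]: Failed password for root from 10.91.244.7 port 40004 ssh2
Dec 22 10:05:16 host1 sshd[2014]: Failed password for invalid user test from 10.91.244.7 port 40005 ssh2
Dec 22 10:05:18 host1 sshd[2015]: Failed password for root from 10.91.244.7 port 40006 ssh2
Dec 22 10:05:20 host1 sshd[2016]: Failed password for root from 10.91.244.7 port 40007 ssh2
Dec 22 10:05:25 host1 sshd[2017]: Failed password for root from 10.91.244.7 port 40008 ssh2
Dec 22 10:05:40 host1 sshd[2018]: Accepted password for root from 10.91.244.7 port 40009 ssh2
"""

# Baseline of accounts that are supposed to exist on host1 (constructed assumption).
REGISTERED_USERS = {"alice", "bob", "root"}

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_auth_line(line, year=2021):
    """Return a dict for one sshd login line, or None if the line is not a login event."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; the year is an assumed constant here
    ev["ts"] = datetime.strptime(f"{ev['ts']} {year}", "%b %d %H:%M:%S %Y")
    return ev


def detect_brute_force(lines, registered_users, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with >= threshold failures inside `window`; enrich with the accounts tried."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "unregistered": set(),
                                 "first_failed": None, "success_after": None})
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    flagged = set()
    for line in lines:
        ev = parse_auth_line(line)
        if ev is None:
            continue
        src, s = ev["src"], stats[ev["src"]]
        if ev["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(ev["user"])
            if ev["user"] not in registered_users:
                s["unregistered"].add(ev["user"])     # account does not exist on the host
            s["first_failed"] = s["first_failed"] or ev["ts"]
            q = recent[src]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:            # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                flagged.add(src)
        elif src in flagged and s["success_after"] is None:
            # a success from an already-flagged source: the guessing likely worked
            s["success_after"] = (ev["user"], ev["ts"])
    return {src: stats[src] for src in flagged}


if __name__ == "__main__":
    for src, info in detect_brute_force(SAMPLE_AUTH_LOG.splitlines(), REGISTERED_USERS).items():
        print(src, info["failed"], "failures; unregistered accounts tried:", sorted(info["unregistered"]),
              "; success afterwards:", info["success_after"])
```

The `unregistered` set is what turns a noisy "many failures" signal into the clear indicator the text mentions: a legitimate user mistyping a password never produces attempts against accounts that do not exist on the host, and a success from the same source after the burst is worth an immediate look.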
Following the failed logins, an unauthorized user with "root" permissions generates a lot of events, as depicted in Fig. 4. If the root user opens files and executes unusual commands, it is assumed that he/she tries to scan the network using the "nmap" command. Furthermore, an unusual script called "evil.py" is created or edited on the system.
Regarding the IP-related logs, we can observe that the user tries to change the routing configuration. As the attacker tries to exploit the compromised machine as a stepping stone to move into another network, he adds a routing command that will permit him to access the 10.39.254.0/24 network, while the traffic will be routed via 10.91.244.7 (Fig. 5).
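As an added example (not code from the article or from the ELK project), the following walks a stream of command-audit records for the host and maps them onto the three stages the text describes: network scanning with nmap, creation or editing of a script such as evil.py, and a manual route addition. For the route, it extracts the destination network and gateway and checks whether the destination lies outside the networks the host is attached to while the gateway sits on the host's own segment, which is what using the machine as a stepping stone looks like in the logs. The JSON-lines record format, the `HOST_NETWORKS` baseline and the lists of recon and editing tools are constructed assumptions; only nmap, evil.py and the two addresses come from the page.

```python
import ipaddress
import json
import re
from datetime import datetime

# Constructed command-audit records (JSON lines), not taken from the article; a real
# deployment would ship such records from auditd or shell history into ELK.
SAMPLE_COMMAND_LOG = """\
{"ts": "2021-12-22T10:06:01", "host": "host1", "user": "root", "cmd": "cat /etc/hosts"}
{"ts": "2021-12-22T10:06:30", "host": "host1", "user": "root", "cmd": "nmap -sn 10.39.254.0/24"}
{"ts": "2021-12-22T10:08:12", "host": "host1", "user": "root", "cmd": "vi /tmp/evil.py"}
{"ts": "2021-12-22T10:09:05", "host": "host1", "user": "root", "cmd": "ip route add 10.39.254.0/24 via 10.91.244.7"}
{"ts": "2021-12-22T10:09:40", "host": "host1", "user": "root", "cmd": "ls -la /tmp"}
"""

# Networks host1 is legitimately attached to (constructed baseline).
HOST_NETWORKS = ["10.91.244.0/24"]

RECON_TOOLS = {"nmap"}                                            # the tool named on the page
EDIT_TOOLS = {"vi", "vim", "nano", "touch", "cat", "chmod", "python", "python3"}
ROUTE_RE = re.compile(
    r"^(?:ip route add (?P<d1>\S+) via (?P<g1>\S+)"
    r"|route add -net (?P<d2>\S+)(?: netmask (?P<m2>\S+))? gw (?P<g2>\S+))"
)


def parse_route_add(cmd):
    """Return (destination, gateway) for a manual route addition, else None."""
    m = ROUTE_RE.match(cmd.strip())
    if not m:
        return None
    if m.group("d1"):
        return m.group("d1"), m.group("g1")
    dest = m.group("d2") + ("/" + m.group("m2") if m.group("m2") else "")
    return dest, m.group("g2")


def classify_command(cmd):
    """Tag a command line with the attack stage it suggests, or None when it looks routine."""
    tokens = cmd.split()
    if not tokens:
        return None
    if tokens[0] in RECON_TOOLS:
        return "recon"
    if tokens[0] in EDIT_TOOLS and any(t.endswith((".py", ".sh")) for t in tokens[1:]):
        return "script_edit"
    if parse_route_add(cmd):
        return "route_change"
    return None


def is_pivot_route(dest, gateway, host_networks):
    """True when the route reaches a network the host is not attached to, via a
    gateway on the host's own segment: the stepping-stone pattern from the text."""
    dest_net = ipaddress.ip_network(dest, strict=False)
    gw = ipaddress.ip_address(gateway)
    local = [ipaddress.ip_network(n) for n in host_networks]
    foreign_dest = not any(dest_net.overlaps(n) for n in local)
    gw_local = any(gw in n for n in local)
    return foreign_dest and gw_local


def map_intentions(lines, host_networks):
    """Walk the audit records in order and return the flagged stages with context."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        stage = classify_command(rec["cmd"])
        if stage is None:
            continue
        finding = {"ts": datetime.fromisoformat(rec["ts"]), "user": rec["user"],
                   "stage": stage, "cmd": rec["cmd"], "detail": {}}
        if stage == "route_change":
            dest, gw = parse_route_add(rec["cmd"])
            finding["detail"] = {"dest": dest, "gateway": gw,
                                 "pivot": is_pivot_route(dest, gw, host_networks)}
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in map_intentions(SAMPLE_COMMAND_LOG.splitlines(), HOST_NETWORKS):
        print(f["ts"].isoformat(), f["user"], f["stage"], f["cmd"], f["detail"])
```

Ordering matters for the analyst: the same three tags seen as recon, then script edit, then route change from one account within minutes tell a story that none of them tells alone, which is why the function preserves the sequence instead of returning counts.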
The game scenario described here is simpler than a real attack, as it is expected that in real life the attacks will be more sophisticated. Nonetheless, the game still demonstrates the efficacy of the tools and the viability of the approach.
Although the demonstrated tools are suitable for detecting malicious activity, another challenge that needs to be addressed is the tendency towards false positives/negatives. False positives can have multiple causes, for example: the lack of a baseline, as it is hard to determine what is considered normal activity in the specific context; incorrectly labeled data, which can affect the detection of malicious activities; and ill-tuned alert rules that are either too specific or too broad. Therefore, ELK focuses more on the behavior than on the tools, by configuring rules that are independent of the data source and facilitate the detection of attack indicators.
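To make the three causes above concrete, here is an added example (not from the article or the ELK project) that normalizes failed-login records from two different sources onto a handful of ECS-style field names, then scores three alert rules against labelled data: one that is too broad (any failure alerts), one that is too specific and tied to one source's message text, and one behavioral rule that compares the failure count per host and source address against a per-host baseline. The records, the labels, the `BASELINE` values (treated as learned from earlier days) and the rule thresholds are constructed assumptions; the Windows event ID 4625 and its `TargetUserName`/`IpAddress` fields are real names, used here only as an example input shape.

```python
import re
from collections import defaultdict


def linux_event(host, msg, label):
    return {"source": "linux", "host": host, "msg": msg, "label": label}


def windows_event(host, user, ip, label):
    return {"source": "windows", "host": host, "EventID": 4625,
            "TargetUserName": user, "IpAddress": ip, "label": label}


# Constructed, pre-labelled failed-login records from two source formats.
RAW_EVENTS = (
    [linux_event("host1", "Failed password for alice from 10.91.244.20", "benign")] * 2
    + [linux_event("host1", f"Failed password for invalid user {u} from 10.91.244.7", "malicious")
       for u in ("admin", "admin", "test", "guest", "oracle", "backup")]
    + [windows_event("win1", "bob", "10.91.244.21", "benign")]
    + [windows_event("win1", u, "10.91.244.7", "malicious")
       for u in ("Administrator",) * 4 + ("svc", "sql", "guest")]
)

# Failed logins per host that are normal inside the evaluation window (assumed to have
# been learned from previous days' data).
BASELINE = {"host1": 3, "win1": 2}

LINUX_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")


def normalize(raw):
    """Map a raw record onto ECS-style fields so rules never touch the source format."""
    if raw["source"] == "linux":
        user, src = LINUX_RE.search(raw["msg"]).groups()
        return {"host.name": raw["host"], "user.name": user, "source.ip": src,
                "event.outcome": "failure", "raw": raw["msg"], "label": raw["label"]}
    if raw["source"] == "windows":
        return {"host.name": raw["host"], "user.name": raw["TargetUserName"],
                "source.ip": raw["IpAddress"],
                "event.outcome": "failure" if raw["EventID"] == 4625 else "success",
                "raw": f"EventID={raw['EventID']}", "label": raw["label"]}
    raise ValueError(f"unknown source {raw['source']}")


# Each rule sees the events of one (host, source IP) pair and answers: alert or not?
def rule_too_broad(group, baseline):
    return any(e["event.outcome"] == "failure" for e in group)


def rule_too_specific(group, baseline):
    # Keyed on a Linux message fragment: it can never fire on the Windows source.
    return any("invalid user" in e["raw"] for e in group)


def rule_behavioral(group, baseline):
    failures = sum(e["event.outcome"] == "failure" for e in group)
    return failures > baseline.get(group[0]["host.name"], 0)


RULES = {"too_broad": rule_too_broad, "too_specific": rule_too_specific,
         "behavioral": rule_behavioral}


def evaluate(raw_events, rules=RULES, baseline=BASELINE):
    """Score every rule against the labels; returns {rule: {"tp": .., "fp": .., "fn": ..}}."""
    groups = defaultdict(list)
    for ev in map(normalize, raw_events):
        groups[(ev["host.name"], ev["source.ip"])].append(ev)
    scores = {}
    for name, rule in rules.items():
        tp = fp = fn = 0
        for group in groups.values():
            truth = any(e["label"] == "malicious" for e in group)
            fired = bool(rule(group, baseline))
            tp += fired and truth
            fp += fired and not truth
            fn += truth and not fired
        scores[name] = {"tp": tp, "fp": fp, "fn": fn}
    return scores


if __name__ == "__main__":
    for name, score in evaluate(RAW_EVENTS).items():
        print(f"{name:13s} {score}")
```

The broad rule pays for its recall with two false positives (users mistyping a password), the source-specific rule misses the whole Windows burst, and only the baseline-aware rule, which reads normalized fields and a per-host expectation, gets both attacks with no false alarms; that is the practical content of "focus on the behavior rather than the tools".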
Fig. 3. Brute force attack example.
Fig. 4. Used commands during incident.
Fig. 5. Routing command for pivoting.
September 2022

Conclusion
This article discusses the objectives of an SOC for monitoring an infrastructure and presents the ELK-Stack and its use in this context, while the different log sources are presented according to their information and priority. In addition, the ELK-Stack in action is showcased, where a cyber incident was detected and the attacker's intentions were mapped. During the game scenario, we are able to log network traffic, authentication attempts, used commands, files and accessed applications. These logs are an indicator of the malicious actions taken to gain control of a system by guessing its password, and then how it is used as a stepping stone to attack other