Research area: Safety
Venue: 2021 13th International Conference on Electronics, Computers and Artificial Intelligence (ECAI)
Nowadays, when computer technology plays an important role in our lives, attackers develop new techniques and tools that target these systems. Over time, hundreds of papers have been written on security methods that help detect attackers inside corporate environments. Unfortunately, many of them now seem obsolete, or at least not very efficient, for a few simple reasons: they focused on either network or endpoint security, not both, and they are simplistic and easy to bypass. In response to these deficiencies, a combined implementation using a mix of proactive techniques and threat anticipation mechanisms would bring fast detection and rapid response by leveraging automation technologies. This new approach is applicable to small and mid-size enterprises and includes the ELK stack integrated with a robust security technology stack, as well as different open-source Threat Intelligence platforms. Thus, we put together an exhaustive system for cyber-attack detection and analysis at both the network and endpoint level. In this paper, we carried out a series of attacks specific to an Advanced Persistent Threat (APT), using techniques from the MITRE ATT&CK matrix, which were detected using the ELK stack. We integrated Elasticsearch with VirusTotal to automatically query the hashes of some malicious files. In addition, we enriched the network logs with geolocation information through the GeoIP processor in Logstash. Moreover, the integration of the ELK stack with the Malware Information Sharing Platform (MISP) allowed us to perform real-time searches and enrichments for indicators of compromise (IOCs). Lastly, with the help of Machine Learning algorithms in Elasticsearch, we were able to identify anomalies in the network traffic (DNS/HTTP data exfiltration).
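The abstract describes enriching ELK events in real time against MISP indicators of compromise. The following is an added illustration of that enrichment step, not code from the paper or from the MISP or Elastic projects: it indexes a constructed, MISP-shaped attribute list (type, value, event_id) and tags constructed endpoint and network events whose hash, destination IP or queried domain (including parent domains) matches an indicator. The field names, the indicator values and the `threat.*` output keys are assumptions chosen for the example.

```python
"""Added example: IOC enrichment of endpoint/network events against a
MISP-style indicator list. Constructed data only; not the paper's code."""

# Constructed IOC attributes in the shape MISP exports (type, value, event_id).
# The values are placeholders, not real indicators.
MISP_ATTRIBUTES = [
    {"type": "sha256", "value": "a" * 64, "event_id": 101},
    {"type": "ip-dst", "value": "203.0.113.7", "event_id": 102},
    {"type": "domain", "value": "exfil.example.invalid", "event_id": 103},
]

# Constructed sample events as an ELK-style pipeline might carry them.
SAMPLE_EVENTS = [
    {"host": "ws01", "file.hash.sha256": "a" * 64, "event.action": "file-create"},
    {"host": "ws02", "destination.ip": "203.0.113.7", "destination.port": 443},
    {"host": "ws03", "dns.question.name": "data.exfil.example.invalid"},
    {"host": "ws04", "destination.ip": "192.0.2.10"},
]

# Which event field carries which MISP attribute type (assumed mapping).
FIELD_TYPES = {
    "file.hash.sha256": "sha256",
    "destination.ip": "ip-dst",
    "dns.question.name": "domain",
}


def build_index(attributes):
    """Index IOCs by (type, lowercased value) for constant-time lookups."""
    return {(a["type"], a["value"].lower()): a for a in attributes}


def domain_candidates(name):
    """Yield the name and each parent domain, stopping before the bare TLD,
    e.g. 'a.b.c' -> 'a.b.c', 'b.c'. This lets a domain indicator match
    the subdomains typically used for DNS exfiltration."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def enrich(event, index):
    """Return a copy of the event with threat.* fields added on IOC hits."""
    out = dict(event)
    hits = []
    for fld, ioc_type in FIELD_TYPES.items():
        if fld not in event:
            continue
        value = str(event[fld]).lower()
        candidates = domain_candidates(value) if ioc_type == "domain" else [value]
        for cand in candidates:
            attr = index.get((ioc_type, cand))
            if attr:
                hits.append({"field": fld, "indicator": cand,
                             "misp_event": attr["event_id"]})
                break
    if hits:
        out["threat.indicator.matched"] = True
        out["threat.matches"] = hits
    return out


def enrich_all(events, attributes):
    """Enrich every event against the indicator list and return the results."""
    index = build_index(attributes)
    return [enrich(e, index) for e in events]


if __name__ == "__main__":
    for enriched in enrich_all(SAMPLE_EVENTS, MISP_ATTRIBUTES):
        print(enriched)
```

In a real deployment the attribute list would be refreshed from MISP on a schedule and the enrichment run as a pipeline stage before indexing, so that analysts can filter on `threat.indicator.matched` in Kibana; the parent-domain walk is what makes a single domain indicator catch the many subdomain labels a DNS exfiltration channel generates.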
| Year published | 2021 |
|---|---|
| Citations | 11 |
| Country of publication | Romania |
| Site | IEEE |
| Likes | 0 |