APPLIED CYBER OPERATIONS CAPSTONE REPORT

NAVAL POSTGRADUATE SCHOOL
MONTEREY, CALIFORNIA

APPLIED CYBER OPERATIONS CAPSTONE REPORT

SIEM-ENABLED CYBER EVENT CORRELATION (WHAT AND HOW)

by
Fidel E. Christopher and Kurt J. Myers

September 2018

Project Advisors: John D. Fulp
                  Gurminder Singh

Approved for public release. Distribution is unlimited.

REPORT DOCUMENTATION PAGE (Form Approved OMB No. 0704-0188)

1. AGENCY USE ONLY: (Leave blank)
2. REPORT DATE: September 2018
3. REPORT TYPE AND DATES COVERED: Applied Cyber Operations Capstone Report
4. TITLE AND SUBTITLE: SIEM-ENABLED CYBER EVENT CORRELATION (WHAT AND HOW)
5. FUNDING NUMBERS:
6. AUTHOR(S): Fidel E. Christopher and Kurt J. Myers
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES): Naval Postgraduate School, Monterey, CA 93943-5000
8. PERFORMING ORGANIZATION REPORT NUMBER:
9. SPONSORING / MONITORING AGENCY NAME(S) AND ADDRESS(ES): N/A
10. SPONSORING / MONITORING AGENCY REPORT NUMBER:
11. SUPPLEMENTARY NOTES: The views expressed in this thesis are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.
12a. DISTRIBUTION / AVAILABILITY STATEMENT: Approved for public release. Distribution is unlimited.
12b. DISTRIBUTION CODE: A
13. ABSTRACT (maximum 200 words): This capstone evaluates the capabilities and potential usefulness of a Security Information and Event Management (SIEM) system in the detection of malicious network activities. The emphasis of this project was to select and configure a Free and Open Source SIEM (FOSS) to perform automated detection and alerting of malicious network events, based upon predefined indicators of compromise. To test these functionalities, a virtual lab network consisting of a combination of Windows servers and Windows and Linux workstations was built to provide a proof of concept environment for testing the chosen FOSS SIEM. From within the lab network, a series of malicious cyber actions were executed to evaluate how well our configured FOSS solution detected and reported them. As SIEM solutions are increasingly deployed to help automate cyber defense, we hope this study motivates the adoption of FOSS solutions by organizations that may not be able to afford a commercial solution, or—perhaps—may simply prefer the advantages of free and open-source solutions.
14. SUBJECT TERMS: Security Information and Event Management, incident detection, log analysis
15. NUMBER OF PAGES: 133
16. PRICE CODE:
17. SECURITY CLASSIFICATION OF REPORT: Unclassified
18. SECURITY CLASSIFICATION OF THIS PAGE: Unclassified
19. SECURITY CLASSIFICATION OF ABSTRACT: Unclassified
20. LIMITATION OF ABSTRACT: UU

Standard Form 298 (Rev. 2-89), Prescribed by ANSI Std. 239-18, NSN 7540-01-280-5500

Approved for public release. Distribution is unlimited.

SIEM-ENABLED CYBER EVENT CORRELATION (WHAT AND HOW)

PO1 Fidel E. Christopher (USN) and CPO Kurt J. Myers (USN)

Submitted in partial fulfillment of the requirements for the degree of
MASTER OF SCIENCE IN APPLIED CYBER OPERATIONS
from the
NAVAL POSTGRADUATE SCHOOL
September 2018

Reviewed by:
John D. Fulp, Project Advisor
Gurminder Singh, Project Advisor

Accepted by:
Dan C. Boger, Chair, Department of Information Sciences

ABSTRACT

This capstone evaluates the capabilities and potential usefulness of a Security Information and Event Management (SIEM) system in the detection of malicious network activities. The emphasis of this project was to select and configure a Free and Open Source SIEM (FOSS) to perform automated detection and alerting of malicious network events based upon predefined indicators of compromise. To test these functionalities, a virtual lab network consisting of a combination of Windows servers and Windows and Linux workstations was built to provide a proof-of-concept environment for testing the chosen FOSS SIEM. From within the lab network, a series of malicious cyber actions were executed to evaluate how well our configured FOSS solution detected and reported them. As SIEM solutions are increasingly deployed to help automate cyber defense, we hope this study motivates the adoption of FOSS solutions by organizations that may not be able to afford a commercial solution, or—perhaps—may simply prefer the advantages of free and open-source solutions.

TABLE OF CONTENTS

I. INTRODUCTION
   A. WHAT IS A SIEM?
   B. EVENT LOGS
   C. AGGREGATION
   D. NORMALIZATION
   E. CORRELATION
II. COMPARE AND CONTRAST OF OPEN-SOURCE SIEMS
   A. PRELUDE
      1. Components
      2. Offered Features
      3. Ability to Integrate with Other Products
      4. Minimum System Requirements
      5. Compatible Host OSes
      6. Ability to Generate Reports
      7. Documentation
   B. OSSIM
      1. Components
      2. Offered Features
      3. Ability to Integrate with Other Products and Systems
      4. Minimum System Requirements
      5. Compatible Host OS
      6. Ability to Generate Reports
      7. Documentation
   C. ELK
      1. Components
      2. Offered Features
      3. Ability to Integrate with Other Products and Systems
      4. Minimum System Requirements
      5. Compatible Host OS
      6. Ability to Generate Reports
      7. Documentation
III. CHOSEN SIEM
   A. PACKET CAPTURE
   B. NIDS AND HIDS
   C. NETWORK ANALYSIS TOOLS
IV. VIRTUAL TESTBED NETWORK
   A. BUILDING A SIEM TESTBED NETWORK
      1. Hardware
      2. Network Backbone
      3. Software
   B. NETWORK TOPOLOGY
V. ELK AND SECURITY ONION INSTALLATION AND CONFIGURATION
   A. GATHERING RESOURCES
      1. Building the Virtual Machine
      2. Downloading Security Onion
   B. SECURITY ONION INSTALLATION
   C. SECURITY ONION CONFIGURATION AND ELK INSTALLATION
      1. Security Onion Update
      2. Setup Script Round 1: Initial Network Configuration
      3. Setup Script Round 2: ELK Installation and Configuration
      4. Additional Configurations
   D. ELK CONFIGURATION
      1. Elasticsearch
      2. Logstash
      3. Kibana
VI. OSSEC INSTALLATION AND CONFIGURATION
   A. AGENT MANAGEMENT ON SECURITY ONION
   B. AGENT INSTALLATION AND CONFIGURATION ON LINUX
   C. AGENT INSTALLATION AND CONFIGURATION ON WINDOWS
   D. VERIFICATION OF OSSEC AGENT COMMUNICATION FROM CLIENT TO SIEM
VII. INCIDENT DETECTION AND CORRELATION WITH ELK
   A. MALICIOUS ACTIVITY CORRELATION
      1. Port Scan
      2. Online Password Cracking Attack
      3. Web Server Attack
      4. Windows Server Exploitation
   B. FALSE POSITIVES AND FALSE NEGATIVES
VIII. SUMMARY, CONCLUSION, AND FUTURE WORK
   A. SUMMARY
   B. CONCLUSION
   C. FUTURE WORK
APPENDIX A. SNORT PRIORITIES
APPENDIX B. OSSEC RULE CLASSIFICATION LEVELS
LIST OF REFERENCES
INITIAL DISTRIBUTION LIST

LIST OF FIGURES

Figure 1. Testbed Network Diagram
Figure 2. etc/network/interfaces configuration
Figure 3. ufw firewall configuration
Figure 4. List of Shards
Figure 5. List of template.json Files
Figure 6. /etc/logstash directory
Figure 7. Kibana Login Page
Figure 8. Kibana Overview Dashboard
Figure 9. Time range tab
Figure 10. Auto-refresh tab
Figure 11. Settings under the "Edit" Tab
Figure 12. Sharing Dashboards and Snapshots
Figure 13. Kibana Home Page
Figure 14. Discovery Page
Figure 15. Visualize Page