Configuring ELK Stack

As part of the Cybersecurity Operations & Threat Intelligence Module, our team was tasked with simulating cyber attacks and implementing a detection strategy using a Security Information and Event Management (SIEM) system. My primary responsibilities included setting up the demonstration environment, simulating ransomware and phishing attacks, and configuring the SIEM to detect these threats. This was my first time setting up and working with a SIEM, and it proved to be an invaluable learning experience.
Setting Up the Demonstration Environment
One of my key contributions was setting up the demonstration environment, which included the following components:
- DVWA (Damn Vulnerable Web Application): Used to simulate web application vulnerabilities and attacks.
- ELK Stack (Elasticsearch, Logstash, Kibana): Chosen as our SIEM tool for log aggregation, analysis, and visualization.
- Windows Host: Configured to send logs to the SIEM for monitoring and analysis.
Challenges and Learning Points:
- Integration of Components: Ensuring that all components (DVWA, ELK Stack, and Windows Host) communicated effectively was challenging. I learned the importance of proper network configuration and the role of log forwarding agents (e.g., Winlogbeat for Windows) in sending logs to the SIEM.
- ELK Stack Configuration: Configuring Elasticsearch, Logstash, and Kibana required a deep dive into their documentation. I gained hands-on experience in setting up pipelines in Logstash to parse and enrich logs, and creating dashboards in Kibana for real-time monitoring.
Simulating Ransomware Attacks
For the ransomware simulation, I focused on detecting unauthorized access to multiple files, which is a common indicator of ransomware activity. Here’s how I approached it:
- Simulation: I used a script to simulate rapid access to multiple files on the Windows host, mimicking ransomware behavior.
- SIEM Detection: I configured an alert in Kibana to trigger when a user or process accessed an unusually high number of files within a short time frame. This involved writing a custom rule using Elasticsearch Query Language (ES|QL).
Learning Points:
- Indicator of Compromise (IoC): I learned how to identify key IoCs for ransomware, such as rapid file access and encryption patterns.
- Alert Tuning: Initially, the alert generated false positives. I learned the importance of fine-tuning alert thresholds to balance sensitivity and specificity.
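The condition behind the ransingware alert (many distinct files touched by one process in a short window) can be exercised outside Kibana. The following is an added example, not code from the project above: it runs the same sliding-window threshold over constructed events shaped roughly like Winlogbeat's output for Windows Security event 4663 (object access). The field layout, the user "alice", the process name "locker.exe" and the timestamps are all assumptions made for the demonstration, and the default threshold of 20 files in 10 seconds is a starting point to tune, not a recommendation.

```python
from collections import deque
from datetime import datetime, timedelta


def _winlogbeat_4663(ts, process, path, user="alice"):
    """Build a constructed document shaped like Winlogbeat's output for Windows
    Security event 4663 (an attempt was made to access an object). The field
    layout is an assumption for this example, not captured output."""
    return {
        "@timestamp": ts.isoformat(),
        "winlog": {
            "event_id": "4663",
            "event_data": {
                "SubjectUserName": user,
                "ProcessName": process,
                "ObjectName": path,
                "AccessMask": "0x2",  # WriteData / AddFile
            },
        },
    }


BASE = datetime(2024, 3, 1, 9, 0, 0)

# Constructed sample events (not captured from the lab host): explorer.exe opens
# three documents spread over a minute, while a hypothetical "locker.exe" writes
# to 25 distinct spreadsheets within about seven seconds.
SAMPLE_EVENTS = [
    _winlogbeat_4663(BASE + timedelta(seconds=20 * i),
                     r"C:\Windows\explorer.exe",
                     rf"C:\Users\alice\Documents\report{i}.docx")
    for i in range(3)
] + [
    _winlogbeat_4663(BASE + timedelta(seconds=30, milliseconds=300 * i),
                     r"C:\Users\alice\AppData\Local\Temp\locker.exe",
                     rf"C:\Users\alice\Documents\sheet{i}.xlsx")
    for i in range(25)
]


def detect_mass_file_access(events, threshold=20, window_seconds=10):
    """Raise one alert per (process, user) pair that touches more than
    `threshold` distinct files inside any sliding window of `window_seconds`.

    This is the condition a Kibana threshold rule expresses when it groups
    4663 events by process and checks the cardinality of ObjectName; doing it
    in Python lets the thresholds be tried out against sample data."""
    windows = {}    # (process, user) -> deque of (timestamp, path)
    alerted = set()
    alerts = []
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["@timestamp"]))
    for ev in ordered:
        if ev.get("winlog", {}).get("event_id") != "4663":
            continue
        data = ev["winlog"]["event_data"]
        key = (data["ProcessName"], data["SubjectUserName"])
        ts = datetime.fromisoformat(ev["@timestamp"])
        window = windows.setdefault(key, deque())
        window.append((ts, data["ObjectName"]))
        # Discard events that have fallen out of the sliding window.
        while ts - window[0][0] > timedelta(seconds=window_seconds):
            window.popleft()
        distinct_files = {path for _, path in window}
        if len(distinct_files) > threshold and key not in alerted:
            alerted.add(key)   # one alert per offender, not one per event
            alerts.append({
                "process": key[0],
                "user": key[1],
                "distinct_files": len(distinct_files),
                "window_start": window[0][0].isoformat(),
                "window_end": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_file_access(SAMPLE_EVENTS):
        print(alert)
```

With the defaults only the hypothetical locker.exe fires; lowering the threshold to 2 files in 60 seconds makes explorer.exe fire as well, which is the kind of false positive the tuning step above is about.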
Simulating Phishing Attacks
For the phishing simulation, I integrated threat intelligence from Group IB, which provided a list of known phishing URLs. Here’s how I implemented the detection:
- Threat Intelligence Integration: I imported the list of phishing URLs into the SIEM and used Packetbeat on the Windows host to monitor outbound connections.
- Detection: I configured the SIEM to alert when a user attempted to connect to a known phishing domain. This involved creating a correlation rule in Kibana to match outbound connections with the threat intelligence data.
Learning Points:
- Threat Intelligence: I gained experience in integrating external threat intelligence feeds into a SIEM and using them to enhance detection capabilities.
- Packetbeat Configuration: I learned how to configure Packetbeat to capture and forward network traffic logs to the SIEM, which was crucial for detecting phishing attempts.
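The correlation described above, matching outbound connections against a list of known phishing domains and URLs, is shown here as an added example rather than code from the project: it reduces domain and URL indicators to host names and matches them against constructed DNS, HTTP and flow documents in an assumed Packetbeat-like layout (dns.question.name, url.full, destination.domain). The indicator values, the host names and the field layout are all invented for the demonstration (reserved .example names are used so nothing resolves); they are not Group IB data.

```python
from urllib.parse import urlparse

# Constructed indicator entries standing in for a threat-intelligence feed.
# Hypothetical values, not Group IB data; .example is reserved and never resolves.
PHISHING_INDICATORS = [
    {"type": "domain", "value": "login-secure-update.example"},
    {"type": "url", "value": "http://invoice-portal.example/pay/index.php"},
    {"type": "domain", "value": "Account-Verify.EXAMPLE."},  # mixed case, trailing dot
]

# Constructed documents in an assumed Packetbeat-like layout: DNS queries carry
# dns.question.name, HTTP transactions carry url.full, other flows carry
# destination.domain. Field names are an assumption, not captured output.
SAMPLE_EVENTS = [
    {"type": "dns", "host": {"name": "alice-pc"},
     "dns": {"question": {"name": "mail.login-secure-update.example"}}},
    {"type": "http", "host": {"name": "alice-pc"},
     "url": {"full": "http://invoice-portal.example/pay/index.php?s=1"}},
    {"type": "dns", "host": {"name": "bob-pc"},
     "dns": {"question": {"name": "intranet.corp.example"}}},
    {"type": "dns", "host": {"name": "bob-pc"},
     "dns": {"question": {"name": "account-verify.example."}}},
    # Suffix trap: a naive endswith("login-secure-update.example") would flag
    # this unrelated domain; matching on whole labels must not.
    {"type": "dns", "host": {"name": "bob-pc"},
     "dns": {"question": {"name": "notlogin-secure-update.example"}}},
    {"type": "flow", "host": {"name": "carol-pc"},
     "destination": {"domain": "cdn.corp.example", "ip": "203.0.113.10"}},
]


def normalise_host(host):
    """Canonical form used on both sides of the match: lower case, no trailing dot."""
    return host.strip().lower().rstrip(".")


def build_indicator_set(indicators):
    """Reduce URL and domain indicators to one set of normalised host names."""
    hosts = set()
    for ind in indicators:
        if ind["type"] == "domain":
            hosts.add(normalise_host(ind["value"]))
        elif ind["type"] == "url":
            hostname = urlparse(ind["value"]).hostname
            if hostname:
                hosts.add(normalise_host(hostname))
    return hosts


def match_indicator(host, indicator_hosts):
    """Return the indicator covering `host`, walking from the full name up
    through its parent domains so sub.listed.example matches listed.example,
    and stopping short of the bare TLD so nothing matches on ".example" alone."""
    labels = normalise_host(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicator_hosts:
            return candidate
    return None


def event_host(ev):
    """Pull the contacted host name out of a Packetbeat-style document."""
    if ev.get("type") == "dns":
        return ev["dns"]["question"]["name"]
    if "url" in ev:
        return urlparse(ev["url"]["full"]).hostname
    return ev.get("destination", {}).get("domain")


def detect_phishing_connections(events, indicators):
    """Correlate outbound DNS/HTTP/flow events against the indicator list."""
    indicator_hosts = build_indicator_set(indicators)
    alerts = []
    for ev in events:
        host = event_host(ev)
        if not host:
            continue
        hit = match_indicator(host, indicator_hosts)
        if hit:
            alerts.append({"source_host": ev["host"]["name"],
                           "contacted": normalise_host(host),
                           "indicator": hit})
    return alerts


if __name__ == "__main__":
    for alert in detect_phishing_connections(SAMPLE_EVENTS, PHISHING_INDICATORS):
        print(alert)
```

Three of the six constructed events are flagged: the subdomain of a listed domain, the HTTP request to the listed URL's host, and the mixed-case query with a trailing dot. The label-by-label walk is what keeps "notlogin-secure-update.example" from being reported, which a plain suffix comparison would get wrong.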
Overall Experience and Key Takeaways
This project was my first hands-on experience with a SIEM, and it significantly enhanced my understanding of cybersecurity operations. Here are some key takeaways:
- Importance of Log Collection: I learned that effective log collection from multiple sources (system logs, network logs, application logs) is the foundation of any SIEM implementation.
- Alert Configuration: I gained practical experience in configuring and tuning alerts to detect specific threats, which is critical for reducing false positives and ensuring timely incident response.
- Threat Simulation: Simulating real-world attacks in a controlled environment helped me understand the attacker’s perspective and the importance of proactive threat detection.
- Collaboration: Working in a team taught me the value of clear communication and division of tasks, especially in a complex project involving multiple tools and technologies.
Conclusion
Setting up the SIEM and simulating ransomware and phishing attacks were challenging but rewarding tasks. I now have a solid foundation in SIEM configuration, log analysis, and threat detection, which I can build upon in my future cybersecurity endeavours. This project not only enhanced my technical skills but also gave me a deeper appreciation for the role of SIEMs in modern cybersecurity operations.