School: Centennial College
Course: 101
Subject: Information Systems
Date: Apr 3, 2024
Pages: 2
SRT411: Digital Data Analysis Winter 2023 pg. 1
SRT411: Lab 07 (5%)
Automated Threat Hunting Using ELK Stack
Objective

In this lab, you will create an automated threat hunting system using the ELK stack.

What to do

To complete this lab, these objectives must be completed:
- Extract only the log events of interest from the Sysmon log.
- Hunt for new, sophisticated threats automatically using their dynamic behavior, by differentiating normal from abnormal events in the Sysmon log.
- Segment events into classes using a clustering process.
- Identify the outliers and report malicious events.
- Segment them, learn automatically, and predict further events.
- Visualize threat behavior dynamically.

Tasks

Task 0: Create a report
1. Create a Word document and write the details of your lab completion in it. This will serve as proof that the lab was satisfactorily completed.
2. Each heading should be a task (Task 1, Task 2, etc.), with screenshots and descriptions that prove the task was completed satisfactorily. Fill these headings out as you complete the lab.
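The clustering and outlier objectives listed under "What to do" are easiest to understand on a small export. The following is an added example, not code from the handout or from Elastic: it reads a CSV in the shape of the Sysmon/Winlogbeat export you hand in as a deliverable (the column names are an assumption), reduces each event to a few categorical features, and runs DBSCAN with a Hamming distance so that events which are similar to at least one other event form a class and events that resemble nothing else are reported as outliers. DBSCAN is one reasonable choice; the lab does not prescribe an algorithm.

```python
"""Segment Sysmon events into classes and report the ones that fit no class.

Added example for the clustering / outlier objectives of this lab; not part of
the handout. DBSCAN over a Hamming distance on categorical features is one
reasonable choice (the lab prescribes no algorithm), and the CSV columns are an
assumed layout for the Sysmon/Winlogbeat export you hand in as a deliverable.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (column names are assumptions). The last two rows
# stand for a dropped sample run from Downloads and a FileDelete (event 23)
# performed server-side for an SMB client, which Sysmon attributes to System.
SAMPLE_CSV = """timestamp,event_id,image,dest_port
2023-03-01T09:00:01,1,C:\\Windows\\explorer.exe,
2023-03-01T09:00:05,1,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,
2023-03-01T09:00:09,1,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,
2023-03-01T09:02:30,1,C:\\Windows\\explorer.exe,
2023-03-01T09:03:00,3,C:\\Program Files\\Mozilla Firefox\\firefox.exe,443
2023-03-01T09:03:04,3,C:\\Program Files\\Mozilla Firefox\\firefox.exe,443
2023-03-01T09:03:20,3,C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe,443
2023-03-01T09:04:00,11,C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE,
2023-03-01T09:05:45,1,C:\\Users\\victim\\Downloads\\fakeword.exe,
2023-03-01T09:06:10,23,System,
"""


def features(row):
    """Reduce one event to categorical features: (event id, image name, where the image lives, port)."""
    image = row["image"]
    low = image.lower()
    name = low.rsplit("\\", 1)[-1]
    if low.startswith("c:\\windows") or low == "system":
        location = "system"
    elif low.startswith("c:\\program files"):
        location = "program"
    elif low.startswith("c:\\users"):
        location = "user"
    else:
        location = "other"
    return (row["event_id"], name, location, row["dest_port"])


def hamming(a, b):
    """Number of features on which two events differ."""
    return sum(x != y for x, y in zip(a, b))


def dbscan(points, eps=1, min_pts=2):
    """DBSCAN with Hamming distance. Returns (labels, cluster count); label -1 is noise.

    min_pts counts the point itself, so min_pts=2 means 'at least one other event
    differing in no more than eps features'."""
    n = len(points)
    neighbours = [[j for j in range(n) if hamming(points[i], points[j]) <= eps] for i in range(n)]
    labels = [None] * n
    cluster = 0
    for i in range(n):
        if labels[i] is not None:
            continue
        if len(neighbours[i]) < min_pts:
            labels[i] = -1          # provisional noise; may become a border point later
            continue
        labels[i] = cluster
        queue = list(neighbours[i])
        while queue:
            j = queue.pop()
            if labels[j] == -1:
                labels[j] = cluster  # border point reached from a core point
            if labels[j] is not None:
                continue
            labels[j] = cluster
            if len(neighbours[j]) >= min_pts:
                queue.extend(neighbours[j])
        cluster += 1
    return labels, cluster


def analyse(csv_text, eps=1, min_pts=2):
    """Return ({cluster id: [rows]}, [outlier rows]) for a CSV export."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    labels, _ = dbscan([features(r) for r in rows], eps, min_pts)
    clusters, outliers = defaultdict(list), []
    for row, label in zip(rows, labels):
        (outliers if label == -1 else clusters[label]).append(row)
    return dict(clusters), outliers


if __name__ == "__main__":
    clusters, outliers = analyse(SAMPLE_CSV)
    for label, rows in clusters.items():
        print(f"class {label}: {len(rows)} events, e.g. event {rows[0]['event_id']} {rows[0]['image']}")
    for row in outliers:
        print(f"OUTLIER {row['timestamp']} event {row['event_id']} {row['image']}")
```

On the sample the ten events fall into three classes (explorer process starts, Office/Chrome activity, browser connections on 443) and two outliers: the executable started from a Downloads folder and the System-attributed file deletion. The features are deliberately coarse; adding the parent image, the user and the hour of day to the tuple is the natural next step once the export is large enough, and `eps`/`min_pts` should be tuned against a baseline of normal activity before the injected threats are replayed.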
Task 1: Building the Environment
- Client VM: Windows with Sysmon and Winlogbeat installed.
- Server VM: Windows Server 20xx with the ELK stack installed.
- Configure Sysmon to extract only suspicious events.
- Configure Winlogbeat to ship only suspicious events to the server.
- Attacker VM: Kali Linux machine.

Task 2: Inject Threats into the Client Machine & Stream Them to ELK
Threats can be known or unknown. For this step, we will inject the following three known threats into the client (Windows machine) using the attacker:
1. Remotely access files and folders on a shared drive on the victim's machine from the attacker and delete them.
2. Use remote registry access to create or delete entries in the victim's registry.
3. Use Nmap from Kali to scan the victim's machine for open ports and inject malware code into the machine through the vulnerable port. You can download a sample malware [fakeword.exe] from chapter 1 at https://www.malwaredatascience.com/code-and-data on your attacker and then inject it into the victim's machine.
4. Malware should be handled in a safe and isolated environment. Download malware only on your VM and never store it on your host machine. You should use malware files responsibly and delete them once you are done.
- Set detection rules in Elasticsearch to hunt threats automatically. Check the given paper for reference.
- Test your rules by injecting the threats and see whether they have been detected or not; when detected, analyze the details of the log recorded and the alerts raised by them.

Task 3: Report Writing
Write a report including the following:
- List the 2022 top ten threats and how they can be detected in a threat hunting system.
- Briefly define an autonomous threat hunting system and the minimum requirements to develop one.
- Compare attack-based versus data-based threat hunting. Pick the one you think is more beneficial than the other. Provide some examples or data to support your answer.
- Include all the visuals in your report along with explanations.
- Rules to classify different threats into categories like low, medium, and high risk.
- Explain the data collected, how the suspicious events are recorded and shown in the visuals, and how they are helpful in securing your system against future attacks.
- Any lessons learned and recommendations for future work.

Deliverables
- The written report in PDF format.
- The data collected by Sysmon and Winlogbeat in CSV format.

Reference Links
https://www.elastic.co/security/threat-hunting
https://www.techtarget.com/searchsecurity/feature/Elastic-Stack-Security-tutorial-How-to-create-detection-rules
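For Task 2 (detection rules for the three injected threats) and the Task 3 item on classifying hits as low, medium or high risk, the following added example shows the matching logic in plain Python so it can be checked offline against a handful of events before being rewritten as Kibana detection rules. It is not the lab's rule set and not Elastic's code. Events use Winlogbeat's `winlog.event_id` / `winlog.event_data.*` layout with Sysmon's field names (Image, TargetFilename, EventType, TargetObject, SourceIp, DestinationPort, Initiated); `SHARE_ROOT`, the scan threshold and window, and the sample events are assumptions. Two points the rules rely on are also assumptions worth verifying on your own VM: server-side SMB file operations show up in Sysmon with Image `System`, and Remote Registry runs inside `svchost.exe`. Sysmon event 3 only records connections that were actually established, so the scan rule sees only the ports that were open; the host firewall log is the better source for a full scan of mostly closed ports.

```python
"""Rule-based hunting over Sysmon events shipped by Winlogbeat, with a risk level per hit.

Added example for Task 2 and the Task 3 risk-classification item; not the lab's
own rules. Field layout follows Winlogbeat (winlog.event_id, winlog.event_data);
SHARE_ROOT, the scan threshold/window and all sample events are assumptions.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

SHARE_ROOT = "C:\\Shared\\"        # assumed local path of the folder shared to the network
SCAN_PORTS = 10                     # distinct inbound ports from one source that count as a scan
SCAN_WINDOW = timedelta(seconds=60)
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}


def event(ts, event_id, **data):
    """Build one event in the (simplified) shape Winlogbeat produces for Sysmon."""
    return {"@timestamp": ts, "winlog": {"event_id": event_id, "event_data": data}}


# Constructed sample stream: the three injected threats plus benign noise and one decoy.
SAMPLE_EVENTS = [
    event("2023-03-01T10:00:00", 1, Image="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"),
    event("2023-03-01T10:00:02", 3, Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe", Initiated="true",
          SourceIp="192.168.56.10", DestinationIp="93.184.216.34", DestinationPort="443"),
    # threat 1: file deleted on the shared folder by a remote SMB client (server-side, attributed to System)
    event("2023-03-01T10:01:10", 23, Image="System", TargetFilename="C:\\Shared\\budget.xlsx"),
    # threat 2: key removed through the Remote Registry service (hosted in svchost.exe)
    event("2023-03-01T10:02:05", 12, Image="C:\\Windows\\System32\\svchost.exe", EventType="DeleteKey",
          TargetObject="HKLM\\SOFTWARE\\Contoso\\Agent"),
    # decoy: a local admin creating a key in regedit must not trip the remote-registry rule
    event("2023-03-01T10:02:30", 12, Image="C:\\Windows\\regedit.exe", EventType="CreateKey",
          TargetObject="HKCU\\Software\\Test"),
    # threat 3a: one source reaching many (open) ports within seconds; Image is whatever listened
    *[event(f"2023-03-01T10:03:{i:02d}", 3, Image="System", Initiated="false", SourceIp="192.168.56.20",
            DestinationIp="192.168.56.10", DestinationPort=str(p))
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389])],
    # threat 3b: the dropped sample executed from the user's Downloads folder
    event("2023-03-01T10:04:00", 1, Image="C:\\Users\\victim\\Downloads\\fakeword.exe",
          ParentImage="C:\\Windows\\explorer.exe"),
]


def rule_share_delete(ev):
    """Sysmon 23/26 FileDelete under the shared folder, performed by the kernel on behalf of an SMB client."""
    d = ev["winlog"]["event_data"]
    if (ev["winlog"]["event_id"] in (23, 26) and d.get("Image") == "System"
            and d.get("TargetFilename", "").startswith(SHARE_ROOT)):
        return "high", f"{d['TargetFilename']} deleted via the network share"
    return None


def rule_remote_registry(ev):
    """Sysmon 12 CreateKey/DeleteKey issued by a service host, as Remote Registry does."""
    d = ev["winlog"]["event_data"]
    if (ev["winlog"]["event_id"] == 12 and d.get("EventType") in ("CreateKey", "DeleteKey")
            and d.get("Image", "").lower().endswith("\\svchost.exe")):
        return "medium", f"{d['EventType']} on {d['TargetObject']} by a service host"
    return None


def rule_downloads_exec(ev):
    """Sysmon 1 ProcessCreate for an image under a user's Downloads folder."""
    d = ev["winlog"]["event_data"]
    image = d.get("Image", "").lower()
    if ev["winlog"]["event_id"] == 1 and "\\users\\" in image and "\\downloads\\" in image:
        return "high", f"executable started from a Downloads folder: {d['Image']}"
    return None


PER_EVENT_RULES = {"share_file_delete": rule_share_delete,
                   "remote_registry_change": rule_remote_registry,
                   "downloads_execution": rule_downloads_exec}


def rule_port_scan(events):
    """Correlation rule: one source reaching >= SCAN_PORTS distinct ports inside SCAN_WINDOW."""
    by_src = defaultdict(list)
    for ev in events:
        d = ev["winlog"]["event_data"]
        if ev["winlog"]["event_id"] == 3 and d.get("Initiated") == "false":
            by_src[d["SourceIp"]].append((datetime.fromisoformat(ev["@timestamp"]), d["DestinationPort"]))
    hits = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            ports = {p for t, p in conns[i:] if t - t0 <= SCAN_WINDOW}
            if len(ports) >= SCAN_PORTS:
                hits.append({"rule": "inbound_port_scan", "risk": "medium", "time": t0.isoformat(),
                             "detail": f"{src} reached {len(ports)} ports within {SCAN_WINDOW.seconds}s"})
                break  # one alert per source is enough
    return hits


def hunt(events):
    """Apply every rule and return the alerts in time order."""
    alerts = []
    for ev in events:
        for name, rule in PER_EVENT_RULES.items():
            hit = rule(ev)
            if hit:
                alerts.append({"rule": name, "risk": hit[0], "time": ev["@timestamp"], "detail": hit[1]})
    alerts.extend(rule_port_scan(events))
    return sorted(alerts, key=lambda a: a["time"])


def overall_risk(alerts):
    """Highest risk level among the alerts, 'low' when there are none."""
    return max((a["risk"] for a in alerts), key=RISK_ORDER.__getitem__, default="low")


if __name__ == "__main__":
    found = hunt(SAMPLE_EVENTS)
    for alert in found:
        print(json.dumps(alert))
    print("overall risk:", overall_risk(found))
```

Run against the sample, the three injected threats produce four alerts (the share deletion and the Downloads execution as high, the registry change and the scan as medium) while the benign Word start, the outbound Firefox connection and the local regedit decoy stay quiet. Each per-event rule maps directly onto a KQL filter on `winlog.event_id` and `winlog.event_data.*`; the scan rule is the one that needs a threshold rule (group by source IP, cardinality of destination port) rather than a plain query.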