59 research outputs found

    Cyber Threat Intelligence from Honeypot Data using Elasticsearch

    Cyber attacks are increasing in every aspect of daily life. There are a number of different technologies available to tackle cyber attacks, such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), firewalls, switches and routers, which are active round the clock. These systems generate alerts and prevent cyber attacks. This is not a straightforward solution, however, as IDSs generate a huge volume of alerts that may or may not be accurate, potentially resulting in a large number of false positives. In most cases, therefore, these alerts are too many in number to handle. In addition, it is impossible to prevent cyber attacks simply by using tools. Instead, greater intelligence is required in order to fully understand an adversary's motive by analysing various types of Indicator of Compromise (IoC). It is also important for IT employees to have enough knowledge to identify true positive attacks and act according to the incident response process. In this paper, we propose a new threat intelligence technique, which is evaluated by analysing honeypot log data to identify the behaviour of attackers and find attack patterns. To achieve this goal, we deployed a honeypot on the AWS cloud to collect cyber incident log data. The log data is analysed using Elasticsearch technology, namely an ELK (Elasticsearch, Logstash and Kibana) stack.

    Deception Honeypots : Deep Intelligence

    In a world where the Internet is a key element for the development of any company that wants to grow and establish itself in the global economic market, the security of the company's computer systems becomes a pressing need. The constant evolution of technology provides an environment where the methods used to attack computer systems evolve even faster than the technologies themselves, creating a state where it is practically impossible to guarantee the integrity and complete security of those systems. Most current security methods and policies act only as prevention or detection solutions. Therefore, in this paper we implement high-interaction honeypots, which introduce a proactive factor into our security by attracting attackers into a controlled environment where we can learn their methods and use that information to protect the real systems. This paper proposes the development of a high-interaction honeypot and its implementation in a network similar to the production environment of a company, in order to deceive potential attackers.

    Towards Identifying Human Actions, Intent, and Severity of APT Attacks Applying Deception Techniques -- An Experiment

    Attacks by Advanced Persistent Threats (APTs) have been shown to be difficult to detect using traditional signature- and anomaly-based intrusion detection approaches. Deception techniques such as decoy objects, often called honey items, may be deployed for intrusion detection and attack analysis, providing an alternative way to detect APT behaviours. This work explores the use of honey items to classify intrusion interactions, differentiating automated attacks from those that need some human reasoning and interaction, as a step towards APT detection. Multiple decoy items are deployed on honeypots in a virtual honey network, some as breadcrumbs to detect indications of a structured manual attack. Monitoring functionality was built around the Elastic Stack, with a Kibana dashboard created to display interactions with the various honey items. APT-style manual intrusions are simulated by an experienced pentesting practitioner carrying out simulated attacks. Interactions with honey items are evaluated in order to determine their suitability for discriminating between automated tools and direct human intervention. The results show that it is possible to differentiate automated attacks from manual structured attacks from the nature of the interactions with the honey items. The use of honey items found within the honeypot, such as those reached in later parts of a structured attack, has been shown to be successful in classifying manual attacks, as well as in providing an indication of the severity of the attack.

    Predication Attacks Based on Intelligent Honeypot Technique

    This research presents a model for intrusion detection that combines honeypots with machine learning techniques. Recent years have seen an uptick in the number of security initiatives implemented by every type of business. This requires anticipatory analysis of a potential attack in order to achieve the desired result. Honeypots are one of the instruments used to observe malicious actors in action. A honeypot is a type of network system used to detect intrusions into computer networks by observing and analysing the actions of potential intruders in a controlled, but vulnerable, setting. Improved outcomes in terms of true positives and false positives are also presented thanks to the use of a Decision Tree (DT). Both the overall accuracy in detecting attacks and the false alarm rate are improved by the proposed honeypot and machine learning based model.

    Encountering social engineering activities with a novel honeypot mechanism

    Communication and the conduct of business have gradually shifted to being performed through information and communication technology (ICT). While computer network security challenges have become increasingly significant, the world is facing a new era of crimes that can be conducted easily, quickly and, above all, anonymously. Because system penetration depends primarily on human psychology and awareness, 80% of network cyberattacks use some form of social engineering tactic to deceive the target, putting systems at risk regardless of the robustness of the security system. This study highlights the significance of technological solutions in making users safer and more secure. This paper proposes a novel approach to detecting and preventing social engineering attacks, combining multiple security systems and utilizing the concept of honeypots to provide an automated prevention mechanism employing artificial intelligence (AI). This study aims to merge AI and honeypots with an intrusion prevention system (IPS) to detect social engineering attacks, deter the attacker and restrict their session, keeping users away from these manipulation tactics.

    HuntGPT: Integrating Machine Learning-Based Anomaly Detection and Explainable AI with Large Language Models (LLMs)

    Machine learning (ML) is crucial in network anomaly detection for proactive threat hunting, reducing detection and response times significantly. However, challenges in model training and maintenance, and frequent false positives, affect its acceptance and reliability. Explainable AI (XAI) attempts to mitigate these issues, allowing cybersecurity teams to assess AI-generated alerts with confidence, but has seen limited acceptance from incident responders. Large Language Models (LLMs) present a solution through discerning patterns in extensive information and adapting to different functional requirements. We present HuntGPT, a specialized intrusion detection dashboard that applies a Random Forest classifier trained on the KDD99 dataset, integrates XAI frameworks such as SHAP and LIME for user-friendly and intuitive model interaction, and, combined with GPT-3.5 Turbo, delivers threats in an understandable format. The paper delves into the system's architecture, components and technical accuracy, assessed through Certified Information Security Manager (CISM) practice exams, evaluating response quality across six metrics. The results demonstrate that conversational agents supported by an LLM and integrated with XAI provide robust, explainable and actionable AI solutions in intrusion detection, enhancing user understanding and the interactive experience.

    Enhancing Anomaly Detection Techniques for Emerging Threats

    Despite the Internet being an apex of human achievement for many years, criminal behaviour and malicious activity continue to propagate at an alarming rate. This juxtaposition can be loosely attributed to the myriad of vulnerabilities identified in existing software. Cyber criminals leverage innovative infection and exploitation techniques to author pervasive malware and propagate devastating attacks. These malicious actors are motivated by the financial or political gain achieved upon successful infiltration of computer systems, as the resources held within are often very valuable. With the widespread development of the Internet of Things (IoT), 5G and Starlink satellites, unserved areas of the world will experience a pervasive expansion of devices connected to the Internet. Consequently, a barrage of potential new attack vectors and victims is unfolding, which requires constant monitoring in order to manage this ever-growing problem. Conventional rule-based intrusion detection mechanisms used by network management solutions rely on pre-defined attack signatures and hence are unable to identify new attacks. In parallel, anomaly detection solutions tend to suffer from high false positive rates due to the limited statistical validation of the ground truth data used for profiling normal network behaviour. When considering the explosive threat landscape and the expanse of connected devices, current security solutions also face challenges relating to the scale at which attacks need to be monitored and detected. However, recent innovations in Big Data processing have revealed a promising avenue in which scale is addressed through cluster computing and parallel processing. This thesis advances beyond current solutions and leverages the coupling of anomaly detection and Cyber Threat Intelligence (CTI) with parallel processing for the profiling and detection of emerging cyber attacks. This is demonstrated through the design, implementation and evaluation of Citrus, a novel intrusion detection framework that is adept at tackling emerging threats through the collection and labelling of live attack data, utilising diverse Internet vantage points in order to detect and classify malicious behaviour using graph-based metrics as well as a range of Machine Learning (ML) algorithms. This research provides innovative contributions to the cyber security field, including the public release of an open flow-based intrusion detection data set. This data set encompasses emerging attack patterns and is supported by a robust ground truth. Furthermore, Citrus advances the current state of the art through a novel ground truth development method. Citrus also enables both near real-time and offline detection of emerging cyber attacks at optimal computational cost. These properties demonstrate that it is a viable and practical solution for next-generation network defence and resilience strategies.

    Development of the MISP tool for cyber threat intelligence

    MISP (Malware Information Sharing Platform) is an open-source threat intelligence platform for sharing, storing and correlating Indicators of Compromise (IOCs) from targeted attacks and vulnerability information. It serves not only to store, share and collaborate on malware analysis, but also to use the information from those indicators to detect and prevent future attacks, fraud or threats against ICT infrastructures, organizations or individuals. During a cybersecurity incident, IOCs are clues and evidence of a data breach. These digital footprints can reveal not only that an attack has occurred, but often which tools were used in the attack and who is behind them. Because it is open source, it allows us to integrate, program, create rules and review connections in order to prevent such attacks; to do so, one of the main interests in this platform is obtaining and sharing IOCs.

    Anomaly Detection Analysis with Graph-Based Cyber Threat Hunting Scheme

    As advanced persistent threats become more prevalent and cyber attacks become more severe, cyber defense analysts will be required to exert greater effort to protect their systems. A continuous defense mechanism is needed to ensure that no incidents occur in the system, one of which is cyber threat hunting. To demonstrate the importance of cyber threat hunting, this research simulated a cyber attack that successfully entered the system but was not detected by the IDS device, even though it had relatively up-to-date rules. Based on the simulation result, this research designed a data correlation model implemented as a graph visualization with on-demand enrichment features, to help analysts conduct cyber threat hunting with graph visualization and detect cyber attacks. The data correlation model developed in this research can close this gap and increase the detection rate from the original 0% (undetected by the IDS) to more than 45%, and can even be assessed as 100% detected based on the anomaly pattern that was successfully found.