
    Autonomous Incident Response

    Master's project report, Information Security, 2022, Universidade de Lisboa, Faculdade de Ciências.

    Information security is a must-have for any organization that wants to stay relevant and grow; it is a business enabler from both a regulatory and a reputational perspective. Having the people, processes and technology to resolve the ever-growing number of security incidents as fast as possible and with the least impact is a challenge for small and large companies alike. To address it, companies have started investing in Security Orchestration, Automation, and Response (SOAR) [39, 68, 70]. Security orchestration is the planning, integration, cooperation and coordination of the activities of security tools and experts to produce and automate the actions required in response to a security incident across multiple technology paradigms [40]. In other words, SOAR translates the manual procedures followed by security analysts into automated actions, making the process faster and more scalable while saving on staffing budget. This project proposes a low-cost, cloud-native SOAR platform built on serverless computing and presents the details of its design. The proposed solution was evaluated on 364 real-world incidents spanning 11 use cases in a large multinational enterprise. The results show that it reduces task duration by an average of 98.81% at an operating expense of under $65/month. Before the SOAR, the analyst spent 75.84 hours on the manual tasks for the 11 use cases, and an estimated further 450 hours of analyst time would have been needed to run the "Update threat intelligence database" use case. With the SOAR, the same tasks ran automatically in 31.2 minutes, and the "Update threat intelligence database" use case ran 9,000 times in 5.3 hours.

    A System for Event Correlation and Cybersecurity Incident Management at Critical Infrastructure Facilities

    Modern information infrastructure consists of a large number of systems and components that require constant monitoring and control. To identify, analyse and eliminate possible cyber threats, a single shared solution is recommended: a SIEM system. A SIEM collects event log data, detects unusual activity through real-time analysis, identifies threats, generates alerts and proposes response scenarios. The number and quality of SIEM systems have grown significantly, and artificial intelligence, Internet of Things and cloud technologies are now used to detect threats quickly and effectively. This work studies modern SIEM systems, their functionality and basic principles of operation, and gives a comparative analysis of their capabilities and differences and of the advantages and disadvantages of using them. In addition, a general-purpose system for event correlation and cybersecurity incident management at critical infrastructure facilities was developed and evaluated experimentally. Models of a hybrid security data store were developed that let the indexing service reach external data stores, scale as data volume grows and keep search fast. Models, methods and algorithms for a distributed data bus were developed that provide high-throughput processing of large information flows, minimal processing delay, high fault tolerance, and flexible, extensible storage. The proposed system addresses a number of current cybersecurity problems and meets the main requirements of international standards and global best practice for building cyber incident management systems.
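The correlation engine the abstract describes is not shown on this page. As an added example (not the paper's code), the rule below is the kind of windowed correlation a SIEM runs over normalised authentication events: at least five failed logins from one source within 60 seconds followed by a success from the same source raises a single alert. The events, addresses and field names are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not taken from the paper): authentication records as
# a SIEM would hold them after normalisation. One source tries several accounts,
# fails five times and then succeeds; a second source is a single typo.
EVENTS = [
    {"ts": "2024-03-01T10:00:00", "src_ip": "203.0.113.7", "user": "alice", "action": "auth_fail"},
    {"ts": "2024-03-01T10:00:02", "src_ip": "198.51.100.9", "user": "dave", "action": "auth_fail"},
    {"ts": "2024-03-01T10:00:05", "src_ip": "203.0.113.7", "user": "alice", "action": "auth_fail"},
    {"ts": "2024-03-01T10:00:10", "src_ip": "203.0.113.7", "user": "bob", "action": "auth_fail"},
    {"ts": "2024-03-01T10:00:15", "src_ip": "203.0.113.7", "user": "carol", "action": "auth_fail"},
    {"ts": "2024-03-01T10:00:20", "src_ip": "203.0.113.7", "user": "alice", "action": "auth_fail"},
    {"ts": "2024-03-01T10:00:25", "src_ip": "203.0.113.7", "user": "alice", "action": "auth_success"},
    {"ts": "2024-03-01T10:00:30", "src_ip": "198.51.100.9", "user": "dave", "action": "auth_success"},
    # A later success from the attacker's address: the earlier failures are long
    # outside the window (and were consumed by the first alert), so no alert.
    {"ts": "2024-03-01T11:30:00", "src_ip": "203.0.113.7", "user": "alice", "action": "auth_success"},
]


def correlate(events, threshold=5, window=timedelta(seconds=60)):
    """Rule: at least `threshold` failed logins from one source inside `window`,
    followed by a successful login from that source, raise exactly one alert."""
    failures = defaultdict(deque)  # src_ip -> deque of (timestamp, user) for recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        recent = failures[ev["src_ip"]]
        # Slide the window: forget failures older than `window`.
        while recent and now - recent[0][0] > window:
            recent.popleft()
        if ev["action"] == "auth_fail":
            recent.append((now, ev["user"]))
        elif ev["action"] == "auth_success" and len(recent) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures": len(recent),
                "distinct_users": len({u for _, u in recent}),
                "first_failure": recent[0][0].isoformat(),
                "success_at": now.isoformat(),
            })
            recent.clear()  # one incident, one alert; start counting afresh
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The `distinct_users` field is what separates a password spray from one user mistyping a password; in a real deployment the threshold and window come from a rule definition, and the same deque-per-key structure works for any "N of X then Y" rule keyed on source, user or host.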

    Modern SIEM Analysis and Critical Requirements Definition in the Context of Information Warfare

    Today, Security Information and Event Management (SIEM) systems are used to prevent information loss in computer systems and networks. There are many approaches to building a SIEM. This paper analyses existing SIEMs and their characteristics against international standards and specifications, and gives a comparative description of their capabilities, differences, advantages and disadvantages. The results will be used in a research project on developing an open-source SIEM and deploying it in critical infrastructure to raise the level of cybersecurity in the context of information warfare and cyber threats.

    IoT oriented SIEM tools

    Nowadays, most devices can connect and exchange data. IoT devices are one example: technological devices that, with a high degree of automation, communicate information gathered from their environment over networks. New IoT devices and increasingly reliable and fast wireless networks make it easy to collect large amounts of accurate data. The introduction of these technologies has created new vulnerabilities in complex systems and makes them easier for an attacker to breach. Attackers target these devices because they are built from minimal hardware and generally lack important protections; their goals include capturing data, causing malfunctions and stealing sensitive and personal information. To protect against and limit the actions of attackers, new software has been developed to neutralise or reduce vulnerabilities in a complex system. SIEM, the category of software analysed in this thesis, is one example. SIEMs analyse real-time data and logs to understand the state of the system, keep a history of the information the system collects, index the data for efficient and fast analysis, and visualise the collected data in a user-friendly way. The introduction of artificial intelligence has made these tools more precise, allowing thresholds that raise alerts in critical situations to be created automatically. Such tools may also analyse the environment autonomously, identify vulnerabilities in the system and respond to certain situations on their own. This thesis combines SIEM and IoT to evaluate how effective the tool is at protecting a complex system that includes IoT devices. Greenhouse sensors are simulated, communicating their data over the MQTT protocol; DoS attacks are run against the system and the network status is collected by the SIEM, which gives security teams user-friendly visualisations for analysing and evaluating the state of the system. The conclusion is that combining IoT devices with a SIEM is effective and easy to implement, thanks in part to the MQTT data protocol. It gives end users a tool to detect and resolve vulnerabilities in a complex system relating to security, authentication and authorisation, and to evaluate the information collected by the sensors. Because of its low implementation cost and easy, intuitive deployment, the combination is also within reach of end users without large budgets and in any field, making it a tool accessible to anyone.
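The thesis monitors MQTT traffic from simulated greenhouse sensors and points at authentication and authorisation as the weak spots. As an added example (not the thesis' code), the block below builds and parses MQTT 3.1.1 CONNECT packets and applies the checks a broker-side monitor or SIEM parser could run on them: anonymous connections, a password without a username, an empty client id without clean session, and a disabled keepalive. The client ids and credentials are constructed for the example, not captured from the thesis setup.

```python
import struct

# MQTT 3.1.1 CONNECT packet builder, parser and policy audit. All packets below
# are constructed for this example; they are not captures from the thesis' greenhouse.


def _string(s):
    """MQTT UTF-8 string (or binary field): 2-byte big-endian length, then the bytes."""
    data = s.encode("utf-8") if isinstance(s, str) else bytes(s)
    return struct.pack(">H", len(data)) + data


def _remaining_length(n):
    """Variable-length encoding: 7 bits per byte, high bit set means 'more follows'."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))
        if not n:
            return bytes(out)


def build_connect(client_id, username=None, password=None, keepalive=60,
                  clean_session=True, reserved_bit=0):
    """Fixed header 0x10, remaining length, protocol name/level, connect flags,
    keepalive, then client id and (if flagged) username and password."""
    flags = ((0x80 if username is not None else 0) | (0x40 if password is not None else 0)
             | (0x02 if clean_session else 0) | (reserved_bit & 0x01))
    body = _string("MQTT") + bytes([4, flags]) + struct.pack(">H", keepalive) + _string(client_id)
    if username is not None:
        body += _string(username)
    if password is not None:
        body += _string(password)
    return bytes([0x10]) + _remaining_length(len(body)) + body


def parse_connect(pkt):
    if pkt[0] != 0x10:  # packet type 1 with all flag bits zero
        raise ValueError("not a CONNECT packet")
    pos, multiplier, remaining = 1, 1, 0
    while True:  # decode the variable-length remaining length field
        byte = pkt[pos]
        pos += 1
        remaining += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            break
        multiplier *= 128
        if multiplier > 128 ** 3:
            raise ValueError("malformed remaining length")
    body = pkt[pos:pos + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")

    cursor = 0

    def read_bytes():
        nonlocal cursor
        if cursor + 2 > len(body):
            raise ValueError("truncated field")
        (n,) = struct.unpack_from(">H", body, cursor)
        cursor += 2
        chunk = body[cursor:cursor + n]
        cursor += n
        if len(chunk) != n:
            raise ValueError("truncated field")
        return chunk

    if read_bytes() != b"MQTT":
        raise ValueError("unexpected protocol name")
    if cursor + 4 > len(body):
        raise ValueError("truncated variable header")
    level, flags = body[cursor], body[cursor + 1]
    cursor += 2
    if flags & 0x01:  # reserved bit: the spec requires the broker to disconnect
        raise ValueError("reserved connect flag set; broker must close the connection")
    (keepalive,) = struct.unpack_from(">H", body, cursor)
    cursor += 2
    info = {"protocol_level": level, "keepalive": keepalive,
            "clean_session": bool(flags & 0x02), "client_id": read_bytes().decode("utf-8"),
            "will": None, "username": None, "password": None}
    if flags & 0x04:  # Will flag: will topic and will message precede the credentials
        info["will"] = (read_bytes().decode("utf-8"), read_bytes())
    if flags & 0x80:
        info["username"] = read_bytes().decode("utf-8")
    if flags & 0x40:
        info["password"] = read_bytes()  # binary per spec, so left as bytes
    return info


def audit_connect(pkt):
    """Policy checks on one CONNECT packet; returns a list of finding names."""
    info = parse_connect(pkt)
    findings = []
    if info["username"] is None:
        findings.append("anonymous_connect")
    if info["password"] is not None and info["username"] is None:
        findings.append("password_without_username")  # forbidden by the spec
    if info["client_id"] == "" and not info["clean_session"]:
        findings.append("empty_client_id_without_clean_session")  # forbidden by the spec
    if info["keepalive"] == 0:
        findings.append("keepalive_disabled")  # a dead sensor is never timed out
    return findings


if __name__ == "__main__":
    print(audit_connect(build_connect("greenhouse-01", "sensor", "s3cret")))
    print(audit_connect(build_connect("sensor-02")))
```

Feeding the findings into the SIEM as events alongside the broker's connection logs gives the DoS view the thesis describes a per-client context: a flood of anonymous CONNECTs with empty client ids looks very different from a fleet of authenticated sensors reconnecting after a network blip.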

    Development of Incident Response Playbooks and Runbooks for Amazon Web Services Ransomware Scenarios

    In today's digital landscape, enterprises face a myriad of cybersecurity challenges that put their critical digital assets at risk. Cyber threats have evolved along with the spread of cloud technologies that drive organisations towards platforms such as AWS for their convenience, cost reduction and reliability. The transition introduces new security risks, because threat actors are motivated to craft and deploy malware that explicitly targets the cloud. Ransomware, which encrypts data and demands payment (usually in tokens that are hard to trace) for the decryption key, remained one of the most impactful and dangerous threats in 2023. The confidentiality, integrity and availability of cloud assets are perpetually exposed, and unprepared businesses hit by ransomware sometimes cannot find a way out. Beyond financial loss and operational disruption, the breach of sensitive information compromises trust and causes reputational damage that is hard to repair. Organisations are urged to develop robust defensive strategies to identify, contain and recover from ransomware and other exploitation of cloud threats, and traditional approaches must be reshaped quickly to manage emerging menaces; specialised, well-structured incident response plans therefore need to become the bedrock of the security strategy. This thesis examines the design and implementation of accurate incident response playbooks and runbooks for handling ransomware, especially within Amazon Web Services (AWS). The research is tied to a real-world context: it results from a six-month internship at Bynder, a leading digital asset management company, and culminated in step-by-step procedures for ransomware incidents in cloud infrastructure that improve communication and coordination during high-pressure situations.
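The thesis' playbooks and runbooks themselves are not on this page. As an added example (not Bynder's or the thesis' procedures), the block below encodes one containment runbook step for an EC2 instance suspected of running ransomware as code: isolate with a deny-all security group, snapshot the attached EBS volumes for forensics, then tag the instance and snapshots. It runs offline against a stand-in client whose method names and keyword arguments mirror boto3's EC2 client (`modify_instance_attribute`, `describe_instances`, `create_snapshot`, `create_tags`); the security group id, instance id, volume ids and incident id are made up.

```python
from datetime import datetime, timezone

# Assumed: a pre-created security group with no inbound or outbound rules, kept
# ready in every VPC for quarantine. The id is constructed for this example.
ISOLATION_SG = "sg-0isolation000000000"


class FakeEC2:
    """Offline stand-in for a boto3 EC2 client. Method names and keyword
    arguments mirror the real client, so contain_instance() below runs unchanged
    against boto3.client("ec2")."""

    def __init__(self, volumes_by_instance):
        self.volumes = volumes_by_instance   # instance id -> [volume ids]
        self.calls = []                      # ordered record of API calls made
        self.groups = {}
        self.tags = {}

    def describe_instances(self, InstanceIds):
        self.calls.append(("describe_instances", tuple(InstanceIds)))
        instances = [{
            "InstanceId": i,
            "BlockDeviceMappings": [{"Ebs": {"VolumeId": v}} for v in self.volumes[i]],
        } for i in InstanceIds]
        return {"Reservations": [{"Instances": instances}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId))
        self.groups[InstanceId] = list(Groups)
        return {}

    def create_snapshot(self, VolumeId, Description):
        self.calls.append(("create_snapshot", VolumeId))
        return {"SnapshotId": "snap-" + VolumeId[4:]}

    def create_tags(self, Resources, Tags):
        self.calls.append(("create_tags", tuple(Resources)))
        for r in Resources:
            self.tags.setdefault(r, {}).update({t["Key"]: t["Value"] for t in Tags})
        return {}


def contain_instance(ec2, instance_id, incident_id, isolation_sg=ISOLATION_SG):
    """Containment runbook for one EC2 instance. Order matters: isolate first so
    encryption of shared storage and C2 traffic stop now; snapshot second so the
    forensic image is taken before anyone logs in; tag last so lifecycle
    automation and other responders know the state of these resources."""
    timeline = []

    def record(step, **detail):
        timeline.append({"ts": datetime.now(timezone.utc).isoformat(), "step": step, **detail})

    # 1. Isolate: replace every security group with the deny-all quarantine group.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[isolation_sg])
    record("isolate", groups=[isolation_sg])

    # 2. Preserve evidence: snapshot every attached EBS volume.
    instance = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    snapshots = []
    for mapping in instance.get("BlockDeviceMappings", []):
        volume_id = mapping["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(VolumeId=volume_id, Description=f"{incident_id} evidence {volume_id}")
        snapshots.append(snap["SnapshotId"])
    record("snapshot", snapshots=snapshots)

    # 3. Label instance and snapshots for the case file and so cleanup jobs leave them alone.
    resources = [instance_id, *snapshots]
    ec2.create_tags(Resources=resources, Tags=[
        {"Key": "IncidentId", "Value": incident_id},
        {"Key": "Status", "Value": "quarantined"},
    ])
    record("tag", resources=resources)
    return timeline


def run_example():
    """Runs the runbook against the fake client: one instance, two volumes (constructed ids)."""
    ec2 = FakeEC2({"i-0abc123def456789a": ["vol-0aaa111", "vol-0bbb222"]})
    timeline = contain_instance(ec2, "i-0abc123def456789a", "IR-2024-0001")
    return ec2, timeline


if __name__ == "__main__":
    _, timeline = run_example()
    for entry in timeline:
        print(entry)
```

The returned timeline is the artefact the playbook's communication steps need: who did what, when, to which resources. Against a real account the quarantine group must live in the instance's VPC, the caller needs only `ec2:ModifyInstanceAttribute`, `ec2:DescribeInstances`, `ec2:CreateSnapshot` and `ec2:CreateTags`, and the runbook should be rehearsed against the fake client exactly as here before it is ever pointed at production.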

    Security Enhancement Deploying SIEM in a Small ISP Environment

    This master's thesis focuses on improving security in a small ISP environment by deploying a SIEM system in the company. The available systems are compared and evaluated against the commissioning company's requirements. The deployment of the selected SIEM system is proposed, implemented and evaluated in accordance with the firm's unique characteristics.

    Monitoring Network Flows in Containerized Environments

    With the progressive move of digital services onto virtualised infrastructures and smart devices, inspecting network traffic has become more challenging than ever, because legacy cybersecurity tools are hard to run in new cloud models and computing paradigms. The main issues are i) portability of the service across heterogeneous public and private infrastructures, which usually lack hardware and software acceleration for efficient packet processing, and ii) the difficulty of integrating monolithic appliances into modular, agile containerised environments. In this chapter we investigate the use of the extended Berkeley Packet Filter (eBPF) for effective and efficient packet inspection in virtualised environments. Our preliminary implementation shows that we can match the performance of well-known packet inspection tools with far lower resource consumption, which motivates further work to extend the framework's capabilities and integrate it into Kubernetes.

    Real-time big data processing for anomaly detection : a survey

    The advent of connected devices and the omnipresence of the Internet have paved the way for intruders to attack networks, leading to cyber-attacks, financial loss, information theft in healthcare, and cyber war. Network security analytics has therefore become an important area of concern and has of late attracted intense attention among researchers, specifically in network anomaly detection, which is considered crucial for network security. However, preliminary investigations have revealed that the existing approaches to detecting anomalies in networks are not effective enough, particularly in real time. The main reason is the massive volume of data amassed through connected devices. It is therefore crucial to propose a framework that handles real-time big data processing effectively and detects anomalies in networks. This paper addresses the issue of detecting anomalies in real time by surveying the state-of-the-art real-time big data processing technologies related to anomaly detection and the vital characteristics of the associated machine learning algorithms. It begins by explaining the essential context and taxonomy of real-time big data processing, anomaly detection and machine learning algorithms, then reviews big data processing technologies, and finally discusses the research challenges identified for real-time big data processing in anomaly detection. © 2018 Elsevier Ltd.

    Office 365, Azure AD, and Exchange Online audit automation

    This document studies the update of Ackcent's Office 365, Exchange Online and Azure AD audit services. The work is divided into three main steps. The first is the migration of an email audit infrastructure to a serverless solution, with the aim of dynamically reviewing the configuration by sending emails carrying different threat indicators; the objective is an independent auditing platform with no dependencies on third-party infrastructure providers. The second is to upgrade a security control list with new checks that review the configuration in depth. Finally, the possibility of automating the control analysis with third-party tools and custom implementations is investigated. The second and third stages aim to improve the quality of the controls analysed during the audit and to reduce the time security architects spend performing one.
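The audit sends probe emails with threat indicators into the tenant and reviews how the configuration handled them. As an added example (not Ackcent's tooling), the block below does the review half for anti-spoofing: it reads the `Authentication-Results` and `X-Forefront-Antispam-Report` headers Exchange Online stamps on a delivered probe and flags a probe that failed DMARC yet was delivered with no action. The probe headers, domains and addresses are constructed for the example; the SCL threshold is an assumption about how the tenant's spam policy is tuned.

```python
import email
import re
from email import policy

# Constructed probe messages (not from the thesis): the headers Exchange Online
# stamps on a message, as they might appear in the audited mailbox.
PROBES = {
    # Probe A spoofs the tenant's own domain and was delivered with no action.
    "A-spoofed-own-domain": (
        "Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=example.com;"
        " dkim=none (message not signed) header.d=none;"
        " dmarc=fail action=none header.from=example.com\n"
        "X-Forefront-Antispam-Report: CIP:203.0.113.9;CTRY:XX;SCL:1;\n"
        "From: \"Finance Director\" <cfo@example.com>\n"
        "To: audit-target@example.com\n"
        "Subject: probe A\n\n"
        "Please process the attached invoice today.\n"
    ),
    # Probe B is the same spoof, but the tenant quarantined it.
    "B-spoofed-own-domain-quarantined": (
        "Authentication-Results: spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=example.com;"
        " dkim=none (message not signed) header.d=none;"
        " dmarc=fail action=quarantine header.from=example.com\n"
        "X-Forefront-Antispam-Report: CIP:203.0.113.9;CTRY:XX;SCL:6;\n"
        "From: \"Finance Director\" <cfo@example.com>\n"
        "To: audit-target@example.com\n"
        "Subject: probe B\n\n"
        "Please process the attached invoice today.\n"
    ),
    # Probe C is a legitimate baseline from an authenticated partner domain.
    "C-legitimate-baseline": (
        "Authentication-Results: spf=pass (sender IP is 198.51.100.20) smtp.mailfrom=partner.example;"
        " dkim=pass (signature was verified) header.d=partner.example;"
        " dmarc=pass action=none header.from=partner.example\n"
        "X-Forefront-Antispam-Report: CIP:198.51.100.20;CTRY:XX;SCL:1;\n"
        "From: ops@partner.example\n"
        "To: audit-target@example.com\n"
        "Subject: probe C\n\n"
        "Weekly report attached.\n"
    ),
}

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
ACTION_RE = re.compile(r"\bdmarc=\w+\s+action=(\w+)")
SCL_RE = re.compile(r"SCL:(-?\d+)")
SPAM_SCL = 5  # assumption: SCL at or above this is treated as spam by the tenant's policy


def parse_verdicts(raw):
    """Pull SPF/DKIM/DMARC results, the DMARC action and the SCL out of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = " ".join(msg.get_all("Authentication-Results", []))
    verdicts = dict(RESULT_RE.findall(auth))
    action = ACTION_RE.search(auth)
    scl = SCL_RE.search(msg.get("X-Forefront-Antispam-Report", ""))
    return {
        **verdicts,
        "action": action.group(1) if action else None,
        "scl": int(scl.group(1)) if scl else None,
    }


def audit_probe(raw):
    """Return (verdicts, findings) for one delivered probe."""
    v = parse_verdicts(raw)
    findings = []
    not_acted_on = v["action"] in (None, "none") and (v["scl"] is None or v["scl"] < SPAM_SCL)
    if v.get("dmarc") == "fail" and not_acted_on:
        findings.append("dmarc_fail_delivered")  # spoof reached the inbox: anti-spoof policy too lax
    if v.get("spf") in ("temperror", "permerror") or v.get("dkim") in ("temperror", "permerror"):
        findings.append("auth_error_inconclusive")  # re-send the probe before drawing conclusions
    return v, findings


def audit(probes):
    """Map probe name -> findings for a batch of delivered probes."""
    return {name: audit_probe(raw)[1] for name, raw in probes.items()}


if __name__ == "__main__":
    for name, findings in audit(PROBES).items():
        print(name, findings or "ok")
```

Each probe category maps to a control on the checklist (own-domain spoof, look-alike domain, display-name impersonation), so the audit output is a pass/fail per control rather than a pile of headers an architect has to read by hand.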