Title: Automated detection testing – to integrate automated attack simulation and triaging with the right event logs
Authors: CHU, KA SENG(朱家成)
Department: Department of Computer and Information Science
Faculty: Faculty of Science and Technology
Issue Date: Apr-2023
Citation: Chu, K. S. (2023). Automated detection testing – to integrate automated attack simulation and triaging with the right event logs (Outstanding Academic Papers by Students (OAPS)). Retrieved from University of Macau, Outstanding Academic Papers by Students Repository.
Abstract: Malicious attacks have grown in frequency and impact during this decade, since incidents have become more common and information freely available on the internet makes them easier to carry out. More investigation and evaluation are needed on both the Red and Blue team sides of cybersecurity, that is, on both the offensive and the defensive aspects. As governments pass cybersecurity legislation, companies must pay more attention to it than before. This project aims to detect suspicious activity automatically from system logs and to check the relationships between the detected events. The first component is an automated attack simulation against target hosts; the attacks are taken from Atomic Red Team, which is built on MITRE ATT&CK. We use the Wazuh platform, a security monitoring product that gathers system logs from different locations and supports custom detection rules that trigger alerts on suspicious events, to collect the system logs of the client hosts, analyze them, and show them in a dashboard. The project therefore has two primary parts: the first is a program that, after the Wazuh rules have been built, automatically simulates attacks on the target host and shows the results in a user interface; the second is a visualization of the event logs as a graph that finds the relationships between events, helps analysts check the actual cyber attack chains, and lets them customize the rules to capture the attack chains they want to investigate. We created over a hundred Wazuh detection rules that trigger on suspicious attack events and feed alerts to both tools. The automated attack and detection program is written in Python; it uses a Python socket to connect to the backdoor agent on the target hosts, sends the attack commands, and executes them on the hosts to achieve the automated attack simulation, then uses the Elasticsearch API to connect to the Wazuh database and fetch the alerts to achieve the automated detection.
The web application for visualizing the event logs and their correlation uses HTML, CSS, and JavaScript on the front end and Python Django on the back end to create the correlation graphs. Because of the project's scope, Windows and macOS are not included: we design attack instances and detection rules only for Linux hosts. Finally, our applications will be used by PwC to help them with their daily work.
Instructor: Prof. Yibo Bob ZHANG
Programme: Bachelor of Science in Computer Science
Appears in Collections:FST OAPS 2023
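The abstract describes a loop of simulating an Atomic Red Team test on a host, querying the Wazuh alert index for the rules the test should have triggered, and linking the resulting alerts into an attack chain. The following Python is an added example that models that loop offline; it is not code from the thesis, from Wazuh or from Atomic Red Team. The alert documents, rule ids (1001xx range), agent names and time window are constructed for illustration, and the field names (rule.id, rule.mitre.id, agent.name, timestamp, index pattern wazuh-alerts-*) are assumed to match the Wazuh alert schema of the deployed version.

```python
"""Offline model of the detection-testing loop: simulate an Atomic test, query the
Wazuh alert index for the rules it should trigger, and link alerts into a chain.
Added example only; the alert documents below are constructed, not real Wazuh data."""
from datetime import datetime, timezone

# Constructed alerts shaped like _source documents from the wazuh-alerts-* index
# (assumed schema).  Rule ids in the 1001xx range are hypothetical custom rules.
SAMPLE_ALERTS = [
    {"timestamp": "2023-04-01T10:00:05.000+0000", "agent": {"name": "linux-target-1"},
     "rule": {"id": "100101", "level": 6, "description": "Bash executed from curl pipe",
              "mitre": {"id": ["T1059.004"]}}},
    {"timestamp": "2023-04-01T10:00:40.000+0000", "agent": {"name": "linux-target-1"},
     "rule": {"id": "100201", "level": 8, "description": "Shell history cleared",
              "mitre": {"id": ["T1070.003"]}}},
    {"timestamp": "2023-04-01T10:05:00.000+0000", "agent": {"name": "linux-target-1"},
     "rule": {"id": "100301", "level": 9, "description": "New cron entry written",
              "mitre": {"id": ["T1053.003"]}}},
    {"timestamp": "2023-04-01T10:01:00.000+0000", "agent": {"name": "linux-target-2"},
     "rule": {"id": "100201", "level": 8, "description": "Shell history cleared",
              "mitre": {"id": ["T1070.003"]}}},
]

# Time window around the simulated attack run (constructed).
START = datetime(2023, 4, 1, 10, 0, 0, tzinfo=timezone.utc)
END = datetime(2023, 4, 1, 10, 10, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the Wazuh alert timestamp format (ISO 8601 with a +HHMM offset)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def build_alert_query(agent_name, rule_ids, start, end):
    """Query DSL body the tester would POST to wazuh-alerts-*/_search after the
    attack command returns, restricted to the host and the run's time window."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"agent.name": agent_name}},
            {"terms": {"rule.id": sorted(rule_ids)}},
            {"range": {"timestamp": {"gte": start.isoformat(), "lte": end.isoformat()}}},
        ]}},
        "sort": [{"timestamp": "asc"}],
    }


def fetch_alerts(alerts, agent_name, start, end):
    """Local stand-in for running the query: filter by host and window, sort by time."""
    hits = [a for a in alerts
            if a["agent"]["name"] == agent_name and start <= parse_ts(a["timestamp"]) <= end]
    return sorted(hits, key=lambda a: parse_ts(a["timestamp"]))


def evaluate_detection(alerts, expected_rule_ids):
    """Detection result for one Atomic test: (rule ids that fired, rule ids that did not).
    A non-empty second element is a detection gap that needs triage."""
    fired = {a["rule"]["id"] for a in alerts}
    expected = set(expected_rule_ids)
    return sorted(fired & expected), sorted(expected - fired)


def build_attack_chains(alerts, window_seconds=120):
    """Group one host's time-ordered alerts into chains: an alert joins the current
    chain when it follows the previous alert within window_seconds, otherwise it
    starts a new chain.  Each node is (rule id, first MITRE technique id)."""
    chains, previous = [], None
    for alert in sorted(alerts, key=lambda a: parse_ts(a["timestamp"])):
        ts = parse_ts(alert["timestamp"])
        node = (alert["rule"]["id"], alert["rule"]["mitre"]["id"][0])
        if previous is None or (ts - previous).total_seconds() > window_seconds:
            chains.append([node])
        else:
            chains[-1].append(node)
        previous = ts
    return chains


if __name__ == "__main__":
    host_alerts = fetch_alerts(SAMPLE_ALERTS, "linux-target-1", START, END)
    print(build_alert_query("linux-target-1", ["100201"], START, END))
    print("T1070.003:", evaluate_detection(host_alerts, ["100201"]))
    print("T1053.003:", evaluate_detection(host_alerts, ["100301", "100302"]))
    print("chains:", build_attack_chains(host_alerts))
```

In a live deployment fetch_alerts would be replaced by sending build_alert_query to the Wazuh indexer; the time window should be taken from the moment the attack command was sent to the agent, so that an alert raised by an earlier run on the same host is not mistaken for a detection of the current one.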
