Automated detection testing – to integrate automated attack simulation and triaging with the right event logs

Abstract

In this decade, the concern and impact of malicious attacks is growing, since the occurrence of malicious incidents are more frequently happened and easier to operate. Many companies and organizations are putting more effort on protecting their assets in cyberspace, causing more investigation and analysis in the security field is needed, no matter in Red Team or Blue Team. The project aims to provide a solution to automate the detection of adversary activity, based on event logs and correlation between them. It is an enhancement on a traditional SIEM architecture to help security analysts work effectively and efficiently. The project provides a way to do automated attack simulation on selected machines, attack tests are referenced from Atomic Red Team, which is based on MITRE's ATT&CK framework. The platform we used to collect logs on the target machine for analysis and display in the dashboard is Wazuh, which is a security monitoring solution used to collect event logs and detect malicious activity, then trigger alerts of suspicious events based on default or custom detection rules written in Wazuh. Therefore, the project can be mainly separated into two sections, one is the program that does automated simulation and displays the triggered alerts, after the writing of the Wazuh detection rules. Another section is the visualization of the events in an interactive graph, which provides intelligence on detecting a real cyberattack by correlating event logs in the graph, while the application also provides a way for the user to specify the correlation rule to correlate the events as the user wants. There are more than one hundred Wazuh custom rules developed by us to trigger the attack simulation, these are all XML according to the Wazuh rule syntax. The auto attack and detection program would be written in Python, it is used to connect to the target machine by socket to do command execution of our attack, then connect to Wazuh by Elasticsearch API to collect the event logs or alerts. While the web application used to display the alerted event logs and correlation is written in HTML, CSS, and Javascript, and relies on GoJS to create the graph of correlation. Due to the scope of our project, our main focus on creating attack cases and detection rules would be only on Linux machines, so Windows or Mac machines are not included in our project. The employees in PwC will at last use our applications to assist them in daily tasks.