Module Code & Module Title: FC6P01NI Final Year Project Report
Assessment Weightage & Type: 50% Final Report
Year and Semester: 2018-19 Autumn
Threat Detection and Alert System
Author: Milann Shrestha, Islington College
All content following this page was uploaded by Milann Shrestha on 13 January 2020.
I would also like to thank my brother, Mr. Nishan Maharjan, for his real-world and impactful teaching, drawn from his experience in cybersecurity, and for helping me decide the topic for the Final Year Project. I would also like to thank Islington College for providing me with an opportunity to work on a project that enhanced my skills before facing the real world of Information Technology.
Abstract
Organizations of all sizes fight the same security battle while attackers keep changing the threat landscape by developing new tools and targeting new victim machines; their process and motives, however, have not changed. Traditionally, security measures were driven towards incident response. Threat hunting challenges that model by introducing a proactive, dynamic approach to cybersecurity. Nowadays a company typically deploys a SIEM to manage events from its log sources and to monitor them continuously. Using various log sources to analyse and discover attack patterns with supporting evidence is the general definition of threat detection from text logs. The main aim of the Threat Detection and Alert System is therefore to automate that process and simplify threat hunting by visualizing and alerting on discoveries. This project proposes and evaluates a Threat Detection System built on the Elasticsearch Stack, an enterprise-grade logging repository and search engine, as an active threat detection and visualization platform in a Linux environment.
This report describes the project's vision, the development process and the future plan for the project. The first chapter gives a brief introduction to threat hunting, the current scenario with a case study, how the project can stand out as a solution, and the aim and objectives of the proposed system. The next chapter covers the background, the analysis of the survey, a brief explanation of related projects, the methodology considered and the pre-development stages. Unit testing of the proposed functions of the system is demonstrated following the chosen methodology, DSDM. The project is then critically analysed, concluding with legal and ethical implications, limitations and further work.
Table of Contents (fragment)
Chapter 1: Introduction ... 1
2.3.4 Respond ... 13
8.8 Survey ... 65
IP: Internet Protocol
OS: Operating System
IR: Incident Response
Chapter 1: Introduction
1.1 Introduction to topic
In the NIST Cybersecurity Framework, "Detect" is the third of the five core functions (Identify, Protect, Detect, Respond, Recover). Threat detection from network traffic is a specific procedure for securing a system, and it is carried out by modern organizations that hold sensitive assets of value to the company. The network traffic is constantly monitored and analysed. Logs are pulled from different sources and then examined for possible threats. Security experts analyse the logs and correlate them with information obtained from multiple threat intelligence sources, deducing the patterns of a possible attack. This project aims to help network administrators in their threat detection process by automating the repetitive tasks and filtering out the avoidable information.
Emotet, a banking Trojan, was the successful child of a threat family that is considered a modular platform capable of delivering a variety of different attacks. Researchers found that the malware spread through financial institutions as a banking Trojan via common spam campaigns such as payment-themed emails (MalwarebytesLabs, 2019). The attachment was a macro-enabled document, or the payload was delivered as a malicious link or phishing domain. The threat actors were initially focused on stealing banking information: email addresses, passwords and other financial details of the institutions' customers. Since Emotet also serves as an entry point for other threats such as botnets and RATs, cryptomining and phishing, the actors behind it appear to operate as a distribution channel for other threat groups. As stated by US-CERT, Emotet infections have already cost affected organizations up to $1 million to remediate (Bontchev, 2017).
1 | Milan Shrestha
Threat Detection and Alert System
Investigators from the Cisco Cognitive Intelligence group prepared an analytical report on the top categories of security incidents faced by organizations from July 2018.
[Figure: Top security incident categories from July 2018 (chart; labels: Botnet & RATs, Phishing, Other)]
Botnets and RATs dominated, covering 58% of security incidents, including hazardous botnet threats and C&C families such as Andromeda and Xtrat. Cryptomining, an older threat that is still on the chart, came second with 30% of incidents. Although phishing and banking Trojans hold small shares, 9% and 2% respectively, both threats undoubtedly have an equally disastrous capability against any victim's network (efficientIP, 2018).
The year 2017 was recorded as a year of cyber-attacks, since attacks such as WannaCry and NotPetya raised awareness globally. Business groups have become more dedicated and focused on understanding and preventing the popular cyber threats used by threat actors and cybercriminals, many of which, statistically, are based on DNS queries. Because DNS is global, varied and dynamic, and was poorly covered by traditional security systems, DNS-based attacks are among the most effective and popular choices for cybercriminals. The Cisco 2016 Security Report concluded that 91% of malware uses DNS, for DoS amplification or for communication with C&C servers. There has been serious business impact from malicious DNS queries (Cisco, 2019). In 2017, around $1 trillion of losses were registered from cyber-attacks involving DNS-based malware. Research from 2018 shows that the average cost of damage caused by DNS-based cyber-attacks increased by 57% compared with the 2017 results.
[Figure: Incident counts for Social Engineering and Malware Distribution (bar chart; y-axis 0 to 200)]
Social engineering, the exploitation of humans rather than technology, has also been a major technique for provoking victims into handing over their information unknowingly. When the threat actor uses web services for this exploitation, it is considered a phishing attack. It is a popular method among cybercriminals targeting well-known financial institutions, e-commerce sites, social media and government. OneDrive, Microsoft Office 365, Facebook and Amazon are the most phished brands, since they are the most commonly used by general users and offer scope for fraud (Zscaler ThreatLabZ, 2019). According to the PhishLabs 2018 report, over 1.3 million malicious phishing sites were found in 2017, across nearly 300,000 unique domains. In its 2018 annual threat report, ThreatNix found that cyberspace in Nepal is dominated by human exploitation (social engineering), whereas globally the dominant threat is malware distribution. Most data breach cases are rooted in spear phishing via email (Threatnix, 2018).
Figure 3 % of respondent threats (left) and vulnerabilities (right) on 2013-2017 (Kessel, 2018)
The chart above shows the state of cybersecurity awareness among employees according to the 20th Global Information Security Survey 2017-18: a lack of awareness increases the risk, and the attacker together with the unwitting insider is seen as the greatest immediate threat (Touche, 2017). At this threat level, organizations are willing to acquire the key elements of cybersecurity resilience with tools such as antivirus and intrusion detection and prevention systems.
With such growing numbers of events in cyberspace, the Security Operations Center (SOC) has become the heart of an organization's cyber threat detection and response, providing a centralized and structured hub for all cybersecurity events. SOCs are therefore the next common thing for organizations to adopt, yet only 52% of survey respondents have one in their firm (Kessel, 2018).
Several services currently available claim to find threats in a system or network automatically, without user interaction, but they have been failing over the years. An IDS attempts to automate the process by generating alarms on suspicious activity, resulting in a huge number of false positives. Feeding IPs and domains into threat intelligence with manual analysis of logs is infeasible for any analyst because of the sheer volume of activity on a network every second. Security information and event management (SIEM) has helped with managing the logs but has been unable to filter out the avoidable fields, which can become a serious challenge for an analyst.
In a short interview during the survey session, security analysts at Vairav Technology (formerly the Security Department of Rigo Technology Pvt. Ltd.) described the problems they face while threat hunting and stated their need for automation over manual check-ups. Although network analysts recommend deploying a threat monitoring system to their organizations, management's poor understanding of the risk factors makes them hesitant to invest in a system beyond the organization's budget.
Secondly, the daunting task for an analyst of hunting for malicious IPs and domains in network logs needs to be fixed. In this work, we present systematic solutions to the aforementioned problems. This project aims to develop a system that automatically analyses the logs from the Bro network security monitor (renamed Zeek in late 2018), which also includes the features of a signature-based intrusion detection system (IDS). This settles the hectic task of filtering and parsing logs continuously; instead, the responsible person can use their time to understand the output of the logs. Visualizing suspicious activity in the network in real time and correlating the log output with reputable cyber threat intelligence is another important feature of this project.
With reference to the analytical survey conducted, most of the candidates are aware of cyber threats and the level of threat risk in Nepal but have failed to establish a system for threat detection and monitoring. This system is an open source project and can be optimized in future versions. Being feasible and a contribution to the open source community, the motivation for developing this system is to provide a solution for creating a threat hunting scenario as a starting point in the case of Nepal.
1.5.2 Objectives
The objectives followed during the development of this project are listed below, in accordance with the adopted software development methodology, the Dynamic systems development method (DSDM).
- An extensive study of the threat reports issued by security researchers from renowned organizations such as Cisco, PhishLabs and Rapid for the global status, and Vairav Technology (formerly Rigo Technology) and ThreatNix for Nepal's cybersecurity status.
- A comprehensive study of existing tools and techniques used for defending against possible threats from the network, referenced against the survey conducted during the requirement analysis phase of development.
- Understanding the problem and coming up with a solution that automates the threat detection procedure, supported by various frameworks and application programming interfaces (APIs).
- Building up knowledge of Cyber Threat Intelligence (CTI) services and providers such as VirusTotal, Cisco Talos, Malwarebytes and PhishTank.
- Analysing the logs from the Bro Network Security Monitor to parse HTTP headers and DNS queries for threat intelligence feeds.
- Filtering the parsed logs into a document-based database, i.e. Elasticsearch (ES).
- Since the project aims to automate threat detection and notify the concerned end user, the script is written in the Python programming language, importing the required libraries.
- Kibana, the dashboard element of the ELK stack, is used as the SIEM framework of the project for monitoring events.
- This project serves as an alert system, so end users are notified by a bot. The Slack Client API provided by Slack, a team collaboration service, is used.
Chapter 2: Background
2.1 Requirement Analysis through Survey
To understand the features required for an efficient Threat Monitoring and Alert system, a general survey with a self-made questionnaire was conducted. Since the project considers network administrators and security analysts of organizations as its end users, the survey was conducted with employees who have sound knowledge of threat detection and an interest in deploying the system, including Security Analysts, IT Officers, IT students and Security Engineers from various organizations around Kathmandu.
[Figure: Number of survey candidates by position (Security Analyst, IT Officer, IT Student, Security Engineer); y-axis 0 to 25]
From this survey, it was concluded that a threat monitoring system was in fact a necessity. Differing opinions were obtained on whether to implement the system with an existing IDS or to set up a new environment. After compiling the survey statistics, the following requirements were enlisted:
In the case of Nepal, this project targets the network administrators of organizations that have high-value assets and cannot tolerate any kind of cyber threat event. Since this project comes with an alert feature and provides a platform for real-time monitoring, the administrator or the incident responders can take action on detected threats. Besides that, this project can be useful to security analysts in the SOC department who continuously hunt for threats; automating the threat hunting process saves their time. According to the survey findings, most analysts and correspondents used the traditional technique for threat detection, manual check-up, and were positive about automating the procedure.
Figure 7 Growth in values after the implementation of the threat detection system
Before discussing the project system, it is necessary to understand how threat hunting is described. Hunt Evil: Your Practical Guide to Threat Hunting describes the phases of the hunting process and dispels the myth that it can be fully automated, since it requires human analysts. As stated in the chapters above, manual check-up or threat hunting can become a tiresome job for analysts, and automating the tasks is a necessity. The aspect that can be automated is detecting threats; as threats are detected, the analysts can investigate their root cause. The SANS white paper by Eric Cole, Ph.D., titled Automating the Hunt for Hidden Threats, points out the failure of traditional threat detection tools such as IDS and antivirus. The author is inclined to the view that security defences must be able to adapt and upgrade in line with modern security events (Eric Cole, 2015). The paper suggests that such tools and organizations include more proactive techniques for defending against security events, along with activities carried out during the threat hunt.
Since the final year project is partially based on the activities that Eric Cole, Ph.D., described as essential, those activities are:
To complete the activities listed above, researchers have defined a set of steps as the Threat Hunting Cycle. A brief explanation of the steps follows:
2.3.1 Planning
The analyst team creates a hypothesis to initiate the hunting process, following the rule of starting small by prioritizing the data of most interest to threat actors. The scope of the analysis, the methodologies to consider and the criticality of assets are defined in this phase. The decision after planning is made on the basis of hunting techniques or the latest security trends; it could also be based on a risk assessment that the organization has already conducted.
2.3.4 Respond
After the hunting phase for malicious events, any discovery is supposed to be notified to the respective team, usually the organization's IR team. Active response to events is a positive contribution to an organization's value, as it prepares the organization for future possible malicious events.
(Sqrrl, 2018)
[Figure: System architecture diagram; labels: Bro, NSM Logs, System Alerts]
An open source SIEM framework, Elasticsearch, Logstash and Kibana, collectively the ELK stack, is installed to manage the filtered logs of detected threat information and display them for the real-time monitoring feature. IP addresses and domain names are extracted from the logs and queried against threat intelligence platforms, i.e. GetIPIntel and OpenPhish. The scripts for detecting threats (malicious DNS queries and phishing domains) also pull out information about the particular threat agent and ultimately send it to be visualized in the Kibana web portal. An alerting feature is also introduced, along with an automatically generated summary threat report; Slack is used as the primary alerting application. Providing these features in one system eases the security analyst's work and improves the productivity of threat detection.
2.4.1 Nimbus
2.4.2 Vectra
Vectra is another new automation-based threat detection service that claims to be powered by AI for attack detection and response. The service comes with IR features, including the identification of hidden tunnels in HTTP and DNS traffic that may evade security enforcement sensors. Vectra's Cognito Detect product provides cyberattack detection and threat hunting: it prioritizes high-risk threats instantly, triggers alerts and correlates them to hosts so that the security team can respond fast without adverse data loss (Vectra, 2018).
2.4.3 Cybersponse
2.4.4 Phantom
APIs to connect and coordinate with the various platforms. This platform was acquired by Splunk to integrate with its security operations offering and accelerate incident response (Sawers, 2018). Phantom also pulls data of any type from any source to trigger its IR technology. The service is also known as an analyst-driven workflow system, since it hits the automated SIEM and queries threat intelligence for contextual information to aid decision making (Splunk, 2018).
Comparing the functions of these similar systems with the system to be developed in this project, most of the features were already included as per the end users' requirements, and some of them could be added in a further version of the system. Since the project is completely based on open source software and custom scripting, the system has the flexibility to accommodate any additional components.
This related project is based on the concept of automating threat detection and introducing machine learning into the IDS, so prevention of detected threats is considered. Yet the threats are anomaly-centric, so a limitation can be the inability to correlate with threat intelligence.
2.6.2 StoQ
Similar to this project, the stoQ analysis framework depends fully on open source systems such as Bro, Suricata and Elasticsearch, and on threat intelligence such as FireEye, VirusTotal, TotalHash and YARA for correlation. The project, developed in 2011, also aims to automate and simplify the repetitive tasks done by analysts. Tasks such as parsing SMTP sessions, extracting attachments, scanning and finally analysing them are automated with a collection of scripts (StoQ, 2017).
Although the system architecture of stoQ and the system developed in this project are similar, additional features are added to overcome the limitations of stoQ, such as sending notifications, visualization and report generation.
2.7.5 Libraries
Brothon: This Python library for Bro IDS is used in the development of the system; it allows the script to parse the Bro logs. Brothon is a package that supports the ingestion, processing and analysis of Bro IDS data with Python. Alternatives exist, but comparatively Brothon is easy to use and meets the system requirements.
Elasticsearch API: This API is used to post the information to the Elasticsearch SIEM. It is the medium for communication between the Bro log analysis scripts and Elasticsearch.
GetIPIntel.net API: This IP intelligence service is used to determine the likelihood that an IP is a proxy, a VPN or malicious.
OpenPhish API: With this API, the domains seen inside the network are checked against the globally recognized phishing site dataset. The alternative is PhishTank, which also lists registered phishing sites; comparatively, the response from the OpenPhish API was found to be a bit faster than that of the PhishTank API.
Slack Client: Slack is a team collaboration tool that allows an application to be added as a bot, using the Slack client library in Python. This service is used to notify the company's network admins about detected threats and phishing URLs. Discord is another platform with similar facilities, but the purposes of the two applications differ in an institutional setting.
PDFDocument: This library is used to document the detections from the Threat Detection System in Portable Document Format (PDF), automatically generating a report over a set period of 24 hours.
Chapter 3: Development
3.1 Methodology Consideration
To start a project with smooth development phases, proper planning is required before anything else. Planning helps to break down hectic tasks into smaller, manageable chunks. Since this final year project involves substantial development, from script writing to demonstration, several software development life cycle methodologies were considered.
In the software development life cycle, the waterfall model is a linear process of software development phases. Planning and requirement gathering are done before the development phase starts. Once a phase is completed, the model does not suggest that developers revisit it; thus the initial phases, planning and requirement gathering, are the most important in this model (Rouse, 2007).
Unlike other SDLC models, the Big Bang model is unique and includes a minimal planning phase; it does not follow any specific process. Time, effort and resources are the input, and the developed software is the output, which may or may not meet the client's requirements (Tutorials Point, 2019).
After these phases have been conducted, the system is developed iteratively and incrementally in the Functional Model Iteration, Design & Build and Implementation phases. During this period, project development is divided into several time boxes (Selected Business Solution, 2019).
II. Design
III. Build
The tool is built by combining three scripts: dnsanalyzer.py, phishanalyzer.py and main.py. Since we analyse the DNS and HTTP logs from the Bro NSM, dnsanalyzer.py and phishanalyzer.py analyse the DNS queries and HTTP headers respectively, using the bro_log_reader module imported from the Brothon package, along with other Python libraries as the project requires. Both scripts include a function that processes the respective task: function HTTP() in phishanalyzer.py checks whether the observed domain is malicious, whereas function DNS() in dnsanalyzer.py passes the DNS queries to the threat intelligence APIs for their malicious status. The scripts use Python loops and conditions to analyse the passed Bro logs (DNS and HTTP) continuously. The findings are collected in a Python dictionary and converted to JSON, which the Elasticsearch client object then posts to Elasticsearch.
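The following is an added example, not the report's dnsanalyzer.py or phishanalyzer.py, illustrating the detection step described here and the GetIPIntel/OpenPhish checks from section 2.7.5. It parses Bro/Zeek TSV logs directly (the #fields header names the columns, which is what Brothon's bro_log_reader does internally), reduces an OpenPhish-style URL feed to hostnames, skips internal addresses before any IP lookup, and emits JSON-ready findings. The log lines, the feed and the IP_SCORES table are constructed; IP_SCORES stands in for the 0..1 probability that GetIPIntel returns and would be replaced by the real API call in deployment.

```python
"""Parse Bro/Zeek dns.log and http.log records and flag indicators against intel."""
import ipaddress
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample logs in Bro/Zeek TSV format (a subset of the real columns).
DNS_LOG = """#separator \\x09
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.resp_h\tquery\tqtype_name\tanswers
#types\ttime\tstring\taddr\taddr\tstring\tstring\tvector[string]
1547028000.123456\tCx1\t192.168.1.10\t192.168.1.1\tupdate.example.org\tA\t203.0.113.10
1547028001.500000\tCx2\t192.168.1.11\t192.168.1.1\tsecure-login.bank-example.net\tA\t198.51.100.7
1547028002.000000\tCx3\t192.168.1.12\t192.168.1.1\tintranet.local\tA\t10.0.0.5
"""
HTTP_LOG = """#separator \\x09
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\tmethod
#types\ttime\tstring\taddr\taddr\tstring\tstring\tstring
1547028003.000000\tCx4\t192.168.1.11\t198.51.100.7\tsecure-login.bank-example.net\t/login.php\tGET
1547028004.000000\tCx5\t192.168.1.13\t203.0.113.10\twww.example.org\t/\tGET
"""

# Constructed stand-ins for the intel services. OpenPhish publishes full URLs, so
# hostnames are extracted before matching; GetIPIntel returns a 0..1 probability
# per IP, modelled here as a fixed dict instead of an HTTP call.
OPENPHISH_FEED = """http://secure-login.bank-example.net/login.php
https://paypa1-verify.example/account
"""
IP_SCORES = {"198.51.100.7": 0.99, "203.0.113.10": 0.01}

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names in the '#fields' header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue  # other header/footer lines and blank lines
        elif fields is None:
            raise ValueError("log record seen before the #fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def phish_hosts_from_feed(feed_text):
    """Reduce an OpenPhish-style URL feed to a set of lowercase hostnames."""
    hosts = set()
    for url in feed_text.split():
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def is_internal(value):
    """True for RFC 1918/loopback/link-local addresses and for non-IP strings
    (CNAME answers, the '-' unset marker), none of which should hit the IP intel API."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def make_finding(rec, log, indicator, reason):
    ts = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
    return {"@timestamp": ts.isoformat(), "log": log, "uid": rec["uid"],
            "source_ip": rec["id.orig_h"], "indicator": indicator, "reason": reason}


def analyze(dns_text, http_text, phish_hosts, ip_scores, threshold=0.95):
    """Run both log types through the intel checks and return JSON-ready findings."""
    findings = []
    for rec in parse_zeek_log(dns_text):
        query = rec["query"].lower()
        if query in phish_hosts:
            findings.append(make_finding(rec, "dns", query, "queried host is in phishing feed"))
        for answer in rec["answers"].split(","):
            if not is_internal(answer) and ip_scores.get(answer, 0.0) >= threshold:
                findings.append(make_finding(rec, "dns", answer,
                                             f"resolved IP scored {ip_scores[answer]} by IP intel"))
    for rec in parse_zeek_log(http_text):
        host = rec["host"].lower()
        if host in phish_hosts:
            findings.append(make_finding(rec, "http", host + rec["uri"],
                                         "HTTP Host header is in phishing feed"))
        server = rec["id.resp_h"]
        if not is_internal(server) and ip_scores.get(server, 0.0) >= threshold:
            findings.append(make_finding(rec, "http", server,
                                         f"server IP scored {ip_scores[server]} by IP intel"))
    return findings


if __name__ == "__main__":
    results = analyze(DNS_LOG, HTTP_LOG, phish_hosts_from_feed(OPENPHISH_FEED), IP_SCORES)
    print(json.dumps(results, indent=2))
```

The internal-address filter matters in deployment: every address sent to GetIPIntel counts against the service's query limits, and RFC 1918 addresses can never be scored anyway. Matching the Host header against hostnames extracted from the feed, rather than against full URLs, is what lets a DNS query (which carries no path) and an HTTP request hit the same indicator.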
The DNS and HTTP log-analysing scripts have similar functions for detection, posting to Elasticsearch, bot alerts and report generation. Both include a function that feeds IP addresses to an API for detailed information such as geolocation and origin; such findings are notified in later builds of the project.
IV. Test
II. Design
III. Build
Following the build of Time box 1, the findings are pushed for visualization. This build extends the scripts developed in Time box 1, phishanalyzer.py and dnsanalyzer.py. For posting the findings from the threat detection build, Elasticsearch and the Kibana web portal are used as the SIEM framework. Elasticsearch provides a Python client library, which is imported in the scripts. Elasticsearch is hosted on localhost (http://127.0.0.1:9200), where 9200 is the default Elasticsearch port. The findings of the previous build are appended to a dictionary and then converted to JSON, since Elasticsearch takes JSON documents for indexing. After the JSON documents are pushed to Elasticsearch, the Discover section of Kibana confirms the connection between the scripts and the ELK server. There, all keys with their corresponding values are tabulated, which makes one of the 'must have' features (threat categorization) easier to achieve. Kibana is hosted on localhost as well (http://127.0.0.1:5601, where 5601 is the default port of the Kibana web portal), and makes the system's visualization purpose possible in an efficient manner. Once the indices and documents from the build are available, the dashboard is designed with the Visualize section of Kibana.
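As an added example, not the report's own code, the following shows the indexing step with two details the scripts need in practice: a deterministic _id so that re-reading the same log line (the analyzers loop over the logs continuously) updates a document instead of creating duplicates, and a mapping so Kibana can treat source_ip as an IP field and the strings as keywords. It uses the _bulk API over plain HTTP rather than the elasticsearch client; the index-template body assumes Elasticsearch 7.x, and the index prefix, field names and sample finding are my own choices.

```python
"""Index analyzer findings into Elasticsearch via the _bulk API (NDJSON)."""
import hashlib
import json
import urllib.request

# Constructed findings in the shape produced by the analyzer scripts.
SAMPLE_FINDINGS = [
    {"@timestamp": "2019-01-09T10:00:01.500000+00:00", "log": "dns", "uid": "Cx2",
     "source_ip": "192.168.1.11", "indicator": "secure-login.bank-example.net",
     "reason": "queried host is in phishing feed"},
    {"@timestamp": "2019-01-09T10:00:03+00:00", "log": "http", "uid": "Cx4",
     "source_ip": "192.168.1.11", "indicator": "secure-login.bank-example.net/login.php",
     "reason": "HTTP Host header is in phishing feed"},
]

# Legacy index template body (PUT /_template/threat-findings on Elasticsearch 7.x;
# an assumption about the version in use) so Kibana gets typed fields.
INDEX_TEMPLATE = {
    "index_patterns": ["threat-findings-*"],
    "mappings": {"properties": {
        "@timestamp": {"type": "date"},
        "log": {"type": "keyword"},
        "uid": {"type": "keyword"},
        "source_ip": {"type": "ip"},
        "indicator": {"type": "keyword"},
        "reason": {"type": "keyword"},
    }},
}


def index_name(finding, prefix="threat-findings"):
    """Daily index, e.g. threat-findings-2019.01.09, so old data can be dropped per day."""
    return f"{prefix}-{finding['@timestamp'][:10].replace('-', '.')}"


def finding_id(finding):
    """Stable _id from the fields that identify the event; the same log line
    indexed twice overwrites its document instead of duplicating it."""
    key = "|".join(finding[k] for k in ("log", "uid", "indicator", "reason"))
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:32]


def bulk_body(findings):
    """NDJSON body for POST /_bulk: an action line followed by the document line."""
    lines = []
    for f in findings:
        lines.append(json.dumps({"index": {"_index": index_name(f), "_id": finding_id(f)}}))
        lines.append(json.dumps(f))
    return "\n".join(lines) + "\n"  # the body must end with a newline


def post_bulk(body, url="http://127.0.0.1:9200/_bulk"):
    """Send the body to a local Elasticsearch; True when every action succeeded."""
    req = urllib.request.Request(url, data=body.encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/x-ndjson"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    return not result.get("errors", True)


if __name__ == "__main__":
    print(bulk_body(SAMPLE_FINDINGS))
```

Without a fixed _id, Elasticsearch assigns a random one per request, and a script that re-scans dns.log every loop iteration would inflate the Kibana counts with the same detection many times over.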
IV. Test
III. Build
According to the proposed time box, the threat alert system and report generation goals are achieved with additional code in the scripts, which are again updated with libraries and API services. For the bot, we create a SlackClient object, with the API token held in a variable. The findings from the previous build (Time box 1) are pushed as alerts through the Slack client. The message formatting is done within the script, since a common message format is used in all cases, alerting and reporting alike. The threat bot is wired into dnsanalyzer.py and phishanalyzer.py so that the alert is sent right after detection, enhancing the real-time properties.
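The following is an added example of the alert side, not the report's script. It formats a finding with Slack's Block Kit, defangs the indicator so Slack does not render the phishing URL as a clickable link in the channel, and suppresses repeat alerts for the same source/indicator pair, since an analyzer that loops over the logs would otherwise post the same detection on every pass. It posts through an incoming webhook URL read from an environment variable (an assumption; the report uses the slackclient library with a bot token) and prints the payload when no URL is set. The sample finding is constructed.

```python
"""Format analyzer findings as Slack alerts, defang indicators and suppress repeats."""
import json
import os
import time
import urllib.request

# Constructed finding in the shape produced by the analyzer scripts.
SAMPLE_FINDING = {"@timestamp": "2019-01-09T10:00:03+00:00", "log": "http", "uid": "Cx4",
                  "source_ip": "192.168.1.11",
                  "indicator": "secure-login.bank-example.net/login.php",
                  "reason": "HTTP Host header is in phishing feed"}


def defang(indicator):
    """'http://evil.example/x' -> 'hxxp://evil[.]example/x' so Slack does not auto-link it."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


class AlertSuppressor:
    """Alert at most once per (source_ip, indicator) pair within `window` seconds."""

    def __init__(self, window=3600, clock=time.time):
        self.window = window
        self.clock = clock  # injectable so the behaviour can be tested without sleeping
        self._last_sent = {}

    def should_alert(self, finding):
        key = (finding["source_ip"], finding["indicator"])
        now = self.clock()
        last = self._last_sent.get(key)
        if last is not None and now - last < self.window:
            return False
        self._last_sent[key] = now
        return True


def format_alert(finding):
    """Build a chat.postMessage / incoming-webhook payload with Block Kit sections."""
    headline = (f":rotating_light: {finding['log'].upper()} threat detected: "
                f"`{defang(finding['indicator'])}` from {finding['source_ip']}")
    return {
        "text": headline,  # plain fallback shown in notifications
        "blocks": [
            {"type": "section", "text": {"type": "mrkdwn", "text": headline}},
            {"type": "section", "fields": [
                {"type": "mrkdwn", "text": f"*Reason*\n{finding['reason']}"},
                {"type": "mrkdwn", "text": f"*Time (UTC)*\n{finding['@timestamp']}"},
                {"type": "mrkdwn", "text": f"*Bro uid*\n{finding['uid']}"},
            ]},
        ],
    }


def send_alert(payload, webhook_url):
    """POST the payload to a Slack incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def alert_if_new(finding, suppressor, sender):
    """Called right after a detection; returns True when an alert was actually sent."""
    if not suppressor.should_alert(finding):
        return False
    sender(format_alert(finding))
    return True


if __name__ == "__main__":
    url = os.environ.get("SLACK_WEBHOOK_URL")  # hypothetical configuration, not from the report
    sender = (lambda p: send_alert(p, url)) if url else (lambda p: print(json.dumps(p, indent=2)))
    alert_if_new(SAMPLE_FINDING, AlertSuppressor(), sender)
```

The Bro uid is carried into the message so the responder can pivot from the Slack alert straight to the matching conn.log and http.log records in Kibana.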
IV. Test
Chapter 4: Testing
Testing is one of the important phases in developing a complete system, and the chosen methodology, DSDM, includes testing right before deployment of the system.
This project holds three main scripts. Each module holds a couple of APIs and corresponding functions. Each module was tested to examine whether the unit component of the system achieved the expected result.
Before the development phase of this project began, several journals, white papers, reports and documentation were reviewed for reference. The current scenario of the proposed system and the problem it aimed to mitigate were observed, and the findings of the research were then addressed using this project as a solution. The Dynamic systems development method (DSDM), a subdomain of agile methodology, was chosen as the software development life cycle. As it suggests breaking the project into smaller builds, the requirements of the system and the goals of each phase were identified.
One significant approach of this project is that threat detection is based on data feeds from threat intelligence platforms. It uses GetIPIntel and OpenPhish to retrieve information from the given feeds. GetIPIntel uses machine learning for its malicious IP address analysis, so building a system on such an algorithm provides a trusted source with a comparatively low false positive rate. The service recommends hosting the API client on a static network to avoid being blacklisted. OpenPhish, in turn, processes phishing URLs registered worldwide and is updated daily. These features of both intelligence platforms can be considered a positive side of the developed system. The test cases for each intelligence feature are included in the Test section of the report.
The system features two ways of displaying the results of the program. According to the results from the requirement gathering phase, the security analysts and network engineers voted for graphical visualization over text-based logs. So, to keep up with the requirement
After the execution of the program, the only task left to the end users is incident
response. Incident response is itself a vast and unpredictable subject that requires human
decision making rather than automation, so the IR feature is out of scope for this project.
The developed system covers all the features that were promised at the initial phase of this
project except incident response, which comes under threat mitigation and was listed as a
won't-have feature of the project.
The following bullets are the provisions from Chapter 9 that are considered illegal and
punishable, by fine or imprisonment or both, if committed.
Such criminal events will continue to occur if proper detection techniques are not applied.
The points above are prone to violation through malicious domain queries once the computers
on the target network are victimized. So, the system developed in this project is one of the
tools that support the legislation prepared by the Government of Nepal. Any organization can
acquire the Threat Detection and Alert System to identify malicious findings and protect
itself from possible future threats.
The system only monitors non-content logs (without credentials) within a network, as
configured at the beginning, so doubts about violating privacy by monitoring logs are avoided
as one of the development strategies. Under such conditions, the ethical values and rights of
the users are not affected.
5.2 Limitations
Despite promising results, the Threat Detection and Alert System still has drawbacks. The
methodology of the threat detection process meets its standard, but the scripts that feed
data to the threat intelligence services slow down under various factors, such as a drop in
network bandwidth. This may be treated as a deployment measure to take care of, but
eventually it affects the system when there is a huge amount of logs to analyze, and it might
not be able to handle such a load. However, the system can still run as developed, accepting
that it might face a slight lag.
Furthermore, the system reads both logs but fails to analyze them simultaneously. The
script is written so that it analyzes the DNS logs first and then the HTTP logs. This flaw
is a major limitation of the system, since it falls short of a real-time threat detection
mechanism. Various methods, such as threading, can be adopted to fix it; this will be a
primary task for further work.
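Both limitations above (lookups that slow down under bandwidth pressure, and DNS and HTTP analysis that run one after the other) can be addressed inside the scripts. The following is an added example, not the project's code: a thread-safe cache in front of the intelligence lookup so each IP is sent upstream only once, and the two analyzers run in a ThreadPoolExecutor that feeds a single alert queue. The rows, the feed and the scores are constructed, and `fake_intel_lookup` is a stand-in for the GetIPIntel call so the example runs offline.

```python
"""Added example for the two limitations above: the DNS and HTTP checks run in
parallel threads that feed one alert queue, and threat-intelligence lookups are
memoized so repeated IPs do not cost another API round-trip.  Rows, feed and
scores are constructed; the lookup function is injected so the example runs
offline (a deployment would pass a function that calls GetIPIntel)."""
import queue
import threading
import time
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for parsed Bro/Zeek rows and for the OpenPhish feed.
DNS_ROWS = [
    {"id.orig_h": "192.168.1.10", "query": "example.com", "answer": "93.184.216.34"},
    {"id.orig_h": "192.168.1.10", "query": "example.com", "answer": "93.184.216.34"},
    {"id.orig_h": "192.168.1.11", "query": "login-update.test", "answer": "203.0.113.7"},
]
HTTP_ROWS = [
    {"id.orig_h": "192.168.1.11", "host": "login-update.test", "uri": "/secure/index.php"},
    {"id.orig_h": "192.168.1.12", "host": "example.com", "uri": "/"},
]
PHISH_FEED = {"login-update.test/secure/index.php"}
FAKE_SCORES = {"203.0.113.7": 0.99}          # constructed GetIPIntel-style probabilities


def fake_intel_lookup(ip):
    """Stand-in for the GetIPIntel call: constructed score, 0.0 for unknown IPs."""
    time.sleep(0.02)                            # mimic network latency
    return FAKE_SCORES.get(ip, 0.0)


class CachedLookup:
    """Thread-safe memo of intel answers per IP, valid for `ttl` seconds."""

    def __init__(self, lookup, ttl=3600, clock=time.monotonic):
        self._lookup, self._ttl, self._clock = lookup, ttl, clock
        self._cache, self._lock = {}, threading.Lock()
        self.upstream_calls = 0                 # how often the real API was hit

    def __call__(self, ip):
        with self._lock:
            hit = self._cache.get(ip)
            if hit and self._clock() - hit[1] < self._ttl:
                return hit[0]
        value = self._lookup(ip)                # network call happens outside the lock
        with self._lock:
            self.upstream_calls += 1
            self._cache[ip] = (value, self._clock())
        return value


def analyze_dns(rows, score_for, alerts, threshold=0.95):
    """Score each distinct answer IP once; queue an alert when it meets the threshold."""
    seen = set()
    for row in rows:
        ip = row["answer"]
        if ip in seen:
            continue
        seen.add(ip)
        if score_for(ip) >= threshold:
            alerts.put({"source": "dns", "src_ip": row["id.orig_h"], "indicator": ip})


def analyze_http(rows, feed, alerts):
    """Queue an alert for every requested URL that appears in the phishing feed."""
    for row in rows:
        url = row["host"] + row["uri"]
        if url in feed:
            alerts.put({"source": "http", "src_ip": row["id.orig_h"], "indicator": url})


def run_analyzers(dns_rows, http_rows, score_for, feed):
    """Run both analyzers concurrently and return their alerts in a stable order."""
    alerts = queue.Queue()
    with ThreadPoolExecutor(max_workers=2) as pool:
        futures = [pool.submit(analyze_dns, dns_rows, score_for, alerts),
                   pool.submit(analyze_http, http_rows, feed, alerts)]
        for f in futures:
            f.result()                          # surface worker exceptions instead of dropping them
    merged = []
    while not alerts.empty():
        merged.append(alerts.get_nowait())
    return sorted(merged, key=lambda a: (a["source"], a["indicator"]))


if __name__ == "__main__":
    lookup = CachedLookup(fake_intel_lookup)
    for alert in run_analyzers(DNS_ROWS, HTTP_ROWS, lookup, PHISH_FEED):
        print(alert)
    run_analyzers(DNS_ROWS, HTTP_ROWS, lookup, PHISH_FEED)   # second pass is served from the cache
    print("upstream lookups:", lookup.upstream_calls)
```

Calling `f.result()` on each future matters for a detection script: an exception inside a worker thread would otherwise be swallowed and the run would end with a partial report that looks complete.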
Chapter 7: References
1. ABDULGHANI ALI AHMED, N. A. A., 2016. Real Time Detection of Phishing Websites,
Singapore: University Malaysia Pahang.
2. Alert Logic, 2017. Threat Monitoring, Detection & Response, U.K.: Information Security.
3. Benjamin J. J. Voigt, Z. S., 2004. Dynamic System Development Method, s.l.: s.n.
4. Bontchev, V., 2017. Macro virus identification problem. FRISK Software International,
17(1), pp. 69-85.
5. CH. Ramaiah, D. A. C. R. S. A. P. P. K., 2018. Secure automated threat detection and
prevention (SATPD). International Journal of Engineering & Technology, 7(2), pp. 86-89.
6. Chun-jing LU, H. Z. J.-y. L. R. Z., 2017. Network Security Log Analysis System Based on
ELK. Information Security Center, Beijing University of Posts and Telecommunications,
5(13), p. 554.
7. Cisco, 2019. Defending against today's critical threats, San Francisco: Cisco.
8. CyberSponse, 2018. About Cybersponse. [Online]
Available at: https://cybersponse.com/about/
[Accessed Dec 2018].
9. Daniel Dinis Teixeira, F. J. A. P. J. P. G. d. S., 2005. DSDM - Dynamic Systems
Development Methodology, s.l.: s.n.
10. Delgado, P., 2018. Developing an Adaptive Threat Hunting Solution: The Elasticsearch
Stack, Houston: College of Information and Logistics Technology.
11. efficientIP, 2018. A New Era of Network Attacks, New York: efficientIP.
12. Eric Cole, P., 2015. Automating the Hunt for Hidden Threats, s.l.: SANS Institute.
13. Government of Nepal, 2008. The Electronic Transactions Act, 2063 (2008). Kathmandu,
Nepal.
14. GUODONG ZHAO, K. X., 2015. Detecting APT Malware Infections Based on Malicious
DNS and Traffic Analysis, s.l.: IEEE Access.
15. JIAN MAO, W. T., 2017. Phishing-Alarm: Robust and Efficient Phishing. 5(17), pp.
17020-17026.
16. Jin Cao, L. D. a. R. H., 2017. Statistical Network Behavior Based Threat Detection. IEEE
Conference on Computer Communications Workshops, 3(12), pp. 420-432.
17. Kessel, P. v., 2018. Cybersecurity regained: preparing to face cyber attacks, s.l.: EYGM.
18. MalwarebytesLabs, 2019. 2019 State of Malware, s.l.: MalwarebytesLabs.
automation/features.html#how-it-works
[Accessed Dec 2018].
32. Sqrrl, 2018. Hunt Evil: Your Practical Guide to Threat Hunting, s.l.: Sqrrl.
33. StoQ, 2017. stoQ: automation. simplified. [Online]
Available at: https://stoq-framework.readthedocs.io/en/latest/
[Accessed 13 December 2018].
34. Threatnix, 2018. Threat Report 2018, Kathmandu, Nepal: ThreatNix.
35. Touche, W., 2017. Cyber risk reporting in the UK, s.l.: Governance in focus.
36. Tutorials Point, 2019. SDLC - Big Bang Model. [Online]
Available at: https://www.tutorialspoint.com/sdlc/sdlc_bigbang_model.htm
[Accessed Jan 2019].
37. Vectra, 2018. Cognito Detect is the most powerful way to find and stop cyberattackers in
real time. [Online]
Available at: https://vectra.ai/assets/cognito-detect-overview.pdf
[Accessed 2018].
38. Zscaler ThreatLabZ, 2019. An analysis of SSL/TLS-based threats, San Jose: Zscaler.
Chapter 8: Appendix
8.1 MoSCoW Prioritization
Must-Have:   M01: Threat Detection
Should Have: S01: Bot Alert
Could Have:  C01: Report Generation
Won't Have:  W01: Threat Mitigation
1. First, the system is based solely on a Linux (Debian) environment, so Debian or another
Debian-based distribution should be installed on the machine.
2. The source code of the system should be kept in one directory and run with root privilege
so it can access the required services.
3. The machine must have Python 3.7 pre-installed, and the scripts must be saved in .py format.
4. Bro IDS should be installed and configured so that the traffic on the configured interfaces
generates logs to analyse.
5. The path of the Bro logs should be set in the scripts.
6. Install the deb packages of the ELK framework (in particular Elasticsearch and Kibana).
7. The Elasticsearch and Kibana services should be started.
8. Access the Kibana portal at localhost:5601 (the default) for visualization.
9. The Slack bot for notification can be used from the web application or the desktop application.
10. The credentials for the Slack client should be modified in the source code.
Following the above steps for setting up the system, we can successfully run the Threat Detection
and Alert System.
Note: The system is suggested to be run on a dedicated server with proper network configuration.
Elasticsearch Prerequisites
Step 1: install Java 1.8 JDK.
sudo apt-get install default-jre
OpenJDK version "1.8.0_151"
OpenJDK Runtime Environment (build 1.8.0_151-8u151-b12-0ubuntu0.16.04.2-b12)
OpenJDK 64-Bit Server VM (build 25.151-b12, mixed mode)
{
"name" : "my-ctms-proj",
"cluster_name" : "elasticsearch",
"cluster_uuid" : "mTkBe_AlSZGbX-vDIe_vZQ",
"version" : {
"number" : "6.1.2",
"build_hash" : "5b1fea5",
"build_date" : "2018-01-10T02:35:59.208Z",
"build_snapshot" : false,
"lucene_version" : "7.1.0",
"minimum_wire_compatibility_version" : "5.6.0",
"minimum_index_compatibility_version" : "5.0.0"
},
8.7 Code
dnsanalyzer.py
#! /usr/bin/python3
# dnsanalyzer.py: resolve each unique DNS query from the Bro dns.log, check the
# resolved IP against GetIPIntel and record hits in Elasticsearch and the report.
# The imports were not shown on the page and are added here.
import json
import socket
from datetime import datetime

import requests
from brothon import bro_log_reader  # BroLogReader is provided by the brothon package
from elasticsearch import Elasticsearch

reader = bro_log_reader.BroLogReader('/home/pastalins/Desktop/FYP/dns.log')
# defining paths of bro logs
already = []   # empty list for non-repeating dns queries from the bro logs
set_list = []  # empty list for corresponding source and destination ip addresses
third = {}     # resolved ip -> [destination ip, destination port, source port]
for row in reader.readrows():
    try:
        dns_query = row['query']  # accessing only the query column
        if dns_query not in already:
            already.append(dns_query)  # appending non-repeating query to the list
            ns_lookup = socket.gethostbyname(dns_query)
            # print(dns_query, ' = ', ns_lookup)
            set_list.append({ns_lookup: [row['id.orig_h'], row['id.resp_h']]})  # appending to set_list[]
            third[ns_lookup] = [row['id.resp_h'], row['id.resp_p'], row['id.orig_p']]
    except (KeyError, OSError):  # missing column or failed name resolution
        continue
# print(set_list)
# print(third)

alread2 = []  # IPs already sent to the intelligence API


def dns(z):
    z.h2('BAD IP address Found')  # heading for report
    message = ''
    unique_dns = 0  # counter for matched addresses
    # The loop header was lost at a page break; it iterates over the resolved
    # IPs and skips those already checked.
    for ip in list(third):
        if ip in alread2:
            continue
        alread2.append(ip)
        intel = requests.get('http://check.getipintel.net/check.php?ip={}&contact=rocks_slash@yahoo.com'.format(ip))  # API request for the resolved IP
        a_txt = intel.text
        decode = str(a_txt)
        print('IP Address:{}\nCriticality Score:{}\n-----'.format(ip, decode))
        # GetIPIntel answers with a probability between 0 and 1; this script
        # treats only an exact '1' as malicious.
        if decode == '1':
            print('\nCriticality Score matched with Malicious Limit\n')
            try:
                es = Elasticsearch('localhost:9200')  # hosting Elasticsearch at localhost
                my_dictionary = {}  # a dictionary that carries all message fields to elasticsearch and the slack bot
                my_dictionary['src_ip'] = ip
                my_dictionary['dest_ip'] = third[ip][0]
                my_dictionary['src_port'] = third[ip][2]
                my_dictionary['dest_port'] = third[ip][1]
                my_dictionary['@timestamp'] = datetime.utcnow().isoformat()
                my_dictionary['threat-intel'] = 'http://getipintel.net'
                my_dictionary['query-type'] = 'DNS-Query'
                my_dictionary['unique-dns'] = unique_dns
                find = requests.get('https://ipapi.co/{}/json/'.format(str(ip)))  # geolocation lookup api
                b_txt = find.text
                in_json = json.loads(b_txt)
                # print(in_json)
                my_dictionary.update(in_json)
                es.index(index='ctms-test-1', doc_type='ip-info', body=my_dictionary)
                # es.index(index='my-CTMS', doc_type='info', body=my_dictionary)
                message = message + ("Source IP: {}\nSource Port: {}\nDestination IP: {}\n"
                                     "Destination Port: {}\nOrigin: {}\nLatitude: {}\n"
                                     "Longitude: {}\nTimestamp: {}\n").format(
                    my_dictionary['src_ip'], my_dictionary['src_port'],
                    my_dictionary['dest_ip'], my_dictionary['dest_port'],
                    my_dictionary['org'], my_dictionary['latitude'],
                    my_dictionary['longitude'], datetime.now().isoformat())
                print(message)
                unique_dns = unique_dns + 1
            except Exception as exc:  # the except clause was not shown on the page
                print('Could not record {}: {}'.format(ip, exc))
    z.p(message)  # write the collected findings into the report, as http() does
phishanalyzer.py
#!/usr/bin/python3
# phishanalyzer.py: match the URLs requested in the Bro http.log against the
# OpenPhish feed and record hits in Elasticsearch and the report.
# importing required libraries (socket, requests and bro_log_reader were not
# shown on the page and are added here)
from slackclient import SlackClient
import ast
from pdfdocument.document import PDFDocument
from datetime import datetime
from elasticsearch import Elasticsearch
import json
import socket

import requests
from brothon import bro_log_reader  # BroLogReader is provided by the brothon package

reader = bro_log_reader.BroLogReader('/home/pastalins/Desktop/FYP/http.log')
# defining paths for accessing bro logs (HTTP)

# The construction of phish_list and bro_domain_list was not shown on the page.
# Reconstructed here: phish_list holds the URLs of the OpenPhish feed (feed URL
# assumed) and bro_domain_list the URLs requested in http.log (host + uri).
phish_list = [line.strip() for line in
              requests.get('https://openphish.com/feed.txt').text.splitlines() if line.strip()]
bro_domain_list = []
for row in reader.readrows():
    try:
        bro_domain_list.append('http://' + row['host'] + row['uri'])
    except KeyError:
        continue


def http(z):
    z.h2('Phishing Domain')
    message = ''
    unique_http = 0
    for p in phish_list:
        for q in bro_domain_list:
            try:
                if q == p:
                    print('Phishing Domain Found :', p)
                    only_domain = p.split("//")[-1].split("/")[0].split('?')[0]  # extracting domain from URL
                    print(only_domain)
                    domain_lookup = socket.gethostbyname(only_domain)  # getting nslookup of domain
                    es = Elasticsearch('localhost:9200')
                    my_dictionary = {}
                    my_dictionary['ip'] = domain_lookup
                    my_dictionary['unique-http'] = unique_http
                    my_dictionary['phish-url'] = q
                    my_dictionary['threat-intel'] = 'openphish'
                    my_dictionary['type'] = 'HTTP-query'
                    my_dictionary['@timestamp'] = datetime.utcnow().isoformat()
                    # The indexing call and the report lines were lost at a page
                    # break; reconstructed to mirror dns() in dnsanalyzer.py.
                    es.index(index='ctms-test-1', doc_type='ip-info', body=my_dictionary)
                    message = message + "Phishing URL: {}\nResolved IP: {}\nTimestamp: {}\n".format(
                        q, domain_lookup, my_dictionary['@timestamp'])
                    unique_http = unique_http + 1
            except Exception as exc:  # failed resolution or indexing; keep scanning
                print('Could not record {}: {}'.format(p, exc))
    # print(message)
    z.p(message)
# http()
main.py
#! /usr/bin/python3
# main.py: build the PDF threat report from both analyzers and upload it to Slack.
import requests
from pdfdocument.document import PDFDocument

# The analyzer imports and calls were not shown on the page; reconstructed from
# the two modules above, which each take the report object z.
from dnsanalyzer import dns
from phishanalyzer import http

z = PDFDocument('Threat-Report.pdf')
z.init_report()
z.h1("Threat Report")
z.h3("© Threat Detect and Alert System, Author Milan Shrestha\n ")
dns(z)
http(z)
z.generate()

payload = {
    "filename": "Threat-Report.pdf",
    # "timestamp": datetime.now().isoformat(),
    "token": '=api key==',  # Slack bot token placeholder, to be replaced as described in the setup steps
    "channels": ['#threat-alert'],
}
my_file = {'file': open('Threat-Report.pdf', 'rb')}  # my_file was not defined on the page
r = requests.post("https://slack.com/api/files.upload", params=payload, files=my_file)
8.8 Survey