POTENTIAL DISGUISING ATTACK VECTORS ON SECURITY OPERATION CENTERS AND SIEM SYSTEMS

R. Drahuntsov, D. Rabchun
{"title":"POTENTIAL DISGUISING ATTACK VECTORS ON SECURITY OPERATION CENTERS AND SIEM SYSTEMS","authors":"R. Drahuntsov, D. Rabchun","doi":"10.28925/2663-4023.2021.14.614","DOIUrl":null,"url":null,"abstract":"In this article we highlight several potential vectors of attacks that can be carried out on a monitoring capacities powered by SOC SIEM using its common features and misconfigurations. Widely spread problems like excessive amounts of false positive alerts or not absolutely accurate configuration of the correlation rules may lead to situation where an attacker is able to trigger an undesired state of the monitoring system. We’ve find three potential vectors for evasion the SIEM powered SOCs monitoring. The first vector grounds on mechanisms used to collect event data – log collectors: the malfunctioning SIEM state can be achieved with generating and submitting the bogus event data to the processing party like SIEM. Fake data flow may cause generation of mistaken alerts which can confuse the analytics stuff. The second vector employs some of the attacker’s knowledge about actual SIEM configuration – exploitation of correlation rule flaws. Taking into account the fact that correlation rules are mostly hand-written, they are prone to some logic flaws – certain detection rules may not be triggered by all of the malicious attack indicators. An attacker with knowledge about that feature may fulfill the unrecorded conditions and trick the SIEM to treat the attack flow as benign activity. The last researched vector is based on redundantly sensitive detection rules which produce a lot of false positive alarms but are not removed. An attacker may trigger the malfunctioning alarm continuously to distract the analytics stuff and perform its actions under the cover of noise. Those discussed vectors are derived from analysis of the actual SIEM installations and SOC processes used as best practices. We have no actual indicators that those attacks are carried out “in wild” at the moment of issuing of this article, but it is highly probable that those tactics may be used in the future. The purpose of this research is to highlight the possible risks for the security operation centers connected with actual processes and practices used in industry and to develop the remediation strategy in perspective.","PeriodicalId":198390,"journal":{"name":"Cybersecurity: Education, Science, Technique","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cybersecurity: Education, Science, Technique","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.28925/2663-4023.2021.14.614","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 1

Abstract

In this article we highlight several potential vectors of attacks that can be carried out on a monitoring capacities powered by SOC SIEM using its common features and misconfigurations. Widely spread problems like excessive amounts of false positive alerts or not absolutely accurate configuration of the correlation rules may lead to situation where an attacker is able to trigger an undesired state of the monitoring system. We’ve find three potential vectors for evasion the SIEM powered SOCs monitoring. The first vector grounds on mechanisms used to collect event data – log collectors: the malfunctioning SIEM state can be achieved with generating and submitting the bogus event data to the processing party like SIEM. Fake data flow may cause generation of mistaken alerts which can confuse the analytics stuff. The second vector employs some of the attacker’s knowledge about actual SIEM configuration – exploitation of correlation rule flaws. Taking into account the fact that correlation rules are mostly hand-written, they are prone to some logic flaws – certain detection rules may not be triggered by all of the malicious attack indicators. An attacker with knowledge about that feature may fulfill the unrecorded conditions and trick the SIEM to treat the attack flow as benign activity. The last researched vector is based on redundantly sensitive detection rules which produce a lot of false positive alarms but are not removed. An attacker may trigger the malfunctioning alarm continuously to distract the analytics stuff and perform its actions under the cover of noise. Those discussed vectors are derived from analysis of the actual SIEM installations and SOC processes used as best practices. We have no actual indicators that those attacks are carried out “in wild” at the moment of issuing of this article, but it is highly probable that those tactics may be used in the future. The purpose of this research is to highlight the possible risks for the security operation centers connected with actual processes and practices used in industry and to develop the remediation strategy in perspective.
查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
对安全操作中心和siem系统潜在的伪装攻击媒介
在本文中,我们重点介绍了几个潜在的攻击向量,这些攻击可以利用SOC SIEM的常见功能和错误配置对其监控能力进行攻击。大量的误报警报或不完全准确的相关规则配置等广泛存在的问题可能导致攻击者能够触发监视系统的不希望的状态。我们发现了三个潜在的载体可以逃避SIEM驱动的soc监控。第一个向量基于用于收集事件数据的机制——日志收集器:故障SIEM状态可以通过生成虚假事件数据并将其提交给处理方(如SIEM)来实现。虚假的数据流可能会导致产生错误的警报,从而混淆分析人员。第二个向量利用了攻击者对实际SIEM配置的一些了解——利用相关规则缺陷。考虑到关联规则大多是手写的,容易存在一些逻辑缺陷——某些检测规则可能不会被所有的恶意攻击指标触发。了解该特性的攻击者可能会满足未记录的条件,并欺骗SIEM将攻击流视为良性活动。最后研究的向量是基于冗余敏感检测规则的向量,该规则产生了大量的误报,但没有被去除。攻击者可能会不断触发故障警报,以分散分析人员的注意力,并在噪音的掩护下执行其操作。这些讨论的向量来自于对实际SIEM安装和SOC流程的分析,它们被用作最佳实践。在这篇文章发表的时候,我们没有实际的迹象表明这些攻击是在“野外”进行的,但这些战术很有可能在未来被使用。本研究的目的是强调安全运营中心与工业中使用的实际流程和实践相关的可能风险,并制定正确的修复策略。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
自引率
0.00%
发文量
0
期刊最新文献
DESIGN OF BIOMETRIC PROTECTION AUTHENTIFICATION SYSTEM BASED ON K-AVERAGE METHOD CRYPTOVIROLOGY: SECURITY THREATS TO GUARANTEED INFORMATION SYSTEMS AND MEASURES TO COMBAT ENCRYPTION VIRUSES MODEL OF CURRENT RISK INDICATOR OF IMPLEMENTATION OF THREATS TO INFORMATION AND COMMUNICATION SYSTEMS SELECTION OF AGGREGATION OPERATORS FOR A MULTI-CRITERIA EVALUTION OF SUTABILITY OF TERRITORIES GETTING AND PROCESSING GEOPRODITIONAL DATA WITH MATLAB MAPPING TOOLBOX
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1