A Federated Approach to Identifying Advanced Persistent Security Threats on Enterprise Computer Networks
Public project web repository for an Integration Project at Athabasca University. This will serve as the official central repository of project documents, deliverables, and source code.
Student
Wade W. Wesolowsky <wadew@false.ca>
Funding
Graduate Student Research Fund (GSRF) at Athabasca University provided funding to purchase computer hardware and networking devices.
Project Overview
Computer security is a flash point of concern in the modern computing landscape, and threats both known and unknown weigh on the minds of computing professionals. Advanced Persistent Security Threats (APST) are a class of clandestine attack that infiltrates computer systems to exfiltrate data and works to keep a long-term foothold inside the target network. They are of particular concern because of their use and sponsorship by state actors in proxy battles and covert operations. In this landscape we chart the rise of the threat and survey free and open source software that can be used on an enterprise network to detect it. Detection will come from the security tools working together as components of a Federated Security Module (FSM) built on the Elasticsearch, Logstash, and Kibana (ELK) Stack. A federation of pfSense, Snort, Sweet Security (Zeek), Wazuh (OSSEC), and Honeytrap will offer a centralized data source from which their combined knowledge can be queried. The efficacy of the federation will be evaluated using a test suite on a simulated enterprise network, which will provide opportunities for improvement and lessons learned for future research.
Prototype Lab Network Diagram
This diagram provides a high level overview of the network layout which was used for this project.
Security Tools Network Layout
This diagram shows which hosts different security tools are located on within the network.
FSM Kibana Plugin System Overview Diagram
This diagram shows how the FSM Kibana plugin works from a high level.
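The following is an added example written for this README, not code from the fsm_plugin repository or any of the tools above. It sketches the federation idea from the project overview and the plugin diagram: ask Elasticsearch (via the Query DSL linked under Helpful Links) for every event that pfSense, Snort, Zeek, Wazuh or Honeytrap recorded about a host, then count how many independent tools noticed it. The index patterns, the field names (`source.ip` / `destination.ip`, assumed to be normalised by Logstash) and the sample hits are assumptions constructed for this example.

```javascript
// Added example for this README; not code from the fsm_plugin project.
// Index patterns, field names and sample data below are assumptions.

const FEDERATED_INDICES = 'pfsense-*,snort-*,zeek-*,wazuh-*,honeytrap-*';
const TOOLS = ['pfsense', 'snort', 'zeek', 'wazuh', 'honeytrap'];

// Recover the producing tool from an index name such as "zeek-dns-2019.05.01".
function toolForIndex(indexName) {
  const prefix = indexName.split('-')[0].toLowerCase();
  return TOOLS.includes(prefix) ? prefix : 'unknown';
}

// Elasticsearch Query DSL body: events inside the window in which hostIp
// appears as either source or destination, oldest first.
function buildFederatedQuery(hostIp, windowMinutes = 60) {
  return {
    size: 1000,
    sort: [{ '@timestamp': 'asc' }],
    query: {
      bool: {
        filter: [
          { range: { '@timestamp': { gte: `now-${windowMinutes}m` } } },
          {
            bool: {
              should: [
                { term: { 'source.ip': hostIp } },
                { term: { 'destination.ip': hostIp } },
              ],
              minimum_should_match: 1,
            },
          },
        ],
      },
    },
  };
}

// Send the query through an Elasticsearch client and return the raw hits.
// Accepts both the legacy `elasticsearch` package (resolves to the body)
// and `@elastic/elasticsearch` v7 (resolves to { body }).
async function fetchFederatedHits(client, hostIp, windowMinutes = 60) {
  const resp = await client.search({
    index: FEDERATED_INDICES,
    body: buildFederatedQuery(hostIp, windowMinutes),
  });
  const body = resp.body !== undefined ? resp.body : resp;
  return body.hits.hits;
}

// Fold hits into one record per source host: which tools saw it, how many
// events, first and last sighting. A host is flagged when at least minTools
// independent tools agree; that cross-tool agreement is what the federation
// adds over reading each tool's console on its own.
function correlateHits(hits, minTools = 3) {
  const byHost = new Map();
  for (const hit of hits) {
    const src = hit._source;
    const host = src.source && src.source.ip;
    if (!host) continue; // e.g. a host-only Wazuh alert with no network tuple
    const ts = src['@timestamp'];
    const rec = byHost.get(host) || { host, tools: new Set(), events: 0, first: ts, last: ts };
    rec.tools.add(toolForIndex(hit._index));
    rec.events += 1;
    if (ts < rec.first) rec.first = ts; // ISO-8601 UTC strings compare lexically
    if (ts > rec.last) rec.last = ts;
    byHost.set(host, rec);
  }
  return [...byHost.values()]
    .map((r) => ({ ...r, tools: [...r.tools].sort(), flagged: r.tools.size >= minTools }))
    .sort((a, b) => b.tools.length - a.tools.length);
}

// One line per host, suitable for a Kibana plugin table or the console.
function summarize(hits, minTools = 3) {
  return correlateHits(hits, minTools).map(
    (r) => `${r.host}: ${r.tools.length} tool(s) [${r.tools.join(', ')}], ` +
           `${r.events} event(s), ${r.first} .. ${r.last}${r.flagged ? ' FLAGGED' : ''}`,
  );
}

// Constructed sample hits, shaped like Elasticsearch search results.
const SAMPLE_HITS = [
  { _index: 'snort-2019.05.01', _source: { '@timestamp': '2019-05-01T10:00:05Z', source: { ip: '10.0.1.23' }, destination: { ip: '198.51.100.7' }, message: 'outbound connection matched IDS rule' } },
  { _index: 'zeek-dns-2019.05.01', _source: { '@timestamp': '2019-05-01T10:00:09Z', source: { ip: '10.0.1.23' }, query: 'update.example.net' } },
  { _index: 'wazuh-alerts-2019.05.01', _source: { '@timestamp': '2019-05-01T10:01:30Z', source: { ip: '10.0.1.23' }, message: 'new scheduled task created' } },
  { _index: 'zeek-conn-2019.05.01', _source: { '@timestamp': '2019-05-01T10:05:09Z', source: { ip: '10.0.1.23' }, destination: { ip: '198.51.100.7' }, duration: 300 } },
  { _index: 'honeytrap-2019.05.01', _source: { '@timestamp': '2019-05-01T10:07:44Z', source: { ip: '10.0.1.23' }, destination: { ip: '10.0.2.200' }, service: 'smb' } },
  { _index: 'pfsense-2019.05.01', _source: { '@timestamp': '2019-05-01T10:02:00Z', source: { ip: '10.0.1.50' }, destination: { ip: '203.0.113.9' }, action: 'block' } },
  { _index: 'snort-2019.05.01', _source: { '@timestamp': '2019-05-01T10:03:00Z', source: { ip: '10.0.1.77' }, destination: { ip: '10.0.1.1' }, message: 'port scan' } },
  { _index: 'zeek-conn-2019.05.01', _source: { '@timestamp': '2019-05-01T10:03:01Z', source: { ip: '10.0.1.77' }, destination: { ip: '10.0.1.1' }, duration: 1 } },
  { _index: 'wazuh-alerts-2019.05.01', _source: { '@timestamp': '2019-05-01T10:04:00Z', agent: { name: 'ws-07' }, message: 'rootcheck finding' } },
];

console.log(summarize(SAMPLE_HITS).join('\n'));
```

Run stand-alone, the block prints one line per host from the constructed sample; 10.0.1.23 is flagged because four separate tools saw it, while the host that only pfSense blocked and the one that only Snort and Zeek saw are not. In a real deployment `fetchFederatedHits` would replace `SAMPLE_HITS`, and the threshold and window are the knobs to tune against the test suite mentioned in the overview.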
Project Software Repositories
The following repositories contain software and configuration files written for this project.
- APT Hunter
- Federated Security Module Plugin (fsm_plugin)
- HoneyTrap Configuration Files
- OSSEC Configuration File
Forked Software Repositories
The following repositories have been forked to provide source code for the various tools used in this research project. They are provided here as a static reference point, since many of the tools used in this project are under active development and change constantly.
- APT_CyberCriminal_Campagin_Collections
- APTSimulator
- Bro / Zeek
- Elasticsearch
- Elasticsearch-py
- FlightSim
- HELK - The Hunting ELK
- Honeytrap
- Honeytrap Configs
- Honeytrap Docs
- Kibana
- Kibana Sample Plugin
- kibana-plugin-notes
- Logstash
- Pfsense
- Pfsense Docs
- Sigma
- SIGMA UI
- Snort3
- Snort FAQ
- Sweet Security
- Sysmon-Config
- tr-k4p-clock
- Wazuh
- Wazuh-API
- Wazuh Documentation
- Wazuh Kibana App
- Wazuh Ruleset
Project Reports
Oral Presentation Google Slides [Slides in PDF]
Disclaimer
This is an active research project which I am currently working on. All information is provided "AS IS" and may change without notice. I have provided this resource for the purposes of feedback and public dissemination of my research ideas.
Helpful Links
API Reference (Elastic JavaScript)
Developing new Kibana Visualizations
Elasticsearch client library for Node.js
Query Domain Specific Language (DSL)