Nick Mckenney
8 min read · Aug 9, 2022

I worked on this very small project to get an idea of what SIEMs are and how they work. My intention was to apply these skills to meet the many requirements listed for positions in the cyber field. A SOC analyst, a position I am very interested in, uses a SIEM daily; its purpose is to organize data and help identify threats. In summary, a SIEM aggregates logs and lets the user know when an attack on their company has taken place. SIEM tools mostly identify patterns, so an attack that does not match a known pattern attracts less attention. Overall, I look forward to using this project as a stepping stone toward the cyber field, leading me to a position where I can grow my talents.

For my first project, I wanted to create my own SIEM just so I could understand how they function. Since I am fresh into this, I used Josh Madakor as a resource to guide me. This mini project is built on Azure Sentinel. I created a honeypot so I could monitor attacks and display them on a map. For this to work, I set my inbound firewall rule to priority 100. This is part of a Rule Collection Group Priority, and this inbound rule will always take precedence. The rule allows all ports and protocols through my firewall, which lets all traffic reach my honeypot. Essentially, if an attacker knows the public IP and a username/password, they have full access to my PC.

Like any SIEM, I also needed a way to parse my logs. I first needed some sample data, so I deliberately failed to log into my VM/honeypot a few times to generate it.

I gathered a few of these records into my Azure workspace and trained it to identify what each data point meant.

All of this was just extracting custom fields so that, eventually, an API could read the log with the correct headers. With everything in place and a simple API call, I was led to this.

With this, I was able to see the protocols and attempts made from around the country by people attempting to log onto my virtual machine.
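As an added example (not the author's Sentinel setup or Josh Madakor's script), this is what the field extraction and enrichment step looks like in Python: the event lines are constructed stand-ins for the VM's Security log, and GEO_LOOKUP is a constructed stand-in for the geolocation API response.

```python
import re
from collections import Counter

# Constructed sample: failed-logon (Event ID 4625) records as they might appear
# in the honeypot VM's Security log, flattened to one line each. The last line
# is a successful logon (4624) and must be ignored.
SAMPLE_EVENTS = [
    "EventID=4625 Account Name: administrator Logon Type: 3 Source Network Address: 203.0.113.7",
    "EventID=4625 Account Name: admin Logon Type: 10 Source Network Address: 198.51.100.23",
    "EventID=4625 Account Name: administrator Logon Type: 3 Source Network Address: 203.0.113.7",
    "EventID=4624 Account Name: nick Logon Type: 2 Source Network Address: -",
]

# Constructed stand-in for the geolocation API: source IP -> (country, lat, lon).
GEO_LOOKUP = {
    "203.0.113.7": ("Netherlands", 52.37, 4.90),
    "198.51.100.23": ("Brazil", -23.55, -46.63),
}

# The "custom fields" a SIEM needs from each raw line.
FIELD_RE = re.compile(
    r"EventID=(?P<event_id>\d+).*?Account Name: (?P<account>\S+)"
    r".*?Logon Type: (?P<logon_type>\d+).*?Source Network Address: (?P<src_ip>\S+)"
)


def extract_fields(line):
    """Return a dict of parsed fields, or None if the line does not match."""
    m = FIELD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["event_id"] = int(rec["event_id"])
    rec["logon_type"] = int(rec["logon_type"])
    return rec


def failed_logons_by_location(lines, geo=GEO_LOOKUP):
    """Count 4625 events per source IP, enriched with country and coordinates
    so the counts can be plotted on a map."""
    counts = Counter()
    for line in lines:
        rec = extract_fields(line)
        if rec is None or rec["event_id"] != 4625:
            continue  # skip unparseable lines and successful logons
        country, lat, lon = geo.get(rec["src_ip"], ("unknown", None, None))
        counts[(rec["src_ip"], country, lat, lon)] += 1
    return counts


if __name__ == "__main__":
    for (ip, country, lat, lon), n in failed_logons_by_location(SAMPLE_EVENTS).items():
        print(f"{n} failed logons from {ip} ({country}) at {lat},{lon}")
```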

Now that I have a sense of what a SIEM is, I could use tools that companies would use for their SIEM.

With the help of the YouTube channel “Blackperl”, I came to understand tools such as QRadar, Elastic SIEM, and ELK. I played with Elastic and ELK outside of this blog; here I mostly want to focus on IBM’s QRadar SIEM. What's great about IBM QRadar is that it can manage compliance mandates like HIPAA. QRadar, like many SIEMs, lets all network devices send traffic to it directly, so a cyber-attack or even reconnaissance against a network device can raise an alert. For this SIEM to work I needed to use an OVA file. An OVA file stores VM files and opens through a VM, not a host. For this VM I used the CentOS Linux operating system. The OVA file has a Tomcat server integrated within it. A Tomcat server is just an open-source Java servlet container. HTTP alone serves the static content of a web page by retrieving files from a web server; if a website needs to display content that is more than static, a servlet is needed. An example would be running an API, which from my earlier experience is important for a SIEM. In summary, Tomcat is just a servlet container.

We can see that after running the OVA file there are multiple attempts to get the Tomcat server to boot. Once Tomcat finished starting, all I needed to do was run ifconfig on the system to find the local IP address of the web console Tomcat created for me.

At last, we are greeted by this: a QRadar SIEM. Right now there is no data on the screen.

From looking at the sample logs,

I can tell they are impractical and hard to read. A SIEM can solve this.

The simple command above pushes the sample logs to the SIEM.

Now I can finally see a sample attack on a network.

Exploring the SIEM, I also found that I can group the events by name.

By clicking on a sample log I get the below screen.

From the sample above I can tell the SIEM is alerting me to a program called Trojan.Piptea, which is a “malicious program capable of downloading and executing additional malware products, and lowering the security settings of infected computer. It is often able to conceal the presence of its running process from the user.” I learned that the paid edition of this SIEM includes a runbook on what I can do to resolve this issue.

Before anything else, I want to be able to parse log files. Following the steps below from IBM’s docs, I can use their DSM, which is “A log that receives events for parsing and normalizing to a standard format.” Below is the procedure I followed.

After some time and running more cases, I was able to get the home screen to look like this.

With some further exploration, I found a sample attempt of a buffer overflow.

Above is a buffer overflow attack. If successful, this can let the attacker gain access and create more vulnerabilities in other network devices. With some Googling of the event name, I came to understand that this attack was caused by “improper bounds checking when handling the ‘Type’ property of an ‘Object’ tag.” The IBM docs explained that this was delivered through an email to a possible user on the network. When they clicked on the link that was sent to them, a malicious Microsoft Explorer web page appeared. The best remedy to prevent this would have been for the user to have updated their Microsoft Explorer.

I skipped over a lot of how I got to the above screenshot, but it was very simple thanks to IBM's normalization of logs.

After all of this, I had the opportunity to mess around with QRadar. Here is what I learned from it.

There are plenty of legitimate IP sources I have to parse through and ignore, even though the source IP of the “attacker” is recognizable. Unfortunately, this situation is a lot worse in the workplace. The sheer amount of data can be a problem, since it can hide the truly dangerous actors attempting to gain access. Lots of security events are not investigated; in fact, almost 50% of events never get looked at.

As an addition, events in my SIEM, or any SIEM, also come from an Active Directory server. AD is a database that lets users authenticate themselves and reach resources. Events are generated by everything that has an IP address, and most if not all of the events in my SIEM were security risks.

Another add-on in QRadar is the Network Activity tab, something other SIEMs do not have. This shows what happens after an attacker logs onto a device in a worst-case scenario. Through this network activity we get a network flow, which tells the user the source, destination, and size of the data. Network flows help the user of a SIEM because, even if an attack can turn off the logs, the network activity is still there and shows what is happening with the packets. An attacker can’t alter the network flow, since if they did the packets would just be directed elsewhere. One use case for a SIEM is sitting behind a firewall to catch the events that get through.

Throughout my blog I spoke about how a SIEM organizes logs for the user; the technical term for this is Normalization. As I covered before, SIEMs are critical for organizations since they need to meet compliance standards. If user health data gets leaked, that can become a HIPAA issue.
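An added illustration of normalization and of setting aside known-good sources, not QRadar's own code: the raw lines below are constructed, and the corporate range in KNOWN_GOOD is an assumed allowlist.

```python
import re
import ipaddress
from collections import Counter

# Constructed raw events from two sources: Linux sshd authentication failures
# and an iptables-style firewall drop. A SIEM parser (what QRadar calls a DSM)
# maps each source format onto the same normalized fields.
RAW_EVENTS = [
    "Aug  7 03:14:07 web01 sshd[2213]: Failed password for invalid user test from 203.0.113.9 port 51022 ssh2",
    "Aug  7 03:14:09 web01 sshd[2213]: Failed password for root from 203.0.113.9 port 51030 ssh2",
    "Aug  7 03:14:11 web01 sshd[2219]: Failed password for nick from 10.20.0.15 port 40222 ssh2",
    "Aug  7 03:14:12 fw01 kernel: DROP IN=eth0 SRC=198.51.100.77 DST=10.20.1.5 PROTO=TCP DPT=3389",
    "Aug  7 03:14:13 web01 sshd[2220]: Accepted publickey for nick from 10.20.0.15 port 40230 ssh2",
]

# Assumed corporate range whose routine authentication noise the analyst suppresses.
KNOWN_GOOD = [ipaddress.ip_network("10.20.0.0/16")]

SSHD_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
FW_RE = re.compile(r"DROP .*?SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)")


def normalize(line):
    """Map one raw line onto a common schema, or return None if no parser matches."""
    m = SSHD_RE.search(line)
    if m:
        return {"event_name": "SSH Authentication Failure", "src_ip": m.group(2),
                "user": m.group(1), "dst_port": 22}
    m = FW_RE.search(line)
    if m:
        return {"event_name": "Firewall Deny", "src_ip": m.group(1),
                "dst_ip": m.group(2), "dst_port": int(m.group(4))}
    return None  # unknown format; a real SIEM would keep this as an unparsed event


def is_known_good(ip, allowlist=KNOWN_GOOD):
    """True if the source address falls inside an allowlisted range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in allowlist)


def triage(lines):
    """Normalize, suppress allowlisted sources, then group what remains by event name and source."""
    by_name, by_src, suppressed = Counter(), Counter(), 0
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        if is_known_good(ev["src_ip"]):
            suppressed += 1
            continue
        by_name[ev["event_name"]] += 1
        by_src[ev["src_ip"]] += 1
    return by_name, by_src, suppressed
```

The grouping by event name mirrors the QRadar view described earlier; the suppressed count shows how much of the stream was legitimate internal noise.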

My goal for this short project was to understand what a SIEM is and how to use it. If I were to use a SIEM in a work environment, I would be more comfortable thanks to learning about IBM's SIEM. Through some digging, I found that IBM developed Watson for automation. Since SIEMs need data science technologies, IBM paired Watson with QRadar in the premium version. This can definitely ease the burden of digging through information to find patterns like the same source IP attacking a network. I reached my goal, but I want to dive further into SIEMs, which I will go over in my next learning blog.

References

YouTube. (2021). Log Analysis Tutorial Detailed Demo in QRadar, 9 Tips to Reduce False Positives in Siem, Day 9. YouTube. Retrieved August 7, 2022, from https://www.youtube.com/watch?v=CM4lEgtVgf8&list=PLjWEV7pmvSa7cXTkCppnYHERUdy8Dd71x&index=3.

IBM. (2015, October 1). IBM Security QRadar Community Edition get started guide. IBM. Retrieved August 7, 2022, from https://www.ibm.com/security/digital-assets/qradar/community-edition-quickstart-guide/#data-sources

YouTube. (2020, October 30). Hands-on Incident Response Using IBM QRadar. YouTube. Retrieved August 7, 2022, from https://www.youtube.com/watch?v=yxtI4GlWNjQ
