Threat hunting for adversary impact inhibiting system recovery

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-26 DOI:10.1016/j.cose.2025.104464

Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi

{"title":"Threat hunting for adversary impact inhibiting system recovery","authors":"Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi","doi":"10.1016/j.cose.2025.104464","DOIUrl":null,"url":null,"abstract":"<div><div>The rise of advanced cyber threats targeting critical system recovery mechanisms necessitates proactive and scalable threat-hunting solutions. This research introduces a novel methodology leveraging a Linux-based Elasticsearch server to detect adversary techniques that inhibit system recovery (T1490). By integrating Elasticsearch for centralized log storage, Kibana for dynamic visualization, and Lucene for precise query search, the proposed platform offers a cost-effective and adaptable alternative to proprietary SIEM solutions. The methodology emphasizes real-time identification of indicators of compromise (IOCs) such as shadow copy deletions, suspicious commands, and backup configuration modifications, enabling security teams to uncover adversarial behaviors before they disrupt recovery processes. Practical implementation demonstrates the platform's flexibility across diverse IT environments, accommodating logs from endpoints with varying operating systems and infrastructures. The study further highlights the adaptability of the approach, with Kibana dashboards and Lucene queries tailored to specific organizational needs, making it a versatile tool for enterprises. Additionally, the research underscores the significance of proactive detection by moving beyond traditional reactive methods, positioning organizations to address system recovery threats effectively. This work bridges a critical gap in cybersecurity by offering a scalable, open-source threat-hunting platform that aligns with the growing need for robust defenses against evolving adversary techniques. The findings hold practical significance for enhancing incident response strategies and bolstering organizational resilience, paving the way for future integration with advanced threat intelligence feeds and automated detection mechanisms. This novel approach not only strengthens the security landscape but also provides a blueprint for cost-efficient, real-world applications in defending against adversary techniques designed to inhibit system recovery.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104464"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001531","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The rise of advanced cyber threats targeting critical system recovery mechanisms necessitates proactive and scalable threat-hunting solutions. This research introduces a novel methodology leveraging a Linux-based Elasticsearch server to detect adversary techniques that inhibit system recovery (T1490). By integrating Elasticsearch for centralized log storage, Kibana for dynamic visualization, and Lucene for precise query search, the proposed platform offers a cost-effective and adaptable alternative to proprietary SIEM solutions. The methodology emphasizes real-time identification of indicators of compromise (IOCs) such as shadow copy deletions, suspicious commands, and backup configuration modifications, enabling security teams to uncover adversarial behaviors before they disrupt recovery processes. Practical implementation demonstrates the platform's flexibility across diverse IT environments, accommodating logs from endpoints with varying operating systems and infrastructures. The study further highlights the adaptability of the approach, with Kibana dashboards and Lucene queries tailored to specific organizational needs, making it a versatile tool for enterprises. Additionally, the research underscores the significance of proactive detection by moving beyond traditional reactive methods, positioning organizations to address system recovery threats effectively. This work bridges a critical gap in cybersecurity by offering a scalable, open-source threat-hunting platform that aligns with the growing need for robust defenses against evolving adversary techniques. The findings hold practical significance for enhancing incident response strategies and bolstering organizational resilience, paving the way for future integration with advanced threat intelligence feeds and automated detection mechanisms. This novel approach not only strengthens the security landscape but also provides a blueprint for cost-efficient, real-world applications in defending against adversary techniques designed to inhibit system recovery.

查看原文本刊更多论文

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.