对安全操作中心和siem系统潜在的伪装攻击媒介

Cybersecurity: Education, Science, Technique Pub Date : 1900-01-01 DOI:10.28925/2663-4023.2021.14.614

R. Drahuntsov, D. Rabchun

{"title":"对安全操作中心和siem系统潜在的伪装攻击媒介","authors":"R. Drahuntsov, D. Rabchun","doi":"10.28925/2663-4023.2021.14.614","DOIUrl":null,"url":null,"abstract":"In this article we highlight several potential vectors of attacks that can be carried out on a monitoring capacities powered by SOC SIEM using its common features and misconfigurations. Widely spread problems like excessive amounts of false positive alerts or not absolutely accurate configuration of the correlation rules may lead to situation where an attacker is able to trigger an undesired state of the monitoring system. We’ve find three potential vectors for evasion the SIEM powered SOCs monitoring. The first vector grounds on mechanisms used to collect event data – log collectors: the malfunctioning SIEM state can be achieved with generating and submitting the bogus event data to the processing party like SIEM. Fake data flow may cause generation of mistaken alerts which can confuse the analytics stuff. The second vector employs some of the attacker’s knowledge about actual SIEM configuration – exploitation of correlation rule flaws. Taking into account the fact that correlation rules are mostly hand-written, they are prone to some logic flaws – certain detection rules may not be triggered by all of the malicious attack indicators. An attacker with knowledge about that feature may fulfill the unrecorded conditions and trick the SIEM to treat the attack flow as benign activity. The last researched vector is based on redundantly sensitive detection rules which produce a lot of false positive alarms but are not removed. An attacker may trigger the malfunctioning alarm continuously to distract the analytics stuff and perform its actions under the cover of noise. Those discussed vectors are derived from analysis of the actual SIEM installations and SOC processes used as best practices. We have no actual indicators that those attacks are carried out “in wild” at the moment of issuing of this article, but it is highly probable that those tactics may be used in the future. The purpose of this research is to highlight the possible risks for the security operation centers connected with actual processes and practices used in industry and to develop the remediation strategy in perspective.","PeriodicalId":198390,"journal":{"name":"Cybersecurity: Education, Science, Technique","volume":null,"pages":null},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"1","resultStr":"{\"title\":\"POTENTIAL DISGUISING ATTACK VECTORS ON SECURITY OPERATION CENTERS AND SIEM SYSTEMS\",\"authors\":\"R. Drahuntsov, D. Rabchun\",\"doi\":\"10.28925/2663-4023.2021.14.614\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"In this article we highlight several potential vectors of attacks that can be carried out on a monitoring capacities powered by SOC SIEM using its common features and misconfigurations. Widely spread problems like excessive amounts of false positive alerts or not absolutely accurate configuration of the correlation rules may lead to situation where an attacker is able to trigger an undesired state of the monitoring system. We’ve find three potential vectors for evasion the SIEM powered SOCs monitoring. The first vector grounds on mechanisms used to collect event data – log collectors: the malfunctioning SIEM state can be achieved with generating and submitting the bogus event data to the processing party like SIEM. Fake data flow may cause generation of mistaken alerts which can confuse the analytics stuff. The second vector employs some of the attacker’s knowledge about actual SIEM configuration – exploitation of correlation rule flaws. Taking into account the fact that correlation rules are mostly hand-written, they are prone to some logic flaws – certain detection rules may not be triggered by all of the malicious attack indicators. An attacker with knowledge about that feature may fulfill the unrecorded conditions and trick the SIEM to treat the attack flow as benign activity. The last researched vector is based on redundantly sensitive detection rules which produce a lot of false positive alarms but are not removed. An attacker may trigger the malfunctioning alarm continuously to distract the analytics stuff and perform its actions under the cover of noise. Those discussed vectors are derived from analysis of the actual SIEM installations and SOC processes used as best practices. We have no actual indicators that those attacks are carried out “in wild” at the moment of issuing of this article, but it is highly probable that those tactics may be used in the future. The purpose of this research is to highlight the possible risks for the security operation centers connected with actual processes and practices used in industry and to develop the remediation strategy in perspective.\",\"PeriodicalId\":198390,\"journal\":{\"name\":\"Cybersecurity: Education, Science, Technique\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.0000,\"publicationDate\":\"1900-01-01\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"1\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Cybersecurity: Education, Science, Technique\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.28925/2663-4023.2021.14.614\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Cybersecurity: Education, Science, Technique","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.28925/2663-4023.2021.14.614","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 1

摘要

在本文中，我们重点介绍了几个潜在的攻击向量，这些攻击可以利用SOC SIEM的常见功能和错误配置对其监控能力进行攻击。大量的误报警报或不完全准确的相关规则配置等广泛存在的问题可能导致攻击者能够触发监视系统的不希望的状态。我们发现了三个潜在的载体可以逃避SIEM驱动的soc监控。第一个向量基于用于收集事件数据的机制——日志收集器:故障SIEM状态可以通过生成虚假事件数据并将其提交给处理方(如SIEM)来实现。虚假的数据流可能会导致产生错误的警报，从而混淆分析人员。第二个向量利用了攻击者对实际SIEM配置的一些了解——利用相关规则缺陷。考虑到关联规则大多是手写的，容易存在一些逻辑缺陷——某些检测规则可能不会被所有的恶意攻击指标触发。了解该特性的攻击者可能会满足未记录的条件，并欺骗SIEM将攻击流视为良性活动。最后研究的向量是基于冗余敏感检测规则的向量，该规则产生了大量的误报，但没有被去除。攻击者可能会不断触发故障警报，以分散分析人员的注意力，并在噪音的掩护下执行其操作。这些讨论的向量来自于对实际SIEM安装和SOC流程的分析，它们被用作最佳实践。在这篇文章发表的时候，我们没有实际的迹象表明这些攻击是在“野外”进行的，但这些战术很有可能在未来被使用。本研究的目的是强调安全运营中心与工业中使用的实际流程和实践相关的可能风险，并制定正确的修复策略。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

POTENTIAL DISGUISING ATTACK VECTORS ON SECURITY OPERATION CENTERS AND SIEM SYSTEMS

In this article we highlight several potential vectors of attacks that can be carried out on a monitoring capacities powered by SOC SIEM using its common features and misconfigurations. Widely spread problems like excessive amounts of false positive alerts or not absolutely accurate configuration of the correlation rules may lead to situation where an attacker is able to trigger an undesired state of the monitoring system. We’ve find three potential vectors for evasion the SIEM powered SOCs monitoring. The first vector grounds on mechanisms used to collect event data – log collectors: the malfunctioning SIEM state can be achieved with generating and submitting the bogus event data to the processing party like SIEM. Fake data flow may cause generation of mistaken alerts which can confuse the analytics stuff. The second vector employs some of the attacker’s knowledge about actual SIEM configuration – exploitation of correlation rule flaws. Taking into account the fact that correlation rules are mostly hand-written, they are prone to some logic flaws – certain detection rules may not be triggered by all of the malicious attack indicators. An attacker with knowledge about that feature may fulfill the unrecorded conditions and trick the SIEM to treat the attack flow as benign activity. The last researched vector is based on redundantly sensitive detection rules which produce a lot of false positive alarms but are not removed. An attacker may trigger the malfunctioning alarm continuously to distract the analytics stuff and perform its actions under the cover of noise. Those discussed vectors are derived from analysis of the actual SIEM installations and SOC processes used as best practices. We have no actual indicators that those attacks are carried out “in wild” at the moment of issuing of this article, but it is highly probable that those tactics may be used in the future. The purpose of this research is to highlight the possible risks for the security operation centers connected with actual processes and practices used in industry and to develop the remediation strategy in perspective.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Cybersecurity: Education, Science, Technique

自引率

0.00%

发文量