威胁搜索对手影响抑制系统恢复

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-03-26 DOI:10.1016/j.cose.2025.104464

Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi

{"title":"威胁搜索对手影响抑制系统恢复","authors":"Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi","doi":"10.1016/j.cose.2025.104464","DOIUrl":null,"url":null,"abstract":"<div><div>The rise of advanced cyber threats targeting critical system recovery mechanisms necessitates proactive and scalable threat-hunting solutions. This research introduces a novel methodology leveraging a Linux-based Elasticsearch server to detect adversary techniques that inhibit system recovery (T1490). By integrating Elasticsearch for centralized log storage, Kibana for dynamic visualization, and Lucene for precise query search, the proposed platform offers a cost-effective and adaptable alternative to proprietary SIEM solutions. The methodology emphasizes real-time identification of indicators of compromise (IOCs) such as shadow copy deletions, suspicious commands, and backup configuration modifications, enabling security teams to uncover adversarial behaviors before they disrupt recovery processes. Practical implementation demonstrates the platform's flexibility across diverse IT environments, accommodating logs from endpoints with varying operating systems and infrastructures. The study further highlights the adaptability of the approach, with Kibana dashboards and Lucene queries tailored to specific organizational needs, making it a versatile tool for enterprises. Additionally, the research underscores the significance of proactive detection by moving beyond traditional reactive methods, positioning organizations to address system recovery threats effectively. This work bridges a critical gap in cybersecurity by offering a scalable, open-source threat-hunting platform that aligns with the growing need for robust defenses against evolving adversary techniques. The findings hold practical significance for enhancing incident response strategies and bolstering organizational resilience, paving the way for future integration with advanced threat intelligence feeds and automated detection mechanisms. This novel approach not only strengthens the security landscape but also provides a blueprint for cost-efficient, real-world applications in defending against adversary techniques designed to inhibit system recovery.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"154 ","pages":"Article 104464"},"PeriodicalIF":4.8000,"publicationDate":"2025-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Threat hunting for adversary impact inhibiting system recovery\",\"authors\":\"Naif Alsharabi , Akashdeep Bhardwaj , Abdulaziz Ayaba , Amr Jadi\",\"doi\":\"10.1016/j.cose.2025.104464\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><div>The rise of advanced cyber threats targeting critical system recovery mechanisms necessitates proactive and scalable threat-hunting solutions. This research introduces a novel methodology leveraging a Linux-based Elasticsearch server to detect adversary techniques that inhibit system recovery (T1490). By integrating Elasticsearch for centralized log storage, Kibana for dynamic visualization, and Lucene for precise query search, the proposed platform offers a cost-effective and adaptable alternative to proprietary SIEM solutions. The methodology emphasizes real-time identification of indicators of compromise (IOCs) such as shadow copy deletions, suspicious commands, and backup configuration modifications, enabling security teams to uncover adversarial behaviors before they disrupt recovery processes. Practical implementation demonstrates the platform's flexibility across diverse IT environments, accommodating logs from endpoints with varying operating systems and infrastructures. The study further highlights the adaptability of the approach, with Kibana dashboards and Lucene queries tailored to specific organizational needs, making it a versatile tool for enterprises. Additionally, the research underscores the significance of proactive detection by moving beyond traditional reactive methods, positioning organizations to address system recovery threats effectively. This work bridges a critical gap in cybersecurity by offering a scalable, open-source threat-hunting platform that aligns with the growing need for robust defenses against evolving adversary techniques. The findings hold practical significance for enhancing incident response strategies and bolstering organizational resilience, paving the way for future integration with advanced threat intelligence feeds and automated detection mechanisms. This novel approach not only strengthens the security landscape but also provides a blueprint for cost-efficient, real-world applications in defending against adversary techniques designed to inhibit system recovery.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"154 \",\"pages\":\"Article 104464\"},\"PeriodicalIF\":4.8000,\"publicationDate\":\"2025-03-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825001531\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825001531","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

针对关键系统恢复机制的高级网络威胁的兴起需要主动和可扩展的威胁搜索解决方案。本研究介绍了一种新的方法，利用基于linux的Elasticsearch服务器来检测抑制系统恢复的攻击技术（T1490）。通过集成用于集中日志存储的Elasticsearch、用于动态可视化的Kibana和用于精确查询搜索的Lucene，该平台为专有的SIEM解决方案提供了一种经济高效且适应性强的替代方案。该方法强调实时识别入侵指标（ioc），如影子副本删除、可疑命令和备份配置修改，使安全团队能够在破坏恢复过程之前发现敌对行为。实际实现证明了该平台在不同IT环境中的灵活性，可以容纳来自具有不同操作系统和基础设施的端点的日志。该研究进一步强调了该方法的适应性，Kibana仪表板和Lucene查询针对特定的组织需求量身定制，使其成为企业的通用工具。此外，该研究强调了主动检测的重要性，超越了传统的被动检测方法，使组织能够有效地解决系统恢复威胁。这项工作通过提供一个可扩展的、开源的威胁搜索平台，填补了网络安全领域的关键空白，该平台与日益增长的对不断发展的对手技术的强大防御的需求保持一致。这些发现对于增强事件响应策略和增强组织弹性具有实际意义，为未来与高级威胁情报馈送和自动检测机制的集成铺平了道路。这种新颖的方法不仅加强了安全性，而且还为经济有效的实际应用程序提供了蓝图，以防御旨在抑制系统恢复的对手技术。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Threat hunting for adversary impact inhibiting system recovery

The rise of advanced cyber threats targeting critical system recovery mechanisms necessitates proactive and scalable threat-hunting solutions. This research introduces a novel methodology leveraging a Linux-based Elasticsearch server to detect adversary techniques that inhibit system recovery (T1490). By integrating Elasticsearch for centralized log storage, Kibana for dynamic visualization, and Lucene for precise query search, the proposed platform offers a cost-effective and adaptable alternative to proprietary SIEM solutions. The methodology emphasizes real-time identification of indicators of compromise (IOCs) such as shadow copy deletions, suspicious commands, and backup configuration modifications, enabling security teams to uncover adversarial behaviors before they disrupt recovery processes. Practical implementation demonstrates the platform's flexibility across diverse IT environments, accommodating logs from endpoints with varying operating systems and infrastructures. The study further highlights the adaptability of the approach, with Kibana dashboards and Lucene queries tailored to specific organizational needs, making it a versatile tool for enterprises. Additionally, the research underscores the significance of proactive detection by moving beyond traditional reactive methods, positioning organizations to address system recovery threats effectively. This work bridges a critical gap in cybersecurity by offering a scalable, open-source threat-hunting platform that aligns with the growing need for robust defenses against evolving adversary techniques. The findings hold practical significance for enhancing incident response strategies and bolstering organizational resilience, paving the way for future integration with advanced threat intelligence feeds and automated detection mechanisms. This novel approach not only strengthens the security landscape but also provides a blueprint for cost-efficient, real-world applications in defending against adversary techniques designed to inhibit system recovery.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.