Developing an Adaptive Threat Hunting Solution: The Elasticsearch Stack (Masters Thesis)

I had the opportunity to write a Thesis for my Security Masters Program at the University of Houston (Program Website here for those interested). It was a long, but fun experience that allowed me to put my research skills to use, and pushed me to implement the ELK Stack as a potential SIEM replacement solution. I hope you find this helpful or at least get some ideas out of it to implement it at your organization.

Abstract

Organizations of all sizes are fighting the same security battles while attackers keep changing the threat landscape by developing new tools and targeting victim endpoints; however, their attack kill chain along with motives have not changed, as their attacks initialize the same way and their end goal is usually data exfiltration of Intellectual property, or credit card information. This thesis proposes and evaluates The Elasticsearch Stack solution (ELK), an enterprise-grade logging repository and search engine to provide active threat hunting in a Windows enterprise environment. The initial phases of this thesis focus on the data quality, unsupervised machine learning, and newly developed attack frameworks such as MITRE’s (ATT&CK) as prerequisites to developing the proposed solution. Lastly, by using publicly known Attack Kill Chain methodologies such as Mandiant’s, several attack use cases were developed and tested against the ELK stack to ensure that logging was adequate to cover most attack vectors.

 

The Paper may be accessible Below:
 
https://uh-ir.tdl.org/uh-ir/handle/10657/3108

 

Again, thanks for reading, and let me know if you have any questions.

 

0 0 votes
Article Rating
Subscribe
Notify of
guest
2 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
Richard
5 years ago

hi Pablo, I enjoyed reading the paper, it flows nicely and great illustrative examples; nice to see ATT&CK framework referenced. For alerting not sure if you aware of ElastAlert? it works nicely and integrated into various ops monitoring tools. On the SIEM replacement considerations, given that a key distinction from a “mere” log collection solution is correlation capability between seemingly unrelated events to identify a malicious activity; did you have any thoughts on that as part of your research? Either way, nice job!