POTENTIAL DISGUISING ATTACK VECTORS ON SECURITY OPERATION CENTERS AND SIEM SYSTEMS
DOI:
https://doi.org/10.28925/2663-4023.2021.14.614Keywords:
Security Operation Center; SIEM; Evasion; Disguise; Monitoring; Defense evasion; Adversary tacticsAbstract
In this article we highlight several potential vectors of attacks that can be carried out on a monitoring capacities powered by SOC SIEM using its common features and misconfigurations. Widely spread problems like excessive amounts of false positive alerts or not absolutely accurate configuration of the correlation rules may lead to situation where an attacker is able to trigger an undesired state of the monitoring system. We’ve find three potential vectors for evasion the SIEM powered SOCs monitoring. The first vector grounds on mechanisms used to collect event data – log collectors: the malfunctioning SIEM state can be achieved with generating and submitting the bogus event data to the processing party like SIEM. Fake data flow may cause generation of mistaken alerts which can confuse the analytics stuff. The second vector employs some of the attacker’s knowledge about actual SIEM configuration – exploitation of correlation rule flaws. Taking into account the fact that correlation rules are mostly hand-written, they are prone to some logic flaws – certain detection rules may not be triggered by all of the malicious attack indicators. An attacker with knowledge about that feature may fulfill the unrecorded conditions and trick the SIEM to treat the attack flow as benign activity. The last researched vector is based on redundantly sensitive detection rules which produce a lot of false positive alarms but are not removed. An attacker may trigger the malfunctioning alarm continuously to distract the analytics stuff and perform its actions under the cover of noise. Those discussed vectors are derived from analysis of the actual SIEM installations and SOC processes used as best practices. We have no actual indicators that those attacks are carried out “in wild” at the moment of issuing of this article, but it is highly probable that those tactics may be used in the future. The purpose of this research is to highlight the possible risks for the security operation centers connected with actual processes and practices used in industry and to develop the remediation strategy in perspective.
Downloads
References
Butler, M. (2009). Benchmarking Security Information Event Management (SIEM). SANS.
(2019). The impact of security alert overload. CriticalStart.
Swift, D. (2010). Successful SIEM and log management strategies for audit and compliance. SANS.
Sacher, D. (2020). Fingerpointing false positives. Digital Threats: Research and Practice, 1(1), 1–7. https://doi.org/10.1145/3370084
2014 SIEM Efficiency Report. (2014). Netwrix.
Hardening siem solutions. (2019). NSA
The critical elements of improving the effectiveness of a security operation center. (2021). SecureOps.
Zimmerman, C. (2014). Ten Strategies of a World-Class Cybersecurity Operations Center. Bedford.
Bojana Vilendečić, Ratko Dejanović & Predrag Ćurić. (2017). The impact of human factors in the implementation of SIEM systems. J. Of Electrical Engineering, 5(4). https://doi.org/10.17265/2328-2223/2017.04.004
Improving the Effectiveness of the Security Operations Center. (2019). Ponemon Institute LLC.
Vielberth, M., Bohm, F., Fichtinger, I., & Pernul, G. (2020). Security Operations Center: A Systematic Study and Open Challenges. IEEE Access, 8, 227756–227779. https://doi.org/10.1109/access.2020.3045514
Attacking SIEM with Fake Logs -. (2020). LetsDefend Blog. https://letsdefend.io/blog/attacking-siem-with-fake-logs/
