Real-Time Forensics Through Endpoint Visibility

Kieseberg, Peter; Neuner, Sebastian; Schrittwieser, Sebastian; Schmiedecker, Martin; Weippl, Edgar

doi:10.1007/978-3-319-73697-6_2

Cited by 7 publications

(4 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, the real-world environment was not sufficiently considered in the log reduction algorithm, wherein all threat alerts were assumed to be reduced by the default EDR tool. Kieseberg et al [15] compared the features and functions of Google's GRR, Facebook's osquery, and Mozilla's InvestiGator, representative remote live forensic solutions of Google, Facebook, and Mozilla, respectively, and analyzed whether these programs accurately detected malicious programs. These companies routinely check thousands of computers.…”

Section: Detection Of Cyberattacks By Using Threat Detectorsmentioning

confidence: 99%

“…In this section, the capability and performance of various commercial open-source threat detection systems were analyzed. The main open-source threat detectors considered were open-source host intrusion detection system (HIDS) security (OSSEC), TheHive, and Whids [21], which were analyzed by using Kieseberg et al's comparison metrics [15].…”

Section: Open-source Threat Detector Analysismentioning

confidence: 99%

See 1 more Smart Citation

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Jeon¹,

Lee²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and teleeducation are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of a sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that conventional methods.

show abstract

Section: Detection Of Cyberattacks By Using Threat Detectorsmentioning

confidence: 99%

Section: Open-source Threat Detector Analysismentioning

confidence: 99%

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Jeon¹,

Lee²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

show abstract

“…During this period, attackers had enough time to complete their attacks and cover their tracks. Furthermore, [13] described the system structure and functionality of GRR, osquery, and Mozilla InvestiGator, comparing their performances by establishing representative features that were successfully handled. Although both studies suggest the limitations of EDR, there is a limitation in that they do not specifically address the solution.…”

Section: Related Workmentioning

confidence: 99%

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

et al. 2022

View full text Add to dashboard Cite

Detecting the latest advanced persistent threats (APTs) using conventional information protection systems is a challenging task. Although various systems have been employed to detect such attacks, they are limited by their respective operating systems. Furthermore, they are developed as closed platforms and cannot be customized to meet user environments. To overcome these limitations, open-source endpoint detection and response (EDR) techniques are needed. In this study, we construct one that integrates opensource security frameworks combining GRR (Google Rapid Response) and osquery. A threat-detecting case study is conducted to validate the feasibility of the proposed open-source EDR system. Additionally, APT coverage for the proposed EDR system is analyzed using MITRE's Adversarial Tactics, Techniques, and Common Knowledge model. The assessment result shows that APT tactics having high levels of threat detection using non-customized osquery configurations comprise 28.5 % of all detections, which is lower than the other response levels. The performance of open-source EDR can be increased by customizing osquery for specific purposes and environments. Open-source EDR combining GRR and osquery has the potential to provide the detection-coverage efficient threat detection system and has the advantage of flexible integration with other applications; it can also be developed for evolving system environments such as cloud and internet of things.INDEX TERMS advanced persistent threat, behavior-based detection, cyber-attack, detection criteria, remote live forensics, open source based EDR.

show abstract

“…Further to proposing a cognitive approach to watchlist screening, this paper addresses H-M and M-M interactions in the form of an e-interviewer. The biometricenabled watchlist as a part of cognitive checkpoint is closely related to forensics [40], [44], [50] and cyberphysical forensics [43].…”

Section: Generic Trends As a Summarymentioning

confidence: 99%