Threat Hunting Using GRR Rapid Response

Rasheed, Hussein; Hadi, Ali; Khader, Mariam

doi:10.1109/ictcs.2017.22

Cited by 21 publications

(13 citation statements)

References 1 publication

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Reference [12] created memory corruption and persistent attacks using Metasploit on GRR clients and responded to them using GRR's hunt functionality (i.e., GRRScanMemoryHunt, NetworkStatusHunt, GRRRegistryFinderHunt). Using GRR's cronjob, hunt tasks were scheduled, and memory, network status, and Windows registry-key analysis were performed, resulting in a welldocumented analysis of the limitations of slow detection caused by the hunt cycle taking a long time (~5-10 min).…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

et al. 2022

View full text Add to dashboard Cite

Detecting the latest advanced persistent threats (APTs) using conventional information protection systems is a challenging task. Although various systems have been employed to detect such attacks, they are limited by their respective operating systems. Furthermore, they are developed as closed platforms and cannot be customized to meet user environments. To overcome these limitations, open-source endpoint detection and response (EDR) techniques are needed. In this study, we construct one that integrates opensource security frameworks combining GRR (Google Rapid Response) and osquery. A threat-detecting case study is conducted to validate the feasibility of the proposed open-source EDR system. Additionally, APT coverage for the proposed EDR system is analyzed using MITRE's Adversarial Tactics, Techniques, and Common Knowledge model. The assessment result shows that APT tactics having high levels of threat detection using non-customized osquery configurations comprise 28.5 % of all detections, which is lower than the other response levels. The performance of open-source EDR can be increased by customizing osquery for specific purposes and environments. Open-source EDR combining GRR and osquery has the potential to provide the detection-coverage efficient threat detection system and has the advantage of flexible integration with other applications; it can also be developed for evolving system environments such as cloud and internet of things.INDEX TERMS advanced persistent threat, behavior-based detection, cyber-attack, detection criteria, remote live forensics, open source based EDR.

show abstract

Section: Related Workmentioning

confidence: 99%

“…This way, the GRR can resolve resource-hogging issues. Flows can be done on thousands of Contribution Limitation [12] Responded to memory corruption and persistent attacks using GRR hunt functionality.…”

Section: A Grrmentioning

confidence: 99%

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

et al. 2022

View full text Add to dashboard Cite

show abstract

“…The research in [25] discussed about using Grr Rapid Response on hunting threat activities on computer networks before an accident happen. The experiment is carried out by exploiting the client's remote code by configuring the rear door of the victim system.…”

Section: B Grr Rapid Response Frameworkmentioning

confidence: 99%

Forensic Analysis of Docker Swarm Cluster using Grr Rapid Response Framework

Sunardi¹,

Riadi²,

Sugandi³

2019

ijacsa

View full text Add to dashboard Cite

An attack on Internet network does not only happened in the web applications that are running natively by a web server under operating system, but also web applications that are running inside container. The currently popular container machines such as Docker is not always secure from Internet attacks which result in disabling servers that are attacked using DoS/DDoS. Therefore, to improve server performance running this web application and provides the application log, DevOps engineer builds advance method by transforming the system into a cluster computers. Currently this method can be easily implemented using Docker Swarm. This research has successfully investigated digital evidence on the log file of containerized web application running on cluster system built by Docker Swarm. This investigation was carried out by using the Grr Rapid Response (GRR) framework.

show abstract

“…Client GRR secara periodik akan melakukan request pada server frontend Grr untuk menjalankan sebuah aksi tertentu berupa flows. Server Grr merupakan infrastruktur yang terdiri dari komponen Frontend, Worker, Server UI dengan antarmuka berbasis Web, dan sebuah endpoint Application Programming Interface (API) yang memungkinkan investigator forensik untuk dapat menjadwalkan aksi-aksi yang ingin dijalankan oleh client Grr untuk menampilkan dan melakukan pemrosesan terhadap artefak digital yang dikumpulkan (Rasheed, Hadi, & Khader, 2017). Grr dapat bekerja secara berskala sehingga investigator forensik dapat secara efektif melakukan akuisisi dan pemrosesan data yang berasal dari banyak komputer atau client Grr.…”

Section: Gambar 1 Frekuensi Serangan Komputer 12 Bulan Terakhirunclassified

Analisis Forensik Solid State Drive (SSD) Menggunakan Framework Rapid Response

Nasrulloh¹,

Sunardi

Riadi

2019

JTIIK

View full text Add to dashboard Cite

Teknologi komputer pada empat tahun terahir ini mengalami perkembangan yang pesat. Bersamaan dengan itu juga berdampak negatif salah satunya adalah berupa kejahatan komputer. Kejahatan komputer akan meninggalkan jejak aktivitas kejahatan, maka perlu dilakukan analisa dengan ilmu dan metode forensik untuk mendapatkan barang bukti. Bagaimana jika terjadi kejahatan komputer pada media penyimpanan komputer berjenis non-volatile memory dan dilakukan secara live forensik. Pada penelitian ini dilakukan proses forensik pada Solid State Drive (SSD) dengan framework Grr Rapid Response pada kasus kehilangan data (lost data) suatu organisasi. Langkah kerja forensik mengimplementasikan dari National Institute of Standards Technology (NIST). Framework Grr Rapid Response digunakan untuk memberikan tanggapan terhadap insiden forensik digital yang difokuskan pada lingkungan forensik jarak jauh, framework ini berbasis arsitektur client server. Hasil penelitian ini menunjukkan langkah kerja forensik NIST dapat diimplementasikan pada proses pengambilan bukti digital dengan metode akuisisi secara live forensik, kemampuan tool forensik pada proses eksaminasi Grr Rapid Response pada Workstation (Client Grr) dengan media simpan SSD, bukti digital dapat ditemukan dan dikembalikan. Bukti digital yang dapat dikembalikan berupa file dokumen, dan hasil validasi pada bukti digital tersebut memiliki nilai hash yang sama dari dua algoritma validasi bukti digital yang diimplementasikan, MD5 dan SHA-1. Sehingga hasil integritas dari dokumen tersebut menunjukkan bahwa bukti digital tersebut identik. AbstractComputer technology in the last four years has experienced rapid development. At the same time, it also has a negative impact, one of which is a computer crime. Computer crime will leave traces of criminal activity, so it is necessary to analyze with forensic science and methods to obtain evidence. What if there is a computer crime on a computer storage medium of a type of non-volatile memory and carried out live forensics In this study a forensic process on Solid State Drive (SSD) was carried out with the Grr Rapid Response framework for lost data in an organization. The forensic work step is implemented from the National Institute of Standards Technology (NIST). The Grr Rapid Response Framework is used to provide responses to incidents of digital forensics focused on remote forensic environments, this framework is based on a client server architecture. The results of this study indicate that NIST's forensic work steps can be implemented in the process of taking digital evidence with live forensic acquisition methods, the ability of forensic tools in the Grr Rapid Response examination process on Workstations (Client Grr) with SSD storage media, digital evidence can be found and returned. Digital evidence that can be returned is a document file, and the results of the validation of digital evidence have the same hash value from the two digital proof validation algorithms implemented, MD5 and SHA-1. So the results of the integrity of the document so that the digital evidence is identical.

show abstract

Threat Hunting Using GRR Rapid Response

Cited by 21 publications

References 1 publication

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

Forensic Analysis of Docker Swarm Cluster using Grr Rapid Response Framework

Analisis Forensik Solid State Drive (SSD) Menggunakan Framework Rapid Response

Contact Info

Product

Resources

About