dnif-archive/SOC18-genesis

Project Description

Genesis is a 'DNIF Open Source' project which aims to exhibit, in detail, the process of ingesting large volumes of real-time data into DNIF, performing operations on it and generating alerts. DNIF also serves as an analytics tool, letting us query our data for a specific item or chain of events. The main objective of this project is to work on a real-time dataset: parse the data, store it in the DNIF platform, perform analysis and provide the users with the result in the form of a dashboard.

Roadmap-Team Genesis

Please refer to https://github.com/dnif/SOC18-genesis/wiki for a detailed, step-by-step account of the process carried out during each phase of the project.

Contents

• PHASE 1
• PHASE 2
  • Choose a real-time data-set (csv, excel or json) or fetch it using web-scraping code [CODE Explanation]
    • Static (Postman)
    • Dynamic (Code Used)


Selection of the Datasource

The datasource was chosen after thorough discussion and with real-world test cases in mind. Upon discussion we came to understand that, among the many types of attack in the present cyberworld, bruteforce attacks / dictionary attacks are one of the most troublesome. Hence, we have chosen the datasource http://bruteforcers.net as our database. This datasource simply provides data on the bruteforce attacks which have been made against a specific network.

Bruteforce

Need

Rapid communication of threats, attacks and cyber security alerts helps to quickly detect, respond to and contain cyber-attacks. In-depth analysis can also be performed on the attacks and vulnerabilities to prevent future attacks and provide a solution.

Detecting Brute Force Attacks

Brute force attacks are difficult to stop, but they aren’t difficult to spot. Some of the methods to detect the attacks are as follows:

• Each failed login attempt records an HTTP 401 status code, so monitoring log files can let you know if you're under attack.
• Several failed login attempts from the same IP address
• Logins with multiple username attempts from the same IP address
• Logins for a single account from many different IP addresses
• Failed login attempts from alphabetically sequential usernames and passwords
• Logins with a referring URL of someone's mail
• Excessive bandwidth consumption over the course of a single session
• A large number of authentication failures
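The following Python is an added example (not code from the Genesis repository) that applies three of the indicators above to web-server log lines: it keeps only HTTP 401 responses and then flags many failures from one IP, many usernames from one IP, and one account tried from many IPs. The log lines are constructed, and the `user=` query parameter is an assumption about how the login form is logged.

```python
import re
from collections import defaultdict

# Constructed sample web-server log lines in common log format (not real traffic);
# the username in the query string is an assumption about how the app logs logins.
SAMPLE_LOG = """\
10.0.0.5 - - [18/May/2018:10:01:02 +0000] "POST /wp-login.php?user=admin HTTP/1.1" 401 512
10.0.0.5 - - [18/May/2018:10:01:03 +0000] "POST /wp-login.php?user=root HTTP/1.1" 401 512
10.0.0.5 - - [18/May/2018:10:01:04 +0000] "POST /wp-login.php?user=test HTTP/1.1" 401 512
10.0.0.5 - - [18/May/2018:10:01:05 +0000] "POST /wp-login.php?user=guest HTTP/1.1" 401 512
10.0.0.5 - - [18/May/2018:10:01:06 +0000] "POST /wp-login.php?user=admin HTTP/1.1" 401 512
10.0.0.7 - - [18/May/2018:10:02:00 +0000] "POST /wp-login.php?user=alice HTTP/1.1" 401 512
10.0.0.8 - - [18/May/2018:10:02:01 +0000] "POST /wp-login.php?user=alice HTTP/1.1" 401 512
10.0.0.9 - - [18/May/2018:10:02:02 +0000] "POST /wp-login.php?user=alice HTTP/1.1" 401 512
10.0.0.9 - - [18/May/2018:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
USER_RE = re.compile(r'[?&]user=([^&\s]+)')


def parse(log_text):
    """Return (ip, username) for every failed login, i.e. every HTTP 401 line."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("status") != "401":
            continue
        user = USER_RE.search(m.group("path"))
        failures.append((m.group("ip"), user.group(1) if user else None))
    return failures


def detect(log_text, max_failures=5, max_users_per_ip=3, max_ips_per_user=3):
    """Apply three of the indicators listed above and return sorted alert tuples."""
    failures_by_ip = defaultdict(int)
    users_by_ip = defaultdict(set)
    ips_by_user = defaultdict(set)
    for ip, user in parse(log_text):
        failures_by_ip[ip] += 1          # many failed attempts from one IP
        if user:
            users_by_ip[ip].add(user)    # many usernames tried from one IP
            ips_by_user[user].add(ip)    # one account tried from many IPs
    alerts = [("many_failures", ip, n) for ip, n in failures_by_ip.items() if n >= max_failures]
    alerts += [("many_usernames", ip, len(u)) for ip, u in users_by_ip.items() if len(u) >= max_users_per_ip]
    alerts += [("many_sources", user, len(i)) for user, i in ips_by_user.items() if len(i) >= max_ips_per_user]
    return sorted(alerts)
```

The thresholds are parameters so they can be tuned to the site's normal failure rate; the 200 response in the sample is ignored because only 401s count as failed logins.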

Prevention Methods

The simplest defense against Brute Force attacks is to maintain cyber hygiene:

• Users should have complex passwords that are long and use a combination of letters, special characters, numbers and upper- and lower-case letters.

From an IT perspective, prevention measures include:

• Locking a login page for a certain amount of time after failed logins,
• Extending the time between two logins when a wrong password is entered,
• Two-factor authentication,
• Using CAPTCHA to prevent automated attacks,
• Locking out an IP address with multiple failed logins,
• Using the observed pattern of attacks to allocate control-based resources accordingly, so as to avoid further attempts,
• Implementing a web-application-based and multi-layered firewall, which would help to avoid such attacks.

Though these steps may hinder some attacks, for persistent hackers they may just slow down their efforts, not stop them. More sophisticated hackers, particularly those using botnets, can circumvent some of these measures. In fact, some prevention methods, such as locking accounts, can backfire: perpetrators can abuse the security measure to lock out hundreds of user accounts and launch a denial of service (DoS) attack.

While not all cyber attacks can be thwarted, we can make it more difficult for attackers to follow through with malicious activity.

Hence we can conclude that the best way to detect a bruteforce attack is through proper analysis, combined with user sensitivity and attentiveness towards cyber hygiene.

Platform

As mentioned earlier, the project is based on the DNIF platform. The platform has certain dependencies and requires certain other tools, as below:

• Virtual Box
• JetBrains: PyCharm Community Edition
• Ubuntu 16.04 or above
• Docker

Tools

All kinds of tools for parsing, creating and editing can be used for Threat Intelligence. In this project we used simple Python-based code to parse the data out of the data source, which let us use Python libraries such as Beautiful Soup version 4.0. Using the same code we were also free to store the data in the required format, i.e. xls/json/csv, and then post it to the platform used (DNIF). For posting the data we also used tools like Postman to POST the data, while implementing the same functionality in code in parallel.

Identification of Key Indicators for the selected Dataset

Key Indicators

| Sr No. | Key Indicator | Description |
|---|---|---|
| 1. | Internal ID | Unique identifier for each bruteforce attack in the network, originating from a given IP address at a specific location. |
| 2. | Date | Current date of the originating attack. |
| 3. | IP Address | Source IP address of the identified attack on the network. |
| 4. | Type | Type of the server in the network. |
| 5. | Country | Country from which the attack originated. |
| 6. | Organization | Organization from which the attack originated. |

Analysis

Using this Repository and Set up

  1. Install the DNIF package. Follow the steps from here.
  2. Clone the repository using the following command:

     git clone https://github.com/dnif/SOC18-genesis.git Genesis_Bruteforce

  3. Open the location of the file:

a. For replicating a Static Dataset (at an instance of time):

  cd Genesis_Bruteforce\Static

Run the python file:

  python BruteForceStatic.py

Follow the steps to post the local dataset.

b. For getting a Dynamic Dataset:

  cd Genesis_Bruteforce\Dynamic

Change the IP address in the POST section of the code. The original posted the `out` dict as form data (and twice); the request below sends it once as a JSON body with the matching content-type header:

```python
# code to POST command
import json
import requests

headers = {'content-type': 'application/json'}
url = 'http://<IP Address>/json/receive'   # replace <IP Address> with the DNIF host
data = json.dumps(out)                      # `out` is the parsed record list built earlier in the script
r = requests.post(url, data=data, headers=headers)
r.raise_for_status()                        # fail loudly if DNIF rejects the upload
```

Run the python file:

  python BruteForceDynamic.py

  4. Check the analysis by running the following DQLs. Refer here for using DQLs.

Analysis using DQL and Dashboard

1. Analysis according to Country

Query Used

_fetch * from bruteforcenew limit 1000 >>_aggcount_unique $Country


According to this report we can identify the origin of the attacks and build a more preventive environment. From the report, Brazil is the origin of most attacks, so if a request from that location arrives on the network we divert it to a reCAPTCHA page to examine whether the request is automated; if it is, it is blocked. The top 5 countries on the list are diverted to this preventive environment.

2. Analysis according to Organisation for attacks using the Wordpress script

Query Used

_fetch * from bruteforcenew where $Type=Wordpress limit 100 >>_aggcount_unique $Organization


From this report we can establish from which organization most Wordpress brute force script attacks occur. If a request from one of the top 10 organisations comes in, it is blocked or taken to the preventive environment (reCAPTCHA) in order to mitigate the attack. If an organization continuously increases its attacks, then all requests from that website are blocked until the matter is resolved.

3. Analysis of attack density from a region

Query Used

_fetch * from bruteforcenew limit 100 >>_aggcount_unique $Country

Chart Type : Geo Map

Country_CodeFields : $Country

Value :Count_Unique


From the above data we can conclude the region from which most attacks originate, so requests from South Asia and from South and North America are more likely to be monitored and sent through the reCAPTCHA page than requests originating from the Oceania region. A multilayer firewall is applied to requests originating from risky locations.

4. Analysis of SSH brute force attacks from a country on a specific date

Query Used

_fetch * from bruteforcenew where Date=18-05-2018 AND $Type=SSH limit 1000 >>_aggcount_unique $Country

Pie Chart


This data allows us to analyse the amount of SSH attacks originating from a particular country on a specific date. From this data we can block all requests originating from China on 18/05/2018, as 9 brute force SSH attacks happened on 18/05/2018 alone, so all requests originating from China would be blocked until further preventions are taken. Requests originating from the U.S.A. are diverted to the reCAPTCHA page to detect automated or script attacks.

5. Most attacks originating from an Organisation

Query Used

_fetch * from bruteforcenew limit 1000 >> _agg max $Organisation

Result: netvision


From this data we determine which Organisation generates the most brute force attacks, so that we can block all requests originating from that Organisation.

6. Most attacks originating from a Country

Query Used

_fetch * from bruteforcenew limit 100 >> _agg max $Country


Result : n/a


From the above data we can determine which country produces the most attacks, from which we can block every request originating from that country or apply preventive measures like a multilayer firewall and a reCAPTCHA test to detect automated attacks.

7. Analysing attacks originated from a specific IP Address

Query used

_fetch $IPAddress , $Country , $Organization from bruteforcenew where $Country=India AND $Type=Wordpress AND $Date=18-05-2018 limit 100>>_aggcount_unique $IPAddress , $Organization


From this data we can examine each IP address and the amount of attacks it generates, so that the IP addresses generating the most attacks can be blocked and strictly prohibited from any further connection. From the above data we can see that 223.189.229.208 is from the Airtel organisation.

8. Analysing attacks according to type

Query used

_fetch * from bruteforcenew limit 1000>>_aggcount_unique $Type


From this information we can examine which brute force attack types happen and in what amount. From this we can conclude that the WORDPRESS type has the most attacks, and can set up mitigation techniques like reCAPTCHA and a multilayered firewall to block requests of this kind, as well as create new techniques to mitigate it.

9. Analysis of the most frequent type of attack on a day

Query Used

_fetch * from bruteforcenew limit 1000 >>_aggcount_unique $Date,$Type


From this information we can determine the type of attack that happened on a specific date and, according to that, build a model to predict which type of attack is most likely to happen on a specific date using time series analysis.
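As an added example (not code from the Genesis repository), the following Python reproduces the grouping that the DQL queries in analyses 1, 4, 7 and 8 express, over constructed records shaped like the key indicators. The semantics assumed for `_fetch * from bruteforcenew where ... limit N` and `>>_aggcount_unique $F1,$F2` (filter on equality, cap at the limit, then count rows per distinct value combination) are an assumption, and `top_countries` implements the top-5 diversion rule from analysis 1.

```python
from collections import Counter

# Constructed sample records shaped like the dataset's key indicators (not real data).
FIELDS = ("InternalID", "Date", "IPAddress", "Type", "Country", "Organization")
RAW = [
    (1, "18-05-2018", "203.0.113.10", "SSH", "China", "org-a"),
    (2, "18-05-2018", "203.0.113.11", "SSH", "China", "org-a"),
    (3, "18-05-2018", "223.189.229.208", "Wordpress", "India", "Airtel"),
    (4, "18-05-2018", "223.189.229.208", "Wordpress", "India", "Airtel"),
    (5, "17-05-2018", "198.51.100.5", "Wordpress", "Brazil", "org-b"),
    (6, "18-05-2018", "198.51.100.9", "SSH", "U.S.A.", "org-c"),
    (7, "18-05-2018", "198.51.100.6", "Wordpress", "Brazil", "org-b"),
    (8, "18-05-2018", "198.51.100.7", "Wordpress", "Brazil", "netvision"),
]
RECORDS = [dict(zip(FIELDS, row)) for row in RAW]


def fetch(records, where=None, limit=1000):
    """Assumed semantics of `_fetch * from bruteforcenew where ... limit N`:
    keep rows whose fields equal every `where` value, then cap at `limit`."""
    where = where or {}
    rows = [r for r in records if all(r.get(k) == v for k, v in where.items())]
    return rows[:limit]


def count_unique(rows, *fields):
    """Assumed semantics of `>>_aggcount_unique $F1,$F2`: rows per distinct combination."""
    return Counter(tuple(r[f] for f in fields) for r in rows)


def top_countries(records, n=5):
    """Analysis 1's rule: the top-n attacking countries are diverted to reCAPTCHA."""
    counts = count_unique(fetch(records), "Country")
    return [country for (country,), _ in counts.most_common(n)]


if __name__ == "__main__":
    # Analysis 4: SSH attacks per country on 18-05-2018.
    print(count_unique(fetch(RECORDS, {"Date": "18-05-2018", "Type": "SSH"}), "Country"))
    # Analysis 7: Wordpress attacks from India on 18-05-2018, per IP and organisation.
    print(count_unique(fetch(RECORDS, {"Country": "India", "Type": "Wordpress",
                                       "Date": "18-05-2018"}), "IPAddress", "Organization"))
    print(top_countries(RECORDS))
```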

About

Summer Of Code (SOC) - 2018, Genesis.
