Cyber Threat Detection and Response: Integration of Sysmon, YARA, Sliver C2, and LimaCharlie EDR to simulate and analyze ransomware/memory dump threats

Raqeeb27/CTDR

Repository files navigation

Cyber Threat Detection and Response 🛡️

This repository contains a mini-project report on "CYBER THREAT DETECTION AND RESPONSE". The project focuses on designing and implementing a comprehensive solution for real-time cyber threat detection and response within a simulated environment. It aims to provide a realistic and educational setting for cybersecurity analysts to practice detecting, analyzing, and responding to simulated cyber threats.

Introduction

In today's interconnected world, cybersecurity is a paramount concern due to the rapid evolution of digital technologies and the expansion of the attack surface for cyber threats. Threat actors exploit vulnerabilities, leading to data breaches, financial losses, and reputational damage. Traditional security measures are often insufficient against the dynamic nature of modern cyber threats. This project addresses the challenge of swiftly detecting and effectively responding to cyber threats by shifting towards dynamic and proactive detection mechanisms.

Objectives

The primary objectives of this project are:

  1. Develop a Real-Time Threat Detection and Response System: Design and implement a solution capable of identifying and neutralizing cyber threats as they emerge, utilizing advanced cybersecurity techniques like behavioral analysis, anomaly detection, and threat intelligence integration. Automated response mechanisms will be developed to mitigate identified threats.
  2. Implement Advanced Cybersecurity Techniques and Tools: Explore and deploy cutting-edge technologies to bolster digital infrastructure resilience against diverse attack vectors. This includes leveraging endpoint protection solutions, network intrusion detection systems (NIDS), Security Information and Event Management (SIEM) platforms, threat intelligence feeds, sandboxing, and machine learning.
  3. Establish a Simulated Cyber Environment: Set up a realistic environment with attacker and victim systems to simulate real-world cyber attack scenarios. This involves deploying virtualized infrastructure using hypervisor technologies like VirtualBox or VMware to emulate various computing environments. Scripted attack scenarios will simulate malware infections, phishing, ransomware, and Advanced Persistent Threats (APTs).
  4. Evaluate the Effectiveness of the System: Conduct rigorous testing against a wide range of cyber threats, measuring performance in terms of detection accuracy, false positive rates, response time, and overall effectiveness.
  5. Provide Insights into Best Practices: Document and share insights gained from the project to inform cybersecurity practitioners and organizations about emerging cyber threats and effective defense strategies.

Scope

This project focuses on the development and implementation of a real-time threat detection and response framework for modern computing environments. The key components include:

  • Setting up a Simulated Cyber Environment: Using virtualization technologies (VirtualBox or VMware) to create attacker and victim systems, configuring VMs to emulate diverse environments.
  • Leveraging Open-Source Cybersecurity Tools and Frameworks: Utilizing tools such as the Sliver C2 framework, Sysmon, LimaCharlie EDR, and YARA for threat detection and response.
  • Conducting Cyber Attack Simulations: Executing various simulations like lsass.exe memory dump attacks, ransomware attacks, phishing campaigns, and APTs.
  • Assessing Efficacy of Detection and Response Mechanisms: Evaluating performance based on detection accuracy, false positive rates, response time, and overall effectiveness.
  • Providing Documentation and Guidelines: Documenting methodology, architecture, implementation details, and findings, along with user guides and tutorials.

Methodology

The project systematically develops, tests, and evaluates the real-time threat detection and response framework through several stages:

  1. Setup and Configuration: Establishing the necessary infrastructure using VirtualBox/VMware for attacker and victim systems, and installing/configuring cybersecurity tools like Sliver C2, Sysmon, LimaCharlie EDR, and YARA.
  2. Attack Simulation: Conducting cyber attack simulations (e.g., lsass.exe memory dump, ransomware) within the simulated environment using the Sliver C2 framework to generate security events and telemetry data.
  3. Threat Detection: Implementing detection mechanisms using behavioral analysis, signature-based detection, and anomaly detection techniques with Sysmon, LimaCharlie EDR, and YARA to monitor and analyze security events in real-time.
  4. Threat Response: Developing automated response mechanisms (e.g., blocking malicious processes, isolating compromised systems, alerting security personnel) to mitigate detected threats.
  5. Evaluation and Validation: Assessing the system's effectiveness and efficiency through extensive testing against known attack scenarios and benchmarks, evaluating key performance metrics.

Key Technologies and Tools

The project leverages a variety of tools and technologies:

  • VirtualBox/VMware: For setting up virtual machines to simulate attacker and victim systems.
  • Sliver C2 Framework: Used for command and control (C2) operations and adversarial simulation.
  • Sysmon (System Monitor): For advanced endpoint monitoring and logging critical system activities.
  • LimaCharlie EDR (Endpoint Detection and Response): A comprehensive security platform for cross-platform EDR, log shipping, and threat detection.
  • YARA: For malware identification and analysis, used for automated scanning based on predefined signatures.
  • Ubuntu Server (Attacker VM): A lightweight, command-line (CLI) focused environment suited to server applications such as the Sliver C2 server.
  • Windows 11 (Victim VM): The target system vulnerable to simulated cyber attacks.
  • SSH Client: For remote access to the Ubuntu VM from the host system.

Simulated Environment

The project establishes a simulated environment consisting of two virtual machines:

  • Attacker VM: An Ubuntu Linux machine used to initiate simulated cyber attacks with the Sliver C2 framework.
  • Victim VM: A Windows 11 virtual machine that is compromised and monitored for threats.

Both VMs are assigned static IP addresses so that the attacker and victim can reach each other reliably.

Attack Scenarios

The project simulates various cyber attack scenarios to evaluate the effectiveness of the detection and response mechanisms:

  • lsass.exe memory dump attacks.
  • Ransomware attacks.
  • Phishing campaigns.
  • Advanced Persistent Threats (APTs).

Detection and Response Mechanisms

Threat detection and response are facilitated by:

  • LimaCharlie EDR: Monitors system logs, detects threats, and triggers predefined response rules on the victim machine.
  • D&R (Detection and Response) Rules: User-defined rules that match specific threat scenarios and trigger automated responses when they fire.
  • YARA Scanning: Automated scanning identifies malware based on predefined signatures, with D&R rules triggering actions upon detection.
  • Behavioral Analysis: Identifies deviations from normal behavior patterns for detecting unknown and emerging threats.
  • Signature-Based Detection: Identifies known threats by comparing patterns against a database of known malware signatures.
  • Threat Intelligence Integration: Incorporates external threat feeds and intelligence reports to enhance detection capabilities.
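As an added example (not code from this project), the decision a D&R rule for the lsass.exe memory-dump scenario has to make, written as a Python check over Sysmon Event ID 10 (ProcessAccess) records: flag any process outside a baseline allowlist that opens lsass.exe with the memory-read right. The allowlist and the three sample events are constructed assumptions, not telemetry from the project's lab.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PROCESS_VM_READ = 0x0010  # access right a dumper needs to read lsass memory

# Processes that routinely open lsass on Windows; an assumed baseline, tune per VM.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
}

def parse_sysmon_event(xml_text):
    """Return EventID plus the EventData fields of one Sysmon event as a dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    return fields

def is_lsass_dump_attempt(ev):
    """True when a non-allowlisted process opens lsass.exe with memory-read rights."""
    if ev["EventID"] != 10:  # Sysmon ProcessAccess
        return False
    if not ev.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if ev.get("SourceImage", "").lower() in ALLOWLIST:
        return False
    granted = int(ev.get("GrantedAccess", "0x0"), 16)  # Sysmon logs a hex access mask
    return bool(granted & PROCESS_VM_READ)

def scan(xml_events):
    """Return the SourceImage of every event that looks like an lsass dump."""
    return [ev["SourceImage"] for ev in map(parse_sysmon_event, xml_events)
            if is_lsass_dump_attempt(ev)]

def make_event(event_id, source, target, access):
    """Build a constructed Sysmon-style event (sample data, not real telemetry)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SourceImage">{source}</Data>'
            f'<Data Name="TargetImage">{target}</Data>'
            f'<Data Name="GrantedAccess">{access}</Data></EventData></Event>')

# Constructed samples: a dumper with full access, a baseline svchost open, and an
# unknown process that only queried lsass without the memory-read right.
SAMPLE_EVENTS = [
    make_event(10, r"C:\Users\victim\Downloads\payload.exe", r"C:\Windows\system32\lsass.exe", "0x1FFFFF"),
    make_event(10, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\lsass.exe", "0x1010"),
    make_event(10, r"C:\Program Files\Tool\tool.exe", r"C:\Windows\system32\lsass.exe", "0x1000"),
]
```

Only the first sample is reported; the same three conditions (target, source baseline, access mask) are what the corresponding LimaCharlie rule encodes, so tuning the allowlist against the victim VM's normal activity is what keeps the false-positive rate measured in the evaluation stage low.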

Setup Guide (High-Level)

Before proceeding with the setup, ensure your system meets the following prerequisites:

  • Minimum System Requirements: At least 8 GB of RAM (16 GB or more recommended).
  • Disk Space: Approximately 80-100 GB of storage space.
  • Virtualization Enabled: Ensure virtualization is enabled in your system's BIOS settings.
  • VirtualBox Installed: Download VirtualBox from its official website.
  • Ubuntu and Windows 11 ISOs: Have the ISO files for Ubuntu Server (for Attacker VM) and Windows 11 (for Victim VM) ready.

General Setup Steps:

  1. Virtual Machine Setup: Create and configure both Ubuntu Attacker and Windows 11 Victim VMs in VirtualBox.
  2. Network Configuration: Configure static IP addresses for both VMs to ensure network connectivity.
  3. SSH Client Access (for Ubuntu Attacker VM): Install and enable SSH client on your host machine and copy the public key to the Ubuntu VM for passwordless authentication.
  4. Disable Windows Defender: Permanently disable Microsoft Defender on the Windows 11 Victim VM to prevent interference with cybersecurity activities.
  5. Configure Sysmon: Install and configure Sysmon with a pre-configured configuration (e.g., SwiftOnSecurity's) on the Windows 11 Victim VM for enhanced system monitoring.
  6. Install LimaCharlie EDR Sensor: Sign up for LimaCharlie, create an organization, add a sensor for Windows 11, and install it on the Victim VM. Configure LimaCharlie to ship Sysmon event logs.
  7. Setup Attack System (Ubuntu VM): Access the Ubuntu VM via SSH, download and configure the Sliver C2 server binary, granting executable permissions.
  8. Detection and Response Rule Design: Design and implement detection and response rules within the LimaCharlie EDR platform based on known attack patterns and IOCs. Integrate YARA signatures for malware identification.

Acknowledgements

This mini-project report was submitted to Osmania University, Hyderabad, in partial fulfillment of the requirements for the award of Bachelor of Engineering in Computer Science and Engineering (IOT, CS, BCT).

Submitted by:

  • Abdul Samad
  • Mohammed Abdul Raqeeb
  • Mohammed FasiUddin Arsalaan
