Performance Evaluation Elastic Security as Open Source Endpoint Detection and Response for Advanced Persistent Threat Cyberattack

DOI: https://doi.org/10.62146/ijecbe.v2i2.49

Keywords:

evaluation, elastic security, advanced persistent threat, endpoint detection and response, opensource

Abstract

Detecting advanced persistent threats (APTs) with conventional information protection systems is difficult. Signature-based tools such as antivirus rely on predefined signature rules to identify malware, so in scenarios such as zero-day attacks, where the malware signature is unknown, detection becomes unreliable. Endpoint detection and response (EDR) has traditionally also hinged on signature-based rules, but recent products integrate machine learning techniques to improve detection. In this study, we evaluated an open-source EDR, specifically Elastic Security, for APT detection. APT attack vectors were simulated using the Caldera platform, and the evaluation validated each attack vector sent by Caldera against the detection alerts generated by Elastic Security. The detection outcomes fell into three categories: alerts detected according to predefined rules, attack vectors not detected despite predefined rules, and attack vectors not detected because no rule was defined. Some attack vectors lacked rule definitions, potentially resulting in elevated false positives. Additionally, certain attack vectors failed to trigger alerts despite rule definitions.

Author Biographies

Zegar Pradipta Putra, Universitas Indonesia

Department of Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Depok, Indonesia

Ruki Harwahyu, Universitas Indonesia

Department of Electrical Engineering, Faculty of Engineering, Universitas Indonesia, Depok, Indonesia

Evans Hebert, National Taiwan University of Science and Technology

National Taiwan University of Science and Technology

Published

2024-06-30

How to Cite

Putra, Z. P., Harwahyu, R., & Hebert, E. (2024). Performance Evaluation Elastic Security as Open Source Endpoint Detection and Response for Advanced Persistent Threat Cyberattack. International Journal of Electrical, Computer, and Biomedical Engineering, 2(2), 243–260. https://doi.org/10.62146/ijecbe.v2i2.49

Section

Computer Engineering