Security Onion — (Part 2) Tools

Danny Vargas
10 min read · Aug 25, 2023


In Part 1, I installed Security Onion on a Virtual Machine. Now I will go over the tools that are provided with Security Onion; this will be a brief introduction. I will provide resources at the bottom of the page if you wish to learn more about them. At the time of writing, I am using the latest version, 2.3.260.

If the Security Onion web interface does not load, check the container services. Login to the Virtual Machine and after you have logged in type:

$ sudo so-status
SOC status.

If the status displays “STARTING” or “WAITING_TO_START”, the Docker containers are still loading. If “MISSING” is shown, then the service is not installed, or it was not installed successfully during the installation. Remember, the more RAM the Virtual Machine has, the faster it can load these services.

Kibana

Kibana is an open-source data visualization and exploration tool developed by Elastic. It is typically used in conjunction with Elasticsearch, a distributed search and analytics engine. Kibana provides a user-friendly web interface that allows users to explore, analyze, and visualize data stored in Elasticsearch indexes. With Kibana, you can create a variety of visualizations, such as line charts, bar graphs, pie charts, and geospatial maps, to gain insights from your data. It’s widely used in applications involving log analysis, business intelligence, and real-time monitoring.

Using Kibana

When clicking on the Kibana link from the side menu, the web application will open in a new tab or window as shown in Figure 1. The login credentials are the same as for Security Onion.

Figure 1: Kibana login page

Dashboards

By default, the Security Onion — Home dashboard will load first. This dashboard shows the following panels: Security Onion — Navigation, Security Onion — All Logs, Security Onion — Logs Over Time, Security Onion — Data Overview, Security Onion — Dataset, Security Onion — Modules, and Security Onion — Log Count By Node.

Figure 2: Kibana Dashboard

I will go into greater detail in Part 3 of this series, as this web application overlaps with “Hunt” from the Security Onion main page.

Other Dashboards

To view other dashboards, click on “Dashboard”; this will list the dashboards that are available for viewing/configuring. You can also create your own dashboard to suit your own needs.

Grafana

Grafana is an open-source analytics and monitoring platform commonly used for time-series data visualization. It supports various data sources, including Prometheus, Graphite, Elasticsearch, and many others. Grafana’s strength lies in its ability to create interactive and customizable dashboards that display time-series data in real-time. It is popular in the IT and DevOps communities for monitoring system metrics, application performance, and network statistics. Grafana’s intuitive interface allows users to build rich visualizations and set up alerts based on specific conditions.

Using Grafana

The dashboards included in Security Onion display real-time statistics of the system.

Figure 3

Dashboard

Security Onion provides several dashboards. One of the dashboards is called “Eval”.

Figure 3.1: Eval Dashboard

Logging In

By default the site is configured to use an anonymous account. To log in, the password needs to be reset. You can view the discussion on GitHub (Security-Onion-Solutions/securityonion, Discussion #8741, “Grafana Unable to login”) or run the following command to reset the password.

$ sudo docker exec -it so-grafana grafana-cli --homepath "/usr/share/grafana" admin reset-admin-password admin

After resetting the password, the login credentials are:

  • Username: admin
  • Password: admin

After you login, the web application will require a new password as shown in Figure 3.2.

Figure 3.2: Updating Password.

As you see in Figure 3.3, the side menu now displays more options to configure Grafana. If you want to learn more about Grafana, I provided a link at the Resources section of the page.

Figure 3.3: After logging in.

CyberChef

CyberChef is a web application designed for cryptographic operations, data analysis, and manipulation. It provides a visually driven and user-friendly interface to perform a wide range of data transformations, conversions, and cryptographic tasks. Users can use CyberChef to encode and decode data using various algorithms, perform operations like XOR or bitwise calculations, and manipulate data in formats like JSON, XML, and Base64. CyberChef is commonly used by cybersecurity professionals, developers, and enthusiasts for tasks like malware analysis, decoding encoded data, and solving complex data puzzles.

Using CyberChef

The side menu shows the different types of operations that can be performed, as shown in Figure 4. For this example, I will use the “Analyse Hash” operation.

Figure 4: CyberChef Interface.

I am going to analyze a hash value that the Apache site has provided. With this hash value alone, I do not know which hash function was used. On the right side of the panel, there is a hash value for the Apache HTTPD file “httpd-2.4.57.tar.bz2”: dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a
When the hash value is put in the input box, the output is as shown in Figure 5. Note that CyberChef only narrows the candidates by length; to verify that the hash function SHA-256 was used, we can use the built-in certutil tool in Windows. It can be run from the command prompt or PowerShell by typing this command: “certutil -hashfile httpd-2.4.57.tar.bz2 SHA256”. If the output matches the published value, the download is intact and SHA-256 was the function used.

Hash length: 64
Byte length: 32
Bit length: 256

Based on the length, this hash could have been generated by one of the following hashing functions:
SHA-256
SHA3-256
BLAKE-256
ECOH-256
FSB-256
GOST
Grøstl-256
HAVAL-256
PANAMA
RIPEMD-256
Snefru

Figure 5: Analyzing the type of hash value.
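As an added example (not part of the original post or of CyberChef), the following Python reproduces the length reasoning behind “Analyse Hash” and then does the certutil step: computing a file’s SHA-256 and comparing it with the published digest. The candidate table is a partial, assumed subset of CyberChef’s, and the demo file is a constructed stand-in for the real tarball.

```python
import hashlib
import hmac
import os
import tempfile

# Digest length in hex characters -> algorithms that produce it. Partial table of
# well-known functions; CyberChef's own list for 64 characters (Figure 5) is longer.
CANDIDATES_BY_HEX_LENGTH = {
    32: ["MD5", "MD4", "RIPEMD-128"],
    40: ["SHA-1", "RIPEMD-160"],
    64: ["SHA-256", "SHA3-256", "BLAKE-256", "RIPEMD-256", "GOST"],
    128: ["SHA-512", "SHA3-512", "BLAKE-512", "Whirlpool"],
}
# Published digest of httpd-2.4.57.tar.bz2 quoted in the text above.
APACHE_HTTPD_SHA256 = "dbccb84aee95e095edfbb81e5eb926ccd24e6ada55dcd83caecb262e5cf94d2a"

def analyse_hash(hex_digest):
    """The three lengths CyberChef prints plus the algorithms of that size.
    Length only narrows the field; it never identifies the function."""
    digest = hex_digest.strip().lower()
    if not digest or len(digest) % 2 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("input is not a hex-encoded digest")
    return {"hash_length": len(digest), "byte_length": len(digest) // 2,
            "bit_length": len(digest) * 4,
            "candidates": CANDIDATES_BY_HEX_LENGTH.get(len(digest), [])}

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so a large archive never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_hex):
    """'certutil -hashfile <file> SHA256' plus the comparison certutil leaves to you."""
    return hmac.compare_digest(sha256_of_file(path), published_hex.strip().lower())

def demo_verify():
    """Constructed stand-in for the tarball; returns (genuine_ok, tampered_ok)."""
    content = b"constructed sample archive contents\n"
    fd, path = tempfile.mkstemp(suffix=".tar.bz2")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    try:
        return (verify_download(path, hashlib.sha256(content).hexdigest()),
                verify_download(path, "00" * 32))
    finally:
        os.remove(path)
```

Run `analyse_hash(APACHE_HTTPD_SHA256)` to get the same 64/32/256 figures as Figure 5; `verify_download("httpd-2.4.57.tar.bz2", APACHE_HTTPD_SHA256)` is the check that actually settles which function was used.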

A great feature that CyberChef has is the ability to save your recipes as shown in Figure 6 or you can use the deep link which allows you to share the recipe to other users.

Figure 6: Saving recipes.

Playbook

A playbook is a documented set of procedures and instructions outlining how to respond to specific situations or incidents. Playbooks are commonly used in incident response and security operations to ensure that teams follow predefined steps when dealing with cybersecurity incidents, system outages, or other critical events. Playbooks typically include details about detection, containment, eradication, and recovery steps, along with communication protocols and relevant resources.

Using Playbook

According to Security Onion documentation, the key components of a Play are:

  1. Objective and context.
  2. What are the follow-up actions required to validate and/or remediate when results are seen?
  3. The actual query needed to implement the Play’s objective.

Any results from a Play (low, medium, high, critical severity) are available to view within Dashboards, Hunt, or Kibana. High or critical severity results from a Play will generate an Alert within the Security Onion Console Alerts interface.

The final piece to Playbook is automation. Once a Play is made active, the following happens:

  • The required ElastAlert config is put into production.
  • ATT&CK Navigator layer is updated to reflect current coverage.

The lifecycle of a Play is as follows:

  1. Draft — Initial state
  2. Active — In Production
  3. Inactive — Temporarily moved out of production.
  4. Archived — Play has been superseded/retired.

FleetDM

FleetDM (Fleet Device Management), or simply Fleet, is an open-source tool developed by Kolide. It is a centralized management platform for osquery, an open-source endpoint security framework that allows querying and monitoring endpoints using SQL-like queries. FleetDM provides a web-based interface to manage and deploy osquery configurations across multiple endpoints, schedule queries, and view the results. It enables security teams to gain deep visibility into the security posture of their devices and helps with threat detection, incident response, and compliance monitoring.

Using FleetDM

To log in, use the same login credentials as for your Security Onion console.

Figure 9: Fleet login screen

The dashboard shows the number of hosts connected, grouped by operating system, and an activity panel as shown in Figure 10. The top navigation bar has the following links: Hosts, Controls, Software, Queries, Schedule, and Policies.

Figure 10: Fleet Dashboard

Clicking Hosts on the top navigation bar will show all the hosts that are enrolled in the system. As of now, there is only one host, which is securityonion. Clicking on the image shown in Figure 11 will display a table with the following columns:

  • Host
  • Status
  • Issues
  • Disk space available
  • Operating system
  • Osquery
  • Private IP address
  • MDM status
  • MDM server URL
  • Last fetched

Figure 11: Host

Clicking on the host “securityonion” will show details about the host along with any software, schedules, and policies that have been configured, as shown in Figure 12.

Figure 12: Host details

If you want to learn more about FleetDM, I provided a link at the bottom of the page.

Navigator

Navigator, also known as MITRE ATT&CK Navigator, is a visualization and analysis tool developed by the MITRE Corporation. It is designed to work in conjunction with the MITRE ATT&CK framework, which stands for Adversarial Tactics, Techniques, and Common Knowledge. The ATT&CK framework is a comprehensive knowledge base that catalogues real-world cyber adversary behavior and tactics used during different stages of the cyber-attack lifecycle. Navigator provides a visual representation of the ATT&CK framework, which allows security professionals, threat hunters, and cybersecurity analysts to explore, analyze, and plan defensive strategies against various cyber threats effectively.

Figure 13

Demo

For this demo, I am going to compare and score two APTs (APT3 & APT29). I will need to create a new layer, which can be done by clicking on the “+” icon. First, I need to rename “Playbook Coverage” to “APT3” as shown in Figure 14. This is done by clicking on the layer information icon or clicking the layer name.

Figure 14: Renaming “Playbook Coverage” to “APT3”

Click on the search & multiselect (magnifying glass) icon. This will open a side panel that lists the following:

  • Techniques
  • Threat Groups
  • Software
  • Mitigations
  • Data Sources

I will be using Threat Groups, as our APTs are listed there. Search for APT3 and click the “select” button. You will see that a border is added to the related techniques. Clicking the “view” link will open a new window and give you information about APT3. From the MITRE ATT&CK site, “APT3 is a China-based threat group that researchers have attributed to China’s Ministry of State Security.[1][2] This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.[1][3] As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.[4] In 2017, MITRE developed an APT3 Adversary Emulation Plan.[5]”.

Figure 15

Now I will assign APT3 a background color. This can be accomplished by using the paint icon as shown in Figure 16, or by setting a score, which is done by clicking on the scoring icon. For this demo, I will choose the scoring method, as I want the application to score the techniques. I have set the score to 3.

Figure 16: APT 3

Now I create a new layer by clicking on the “+” icon. Click on “Create New Layer” > “Enterprise” as shown in Figure 17.

Figure 17

I renamed the new layer to “APT29” and I am going to repeat the steps from “APT3”, but this time I will give it a score of 2 as shown in Figure 18.

Figure 18

Scoring APT3 & APT29 layers

Create a new layer and select “Create Layer from other layers”. From the domain drop-down, select “Enterprise ATT&CK v11”. In the score expression text input, type “a+b” without the quotes as shown in Figure 19. Here “a” and “b” refer to the first and second existing layers (APT3 and APT29), so each technique’s new score is the sum of its scores in both layers. Click “Create” to continue.

Figure 19

The new layer shows the combined results from both layers, APT3 & APT29. From here you can save the results as an image or export them to Excel.

Figure 20
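As an added example (not part of the original post or of the Navigator project), the Python below models the “Create Layer from other layers” step: it builds two minimal layer JSON documents scored 3 and 2, then applies a score expression such as “a+b” per technique. The technique IDs are constructed for illustration and are not the real APT3/APT29 mappings, and the assumption that a technique missing from a layer counts as 0 is mine; the expression is parsed with `ast` and only arithmetic is allowed, so a pasted expression can never reach `eval()`.

```python
import ast
import json
import operator

# The only operators a Navigator score expression such as "a+b" needs; anything
# else (calls, attributes, unbound names) is rejected instead of being eval()'d.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def _evaluate(node, env):
    """Evaluate a parsed score expression over the per-layer values in env."""
    if isinstance(node, ast.Expression):
        return _evaluate(node.body, env)
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
        return node.value
    if isinstance(node, ast.Name) and node.id in env:
        return env[node.id]
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        return _OPS[type(node.op)](_evaluate(node.left, env), _evaluate(node.right, env))
    raise ValueError(f"unsupported element in score expression: {type(node).__name__}")

def make_layer(name, technique_ids, score):
    """Minimal Navigator layer JSON, like the APT3 and APT29 layers scored above."""
    return {"name": name, "domain": "enterprise-attack", "versions": {"layer": "4.4"},
            "techniques": [{"techniqueID": t, "score": score} for t in technique_ids]}

def combine_layers(layers, expression, name="combined"):
    """'Create Layer from other layers': layer i is bound to a, b, c, ... and the
    expression is applied per technique. Assumption: a technique absent from a
    layer contributes 0 (that is how missing scores are modelled here)."""
    tree = ast.parse(expression, mode="eval")
    names = [chr(ord("a") + i) for i in range(len(layers))]
    scores = [{t["techniqueID"]: t.get("score", 0) for t in layer["techniques"]}
              for layer in layers]
    all_ids = sorted(set().union(*scores))
    techniques = [{"techniqueID": tid,
                   "score": _evaluate(tree, {n: s.get(tid, 0) for n, s in zip(names, scores)})}
                  for tid in all_ids]
    return {"name": name, "domain": layers[0]["domain"],
            "versions": layers[0]["versions"], "techniques": techniques}

# Constructed sample: technique IDs picked for illustration, not the groups' real mappings.
APT3 = make_layer("APT3", ["T1059", "T1003", "T1071"], 3)
APT29 = make_layer("APT29", ["T1059", "T1071", "T1566"], 2)

if __name__ == "__main__":
    print(json.dumps(combine_layers([APT3, APT29], "a+b", "APT3 + APT29"), indent=2))
```

Techniques used by both groups come out at 5 (3+2) and stand out from those used by only one, which is the prioritisation the combined layer in Figure 20 gives you.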

What does the scoring mean?

By assigning scores to tactics and techniques, security teams can focus on addressing the most critical threats and vulnerabilities first. This approach is tailored to the specific context of an organization, as different industries, environments, and threat landscapes might require different prioritization strategies.

The scoring in the Navigator is often done using a numerical scale, such as 0 to 3, where each number represents a different level of significance:

  • 0 - Not applicable or not a concern.
  • 1 - Low impact or relevance.
  • 2 - Medium impact or relevance.
  • 3 - High impact or relevance.

In Part 3 of this series, I will go over the tools from the Security Onion web application.

Resources
