Integration of Splunk Enterprise SIEM for DDoS

Attack Detection in IoT

Marian Hristov Maria Nenova Georgi Iliev Dimiter Avresky
Faculty of Telecommunications Faculty of Telecommunications Faculty of Telecommunications Technical University of Sofia
Technical University of Sofia Technical University of Sofia Technical University of Sofia Sofia, Bulgaria
Sofia, Bulgaria Sofia, Bulgaria Sofia, Bulgaria [email protected]
[email protected] [email protected] [email protected]

Abstract — Nowadays Security Information and Event attacks, including the Dyn cyber-attack from October 2016
2021 IEEE 20th International Symposium on Network Computing and Applications (NCA) | 978-1-6654-9550-9/21/$31.00 ©2021 IEEE | DOI: 10.1109/NCA53618.2021.9685977

Management (SIEM) is a common element of the security stack [7]. Another instance of a DDoS attack, affecting over 900 000
of every big and medium size company. The SIEM is becoming customers, involving Mirai was in November 2016 against the
a vital part of the defense strategy along with firewalls, network Deutsch Telecom [8]. The evolved version of the malware
Intrusion Prevention System / Intrusion Detection System
managed to exploit Zyxel routers which was a new type of
(IPS/IDS), web/mail security appliances, and Antivirus (AV)
solutions. Therefore this paper aims to propose a solution for vulnerable equipment. During its peak, Mirai botnet
improving the security posture of an organization by controlled over 600 thousands infected IoT devices with
implementing Splunk Enterprise SIEM. The monitoring of approximately 480 CnC servers [8].
various systems in real-time could be a challenge for the security
analysts in the Security Operation Center (SOC). With the use
The Mirai botnet is built up of five components: the virus,
of Splunk, all relevant logs are collected and stored in one carries ten attack vectors (i.e., Generic UDP, VSE, DNS, Plain
instance which allows the designing of a “single pane of glass” UDAP, TCP SUN, TCP ACK, TCP STOMP, GRE IP, GRE
solution. To illustrate the capabilities of the Splunk Enterprise Ethernet, and HTPP); the CnC server; the infected IoT device
SIEM, the proposed solution has four real-time alerts for (bot); reporting server and loader server [8]. To compromise a
detection of different cases of suspicious and/or malicious device, Mirai uses brute-force or password dictionary attacks.
activity. One of them is specifically designed to alert for the Then the new member (bot) sends its identity and credentials
presence of a Mirai Internet-of-Things (IoT) malware infection to the CnC server and starts scanning in order to exploit other
within the organization. devices.
Keywords – SIEM, real-time alert, OSINT, IoT. The proposed paper presents a method for a basic
investigation (triage) of the alarm, IP reputation check of the
I. INTRODUCTION
destination system with OSINT, and recommendations for
The increasing number of cyber threats in recent years, and isolation of the internal device. It is crucial to quarantine the
especially during the Global Covid 19 pandemic, has led to a IoT system to mitigate the risk of malware spreading across
need for development of more robust detection systems and the environment and transforming other devices in remotely
mechanisms for rapid incident response [1]. Daily hundreds, controlled bots, suitable for launching DDoS attacks or
even thousands of systems are attacked and breached, leading mining cryptocurrency [9][10].
to financial losses and/or reputation damages for the
corporations. II. SIEM OVERVIEW
The concept of “security at the perimeter” no longer The Security Information and Event Management (SIEM)
suffices the requirements for secure networks [2]. Typically, is a tool for management of security events [11]. It works by
threat actors use tactics and techniques for evading the collecting log and event data generated by various systems.
security controls of an organization and target vulnerabilities An example of different type of logs are:
and misconfigurations, also known as “technical debt”, to gain • Logs, coming from security equipment –
privileged access to restricted resources and cause significant Antivirus software; IPS/IDS; Web proxy; Threat
damage to company assets and information [3]. Vulnerability Management software; network
devices (firewalls, routers, switches, etc.)
Considering those implications, this paper aims to propose
a solution for the integration of a Splunk Enterprise SIEM [4] • Logs, coming from OS – System events; Audit
in a local network to increase the level of visibility in a given records
company environment and subsequently increase its security • Logs, coming from application - Connection and
posture. This is explored through a number of tests which session information; Usage information;
reproduce different cases of potentially malicious actions. Significant operational action
One of them is the detection of an internal IoT system [5],
potentially infected by Mirai Botnet malware [6], attempting The main functions of a SIEM solution are:
to communicate with the Command and Control (CnC) server • Log collection: gathers information from various
in order to be used as a zombie in a DDoS network. Mirai types of source systems and stores it in a centralized
which is a Linux malware, primarily targeting IoT devices was location, allowing the access to historical data.
observed in some of the largest and most disruptive DDoS

978-1-6654-9550-9/21/$31.00 ©2021 IEEE

Authorized licensed use limited to: ULAKBIM UASL - GAZI UNIV. Downloaded on November 29,2024 at 11:28:01 UTC from IEEE Xplore. Restrictions apply.
 • Log normalization: ensures that the data received
from various sources is unified and constructed in a
common model, which eases the data structure
operations.
• Log aggregation: aggregates the data based on
common attributes, thereby eliminating duplicates
• Log correlation: the ability to create a correlation
between events from several systems, varying in
formats and times. Correlation is defined as ‘single
actionable event’ [11]
• Reporting: relates to presenting the gathered data in
a format of historical reports and real-time Figure 2. Splunk Indexer
monitoring.
In addition to the main functions, most modern SIEM • Search Head – once the data is indexed, the Search
solutions utilize Artificial Intelligence and Machine Learning Head enables querying for different events using
to increase the detection accuracy and automating the Search Processing Language (SPL). It is also utilized
response to security incidents. Some of the new features are: for creating different reports, charts, and dashboards.
The Splunk Search Head is presented on Figure 3.
• Chronological analysis of events with the same
involved system (IP or Hostname) or user;
• Risk analysis based on historical events;
• IP/Domain reputation check in OSINTs;
• User and Entity Behavior Analytics (UEBA);
• Execution of suspicious file in a restricted
environment (sandbox);
• Suggestions of further steps for mitigating the
threat.
III. SPLUNK STRUCTURE
The Splunk Enterprise SIEM structure is composed of
three main components (Search Head, Indexer, and
Forwarder). Each one of them has a unique role in the
establishment of the complete SIEM solution. The Splunk
structure is presented on Figure 1.

Figure 3. Splunk Search Head

• Forwarders – collects and forwards the information

to the indexer or to another forwarder. It consumes
minimal resources from the system on which it is
installed and has insignificant impact on its
operational performance. The Splunk Forwarder is
presented on Figure 4.

Figure 1. Splunk structure

Splunk Enterprise SIEM components:

• Indexer – used for processing logs and storing them
in indexes to aid the data analysis and search. The
Splunk Indexer is presented on Figure 2. Figure 4. Splunk Forwarder

Authorized licensed use limited to: ULAKBIM UASL - GAZI UNIV. Downloaded on November 29,2024 at 11:28:01 UTC from IEEE Xplore. Restrictions apply.
 The three types of Splunk forwarders are: Universal,
Heavy, and Light. Their purpose and advantages are listed
below:
• Splunk Universal Forwarder (SUF)– gathers logs
from all the machines SUF is installed on and
forwards them to the Splunk SIEM (Splunk
Enterprise or Splunk Cloud) or another forwarder
(Universal or Heavy). The most prominent
advantage is the minimal resources consumed from
the underlying system. Furthermore, it is a
replacement of the Splunk Light Forwarder.
• Splunk Heavy Forwarder – forwards data between
Splunk Enterprise instances or to a third-party
system. It has less capabilities compared to the
Splunk Indexer, nevertheless, still possess most of
functions of an indexer. The only exception is its Figure 5. Topology of the implemented SIEM solution
inability to execute distributed searches.
The Data Ingestion in Splunk Enterprise SIEM happens
• Splunk Light Forwarder - forwards data to Splunk
through the Add Data feature. The following three methods
Enterprise instance or to a third-party system. are available, presented on Figure 6 [12].
Unlike the Heavy forwarder, the Light forwarder is
less functional but consumes fewer resources from
the underlying system on which it is installed. Since
Splunk Enterprise version 6.0, the light forwarder is
no longer used (deprecated).
Figure 6. Data ingesting in Splunk Enterprise
Another key component of the Splunk platforms is the
query language, used for searching events in the console and • Upload – used for uploading files from the local
building reports – called Search Processing Language (SPL). machine which are only indexed once. Suitable for
SPL is based on SQL and Unix commands. Splunk transforms testing purposes or data which is not changed
the arrays of machine-generated data into time streams of frequently.
events, organized in indexes which ease the investigation
• Monitor - allows for continuous monitoring of local
through SPL queries in real-time.
files and directories that reside on the machine with
installed Splunk Enterprise instance.
IV. IMPLEMENTATION OF SPLUNK • Forward – remotely gathered information from
(DATA ONBOARDING / CREATION OF RULES) various systems within the organization that have
installed a Splunk forwarder. This is the main source
The implemented SIEM solution is based on a local of data in the production environments.
network built up of two Personal Computers (PC) that have a
The next step, after completing the onboarding phase and
connection between them. Splunk Enterprise is installed on a
the data is ingested in the SIEM, is the creation of rules for
PC A that represents the SIEM infrastructure in the corporate
triggering alerts. There are two alert types, scheduled and real-
network – usually, a server used only for monitoring and
time. Alert type definitions are based on alert search timing
storing the logs. The onboarded logs are in different indexes,
[13].
created before the data ingestion:
• Real-time alert with per-result triggering –
• Index “siem_local” contains the local logs of the
operates using a continuous real-time search to find
machine with installed Splunk SIEM – Security,
historical events. Every match triggers an alarm.
Application, and System
• Real-time alert with rolling window triggering –
• Index “remote_logs” contains the remote logs from
a machine with installed Splunk Universal Unlike the scheduled alert, this type of triggering
Forwarder - Security, Application, and System searches on a pre-defined rolling time window (for
instance every hour). Because it continuously
• Index “nips” contains remote IPS logs from a searches for alerts, the time window is rolled
Fortinet firewall with an IPS license forward in time and is used when the time interval is
The implemented SIEM solution is presented on Figure 5. contained in the event pattern.

Authorized licensed use limited to: ULAKBIM UASL - GAZI UNIV. Downloaded on November 29,2024 at 11:28:01 UTC from IEEE Xplore. Restrictions apply.
 • Scheduled alert – searches on a specific period of
time
This paper presents four rules for real-time alerts with per-
result triggering. Three out of them are for real-time
monitoring while the fourth rule is used only for reporting.
Their purpose is to capture different phases of a cyber-attack.
The first rule, called “Successful logins”, covers the
“gaining access” phase of a cyber-attack. It is triggered by
each match of an event with the following conditions: A) the
logs to be in index “siem_local” & B) the event ID to be 4624.
WIN event 4624 documents each successful attempt to logon
to the local computer regardless of logon type, location of the
user, or type of account. Since the successful login attempts in
the SIEM infrastructure are not a regularly occurring activity,
the SOC analyst should be vigilant with them and confirm
their legitimacy.
The second rule is designed to flag an attempt for Figure 7. Main details in the IPS log
communication with the CnC server from an internal
compromised system – part of the Data Exfiltration phase. It
is named “Malware IPS” and monitors for events from the
“nips” index categorized as malware beaconing by the Even though the IPS has successfully blocked the
Fortinet filter “Mirai.Botnet”. Mirai is a Linux malware that outbound communication, the internal system is still
primarily targets IoT devices by attempting default credentials compromised, and it should be isolated (quarantined) from the
or command injection exploits. internal network and then remediated. Otherwise, the
infection could be spread across the environment.
The third rule, called “Security log was cleared”, looks
for WIN event 1102. That event is logged whenever the A lookup for the destination IP reputation in publicly
Security log is cleared. The idea behind this rule is to notify available databases [14], reveals the affiliation to malware
about an attempt of covering track that is part of the ending activity. The system behind IP address 112.246.172[.]79 is
phase of a cyber-attack. located in Beijing, China (Figure 8) or uses a proxy server.

The fourth rule, used only for reporting, is based on WIN

event 4625 which is logged for every failed attempt to logon.
Unlike the successful logins which require immediate actions,
the failed logins could be reviewed once per day in the form
of a scheduled report, allowing for identification of anomalies.
V. TESTING THE IMPLEMENTED SOLUTION
Each of the four rules is tested by reproducing the log
activity needed for the cases (e.g. clearing the Security log
through Event Viewer to generate event 1102). The generated
alarms are followed by an email notification for the first three
rules. The fourth is implemented with a scheduled report that
triggers once a day and covers the period of the last 24 hours.
In addition to the detection methods for different phases of
a cyber-attack, this paper aims to propose techniques for a
basic investigation based on the generated alerts. The
proposed investigation procedure is focused on the second
rule - “Malware IPS” which is intended to detect the attempts
of a compromised IoT system to communicate with the CnC Figure 8. IP location
server.
It is detected to scan the Internet for several open ports
Upon receiving an email notification with a basic (Figure 9) and for well-known vulnerabilities in Eir D1000,
summary of the activity and a link to the alert, the SOC analyst Netgear, and GPON routers as well as for unprotected web
would be able to review the details of the alarm, presented in servers which might be exploited (Figure 10).
Figure 7.

Authorized licensed use limited to: ULAKBIM UASL - GAZI UNIV. Downloaded on November 29,2024 at 11:28:01 UTC from IEEE Xplore. Restrictions apply.
 Learning. Further, it explores the Splunk structure and its main
components, such as: Indexer, Search Head, and Forwarders.
A brief summary of the types of Splunk forwarders
(Universal, Heavy, and Light) is presented as well as the query
language, used for searching events in the console and
building reports – SPL. The proposed topology of the
implemented SIEM solution consists of two PCs with installed
Splunk Enterprise and Splunk Universal forwarder on them.
Once the logs are ingested in the SIEM and all necessary
rule-configurations are implemented, a method for basic
investigation is applied. Such method includes utilization of
OSINT (Open Source Intelligent Tool) for IP reputation
lookup. This reveals the affiliation to a malware activity is
identified for the IP address with which the internal
compromised system attempts to communicate.
The paper concludes with a discussion of future
development plans of the solution which include the
Figure 9. Ports and directories scanned by the IP integration of a Splunk Deployment server. With it, most of
the onboarding work will be automated by creating
configurational templates and sending them to the new
devices in the network.
REFERENCES
[1] Website for Cyber Security Statistics:
https://purplesec.us/resources/cyber-security-statistics
[2] N. Skabcovs and A. Latkov, "Enterprise security perimeter — E-mail
server protection," 2011 Baltic Congress on Future Internet and
Communications, 2011, pp. 54-57, doi: 10.1109/BCFIC-
RIGA.2011.5733237.
[3] R. Al-Shaer, J. M. Spring and E. Christou, "Learning the Associations
of MITRE ATT & CK Adversarial Techniques," 2020 IEEE
Conference on Communications and Network Security (CNS), 2020,
pp. 1-9, doi: 10.1109/CNS48642.2020.9162207.
[4] O. Ozulku, N. F. Fadhel, D. Argles and G. B. Wills, "Anomaly
detection system: Towards a framework for enterprise log management
of security services," World Congress on Internet Security (WorldCIS-
2014), 2014, pp. 97-102, doi: 10.1109/WorldCIS.2014.7028175.
[5] Y. Chen and H. Chien, "IoT-based green house system with splunk data
analysis," 2017 IEEE 8th International Conference on Awareness
Science and Technology (iCAST), 2017, pp. 260-263, doi:
10.1109/ICAwST.2017.8256458.
[6] Fortinet IPS filter knowledge base, ID 43191, creation time: Oct 10,
2016 - https://www.fortiguard.com/encyclopedia
[7] Cyber Security article for Mirai Botnet, © 2021 Cloudflare Inc.
https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
[8] Cyber Security article for Mirai Botnet, © 2021 HEIMDAL TM
https://heimdalsecurity.com/blog/mirai-botnet-phenomenon/
[9] T. Su, S. Wang, Y. Chen and C. Liu, "Attack detection of distributed
denial of service based on Splunk," 2016 International Conference on
Advanced Materials for Science and Engineering (ICAMSE), 2016, pp.
397-400, doi: 10.1109/ICAMSE.2016.7840355.
[10] M. Pokrinchak and M. M. Chowdhury, "Distributed Denial of Service:
Problems and Solutions," 2021 IEEE International Conference on
Electro Information Technology (EIT), 2021, pp. 032-037, doi:
10.1109/EIT51626.2021.9491925.
Figure 10. Vulnerabilities that the IP looks to exploit [11] Omar Santos - Cisco CyberOps Associate (CBROPS 200-201) Official
Cert Guide – Cisco Press - ISBN-13: 978-0-13-687243-6 / ISBN-10:
0-13-687243-3 - 2021
CONCLUSION
[12] Official Manual of Splunk®, Enterprise - Getting Data In, version
The proposed paper has an overview of the SIEM 8.2.2, Copyright © 2021 Splunk Inc.
solutions, types of logs that are typically ingested, the main [13] Official Manual of Splunk®, Enterprise - Alerting Manual, version
8.2.2, Copyright © 2021 Splunk Inc.
functions (e.g. log correlation) and some of the additional
[14] OSINT for IP reputation lookup, Copyright © 2021 GreyNoise,
capabilities utilized with Artificial Intelligence and Machine https://www.greynoise.io

Authorized licensed use limited to: ULAKBIM UASL - GAZI UNIV. Downloaded on November 29,2024 at 11:28:01 UTC from IEEE Xplore. Restrictions apply.