40096050 SOC10101
Pamela Dempster - BEng (Hons) Computer Systems and Networks
Brute Force Attack
Detection and Mitigation
using a SIEM
Architecture
Pamela Dempster
Submitted in partial fulfilment of
the requirements of Edinburgh Napier University
for the Degree of Bachelor of Engineering with Honours in
Computer Systems and Networks
School of Computing
April 2015
Authorship Declaration
I, Pamela Dempster, confirm that this dissertation and the work presented in it are my own
achievement.
Where I have consulted the published work of others this is always clearly attributed;
Where I have quoted from the work of others the source is always given. With the exception
of such quotations this dissertation is entirely my own work;
I have acknowledged all main sources of help;
If my research follows on from previous work or is part of a larger collaborative research
project, I have made clear exactly what was done by others and what I have contributed
myself;
I have read and understand the penalties associated with Academic Misconduct.
I also confirm that I have obtained informed consent from all people I have involved in the
work in this dissertation following the School's ethical guidelines.
Signed:
Date:
Matriculation no: 40096050
Data Protection Declaration
Under the 1998 Data Protection Act, the University cannot disclose your grade to an
unauthorised person. However, other students benefit from studying dissertations that have
their grades attached.
Please sign your name under one of the options below to state your preference.
The University may make this dissertation, with indicative grade, available to others.
The University may make this dissertation available to others, but the grade may not be
disclosed.
The University may not make this dissertation available to others.
Acknowledgements
Firstly, I would like to thank my Supervisor, Professor Bill Buchanan for providing me with
the opportunity to complete this project and for the continuous guidance and support he
offered throughout the year.
I would also like to thank Richard Macfarlane for being my Second Marker.
Finally, I would like to thank my family and friends for their never ending support and
encouragement.
Contents
AUTHORSHIP DECLARATION
DATA PROTECTION DECLARATION
ACKNOWLEDGEMENTS
ABSTRACT
1 INTRODUCTION ................................................................................1
1.1 Introduction.................................................................................................................. 1
1.2 Background .................................................................................................................. 1
1.3 Aims and Objectives.....................................................................................................2
1.4 Dissertation Structure ..................................................................................................3
1.5 Ethics ............................................................................................................................ 3
2 LITERATURE REVIEW ....................................................................4
2.1 Introduction.................................................................................................................. 4
2.2 Cyber Adversaries – A History.................................................................................... 4
2.3 Attack Taxonomy......................................................................................................... 7
2.3.1 Classification of Attacks......................................................................................... 7
2.3.2 Attack Patterns ..................................................................................................... 10
2.4 Defence in Depth ........................................................................................................ 14
2.5 Defence Mechanisms .................................................................................................. 15
2.5.1 Intrusion Detection Systems ................................................................................. 15
2.5.2 Big Data Analytics ............................................................................................... 16
2.5.3 SIEM.................................................................................................................... 19
2.6 Conclusion .................................................................................................................. 21
3 DESIGN ..............................................................................................22
3.1 Introduction................................................................................................................ 22
3.2 Design Methodology................................................................................................... 22
3.3 Threats – An Overview .............................................................................................. 24
3.3.1 Scanning/Information Gathering Attack – Portscan............................................... 24
3.3.2 Brute Force Dictionary Attacks............................................................................. 24
3.4 Requirements Analysis............................................................................................... 24
3.5 Attack Tools................................................................................................................ 26
3.5.1 Nmap.................................................................................................................... 26
3.5.2 Hydra ................................................................................................................... 27
3.6 Detection Methods – An Overview ............................................................................ 27
3.6.1 Intrusion Detection Systems (IDS)........................................................................ 27
3.6.2 SIEM.................................................................................................................... 27
3.7 Evaluation Metrics ..................................................................................................... 28
3.7.1 Brute Force Dictionary Attack – Rapid Speed....................................................... 28
3.7.2 Brute Force Dictionary Attack – ‘Low and Slow’ ................................................. 29
3.8 Conclusions................................................................................................................. 29
4 IMPLEMENTATION........................................................................30
4.1 Introduction................................................................................................................ 30
4.2 Configuration ............................................................................................................. 30
4.3 Attack Traffic............................................................................................................. 32
4.3.1 Scanning/Information Gathering Attack................................................................ 32
4.3.2 FTP Brute Force Dictionary Attack ...................................................................... 32
4.3.3 Telnet Brute Force Dictionary Attack ................................................................... 33
4.3.4 HTTP Brute Force Dictionary Attack ................................................................... 33
4.3.5 Brute Force Dictionary Attacks – ‘Low and Slow’................................................ 34
4.4 Detection Methods - IDS............................................................................................ 34
4.4.1 Snort Rules – Scanning/Information Gathering Attack.......................................... 34
4.4.2 Snort Rules - FTP Brute Force Dictionary Attack ................................................. 35
4.4.3 Snort Rules - Telnet Brute Force Dictionary Attack.............................................. 35
4.4.4 Snort Rules – HTTP Brute Force Dictionary Attack.............................................. 36
4.5 Detection Methods - SIEM......................................................................................... 36
4.5.1 Splunk Logs ......................................................................................................... 36
4.5.2 Splunk Rules ........................................................................................................ 36
4.6 Conclusion .................................................................................................................. 39
5 EVALUATION...................................................................................40
5.1 Introduction................................................................................................................ 40
5.2 Experiments................................................................................................................ 40
5.2.1 Information Gathering/Probing Attack.................................................................. 40
5.2.2 FTP Brute Force Dictionary Attack ...................................................................... 41
5.2.3 Telnet Brute Force Dictionary Attack ................................................................... 43
5.2.4 HTTP Brute Force Dictionary Attack ................................................................... 44
5.2.5 Brute Force Dictionary Attacks – ‘Low and Slow’................................................ 46
5.3 Results......................................................................................................................... 46
5.3.1 Scanning/Information Gathering Attack................................................................ 46
5.3.2 Brute Force Dictionary Attacks............................................................................. 47
5.4 Analysis....................................................................................................................... 49
5.5 Conclusions................................................................................................................. 50
6 CONCLUSIONS.................................................................................51
6.1 Introduction................................................................................................................ 51
6.2 Meeting the Objectives............................................................................................... 51
6.2.1 Objective 1 ........................................................................................................... 51
6.2.2 Objective 2 ........................................................................................................... 52
6.2.3 Objective 3 ........................................................................................................... 52
6.2.4 Objective 4 ........................................................................................................... 52
6.3 Critical Analysis ......................................................................................................... 53
6.4 Future Work............................................................................................................... 54
6.5 Personal Reflection..................................................................................................... 54
7 REFERENCES ...................................................................................56
APPENDIX 1 - Initial Project Overview………………………………………..……61
APPENDIX 2 – Week 9 Interim Report………………………………………..…….64
APPENDIX 3 – Diary Sheets…………………………..…………………………...…69
List of Tables
Table 1: Server/IDS logs and fields of interest for creating Splunk rules .............................. 28
Table 2: Configuration of Virtual Machines ......................................................................... 31
Table 3: Splunk Rules.......................................................................................................... 38
Table 4: Software used in Implementation ........................................................................... 39
Table 5: Detection Results ................................................................................................... 49
List of Figures
Figure 1: Security Breaches in 2012 – adapted from (PwC, 2012).......................................... 1
Figure 2: Hacker circumplex (Rogers, 2006).......................................................................... 6
Figure 3: Classes of Computer Misuse Techniques (Neumann & Parker, 1989).................... 8
Figure 4: Pattern of Attack - adapted from (Buchanan, 2011)............................................... 10
Figure 5: Typical Stages of an APT – adapted from (Giura & Wang, 2013) ......................... 12
Figure 6: Defending Against Targeted Attacks (The Five Styles of Advanced Threat Defense -
Gartner Presentation) (Orans, 2014)..................................................................................... 14
Figure 7: IDC’s Digital Universe Study, sponsored by EMC, December 2012 (Gantz &
Reinsel, 2012)...................................................................................................................... 16
Figure 8: The Three V’s of Big Data (Niemeijer, 2014) ....................................................... 17
Figure 9: Overall score for each Vendor’s product based on the non-weighted score for each
Critical Capability (Nicolett & Kavanagh, 2013).................................................................. 20
Figure 10: Structure Chart.................................................................................................... 23
Figure 11: Design Overview ................................................................................................ 25
Figure 12: Network Architecture – Design........................................................................... 26
Figure 13: Prototype Network Configuration........................................................................ 30
Figure 14: DMZ Firewall Rules ........................................................................................... 31
Figure 15: LAN/Private Network Firewall Rules.................................................................. 32
Figure 16: Nmap Port Scan command .................................................................................. 32
Figure 17: Hydra command - FTP Brute Force Attack ......................................................... 32
Figure 18: Hydra command - Telnet Brute Force Attack ...................................................... 33
Figure 19: Login form.......................................................................................................... 33
Figure 20: Hydra command - HTTP Brute Force Attack ...................................................... 33
Figure 21: Hydra command (slower speed) – FTP Brute Force Dictionary Attack................ 34
Figure 22: Snort Preprocessor for detecting Port Scan .......................................................... 34
Figure 23: Snort rule created to detect FTP failed login attempts.......................................... 35
Figure 24: Snort rule created to detect FTP successful login................................................. 35
Figure 25: Snort rule created to detect Telnet failed login attempts....................................... 35
Figure 26: Snort rule created to detect Telnet failed login attempts....................................... 35
Figure 27: Snort rule created to detect successful login to Telnet.......................................... 35
Figure 28: Snort rule created to detect HTTP failed login attempts....................................... 36
Figure 29: Snort rule created to detect successful login to Web login form........................... 36
Figure 30: Nmap Port Scan command .................................................................................. 40
Figure 31: Snort preprocessor to detect Port Scan................................................................. 40
Figure 32: Results of Port Scan ............................................................................................ 41
Figure 33: Snort Alert for Port Scan..................................................................................... 41
Figure 34: Hydra command - FTP Brute Force Dictionary attack ......................................... 41
Figure 35: Snort rule to detect FTP failed login attempts...................................................... 41
Figure 36: Result of FTP Brute Force Attack ....................................................................... 42
Figure 37: Snort Alert for FTP failed login attempts............................................................. 42
Figure 38: Snort rule to detect FTP successful login............................................................. 42
Figure 39: Successful login to FTP service........................................................................... 42
Figure 40: Snort Alert for FTP successful login.................................................................... 42
Figure 41: Hydra command – Telnet Brute Force Dictionary attack ..................................... 43
Figure 42: Snort rule to detect Telnet failed login attempts................................................... 43
Figure 43: Snort rule to detect failed login attempts.............................................................. 43
Figure 44: Result of Telnet Brute Force Attack .................................................................... 43
Figure 45: Snort Alert for Telnet failed login attempts ......................................................... 43
Figure 46: Snort rule to detect successful login via Telnet .................................................... 43
Figure 47: Successful login to Telnet service........................................................................ 44
Figure 48: Snort Alert for Telnet successful login ................................................................ 44
Figure 49: Hydra command – HTTP Brute Force Dictionary Attack .................................... 44
Figure 50: Snort rule to detect HTTP failed login attempts................................................... 44
Figure 51: Result of HTTP Brute Force Attack .................................................................... 45
Figure 52: Snort Alert for HTTP failed login attempts.......................................................... 45
Figure 53: Snort rule to detect successful login to Web login form....................................... 45
Figure 54: Successful login to Web Page.............................................................................. 45
Figure 55: Snort Alert for successful login to Web login form.............................................. 46
Figure 56: Hydra command (slower speed) – FTP Brute Force Dictionary Attack................ 46
Figure 57: Splunk – Detection of Port scan .......................................................................... 47
Figure 58: Splunk rule created to detect over 100 failed logins in 10 seconds ....................... 47
Figure 59: Splunk Timeline for FTP Brute Force Dictionary Attack..................................... 47
Figure 60: Splunk Timeline for Telnet Brute Force Dictionary Attack.................................. 48
Figure 61: Splunk Timeline for HTTP Brute Force Dictionary Attack.................................. 48
Figure 62: Splunk results for ‘Low and Slow’ FTP Brute Force Dictionary Attack............... 49
Abstract
Cyber security and how to combat a wide variety of threats is a topic that is at the forefront of
many organisations’ minds these days. As attacks grow in number and complexity, companies
are having to spend more on security and look at new ways of confounding attackers.
Research shows that although the traditional security measures of Intrusion Detection
Systems and Intrusion Prevention Systems are inadequate when it comes to detecting and
preventing Advanced Persistent Threats, due to the ‘low and slow’ modus operandi of these
attacks, Big Data Analytics, with the ability to collect and analyse data over a long period of
time, offers a solution to this problem. According to Gartner (Orans, 2014), in order for
companies to successfully defend against targeted attacks, organisations’ defences must
incorporate firewalls, IDS/IPS and SIEM.
The aim of this project is to determine whether, by analysing and filtering log data from a
variety of sources (Security logs, System logs, Server logs and IDS logs) and looking for
specific patterns in the data, a SIEM architecture can detect brute force dictionary attacks,
and whether identifying those patterns makes it possible to block the attacks before sensitive
information is stolen or any damage is caused to the system.
VMware vSphere Client is utilised to provide a virtual cloud environment in which to create
the prototype SIEM architecture. Three VMware instances are created: a Windows Server 2008
machine, which acts as the victim in the implementation; a Kali Linux machine, which acts as
the attacker in the scenario; and a pfSense machine, which provides the routing between the
two aforementioned machines and a firewall. In order to detect the attacks, Snort and Splunk
were installed on the Windows Server 2008. So as to determine the efficacy of a SIEM
architecture for the purpose of detecting and mitigating brute force dictionary attacks, two
different experiments were performed. In the first experiment the attack was carried out at
rapid speed, whereas in the second experiment the attack was carried out at a much slower
speed. Various Splunk rules are created in order to filter and analyse the log data; however,
so as to obtain accurate results across the board, a standard metric of over 100 failed logins
in 10 seconds is used for detection.
The results for the first experiment indicated 1,935 failed login attempts to the FTP service
within approximately 10 seconds. Therefore, it could be concluded that it is possible to detect
and mitigate these types of attacks using a SIEM architecture. However, when the attack was
carried out at a much slower speed, with only one login attempt being made per minute, and the
same filtering rule was applied, the attacks were in fact not detected. This does not, however,
mean that a SIEM architecture would not be an appropriate method for detecting ‘Low and
Slow’ attacks; it merely shows that for successful detection, data would have to be collected
and analysed over a much longer period of time than for attacks that are carried out at a much
faster rate.
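The detection metric used in the abstract (more than 100 failed logins in 10 seconds) and the reason it misses the one-attempt-per-minute run can be seen directly in code. The Python below is an added example, not the dissertation's Splunk rule or any code from the project: the log line format, the source addresses 10.0.0.5 and 10.0.0.6 and the timestamps are constructed, and a per-source sliding window stands in for the Splunk search.

```python
"""Sliding-window threshold detector for failed logins.

Added example (not the dissertation's Splunk search): it reproduces the
abstract's metric of more than 100 failed logins in 10 seconds over
constructed log lines, and shows why one attempt per minute slips through
unless the window is widened.
"""
from collections import deque
from datetime import datetime, timedelta

# Assumed (constructed) log line format, one event per line:
#   "<ISO-8601 timestamp> <source IP> FTP LOGIN FAILED user=<name>"
FAILED_MARKER = "LOGIN FAILED"


def parse_event(line):
    """Split a constructed log line into (timestamp, source IP)."""
    ts, src = line.split()[:2]
    return datetime.fromisoformat(ts), src


def detect_bursts(lines, threshold=100, window_seconds=10):
    """Return {source IP: time of first alert} for every source that produces
    more than `threshold` failed logins inside any `window_seconds` span.

    Events are assumed to arrive in time order per source. A deque per source
    holds only the failures still inside the trailing window, so memory stays
    bounded by the threshold rather than by the total log volume.
    """
    window = timedelta(seconds=window_seconds)
    recent = {}   # src -> deque of timestamps inside the window
    alerts = {}   # src -> first timestamp at which the threshold was exceeded
    for line in lines:
        if FAILED_MARKER not in line:
            continue  # successful logins and other events are not counted
        ts, src = parse_event(line)
        q = recent.setdefault(src, deque())
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def synth_failures(src, start, count, interval):
    """Constructed sample data: `count` failures from `src`, `interval` apart."""
    return [
        f"{(start + i * interval).isoformat()} {src} FTP LOGIN FAILED user=admin"
        for i in range(count)
    ]


BASE = datetime(2015, 4, 1, 12, 0, 0)
# Experiment 1 as described in the abstract: 1,935 failures in about 10 s.
RAPID = synth_failures("10.0.0.5", BASE, 1935, timedelta(seconds=10 / 1935))
# Experiment 2: 'low and slow', one attempt per minute for five hours.
SLOW = synth_failures("10.0.0.6", BASE, 300, timedelta(minutes=1))


def rapid_detected():
    """Default rule (100 in 10 s) against the rapid attack."""
    return "10.0.0.5" in detect_bursts(RAPID)


def slow_detected_default():
    """Default rule against the one-per-minute attack."""
    return "10.0.0.6" in detect_bursts(SLOW)


def slow_detected_long_window():
    """Same threshold, but evaluated over a three-hour window."""
    return "10.0.0.6" in detect_bursts(SLOW, threshold=100,
                                       window_seconds=3 * 3600)


if __name__ == "__main__":
    print("rapid attack, 100 in 10 s rule:", rapid_detected())
    print("slow attack, 100 in 10 s rule: ", slow_detected_default())
    print("slow attack, 100 in 3 h rule:  ", slow_detected_long_window())
```

Run stand-alone, the rapid run trips the rule, the slow run does not, and the slow run is caught when the same threshold is evaluated over a three-hour window, which is the longer collection period the abstract says ‘low and slow’ detection needs. The trade-off a practitioner would weigh is that widening the window without revisiting the threshold also raises the chance of counting ordinary mistyped passwords from a busy shared address as an attack.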
1 Introduction
1.1 Introduction
According to Gartner (2014), in order to achieve across-the-board protection, ‘an adaptive
protection process integrating predictive, preventative, detective and response capabilities’
was necessary and a shift in thinking was required, moving from ‘incident response’ to
‘continuous response’, ‘wherein systems are assumed to be compromised and require
continuous monitoring and remediation’. Gartner (Orans, 2014) concluded that in order for
companies to successfully defend against targeted attacks, organisations’ defences must
incorporate firewalls, IDS/IPS and SIEM.
The aim of this project is to determine whether, by analysing and filtering log data from a
variety of sources (Security logs, System logs, Server logs and Snort logs) and looking for
specific patterns in the data, a SIEM architecture can detect brute force dictionary attacks,
and whether identifying those patterns makes it possible to block the attacks before sensitive
information is stolen or any damage is caused to the system. Taking into account Gartner’s
recommendations (Orans, 2014), the prototype network architecture has been designed
accordingly. In order to evaluate the effectiveness of the SIEM architecture in detecting these
types of attacks, the attacks have been carried out under different conditions.
1.2 Background
Cyber security and how to combat a wide variety of threats is a topic that is at the forefront of
many organisations’ minds these days. As attacks grow in number and complexity, companies
are having to spend more on security and look at new ways of confounding attackers.
According to a survey carried out by Infosecurity Europe, the results of which were analysed
and reported by PwC, the number of security breaches in 2012 was at an all-time high, with
91% of large organisations reporting that they had suffered a malicious breach in the last year.
The estimated costs incurred by these organisations for the worst incident they had suffered
were in the region of £110,000 - £250,000. Figure 1 shows that of these breaches, 73%
were attacks carried out by unauthorised outsiders, 59% were infections by viruses or
malicious software and 53% related to theft or fraud (PwC, 2012).
Figure 1: Security Breaches in 2012 – adapted from (PwC, 2012)
Some of the biggest security breaches seen over the last few years have included a data breach
at Adobe which resulted in 38 million users having to reset their passwords after hackers
gained access to user account information. Theft of source code for various Adobe
applications was identified as a partial cause of the incident (Krebs, 2013).
JPMorgan Chase, America’s largest bank, announced that it had been on the receiving end of a
cyber attack which resulted in a vast number of customers’ accounts being compromised. It is
said that the breach affected 76 million households and 7 million small businesses and was
cited at the time as one of the largest ever intrusions. The company stated in its defence
that, although user contact details were compromised, there was insufficient evidence to show
that information pertaining to customers’ accounts, such as account numbers, passwords and
Social Security numbers, had been compromised (Silver-Greenberg, et al., 2013).
Another company experiencing a massive data breach was eBay. In May 2014, hackers stole
private information belonging to 145 million users. Then in June, StubHub, eBay’s event
ticket reseller platform, was attacked, allowing hackers to obtain and resell event tickets,
resulting in a $1 million profit. Unfortunately for eBay, this was not the end of its troubles,
as it later transpired that customers had been part of a phishing scam in which they were
redirected to malicious sites, thereby allowing hackers to obtain their passwords and other
personal information (Cozza, 2014).
With the rise in the number of attacks and the increase in their complexity, the traditional
layers of defence, namely Demilitarized Zones (DMZ), Firewalls (hardware or software),
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), are no longer
enough to keep organisations’ systems and data secure. Implementing SIEM software, with the
ability to collect and analyse large amounts of data from various sources, gives companies a
further layer of defence and the opportunity to detect and mitigate these attacks and future
attacks.
1.3 Aims and Objectives
The overall aim of this dissertation is to determine whether by using a SIEM architecture it is
possible to detect and block scanning/information gathering attacks and brute force dictionary
attacks prior to sensitive information being stolen or any damage being caused to the system.
In order to meet this aim, the following objectives must be met:
1. Research and review Attack Taxonomies covering topics such as Cyber Adversaries,
Classification of Attacks and Attack Patterns. Further research and review Defence in
Depth, Big Data Analytics and SIEM.
2. Design and implement a prototype SIEM architecture.
3. Simulate brute force dictionary attacks against multiple protocols and import log data
from a variety of sources into a SIEM software package and carry out an analysis of
the data.
4. Evaluate whether it is possible by identifying certain patterns in the data, to detect and
therefore block the attack and whether when carrying out the attacks at a much slower
speed, it is still possible to detect the attacks.
1.4 Dissertation Structure
This dissertation is divided into the following six chapters:
• Chapter 1 - Introduction: This chapter contains an overview of the project and
provides a background as to why SIEM software is now a necessity when it comes to
organisations detecting and mitigating today’s advanced attacks. The project aim and
objectives are also outlined as is the structure of the dissertation. Due to the nature of
the project, a section on the ethics surrounding brute force attacks is also covered.
• Chapter 2 - Literature Review: The Literature Review covers several different areas
of research. The initial research covers areas such as cyber adversaries, classifications
of attacks and patterns of attacks. The literature review then examines how a defence
in depth approach provides organisations with the best means of defending against
cyber threats and finally, there follows a review of defence mechanisms; Intrusion
Detection Systems, Big Data Analytics and SIEM.
• Chapter 3 - Design: Following on from the conclusion reached in the Literature
Review, this chapter presents a design for the prototype SIEM architecture with
justification for design choices made. An overview of the attacks and of the proposed
detection methods is also provided as are details of the attack tools that are necessary
to carry out the attacks.
• Chapter 4 - Implementation: This chapter examines in detail how the design was
implemented in a cloud environment using a series of virtual machines to create the
required network scenario. The commands used to carry out the attacks, the Snort
rules used to detect the attacks and the Splunk rules that will be used to analyse and
filter the log data will be further explained.
• Chapter 5 - Evaluation: A description and evaluation of the experiments carried out
in order to determine whether it is in fact possible to detect and mitigate brute force
dictionary attacks is provided in this chapter. The results of those experiments are also
provided along with an analysis of those results.
• Chapter 6 - Conclusion: This chapter provides a conclusion to the dissertation and
examines how the aim and objectives were met. There follows a critical analysis of
the project as a whole and finally, a section on future work surrounding the subject
area of this project is presented.
1.5 Ethics
Due to the nature of this dissertation and the attack tools that will be used to carry out the
information gathering attack and the brute force dictionary attacks, there are some ethical
concerns that must be taken into account. Due to these factors, the prototype architecture will
be created in a virtualised environment with no access to any other networks. In accordance
with the Code of Conduct for BCS Members (British Computer Society, 2011) the following
rules will be adhered to:
• have due regard for public health, privacy, security and wellbeing of others and the
environment.
• not claim any level of competence that you do not possess.
• avoid injuring others, their property, reputation, or employment by false or malicious or
negligent action or inaction.
2 Literature Review
2.1 Introduction
The literature review initially provides the reader with research on cyber adversaries and the
motivation behind cyber attacks. Further research is then presented on the classification of
attacks which looks in detail at scanning/information gathering attacks and brute force attacks
and finally, the stages that an attack or intrusion will typically follow are investigated.
Additional research examines how a Defence in Depth approach provides a means of
defending against cyber threats and finally, there follows a review of defence mechanisms;
Intrusion Detection Systems, Big Data Analytics and SIEM. A conclusion is subsequently
reached which ascertains that in order to prevent, detect and predict today’s more complex
attacks a security strategy which incorporates Firewalls, Intrusion Detection Systems and
SIEM, with the ability to analyse large data sets, is required.
2.2 Cyber Adversaries – A History
According to Meyers et al. (2009) it was not until the early 1980s, when personal computers
became more readily available that any kind of study was undertaken with regards to cyber
adversaries and when the term ‘hacker’ was first introduced, it referred only to people who
were highly skilled at programming and manipulating operating systems. The works of
Raymond (2003) and Walleij (1998) indicate that the first hackers originated from MIT and
were simply a group of curious students who excelled at programming and who liked nothing
better than to experiment and explore the capabilities of computers and computer technology.
As per Murphy et al. (1983) however it was not until a few years later following an incident
involving six teenagers referred to as the ‘414 gang’ who broke into 60 computer systems and
were subsequently arrested, that the term ‘hacker’ came to mean ‘an individual engaging in
malicious activity’. Lawson (2001) observes that today, however, many people within the
computer science sector argue that this terminology is in fact incorrect and that a more
appropriate term for these individuals is ‘cracker’.
Meyers et al. (2009) state that in 1985, Landreth, himself a skilled hacker, was one of the first
to attempt to classify the cyber adversary community. Landreth & Rheingold (1985) proposed
dividing those belonging to the hacking community into the following five categories:
• Novices
• Students
• Tourists
• Crashers
• Thieves
Novices were defined primarily as youths, who were on the whole just interested in making
mischief, who lost interest after a short while and were prone to making mistakes. The
students category, as defined by Landreth & Rheingold, is reminiscent of Raymond’s (2003)
and Walleij’s (1998) description of the first hackers, students from MIT who engaged in this
type of activity purely for the cerebral challenge, who had little or no criminal intent and who
simply aspired to accumulate information about infiltrated systems. Tourists were described
as individuals who saw hacking as a personal challenge, who were in it for the thrill of it.
Crashers, however, were seen as destructive individuals who deliberately set out to cause
damage to systems or information and egoists who wanted their exploits to be known about
and consequently derived pleasure from the recognition. Landreth & Rheingold’s final
category, thieves, consists, as the name implies, of criminals who generally seek to profit from
their malevolent behaviour. These hackers were recognised as the most treacherous, with
superior technical skills and a thorough knowledge of their intended target (Landreth &
Rheingold, 1985).
In 1996, a large-scale study of 164 known hackers of various ethnicities was carried out.
Chantler (1996) argued that hacking behaviour could be compartmentalised according to a
number of different characteristics, such as knowledge, motivation, prowess and length of
time spent carrying out an attack. From the results of this study, which were derived from
surveys and interviews, Chantler proposed dividing the hacking population into the following
three categories:
• Losers and lamers
• Neophytes
• Elites
According to Chantler’s research, the losers and lamers were of limited intellect and were
predominantly motivated by greed and vengeance. Neophytes in Chantler’s opinion however
were more intellectually advanced than the losers and lamers, wanting to follow in the
footsteps of the elites and further their knowledge. The final category proposed, the elites,
were identified as individuals with superior technical skills who found the test of their
abilities to be stimulating, who enjoyed the sense of exhilaration and derived pleasure from
their feats of accomplishment.
Meyers et al. (2009) cite the works of Rogers (1999), (2000), (2001) and (2006) as being ‘the
most comprehensive study of cyber adversaries and their motivations’. Rogers’ earliest work
(Rogers, 1999) proposed a new taxonomy of hackers. After having examined earlier research
that had previously been done in this area, some of which has been mentioned earlier in this
report, Rogers proposed the following seven categories:
• Newbie/tool kit
• Cyber-punks
• Internals
• Coders
• Old guard hackers
• Professional criminals
• Cyber terrorists
Rogers ordered these categories starting with those with the least technical ability to those
with the highest technical ability. The newbie/tool kit category, Rogers classified as hacking
novices, who had only basic coding skills and who had to depend on existing hacking tools to
enable them to carry out their attacks. The cyber-punks’ programming ability however was
slightly more advanced than the newbies in that they were able to write some of their own
code and were more knowledgeable about the systems they were attacking. They also
deliberately engaged in malicious activities including theft and fraud. The internals consisted
of disgruntled or former employees, possibly from an IT background, who had the capacity
to carry out attacks due to the level of access they had been granted for their post. To this day,
this category accounts for a very large proportion of security breaches. Rogers’ definition of
old guard hackers is comparable to that of the student category defined by Landreth &
Rheingold (1985) in that these individuals were not criminally minded and were interested
purely in the intellectual challenges of hacking and furthering their knowledge, similar to the
first generation of hackers originating from MIT as described by Raymond (2003) and Walleij
(1998). The final categories of professional criminals and cyber terrorists Rogers cites as
being the most dangerous, classifying them as highly skilled criminals with access to high-
tech equipment. These categories as defined by Rogers, bear a close resemblance to that of
Landreth & Rheingold’s (1985) ‘thieves’.
Rogers’ more recent work (Rogers, 2006) proposes a more up to date taxonomy that draws
upon his earlier work (Rogers, 1999) and the works of Furnell (2002) and Gordon (2002).
This revised version contains the following nine categories:
• Novice
• Cyber-punks
• Internals
• Petty thieves
• Virus Writers
• Old guard hackers
• Professional criminals
• Information Warriors
• Political activist
In Figure 2, Rogers shows the nine defined categories, their level of skill and the motivation
behind their various activities.
Figure 2: Hacker circumplex (Rogers, 2006)
Note: Novice (NV), Cyber-punks (CP), Petty Thieves (PT), Virus writers (VW), Old Guard hackers (OG),
Professional Criminals (PC), Information Warriors (IW), Political Activists (PA)
The final taxonomy of cyber adversaries this report will consider is one proposed by Meyers
et al. (2009) which suggests separating hackers into the following eight categories:
• Script kiddies, newbies, novices
• Hacktivists, political activists
• Cyber punks, crashers, thugs
• Insiders, user malcontents
• Coders, writers
• White hat crackers, old guard, sneakers
• Black hat hackers, professionals, elite
• Cyber terrorists
Although this is a more up to date study, the definitions for the eight categories provided by
Meyers et al. (2009) are in fact based heavily on Rogers’ works (Rogers, 2000), (Rogers,
2006) as well as other previously carried out studies some of which have already been
examined in this report (Chantler, 1996) and (Landreth & Rheingold, 1985). When
comparing the above taxonomies, in particular that of Landreth & Rheingold which dates
back to 1985 and the most recent work this report examines, that of Meyers et al., which was
proposed some fourteen years later, it can be seen that although Meyers et al. propose more
categories of hackers than Landreth & Rheingold, the definitions and skills of the various
individuals involved in hacking activities are in fact extremely similar with the exception of
the cyber terrorists whose goal according to Meyers et al. is to cause damage or destruction to
an enemy nation’s infrastructure or data. So, although some of the characteristics of hackers
remain unchanged from years ago, it is apparent that the motivation behind some attacks and
the goals of some hackers today, are far more sinister than in previous years.
2.3 Attack Taxonomy
2.3.1 Classification of Attacks
Various papers have been written over the years proposing taxonomies intended for
classifying attacks. Some papers concentrated on particular types of attack such as the works
of Collins et al. (2006) and Weaver et al. (2003), who studied various types of worms. Lough
(2001) provided an attack taxonomy specifically relating to the field of wireless networks and
Specht & Lee (2004) and Wood & Stankovic (2004) both proposed a classification system
which focussed on Distributed Denial of Service Attacks (DDoS) and the various ways to
defend against them.
One of the earliest general attack taxonomies was proposed by Neumann and Parker (1989),
which put forward nine different categories of attacks for consideration. These can be
seen in Figure 3 ‘Classes of Computer Misuse Techniques’.
Figure 3: Classes of Computer Misuse Techniques (Neumann & Parker, 1989)
Hansman and Hunt (2004), however, provide a different type of taxonomy focussing more on
specific types of attack which would, for all intents and purposes, fall under the
headings Neumann and Parker had initially proposed. Their eight suggested categories are as
follows: Viruses, Worms, Buffer Overflows, Denial of Service Attacks, Network Attacks,
Physical Attacks, Password Attacks and Information Gathering Attacks. A more
comprehensive classification system is provided by Buchanan (2011) which, although it
primarily uses the same categories proposed by Neumann and Parker in 1989, includes an
additional class of ‘Pests’. Examples of attacks that fall into these categories are also
specified and defined. As it would not be possible to address every type of attack in this
report, for the purposes of this dissertation Scanning/Information Gathering Attacks and
Brute Force Attacks will be examined in detail.
Scanning/Information Gathering Attacks
Attacks on networks are generally approached in several stages; this is further explored in
Section 2.3.2 Attack Patterns. During the first stage, an attacker may try to probe or scan a
network looking to find a vulnerability or point of entry. Valuable information can be gained
from scanning/information gathering attacks, such as the network topology, the kind of traffic
permitted through the firewall, which hosts are active on the network, which services are
running and details of the operating system being used. Shaikh et al. (2008) observe that the
more information an intruder has of their intended target, the higher the probability there is of
the intruder then being able to carry out an attack successfully and furthermore avoid
detection. Buchanan (2011) asserts that any sign of scanning or probing activities should be
seen as a sure sign of a forthcoming security breach. Shaikh et al. (2008) further suggest that
in order to avert security breaches, these information gathering/probing attacks must be
detected as early as possible. The works of de Vivo et al. (1999) identify many different types
of scanning techniques such as TCP SYN scanning, stealth scanning and indirect scanning. In
the case of TCP SYN scanning, the attacker sends a SYN to any number of ports on the
victim machine; if the port is open, a SYN ACK is returned, and if the port is closed, a RST ACK
is returned. Stealth scanning differs from SYN scanning in that it uses FIN packets instead of
SYN segments. If the port is closed, as with SYN scanning, a RST ACK is returned,
however, if the port is open the FIN segment is merely dropped. Indirect scanning involves
the use of spoofed IP addresses with the sole intent of hiding the location of the intruder.
According to Bace & Mell (2001), many different tools can be used for the purpose of
scanning and information gathering such as network mappers, port mappers, network
scanners, port scanners or vulnerability scanners to gain valuable information about a
network. Nmap, a well-known and popular network mapper, is a free and open source utility
used by millions of people ranging from novices to highly skilled hackers. Nmap can be used
by attackers during the reconnaissance phase of an attack, to quickly scan a range of devices
in order to gain valuable information about the network and identify any potential
vulnerabilities or possible points of entry to the system (Lyon, 2009). Nmap can perform a
variety of scans including ping sweeps to identify which hosts are active on the network and
operating system scans which allow the attacker to glean details about the operating system
being used and port scans which will identify which ports are open and which services are
running on the network.
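As an added illustration of the SYN and FIN probe behaviour described above (example code written for this review, not part of the dissertation), the following models the host's expected reply to each probe type and flags any source that probes many distinct ports on one host within a short window, which is the signal an IDS on the monitored side would key on for either scan. The packet record format, the sample traffic and the thresholds are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One observed TCP segment (constructed record format, not a real tool's)."""
    ts: float     # capture time in seconds
    src: str      # source IP
    dst: str      # destination IP
    dport: int    # destination port
    flags: str    # TCP flag letters in tcpdump-style notation: S, A, F, R


def expected_reply(probe: str, port_open: bool) -> Optional[str]:
    """Host behaviour the text describes: SYN to an open port gets SYN/ACK,
    SYN to a closed port gets RST/ACK; a bare FIN to a closed port gets
    RST/ACK but a FIN to an open port is silently dropped (None)."""
    if probe == "syn":
        return "SA" if port_open else "RA"
    if probe == "fin":
        return None if port_open else "RA"
    raise ValueError(probe)


def probe_kind(pkt: Packet) -> Optional[str]:
    """A SYN-only segment is a connection attempt (or SYN probe); a FIN-only
    segment on no established connection is a stealth probe."""
    flags = set(pkt.flags)
    if flags == {"S"}:
        return "syn"
    if flags == {"F"}:
        return "fin"
    return None


def detect_scans(packets: Iterable[Packet], window: float = 10.0,
                 min_ports: int = 20) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs where one source sends SYN-only or FIN-only
    probes to at least min_ports distinct ports within `window` seconds."""
    probes: Dict[Tuple[str, str, str], List[Tuple[float, int]]] = defaultdict(list)
    for p in sorted(packets, key=lambda x: x.ts):
        kind = probe_kind(p)
        if kind is not None:
            probes[(p.src, p.dst, kind)].append((p.ts, p.dport))

    findings = {}
    for (src, dst, kind), events in probes.items():
        start = 0
        for end in range(len(events)):
            # keep events[start:end+1] inside the time window
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {dport for _, dport in events[start:end + 1]}
            if len(ports) >= min_ports:
                findings[(src, dst)] = {
                    "kind": kind,
                    "ports": len(ports),
                    "first_ts": events[start][0],
                    "last_ts": events[end][0],
                }
                break
    return findings


def sample_traffic() -> List[Packet]:
    """Constructed traffic: a normal client, a SYN scanner and a FIN scanner."""
    pkts = []
    # legitimate client: repeated connections to SSH and HTTP only
    for i in range(6):
        pkts.append(Packet(ts=1.0 + i, src="10.0.0.5", dst="10.0.0.10",
                           dport=22 if i % 2 else 80, flags="S"))
    # SYN scan of 40 ports in two seconds
    for i in range(40):
        pkts.append(Packet(ts=20.0 + i * 0.05, src="10.0.0.66",
                           dst="10.0.0.10", dport=1 + i, flags="S"))
    # FIN (stealth) scan of 25 ports
    for i in range(25):
        pkts.append(Packet(ts=40.0 + i * 0.1, src="10.0.0.77",
                           dst="10.0.0.10", dport=100 + i, flags="F"))
    return pkts


if __name__ == "__main__":
    for key, info in detect_scans(sample_traffic()).items():
        print(key, info)
```

Because an open port answers a FIN probe with nothing, the FIN scan produces fewer reply packets than the SYN scan; the detector therefore counts the probes themselves rather than the replies.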
Brute Force Attacks
Tasevski (2011) suggests that the foremost method of controlling access to systems is by
means of passwords. Users must input passwords in order to identify themselves to the system
and to gain access to the required resources. Other research suggests however that passwords
are soon to be a thing of the past as they present a large security risk and that the use of
biometrics is becoming more prevalent as a standard authentication mechanism due to the fact
that biometric characteristics are unique to each individual (Chin-Chuan, 2003), (Brown,
2003). Whitman & Mattord (2012) note that in order for an attacker to gain entry to a system,
access to a valid user name and password must be acquired. Drasar’s research (2013)
intimates that attackers play on the fact that users are apt to select weak passwords, leaving
them open to attack. Vykopal (2013) agrees, stating that attackers presume users select
passwords that are either short or names or words from the dictionary. Whitman & Mattord
(2012) and Vykopal (2013) note that acquiring a valid user name and password can
be achieved in one of two ways: either by carrying out a brute force attack, which uses random
combinations of all characters and can be very time consuming, or a dictionary attack, which is
a variation of a brute force attack that uses lists of commonly known user names and
passwords. Vykopal (2013) proposes two categories of brute force attacks, simple or
distributed. In simple attacks, all the authentication attempts come from a single host,
whereas with distributed attacks, many different hosts initiate a much smaller number of
authentication requests thus making the attack much more problematical to detect. Once an
attacker has gained a foothold on the system by accessing a user account, Buchanan (2011)
affirms that it is then possible by using those credentials to secure further information about
the system and advance up the privilege levels. If the attacker were then able to obtain the
Administrator’s credentials with the highest level of privileges, it would be possible for the
intruder to cause untold damage to the system or to steal confidential information.
An example of a tool which can be used to perform such attacks is Hydra. Hydra is an
extremely fast logon cracker that can be used to carry out brute force dictionary attacks
against many different protocols including FTP, Telnet, SMTP and HTTP (THC-Hydra,
2014). In order to carry out the attack, files containing well known user names such as
administrator, guest and root, and commonly used passwords must be provided to the utility
as well as the IP address of the target. Hydra will then endeavour to crack the user name and
password by trying every combination of the supplied user names and passwords. If
successful, Hydra will discontinue the attack and return the correct username and password.
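As an added example (written for this review, not taken from the dissertation or from Hydra), the following detection logic separates Vykopal's simple and distributed categories in OpenSSH-style syslog lines: a single source crossing a failure threshold versus one account targeted from many sources that each stay below it. The log lines, host name, thresholds and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Iterable, List, Tuple

# OpenSSH syslog failure line, e.g.
#   Apr 12 10:00:00 host1 sshd[4242]: Failed password for invalid user admin from 198.51.100.1 port 51000 ssh2
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)

Event = Tuple[datetime, str, str]  # (time, source IP, target account)


def parse_failures(lines: Iterable[str], year: int = 2015) -> List[Event]:
    """Extract failed-login events; syslog lines carry no year, so one is supplied."""
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"]))
    return sorted(events)


def _max_in_window(items: List[Tuple[datetime, str]], window: timedelta,
                   measure) -> int:
    """Slide a time window over time-sorted (time, value) pairs and return the
    largest measure(values in window) seen."""
    best, start = 0, 0
    for end in range(len(items)):
        while items[end][0] - items[start][0] > window:
            start += 1
        best = max(best, measure([v for _, v in items[start:end + 1]]))
    return best


def detect_simple(events, window, threshold):
    """Simple attack: one source produces >= threshold failures within the window."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    hits = {}
    for src, items in by_src.items():
        n = _max_in_window(items, window, len)
        if n >= threshold:
            hits[src] = n
    return hits


def detect_distributed(events, window, min_sources, exclude=frozenset()):
    """Distributed attack: one account is hit from >= min_sources distinct sources
    within the window, ignoring sources already flagged as simple attackers."""
    by_user = defaultdict(list)
    for ts, src, user in events:
        if src not in exclude:
            by_user[user].append((ts, src))
    hits = {}
    for user, items in by_user.items():
        n = _max_in_window(items, window, lambda vals: len(set(vals)))
        if n >= min_sources:
            hits[user] = n
    return hits


def analyse(lines, window=timedelta(minutes=10), per_source=10, min_sources=5):
    events = parse_failures(lines)
    simple = detect_simple(events, window, per_source)
    distributed = detect_distributed(events, window, min_sources, exclude=set(simple))
    return {"simple": simple, "distributed": distributed}


def sample_log() -> List[str]:
    """Constructed log: a user mistyping twice, one host hammering root,
    and eight hosts each trying 'admin' only twice."""
    base = datetime(2015, 4, 12, 10, 0, 0)

    def line(t, user, src, invalid=False):
        who = f"invalid user {user}" if invalid else user
        return (f"{t:%b %d %H:%M:%S} host1 sshd[4242]: Failed password for "
                f"{who} from {src} port 51000 ssh2")

    lines = [line(base, "alice", "10.0.0.5"),
             line(base + timedelta(seconds=30), "alice", "10.0.0.5")]
    for i in range(15):
        lines.append(line(base + timedelta(seconds=10 * i), "root", "203.0.113.7"))
    for i in range(8):
        for j in range(2):
            lines.append(line(base + timedelta(minutes=i, seconds=20 * j),
                              "admin", f"198.51.100.{i + 1}", invalid=True))
    lines.append(f"{base + timedelta(minutes=5):%b %d %H:%M:%S} host1 sshd[4242]: "
                 "Accepted password for alice from 10.0.0.5 port 51000 ssh2")
    return lines


if __name__ == "__main__":
    print(analyse(sample_log()))
```

The per-source rule alone never fires on the eight distributed hosts, which is the detection gap Vykopal describes; only the per-account view across sources exposes that attack.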
2.3.2 Attack Patterns
Whitman and Mattord (2012) define an attack as ‘an intentional or unintentional act that can
cause damage to or otherwise compromise information and/or the systems that support it’. An
attack or intrusion typically follows a pattern consisting of several stages. Barnum et al.
(2007) write that attack patterns make it possible to classify attacks in a way that can assist
in the design of appropriate security solutions and that armed with the knowledge of how
specific attacks are carried out, what stages an attack will go through and the motivation
behind the attack, it is possible to implement measures to prevent these attacks. Mohay et al.
(2003) suggest that this pattern is made up of three stages; the reconnaissance phase, the
attack phase and the ‘pay off and exit’ phase. The reconnaissance phase defined by Mohay et
al. involves gathering information that will enable the attacker to identify a vulnerability in
the system. The attack phase subsequently involves exploiting that vulnerability thereby
allowing the attacker to gain access to the system. Depending on motive, the final stage, the
‘pay off and exit’ phase could see the attacker accessing, corrupting or destroying information
resulting in a breach of confidentiality, integrity or availability. The work of Buchanan
(2011) provides a more detailed account of attack patterns and proposes five attack phases
colour coded from yellow to red according to level of severity. Figure 4, shows the five
attack phases as identified by Buchanan with additional information as to what could be
expected during each phase of an attack.
Outside Reconnaissance: attacker gathers information already in the public domain, such as
domain names or IP addresses.
Inside Reconnaissance: using network scanning tools such as Nmap, the attacker attempts to
gain more detailed information, e.g. network topology, active hosts on the network (ping
sweep), location of devices and open ports (TCP/UDP scans) and account scans (scanning
user IDs for weak passwords).
Exploit: attacker finds a weakness, such as cracking a password (brute force attack,
dictionary attack) or breaching a firewall.
Foothold: once inside, the attacker can then advance up the privilege levels.
Profit: data stealing, system damage, user abuse, fraud, terrorism, financial gain, political
gain, resource utilisation (DoS).
Figure 4: Pattern of Attack - adapted from (Buchanan, 2011)
In relation to the above diagram, the outside reconnaissance phase sees the attacker gathering
information about the intended target that is already in the public domain, such as domain
names or IP addresses. During the inside reconnaissance phase, the attacker attempts to gain
more information such as the network topology, the kind of traffic permitted through the
firewall, which hosts are active on the network and details of the operating system being
used. Various scanning tools can be used during the reconnaissance phase of an attack, to
quickly scan a range of devices in order to gain valuable information about the network and
identify any potential vulnerabilities or possible points of entry to the system. Once an
attacker has discovered a weakness that they can exploit, such as cracking a password, they
can then gain entry to the system and once inside, gather more information that will allow
them to advance up the privilege levels.
Barnum et al. (2007) however take a different approach and suggest that in addition to the
chain of events an attacker will follow to carry out a specific type of attack, an attack pattern
should consist of the following information:
• Pattern Name and Classification
• Attack Prerequisites
• Description
• Related Vulnerabilities or Weaknesses
• Method of Attack
• Attack Motivation-Consequences
• Attacker Skill or Knowledge Required
• Resources Required
• Solutions and Mitigations
• Context Description
• References
It can be deduced from the above works, that attack patterns most definitely have a place in
the field of security and that by identifying attack specific information, such as why and how
different types of attack are carried out and the skills and goal of the attacker, it should then
be possible to implement the correct security measures in order to detect or even prevent
certain attacks.
Advanced Persistent Threat
According to an RSA Security Brief (Curry, et al., 2011), Advanced Persistent Threats
(APTs) are one of the most dangerous and rapidly growing threats to information security that
organisations are being confronted by today. The term Advanced Persistent Threat is defined
by The National Institute of Standards and Technology (NIST) as ‘an adversary that possesses
sophisticated levels of expertise and significant resources which allow it to create
opportunities to achieve its objectives by using multiple attack vectors’ (Ross, et al., 2010).
Curry et al. (2011) indicate that although in the past, these attacks were generally aimed at
military and political targets, it would appear now, that more and more, attackers are directing
these attacks at enterprise targets for monetary reward. Thomson (2011) however states that
the motivation behind some of these attacks is to highlight security problems or purely for the
purpose and pleasure of causing chaos. Schwartz (2011) points out that RSA was recently on
the receiving end of one of these targeted attacks. RSA later stated however that after a
thorough investigation, the attackers were not targeting their customers’ financial details, but
that the intended targets were more than likely the defence sector and other government
related departments. Whatever the attackers’ motive in this instance, the attack subsequently
cost the organisation in the region of $66 million in direct costs alone.
Advanced Persistent Threats are regarded as ‘low and slow’. ‘Low’ meaning that the attacks
are carried out in a covert manner in order to avoid detection and ‘slow’ referring to the
measured and unhurried way in which the attacks are carried out (Giura & Wang, 2013),
(Tankard, 2011). Giura & Wang (2013) state that although each attack is individually tailored
and adapted for the specific target, the phases they go through are analogous, however, it
would appear that there are varying opinions as to how many stages there actually are and
what each of these stages entails. Smith (2013) suggests that APT attacks go through
three specific stages: Access Expansion, Persistence and Asset Targeting and Exfiltration.
Thonnard et al. (2012) however propose the following four phases: Incursion, Discovery,
Capture and Exfiltration. Giura & Wang (2013) and Dalal (2012) take this even
further, specifying six stages: Reconnaissance, Delivery, Exploitation, Operation, Data
Collection and Exfiltration.
Figure 5 illustrates the typical stages, as defined by Giura & Wang (2013), that an Advanced
Persistent Threat will follow.
Reconnaissance: network scan; network mapping; employee profiling; search zero day
exploits.
Delivery: craft targeted email; create malware (RAT); set up malicious URL; send
spear-phishing email.
Exploitation: deliver spear-phishing email; exploit employee user machine; collect user
credentials; scan internal network.
Operation: locate target data; target most privileged users; elevate access privileges; access
sensitive data.
Data Collection: select intermediary staging servers; move sensitive data; pack and compress
data; encrypt data.
Exfiltration: select drop servers; establish large C&C channels; initiate external connections;
exfiltrate data.
Figure 5: Typical Stages of an APT – adapted from (Giura & Wang, 2013)
There follows a short description of what each of these stages actually entails as defined by
Giura & Wang (2013) and Dalal (2012).
• Reconnaissance Phase: The attacker gathers information about the network and specific
employees, determining who to target and how.
• Delivery Phase: The attacker composes and sends an email to particular individuals
which contains a malicious attachment or directs them towards an infected website.
• Exploitation Phase: The spear-phishing email is delivered allowing attack tools to be
installed thereby enabling the attacker to gain more information about the internal network
such as security configurations, usernames and passwords.
• Operation Phase: The attacker maintains a continuing presence in the network trying to
identify where the organisation’s sensitive information is stored, who has access to it and
how they can gather the information and then transport it out of the network.
• Data Collection Phase: Using credentials obtained in the Exploitation and Operation
phases, the attacker accesses the targeted information, divides it up, compresses it and
encrypts it in readiness for exporting it out of the network to a predefined location.
• Exfiltration Phase: During the final phase of the attack, the information is moved out of
the network via encrypted channels to one or more ‘drop points’. Once the information is
in the hands of the attacker, it can be sold or used for the purposes of extortion.
Virvilis et al. (2013) suggest that APT attacks cannot be detected merely by using normal
security measures such as Intrusion Detection Systems (IDS) and Intrusion Prevention
Systems (IPS) as these tend to operate in real time and will only generate alerts for attacks
taking place over a short window of time. As APTs are generally carried out over a longer
period of time, it is quite possible for them to go undetected. Virvilis et al. propose that rather
than focussing on trying to detect these attacks with tools that concentrate on real-time
incidents, Big Data Analytics are essential for preventing such attacks. Tankard (2011) also
notes that by analysing data collected from a variety of sources over a much longer period of
time, it is deemed possible to detect less obvious attack indicators such as an increase in failed
login attempts, excessive network traffic and unusual resource utilisation (Virvilis, et al.,
2013), (Tankard, 2011). Smith (2013) suggests that only a defence in depth approach to
security will help to prevent these more sophisticated forms of attack, that there is no
single solution, and that it is not only network security that needs to be continuously assessed:
educating staff in order to prevent them from opening unsolicited emails or clicking
on links is also a crucial factor in maintaining secure systems. Thomson (2011) agrees that
additional security measures are required in order to detect and hopefully prevent these types
of attacks and that a layered approach to security is a necessity. Thomson also notes that
particular attention should be paid to those staff that are most likely to be targeted.
It can be concluded from the above research that although the traditional security measures of
Intrusion Detection Systems and Intrusion Prevention Systems are inadequate when it comes
to detecting and preventing Advanced Persistent Threats due to the ‘low and slow’ modus
operandi of these attacks, Big Data Analytics, with the ability to collect and analyse data over
a long period of time, offers a solution to this problem.
2.4 Defence in Depth
The term defence in depth originates from the military perspective of positioning multiple
layers of defence in the path of an attacker for the purpose of slowing them down (Buchanan,
2011), (Andress & Winterfield, 2014). Andress & Winterfield (2014) note that it is not
viable for organisations to presume to create a situation where their defences are in fact
impassable, however, through employing numerous security strategies, it should be possible
to hamper attackers’ efforts for long enough in order to be able to detect their actions or even
deter them altogether. The National Security Agency (2014) proposes that in order for
organisations to successfully defend against attacks, it is imperative that possible adversaries
and their motivations are identified as well as the types of attack that may be carried out
against them. Whitman & Mattord (2012) suggest that these layers of defence should be
structured to include: security policy, an ongoing staff training and education programme and
technology. The NSA (National Security Agency, 2014) suggests that in order for
organisations’ assets to be adequately protected, the defence in depth approach needs to
incorporate the following three entities: people, technology and operations.
Virvilis et al. (2013) emphasise that with cyber attacks becoming more and more prevalent
and where the consequences of such attacks, particularly in relation to the military and
government, can result in the loss of life, it is essential to recognise the challenges and
limitations faced by existing technologies in relation to today’s more complex attacks. In
2013, Gartner stated that “Prevention is futile in 2020. Advanced targeted attacks make
prevention-centric strategies obsolete” (Gartner, 2013). In a subsequent report published in
2014, Gartner suggested that in order to achieve across-the-board protection, ‘an adaptive
protection process integrating predictive, preventive, detective and response capabilities’
was necessary and that a shift in thinking was required, moving from ‘incident response’ to
‘continuous response’, ‘wherein systems are assumed to be compromised and require
continuous monitoring and remediation’ (Gartner, 2014). Figure 6, taken from a Gartner
Presentation entitled ‘The Five Styles of Advanced Threat Defense’ (Orans, 2014) looks at
the technologies required for defending against targeted attacks and shows what stage
mainstream enterprises are at when it comes to implementing these strategies.
Figure 6: Defending Against Targeted Attacks (The Five Styles of Advanced Threat Defense - Gartner
Presentation) (Orans, 2014)
It can be determined from the above research that, with cyber attacks becoming more
prevalent and with the emergence of Advanced Targeted Attacks, it is not possible for
organisations to create a situation where their defences are impenetrable. However, by
employing numerous security strategies and by taking a new approach to security, whereby
systems are presumed to be compromised and require continuous monitoring and
remediation, it should be possible to achieve comprehensive protection.
2.5 Defence Mechanisms
2.5.1 Intrusion Detection Systems
Bace & Mell (2001) define intrusions as “attempts to compromise the confidentiality,
integrity or availability, or to bypass the security mechanisms of a computer or network.”
Whitman & Mattord (2012) presume that, most often, intrusions are carried out by outsiders;
however, Scarfone & Mell (2007) dispute this, stating that although many security intrusions
come from outside the organisation, many incidents are actually the result of authorised users
abusing their privileges, and some threats may in fact be the result of human error. According
to the works of Scarfone & Mell (2007) and Bace & Mell (2001), in order to detect intrusions,
computer system and network events must be continuously monitored and analysed.
As indicated by Bace & Mell (2001), there are three main working components that are
fundamental to the makeup of an Intrusion Detection System. These are as follows:
 Information Sources: The computer system and network events which are monitored in
order to ascertain whether an intrusion has occurred.
 Analysis: The component of the IDS that analyses the computer system and network
event information in order to determine whether an intrusion is currently taking place or
has already occurred.
 Response: Relates to the actions that are carried out by the IDS once an intrusion has
been detected; these are classified as either active responses or passive responses. In the
case of active responses, the IDS automatically deals with the intrusion, whereas in the
case of passive responses, the IDS relays its responses, generally in the form of an alarm
or notification, to a user, oftentimes an Administrator, in order that a decision on how to
react may be made (Bace & Mell, 2001).
Ruiz-Martinez, et al. (2014) note that there are four ways that an IDS can respond to event
information:
 True Positive: The IDS generates an alarm and an intrusion has taken place
 False Positive: The IDS generates an alarm, but the events detected are in fact legitimate
 True Negative: The IDS does not generate an alarm and no intrusion has taken place
 False Negative: The IDS does not generate an alarm although an intrusion has occurred
Intrusion Detection Systems (IDS) fall into two categories: signature based or anomaly based.
According to Scarfone & Mell (2007), signature based intrusion detection systems, which use
pattern matching, provide the most accurate method for detecting known attacks. Whitman &
Mattord (2012) note however that one disadvantage of signature based detection is that since
previous knowledge of an attack is necessary, unless new signatures are constantly added,
new attacks may go undetected. One example of a signature based IDS is Snort. Snort is an
open source IDS/IPS that is capable of real-time traffic analysis. Martin Roesch (1999) refers
to Snort as a “lightweight network intrusion detection tool” suited to monitoring smaller scale
networks. Snort is preconfigured with a set of built in pre-processor rules that will detect
many forms of attack, however, it is also relatively easy to create new rules in order to be able
to adapt to new forms of attack.
Scarfone & Mell (2007) observe that anomaly based IDS monitor the behaviour of users,
hosts or network connections. Information is gathered with regards to normal system or user
activity and used to set a baseline. If the behaviour then deviates from that norm, the change
can thus be seen as suspicious activity and logged. Whitman & Mattord (2012) note that one
advantage of this anomaly based approach is that new attacks can be detected; however, this
type of detection does have its limitations. First, it is still possible for a user to carry out
malicious activities without deviating from their normal behaviour pattern, and second, due to
the erratic behaviour of networks and users, it generally produces a lot of false positives.
It can be concluded from the above research that both signature based IDS and anomaly based
IDS have their place when it comes to detecting intrusions, both have advantages and both
have disadvantages.
2.5.2 Big Data Analytics
According to a study carried out by IDC (International Data Corporation), Gantz and Reinsel
(2012) report that between the start of 2005 and the end of 2020 the amount of ‘digital data
created, replicated and consumed’ will increase three hundred fold from 130 exabytes to
40,000 exabytes which is equal to 5,200GB per person. Figure 7 shows that from the start of
2010 to the end of 2020, the total amount of digital data will increase by a factor of 50.
[Figure 7 is a bar chart, not reproduced here: exabytes of digital data per year from 2009 to 2020, y-axis from 0 to 40,000 exabytes, titled ‘THE DIGITAL UNIVERSE: 50-Fold Growth from the Beginning of 2010 to the End of 2020’.]
Figure 7: IDC’s Digital Universe Study, sponsored by EMC, December 2012 (Gantz & Reinsel, 2012)
In 2001, Doug Laney of the Meta Group (now known as Gartner) defined big data with
three dimensions: volume, velocity and variety (Laney, 2001):
 Volume: The first V referred to in the context of big data refers to Volume. Buchanan
(2014) notes that the amount of data being generated is constantly increasing and states
that 90% of all the data in the Cloud has been created within the last 2 years, with 2.5
quintillion bytes of data being produced daily which is the equivalent of 1 billion hard
disks. According to McNulty (2014), 100 terabytes of data are uploaded on a daily basis
to Facebook alone, whilst Buchanan (2014) states that 12 terabytes of tweets are generated
daily. Russom (2011) states that although the majority of people refer to terabytes or
petabytes in relation to quantifying big data, it can also be measured by counting records,
transactions, tables or files.
 Variety: The second V referred to in the context of big data refers to Variety. Russom
(2011) states that what causes big data to be big is that the sources of data generated are
far more diverse now than in previous years. Russom notes that many of the more recent
sources are Web related such as clickstreams and social media, but also mentions text data
from call centres, geospatial data and RFID data. Niemeijer (2014) also notes that the
variety of data being generated has expanded, changing from simply plain text to images,
audio, video, locations and sensor data. Russom (2011) goes on to say that it is not just
the sources of data that have evolved, but also the type of data being collected. Mark van
Rijmenam (2014) writes that whereas previously all data generated was structured, 90% of
the data created today is unstructured and comes in a wide variety of formats. Russom
(2011) gives some examples of unstructured data as being human language and semi-
structured data such as XML and RSS feeds and also notes that some data such as from
audio and video and other devices does not fall into any particular category.
 Velocity: The third V referred to in the context of big data refers to Velocity. Velocity
according to van Rijmenam (2014) and McNulty (2014) relates to the speed at which
data is currently being created and how fast the data can be processed, stored, analysed
and visualised. McNulty (2014) and van Rijmenam (2014) also state that every minute of
every day, 200 million emails and 300,000 tweets are sent and 100 hours of video are
uploaded to YouTube. van Rijmenam (2014) writes that, where previously it took time
for data to be processed and databases to be updated, now data is being created in real-
time and can be collected from a variety of sources and processed immediately.
Figure 8 defines the three V’s of big data; Volume, Velocity and Variety.
Figure 8: The Three V’s of Big Data (Niemeijer, 2014)
Mark van Rijmenam (2014) expands on the above in an article ‘Why The 3V’s Are Not
Sufficient To Describe Big Data’ and proposes a further four V’s, namely, Veracity,
Variability, Visualisation and Value. These additional categories are:
 Veracity: Veracity in the context of big data refers to the accuracy or correctness of the
data. According to van Rijmenam (2014) and McNulty (2014) although there are huge
possibilities for organisations through the analysis of big data, unless the data is accurate,
it holds no value. McNulty (2014) goes on to point out that what organisations have to
understand about big data is that a huge amount of work must be carried out in order to
clean up the data and to ensure the accuracy of it before the process of analysis can
commence.
 Variability: Variability in the context of big data refers to the constant shifting in
meaning of the data. McNulty (2014) explains that in relation to data that is dependent
on language processing, the same word can have different meanings when used in
different contexts. The solution to this problem according to both McNulty (2014) and
van Rijmenam (2014) is that organisations will have to create complex programmes that
are capable of deciphering context in order to be able to define the intended meaning of
words.
 Visualisation: Visualisation in the context of big data refers to the ability to present
huge quantities of raw data in a format that is simple to understand and easy to look at
(van Rijmenam, 2014), (McNulty, 2014). These visualisation techniques take the form of
images, diagrams and animations and according to a report by The McKinsey Global
Institute (Manyika, et al., 2011) form an essential part of the data analysis process in
enabling people to compute large amounts of numerical or text data.
 Value: Value in the context of big data refers to the financial benefits organisations stand
to gain through the analysis of big data. According to McKinsey’s report (Manyika, et
al., 2011) big data has an estimated value of $300 billion to the US Health Care system
and 250 billion Euros to Europe’s public sector administration. van Rijmenam (2014)
points out however, that data alone holds no value, that it is the analysis of the data and
the resulting knowledge that can be gained from that analysis that is of huge value to
many organisations.
According to Russom (2011), “Big Data Analytics is where advanced analytic techniques
operate on big data sets.” Taft (2012) notes that a wide range of industries such as the
financial sector, retail industry, the physical sciences and life sciences are now generating and
analysing huge amounts of data. The financial sector is using data analytics to devise trading
strategies and to aid in the creation and development of new financial products. The retail
sector is using data analytics to determine what products customers are looking at and
subsequently purchasing, in order to gain some insight into customers’ buying habits. In the
case of life science, Brust (2012) suggests that with the use of data analysis tools such as
Hadoop, not only is there the possibility to alter lives for the better; there is also the potential
to save lives. Tankard (2012) states that outside of commercial organisations, big data
analytics can be used in a variety of other ways, for example in enhancing Governments’
capacity to detect and even prevent threats from foreign countries. Tankard quotes the United
States Department of Homeland Security as having stated that by analysing data from various
sources such as the Internet and social media sites, and by examining and monitoring the sites
individuals were viewing and what was being communicated, it would have been possible to
foresee the Arab Spring revolutions.
It can be seen from the above, that a wide range of sectors from commercial organisations to
Governments to medical research facilities can benefit in a variety of different ways from the
use of data analytics.
2.5.3 SIEM
Gartner reported in 2011 (Nicolett & Kavanagh, 2011) that although Security Information
and Event Management systems (SIEMs) are often implemented in order to deal with
regulatory compliance reporting requirements, once deployed, organisations were also then
looking to take the opportunity to improve upon their capacity for dealing with security
incidents. According to Karlzen (2009), there are several reasons organisations implement
SIEM systems: compliance, insider threats and the costs organisations can incur as a result
of a security breach. Gartner (Nicolett & Kavanagh, 2013) expand on this by stating
that SIEM technology is often implemented for the purposes of detecting external and internal
threats, monitoring the actions of users in particular those with a high level of privileges,
monitoring server and database access, behaviour profiling and for the purpose of offering
analytic capabilities in order to improve upon the management of incident responses.
The works of Afzaal, et al. (2012) and Garofalo, et al. (2014) affirm that SIEMs are
extensively used to monitor and protect critical infrastructures. Afzaal, et al. (2012) stress
that when a security breach takes place, the forensic analysis of stored events is of vital
importance in tracking and subsequently identifying attackers. Afzaal, et al. go on to say that
once the attacker has been identified, results of the forensic analysis can then be taken to
Court and used as evidence in order to secure a conviction. Grzinic, et al. (2013) agree that
analysing data for the purpose of detecting security incidents is invaluable, but raise concerns
as to the intelligence of commercial SIEM products suggesting that due to the basic statistical
techniques employed by these products, the detection of threats or intrusions falls mainly to
the data analysts. Hernando (2014) agrees, pointing out that as rules must be expressly
designed for each new attack, that at present, correlation modules are not capable of detecting
new types of threat or even existing threats where the behaviour of the threat deviates from
the norm. Hernando does believe, however, that as network infrastructures have become more
complex and the amount of event information has increased, it is no longer feasible for
security personnel to manually examine the amount of data that is currently being generated,
and that therefore SIEMs, whatever their limits, are a welcome solution to this problem.
There are various SIEM products available on the market from different vendors such as
Hewlett Packard who offer ArcSight, IBM who offer Q1 Labs, AlienVault and Splunk all of
which differ slightly; however, the basic functions are the same (Karlzen, 2009). Hollows
(2002) quotes Gartner as stating that SIEM technologies must be able to provide the following
five services, otherwise known as the ‘five Cs’:
 Collection: log data is collected from a diverse range of sources such as network devices,
security devices, servers, databases and applications.
 Consolidation: log data is normalised and aggregated.
 Correlation: separate log events are linked together in order to try to identify and
construct an imminent threat or an attack as a whole.
 Communication: once a potential threat or an attack has been identified during the
correlation phase, an alert is generated.
 Control: relates to how the data is stored, whether that be whilst the data is being
analysed and is available online or once the data is no longer required to be readily
available (Karlzen, 2009), (Hollows, 2002).
In 2013, Gartner rated SIEM technologies according to their ability for delivering real-time
monitoring, threat intelligence, behaviour profiling, data and user monitoring, application
monitoring, analytics, log management and reporting and deployment and support simplicity.
The highest scoring products according to Gartner’s calculations are HP ArcSight, IBM Q1
Labs, McAfee ESM, LogRhythm and Splunk (Nicolett & Kavanagh, 2013). Figure 9 shows
the overall score for each vendor’s product according to Gartner.
Figure 9: Overall score for each Vendor’s product based on the non-weighted score for each Critical
Capability (Nicolett & Kavanagh, 2013)
It can be concluded from the above research that although SIEM systems are often
implemented in order to deal with regulatory compliance reporting requirements, that more
and more, organisations are turning to SIEMs that offer analytic capabilities to improve upon
the management of responses to security incidents.
2.6 Conclusion
The aim of this chapter was to initially provide some background research on cyber
adversaries, the motivation behind cyber attacks and the different classes of attacks being
faced by organisations, as according to The National Security Agency (2014) in order for
organisations to successfully defend against attacks, it is imperative that possible adversaries
and their motivations are identified as well as the types of attack that may be carried out
against them.
Section 2.4 examined how a Defence in Depth approach provides organisations with a means
of defending against cyber threats and that although according to Andress & Winterfield
(2014) it is not viable for organisations to presume to create a situation where their defences
are in fact impassable, through employing numerous security strategies, it should be possible
to hamper attackers’ efforts for long enough in order to be able to detect their actions or even
deter them altogether.
Finally, Section 2.5 provided a review of defence mechanisms: Intrusion Detection Systems,
Big Data Analytics and SIEM. It was shown that although the traditional security measures
of Intrusion Detection Systems and Intrusion Prevention Systems are inadequate when it
comes to detecting and preventing Advanced Persistent Threats, due to the ‘low and slow’
modus operandi of these attacks, Big Data Analytics, with the ability to collect and analyse
data over a long period of time, offers a solution to this problem. Further research showed
that, in order to achieve across-the-board protection according to Gartner (2014), ‘an
adaptive protection process integrating predictive, preventative, detective and response
capabilities’ was necessary and a shift in thinking was required, moving from ‘incident
response’ to ‘continuous response’, ‘wherein systems are assumed to be compromised and
require continuous monitoring and remediation’. It is therefore concluded that in order to
prevent, detect and predict today’s more complex attacks, a security strategy which
incorporates Firewalls, Intrusion Detection Systems and SIEM, with the ability to analyse
large data sets, is required.
The overall aim of this dissertation is to determine whether by using a SIEM architecture it is
possible to detect and block scanning/information gathering attacks and brute force dictionary
attacks prior to sensitive information being stolen or any damage being caused to the system.
Based on the conclusion reached in the Literature Review and in order to meet this aim, it is
apparent that the network architecture that is to be created should incorporate the following
three elements; a Firewall, an Intrusion Detection System and SIEM software.
3 Design
3.1 Introduction
The aim of this dissertation is to determine whether, by analysing and filtering log data from a
variety of sources (Security logs, System logs, Server logs and Snort logs) and looking for
specific patterns in the data, it is possible using a SIEM architecture to detect
scanning/information gathering attacks and FTP, Telnet and HTTP brute force dictionary
attacks, and whether, by identifying said patterns, it is therefore possible to block these attacks
prior to sensitive information being stolen or any damage being caused to the system.
According to Gartner (2014), in order to achieve across-the-board protection, ‘an adaptive
protection process integrating predictive, preventative, detective and response capabilities’
was necessary and a shift in thinking was required, moving from ‘incident response’ to
‘continuous response’, ‘wherein systems are assumed to be compromised and require
continuous monitoring and remediation’. Gartner (Orans, 2014) concluded that in order for
companies to successfully defend against targeted attacks, organisations’ defences must
incorporate firewalls, IDS/IPS and SIEM. This is therefore the approach that has been taken
when designing the prototype network architecture for this project.
Section 3.2 gives an outline of the design methodology used. Section 3.3 presents an
overview of the threats that will be simulated, further information about which can be found
in the Literature Review. Section 3.4 outlines the design of the network architecture that will
be created and looks at the various options that were considered in order to create the best
prototype testing environment and gives a brief summary as to why various design choices
were made. In addition, a diagram providing an overview of the design is included. Section
3.5 provides details of the attack tools that are necessary to carry out the attacks. Section 3.6
looks at Intrusion Detection Systems and SIEM software and provides details of the various
logs that will be monitored and the fields of interest for creating the rules to filter the data and
detect the attack. Section 3.7 defines the evaluation metrics and finally, Section 3.8 affords a
conclusion to this chapter.
3.2 Design Methodology
In order to design and create the required prototype SIEM architecture, a Top Down Design
methodology will be used. This approach is used throughout computing and in many other
fields as well. This process of breaking larger, complicated problems down into smaller,
easier-to-solve ones is known as Top Down Design for the obvious reason that the designer
starts at the top, with the problem as a whole, and works downwards (Pelchat, 2004). One
other advantage of this methodical approach is that it also provides a structure for the
solution. In structured analysis, structure charts are often used to specify the high-level
design, or architecture, of a computer program or network. As a design tool, structure charts
assist the designer in dividing and conquering a sizeable problem, that is, recursively breaking
a problem down into parts that are small enough and simple enough to be understood
(Yourdon & Constantine, 1979).
Figure 10 shows a Structure Chart that has been created to show all the components required
to create the prototype framework.
Figure 10: Structure Chart
3.3 Threats – An Overview
3.3.1 Scanning/Information Gathering Attack – Portscan
Attacks on networks are generally approached in several stages. During the first stage, an
attacker may try to probe or scan a network looking to find a vulnerability or point of entry to
the system. Valuable information can be gained from scanning/information gathering attacks,
such as the network topology, the kind of traffic permitted through the firewall, which hosts
are active on the network, which services are running and details of the operating system
being used. Further information about this type of attack can be found in Section 2.3.1 of the
Literature Review. In the case of this project, a portscan will be carried out using Nmap, in
order to determine which ports are open and which services are running on the victim
machine.
3.3.2 Brute Force Dictionary Attacks
In order for an attacker to gain entry to a system, access to a valid user name and password
must first be acquired. This can be achieved in one of two ways: either by carrying out a
brute force attack, which uses random combinations of all characters and can be very time
consuming, or by carrying out a dictionary attack, a variation of a brute force attack which
uses lists of commonly known user names and passwords (Whitman & Mattord, 2012), (Czagan,
2013). Further information about this type of attack can be found in Section 2.3.1 of the
Literature Review. In this instance, a dictionary attack will be carried out using Hydra against
the FTP, Telnet and HTTP protocols on the victim server.
3.4 Requirements Analysis
In order to carry out the aforementioned experiments, a network architecture will be created in
a cloud environment using different virtual machines. The victim server will have many open
services running on it including FTP, Telnet and HTTP and will be located in the DMZ. The
attacking machine will be located in the Private Network. Both machines will be configured
on different VLANs. In order to provide routing between the two machines and a firewall, a
virtual router will also be implemented. The attack tools required to carry out the information
gathering/probing attack and the brute force dictionary attacks will be installed on the
attacking machine. In order to detect the various threats, SIEM software will be installed on
the victim server for the purposes of real-time monitoring of various logs. An Intrusion
Detection System will also be installed on the victim server. Various tools, packages and
operating systems have been investigated and the most appropriate choices for the design
have now been selected.
Figure 11 provides an overview of the design and the steps that will be followed in order to
carry out the various experiments.
Figure 11: Design Overview
Various operating systems were considered for the victim server prior to the final selection
being made, however, as the majority of the logs that Splunk has the ability to monitor are
Windows logs such as Performance logs and Event Logs, it was decided that a Windows
Server would be the best option for the prototype implementation. Windows Server 2003 was
selected initially as the victim machine in the network architecture as it has many open
services; however, when attempting to download the SIEM software, it transpired that the
2003 Server was not of an adequate specification for it to be installed. Therefore, for the
purposes of these experiments, Windows Server 2008 is deemed to be the most appropriate
choice.
Again, different options were investigated in relation to the selection of the attacking
machine, including Metasploit and Kali Linux. Metasploit is open source penetration testing
software that is employed for the purposes of verifying vulnerabilities and to manage security
assessments (Metasploit, 2015). Kali Linux is an open source Linux distribution that is
designed for digital forensics, advanced penetration testing and security auditing and is
preinstalled with numerous penetration testing tools (Offensive Security, 2013). These tools
are divided into various categories such as Information Gathering which includes tools like
Nmap and Password Attacks which includes tools for online attacks like Hydra and Hydra
GTK. These tools make it an appropriate choice for the attacking host in the network
architecture.
In order to provide routing between the virtual machines and to provide a firewall for the
prototype implementation, different options were again considered. Vyatta is a virtual router
which provides advanced routing and security functionality for physical, virtual, and cloud
networking environments (Brocade, 2015). pfSense is an open source Firewall/Router
distribution which includes a web interface giving users the option to either configure it
through the command line or the GUI (pfSense, 2015). With both options, filtering can be
implemented using a variety of parameters such as source and destination IP address, IP
protocol and source and destination port (pfSense, 2015), (Brocade, 2015). As pfSense also
provides the option to log traffic, it has been decided that for the purposes of the dissertation,
it would be the most appropriate product to implement.
Following on from the above research, a design of the basic architecture required to facilitate
the various experiments has been created, as can be seen in Figure 12.
[Figure 12 is a network diagram, not reproduced here. It shows a Public Network (VLAN 200) on router interface eth0, a DMZ containing the Windows Server 2008 victim (VLAN 206) and a Private Network containing the Kali attacking machine (VLAN 205), with the router interfaces eth0, eth1 and eth2 connecting the three segments.]
Figure 12: Network Architecture – Design
3.5 Attack Tools
3.5.1 Nmap
According to Bace & Mell (2001), many different tools can be used for the purpose of
scanning and information gathering such as network mappers, port mappers, network
scanners, port scanners or vulnerability scanners to gain valuable information about a
network. Nmap, a well known and popular network mapper, is a free and open source utility
used by millions of people ranging from novices to highly skilled hackers. Nmap can be used
by attackers during the reconnaissance phase of an attack, to quickly scan a range of devices
in order to gain valuable information about the network and identify any potential
vulnerabilities or possible points of entry to the system (Lyon, 2009). Nmap can perform a
variety of scans however, for the purposes of this dissertation a port scan will be carried out in
order to identify which ports are open and which services are running on the victim machine.
Further information about Nmap can be found in Section 2.3.1 of the Literature Review.
3.5.2 Hydra
Hydra is an extremely fast logon cracker that can be used to attack many different protocols
including FTP, Telnet and HTTP and is therefore the tool of choice for carrying out the
dictionary attack. Further information about Hydra can be found in Section 2.3.1 of the
Literature Review. Both Hydra and Hydra GTK are installed on the Kali Linux virtual
machine and although Hydra GTK has a GUI that requires limited input from the user, it has
been decided that for the purposes of this dissertation, Hydra will be operated from the
command line. In order to carry out the dictionary attack, a file containing various common
usernames will be created as well as a password file containing the top most commonly used
passwords.
3.6 Detection Methods – An Overview
3.6.1 Intrusion Detection Systems (IDS)
‘Intrusion detection is the process of monitoring the events occurring in a computer system or
network and analysing them for signs of intrusions’ (Scarfone & Mell, 2007). In order to
detect the various threats that will be simulated as part of this project, one of the tools that
will be used is Snort. Snort is an open source IDS/IPS that is capable of real-time traffic
analysis; any suspicious activity detected by Snort is logged in an alerts file. Martin Roesch
(1999) refers to Snort as a “lightweight network intrusion detection tool” suited to monitoring
smaller scale networks. Snort is based on a set of rules that use pattern matching (signature
based detection) and comes preconfigured with a set of built in pre-processor rules that will
detect many forms of attack, however, it is also relatively easy to create new rules in order to
be able to adapt to new forms of attack. A combination of specifically created rules and pre-
processor rules will be implemented in order to detect the various threats.
3.6.2 SIEM
There are various SIEM products on the market from different vendors, such as Hewlett-Packard
(ArcSight), IBM (QRadar, originally developed by Q1 Labs), AlienVault and Splunk, all of which
differ slightly; however, the basic functions are the same (Karlzen, 2009).
Splunk is the SIEM chosen for this dissertation: an academic licence is available, and it can
monitor a wide variety of sources in real time, as the following list of data inputs shows:
- Local Event Logs: monitor Windows Event Logs such as Application, Security, Setup and System
- Remote Event Logs: collect event logs from remote hosts
- Files and Directories: continuously monitor local files or entire directories, such as IDS logs or FTP and HTTP logs
- TCP/UDP: listen on any TCP or UDP port to capture data sent over the network, such as syslog
- Local Performance Monitoring: monitor Windows performance counters such as CPU, Memory, Threads, FTP Service and HTTP Service
- Remote Performance Monitoring: collect performance metrics from remote Windows machines
- Registry Monitoring: capture Windows Registry settings and monitor changes to them
- Active Directory: watch for changes to Active Directory and collect user and machine metadata such as user additions, host changes and logins
- Local Windows host monitoring: collect up-to-date hardware and software information (computer, operating system, processor, etc.) about the local machine
- Local Windows Network Monitoring: capture statistics about network activity
- Local Windows Print Monitoring: capture information about printers, drivers, print jobs, and so on
In order to see whether it is possible to detect the portscan and the brute force dictionary
attacks using a SIEM architecture, the following logs and fields were identified as being of
interest for the creation of the Splunk rules (Table 1).
Server/IDS logs      Fields of interest
Security Log         Audit Failure, Audit Success
System Log           Logon failure
FTP Log              IP address; response code 530 (failed login attempt); response code 230 (successful login)
Web Log (W3SVC1)     POST
Snort Logs           IP address; port 21, port 23, port 80; Good login, Bad login
Table 1: Server/IDS logs and fields of interest for creating Splunk rules
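To make the fields in Table 1 concrete, the following Python script (an added example written for this page, not the dissertation's Splunk configuration or searches) parses constructed samples of two of the sources, an IIS-style FTP log in W3C extended format and Snort 'fast' alerts carrying the Bad login / Good login messages, normalises them to (time, source IP, outcome) and applies two correlation rules: a count of failures per source IP inside a sliding time window, and a successful login preceded by failures from the same IP. The constructed data also anticipates the two experiments of Section 3.7: a short window catches the rapid attacker but misses the 'low and slow' one, while a longer window or the failure-then-success rule catches both. The IP addresses, timestamps, column list, Snort year and thresholds are all assumptions; the dissertation's own Splunk rules and thresholds are given in the Implementation chapter.

```python
"""Correlating the Table 1 log sources to detect brute-force logins.

Added example for this page, not the dissertation's Splunk searches. The log
text is constructed to resemble an IIS FTP log (W3C extended format) and Snort
'fast' alerts; IPs, timestamps, columns, the Snort year and thresholds are all
assumptions for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed FTP log. IIS writes a #Fields directive naming the columns, so the
# parser reads that rather than hard-coding positions (a real log has more columns).
FTP_LOG = (
    "#Software: Microsoft Internet Information Services 7.5\n"
    "#Fields: date time c-ip cs-username cs-method sc-status\n"
    "2015-03-20 10:15:00 10.0.0.20 bob PASS 530\n"   # a user mistypes once, then succeeds
    "2015-03-20 10:15:04 10.0.0.20 bob PASS 230\n"
    # rapid attacker: 12 failures inside 3 seconds, then the right password
    + "".join(f"2015-03-20 10:20:0{i // 4} 10.0.0.5 admin PASS 530\n" for i in range(12))
    + "2015-03-20 10:20:03 10.0.0.5 admin PASS 230\n"
    # 'low and slow' attacker: one failure every 5 minutes for an hour, then success
    + "".join(f"2015-03-20 {11 + (i * 5) // 60:02d}:{(i * 5) % 60:02d}:07 10.0.0.9 ftp PASS 530\n"
              for i in range(12))
    + "2015-03-20 12:00:07 10.0.0.9 ftp PASS 230\n"
)

# Constructed Snort alert_fast lines from rules whose messages match Table 1.
SNORT_ALERTS = (
    "03/20-10:21:00.000100  [**] [1:1000003:1] Telnet Bad login [**] [Priority: 2] {TCP} 10.0.0.5:40001 -> 192.168.1.10:23\n"
    "03/20-10:21:00.400100  [**] [1:1000003:1] Telnet Bad login [**] [Priority: 2] {TCP} 10.0.0.5:40002 -> 192.168.1.10:23\n"
    "03/20-10:21:01.000100  [**] [1:1000004:1] Telnet Good login [**] [Priority: 1] {TCP} 10.0.0.5:40003 -> 192.168.1.10:23\n"
)

SNORT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\] \[[\d:]+\] (.*?) \[\*\*\].*?\{\w+\} ([\d.]+):\d+ -> "
)


def parse_w3c(text):
    """Yield (timestamp, client IP, success) for each PASS command in a W3C log."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]           # column names come from the log itself
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            if rec.get("cs-method") == "PASS":  # only PASS carries the 230/530 verdict
                ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
                yield ts, rec["c-ip"], rec["sc-status"] == "230"


def parse_snort_fast(text, year=2015):
    """Yield (timestamp, source IP, success) from alert_fast lines; the format
    carries no year, so one is assumed."""
    for line in text.splitlines():
        m = SNORT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year}-{m[1]}-{m[2]} {m[3]}", "%Y-%m-%d %H:%M:%S")
            yield ts, m[5], "Good login" in m[4]


def all_events():
    """Every source normalised to (timestamp, source IP, login succeeded?)."""
    return list(parse_w3c(FTP_LOG)) + list(parse_snort_fast(SNORT_ALERTS))


def failures_in_window(events, threshold, window_seconds):
    """Alert per source IP the first time `threshold` failures fall inside a
    sliding window of `window_seconds`. Returns {ip: (window start, count)}."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, ip, ok in events:
        if not ok:
            by_ip[ip].append(ts)
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = (times[start], end - start + 1)
                break
    return alerts


def success_after_failures(events, min_failures, window_seconds):
    """Flag a 230 / 'Good login' preceded by at least `min_failures` failures
    from the same IP within the window: the signature of a guess that worked."""
    window = timedelta(seconds=window_seconds)
    ordered = sorted(events)
    hits = []
    for i, (ts, ip, ok) in enumerate(ordered):
        if ok:
            prior = sum(1 for t2, ip2, ok2 in ordered[:i]
                        if ip2 == ip and not ok2 and ts - t2 <= window)
            if prior >= min_failures:
                hits.append((ip, ts, prior))
    return hits


if __name__ == "__main__":
    ev = all_events()
    print("10 failures in 10 s:", failures_in_window(ev, 10, 10))       # rapid attacker only
    print("10 failures in 1 h: ", failures_in_window(ev, 10, 3600))     # both attackers
    print("success after failures:", success_after_failures(ev, 3, 3600))
```

Both rules are keyed on the source IP, which is the field Table 1 singles out in the FTP and Snort logs; against an attacker who spreads attempts across many addresses the same functions can be keyed on cs-username instead. The failure-then-success rule is the one worth paging on, since it fires only when an account has actually been opened.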
3.7 Evaluation Metrics
As the literature review established, in order to defend successfully against targeted attacks,
organisations’ defences must incorporate firewalls, IDS/IPS and SIEM (Orans, 2014). To
determine the efficacy of a SIEM architecture for detecting and mitigating brute force
dictionary attacks, two different experiments will be performed.
3.7.1 Brute Force Dictionary Attack – Rapid Speed
The first experiment will see the brute force dictionary attacks carried out at a rapid speed.
Hydra, which is already installed on the Kali Linux virtual machine, will be used to carry out
the brute force attacks. In order to detect the attacks, Snort and Splunk will be installed on
the Windows Server 2008 virtual machine. Splunk will be configured to actively monitor the
Security logs, System logs, FTP logs, HTTP logs, FTP Service logs, HTTP Service logs and
Snort logs. Snort will run for the duration of the attacks using various rules that will be
created to detect both failed and successful login attempts to the FTP, Telnet and
DISSERTATION_40096050

  • 1. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks Brute Force Attack Detection and Mitigation using a SIEM Architecture Pamela Dempster Submitted in partial fulfilment of the requirements of Edinburgh Napier University for the Degree of Bachelor of Engineering with Honours in Computer Systems and Networks School of Computing April 2015
  • 2. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks Authorship Declaration I, Pamela Dempster, confirm that this dissertation and the work presented in it are my own achievement. Where I have consulted the published work of others this is always clearly attributed; Where I have quoted from the work of others the source is always given. With the exception of such quotations this dissertation is entirely my own work; I have acknowledged all main sources of help; If my research follows on from previous work or is part of a larger collaborative research project, I have made clear exactly what was done by others and what I have contributed myself; I have read and understand the penalties associated with Academic Misconduct. I also confirm that I have obtained informed consent from all people I have involved in the work in this dissertation following the School's ethical guidelines Signed: Date: Matriculation no: 40096050
  • 3. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks Data Protection Declaration Under the 1998 Data Protection Act, The University cannot disclose your grade to an unauthorised person. However, other students benefit from studying dissertations that have their grades attached. Please sign your name below one of the options below to state your preference. The University may make this dissertation, with indicative grade, available to others. The University may make this dissertation available to others, but the grade may not be disclosed. The University may not make this dissertation available to others.
  • 4. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks Acknowledgements Firstly, I would like to thank my Supervisor, Professor Bill Buchanan for providing me with the opportunity to complete this project and for the continuous guidance and support he offered throughout the year. I would also like to thank Richard Macfarlane for being my Second Marker. Finally, I would like to thank my family and friends for their never ending support and encouragement.
  • 5. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks Contents AUTHORSHIP DECLARATION DATA PROTECTION DECLARATION ACKNOWLEDGEMENTS ABSTRACT 1 INTRODUCTION ................................................................................1 1.1 Introduction.................................................................................................................. 1 1.2 Background .................................................................................................................. 1 1.3 Aims and Objectives.....................................................................................................2 1.4 Dissertation Structure ..................................................................................................3 1.5 Ethics ............................................................................................................................ 3 2 LITERATURE REVIEW ....................................................................4 2.1 Introduction.................................................................................................................. 4 2.2 Cyber Adversaries – A History.................................................................................... 4 2.3 Attack Taxonomy......................................................................................................... 7 2.3.1 Classification of Attacks......................................................................................... 7 2.3.2 Attack Patterns ..................................................................................................... 10 2.4 Defence in Depth ........................................................................................................ 14 2.5 Defence Mechanisms .................................................................................................. 
15 2.5.1 Intrusion Detection Systems ................................................................................. 15 2.5.2 Big Data Analytics ............................................................................................... 16 2.5.3 SIEM.................................................................................................................... 19 2.6 Conclusion .................................................................................................................. 21 3 DESIGN ..............................................................................................22 3.1 Introduction................................................................................................................ 22 3.2 Design Methodology................................................................................................... 22 3.3 Threats – An Overview .............................................................................................. 24 3.3.1 Scanning/Information Gathering Attack – Portscan............................................... 24 3.3.2 Brute Force Dictionary Attacks............................................................................. 24 3.4 Requirements Analysis............................................................................................... 24 3.5 Attack Tools................................................................................................................ 26 3.5.1 Nmap.................................................................................................................... 26 3.5.2 Hydra ................................................................................................................... 27
  • 6. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks 3.6 Detection Methods – An Overview ............................................................................ 27 3.6.1 Intrusion Detection Systems (IDS)........................................................................ 27 3.6.2 SIEM.................................................................................................................... 27 3.7 Evaluation Metrics ..................................................................................................... 28 3.7.1 Brute Force Dictionary Attack – Rapid Speed....................................................... 28 3.7.2 Brute Force Dictionary Attack – ‘Low and Slow’ ................................................. 29 3.8 Conclusions................................................................................................................. 29 4 IMPLEMENTATION........................................................................30 4.1 Introduction................................................................................................................ 30 4.2 Configuration ............................................................................................................. 30 4.3 Attack Traffic............................................................................................................. 32 4.3.1 Scanning/Information Gathering Attack................................................................ 32 4.3.2 FTP Brute Force Dictionary Attack ...................................................................... 32 4.3.3 Telnet Brute Force Dictionary Attack ................................................................... 33 4.3.4 HTTP Brute Force Dictionary Attack ................................................................... 33 4.3.5 Brute Force Dictionary Attacks – ‘Low and Slow’................................................ 
34 4.4 Detection Methods - IDS............................................................................................ 34 4.4.1 Snort Rules – Scanning/Information Gathering Attack.......................................... 34 4.4.2 Snort Rules - FTP Brute Force Dictionary Attack ................................................. 35 4.4.3 Snort Rules - Telnet Brute Force Dictionary Attack.............................................. 35 4.4.4 Snort Rules – HTTP Brute Force Dictionary Attack.............................................. 36 4.5 Detection Methods - SIEM......................................................................................... 36 4.5.1 Splunk Logs ......................................................................................................... 36 4.5.2 Splunk Rules ........................................................................................................ 36 4.6 Conclusion .................................................................................................................. 39 5 EVALUATION...................................................................................40 5.1 Introduction................................................................................................................ 40 5.2 Experiments................................................................................................................ 40 5.2.1 Information Gathering/Probing Attack.................................................................. 40 5.2.2 FTP Brute Force Dictionary Attack ...................................................................... 41 5.2.3 Telnet Brute Force Dictionary Attack ................................................................... 43 5.2.4 HTTP Brute Force Dictionary Attack ................................................................... 44 5.2.5 Brute Force Dictionary Attacks – ‘Low and Slow’................................................ 
46 5.3 Results......................................................................................................................... 46
  • 7. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks 5.3.1 Scanning/Information Gathering Attack................................................................ 46 5.3.2 Brute Force Dictionary Attacks............................................................................. 47 5.4 Analysis....................................................................................................................... 49 5.5 Conclusions................................................................................................................. 50 6 CONCLUSIONS.................................................................................51 6.1 Introduction................................................................................................................ 51 6.2 Meeting the Objectives............................................................................................... 51 6.2.1 Objective 1 ........................................................................................................... 51 6.2.2 Objective 2 ........................................................................................................... 52 6.2.3 Objective 3 ........................................................................................................... 52 6.2.4 Objective 4 ........................................................................................................... 52 6.3 Critical Analysis ......................................................................................................... 53 6.4 Future Work............................................................................................................... 54 6.5 Personal Reflection..................................................................................................... 
54 7 REFERENCES ...................................................................................56 APPENDIX 1 - Initial Project Overview………………………………………..……61 APPENDIX 2 – Week 9 Interim Report………………………………………..…….64 APPENDIX 3 – Diary Sheets…………………………..…………………………...…69
  • 8. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks List of Tables Table 1: Server/IDS logs and fields of interest for creating Splunk rules .............................. 28 Table 2: Configuration of Virtual Machines ......................................................................... 31 Table 3: Splunk Rules.......................................................................................................... 38 Table 4: Software used in Implementation ........................................................................... 39 Table 5: Detection Results ................................................................................................... 49
  • 9. 40096050 SOC10101 Pamela Dempster - BEng (Hons) Computer Systems and Networks List of Figures Figure 1: Security Breaches in 2012 – adapted from (PwC, 2012).......................................... 1 Figure 2: Hacker circumplex (Rogers, 2006).......................................................................... 6 Figure 3: Classes of Computer Misuse Techniques (Neumann & Parker, 1989).................... 8 Figure 4: Pattern of Attack - adapted from (Buchanan, 2011)............................................... 10 Figure 5: Typical Stages of an APT – adapted from (Giura & Wang, 2013) ......................... 12 Figure 6: Defending Against Targeted Attacks (The Five Styles of Advanced Threat Defense - Gartner Presentation) (Orans, 2014)..................................................................................... 14 Figure 7: IDC’s Digital Universe Study, sponsored by EMC, December 2012 (Gantz & Reinsel, 2012)...................................................................................................................... 16 Figure 8: The Three V’s of Big Data (Niemeijer, 2014) ....................................................... 17 Figure 9: Overall score for each Vendor’s product based on the non-weighted score for each Critical Capability (Nicolett & Kavanagh, 2013).................................................................. 20 Figure 10: Structure Chart.................................................................................................... 23 Figure 11: Design Overview ................................................................................................ 25 Figure 12: Network Architecture – Design........................................................................... 26 Figure 13: Prototype Network Configuration........................................................................ 
30
Figure 14: DMZ Firewall Rules ... 31
Figure 15: LAN/Private Network Firewall Rules ... 32
Figure 16: Nmap Port Scan command ... 32
Figure 17: Hydra command - FTP Brute Force Attack ... 32
Figure 18: Hydra command - Telnet Brute Force Attack ... 33
Figure 19: Login form ... 33
Figure 20: Hydra command - HTTP Brute Force Attack ... 33
Figure 21: Hydra command (slower speed) – FTP Brute Force Dictionary Attack ... 34
Figure 22: Snort Preprocessor for detecting Port Scan ... 34
Figure 23: Snort rule created to detect FTP failed login attempts ... 35
Figure 24: Snort rule created to detect FTP successful login ... 35
Figure 25: Snort rule created to detect Telnet failed login attempts ... 35
Figure 26: Snort rule created to detect Telnet failed login attempts ... 35
Figure 27: Snort rule created to detect successful login to Telnet ... 35
Figure 28: Snort rule created to detect HTTP failed login attempts ... 36
Figure 29: Snort rule created to detect successful login to Web login form ... 36
Figure 30: Nmap Port Scan command ... 40
Figure 31: Snort preprocessor to detect Port Scan ... 40
Figure 32: Results of Port Scan ... 41
Figure 33: Snort Alert for Port Scan ... 41
Figure 34: Hydra command - FTP Brute Force Dictionary attack ... 41
Figure 35: Snort rule to detect FTP failed login attempts ... 41
Figure 36: Result of FTP Brute Force Attack ... 42
Figure 37: Snort Alert for FTP failed login attempts ... 42
Figure 38: Snort rule to detect FTP successful login ... 42
Figure 39: Successful login to FTP service ... 42
Figure 40: Snort Alert for FTP successful login ... 42
Figure 41: Hydra command – Telnet Brute Force Dictionary attack ... 43
Figure 42: Snort rule to detect Telnet failed login attempts ... 43
Figure 43: Snort rule to detect failed login attempts ... 43
Figure 44: Result of Telnet Brute Force Attack ... 43
Figure 45: Snort Alert for Telnet failed login attempts ... 43
Figure 46: Snort rule to detect successful login via Telnet ... 43
Figure 47: Successful login to Telnet service ... 44
Figure 48: Snort Alert for Telnet successful login ... 44
Figure 49: Hydra command – HTTP Brute Force Dictionary Attack ... 44
Figure 50: Snort rule to detect HTTP failed login attempts ... 44
Figure 51: Result of HTTP Brute Force Attack ... 45
Figure 52: Snort Alert for HTTP failed login attempts ... 45
Figure 53: Snort rule to detect successful login to Web login form ... 45
Figure 54: Successful login to Web Page ... 45
Figure 55: Snort Alert for successful login to Web login form ... 46
Figure 56: Hydra command (slower speed) – FTP Brute Force Dictionary Attack ... 46
Figure 57: Splunk – Detection of Port scan ... 47
Figure 58: Splunk rule created to detect over 100 failed logins in 10 seconds ... 47
Figure 59: Splunk Timeline for FTP Brute Force Dictionary Attack ... 47
Figure 60: Splunk Timeline for Telnet Brute Force Dictionary Attack ... 48
Figure 61: Splunk Timeline for HTTP Brute Force Dictionary Attack ... 48
Figure 62: Splunk results for ‘Low and Slow’ FTP Brute Force Dictionary Attack ... 49
Abstract

Cyber security, and how to combat a wide variety of threats, is a topic at the forefront of many organisations’ minds. As attacks grow in number and complexity, companies are having to spend more on security and look for new ways of confounding attackers. Research shows that although the traditional security measures of Intrusion Detection Systems and Intrusion Prevention Systems are inadequate when it comes to detecting and preventing Advanced Persistent Threats, owing to the ‘low and slow’ modus operandi of these attacks, Big Data Analytics, with the ability to collect and analyse data over a long period of time, offers a solution to this problem. According to Gartner (Orans, 2014), in order for companies to successfully defend against targeted attacks, organisations’ defences must incorporate firewalls, IDS/IPS and SIEM.

The aim of this project is to determine whether, by analysing and filtering log data from a variety of sources (Security logs, System logs, Server logs and IDS logs) and looking for specific patterns in the data, it is possible using a SIEM architecture to detect brute force dictionary attacks, and whether, by identifying those patterns, it is then possible to block these attacks before sensitive information is stolen or any damage is caused to the system.

VMware vSphere Client is used to provide a virtual cloud environment in which to create the prototype SIEM architecture. Three VMware instances are created: a Windows Server 2008 machine, which acts as the victim in the implementation; a Kali Linux machine, which acts as the attacker in the scenario; and a pfSense machine, which provides the routing between the two and a firewall. In order to detect the attacks, Snort and Splunk are installed on the Windows Server 2008 machine.
To determine the efficacy of a SIEM architecture for detecting and mitigating brute force dictionary attacks, two different experiments were performed. In the first experiment the attack was carried out at rapid speed, whereas in the second the attack was carried out at a much slower speed. Various Splunk rules were created in order to filter and analyse the log data; however, so as to obtain comparable results across the board, a standard metric of over 100 failed logins in 10 seconds was used for detection. The results of the first experiment showed 1,935 failed login attempts against the FTP service within approximately 10 seconds, from which it can be concluded that it is possible to detect and mitigate these types of attack using a SIEM architecture. However, when the attack was carried out at a much slower speed, with only one login attempt being made per minute, and the same filtering rule was applied, the attack was not detected. This does not mean that a SIEM architecture is an inappropriate method for detecting ‘low and slow’ attacks; it shows only that, for successful detection, data would have to be collected and analysed over a much longer period of time than for attacks carried out at a faster rate.
1 Introduction

1.1 Introduction

According to Gartner (2014), in order to achieve across-the-board protection, ‘an adaptive protection process integrating predictive, preventative, detective and response capabilities’ was necessary and a shift in thinking was required, moving from ‘incident response’ to ‘continuous response’, ‘wherein systems are assumed to be compromised and require continuous monitoring and remediation’. Gartner (Orans, 2014) concluded that in order for companies to successfully defend against targeted attacks, organisations’ defences must incorporate firewalls, IDS/IPS and SIEM.

The aim of this project is to determine whether, by analysing and filtering log data from a variety of sources (Security logs, System logs, Server logs and Snort logs) and looking for specific patterns in the data, it is possible using a SIEM architecture to detect brute force dictionary attacks, and whether, by identifying those patterns, it is then possible to block these attacks before sensitive information is stolen or any damage is caused to the system. Taking into account Gartner’s recommendations (Orans, 2014), the prototype network architecture has been designed accordingly. In order to evaluate the effectiveness of the SIEM architecture in detecting these types of attack, the attacks have been carried out under different conditions.

1.2 Background

Cyber security, and how to combat a wide variety of threats, is a topic at the forefront of many organisations’ minds. As attacks grow in number and complexity, companies are having to spend more on security and look for new ways of confounding attackers.
According to a survey carried out by Infosecurity Europe, the results of which were analysed and reported by PwC, the number of security breaches in 2012 was at an all-time high, with 91% of large organisations reporting that they had had a malicious breach in the last year. The estimated costs incurred by these organisations for the worst incident they had suffered were in the region of £110,000 to £250,000. Figure 1 shows that, of these breaches, 73% were attacks carried out by unauthorised outsiders, 59% were infections by viruses or malicious software and 53% related to theft or fraud (PwC, 2012).

Figure 1: Security Breaches in 2012 – adapted from (PwC, 2012)
Some of the biggest security breaches seen over the last few years have included a data breach at Adobe which resulted in 38 million users having to reset their passwords after hackers gained access to user account information. Theft of source code for various Adobe applications was identified as a partial cause of the incident (Krebs, 2013). J P Morgan Chase, America’s largest bank, announced that it had been on the receiving end of a cyber attack which resulted in a vast number of customers’ accounts being compromised. The breach is said to have affected 76 million households and 7 million small businesses and was cited at the time as one of the largest ever intrusions. The company stated in its defence that, although user contact details were compromised, there was insufficient evidence to show that information pertaining to customers’ accounts, such as account numbers, passwords and Social Security numbers, had been compromised (Silver-Greenberg, et al., 2013). Another company experiencing a massive data breach was eBay. In May 2014, hackers stole private information belonging to 145 million users. Then in June, StubHub, eBay’s event ticket reseller platform, was attacked, allowing hackers to obtain and resell event tickets resulting in a $1 million profit. Unfortunately for eBay, this was not the end of its troubles, as it later transpired that customers had been the target of a phishing scam in which they were redirected to malicious sites, thereby allowing hackers to obtain their passwords and other personal information (Cozza, 2014).

With the rise in the number of attacks and the increase in their complexity, the traditional layers of defence, namely Demilitarized Zones (DMZ), Firewalls (hardware or software), Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), are no longer enough to keep organisations’ systems and data secure.
Implementing SIEM software, with the ability to collect and analyse large amounts of data from various sources, gives companies a further layer of defence and the opportunity to detect and mitigate both these attacks and future attacks.

1.3 Aims and Objectives

The overall aim of this dissertation is to determine whether, by using a SIEM architecture, it is possible to detect and block scanning/information gathering attacks and brute force dictionary attacks before sensitive information is stolen or any damage is caused to the system. In order to meet this aim, the following objectives must be met:

1. Research and review Attack Taxonomies covering topics such as Cyber Adversaries, Classification of Attacks and Attack Patterns. Further research and review Defence in Depth, Big Data Analytics and SIEM.
2. Design and implement a prototype SIEM architecture.
3. Simulate brute force dictionary attacks against multiple protocols, import log data from a variety of sources into a SIEM software package and carry out an analysis of the data.
4. Evaluate whether it is possible, by identifying certain patterns in the data, to detect and therefore block the attack, and whether, when the attacks are carried out at a much slower speed, it is still possible to detect them.
1.4 Dissertation Structure

This dissertation is divided into the following six chapters:

• Chapter 1 - Introduction: This chapter contains an overview of the project and provides a background as to why SIEM software is now a necessity when it comes to organisations detecting and mitigating today’s advanced attacks. The project aim and objectives are also outlined, as is the structure of the dissertation. Due to the nature of the project, a section on the ethics surrounding brute force attacks is also included.
• Chapter 2 - Literature Review: The Literature Review covers several different areas of research. The initial research covers areas such as cyber adversaries, classifications of attacks and patterns of attacks. The literature review then examines how a defence in depth approach provides organisations with the best means of defending against cyber threats and, finally, there follows a review of defence mechanisms: Intrusion Detection Systems, Big Data Analytics and SIEM.
• Chapter 3 - Design: Following on from the conclusion reached in the Literature Review, this chapter presents a design for the prototype SIEM architecture, with justification for the design choices made. An overview of the attacks and of the proposed detection methods is also provided, as are details of the attack tools necessary to carry out the attacks.
• Chapter 4 - Implementation: This chapter examines in detail how the design was implemented in a cloud environment, using a series of virtual machines to create the required network scenario. The commands used to carry out the attacks, the Snort rules used to detect the attacks and the Splunk rules used to analyse and filter the log data are further explained.
• Chapter 5 - Evaluation: A description and evaluation of the experiments carried out in order to determine whether it is in fact possible to detect and mitigate brute force dictionary attacks is provided in this chapter. The results of those experiments are also provided, along with an analysis of those results.
• Chapter 6 - Conclusion: This chapter provides a conclusion to the dissertation and examines how the aim and objectives were met. There follows a critical analysis of the project as a whole and, finally, a section on future work surrounding the subject area of this project is presented.

1.5 Ethics

Due to the nature of this dissertation and the attack tools that will be used to carry out the information gathering attack and the brute force dictionary attacks, there are some ethical concerns that must be taken into account. For this reason, the prototype architecture will be created in a virtualised environment with no access to any other networks. In accordance with the Code of Conduct for BCS Members (British Computer Society, 2011), the following rules will be adhered to:

• have due regard for public health, privacy, security and wellbeing of others and the environment;
• not claim any level of competence that you do not possess;
• avoid injuring others, their property, reputation, or employment by false or malicious or negligent action or inaction.
2 Literature Review

2.1 Introduction

The literature review initially provides the reader with research on cyber adversaries and the motivation behind cyber attacks. Further research is then presented on the classification of attacks, which looks in detail at scanning/information gathering attacks and brute force attacks, and finally the stages that an attack or intrusion will typically follow are investigated. Additional research examines how a Defence in Depth approach provides a means of defending against cyber threats and, finally, there follows a review of defence mechanisms: Intrusion Detection Systems, Big Data Analytics and SIEM. A conclusion is subsequently reached which ascertains that, in order to prevent, detect and predict today’s more complex attacks, a security strategy which incorporates Firewalls, Intrusion Detection Systems and SIEM, with the ability to analyse large data sets, is required.

2.2 Cyber Adversaries – A History

According to Meyers et al. (2009), it was not until the early 1980s, when personal computers became more readily available, that any kind of study was undertaken with regard to cyber adversaries, and when the term ‘hacker’ was first introduced it referred only to people who were highly skilled at programming and manipulating operating systems. The works of Raymond (2003) and Walleij (1998) indicate that the first hackers originated from MIT and were simply a group of curious students who excelled at programming and who liked nothing better than to experiment and explore the capabilities of computers and computer technology. According to Murphy et al. (1983), however, it was not until a few years later, following an incident involving six teenagers referred to as the ‘414 gang’ who broke into 60 computer systems and were subsequently arrested, that the term ‘hacker’ came to mean ‘an individual engaging in malicious activity’.
Lawson (2001) observes that today, however, many people within the computer science sector argue that this terminology is in fact incorrect and that a more appropriate term for these individuals is ‘cracker’.

Meyers et al. (2009) state that in 1985 Landreth, himself a skilled hacker, was one of the first to attempt to classify the cyber adversary community. Landreth & Rheingold (1985) proposed dividing those belonging to the hacking community into the following five categories:

• Novices
• Students
• Tourists
• Crashers
• Thieves

Novices were defined primarily as youths who were, on the whole, just interested in making mischief, who lost interest after a short while and who were prone to making mistakes. The students category, as defined by Landreth & Rheingold, is reminiscent of Raymond’s (2003) and Walleij’s (1998) description of the first hackers: students from MIT who engaged in this type of activity purely for the cerebral challenge, who had little or no criminal intent and who simply aspired to accumulate information about infiltrated systems. Tourists were described as individuals who saw hacking as a personal challenge and who were in it for the thrill. Crashers, however, were seen as destructive individuals who deliberately set out to cause damage to systems or information, and as egoists who wanted their exploits to be known about and consequently derived pleasure from the recognition. Landreth & Rheingold’s final category, thieves, consists, as the name implies, of criminals who generally seek to profit from their malevolent behaviour. These hackers were recognised as the most treacherous, with superior technical skills and a thorough knowledge of their intended target (Landreth & Rheingold, 1985).

In 1996, a large-scale study of 164 known hackers of various ethnicities was carried out. Chantler (1996) argued that hacking behaviour could be compartmentalised according to a number of different characteristics, such as knowledge, motivation, prowess and length of time spent carrying out an attack. From the results of this study, which were derived from surveys and interviews, Chantler proposed dividing the hacking population into the following three categories:

• Losers and lamers
• Neophytes
• Elites

According to Chantler’s research, the losers and lamers were of limited intellect and were predominantly motivated by greed and vengeance. Neophytes, in Chantler’s opinion, were more intellectually advanced than the losers and lamers, wanting to follow in the footsteps of the elites and further their knowledge. The final category proposed, the elites, were identified as individuals with superior technical skills who found the test of their abilities stimulating, who enjoyed the sense of exhilaration and who derived pleasure from their feats of accomplishment. Meyers et al. (2009) cite the works of Rogers (1999), (2000), (2001) and (2006) as being ‘the most comprehensive study of cyber adversaries and their motivations’.
Rogers’ earliest work (Rogers, 1999) proposed a new taxonomy of hackers. After having examined earlier research in this area, some of which has been mentioned earlier in this report, Rogers proposed the following seven categories:

• Newbie/tool kit
• Cyber-punks
• Internals
• Coders
• Old guard hackers
• Professional criminals
• Cyber terrorists

Rogers ordered these categories from those with the least technical ability to those with the highest. The newbie/tool kit category Rogers classified as hacking novices, who had only basic coding skills and who had to depend on existing hacking tools to enable them to carry out their attacks. The cyber-punks’ programming ability, however, was slightly more advanced than the newbies’, in that they were able to write some of their own code and were more knowledgeable about the systems they were attacking. They also deliberately engaged in malicious activities, including theft and fraud. The internals consisted of disgruntled or former employees, possibly from an IT background, who had the capacity to carry out attacks due to the level of access they had been granted for their post. To this day, this category accounts for a very large proportion of security breaches. Rogers’ definition of old guard hackers is comparable to that of the student category defined by Landreth & Rheingold (1985), in that these individuals were not criminally minded and were interested purely in the intellectual challenges of hacking and furthering their knowledge, similar to the first generation of hackers originating from MIT as described by Raymond (2003) and Walleij (1998). The final categories, professional criminals and cyber terrorists, Rogers cites as being the most dangerous, classifying them as highly skilled criminals with access to high-tech equipment. These categories as defined by Rogers bear a close resemblance to Landreth & Rheingold’s (1985) ‘thieves’.

Rogers’ more recent work (Rogers, 2006) proposes a more up-to-date taxonomy that draws upon his earlier work (Rogers, 1999) and the works of Furnell (2002) and Gordon (2002). This revised version contains the following nine categories:

• Novice
• Cyber-punks
• Internals
• Petty thieves
• Virus Writers
• Old guard hackers
• Professional criminals
• Information Warriors
• Political activist

In Figure 2, Rogers shows the nine defined categories, their level of skill and the motivation behind their various activities.

Figure 2: Hacker circumplex (Rogers, 2006)
Note: Novice (NV), Cyber-punks (CP), Petty Thieves (PT), Virus writers (VW), Old Guard hackers (OG), Professional Criminals (PC), Information Warriors (IW), Political Activists (PA)
The final taxonomy of cyber adversaries this report will consider is one proposed by Meyers et al. (2009), which suggests separating hackers into the following eight categories:

• Script kiddies, newbies, novices
• Hacktivists, political activists
• Cyber punks, crashers, thugs
• Insiders, user malcontents
• Coders, writers
• White hat crackers, old guard, sneakers
• Black hat hackers, professionals, elite
• Cyber terrorists

Although this is a more up-to-date study, the definitions for the eight categories provided by Meyers et al. (2009) are in fact based heavily on Rogers’ works (Rogers, 2000), (Rogers, 2006), as well as on other previously carried out studies, some of which have already been examined in this report (Chantler, 1996), (Landreth & Rheingold, 1985). When comparing the above taxonomies, in particular that of Landreth & Rheingold, which dates back to 1985, and the most recent work this report examines, that of Meyers et al., which was proposed some fourteen years later, it can be seen that although Meyers et al. propose more categories of hackers than Landreth & Rheingold, the definitions and skills of the various individuals involved in hacking activities are in fact extremely similar, with the exception of the cyber terrorists, whose goal according to Meyers et al. is to cause damage or destruction to an enemy nation’s infrastructure or data. So, although some of the characteristics of hackers remain unchanged from years ago, it is apparent that the motivation behind some attacks and the goals of some hackers today are far more sinister than in previous years.

2.3 Attack Taxonomy

2.3.1 Classification of Attacks

Various papers have been written over the years proposing taxonomies intended for classifying attacks. Some concentrated on particular types of attack, such as the works of Collins et al. (2006) and Weaver et al. (2003), who studied various types of worms. Lough (2001) provided an attack taxonomy specifically relating to the field of wireless networks, and Specht & Lee (2004) and Wood & Stankovic (2004) both proposed a classification system which focused on Distributed Denial of Service (DDoS) attacks and the various ways to defend against them. One of the earliest general attack taxonomies was proposed by Neumann and Parker (1989), which put forward nine different categories of attack for consideration. These can be seen in Figure 3, ‘Classes of Computer Misuse Techniques’.
Figure 3: Classes of Computer Misuse Techniques (Neumann & Parker, 1989)

Hansman and Hunt (2004), however, provide a different type of taxonomy, focusing more on specific types of attack which would, for all intents and purposes, fall under the headings Neumann and Parker had initially proposed. Their eight suggested categories are as follows: Viruses, Worms, Buffer Overflows, Denial of Service Attacks, Network Attacks, Physical Attacks, Password Attacks and Information Gathering Attacks. A more comprehensive classification system is provided by Buchanan (2011) which, although it primarily uses the same categories proposed by Neumann and Parker in 1989, includes an additional class of ‘Pests’. Examples of attacks that fall into these categories are also specified and defined. As it would not be possible to address every type of attack in this report, for the purposes of this dissertation Scanning/Information Gathering Attacks and Brute Force Attacks will be examined in detail.

Scanning/Information Gathering Attacks

Attacks on networks are generally approached in several stages; this is further explored in Section 2.3.2 Attack Patterns. During the first stage, an attacker may probe or scan a network looking for a vulnerability or point of entry. Valuable information can be gained from scanning/information gathering attacks, such as the network topology, the kind of traffic permitted through the firewall, which hosts are active on the network, which services are running and details of the operating system being used. Shaikh et al. (2008) observe that the more information an intruder has about their intended target, the higher the probability of the intruder being able to carry out an attack successfully and, furthermore, avoid detection.
Buchanan (2011) asserts that any sign of scanning or probing activity should be seen as a sure sign of a forthcoming security breach. Shaikh et al. (2008) further suggest that, in order to avert security breaches, these information gathering/probing attacks must be detected as early as possible. The work of de Vivo et al. (1999) identifies many different types of scanning technique, such as TCP SYN scanning, stealth scanning and indirect scanning. In the case of TCP SYN scanning, the attacker sends a SYN to any number of ports on the victim machine; if the port is open a SYN/ACK is returned, and if the port is closed a RST/ACK is returned. Stealth scanning differs from SYN scanning in that it uses FIN packets instead of SYN segments. If the port is closed, as with SYN scanning, a RST/ACK is returned; however, if the port is open the FIN segment is simply dropped. Indirect scanning involves the use of spoofed IP addresses with the sole intent of hiding the location of the intruder.

According to Bace & Mell (2001), many different tools can be used for the purpose of scanning and information gathering, such as network mappers, port mappers, network scanners, port scanners or vulnerability scanners, to gain valuable information about a network. Nmap, a well-known and popular network mapper, is a free and open source utility used by millions of people ranging from novices to highly skilled hackers. Nmap can be used by attackers during the reconnaissance phase of an attack to quickly scan a range of devices in order to gain valuable information about the network and identify any potential vulnerabilities or possible points of entry to the system (Lyon, 2009). Nmap can perform a variety of scans, including ping sweeps to identify which hosts are active on the network, operating system scans which allow the attacker to glean details about the operating system being used, and port scans which identify which ports are open and which services are running on the network.

Brute Force Attacks

Tasevski (2011) suggests that the foremost method of controlling access to systems is by means of passwords. Users must input passwords in order to identify themselves to the system and to gain access to the required resources. Other research suggests, however, that passwords are soon to be a thing of the past, as they present a large security risk, and that the use of biometrics is becoming more prevalent as a standard authentication mechanism because biometric characteristics are unique to each individual (Chin-Chuan, 2003), (Brown, 2003).
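The scanning behaviour described above (a SYN probe answered with SYN/ACK or RST/ACK, a FIN probe answered with RST/ACK or silently dropped) can be turned into a simple port-scan detector of the kind that the Snort preprocessor used later in this project provides. The Python below is an added example written for this section, not code from the dissertation or from Nmap or Snort; the addresses, ports, timings and the threshold of 20 distinct ports in 10 seconds are all constructed assumptions. It counts distinct destination ports per source over a sliding window, so that a stealth (FIN) scan is still detected even though its probes against open ports draw no reply at all.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All addresses, ports and timings below are constructed for this example
# (TEST-NET documentation ranges); they are not from the dissertation's testbed.
START = datetime(2015, 3, 1, 9, 0, 0)


def synth_scan(src, flags, ports, open_ports, gap_ms=5):
    """Build probe records (ts, src, dport, flags, reply) for one probing host.
    Replies follow the behaviour described in the text: a SYN probe gets SYN/ACK
    from an open port and RST/ACK from a closed one; a FIN probe gets RST/ACK from
    a closed port and nothing at all from an open one (the segment is dropped)."""
    events = []
    for i, port in enumerate(ports):
        ts = START + timedelta(milliseconds=i * gap_ms)
        if flags == "SYN":
            reply = "SYN/ACK" if port in open_ports else "RST/ACK"
        else:
            reply = None if port in open_ports else "RST/ACK"
        events.append((ts, src, port, flags, reply))
    return events


def summarise_replies(events):
    """Per source, count how the target answered: 'SYN/ACK', 'RST/ACK' or 'none'."""
    counts = defaultdict(lambda: {"SYN/ACK": 0, "RST/ACK": 0, "none": 0})
    for _, src, _, _, reply in events:
        counts[src][reply or "none"] += 1
    return dict(counts)


def detect_port_scans(events, port_threshold, window_seconds):
    """Return {src: peak distinct ports} for every source that touches more than
    `port_threshold` distinct destination ports inside any sliding window of
    `window_seconds`. Probes are counted whether or not the target replied, so a
    FIN scan whose open-port probes draw no reply is still seen."""
    window = timedelta(seconds=window_seconds)
    history = defaultdict(list)          # src -> [(ts, port)] in time order
    flagged = {}
    for ts, src, port, _, _ in sorted(events, key=lambda e: e[0]):
        hist = history[src]
        hist.append((ts, port))
        while hist and ts - hist[0][0] > window:   # expire probes older than the window
            hist.pop(0)
        distinct = len({p for _, p in hist})
        if distinct > port_threshold:
            flagged[src] = max(flagged.get(src, 0), distinct)
    return flagged


if __name__ == "__main__":
    open_ports = {21, 23, 80}            # FTP, Telnet and HTTP, the services examined in the dissertation
    traffic = (synth_scan("192.0.2.10", "SYN", range(1, 201), open_ports)
               + synth_scan("192.0.2.11", "FIN", range(1, 201), open_ports)
               + synth_scan("192.0.2.30", "SYN", [21, 23, 80], open_ports, gap_ms=5000))
    print(detect_port_scans(traffic, 20, 10))        # both scanners, not the ordinary client
    print(summarise_replies(traffic)["192.0.2.11"])  # the FIN scanner: 3 silent ports, 197 RST/ACK
```

Because the detector keys on probes rather than replies, a view built only from the target's answers (for example, counting RST/ACK segments leaving the server) would undercount a FIN scan by exactly the number of open ports, which is precisely the information the scanner is after.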
Whitman & Mattord (2012) note that in order for an attacker to gain entry to a system, a valid user name and password must be acquired. Drasar’s research (2013) intimates that attackers play on the fact that users are apt to select weak passwords, leaving them open to attack. Vykopal (2013) agrees, stating that attackers presume users select passwords that are either short or are names or words from the dictionary. Whitman & Mattord (2012) and Vykopal (2013) note that acquiring a valid user name and password can be achieved in one of two ways: either by carrying out a brute force attack, which uses random combinations of all characters and can be very time consuming, or by a dictionary attack, a variation of a brute force attack which uses lists of commonly known user names and passwords. Vykopal (2013) proposes two categories of brute force attack: simple or distributed. In simple attacks all the authentication attempts come from a single host, whereas in distributed attacks many different hosts each initiate a much smaller number of authentication requests, making the attack much harder to detect. Once an attacker has gained a foothold on the system by accessing a user account, Buchanan (2011) affirms that it is then possible, using those credentials, to obtain further information about the system and advance up the privilege levels. If the attacker were then able to obtain the Administrator’s credentials, with the highest level of privileges, it would be possible for the intruder to cause untold damage to the system or to steal confidential information. An example of a tool which can be used to perform such attacks is Hydra. Hydra is an extremely fast logon cracker that can be used to carry out brute force dictionary attacks against many different protocols, including FTP, Telnet, SMTP and HTTP (THC-Hydra, 2014).
In order to carry out the attack, files containing well-known user names such as administrator, guest and root, and commonly used passwords, must be provided to the utility, as well as the IP address of the target. Hydra will then endeavour to crack the user name and password by trying every possible permutation. If successful, Hydra will discontinue the attack and return the correct user name and password.
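The detection side of the two experiments summarised in the abstract (a rapid attack of 1,935 failed logins in about 10 seconds caught by a rule of ‘over 100 failed logins in 10 seconds’, and a ‘low and slow’ attack of one attempt per minute that the same rule misses) and of Vykopal’s simple versus distributed distinction above can be shown in a few lines of Python. This is an added example for this section, not the dissertation’s Splunk rule and not Hydra’s or Splunk’s own code; the log line format, the addresses, the account name and the window lengths are constructed assumptions. One sliding-window counter is keyed either on the source address (the per-attacker rule) or on the target account, with the window length as a parameter, so the example shows both why the 10-second rule misses the slow attack unless the window is widened and why a per-source rule misses a distributed attack that a per-account rule catches.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from itertools import cycle

# Constructed audit line format for this example (a simplified FTP login record,
# not the format of the FTP server, Snort or Splunk used in the dissertation).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<result>FAILED|OK) login user=(?P<user>\S+) from=(?P<src>\S+)$"
)
START = datetime(2015, 3, 1, 9, 0, 0)  # constructed start time for all sample logs


def parse_line(line):
    """Parse one audit line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "failed": m["result"] == "FAILED", "user": m["user"], "src": m["src"]}


def failed_logins_over(lines, key, threshold, window_seconds):
    """Return the values of `key` ('src' or 'user') that accumulate more than
    `threshold` failed logins inside any sliding window of `window_seconds`.
    key='src' is the per-attacker rule ('over 100 failed logins in 10 seconds');
    key='user' aggregates the same failures across all sources instead."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)       # key value -> timestamps still inside the window
    flagged = set()
    events = [e for e in map(parse_line, lines) if e is not None and e["failed"]]
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent[ev[key]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # expire failures older than the window
            q.popleft()
        if len(q) > threshold:
            flagged.add(ev[key])
    return flagged


def _line(offset, result, user, src):
    ts = (START + offset).strftime("%Y-%m-%d %H:%M:%S.%f")[:-3]
    return f"{ts} {result} login user={user} from={src}"


def fast_attack(attempts=1935, seconds=10):
    """Constructed: one host sends `attempts` failures spread evenly over `seconds`
    seconds (the rapid dictionary attack of the first experiment)."""
    step = timedelta(seconds=seconds) / attempts
    return [_line(i * step, "FAILED", "administrator", "192.0.2.10") for i in range(attempts)]


def slow_attack(attempts=180):
    """Constructed: one failure per minute from one host (the 'low and slow' case)."""
    return [_line(timedelta(minutes=i), "FAILED", "administrator", "192.0.2.20")
            for i in range(attempts)]


def distributed_attack(attempts=300, hosts=100):
    """Constructed: the same account hit from many hosts, only a few attempts each."""
    srcs = cycle([f"198.51.100.{n}" for n in range(1, hosts + 1)])
    return [_line(timedelta(milliseconds=20 * i), "FAILED", "administrator", next(srcs))
            for i in range(attempts)]


def normal_traffic():
    """Constructed: an ordinary user who mistypes twice and then logs in."""
    return [_line(timedelta(seconds=1), "FAILED", "alice", "192.0.2.30"),
            _line(timedelta(seconds=7), "FAILED", "alice", "192.0.2.30"),
            _line(timedelta(seconds=15), "OK", "alice", "192.0.2.30")]


if __name__ == "__main__":
    print("fast, >100 in 10 s, per source  :", failed_logins_over(fast_attack() + normal_traffic(), "src", 100, 10))
    print("slow, >100 in 10 s, per source  :", failed_logins_over(slow_attack(), "src", 100, 10))
    print("slow, >100 in 24 h, per source  :", failed_logins_over(slow_attack(), "src", 100, 24 * 3600))
    print("distributed, per source         :", failed_logins_over(distributed_attack(), "src", 100, 10))
    print("distributed, per account        :", failed_logins_over(distributed_attack(), "user", 100, 10))
```

In the dissertation’s terms, widening the window is the abstract’s conclusion that data must be collected and analysed over a much longer period; keying on the account rather than the source is the corresponding answer to the distributed case, at the cost of also counting a legitimately forgetful user, which is why the threshold must stay well above normal failure rates.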
2.3.2 Attack Patterns

Whitman and Mattord (2012) define an attack as ‘an intentional or unintentional act that can cause damage to or otherwise compromise information and/or the systems that support it’. An attack or intrusion typically follows a pattern consisting of several stages. Barnum et al. (2007) write that attack patterns make it possible to classify attacks in a way that can assist in the design of appropriate security solutions, and that, armed with the knowledge of how specific attacks are carried out, what stages an attack will go through and the motivation behind the attack, it is possible to implement measures to prevent these attacks. Mohay et al. (2003) suggest that this pattern is made up of three stages: the reconnaissance phase, the attack phase and the ‘pay off and exit’ phase. The reconnaissance phase as defined by Mohay et al. involves gathering information that will enable the attacker to identify a vulnerability in the system. The attack phase subsequently involves exploiting that vulnerability, thereby allowing the attacker to gain access to the system. Depending on motive, the final stage, the ‘pay off and exit’ phase, could see the attacker accessing, corrupting or destroying information, resulting in a breach of confidentiality, integrity or availability. The work of Buchanan (2011) provides a more detailed account of attack patterns and proposes five attack phases, colour coded from yellow to red according to level of severity. Figure 4 shows the five attack phases as identified by Buchanan, with additional information as to what could be expected during each phase of an attack.

• Outside Reconnaissance: the attacker gathers information already in the public domain, such as domain names or IP addresses.
• Inside Reconnaissance: using network scanning tools such as Nmap, the attacker attempts to gain more detailed information, e.g. network topology, active hosts on the network (ping sweep), location of devices and open ports (TCP/UDP scans) and account scans (scanning user IDs for weak passwords).
• Exploit: the attacker finds a weakness, such as cracking a password (brute force attack, dictionary attack) or breaching a firewall.
• Foothold: once inside, the attacker can then advance up the privilege levels.
• Profit: data stealing, system damage, user abuse, fraud, terrorism, financial gain, political gain, resource utilisation (DoS).

Figure 4: Pattern of Attack - adapted from (Buchanan, 2011)
In relation to the above diagram, the outside reconnaissance phase sees the attacker gathering information about the intended target that is already in the public domain, such as domain names or IP addresses. During the inside reconnaissance phase, the attacker attempts to gain more information such as the network topology, the kind of traffic permitted through the firewall, which hosts are active on the network and details of the operating system being used. Various scanning tools can be used during the reconnaissance phase of an attack to quickly scan a range of devices in order to gain valuable information about the network and identify any potential vulnerabilities or possible points of entry to the system. Once an attacker has discovered a weakness that they can exploit, such as cracking a password, they can gain entry to the system and, once inside, gather more information that will allow them to advance up the privilege levels. Barnum et al. (2007) however take a different approach and suggest that, in addition to the chain of events an attacker will follow to carry out a specific type of attack, an attack pattern should consist of the following information:
• Pattern Name and Classification
• Attack Prerequisites
• Description
• Related Vulnerabilities or Weaknesses
• Method of Attack
• Attack Motivation-Consequences
• Attacker Skill or Knowledge Required
• Resources Required
• Solutions and Mitigations
• Context Description
• References

It can be deduced from the above works that attack patterns have a clear place in the field of security, and that by identifying attack-specific information, such as why and how different types of attack are carried out and the skills and goal of the attacker, it should then be possible to implement the correct security measures in order to detect or even prevent certain attacks.
Advanced Persistent Threat

According to an RSA Security Brief (Curry, et al., 2011), Advanced Persistent Threats (APTs) are one of the most dangerous and rapidly growing threats to information security that organisations are confronted by today. The term Advanced Persistent Threat is defined by the National Institute of Standards and Technology (NIST) as 'an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors' (Ross, et al., 2010). Curry et al. (2011) indicate that although in the past these attacks were generally aimed at military and political targets, attackers now appear to be directing them more and more at enterprise targets for monetary reward. Thomson (2011) however states that the motivation behind some of these attacks is to highlight security problems, or purely the pleasure of causing chaos. Schwartz (2011) points out that RSA itself was recently on the receiving end of one of these targeted attacks. RSA later stated that, after a thorough investigation, the attackers were not targeting their customers' financial details, but
that the intended targets were more than likely the defence sector and other government-related departments. Whatever the attackers' motive in this instance, the attack subsequently cost the organisation in the region of $66 million in direct costs alone. Advanced Persistent Threats are regarded as 'low and slow': 'low' meaning that the attacks are carried out in a covert manner in order to avoid detection, and 'slow' referring to the measured and unhurried way in which the attacks are carried out (Giura & Wang, 2013), (Tankard, 2011). Giura & Wang (2013) state that although each attack is individually tailored and adapted for the specific target, the phases they go through are analogous; however, there are varying opinions as to how many stages there actually are and what each of these stages entails. Smith (2013) suggests that APT attacks go through three specific stages: Access Expansion, Persistence, and Asset Targeting and Exfiltration. Thonnard et al. (2012) propose four phases: Incursion, Discovery, Capture and Exfiltration. Giura & Wang (2013) and Dalal (2012) take this even further, specifying six stages: Reconnaissance, Delivery, Exploitation, Operation, Data Collection and Exfiltration. Figure 5 illustrates the typical stages, as defined by Giura & Wang (2013), that an Advanced Persistent Threat will follow.
Figure 5: Typical Stages of an APT – adapted from (Giura & Wang, 2013). The activities the diagram lists under each stage are:
• Reconnaissance: network scan, network mapping, employee profiling, search for zero-day exploits
• Delivery: craft targeted email, create malware (RAT), set up malicious URL, send spear-phishing email
• Exploitation: deliver spear-phishing email, exploit employee user machine, collect user credentials, scan internal network
• Operation: locate target data, target most privileged users, elevate access privileges, access sensitive data
• Data Collection: select intermediary staging servers, move sensitive data, pack and compress data, encrypt data
• Exfiltration: select drop servers, establish large C&C channels, initiate external connections, exfiltrate data

There follows a short description of what each of these stages actually entails, as defined by Giura & Wang (2013) and Dalal (2012).
• Reconnaissance Phase: The attacker gathers information about the network and specific employees, determining who to target and how.
• Delivery Phase: The attacker composes and sends an email to particular individuals which contains a malicious attachment or directs them towards an infected website.
• Exploitation Phase: The spear-phishing email is delivered, allowing attack tools to be installed and thereby enabling the attacker to gain more information about the internal network, such as security configurations, usernames and passwords.
• Operation Phase: The attacker maintains a continuing presence in the network, trying to identify where the organisation's sensitive information is stored, who has access to it, and how they can gather the information and then transport it out of the network.
• Data Collection Phase: Using credentials obtained in the Exploitation and Operation phases, the attacker accesses the targeted information, divides it up, compresses it and encrypts it in readiness for exporting it out of the network to a predefined location.
• Exfiltration Phase: During the final phase of the attack, the information is moved out of the network via encrypted channels to one or more 'drop points'. Once the information is in the hands of the attacker, it can be sold or used for the purposes of extortion.

Virvilis et al. (2013) suggest that APT attacks cannot be detected merely by using normal security measures such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS), as these tend to operate in real time and will only generate alerts for attacks taking place over a short window of time. As APTs are generally carried out over a longer period of time, it is quite possible for them to go undetected. Virvilis et al. propose that, rather than focusing on trying to detect these attacks with tools that concentrate on real-time incidents, Big Data Analytics are essential for preventing such attacks. Tankard (2011) also notes that by analysing data collected from a variety of sources over a much longer period of time, it is possible to detect less obvious attack indicators such as an increase in failed login attempts, excessive network traffic and unusual resource utilisation (Virvilis, et al., 2013), (Tankard, 2011). Smith (2013) suggests that only a defence in depth approach to security will help to prevent these more sophisticated forms of attack, that there is no single solution, and that it is not only network security that needs to be continuously assessed: educating staff so that they do not open unsolicited emails or click on links is also a crucial factor in maintaining secure systems. Thomson (2011) agrees that additional security measures are required in order to detect and hopefully prevent these types of attacks and that a layered approach to security is a necessity. Thomson also notes that particular attention should be paid to those staff who are most likely to be targeted. It can be concluded from the above research that although the traditional security measures of Intrusion Detection Systems and Intrusion Prevention Systems are inadequate when it comes to detecting and preventing Advanced Persistent Threats, due to the 'low and slow' modus operandi of these attacks, Big Data Analytics, with the ability to collect and analyse data over a long period of time, offers a solution to this problem.
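To illustrate the point made by Virvilis et al. and Tankard above, the following Python script (an added example, not part of this dissertation or of any of the cited works) runs one and the same rule, 'N failed logins from a single source address inside a sliding window', at two scales over a constructed set of failed-login events. The attacker address 10.0.0.9, the legitimate address 10.0.0.5, the usernames, the one-failure-every-ten-minutes rate and both thresholds are assumed values chosen for the illustration.

```python
"""Added example (not from the dissertation or the cited works): the same
failed-login threshold rule run at a real-time scale and at a retrospective
scale over constructed events, showing why 'low and slow' evades the former."""
from collections import defaultdict
from datetime import datetime, timedelta

START = datetime(2015, 3, 1, 0, 0, 0)
# Constructed events: (timestamp, source address, username) of one failed login.
# 10.0.0.9 is a 'low and slow' attacker: one failure every 10 minutes for a day
# (144 failures). 10.0.0.5 is a legitimate user who mistyped a password twice.
EVENTS = [(START + timedelta(minutes=10 * i), "10.0.0.9", "admin") for i in range(144)]
EVENTS += [(START + timedelta(hours=9, seconds=s), "10.0.0.5", "pdempster") for s in (0, 7)]
EVENTS.sort()


def window_alerts(events, threshold, window):
    """Return the source addresses that produced at least `threshold` failures
    inside any sliding `window` (a timedelta)."""
    by_src = defaultdict(list)
    for ts, src, _user in events:
        by_src[src].append(ts)
    alerted = set()
    for src, times in by_src.items():
        times.sort()
        left = 0
        for right in range(len(times)):
            while times[right] - times[left] > window:  # drop events older than the window
                left += 1
            if right - left + 1 >= threshold:
                alerted.add(src)
                break
    return alerted


def short_window_alerts(events):
    """A typical real-time IDS rule: 5 failures from one address within 60 seconds."""
    return window_alerts(events, threshold=5, window=timedelta(seconds=60))


def long_window_alerts(events):
    """A retrospective rule over stored events: 50 failures from one address within 24 hours."""
    return window_alerts(events, threshold=50, window=timedelta(hours=24))


if __name__ == "__main__":
    print("short-window alerts:", short_window_alerts(EVENTS))
    print("long-window alerts:", long_window_alerts(EVENTS))
```

Run as-is, the short-window rule alerts on nothing (a false negative for 10.0.0.9) while the long-window rule alerts on 10.0.0.9 only; the legitimate user's two mistakes trip neither. The second rule is only possible if the failed-login events are retained and queried over the longer period, which is the storage and analysis role a SIEM fills in the architecture proposed later in this dissertation.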
2.4 Defence in Depth

The term defence in depth originates from the military practice of positioning multiple layers of defence in the path of an attacker for the purpose of slowing them down (Buchanan, 2011), (Andress & Winterfield, 2014). Andress & Winterfield (2014) note that it is not viable for organisations to presume to create a situation where their defences are in fact impassable; however, by employing numerous security strategies, it should be possible to hamper attackers' efforts for long enough to be able to detect their actions or even deter them altogether. The National Security Agency (2014) proposes that in order for organisations to successfully defend against attacks, it is imperative that possible adversaries and their motivations are identified, as well as the types of attack that may be carried out against them. Whitman & Mattord (2012) suggest that these layers of defence should be structured to include security policy, an ongoing staff training and education programme, and technology. The NSA (National Security Agency, 2014) suggests that in order for organisations' assets to be adequately protected, the defence in depth approach needs to incorporate the following three entities: people, technology and operations. Virvilis et al. (2013) emphasise that with cyber attacks becoming more and more prevalent, and where the consequences of such attacks, particularly in relation to the military and government, can result in the loss of life, it is essential to recognise the challenges and limitations faced by existing technologies in relation to today's more complex attacks. In 2013, Gartner stated that "Prevention is futile in 2020. Advanced targeted attacks make prevention-centric strategies obsolete" (Gartner, 2013).
In a subsequent report published in 2014, Gartner suggested that in order to achieve across-the-board protection, 'an adaptive protection process integrating predictive, preventative, detective and response capabilities' was necessary, and that a shift in thinking was required, moving from 'incident response' to 'continuous response', 'wherein systems are assumed to be compromised and require continuous monitoring and remediation' (Gartner, 2014). Figure 6, taken from a Gartner presentation entitled 'The Five Styles of Advanced Threat Defense' (Orans, 2014), looks at the technologies required for defending against targeted attacks and shows what stage mainstream enterprises are at when it comes to implementing these strategies.

Figure 6: Defending Against Targeted Attacks (The Five Styles of Advanced Threat Defense - Gartner Presentation) (Orans, 2014)
It can be determined from the above research that, with cyber attacks becoming more prevalent and with the emergence of Advanced Targeted Attacks, although it is not possible for organisations to hope to create a situation where their defences are impenetrable, by employing numerous security strategies and by taking a new approach to security whereby systems are presumed to be compromised and require continuous monitoring and remediation, it should be possible to achieve comprehensive protection.

2.5 Defence Mechanisms

2.5.1 Intrusion Detection Systems

Bace & Mell (2001) define intrusions as "attempts to compromise the confidentiality, integrity or availability, or to bypass the security mechanisms of a computer or network." Whitman & Mattord (2012) make the presumption that, most often, intrusions are carried out by outsiders; however, Scarfone & Mell (2007) dispute this, stating that although many security intrusions come from outside the organisation, many incidents are actually the result of authorised users abusing their privileges, and some threats may in fact be the result of human error. According to the works of Scarfone & Mell (2007) and Bace & Mell (2001), in order to detect intrusions, computer system and network events must be continuously monitored and analysed. As indicated by Bace & Mell (2001), there are three main working components that are fundamental to the makeup of an Intrusion Detection System. These are as follows:
• Information Sources: The computer system and network events which are monitored in order to ascertain whether an intrusion has occurred.
• Analysis: The component of the IDS that analyses the computer system and network event information in order to determine whether an intrusion is currently taking place or has already occurred.
• Response: The actions that are carried out by the IDS once an intrusion has been detected, classified as either active or passive responses. In the case of active responses, the IDS automatically deals with the intrusion, whereas in the case of passive responses, the IDS relays its findings, generally in the form of an alarm or notification, to a user, often an administrator, so that a decision on how to react may be made (Bace & Mell, 2001).

Ruiz-Martinez, et al. (2014) note that there are four possible outcomes when an IDS evaluates event information:
• True Positive: The IDS generates an alarm and an intrusion has taken place
• False Positive: The IDS generates an alarm, but the events detected are in fact legitimate
• True Negative: The IDS does not generate an alarm and no intrusion has taken place
• False Negative: The IDS does not generate an alarm although an intrusion has occurred

Intrusion Detection Systems (IDS) fall into two categories: signature based or anomaly based. According to Scarfone & Mell (2007), signature based intrusion detection systems, which use pattern matching, provide the most accurate method for detecting known attacks. Whitman & Mattord (2012) note however that one disadvantage of signature based detection is that, since prior knowledge of an attack is necessary, unless new signatures are constantly added, new attacks may go undetected. One example of a signature based IDS is Snort. Snort is an open source IDS/IPS that is capable of real-time traffic analysis. Martin Roesch (1999) refers to Snort as a "lightweight network intrusion detection tool" suited to monitoring smaller scale networks. Snort ships with a set of preprocessors and rules that will detect many forms of attack; however, it is also relatively easy to write new rules in order to adapt to new forms of attack. Scarfone & Mell (2007) observe that anomaly based IDS monitor the behaviour of users, hosts or network connections. Information is gathered about normal system or user activity and used to set a baseline. If behaviour then deviates from that norm, the change can be treated as suspicious activity and logged. Whitman & Mattord (2012) note that one advantage of this anomaly based approach is that new attacks can be detected; however, this type of detection has its limitations: first, it is still possible for a user to carry out malicious activities without deviating from their normal behaviour pattern, and second, due to the erratic behaviour of networks and users, it generally produces a lot of false positives. It can be concluded from the above research that both signature based IDS and anomaly based IDS have their place when it comes to detecting intrusions; both have advantages and both have disadvantages.

2.5.2 Big Data Analytics

According to a study carried out by IDC (International Data Corporation), Gantz and Reinsel (2012) report that between the start of 2005 and the end of 2020 the amount of 'digital data created, replicated and consumed' will increase three hundred fold, from 130 exabytes to 40,000 exabytes, which is equal to 5,200 GB per person. Figure 7 shows that from the start of 2010 to the end of 2020, the total amount of digital data will increase by a factor of 50.
Figure 7: The Digital Universe: 50-fold growth from the beginning of 2010 to the end of 2020 (digital data in exabytes by year, 2009 to 2020, rising to 40,000 exabytes). IDC's Digital Universe Study, sponsored by EMC, December 2012 (Gantz & Reinsel, 2012)

In 2001, Doug Laney of the Meta Group (now part of Gartner) defined big data with the three dimensions volume, velocity and variety (Laney, 2001):
• Volume: The first V refers to the sheer amount of data. Buchanan (2014) notes that the amount of data being generated is constantly increasing and states that 90% of all the data in the Cloud has been created within the last 2 years, with 2.5 quintillion bytes of data being produced daily, the equivalent of 1 billion hard disks. According to McNulty (2014), 100 terabytes of data are uploaded on a daily basis to Facebook alone, whilst Buchanan (2014) states that 12 terabytes of tweets are generated daily. Russom (2011) states that although the majority of people refer to terabytes or petabytes in relation to quantifying big data, it can also be measured by counting records, transactions, tables or files.
• Variety: The second V refers to the range of sources and forms the data takes. Russom (2011) states that what causes big data to be big is that the sources of data are far more diverse now than in previous years. Russom notes that many of the more recent sources are Web related, such as clickstreams and social media, but also mentions text data from call centres, geospatial data and RFID data. Niemeijer (2014) also notes that the variety of data being generated has expanded, changing from simply plain text to images, audio, video, locations and sensor data. Russom (2011) goes on to say that it is not just the sources of data that have evolved, but also the type of data being collected. Mark van Rijmenam (2014) writes that whereas previously all data generated was structured, 90% of the data created today is unstructured and comes in a wide variety of formats. Russom (2011) gives human language as an example of unstructured data and XML and RSS feeds as examples of semi-structured data, and also notes that some data, such as that from audio, video and other devices, does not fall into any particular category.
• Velocity: The third V, according to van Rijmenam (2014) and McNulty (2014), relates to the speed at which data is currently being created and how fast the data can be processed, stored, analysed and visualised. McNulty (2014) and van Rijmenam (2014) also state that every minute of every day, 200 million emails and 300,000 tweets are sent and 100 hours of video are uploaded to YouTube. van Rijmenam (2014) writes that where previously it took time for data to be processed and databases to be updated, now data is being created in real time and can be collected from a variety of sources and processed immediately.

Figure 8 defines the three V's of big data: Volume, Velocity and Variety.

Figure 8: The Three V's of Big Data (Niemeijer, 2014)
Mark van Rijmenam (2014) expands on the above in an article 'Why The 3V's Are Not Sufficient To Describe Big Data' and proposes a further four V's, namely Veracity, Variability, Visualisation and Value. These additional categories are:
• Veracity: Veracity in the context of big data refers to the accuracy or correctness of the data. According to van Rijmenam (2014) and McNulty (2014), although there are huge possibilities for organisations through the analysis of big data, unless the data is accurate it holds no value. McNulty (2014) goes on to point out that what organisations have to understand about big data is that a huge amount of work must be carried out in order to clean up the data and to ensure its accuracy before the process of analysis can commence.
• Variability: Variability in the context of big data refers to the constant shifting in the meaning of the data. McNulty (2014) explains that, for data that depends on language processing, the same word can have different meanings when used in different contexts. The solution to this problem, according to both McNulty (2014) and van Rijmenam (2014), is that organisations will have to create complex programmes that are capable of deciphering context in order to define the intended meaning of words.
• Visualisation: Visualisation in the context of big data refers to the ability to present huge quantities of raw data in a format that is simple to understand and easy to look at (van Rijmenam, 2014), (McNulty, 2014). These visualisation techniques take the form of images, diagrams and animations and, according to a report by the McKinsey Global Institute (Manyika, et al., 2011), form an essential part of the data analysis process in enabling people to comprehend large amounts of numerical or text data.
• Value: Value in the context of big data refers to the financial benefits organisations stand to gain through the analysis of big data. According to McKinsey's report (Manyika, et al., 2011), big data has an estimated value of $300 billion to the US health care system and 250 billion Euros to Europe's public sector administration. van Rijmenam (2014) points out, however, that data alone holds no value; it is the analysis of the data and the resulting knowledge that can be gained from that analysis that is of huge value to many organisations.

According to Russom (2011), "Big Data Analytics is where advanced analytic techniques operate on big data sets." Taft (2012) notes that a wide range of industries, such as the financial sector, the retail industry, the physical sciences and the life sciences, are now generating and analysing huge amounts of data. The financial sector is using data analytics to devise trading strategies and to aid in the creation and development of new financial products. The retail sector is using data analytics to determine what products customers are looking at and subsequently purchasing, in order to gain insight into customers' buying habits. In the case of the life sciences, Brust (2012) suggests that with the use of data analysis tools such as Hadoop, not only is there the possibility to alter lives for the better; there is also the potential to save lives. Tankard (2012) states that outside of commercial organisations, big data analytics can be used in a variety of other ways, for example in enhancing governments' capacity to detect and even prevent threats from foreign countries.
Tankard quotes the United States Department of Homeland Security as having stated that by analysing data from various sources such as the Internet and social media sites and by examining and monitoring the sites individuals were viewing and what was being communicated, it would have been possible to foresee the Arab Spring revolutions.
It can be seen from the above that a wide range of sectors, from commercial organisations to governments to medical research facilities, can benefit in a variety of different ways from the use of data analytics.

2.5.3 SIEM

Gartner reported in 2011 (Nicolett & Kavanagh, 2011) that although Security Information and Event Management systems (SIEMs) are often implemented in order to deal with regulatory compliance reporting requirements, once deployed, organisations were also looking to take the opportunity to improve their capacity for dealing with security incidents. According to Karlzen (2009), there are several reasons organisations implement SIEM systems: compliance, insider threats and the costs organisations can incur as a result of a security breach. Gartner (Nicolett & Kavanagh, 2013) expand on this by stating that SIEM technology is often implemented for the purposes of detecting external and internal threats, monitoring the actions of users, in particular those with a high level of privileges, monitoring server and database access, behaviour profiling, and offering analytic capabilities in order to improve the management of incident responses. The works of Afzaal, et al. (2012) and Garofalo, et al. (2014) affirm that SIEMs are extensively used to monitor and protect critical infrastructures. Afzaal, et al. (2012) stress that when a security breach takes place, the forensic analysis of stored events is of vital importance in tracking and subsequently identifying attackers. Afzaal, et al. go on to say that once the attacker has been identified, the results of the forensic analysis can then be taken to court and used as evidence in order to secure a conviction. Grzinic, et al. (2013) agree that analysing data for the purpose of detecting security incidents is invaluable, but raise concerns as to the intelligence of commercial SIEM products, suggesting that due to the basic statistical techniques employed by these products, the detection of threats or intrusions falls mainly to the data analysts. Hernando (2014) agrees, pointing out that as rules must be expressly designed for each new attack, correlation modules are not at present capable of detecting new types of threat, or even existing threats where the behaviour of the threat deviates from the norm. Hernando does believe, however, that as network infrastructures have become more complex and the amount of event information has increased, it is no longer feasible for security personnel to manually examine the amount of data that is currently being generated, and that therefore SIEMs, whatever their limits, are a welcome solution to this problem. There are various SIEM products available on the market from different vendors, such as Hewlett Packard (ArcSight), IBM (QRadar, acquired with Q1 Labs), AlienVault and Splunk, all of which differ slightly; however, the basic functions are the same (Karlzen, 2009). Hollows (2002) quotes Gartner as stating that SIEM technologies must be able to provide the following five services, otherwise known as the 'five Cs':
• Collection: log data is collected from a diverse range of sources such as network devices, security devices, servers, databases and applications.
• Consolidation: log data is normalised and aggregated.
• Correlation: separate log events are linked together in order to identify and construct an imminent threat or an attack as a whole.
• Communication: once a potential threat or an attack has been identified during the correlation phase, an alert is generated.
• Control: relates to how the data is stored, whether while the data is being analysed and is available online, or once the data is no longer required to be readily available (Karlzen, 2009), (Hollows, 2002).

In 2013, Gartner rated SIEM technologies according to their ability to deliver real-time monitoring, threat intelligence, behaviour profiling, data and user monitoring, application monitoring, analytics, log management and reporting, and deployment and support simplicity. The highest scoring products according to Gartner's calculations are HP ArcSight, IBM QRadar (Q1 Labs), McAfee ESM, LogRhythm and Splunk (Nicolett & Kavanagh, 2013). Figure 9 shows the overall score for each vendor's product according to Gartner.

Figure 9: Overall score for each Vendor's product based on the non-weighted score for each Critical Capability (Nicolett & Kavanagh, 2013)

It can be concluded from the above research that although SIEM systems are often implemented in order to deal with regulatory compliance reporting requirements, organisations are increasingly turning to SIEMs that offer analytic capabilities to improve the management of responses to security incidents.
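The first four of the five Cs can be demonstrated end to end on constructed log data. The following Python script is an added example and is not part of this dissertation or of any SIEM product: it collects failed-login records from three differently formatted sources (an OpenSSH auth log, a vsftpd log and a Windows Security log exported as CSV, where event ID 4625 records a failed logon and 4624 a successful one), consolidates them into one normalised record, correlates failures per source address inside a five-minute window, and communicates an alert when either five failures or three distinct usernames are seen from one address. All log lines, addresses, usernames, the assumed syslog year and the thresholds are constructed for the illustration; the Control step (storage and retention) is not shown.

```python
"""Added example (not from the dissertation): collection, consolidation,
correlation and communication of failed logins from three log formats.
All log lines, addresses, usernames and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# --- Collection: constructed raw log lines from three sources ----------------
SSHD_LOG = """\
Mar  1 09:00:01 srv1 sshd[2201]: Failed password for invalid user admin from 192.168.1.50 port 40001 ssh2
Mar  1 09:00:03 srv1 sshd[2203]: Failed password for root from 192.168.1.50 port 40002 ssh2
Mar  1 09:00:04 srv1 sshd[2205]: Failed password for invalid user guest from 192.168.1.50 port 40003 ssh2
Mar  1 09:15:00 srv1 sshd[2299]: Failed password for pdempster from 192.168.1.20 port 50123 ssh2
"""
VSFTPD_LOG = """\
Sun Mar  1 09:00:05 2015 [pid 3001] [administrator] FAIL LOGIN: Client "192.168.1.50"
Sun Mar  1 09:00:06 2015 [pid 3002] [anonymous] FAIL LOGIN: Client "192.168.1.50"
"""
# Windows Security log exported as CSV (time, EventID, account, source address);
# EventID 4625 is 'An account failed to log on', 4624 is a successful logon.
WIN_CSV = """\
2015-03-01 09:00:07,4625,Administrator,192.168.1.50
2015-03-01 09:00:08,4625,Guest,192.168.1.50
2015-03-01 09:00:09,4624,pdempster,192.168.1.20
"""
SYSLOG_YEAR = 2015  # syslog lines carry no year; assumed for the constructed data

SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
VSFTPD_RE = re.compile(r'^\w{3} (\w{3}\s+\d+ \d\d:\d\d:\d\d) (\d{4}) \[pid \d+\] '
                       r'\[(\S+)\] FAIL LOGIN: Client "([^"]+)"')


def event(ts, src_ip, user, service, outcome):
    """One normalised record: the same fields whatever the source format."""
    return {"ts": ts, "src_ip": src_ip, "user": user.lower(),
            "service": service, "outcome": outcome}


# --- Consolidation: parse each format into normalised records ----------------
def normalise(raw, source):
    records = []
    for line in raw.splitlines():
        if source == "sshd":
            m = SSHD_RE.match(line)
            if m:
                ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
                records.append(event(ts, m.group(3), m.group(2), "ssh", "failure"))
        elif source == "vsftpd":
            m = VSFTPD_RE.match(line)
            if m:
                ts = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%Y %b %d %H:%M:%S")
                records.append(event(ts, m.group(4), m.group(3), "ftp", "failure"))
        elif source == "windows":
            ts_text, event_id, user, src_ip = line.split(",")
            ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
            outcome = "failure" if event_id == "4625" else "success"
            records.append(event(ts, src_ip, user, "windows", outcome))
    return records


# --- Communication: the alert handed to the analyst ---------------------------
def alert_for(src_ip, span):
    return {"rule": "brute-force-dictionary", "src_ip": src_ip,
            "failures": len(span),
            "users": sorted({e["user"] for e in span}),
            "services": sorted({e["service"] for e in span}),
            "first": span[0]["ts"].isoformat(), "last": span[-1]["ts"].isoformat()}


# --- Correlation: link failures from one address across all services ---------
def correlate(records, window=timedelta(minutes=5), max_failures=5, max_users=3):
    failures = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["outcome"] == "failure":
            failures[r["src_ip"]].append(r)
    alerts = []
    for src_ip, evs in failures.items():
        left = 0
        for right in range(len(evs)):
            while evs[right]["ts"] - evs[left]["ts"] > window:  # slide the window
                left += 1
            span = evs[left:right + 1]
            if len(span) >= max_failures or len({e["user"] for e in span}) >= max_users:
                # report everything this address did within `window` of the trigger
                end = evs[left]["ts"] + window
                alerts.append(alert_for(src_ip, [e for e in evs[left:] if e["ts"] <= end]))
                break  # one alert per address
    return alerts


def run_pipeline():
    records = (normalise(SSHD_LOG, "sshd") + normalise(VSFTPD_LOG, "vsftpd")
               + normalise(WIN_CSV, "windows"))
    return correlate(records)


if __name__ == "__main__":
    for a in run_pipeline():
        print(a)
```

On the constructed data, 192.168.1.50 trips the distinct-username rule on its third SSH failure and the alert then reports all seven failures from that address across ssh, ftp and windows; the single mistyped password from 192.168.1.20 and its successful Windows logon produce no alert. The normalisation step is what makes the cross-service count possible: without a common record, each log would have to be thresholded on its own, and an attacker spreading attempts across FTP, Telnet, HTTP and SSH would stay under every individual threshold.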
2.6 Conclusion

The aim of this chapter was initially to provide some background research on cyber adversaries, the motivation behind cyber attacks and the different classes of attack being faced by organisations, since according to the National Security Agency (2014), in order for organisations to successfully defend against attacks, it is imperative that possible adversaries and their motivations are identified, as well as the types of attack that may be carried out against them. Section 2.4 examined how a Defence in Depth approach provides organisations with a means of defending against cyber threats, and that although, according to Andress & Winterfield (2014), it is not viable for organisations to presume to create a situation where their defences are in fact impassable, by employing numerous security strategies it should be possible to hamper attackers' efforts for long enough to be able to detect their actions or even deter them altogether. Finally, Section 2.5 provided a review of defence mechanisms (Intrusion Detection Systems, Big Data Analytics and SIEM), where it was shown that although the traditional security measures of Intrusion Detection Systems and Intrusion Prevention Systems are inadequate when it comes to detecting and preventing Advanced Persistent Threats, due to the 'low and slow' modus operandi of these attacks, Big Data Analytics, with the ability to collect and analyse data over a long period of time, offers a solution to this problem.

Further research showed that, according to Gartner (2014), in order to achieve across-the-board protection 'an adaptive protection process integrating predictive, preventative, detective and response capabilities' was necessary, and that a shift in thinking was required, moving from 'incident response' to 'continuous response', 'wherein systems are assumed to be compromised and require continuous monitoring and remediation'. It is therefore concluded that in order to prevent, detect and predict today's more complex attacks, a security strategy which incorporates Firewalls, Intrusion Detection Systems and SIEM, with the ability to analyse large data sets, is required. The overall aim of this dissertation is to determine whether, by using a SIEM architecture, it is possible to detect and block scanning/information gathering attacks and brute force dictionary attacks prior to sensitive information being stolen or any damage being caused to the system. Based on the conclusion reached in the Literature Review, and in order to meet this aim, it is apparent that the network architecture that is to be created should incorporate the following three elements: a Firewall, an Intrusion Detection System and SIEM software.
3 Design

3.1 Introduction

The aim of this dissertation is to determine whether, by analysing and filtering log data from a variety of sources (Security logs, System logs, Server logs and Snort logs) and looking for specific patterns in the data, it is possible using a SIEM architecture to detect scanning/information gathering attacks and FTP, Telnet and HTTP brute force dictionary attacks, and whether, by identifying said patterns, it is therefore possible to block these attacks prior to sensitive information being stolen or any damage being caused to the system. According to Gartner (2014), in order to achieve across-the-board protection, ‘an adaptive protection process integrating predictive, preventative, detective and response capabilities’ was necessary and a shift in thinking was required, moving from ‘incident response’ to ‘continuous response’, ‘wherein systems are assumed to be compromised and require continuous monitoring and remediation’. Gartner (Orans, 2014) concluded that in order for companies to successfully defend against targeted attacks, organisations’ defences must incorporate firewalls, IDS/IPS and SIEM. This is therefore the approach that has been taken when designing the prototype network architecture for this project. Section 3.2 gives an outline of the design methodology used. Section 3.3 presents an overview of the threats that will be simulated, further information about which can be found in the Literature Review. Section 3.4 outlines the design of the network architecture that will be created, looks at the various options that were considered in order to create the best prototype testing environment and gives a brief summary as to why various design choices were made. In addition, a diagram providing an overview of the design is included. Section 3.5 provides details of the attack tools that are necessary to carry out the attacks.
Section 3.6 looks at Intrusion Detection Systems and SIEM software and provides details of the various logs that will be monitored and the fields of interest for creating the rules to filter the data and detect the attack. Section 3.7 defines the evaluation metrics and finally, Section 3.8 affords a conclusion to this chapter.

3.2 Design Methodology

In order to design and create the required prototype SIEM architecture, a Top Down Design methodology will be used. This approach is used throughout computing and in many other fields as well. This process of breaking larger, complicated problems down into smaller, easier-to-solve ones is known as Top Down Design for the obvious reason that the designer starts at the top, with the problem as a whole, and works downwards (Pelchat, 2004). One other advantage of this methodical approach is that it also provides a structure for the solution. In structured analysis, structure charts are often used to specify the high-level design, or architecture, of a computer program or network. As a design tool, structure charts assist the designer in dividing and conquering a sizeable problem, that is, recursively breaking a problem down into parts that are small enough and simple enough to be understood (Yourdon & Constantine, 1979). Figure 10 shows a Structure Chart that has been created to show all the components required to create the prototype framework.
Figure 10: Structure Chart
3.3 Threats – An Overview

3.3.1 Scanning/Information Gathering Attack – Portscan

Attacks on networks are generally approached in several stages. During the first stage, an attacker may try to probe or scan a network looking to find a vulnerability or point of entry to the system. Valuable information can be gained from scanning/information gathering attacks, such as the network topology, the kind of traffic permitted through the firewall, which hosts are active on the network, which services are running and details of the operating system being used. Further information about this type of attack can be found in Section 2.3.1 of the Literature Review. In the case of this project, a portscan will be carried out using Nmap, in order to determine which ports are open and which services are running on the victim machine.

3.3.2 Brute Force Dictionary Attacks

In order for an attacker to gain entry to a system, access to a valid user name and password must first be acquired. This can be achieved in one of two ways: either by carrying out a brute force attack, which uses random combinations of all characters and can be very time consuming, or a dictionary attack, which is a variation of a brute force attack but which uses lists of commonly known user names and passwords (Whitman & Mattord, 2012), (Czagan, 2013). Further information about this type of attack can be found in Section 2.3.1 of the Literature Review. In this instance, a dictionary attack will be carried out using Hydra against the FTP, Telnet and HTTP protocols on the victim server.

3.4 Requirements Analysis

In order to carry out the aforementioned experiments, a network architecture will be created in a cloud environment using different virtual machines. The victim server will have many open services running on it, including FTP, Telnet and HTTP, and will be located in the DMZ.
The attacking machine will be located in the Private Network. Both machines will be configured on different VLANs. In order to provide routing between the two machines and a firewall, a virtual router will also be implemented. The attack tools required to carry out the information gathering/probing attack and the brute force dictionary attacks will be installed on the attacking machine. In order to detect the various threats, SIEM software will be installed on the victim server for the purposes of real-time monitoring of various logs. An Intrusion Detection System will also be installed on the victim server. Various tools, packages and operating systems have been investigated and the most appropriate choices for the design have now been selected. Figure 11 provides an overview of the design and the steps that will be followed in order to carry out the various experiments.
Figure 11: Design Overview

Various operating systems were considered for the victim server prior to the final selection being made; however, as the majority of the logs that Splunk has the ability to monitor are Windows logs, such as Performance logs and Event Logs, it was decided that a Windows Server would be the best option for the prototype implementation. Windows Server 2003 was selected initially as the victim machine in the network architecture as it has many open services; however, when attempting to download the SIEM software, it transpired that the 2003 Server was not of an adequate specification for it to be installed. Therefore, for the purposes of these experiments, Windows Server 2008 is deemed to be the most appropriate choice. Again, different options were investigated in relation to the selection of the attacking machine, including Metasploit and Kali Linux. Metasploit is open source penetration testing software that is employed for the purposes of verifying vulnerabilities and managing security assessments (Metasploit, 2015). Kali Linux is an open source Linux distribution that is designed for digital forensics, advanced penetration testing and security auditing and is preinstalled with numerous penetration testing tools (Offensive Security, 2013). These tools are divided into various categories, such as Information Gathering, which includes tools like Nmap, and Password Attacks, which includes tools for online attacks like Hydra and Hydra GTK. These tools make it an appropriate choice for the attacking host in the network architecture.
In order to provide routing between the virtual machines and to provide a firewall for the prototype implementation, different options were again considered. Vyatta is a virtual router which provides advanced routing and security functionality for physical, virtual, and cloud networking environments (Brocade, 2015). pfSense is an open source Firewall/Router distribution which includes a web interface, giving users the option to configure it either through the command line or the GUI (pfSense, 2015). With both options, filtering can be implemented using a variety of parameters such as source and destination IP address, IP protocol and source and destination port (pfSense, 2015), (Brocade, 2015). As pfSense also provides the option to log traffic, it has been decided that for the purposes of the dissertation, it would be the most appropriate product to implement. Following on from the above research, a design of the basic architecture required to facilitate the various experiments has been created, as can be seen in Figure 12.

Figure 12: Network Architecture – Design (DMZ, Private Network and Public Network; Kali and Windows Server 2008 hosts on VLANs 205, 206 and 200; router interfaces eth0, eth1 and eth2)

3.5 Attack Tools

3.5.1 Nmap

According to Bace & Mell (2001), many different tools can be used for the purpose of scanning and information gathering, such as network mappers, port mappers, network scanners, port scanners or vulnerability scanners, to gain valuable information about a network. Nmap, a well-known and popular network mapper, is a free and open source utility used by millions of people ranging from novices to highly skilled hackers. Nmap can be used by attackers during the reconnaissance phase of an attack to quickly scan a range of devices in order to gain valuable information about the network and identify any potential vulnerabilities or possible points of entry to the system (Lyon, 2009).
Nmap can perform a variety of scans; however, for the purposes of this dissertation a port scan will be carried out in order to identify which ports are open and which services are running on the victim machine. Further information about Nmap can be found in Section 2.3.1 of the Literature Review.
3.5.2 Hydra

Hydra is an extremely fast logon cracker that can be used to attack many different protocols, including FTP, Telnet and HTTP, and is therefore the tool of choice for carrying out the dictionary attack. Further information about Hydra can be found in Section 2.3.1 of the Literature Review. Both Hydra and Hydra GTK are installed on the Kali Linux virtual machine and although Hydra GTK has a GUI that requires limited input from the user, it has been decided that for the purposes of this dissertation, Hydra will be operated from the command line. In order to carry out the dictionary attack, a file containing various common usernames will be created, as well as a password file containing the top most commonly used passwords.

3.6 Detection Methods – An Overview

3.6.1 Intrusion Detection Systems (IDS)

‘Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of intrusions’ (Scarfone & Mell, 2007). In order to detect the various threats that will be simulated as part of this project, one of the tools that will be used is Snort. Snort is an open source IDS/IPS that is capable of real-time traffic analysis; any suspicious activity detected by Snort is logged in an alerts file. Martin Roesch (1999) refers to Snort as a “lightweight network intrusion detection tool” suited to monitoring smaller scale networks. Snort is based on a set of rules that use pattern matching (signature based detection) and comes preconfigured with a set of built-in pre-processor rules that will detect many forms of attack; however, it is also relatively easy to create new rules in order to be able to adapt to new forms of attack. A combination of specifically created rules and pre-processor rules will be implemented in order to detect the various threats.
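As an added example (not part of the dissertation, and not the Snort or Splunk rules it describes), the following Python applies the detection logic implied by the FTP log fields in Table 1 to constructed FTP log lines in W3C extended format: the #Fields header is parsed to locate the columns, a run of response code 530 (failed login) from one client IP within a short window is flagged as a brute force dictionary attack, and a subsequent 230 (successful login) from that same IP is flagged as a probable compromise. The log content, IP addresses, threshold and window are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in W3C extended log format (not a real server log).
# The #Fields directive is parsed, so the column order is taken from the log
# itself rather than being hard-coded.
SAMPLE_FTP_LOG = """\
#Software: constructed sample
#Fields: date time c-ip cs-username cs-method sc-status
2015-04-01 10:00:01 10.0.206.5 admin PASS 530
2015-04-01 10:00:02 10.0.206.5 admin PASS 530
2015-04-01 10:00:03 10.0.206.5 admin PASS 530
2015-04-01 10:00:04 10.0.206.5 admin PASS 530
2015-04-01 10:00:05 10.0.206.5 admin PASS 530
2015-04-01 10:00:06 10.0.206.5 admin PASS 230
2015-04-01 10:05:00 10.0.205.9 alice PASS 530
2015-04-01 10:05:30 10.0.205.9 alice PASS 230
"""


def parse_w3c(text):
    """Yield one dict per log record, named by the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def detect_ftp_bruteforce(text, threshold=5, window_seconds=60):
    """Return a list of (c-ip, kind) alerts.

    kind is 'bruteforce' once `threshold` 530 responses arrive from one
    source IP within `window_seconds`, and 'compromise' when a 230 response
    later arrives from a source that has already been flagged.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # c-ip -> timestamps of recent 530s
    flagged = set()
    alerts = []
    for rec in parse_w3c(text):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip, status = rec["c-ip"], rec["sc-status"]
        if status == "530":
            recent = failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # expire old failures
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce"))
        elif status == "230" and ip in flagged:
            alerts.append((ip, "compromise"))
    return alerts
```

The same sliding-window count applies to the Security log Audit Failure entries and the Snort "Bad login" alerts listed in Table 1; only the parser changes.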
3.6.2 SIEM

There are various SIEM products available on the market from different vendors, such as Hewlett Packard who offer ArcSight, IBM who offer Q1 Labs, AlienVault and Splunk, all of which differ slightly; however, the basic functions are the same (Karlzen, 2009). However, as it is possible to get an academic licence for Splunk and it has the capacity to monitor a large variety of sources in real time, as can be seen from the following list of options, it is the chosen SIEM for this dissertation:

• Local Event Logs – this option provides the ability to monitor Windows Event Logs such as Application, Security, Setup and System
• Remote Event Logs – allows for the collection of event logs from remote hosts
• Files and Directories – ability to continuously monitor local files or entire directories, such as IDS logs or FTP and HTTP logs
• TCP/UDP – this option provides the ability to listen on any TCP or UDP port to capture data sent over the network, such as Syslog
• Local Performance Monitoring – ability to monitor Windows performance counters such as CPU, Memory, Threads, FTP Service and HTTP Service
• Remote Performance Monitoring – gives the ability to collect performance metrics on remote Windows machines
• Registry Monitoring – gives the ability to capture Windows Registry settings and monitor the changes
• Active Directory – ability to watch for changes to the Active Directory and to collect user and machine metadata, such as user additions, host changes and logins
• Local Windows host monitoring – gives the ability to collect up-to-date hardware and software (computer, operating system, processor, etc.) information about the local machine
• Local Windows Network Monitoring – capture statistics about network activity
• Local Windows Print Monitoring – gives the ability to capture information about printers, drivers, print jobs, and so on.

In order to see whether it is possible to detect the portscan and the brute force dictionary attacks using a SIEM architecture, the following logs and fields were identified as being of interest for the creation of the Splunk rules (Table 1).

| Server/IDS Logs | Fields of interest |
| --- | --- |
| Security Log | Audit Failure, Audit Success |
| System Log | Logon failure |
| FTP Log | IP address; Response code 530 – failed login attempt; Response code 230 – successful login |
| Web Log (W3SVC1) | POST |
| Snort Logs | IP address; Port 21, Port 23, Port 80; Good login, Bad login |

Table 1: Server/IDS logs and fields of interest for creating Splunk rules

3.7 Evaluation Metrics

As was ascertained by the literature review, in order for companies to successfully defend against targeted attacks, organisations’ defences must incorporate firewalls, IDS/IPS and SIEM (Orans, 2014). So as to determine the efficacy of a SIEM architecture for the purpose of detecting and mitigating brute force dictionary attacks, two different experiments will be performed.

3.7.1 Brute Force Dictionary Attack – Rapid Speed

The first experiment will see the brute force dictionary attacks being carried out at a rapid speed.
Hydra, which is already installed on the Kali Linux virtual machine, will be used to carry out the brute force attacks. In order to detect the attacks, Snort and Splunk will be installed on the Windows Server 2008 virtual machine. Splunk will be configured to actively monitor Security logs, System logs, FTP logs, HTTP logs, FTP Service logs, HTTP Service logs and Snort logs. Snort will be run for the duration of the attacks using various rules that will be created to detect both failed and successful login attempts to the FTP, Telnet and