A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
- Provide a free hunting platform to the community and share the basics of Threat Hunting.
- Make sense of a large amount of event logs and add more context to suspicious events during hunting.
- Expedite the time it takes to deploy an ELK stack.
- Improve the testing of hunting use cases in an easier and more affordable way.
- Enable Data Science via Apache Spark, GraphFrames & Jupyter Notebooks.
HELK is an ELK (Elasticsearch, Logstash & Kibana) stack with advanced hunting analytic capabilities provided by the integration of Spark & GraphFrames. The Hunting ELK, or simply the HELK, is one of the first public builds that adds data science features to an ELK stack for free. In addition, it comes with a Jupyter Notebook integration for prototyping Big Data/Machine Learning use cases via the PySpark API. This stack provides a full-text search engine combined with rich visualizations, graph relational queries and advanced analytics.
Nowadays, enabling the right event logging and centralizing the collection of different data sources is finally becoming a basic security standard. This allows organizations not just to increase their level of visibility from an endpoint and network perspective, but to adopt new concepts within their security teams such as threat hunting. Even though it might seem that collecting a lot of data is all a hunt team needs to be successful, hunters face several challenges when working with large, unstructured and sometimes incomplete data. One of these challenges is making sense of the disparate data sources in an easy and consistent way when trying to effectively detect adversarial techniques.
ELK stacks have already been widely adopted by small and large organizations for data ingestion, storage and visualization. Therefore, using an ELK stack as the main structure with Spark and GraphFrames on top of it allows hunt teams to take their hunting skills and program to the next level. This approach is affordable, scalable, and can be used during research or any other engagement where blue and red teams meet.
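To make the "graph relational query" idea above concrete, here is an added example that is not HELK's own code and uses neither Spark nor GraphFrames: it normalises process-creation events from two differently structured Windows sources (Sysmon EventID 1 and Security EventID 4688) into one schema, links them into a parent/child process graph keyed on host and PID, and walks that graph to add lineage context to each event. The hunting query it runs, a command interpreter with a document application somewhere in its ancestry, is one HELK would express over its Elasticsearch data with a GraphFrames motif; the plain-Python form here is an assumption made so the example runs stand-alone. All event records, hostnames and PIDs are constructed for the illustration.

```python
"""Normalise two disparate Windows process-creation sources into one schema,
build a parent/child graph and run a lineage query over it.

Added example, not part of HELK. All events below are constructed sample data.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Tuple

Key = Tuple[str, int]  # (hostname, pid) identifies a process within a log set


@dataclass(frozen=True)
class Proc:
    host: str
    pid: int
    ppid: int
    image: str
    user: str
    source: str  # which log the event came from, kept for context

    @property
    def key(self) -> Key:
        return (self.host, self.pid)

    @property
    def parent_key(self) -> Key:
        return (self.host, self.ppid)

    @property
    def name(self) -> str:
        # Normalise "C:\...\WINWORD.EXE" and "...\cmd.exe" to comparable names
        return ntpath.basename(self.image).lower()


def from_sysmon(e: dict) -> Proc:
    # Sysmon EventID 1 uses decimal PIDs and Image / ParentProcessId fields
    return Proc(e["Computer"], int(e["ProcessId"]), int(e["ParentProcessId"]),
                e["Image"], e["User"], "sysmon")


def from_security(e: dict) -> Proc:
    # Security EventID 4688 uses hex PIDs and NewProcessId / NewProcessName
    return Proc(e["Computer"], int(e["NewProcessId"], 16), int(e["ProcessId"], 16),
                e["NewProcessName"], e["SubjectUserName"], "security")


def normalise(events: List[dict]) -> Dict[Key, Proc]:
    """Map every process-creation event, whatever its source, to one Proc record."""
    nodes: Dict[Key, Proc] = {}
    for e in events:
        if e["EventID"] == 1:
            p = from_sysmon(e)
        elif e["EventID"] == 4688:
            p = from_security(e)
        else:
            continue  # not a process-creation event (e.g. network connect); skip
        nodes[p.key] = p  # a reused PID on the same host overwrites the older record
    return nodes


def ancestry(nodes: Dict[Key, Proc], key: Key, limit: int = 32) -> List[Proc]:
    """Walk parent edges from a process to its oldest known ancestor (child first).

    The 'seen' set and 'limit' guard against cycles caused by PID reuse.
    """
    chain: List[Proc] = []
    seen = set()
    while key in nodes and key not in seen and len(chain) < limit:
        seen.add(key)
        p = nodes[key]
        chain.append(p)
        key = p.parent_key
    return chain


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def office_spawns_shell(nodes: Dict[Key, Proc]) -> List[List[str]]:
    """Lineage query: any shell whose ancestors include a document application.

    Returns each matching chain as image names ordered oldest ancestor first.
    """
    hits = []
    for key, p in nodes.items():
        if p.name not in SHELLS:
            continue
        chain = ancestry(nodes, key)
        if any(a.name in OFFICE_APPS for a in chain[1:]):
            hits.append([a.name for a in reversed(chain)])
    return sorted(hits)


# Constructed sample events: two hosts, two log sources, one suspicious chain on WS01
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "ProcessId": "100", "ParentProcessId": "4",
     "Image": r"C:\Windows\explorer.exe", "User": r"CORP\alice"},
    {"EventID": 4688, "Computer": "WS01", "NewProcessId": "0xc8", "ProcessId": "0x64",
     "NewProcessName": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "SubjectUserName": "alice"},
    {"EventID": 1, "Computer": "WS01", "ProcessId": "300", "ParentProcessId": "200",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\alice"},
    {"EventID": 4688, "Computer": "WS01", "NewProcessId": "0x190", "ProcessId": "0x12c",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "SubjectUserName": "alice"},
    {"EventID": 1, "Computer": "WS02", "ProcessId": "500", "ParentProcessId": "4",
     "Image": r"C:\Windows\explorer.exe", "User": r"CORP\bob"},
    {"EventID": 1, "Computer": "WS02", "ProcessId": "600", "ParentProcessId": "500",
     "Image": r"C:\Windows\System32\cmd.exe", "User": r"CORP\bob"},
    {"EventID": 3, "Computer": "WS02", "SourceIp": "10.0.0.5"},  # network event, ignored
]

if __name__ == "__main__":
    graph = normalise(SAMPLE_EVENTS)
    for chain in office_spawns_shell(graph):
        print(" -> ".join(chain))
```

The query flags only the WS01 chain (explorer.exe -> winword.exe -> cmd.exe, and the PowerShell child beneath it); the cmd.exe on WS02 has no document application among its ancestors and is left alone. The point of the normalisation step is that the lineage walk never has to know which log a record came from, which is exactly the consistency the paragraph above asks for.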
APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it had been compromised. The focus of this tool is to simulate adversary activity, not malware. The aim of the engagement from the point of view of the tester (or “red team”) is to gain access to sensitive information without being detected. APT testing assesses a company’s intelligence protection, intrusion detection capability and incident response capability, as well as testing the external infrastructure defences.
HELK and APT Simulator can be used together. The core principles of blue-team work and detection quality are built into both projects.