
Threat hunting with Graylog

Introduction

Graylog is a widely used centralized log management platform that lets security teams collect, store and search large volumes of log data; fast searching over that data is one of its strengths. In this article we walk through a hypothetical threat-hunting scenario to show how Graylog can be used to analyze the data it has collected.

Overview

We set up Graylog, Elasticsearch (which Graylog uses to index and search messages) and MongoDB (which stores its configuration) on an Ubuntu 18.04 virtual machine. We won’t cover the initial set-up here; if that is of interest, the procedure can be found here.

In our scenario, a rogue internal employee attacks one of our production servers, brute-forcing its SSH and FTP services to gain unauthorized access. Using this premise, we’ll discuss how Graylog stores and displays the logs and which features of the open-source edition we can use during analysis.

Attack scenario

We recently discovered a breach attempt on one of our company’s production servers. Unbeknownst to the attackers, our Graylog instance was installed on that same server, which let us watch their attempts at unauthorized access as they happened. The attackers were found to have run numerous brute-force attacks against the FTP and SSH services on the server and had eventually gained access to it. We had previously configured rsyslog on the server to forward its syslog messages to Graylog. (A caveat for real deployments: logs should be shipped to a separate collector rather than kept on the monitored host, because once an attacker has root on that host, anything stored locally, including Graylog’s own Elasticsearch and MongoDB data, can be altered or deleted.)

Below is an analysis of how we discovered this using the Graylog open-source log management solution.

The Analysis

When we logged into our production server and opened the Graylog web interface, we noticed that new messages had arrived and decided to take a look at them. We did this by clicking “Show received messages” in the web interface, as shown in the screenshot below:

We discovered multiple attempts at bypassing our FTP and SSH logins. According to the logs, the attacker was based (Read more...)
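To make the hunt concrete, here is an added example that is not part of the original post and not Graylog’s own code: a small offline replica of the analysis, parsing the kind of sshd and vsftpd syslog lines rsyslog forwards to Graylog and flagging brute-force bursts and logins that succeed right after them. The log lines, host name (prod-web), IPs, PIDs, timestamps and the log year are all constructed for the example; the search string returned by graylog_query is the equivalent Graylog (Lucene-style) query one would type into the web interface to pull the same raw messages.

```python
"""
Added example (not from the original post): an offline replica of the
brute-force hunt described above. The sample lines are constructed to look
like what rsyslog forwards from an Ubuntu host (sshd and vsftpd auth events);
host names, IPs, PIDs, timestamps and the year are hypothetical.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2020  # assumption: classic syslog timestamps carry no year

# Constructed sample input; not real logs.
SAMPLE_LOGS = """\
Mar  3 10:14:01 prod-web sshd[2214]: Failed password for invalid user admin from 10.0.8.77 port 51234 ssh2
Mar  3 10:14:03 prod-web sshd[2216]: Failed password for invalid user admin from 10.0.8.77 port 51236 ssh2
Mar  3 10:14:05 prod-web sshd[2219]: Failed password for root from 10.0.8.77 port 51240 ssh2
Mar  3 10:14:07 prod-web sshd[2221]: Failed password for root from 10.0.8.77 port 51242 ssh2
Mar  3 10:14:09 prod-web sshd[2223]: Failed password for root from 10.0.8.77 port 51244 ssh2
Mar  3 10:14:12 prod-web sshd[2225]: Accepted password for root from 10.0.8.77 port 51250 ssh2
Mar  3 10:15:30 prod-web vsftpd[2301]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=10.0.8.77 user=ftp
Mar  3 10:15:31 prod-web vsftpd[2301]: [ftp] FAIL LOGIN: Client "10.0.8.77"
Mar  3 10:15:33 prod-web vsftpd[2303]: [ftp] FAIL LOGIN: Client "10.0.8.77"
Mar  3 10:15:40 prod-web vsftpd[2305]: [ftp] OK LOGIN: Client "10.0.8.77"
Mar  3 10:20:00 prod-web sshd[2400]: Accepted publickey for deploy from 10.0.2.15 port 40001 ssh2
Mar  3 10:21:00 prod-web sshd[2402]: Failed password for deploy from 10.0.2.15 port 40003 ssh2
"""

# Classic syslog header: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

# (service, is_success, pattern) for the auth outcomes the hunt cares about.
AUTH_PATTERNS = [
    ("ssh", False, re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("ssh", True,  re.compile(r"^Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")),
    ("ftp", False, re.compile(r'^\[(?P<user>[^\]]*)\] FAIL LOGIN: Client "(?P<ip>[^"]+)"')),
    ("ftp", True,  re.compile(r'^\[(?P<user>[^\]]*)\] OK LOGIN: Client "(?P<ip>[^"]+)"')),
]


def parse_auth_events(text):
    """Turn raw syslog lines into auth events; lines that are not an auth outcome are skipped."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for service, success, pat in AUTH_PATTERNS:
            a = pat.match(m["msg"])
            if a:
                stamp = " ".join(m["ts"].split())  # collapse the padded day ("Mar  3")
                ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
                events.append({"ts": ts, "host": m["host"], "service": service,
                               "user": a["user"], "ip": a["ip"], "success": success})
                break
    return events


def hunt(events, threshold=3, window=timedelta(minutes=5)):
    """Sliding-window count of failures per (service, source IP).

    Emits a 'bruteforce' finding the first time failures inside the window reach
    the threshold, and a 'success_after_failures' finding when a login succeeds
    while failures from the same source are still inside the window. Failures
    that only come after a success (the deploy user above) produce nothing.
    """
    recent = defaultdict(deque)   # (service, ip) -> timestamps of recent failures
    flagged = set()
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["service"], ev["ip"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:
            q.popleft()               # drop failures that fell out of the window
        if ev["success"]:
            if q:
                findings.append({"kind": "success_after_failures", "service": ev["service"],
                                 "ip": ev["ip"], "user": ev["user"], "failures": len(q), "at": ev["ts"]})
        else:
            q.append(ev["ts"])
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                findings.append({"kind": "bruteforce", "service": ev["service"],
                                 "ip": ev["ip"], "user": ev["user"], "failures": len(q), "at": ev["ts"]})
    return findings


def graylog_query(host):
    """Equivalent Graylog search (Lucene-style syntax) for the same raw messages from one host."""
    return (f'source:{host} AND (message:"Failed password" OR message:"Accepted" '
            f'OR message:"FAIL LOGIN" OR message:"OK LOGIN")')


if __name__ == "__main__":
    for f in hunt(parse_auth_events(SAMPLE_LOGS)):
        print(f"{f['at']:%H:%M:%S} {f['kind']:<23} {f['service']} {f['ip']} "
              f"user={f['user']} failures={f['failures']}")
    print(graylog_query("prod-web"))
```

On the sample, the SSH burst from 10.0.8.77 is flagged at the third failure and again when root logs in after five failures; the FTP side stays under the default threshold but the OK LOGIN after two failures from the same source is still surfaced, which is the pattern worth chasing first. In Graylog the same reasoning maps onto a search over the source field plus a count per source IP in the time range.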

This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Lester Obbayi. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Sm29SVGafbU/