LTW-GCR-CSOC / csoc-installation-scripts

GCR - Cybersecurity Operations Center Project
GNU General Public License v3.0

Global Cybersecurity Resource

Carleton University - GCR Cybersecurity Operations Center Project

Description

The GCR - CSOC (Cybersecurity Operations Center) initiative seeks to provide small to medium-sized enterprises with openly available cybersecurity resources, so that they can manage their own security or offer cybersecurity services to others as part of their business.

The development of this project is primarily divided into three focus areas: i) developing open source software to complement CSOC services; ii) developing CSOC operation guides and templates as a means to manage security; iii) creating CSOC "Pathway Training" material for online learning.

i) Open Source Software Development:
Open source software development activities for this project seek to configure, integrate and enhance existing open source projects (such as Dionaea, Cowrie, OSSEC, OpenVAS and others) so that they report to a central alert collector (such as Apache Metron). The central alert collector is used for alert aggregation and analytics. Development also includes the creation of "GCR Canary" honeypots, which can be deployed either physically or virtually. As the GCR Canary project evolves it will include the various sensors mentioned above. The GCR Canary honeypot can be used for intrusion detection in SME environments.

ii) CSOC Operation Guide Creation:
The creation of the GCR CSOC Playbook will include guidance and templates for managing cybersecurity in an organization.

iii) CSOC Pathway Training Material:
Online training resources seek to improve the adoption of proper cybersecurity hygiene within an organization.

Plans

This project is being rolled out over three phases. We are currently focused on Phase 1.

Screenshots

The following screenshots (from left to right) are of Apache Metron (used for central alert collection), the terminal output of a GCR Canary honeypot, and a screen capture of the GCR CSOC Playbook.
[Screenshot: Global Cybersecurity Resource - Collage of screenshots]

The following screenshot shows a customized dashboard in Apache Metron that presents alert information from a GCR Canary honeypot.
[Screenshot: Metron Analytics UI - GCRDionaea]

A GCR Canary honeypot was configured to send Dionaea-type alerts to the Apache Metron central server. The Metron Management UI was used to define how the alert should be parsed.
[Screenshot: Metron Management UI - GCRDionaea]

On the alert collection server, Apache NiFi was used to channel syslog alert information to a Kafka broker for further processing by Apache Metron.
[Screenshot: NiFi UI - GCRDionaea]

Installation

GCR Canary

The installation procedure below was tested on Ubuntu MATE 16.04 LTS running on a Raspberry Pi 3.

To fetch the GCR Canary installation scripts and make them executable, run the following on Ubuntu MATE:

cd ~ && \
sudo apt-get -y install unzip && \
wget https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/archive/master.zip && \
unzip master.zip && \
cd csoc-installation-scripts-master/ && \
chmod +x *.sh 

Configuration

Configuration settings (such as disabling the install of OpenVAS, OSSEC, etc.) are in honeypots.sh. Within honeypots.sh change the INSTALL_* parameters as needed. The following is an example that enables Dionaea for install and disables Cowrie for install.

PREINSTALL_CLEANUP="yes"
INSTALL_RP="yes"
INSTALL_REFRESH="yes"
INSTALL_CLEANUP="no"
SETUP_SYSLOG="yes"
INSTALL_DIONAEA="yes"
INSTALL_COWRIE="no"

After the updates have been made, run honeypots.sh:

./honeypots.sh
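The two steps above (edit the INSTALL_* flags in honeypots.sh, then run it) are easy to get wrong by hand on a fleet of Canary devices: a misspelled value such as INSTALL_COWRIE="Yes" may silently leave a sensor uninstalled. The helper below is an added example written for this README, not code from the csoc-installation-scripts project. It assumes only what the excerpt above shows: that honeypots.sh stores each flag as a line of the form NAME="yes" or NAME="no". It rewrites a flag in place (appending it if missing), rejects any value other than yes or no, and lists the resulting flags so an operator can confirm which sensors will be installed before launching ./honeypots.sh.

```shell
#!/bin/sh
# Added example for this README (not part of the csoc-installation-scripts
# project): set the INSTALL_* / SETUP_* flags of honeypots.sh from the command
# line instead of editing the file by hand, and review them before running it.
# Assumption: honeypots.sh stores each flag as a line NAME="yes" or NAME="no",
# exactly as in the configuration excerpt above.

set -eu

# set_flag FILE NAME VALUE
# Rewrite the NAME="..." line in FILE, or append it if FILE has no such line.
# Only "yes" and "no" are accepted, so a typo cannot silently disable a sensor.
set_flag() {
    file=$1
    name=$2
    value=$3
    case "$value" in
        yes|no) ;;
        *)
            echo "set_flag: $name must be \"yes\" or \"no\", got \"$value\"" >&2
            return 1
            ;;
    esac
    if grep -q "^${name}=" "$file"; then
        # Portable in-place edit: write to a temp file, then replace the original.
        sed "s/^${name}=.*/${name}=\"${value}\"/" "$file" > "$file.tmp"
        mv "$file.tmp" "$file"
    else
        printf '%s="%s"\n' "$name" "$value" >> "$file"
    fi
}

# get_flag FILE NAME
# Print the value of NAME without quotes; prints nothing if the flag is unset.
get_flag() {
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# show_flags FILE
# List every PREINSTALL_*, INSTALL_* and SETUP_* flag so the operator can
# confirm which sensors will be installed before launching ./honeypots.sh.
show_flags() {
    grep -E '^(PREINSTALL|INSTALL|SETUP)_[A-Z]+=' "$1"
}

# demo: exercise the helpers on a constructed copy of the flag section, so
# nothing on the system is modified. Run with:  sh set_flags.sh --demo
demo() {
    tmp=$(mktemp)
    # Constructed sample that mirrors the excerpt in the README above.
    cat > "$tmp" <<'EOF'
PREINSTALL_CLEANUP="yes"
INSTALL_RP="yes"
INSTALL_REFRESH="yes"
INSTALL_CLEANUP="no"
SETUP_SYSLOG="yes"
INSTALL_DIONAEA="no"
INSTALL_COWRIE="yes"
EOF
    set_flag "$tmp" INSTALL_DIONAEA yes            # enable Dionaea
    set_flag "$tmp" INSTALL_COWRIE no              # disable Cowrie
    set_flag "$tmp" INSTALL_DIONAEALOGVIEWER yes   # absent in the sample: appended
    show_flags "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

To apply it to a real Canary, point the functions at the unpacked honeypots.sh (for example `set_flag ~/csoc-installation-scripts-master/honeypots.sh INSTALL_COWRIE no`), then run `show_flags` on the same file and compare the listing against the sensors you expect that device to carry before executing ./honeypots.sh.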

Dionaea Service within GCR Canary: The following provides guidance on the GROK formatted output which is intended for use with Apache Metron: GCRDionaea GROK Format

The Dionaea logs and sqlite3 database are stored in /opt/dionaea/var/dionaea within GCR Canary.

If INSTALL_DIONAEALOGVIEWER was set to "yes", the Dionaea logs can be viewed at http://0.0.0.0:8000

Cowrie Service within GCR Canary: If INSTALL_COWRIE and INSTALL_COWRIELOGVIEWER were set to "yes", the Cowrie logs can be viewed at http://0.0.0.0:5000

Alert Collection Server

This project uses Apache Metron to collect alerts from the distribution of GCR Canary honeypots. Below are links that can provide guidance to install Apache Metron.

Syslog configuration for GCR Canary alert ingest

The following syslog configuration files will need to be installed on the server: [syslog config files](https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForServer-notEnc)

Apache Metron configuration for GCR Canary alert ingest

To be provided - Instructions for ingesting GCR Canary alerts are under development. The screenshots above provide a preview of what alerts look like in Apache Metron.

How to test the software

To be provided - (Information on how to run automated tests on the software)

Known issues

See this repository's issue tracker.

GCR Canary Case

GCR is working with Made Mill at Bayview Yards to create a custom-designed case for the GCR Canary. The case is composed of PLA plastic and manufactured using 3D printing. More details are available in this repository.

Global Cybersecurity Resource - Canary Case

GCR CSOC Playbook

Operational documentation for use of the CSOC is provided here. The documentation includes: organization structure and roles, workflows and use cases, incident report templates, and shift report templates.

Getting help

If you have questions, concerns, bug reports, etc., please file an issue in this repository's issue tracker.

Getting involved

CONTRIBUTING


Open source licensing info

Some components in GCR Canary are licensed under GPL LICENSE.

Apache Metron is licensed under Apache v2.0 LICENSE.

Related open source projects

Related cloud services

Credits and references

Contributors