Welcome to the K8sStormCenter ThreatIntel repository. This repository is an integral part of the K8sStormCenter project, focusing specifically on the threat intelligence aspects and offering tools and guidance needed to analyze and identify juicy attacks on your honeyclusters. This repository complements the HoneyCluster repository, which provides the necessary tooling for deploying your own honeyclusters and baits.
The primary focus of this repository is to equip users with the tools and knowledge necessary for:
.
├── pattern_matcher
│   ├── Dockerfile
│   ├── src
│   │   └── patternmatcher
│   └── README.md
│
├── stix
│   ├── examples
│   └── README.md
│
├── neo4j
├── Makefile
└── README.md
The pattern_matcher directory provides a Python package, your toolkit for transforming logs (e.g. from a honey cluster) into STIX models and for interacting with the threat database. For detailed information, take a look at the pattern matcher README. The pattern matcher is responsible for:
The stix directory provides examples and resources to help users understand how to utilize STIX data structures for their own threat intelligence and attack detection needs:
Follow these detailed steps to deploy the necessary components on your honey cluster, create your attack model, upload it, and set up monitoring for your specific attack interests.
Steps 1-3 can be executed at once using:
make
Begin by deploying the Neo4j database, which will store and manage your threat data. This rule in the Makefile deploys Neo4j to your cluster using Helm:
make install-neo4j
Once the database is set up, deploy the pattern matcher container. It consumes the stream of logs produced by the honey cluster, looking for signs of the specific attacks you are monitoring (based on the Indicators uploaded to Neo4j, which is done in the next step). The following rule applies resources.yaml to your cluster:
make install-matcher
This action creates a Kubernetes pod that runs the k8sstormcenter/matcher container (have a look at the patternmatcher directory to see the pattern matcher's functionality and how to build your own matcher).
Now, focus on defining what you are detecting/defending against by creating your STIX attack models and indicators:
Create Your Attack Model and Indicators: Utilize the templates and guidelines found in the stix directory to construct a STIX model that represents the types of attacks your system should detect.
Upload Your Model, using either the default model path or one you specify via STIX_MODEL_PATH:
make insert-attack-models
make insert-attack-models STIX_MODEL_PATH=path/to/stix/attack/model.json
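As an added example (not code from this repository), the following builds a minimal STIX 2.1 attack model of the kind uploaded above: an attack-pattern, an indicator carrying a STIX pattern over process observables, and an "indicates" relationship linking them. Only the Python standard library is used; the exact object layout the pattern matcher expects is an assumption here, so compare against the examples in the stix directory before uploading.

```python
import json
import uuid
from datetime import datetime, timezone


def _stix_id(kind: str) -> str:
    # STIX 2.1 identifiers have the form "<type>--<UUIDv4>"
    return f"{kind}--{uuid.uuid4()}"


def build_attack_model(name: str, description: str, pattern: str) -> dict:
    """Return a STIX 2.1 bundle: indicator --indicates--> attack-pattern."""
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    attack = {
        "type": "attack-pattern", "spec_version": "2.1", "id": _stix_id("attack-pattern"),
        "created": now, "modified": now, "name": name, "description": description,
    }
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": _stix_id("indicator"),
        "created": now, "modified": now, "name": f"Indicator for {name}",
        "indicator_types": ["malicious-activity"],
        "pattern": pattern, "pattern_type": "stix", "pattern_version": "2.1",
        "valid_from": now,
    }
    rel = {
        "type": "relationship", "spec_version": "2.1", "id": _stix_id("relationship"),
        "created": now, "modified": now, "relationship_type": "indicates",
        "source_ref": indicator["id"], "target_ref": attack["id"],
    }
    return {"type": "bundle", "id": _stix_id("bundle"), "objects": [attack, indicator, rel]}


def check_bundle(bundle: dict) -> list:
    """Return a list of problems; an empty list means the bundle is internally consistent."""
    problems = []
    ids = {o["id"] for o in bundle.get("objects", [])}
    for obj in bundle.get("objects", []):
        if obj["type"] == "relationship":          # every ref must resolve inside the bundle
            for key in ("source_ref", "target_ref"):
                if obj[key] not in ids:
                    problems.append(f"{obj['id']}: dangling {key} {obj[key]}")
        if obj["type"] == "indicator" and obj.get("pattern_type") != "stix":
            problems.append(f"{obj['id']}: pattern_type must be 'stix'")
        if not obj["id"].startswith(obj["type"] + "--"):
            problems.append(f"{obj['id']}: id prefix does not match type")
    return problems


if __name__ == "__main__":
    # Constructed sample: flag an interactive shell spawned inside a honey cluster container
    model = build_attack_model("Interactive shell in honey cluster container",
                               "A shell process spawned inside a container of the honey cluster.",
                               "[process:name IN ('sh', 'bash', 'dash')]")
    assert not check_bundle(model)
    print(json.dumps(model, indent=2))   # save this output as model.json and upload it
```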
After setting up your models, you can either simulate an attack on the honey cluster or monitor for real attacks. To verify whether an attack has been detected, use the following command to port-forward the Neo4j database running on the cluster to your local machine:
make forward-neo4j
Once connected, navigate to localhost:7474 in your web browser to check the database entries and see if the matcher has detected any relevant attacks as defined by your models. With some luck you should be able to see lots of colorful detected balls.
Remove all created resources (from steps 1-3) from your cluster using:
make destroy