http://dx.doi.org/10.13089/JKIISC.2019.29.2.331

Cyber-Threat Detection of ICS Using Sysmon and ELK  

Kim, Yongjun (Department of Information and Communication Engineering, Ajou University)
Shon, Taeshik (Department of Cyber Security, Ajou University)
Abstract
Cyber threats against industrial control systems (ICS) are increasing worldwide, and research and cooperation on the problem are correspondingly active. Most of that effort, however, goes into physical network separation and perimeter hardening, while the inside of the control network remains exposed. Strengthening the border is the easiest and strongest single countermeasure, whereas internal security controls are hard to deploy because of the availability requirements of the systems they would run on. The problem is compounded by the large number of legacy systems still in service throughout ICS, which carry many known vulnerabilities. Unless such systems are rebuilt according to a security framework, they must be protected as they are, so this paper proposes and verifies a security solution that takes availability into account. Using Sysmon for host-level telemetry and the ELK stack (Elasticsearch, Logstash, Kibana) for collection and analysis, the solution can detect cyber threats that are otherwise difficult to detect in unstructured ICS environments.
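The abstract names the mechanism (Sysmon events shipped into ELK, with detection rules on top) but not the rules. The following is an added example, not code from the paper: it prototypes in Python the kind of whitelist-style rules that would normally live in a Logstash filter or a Kibana/ElastAlert query, and runs them over constructed Sysmon records. The record layout (winlog.event_id, winlog.event_data.*) is a flattened approximation of what Winlogbeat produces, the HMI baseline (allowed images, control subnet, allowed ports) is hypothetical, and the sample events are constructed for the example. The design point is that the rules are passive, run off-host, and rely on the fact that a legacy HMI executes a small fixed set of binaries, which is what makes a whitelist workable without touching the availability of the controlled process.

```python
"""Whitelist-style detection over Sysmon events in the shape ELK would ingest.

Added example (not the paper's code). Events are constructed JSON lines in a
flat layout loosely modelled on Winlogbeat's winlog.event_id / winlog.event_data
naming; the baseline below is a hypothetical HMI-workstation profile.
"""
import ipaddress
import json

# Hypothetical baseline for one HMI workstation. Legacy ICS hosts run a small,
# stable set of executables, which is what makes a whitelist practical here.
ALLOWED_IMAGES = {
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\explorer.exe",
    r"C:\ICS\HMI\hmi_runtime.exe",     # hypothetical vendor HMI runtime
    r"C:\ICS\HMI\alarm_server.exe",    # hypothetical vendor alarm service
}
# Living-off-the-land binaries an operator station has no business launching.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "rundll32.exe", "regsvr32.exe", "mshta.exe", "certutil.exe"}
ICS_SUBNET = ipaddress.ip_network("10.10.0.0/16")   # hypothetical control network
ALLOWED_PORTS = {502, 102, 20000, 44818, 4840}      # Modbus, S7comm, DNP3, EtherNet/IP, OPC UA


def image_name(path):
    """Basename of a Windows image path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Sysmon Event ID 1 (ProcessCreate): LOLBin or unknown image on the HMI."""
    d = ev["winlog"]["event_data"]
    image = d["Image"]
    if image_name(image) in LOLBINS:
        parent = image_name(d.get("ParentImage", ""))
        return [("lolbin_exec", f"{parent} -> {image_name(image)}: {d.get('CommandLine', '')}")]
    if image not in ALLOWED_IMAGES:
        return [("unknown_image", image)]
    return []


def check_network_connect(ev):
    """Sysmon Event ID 3 (NetworkConnect): egress off the control subnet or a non-ICS port."""
    d = ev["winlog"]["event_data"]
    dst = ipaddress.ip_address(d["DestinationIp"])
    port = int(d["DestinationPort"])
    where = f"{image_name(d['Image'])} -> {dst}:{port}"
    if dst not in ICS_SUBNET:
        return [("egress_outside_ics", where)]
    if port not in ALLOWED_PORTS:
        return [("unexpected_port", where)]
    return []


# Only the event IDs we have rules for; other Sysmon events are kept for forensics but not alerted on.
HANDLERS = {1: check_process_create, 3: check_network_connect}


def detect(events):
    """Run the rules over decoded events and return alert dicts in event order."""
    alerts = []
    for ev in events:
        handler = HANDLERS.get(ev["winlog"]["event_id"])
        if handler is None:
            continue
        for rule, detail in handler(ev):
            alerts.append({"host": ev["host"]["name"], "rule": rule, "detail": detail})
    return alerts


# Constructed sample: seven Sysmon records from one HMI host. Paths use JSON's
# escaped backslashes; 203.0.113.7 is a documentation (TEST-NET-3) address.
SAMPLE_EVENTS = r"""
{"host":{"name":"HMI-01"},"winlog":{"event_id":1,"event_data":{"Image":"C:\\ICS\\HMI\\hmi_runtime.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"hmi_runtime.exe /project line3"}}}
{"host":{"name":"HMI-01"},"winlog":{"event_id":1,"event_data":{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\ICS\\HMI\\hmi_runtime.exe","CommandLine":"powershell.exe -NoProfile -WindowStyle Hidden -Command Get-Process"}}}
{"host":{"name":"HMI-01"},"winlog":{"event_id":1,"event_data":{"Image":"C:\\Users\\operator\\AppData\\Local\\Temp\\update.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"update.exe"}}}
{"host":{"name":"HMI-01"},"winlog":{"event_id":3,"event_data":{"Image":"C:\\ICS\\HMI\\hmi_runtime.exe","DestinationIp":"10.10.5.20","DestinationPort":"502","Protocol":"tcp"}}}
{"host":{"name":"HMI-01"},"winlog":{"event_id":3,"event_data":{"Image":"C:\\Users\\operator\\AppData\\Local\\Temp\\update.exe","DestinationIp":"203.0.113.7","DestinationPort":"443","Protocol":"tcp"}}}
{"host":{"name":"HMI-01"},"winlog":{"event_id":11,"event_data":{"Image":"C:\\ICS\\HMI\\hmi_runtime.exe","TargetFilename":"C:\\ICS\\HMI\\logs\\line3.log"}}}
{"host":{"name":"HMI-01"},"winlog":{"event_id":3,"event_data":{"Image":"C:\\ICS\\HMI\\hmi_runtime.exe","DestinationIp":"10.10.5.20","DestinationPort":"3389","Protocol":"tcp"}}}
"""


def load_events(text):
    """Decode JSON lines (one Sysmon record per line), skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def run_sample():
    """Alerts for the constructed sample: LOLBin, unknown image, egress, odd port."""
    return detect(load_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']}  {a['rule']:<20} {a['detail']}")
```

In a real deployment the baseline would be learned from a few days of Sysmon telemetry per host class rather than typed by hand, and the rule thresholds (which ports, which subnets) would come from the plant's network design; the point of running it against ELK rather than on the HMI is that nothing here executes on the control host beyond the Sysmon driver itself.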
Keywords
ICS/SCADA; Legacy ICS; CTI; Sysmon; ELK