Assignment Final 1

This document discusses Endpoint Detection and Response (EDR) tools, which provide threat detection, monitoring, and incident response capabilities to defend against cyber threats. It begins by defining EDR tools and describing their key capabilities, such as threat detection, incident investigation, response and remediation, forensic analysis, threat hunting, and behavioral analytics. It then discusses some open source EDR solutions, specifically mentioning OSSEC, Nessus, and SNORT. Next, it covers Sysmon, describing its capabilities for monitoring process creation, network connections, and other events on Windows systems. It provides details on installing and managing Sysmon across multiple endpoints. Finally, it performs a comparison of Sysmon and Velociraptor, another open


ISN 1903-GROUP ASSIGNMENT

LAB ASSIGNMENT 2
Submitted to: Saikat Asaduzzaman
Date of submission:11th August 2023, Friday
Group name: Delta Force
Group Members
Ronald John Guzman C0893664
Tanzimul Haque C0895707
Dumkelechukwu Jerry-Okoro C0890899
Kamal Kalra C0892848
Thazni Kassim C0895117
Dixa Kathiriya C0892073
Table of Contents

Introduction
1. What is an Endpoint Detection and Response (EDR) tool?
   1. Threat Detection
   2. Incident Investigation
   3. Response and Remediation
   4. Forensic Analysis
   5. Threat Hunting
   6. Behavioural Analytics
2. What are some of the Open Source EDR solutions you can use in your environment?
   1. OSSEC
   2. Nessus Vulnerability Scanner
   3. SNORT
3. What is Sysmon? How can you install and manage Sysmon in an environment with fifty endpoints with Windows OS?
   Sysmon capabilities
   Usage of Sysmon
   Installation
   Management
4. Perform a comparison analysis between Sysmon and any of the Open Source EDR solutions of your choice.
   Comparison table
   Justification
Conclusion
References
Introduction
Protecting endpoints from sophisticated cyber threats is of utmost importance for
organisations in today's ever-changing digital landscape. Strong cybersecurity
solutions are increasingly necessary as hostile actors continue to develop
complex ways to break into networks and steal valuable data. Endpoint Detection
and Response (EDR) tools, which provide sophisticated threat detection, real-time
monitoring and efficient incident response capabilities, have become a crucial
line of defence. This discussion looks at EDR tools, their importance and the
open-source choices available, and compares Sysmon and Velociraptor, two tools
that illustrate what EDR solutions can do.

1. What is an Endpoint Detection and Response (EDR) tool?

Endpoint Detection and Response (EDR) is a cybersecurity solution designed to
improve an organisation's capacity to identify, investigate and respond to
advanced cyber threats and malicious activity on individual endpoints. Computers,
laptops, servers, mobile phones and other connected devices are all examples of
endpoints.
An EDR tool is a digital detective for the device it runs on. Think of it as a
security guard watching the computer or phone for misleading or dangerous
behaviour. Whenever you use a device, your activity leaves a trail: data
transferred over the internet, files opened, programs run. An EDR tool monitors
this trail continuously and watches for any signal that something strange or
harmful may be happening.
For instance, the EDR tool raises an alert if an attacker tries to access the
device or if malicious software (malware) tries to take control of it, much as
the guard would notice someone trying to break a window or pick a lock.
The EDR tool does not just alert and then disappear. It also gathers evidence of
what occurred and examines the traces the intruder left behind, as a detective
would at a crime scene, so that the precise problem and its fix can be
identified.
EDR tools also have a few tricks of their own: they can stop bad activity in its
tracks, for example by blocking a suspicious program before it does any harm,
just as the guard would stop a thief before anything valuable is taken. In
short, an EDR solution is a security guard and a knowledgeable detective in one:
it watches for problems, investigates odd behaviour and takes action to protect
the device from threats on the internet.
EDR tools are specialist software agents that run on the endpoint itself,
watching and analysing the actions and behaviour of the device in real time.
They provide several essential capabilities that make cybersecurity more
proactive:
1. Threat Detection:
EDR tools continuously monitor endpoint activity, searching for anomalies,
unusual patterns and indicators of compromise (IoCs): unauthorised access
attempts, unexpected file changes, strange network activity and similar
signals.
2. Incident Investigation:
When a possible threat is identified, EDR tools let security teams examine the
incident thoroughly. They provide details of the attack, its vectors and the
affected endpoints, which is essential for gauging the attack's extent and
planning a suitable response.
3. Response and Remediation:
EDR tools allow security teams to react to attacks quickly and effectively.
They offer a range of responses, including blocking malicious activity, rolling
back unauthorised changes and isolating infected endpoints from the network.
This helps contain the threat and prevents it from spreading further.
4. Forensic Analysis:
EDR tools retain historical endpoint activity data, enabling forensic
investigation by security experts. This helps in identifying an incident's root
cause, understanding the tactics the attackers used and strengthening the
overall security posture.
5. Threat Hunting:
EDR solutions make proactive threat hunting possible, allowing security
professionals to search for hidden threats and weaknesses that have not
triggered automatic alerts. This helps detect and mitigate threats before they
develop into full attacks.
6. Behavioural Analytics:
Modern EDR systems frequently include behavioural analytics that build a
baseline of normal behaviour for each endpoint. This lets them recognise
deviations from the baseline, which may be a sign of compromise or a security
breach.

Overall, by providing visibility into endpoint activity, improving threat
detection, speeding up response times and ultimately reducing the potential
impact of cyber attacks, EDR technologies play a crucial role in an
organisation's cybersecurity strategy.
2. What are some of the Open Source EDR solutions you can use
in your environment?

1. OSSEC
OSSEC is free, open-source software that provides EDR-like features: host-based
intrusion detection (HIDS), host-based intrusion prevention through its active
response mechanism, log analysis and real-time Windows registry monitoring. It
can be obtained from the project's GitHub page or the official website. OSSEC
primarily targets large enterprises, small and medium-sized businesses and
government organisations looking for server intrusion detection.
OSSEC supports many common compliance requirements such as the CIS benchmarks
and PCI DSS. The software runs on Windows, Linux, OpenBSD, macOS, Solaris and
FreeBSD. There is no support for mobile platforms such as Android or iOS.
OSSEC EDR FEATURES
A. LIDS (Log-based Intrusion Detection): collects and analyses log data coming
from multiple endpoints.
B. Malware and rootkit detection: employs process- and file-level scanning to
detect dormant or active malicious applications, rootkits included.
C. Active response: runs scripts when a rule fires, for example adding a
firewall rule to block an offending address, and supports integration with
third-party tools. OSSEC's documentation also mentions "self-healing actions"
under active response without elaborating on them.
D. FIM (File Integrity Monitoring): real-time monitoring of files and the
Windows registry. It can retain copies of changed files so that what changed
can be examined later.
E. System inventory: information gathering; able to retrieve hardware details,
installed software and versions, listening ports, utilisation rates and network
services.
2. Nessus Vulnerability scanner
Nessus, from Tenable, is a vulnerability scanner: it probes hosts over the
network (and, with agents, from inside the host) for known weaknesses such as
missing patches, weak configurations and exposed services, and reports the
entry points an attacker could exploit. It is proprietary rather than open
source: the free Nessus Essentials edition is limited to 16 IP addresses and
the full product is commercially licensed. Nessus has no EDR capabilities and
does not detect a compromise in progress, but it is efficient at finding the
vulnerabilities a compromise would exploit. Nessus runs on Linux, Windows and
macOS.
NESSUS FEATURES
A. Custom scripting and multiple plug-ins: Nessus checks are written in its own
scripting language (NASL), so users can write custom checks. The agent also
supports many plug-ins: server detection, processor information, Microsoft
Windows ARP table, recent file history, Windows scan not performed with admin
privileges, Microsoft Windows last boot time, and so on.
B. Patching indicator: when a vulnerability is detected, Nessus also reports a
remediation recommendation, typically the patch or configuration change that
resolves it.
C. In-depth vulnerability scanning: once deployed, Nessus runs its plugin
library, well over a hundred thousand checks, against each target to detect
system vulnerabilities.
3. SNORT
SNORT is a powerful open-source network intrusion detection and prevention
system (NIDS/NIPS) that finds threats by analysing network traffic in real time
and by logging packets. It runs on Linux (Fedora, CentOS and others), FreeBSD
and Windows. Although the source article groups it with EDR tools, SNORT
watches the network rather than the endpoint; it complements host-based EDR
rather than replacing it, and its packet logs are useful for audits and
investigations.

SNORT FEATURES
A. Multi-mode deployment: SNORT can be run in three modes: sniffer (reads
network packets and displays them on the console), packet logger (logs the
content of each packet to local disk), and NIDS/NIPS (real-time analysis of
network traffic, with the ability to drop traffic when deployed inline).
B. Tunneling protocol support for the most common formats: SNORT decodes the
following tunneling protocols: PPTP over GRE, MPLS, GRE, IP in IP and ERSPAN.
C. Multiple NIDS-mode output options: the NIDS module supports several alert
output modes: fast (a one-line alert containing timestamp, alert message,
source and destination IP addresses and ports), full, unsock (sends the alert to
a Unix socket), none (disables alerts), console (prints fast-style alerts to the
screen) and cmg (prints alerts in the CMG style).
3. What is Sysmon? How can you install and manage Sysmon in an environment with fifty endpoints with Windows OS?

System Monitor (Sysmon) is a Windows system service and device driver that,
once installed, remains resident across reboots and records system activity to
the Windows event log (the Microsoft-Windows-Sysmon/Operational channel). It
provides detailed information about process creation, network connections and
changes to file creation times, among other events. By collecting the events it
generates with Windows Event Collection or SIEM agents and analysing them
centrally, you can spot suspicious or out-of-the-ordinary activity and learn how
malware and intruders operate on your network.
It should be noted that Sysmon does not attempt to protect or hide itself from
attackers, nor does it analyse the events it generates; that is the job of the
collector, the SIEM or the analyst.
Sysmon includes the following capabilities.
• Logs process creation with the full command line of both the current and the
parent process.
• Records the hash of process image files using SHA1 (the default), MD5,
SHA256 or IMPHASH.
• Multiple hashes can be used at the same time.
• Includes a process GUID in process-creation events so that events can be
correlated even when Windows reuses process IDs.
• Includes a logon session GUID in each event so that events from the same
logon session can be correlated.
• Logs the loading of drivers and DLLs with their signatures and hashes.
• Logs opens for raw read access of disks and volumes.
• Optionally logs network connections, including each connection's source
process, IP addresses, port numbers, hostnames and port names.
• Detects changes in file creation time to help determine when a file was
really created. Malware frequently modifies file creation timestamps to
conceal itself.
• Automatically reloads its configuration if it is changed in the registry.
• Supports rule filtering to include or exclude specific events dynamically.
• Generates events from early in the boot process to capture activity from
even sophisticated kernel-mode malware.
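The process GUID bullet above is easy to underestimate until you try to build a process tree from the log. The script below is an added example written for this report, not code from the original assignment or from Microsoft: it parses Sysmon Event ID 1 (ProcessCreate) records, links children to parents by ProcessGuid/ParentProcessGuid instead of PID, and flags shells whose ancestry passes through an Office application. The four event records are constructed sample data in the shape Sysmon writes to the Microsoft-Windows-Sysmon/Operational log; the host name, GUIDs, PIDs, paths and command lines are invented.

```powershell
# Added example, not code from the original report: parse Sysmon Event ID 1
# (ProcessCreate) records and rebuild parent/child chains by ProcessGuid and
# ParentProcessGuid rather than by PID, which Windows reuses once a process exits.
# The four records below are CONSTRUCTED sample data in the shape Sysmon writes
# to Microsoft-Windows-Sysmon/Operational; GUIDs, PIDs, paths and command lines are invented.

$ev1 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="UtcTime">2023-08-10 14:02:11.120</Data>
  <Data Name="ProcessGuid">{a1b2c3d4-0001-64d5-0000-000000000100}</Data><Data Name="ProcessId">4120</Data>
  <Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
  <Data Name="CommandLine">"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"</Data>
  <Data Name="ParentProcessGuid">{a1b2c3d4-0001-64d5-0000-000000000010}</Data><Data Name="ParentProcessId">3004</Data>
 </EventData></Event>
'@
$ev2 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="UtcTime">2023-08-10 14:02:40.555</Data>
  <Data Name="ProcessGuid">{a1b2c3d4-0002-64d5-0000-000000000200}</Data><Data Name="ProcessId">6200</Data>
  <Data Name="Image">C:\Windows\System32\cmd.exe</Data>
  <Data Name="CommandLine">cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA</Data>
  <Data Name="ParentProcessGuid">{a1b2c3d4-0001-64d5-0000-000000000100}</Data><Data Name="ParentProcessId">4120</Data>
 </EventData></Event>
'@
$ev3 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="UtcTime">2023-08-10 14:02:41.010</Data>
  <Data Name="ProcessGuid">{a1b2c3d4-0003-64d5-0000-000000000300}</Data><Data Name="ProcessId">7316</Data>
  <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
  <Data Name="CommandLine">powershell -nop -w hidden -enc SQBFAFgA</Data>
  <Data Name="ParentProcessGuid">{a1b2c3d4-0002-64d5-0000-000000000200}</Data><Data Name="ParentProcessId">6200</Data>
 </EventData></Event>
'@
$ev4 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID><Computer>WS01</Computer></System><EventData>
  <Data Name="UtcTime">2023-08-10 14:05:02.300</Data>
  <Data Name="ProcessGuid">{a1b2c3d4-0004-64d5-0000-000000000400}</Data><Data Name="ProcessId">6200</Data>
  <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  <Data Name="CommandLine">"C:\Windows\System32\notepad.exe" notes.txt</Data>
  <Data Name="ParentProcessGuid">{a1b2c3d4-0001-64d5-0000-000000000010}</Data><Data Name="ParentProcessId">3004</Data>
 </EventData></Event>
'@

function ConvertFrom-SysmonEventXml {
    # Flatten the <Data Name="..."> elements of one event into a typed object.
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $f = @{}
    foreach ($d in $doc.Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        UtcTime = $f['UtcTime']; ProcessGuid = $f['ProcessGuid']; ProcessId = [int]$f['ProcessId']
        Image = $f['Image']; CommandLine = $f['CommandLine']; ParentProcessId = [int]$f['ParentProcessId']
        ParentProcessGuid = $f['ParentProcessGuid']
    }
}

function Get-ProcessChains {
    # One indented line per process; children are attached by ParentProcessGuid, never by PID.
    param([object[]]$Events)
    $byGuid = @{}; foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }
    $kids = $Events | Group-Object ParentProcessGuid -AsHashTable -AsString
    $out = [System.Collections.Generic.List[string]]::new()
    function Walk($e, $depth) {
        $out.Add(('{0}{1} (pid {2}) :: {3}' -f ('  ' * $depth), (Split-Path $e.Image -Leaf), $e.ProcessId, $e.CommandLine))
        if ($kids.ContainsKey($e.ProcessGuid)) {
            foreach ($c in ($kids[$e.ProcessGuid] | Sort-Object UtcTime)) { Walk $c ($depth + 1) }
        }
    }
    # Roots: the parent was never logged (started before Sysmon, or excluded by the config); explorer.exe here.
    foreach ($r in ($Events | Where-Object { -not $byGuid.ContainsKey($_.ParentProcessGuid) } | Sort-Object UtcTime)) { Walk $r 0 }
    $out
}

function Find-OfficeSpawnedShells {
    # Flag shell/script hosts whose GUID-linked ancestry passes through an Office application.
    param([object[]]$Events)
    $byGuid = @{}; foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }
    foreach ($e in $Events) {
        if ((Split-Path $e.Image -Leaf) -notmatch '^(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$') { continue }
        $chain = @(Split-Path $e.Image -Leaf)
        $p = $byGuid[$e.ParentProcessGuid]
        while ($p) { $chain = @(Split-Path $p.Image -Leaf) + $chain; $p = $byGuid[$p.ParentProcessGuid] }
        if ($chain -match '^(WINWORD|EXCEL|POWERPNT|OUTLOOK)\.EXE$') {
            [pscustomobject]@{ Chain = ($chain -join ' -> '); Pid = $e.ProcessId; CommandLine = $e.CommandLine }
        }
    }
}

$events = $ev1, $ev2, $ev3, $ev4 | ForEach-Object { ConvertFrom-SysmonEventXml $_ }
Get-ProcessChains $events
# powershell.exe ($ev3) carries ParentProcessId 6200, which matches both cmd.exe ($ev2) and the
# later notepad.exe ($ev4) that inherited the freed PID; only ParentProcessGuid resolves it.
Find-OfficeSpawnedShells $events | Format-Table -AutoSize
# Live data instead of the sample:
#   Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1} |
#     ForEach-Object { ConvertFrom-SysmonEventXml $_.ToXml() }
```

Run as-is, the script prints two trees (WINWORD.EXE -> cmd.exe -> powershell.exe, and the unrelated notepad.exe) and flags both cmd.exe and powershell.exe, because each has WINWORD.EXE as a GUID-linked ancestor. Linking by PID alone would have had to guess which of the two PID-6200 processes was powershell's parent; this is exactly the ambiguity the process GUID exists to remove.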

Usage of Sysmon
Common usage, with the command-line options that install and uninstall Sysmon
and check or modify its configuration. Use sysmon.exe in place of sysmon64.exe
on 32-bit Windows. Every form also accepts -accepteula, which suppresses the
licence prompt and is required for unattended installation:
Install: sysmon64 -accepteula -i [<configfile>]
Update configuration: sysmon64 -c [<configfile>]
Install event manifest: sysmon64 -m
Print schema: sysmon64 -s
Uninstall: sysmon64 -u [force]

Parameter  Description
-i  Install service and driver. Optionally takes a configuration file; without
one, Sysmon installs with its default settings (process images hashed with SHA1
and no network monitoring).
-c  Update the configuration of an installed Sysmon driver, or dump the current
configuration if no other argument is provided. Optionally takes a
configuration file.
-m  Install the event manifest (implicitly done on service install as well).
-s  Print the configuration schema definition.
-u  Uninstall service and driver. Using -u force causes uninstall to proceed
even when some components are not installed.

Installation
1. Download Sysmon: visit the official Sysinternals Sysmon page on the
Microsoft website and download the Sysmon archive, which contains Sysmon.exe
and Sysmon64.exe. Microsoft does not ship a configuration file: write your own
SysmonConfig.xml (or start from a published community configuration and review
it) to say which events to include and exclude. Without a configuration file
Sysmon only records its default event set and no network connections.
2. Create a shared folder: create a network share, readable by all endpoints
but writable only by the administrators who maintain the deployment, holding
Sysmon64.exe and SysmonConfig.xml. Because the endpoints will install a kernel
driver from whatever is in this folder, its write permissions matter.
3. Deploy Sysmon:
• Manual installation: copy Sysmon64.exe and SysmonConfig.xml to each endpoint
and run the following command in an elevated Command Prompt:
sysmon64.exe -accepteula -i sysmonconfig.xml
• Automated deployment: with fifty endpoints, use scripting or deployment tools
(Group Policy startup scripts, PowerShell remoting, or configuration management
tools such as SCCM or Ansible) to run the same install command on all endpoints
at once.
Management
1. Centralised configuration: tune SysmonConfig.xml to the security needs of
the organisation. This file specifies which events Sysmon records and which it
filters out. Keep it under version control, and place each approved revision
in the share so that every endpoint picks up the same file.
2. Update Sysmon: regularly check the Microsoft website for new Sysmon
releases. When one is available, replace Sysmon64.exe in the share with the new
version and roll it out; a new binary must be installed on each endpoint, while
a configuration change only needs sysmon64 -c <configfile>.
3. Automated management: automate periodic checking and updating of Sysmon on
the endpoints with deployment tools or scripts. When the configuration changes,
have a procedure that pushes it to all endpoints promptly. On any single host,
sysmon64 -c with no arguments prints the configuration currently in effect,
which is the quickest way to verify that the push worked.
4. Event collection and analysis: configure Windows Event Forwarding or a SIEM
agent to collect the Microsoft-Windows-Sysmon/Operational log from every
endpoint. This gives one place to search the gathered events for security
incidents. Build alerting and reporting on that data so that suspicious
activity is acted on right away.
5. Maintenance: regularly review and refine the Sysmon configuration so that
the right events are captured without flooding the environment with
superfluous logs. Keep track of Sysmon changes and updates and adapt the
deployment as necessary.
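The installation and management steps above, as one script. This is an added example written for this report, not a script from the original assignment or from Microsoft. Its assumptions, none of which the report states, are: a share \\fs01\sysmon$ that is writable only by deployment administrators and holds Sysmon64.exe and sysmonconfig.xml; a file endpoints.txt listing the fifty hostnames one per line; WinRM enabled on every endpoint; and an account that is a local administrator on each of them. The script installs Sysmon where it is missing and only pushes the configuration where it is already present, so it can be scheduled to run repeatedly.

```powershell
# Added example, not code from the original report: deploy Sysmon to a list of
# Windows endpoints and keep their configuration in sync from one management host.
# Assumptions (not stated in the report): \\fs01\sysmon$ is a share, writable only
# by deployment admins, holding Sysmon64.exe and sysmonconfig.xml; endpoints.txt
# lists the fifty hostnames one per line; WinRM is enabled on every endpoint; and
# the account running this script is a local administrator on each of them.
[CmdletBinding()]
param(
    [string]$Share        = '\\fs01\sysmon$',
    [string]$EndpointList = '.\endpoints.txt',
    [string]$LocalDir     = 'C:\ProgramData\SysmonDeploy'
)

$computers = Get-Content $EndpointList | Where-Object { $_ -and -not $_.StartsWith('#') }

# Hash both files once here, so every endpoint verifies what it received before
# installing a kernel driver from it.
$expected = @{
    Binary = (Get-FileHash (Join-Path $Share 'Sysmon64.exe') -Algorithm SHA256).Hash
    Config = (Get-FileHash (Join-Path $Share 'sysmonconfig.xml') -Algorithm SHA256).Hash
}

$remote = {
    param($LocalDir, $Expected)
    $exe = Join-Path $LocalDir 'Sysmon64.exe'
    $cfg = Join-Path $LocalDir 'sysmonconfig.xml'
    if ((Get-FileHash $exe -Algorithm SHA256).Hash -ne $Expected.Binary -or
        (Get-FileHash $cfg -Algorithm SHA256).Hash -ne $Expected.Config) {
        throw "$env:COMPUTERNAME: hash mismatch, refusing to install"
    }
    # The 64-bit binary registers a service named Sysmon64 (Sysmon.exe would use 'Sysmon').
    if (-not (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue)) {
        # First install: -accepteula suppresses the licence prompt, -i loads the config.
        & $exe -accepteula -i $cfg | Out-Null
        $action = 'installed'
    } else {
        # Already installed: push the configuration only; no reinstall or reboot needed.
        & $exe -accepteula -c $cfg | Out-Null
        $action = 'config updated'
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Action   = $action
        Version  = (Get-Item $exe).VersionInfo.FileVersion
        Service  = (Get-Service -Name Sysmon64).Status
        ExitCode = $LASTEXITCODE
    }
}

# Copy through the PSSession rather than letting endpoints read the share themselves:
# a remote session normally cannot re-use the caller's credentials against a third
# host (the Kerberos double-hop problem), so a UNC path opened from the endpoint would fail.
$sessions = New-PSSession -ComputerName $computers -ThrottleLimit 10 -ErrorAction Continue
foreach ($s in $sessions) {
    Invoke-Command -Session $s -ScriptBlock { param($d) New-Item -ItemType Directory -Path $d -Force | Out-Null } -ArgumentList $LocalDir
    Copy-Item -Path (Join-Path $Share 'Sysmon64.exe'), (Join-Path $Share 'sysmonconfig.xml') `
              -Destination $LocalDir -ToSession $s -Force
}
$results = Invoke-Command -Session $sessions -ScriptBlock $remote -ArgumentList $LocalDir, $expected
Remove-PSSession $sessions
$results | Sort-Object Computer | Format-Table Computer, Action, Version, Service, ExitCode -AutoSize
```

Run it from the management host after each configuration revision, or on a weekly schedule; the result table shows which hosts were freshly installed, which only received the new configuration, and any non-zero Sysmon exit code. To confirm a host is actually producing events afterwards, run Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational -MaxEvents 5 on it. Hosts that fail the hash check are skipped with an error rather than installed, which is the behaviour you want if someone has tampered with the share.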

4. Perform a comparison analysis between Sysmon and any of the Open Source EDR solutions of your choice.

A comparison table of Sysmon with all three options: OSSEC, Nessus Vulnerability Scanner, and SNORT.

Comparison table

Feature | Sysmon | OSSEC (HIDS) | Nessus Vulnerability Scanner | SNORT (IDS/IPS)
Purpose | System activity monitoring | Host-based intrusion detection | Vulnerability scanning | Network-based intrusion detection and prevention
Deployment | Host-based, Windows only | Host-based, multi-platform | Network-based (optional agents), multi-platform | Network-based, multi-platform
Primary functionality | Low-level system event logging | Log analysis, file integrity checking, real-time alerting, active response | Vulnerability scanning, security assessments | Network traffic monitoring, intrusion detection and prevention
Platform support | Windows | Windows, Linux, macOS, BSD, Solaris | Windows, Linux, macOS | Linux, FreeBSD, Windows
Flexibility | XML include/exclude rules; no built-in query engine, analysis happens in the collector or SIEM | Extensive rule-based analysis, custom rules | Plugin-based scanning, custom NASL checks | Customisable rule sets, real-time analysis, active response
Target environment | Host-level monitoring | Host-level monitoring | Host and network vulnerability assessment | Network traffic analysis and protection
Threat detection | System-level events only (process, network, file and image-load activity) | File integrity checks, anomaly detection, rootkit detection | Vulnerability assessment, not live threats | Signature-based, anomaly-based
Active response | No (logging only) | Yes, can run active-response scripts | No (reports findings and remediation advice) | Yes, can drop or block traffic when deployed inline (IPS mode)
Integration and automation | Event log output consumed by Windows Event Forwarding, SIEM agents and other tools | Supports integration with other security tools | Supports integration with other security tools | Supports integration with other security tools
Cost | Free | Free (open source) | Commercial (paid licence; free Essentials tier limited to 16 IPs) | Free (open source)
Community support and updates | Maintained by Microsoft Sysinternals; large body of community configurations | Active community | Active community and vendor support | Active community
Scalability | One agent per host; scales through centralised event collection | Scalable to multiple hosts | Scalable to large networks | Scalable to large networks

It is crucial to remember that each tool has a particular function. Sysmon is
used on Windows for system-level monitoring, OSSEC offers host-based IDS/IPS
capabilities with substantial customisation, Nessus is a vulnerability scanner
that focuses on finding weaknesses before they are exploited, and SNORT is a
network intrusion detection and prevention system. Which tool to use depends on
your requirements and the particular use case.
We chose SNORT for our environment.
Justification
After comparing the three tools (OSSEC, Nessus Vulnerability Scanner and SNORT)
against the needs of our environment, SNORT was chosen for the reasons below.
Real-time network monitoring: monitoring and analysing network traffic in real
time is the core function of SNORT, an open-source intrusion detection and
prevention system (IDS/IPS). That capability is essential for quick detection
of, and response to, network-based threats and attacks.
Network-focused security: in our setting, protecting the network infrastructure
is the priority. Because SNORT's main job is to detect suspicious or malicious
activity at the network level, it fits our network security objectives best.
Threat signature-based detection: SNORT identifies known attack patterns with
signature-based detection, so it detects and alerts on a wide range of
well-known, documented threats with a high level of accuracy. This gives us a
strong defensive baseline. Signatures only catch threats that have already been
described, which is why anomaly-based rules and host-level telemetry such as
Sysmon remain useful alongside it.
Customisable rule sets: SNORT lets us write and modify rules to suit the
particulars of our environment and threat landscape. By focusing on the threats
that matter most to the organisation, we can cut irrelevant noise and false
positives.
Active response: in addition to alerting on suspicious activity, SNORT can
block or drop harmful traffic. This requires deploying it inline (IPS mode) in
the traffic path; a passive sensor attached to a SPAN port or tap can only
alert.
Community support and updates: SNORT has a large and active community of
security experts and enthusiasts, plus vendor-maintained rule sets, which
ensures regular rule additions and enhancements to keep pace with new threats
and vulnerabilities.
Cost-effectiveness: SNORT is open-source software that provides sophisticated
network security capabilities without a substantial outlay of cash, which makes
it a financially sensible choice.
Scalability: SNORT is known for its scalability and can be used in both small
and large networks, making it a good fit for our changing environment.
SNORT is therefore the best option for our environment's primary security goals
because of its network-focused capabilities, real-time threat detection,
customisation options and active response capabilities, while OSSEC and Nessus
Vulnerability Scanner remain useful tools in their respective fields. By
deploying SNORT as our network-based IDS/IPS we can strengthen our network
security posture, identify threats in real time and prevent prospective
attacks, as part of a strong and efficient security strategy.

Conclusion

Choosing the best technologies to bolster an organisation's defences in the
evolving world of cybersecurity takes considerable thought and a comprehensive
approach. Endpoint detection and response (EDR) systems act as bulwarks against
the never-ending flow of cyber threats by making it possible to identify,
examine and respond to even the most complex attacks.
Our examination of Sysmon and Velociraptor has shown that each tool has
strengths suited to particular security goals. Sysmon excels at comprehensively
logging system activity for forensic analysis, while Velociraptor equips
organisations with real-time threat hunting and live incident response
capabilities.
In the end, the organisation's priorities, infrastructure and skills will
determine which of these technologies to use. It is worth keeping in mind that
the most effective strategy may combine both in a complementary way, using
Velociraptor's agility for proactive threat hunting and Sysmon's thorough data
collection for rigorous investigations. Organisations can improve their cyber
resilience by adopting EDR solutions and tailoring them to their own needs,
which will help them foil threats and preserve the integrity of their digital
assets in a threat environment that is always changing.
References
Ten Open-Source EDR Tools to Enhance Your Cyber-Resilience Factor, https://heimdalsecurity.com/blog/open-source-edr-tools/
Compare Business Software, Endpoint Detection and Response (EDR) Software, https://sourceforge.net/software/endpoint-detection-and-response-edr/
Tenable Nessus Essentials, https://www.tenable.com/products/nessus/nessus-essentials
Official Microsoft Sysinternals documentation for Sysmon, https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Official OSSEC website, https://www.ossec.net/
OSSEC Wiki, https://github.com/ossec/ossec-docs/wiki
Tenable Nessus product page, https://www.tenable.com/products/nessus
Nessus documentation and support, https://docs.tenable.com/nessus/
SNORT documentation, https://www.snort.org/documents
Qualys Context XDR (Extended Detection and Response), Sysmon configuration guide, https://www.qualys.com/docs/parser-guides/qualys_sysmon_config_guide.pdf