Opensource:
Attacker Intent Search
Find the attacker intent hidden in your Elastic data lake
The empow Attacker Intent Search Module in the Elastic Stack
The empow Attacker Intent Search module uses empow’s classification plugin and configures the entire Elastic stack, including Logstash pipeline, Elastic DB, and Kibana UI.
The Challenge
A typical SIEM (Security Information and Event Management) solution collects and manages a huge number of security events, from many security devices, such as IDS/IPS, anti-virus and anti-malware, reputation services, etc.
Vendor logs are usually vague and not indicative.
One of the most difficult and time-consuming tasks in managing a SIEM is the process of analyzing each collected log and mapping it to the security intent – the attacker’s purpose associated with the detected log. Since there are many products and many types of security devices, and the set of detected events changes on an almost daily basis, this task has become mission impossible.
The Solution
In the Attacker Intent Search open-source solution, empow is opening its classification center, an online service that enables security analysts to find the intent behind security threats immediately and without the complexity usually associated with this task. Once a security log is detected, its relevant information (e.g. malware hash value, IDS signature ID, attack name, attack description, etc.) is sent to the classification center. The classification service automatically acquires a textual description of the threat, uses NLP algorithms to analyze the information, and maps the log to the relevant attacker intent. This process is performed in seconds, compared to human-based analysis, which can take hours or even days.
In order to utilize the classification center, empow is contributing a classification Logstash plugin to the open-source community. The plugin interacts with the empow classification center and enriches every incoming security log with its security intent classification.
To simplify the configuration, installation and usage of the Logstash plugin, empow is also contributing a classification ELK module that configures the entire Elastic Stack (including Logstash, the Elastic database and Kibana), in order to provide out-of-the-box attacker intent search and reporting dashboards.