Creation of Signatures for a Security Information and Event Management System, to Aid in the Detection of Insider Attacks on SharePoint 2013
Jenkins, M. (2015). Creation of Signatures for a Security Information and Event Management System, to Aid in the Detection of Insider Attacks on SharePoint 2013 (MSc Advanced Security & Digital Forensics DL). Edinburgh Napier University (Ludwiniak, R.,
The aim of this thesis is to create signatures for a security information and event management (SIEM) system that allow the standardised detection of attacks carried out by a malicious privileged user on a Microsoft SharePoint 2013 infrastructure.
A lack of empirical information, together with the organisational sensitivity of much of the relevant data and statistics, makes this field extremely challenging to study; a literature review of current hacking techniques and SharePoint vulnerabilities was therefore completed to gain a full understanding of the vulnerabilities that a malicious insider may exploit.
From the initial review of the available data, three areas of investigation were expanded upon and then tested in a Microsoft Azure lab environment, using Splunk to analyse the ‘malicious’ actions generated by a manual process. The discovery of a logging deficit within the SharePoint application added complexity and led to the deployment of the LOGBinder program in the test infrastructure, so that the logs could be ingested in a meaningful form.
The goal was to attain a high true-positive hit rate while keeping false-positive observations low. This was achieved; however, it was noted that in a structured test lab there are difficulties in generating truly unknown false positives that would catch the signatures out.
The formulation of queries from this lab setup that could be shared across multiple SIEM products was a major success; they are presented in a form that can be transferred between SIEM applications with ease.
A major finding was the ability to infer denied accesses from within the SharePoint application. This was especially fortunate, as many of the use-case triggers rely on this metric and SharePoint itself does not generate such events. It is proposed that future study concentrate on this specific area, to confirm that the results observed also occur in other SharePoint configurations. Additionally, it is proposed that the analysis be run on a live infrastructure, which would allow a better understanding of real-life false positives in a truly live corporate environment.
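As an added illustration, not code from the thesis: a SIEM-neutral signature held as plain data, rendered to Splunk SPL and evaluated in Python over constructed SharePoint audit events, followed by an assumed heuristic for inferring denied accesses from IIS web logs. The thesis does not state how its denied-access inference works, so the IIS heuristic, the normalised audit-event fields, `index=sharepoint`, the privileged-account list, the threshold and all sample log lines are assumptions made for this example.

```python
"""Added example: a portable SIEM signature plus an assumed denied-access
inference for SharePoint 2013. Not the thesis's own code or schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed SharePoint audit events in the kind of normalised shape a
# LOGBinder-style collector might emit (field names are assumptions).
AUDIT_EVENTS = [
    {"ts": "2015-03-01T09:00:00", "user": "CORP\\svc_admin", "event": "View", "site": "/sites/hr", "item": "salaries.xlsx"},
    {"ts": "2015-03-01T09:01:00", "user": "CORP\\svc_admin", "event": "View", "site": "/sites/hr", "item": "appraisals.docx"},
    {"ts": "2015-03-01T09:02:00", "user": "CORP\\svc_admin", "event": "View", "site": "/sites/legal", "item": "merger.docx"},
    {"ts": "2015-03-01T09:03:00", "user": "CORP\\svc_admin", "event": "View", "site": "/sites/legal", "item": "nda.pdf"},
    {"ts": "2015-03-01T09:04:00", "user": "CORP\\svc_admin", "event": "View", "site": "/sites/finance", "item": "q1.xlsx"},
    {"ts": "2015-03-01T09:30:00", "user": "CORP\\jsmith", "event": "View", "site": "/sites/hr", "item": "handbook.pdf"},
    {"ts": "2015-03-01T13:00:00", "user": "CORP\\svc_admin", "event": "View", "site": "/sites/it", "item": "runbook.docx"},
]

# The signature is held as data so it can be rendered for any SIEM.
SIGNATURE = {
    "name": "privileged_bulk_view",
    "event": "View",
    "privileged_users": {"CORP\\svc_admin", "CORP\\spfarm"},  # assumed list
    "threshold": 5,        # distinct (site, item) pairs
    "window_minutes": 10,
}


def to_splunk(sig):
    """Render the rule as Splunk SPL. bin gives fixed buckets, which is looser
    than the sliding window in evaluate(); a burst straddling a bucket edge
    can be missed, so tune span or use streamstats in production."""
    users = " OR ".join('user="%s"' % u.replace("\\", "\\\\")
                        for u in sorted(sig["privileged_users"]))
    return ('index=sharepoint event="%s" (%s) '
            '| bin _time span=%dm '
            '| stats dc(item) AS items BY _time user '
            '| where items >= %d') % (sig["event"], users,
                                     sig["window_minutes"], sig["threshold"])


def evaluate(sig, events):
    """Sliding-window count of distinct items viewed by each privileged user.
    Returns (user, window_start, window_end, distinct_items) per alert."""
    window = timedelta(minutes=sig["window_minutes"])
    per_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == sig["event"] and e["user"] in sig["privileged_users"]:
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        win = deque()
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            win.append(e)
            while datetime.fromisoformat(win[0]["ts"]) < t - window:
                win.popleft()
            items = {(x["site"], x["item"]) for x in win}
            if len(items) >= sig["threshold"]:
                alerts.append((user, win[0]["ts"], e["ts"], len(items)))
                win.clear()  # one alert per burst, not one per extra event
    return alerts


# Constructed IIS W3C log excerpt. IIS replaces spaces in the user agent
# with '+', so whitespace splitting on the fields is safe here.
IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-03-01 09:05:12 10.0.0.5 GET /sites/finance/payroll.xlsx - 443 - 10.0.0.20 Mozilla/5.0 401 2 5 3
2015-03-01 09:05:13 10.0.0.5 GET /sites/finance/payroll.xlsx - 443 CORP\\svc_admin 10.0.0.20 Mozilla/5.0 401 0 0 12
2015-03-01 09:06:00 10.0.0.5 GET /sites/it/runbook.docx - 443 CORP\\svc_admin 10.0.0.20 Mozilla/5.0 200 0 0 40
"""


def infer_denied(iis_log):
    """Assumed heuristic (not the thesis's method): an authenticated request
    answered 401/403 is treated as a denied access. The anonymous 401 that
    starts an NTLM/Kerberos handshake (cs-username '-') is excluded, as it
    would otherwise be a guaranteed false positive."""
    fields, denied = None, []
    for line in iis_log.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec["cs-username"] != "-" and rec["sc-status"] in ("401", "403"):
            denied.append({"ts": rec["date"] + "T" + rec["time"],
                           "user": rec["cs-username"], "item": rec["cs-uri-stem"]})
    return denied


if __name__ == "__main__":
    print(to_splunk(SIGNATURE))
    for alert in evaluate(SIGNATURE, AUDIT_EVENTS):
        print("ALERT", alert)
    for d in infer_denied(IIS_LOG):
        print("DENIED", d)
```

On the constructed data the sliding window fires once for `CORP\svc_admin` (five distinct items between 09:00 and 09:04) and stays quiet for the lone 13:00 view and for the non-privileged user, while the IIS heuristic reports a single inferred denial and ignores the anonymous challenge line; the sample is tiny, so it says nothing about the false-positive behaviour on a live estate that the abstract flags as future work.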