
Wazuh Incident Report



Executive Summary


In alignment with strategic decisions to fortify cybersecurity measures across enterprise IT frameworks, we have demonstrated a deployment of the Wazuh Security Information and Event Management (SIEM) system atop the client's Apache server environment.


Given the Apache server's role in the infrastructure, it is important to establish oversight of its operational dynamics, potential threat vectors, and vulnerability exposures. To this end, Wazuh SIEM has been deployed, given its record in comprehensive monitoring and regulatory compliance management.


During the setup phase, our team made sure that both the hardware and software were properly set up. Our team also ensured the network was secure and that everything integrated smoothly.


After setting everything up, our tests showed that the system was working seamlessly, capturing data efficiently. The early results indicate that the ability of our team to spot and handle security threats on the client's server has improved. Also, the system is running efficiently without overloading the server.


Objective


To implement and evaluate the Wazuh SIEM system on a virtualized environment, focusing on its capability to identify, record, and respond to four specific Indicators of Compromise (IoC).


Scope


Systems and Technologies

Deployment on three virtual machines:


i. Ubuntu VM: Wazuh SIEM system (10.0.29.15).

ii. Kali Linux VM: Apache web server with Wazuh agent (10.0.29.17).

iii. Kali Linux VM: Used exclusively to generate the predefined cyberattacks.


Requirements


For the successful implementation of this project, the following requirements were identified:


Infrastructure


i. Wazuh SIEM Solution: For collecting and analyzing logs from the IIS Web Server.

ii. Kali Machine: For simulating the specified attacks, aiding in testing our system's reliability.


Technical


i. Integration of Wazuh with Apache Server: Seamless assimilation is essential for real-time log monitoring.

ii. Configuration & Rules: Define specific rules in Wazuh to identify the four types of IoC.


Indicators of Compromise (IoC) to be Monitored


i. Brute Force attempts.

ii. Syn Scan attempts.

iii. TCP Scan attempts.

iv. UDP Scan attempts.


Operational


i. Regular Monitoring: Constant surveillance of the Wazuh dashboard for potential threats.

ii. Periodic Testing: Regularly simulating threats using the Kali machine to ensure our system remains robust and updated against evolving threats.


Setup and Configuration


Setting up Wazuh SIEM solution on Ubuntu


1. We followed the instructions at https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html (the official Wazuh documentation) to install and implement Wazuh on an Ubuntu machine. We had to install both Wazuh Manager and Wazuh Indexer to make sure that everything works properly.


2. Once the installation was done, we started both Wazuh Manager and Wazuh Indexer from a terminal using the commands ‘systemctl start wazuh-manager’ and ‘systemctl start wazuh-indexer’.



3. Once both services have started, we open a browser and access the Wazuh dashboard through the server's local IP, which in our case is ‘10.0.29.15’.


4. Once we are on the dashboard, we set up our agent on the web server. To do that, click on either Total agents or Active agents, then click on Deploy new agent and follow the instructions to install it on the web server.


When deploying a new agent, the dashboard displays a command which needs to be copied over to the web server so that the agent installs without any issues.


Installing Apache and Wazuh-Agent on Kali (Web Server)


1. Open a terminal as root. Use the command ‘sudo apt-get install apache2’ to install Apache on the Kali web server.


2. Start the Apache server using the command ‘systemctl start apache2’.


3. Next, install an IDS on the web server. We used Suricata, installed with the command ‘sudo apt-get -y install suricata’.




4. When the installation is successful, we need to change the Suricata config file to allow a certain IP, or a whole subnet, as shown below. To do that we used the command ‘nano suricata.yaml’ to edit the file, which is stored in /etc/suricata/.


5. Once Suricata is set up, we need to install the Wazuh agent on the web server. To do that we use the command provided by the Wazuh server, as shown below. We then start the Wazuh agent using the command ‘systemctl start wazuh-agent’.


6. Once that is set up, a few configuration changes are needed to have it up and running. We head over to /var/ossec/etc/ossec.conf and add an entry to collect the logs and send them to the Wazuh server.
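The report does not show the entry added to ossec.conf in step 6. The block below is an added example, not the report's own configuration: the <localfile> stanzas that make the Wazuh agent on the Kali web server forward the Apache access and error logs and Suricata's EVE JSON output to the manager. The file paths are the Debian/Kali defaults and are assumed; adjust them if your layout differs.

```xml
<!-- Added example, not from the report: extra <localfile> stanzas for
     /var/ossec/etc/ossec.conf on the Kali web server (Wazuh agent).
     Wazuh accepts several <ossec_config> blocks in one file, so this
     block can simply be appended to the end of the existing file.
     Paths are the Debian/Kali defaults (assumed); adjust if yours differ. -->
<ossec_config>
  <!-- Apache access log: the built-in "apache" decoder extracts the
       source IP, requested URL and HTTP status code, which the stock
       web rules (and any custom rules) key on. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/access.log</location>
  </localfile>

  <!-- Apache error log: authentication failures for password-protected
       paths (mod_auth_basic) are written here, not to the access log. -->
  <localfile>
    <log_format>apache</log_format>
    <location>/var/log/apache2/error.log</location>
  </localfile>

  <!-- Suricata EVE output, read as JSON so that fields such as
       alert.signature, src_ip and dest_port are available to the rules.
       SYN/TCP/UDP scans never reach Apache's own logs, so this is the
       source that lets Wazuh see the three scan IoCs. -->
  <localfile>
    <log_format>json</log_format>
    <location>/var/log/suricata/eve.json</location>
  </localfile>
</ossec_config>
```

After saving, restart the agent with ‘systemctl restart wazuh-agent’. The agent's own log, /var/ossec/logs/ossec.log, reports each monitored file as it is opened (look for "Analyzing file" lines naming the three paths); a path that is missing there, or an "Unable to open" error, usually means the file does not exist yet or the agent cannot read it.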


Test Scenario


Attack Simulation

1. Launch the Kali system so that we can start launching attacks against the web server.


2. Open a root terminal, and use the command ‘nmap -A 10.0.29.17’ to launch an nmap scan against the target machine.


3. The next step is launching a brute force attack on the web server using hydra, as shown below. We used root as the username and the rockyou.txt file shipped with Kali as the password list.


4. Next, we launched a UDP scan using the command ‘nmap -sU 10.0.29.17’.


5. Next, we launched a TCP scan using the command ‘nmap -sT 10.0.29.17’.


6. Lastly, we launched a SYN scan using the command ‘nmap -sS 10.0.29.17’.


Log Analysis


Checking the Logs


1. Go back to the Wazuh server dashboard. Click on Active agents, then click on the machine that appears, which in our case is our Kali web server machine.


2. Next, click on Security events at the top of the screen, and then click on Events.



3. Next, we should be able to see all the alerts and logs that are being captured by the Wazuh server.


We can confirm that all attacks are being detected by our Wazuh Server.
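The Technical requirements above call for Wazuh rules that identify the four IoCs, but the report relies on the stock ruleset and does not show any. The block below is an added example, not the report's own rules: a local_rules.xml fragment for the Ubuntu manager that raises a dedicated alert for repeated HTTP 401 responses from one source (the brute force IoC) and for Suricata scan signatures (the SYN, TCP and UDP scan IoCs). It assumes the agent forwards the Apache access log and Suricata's eve.json as described in the setup, that Suricata runs the ET Open ruleset (whose scan signatures are named "ET SCAN ..."), and that stock rule 31101 ("Web server 400 error code") exists with that id; verify the id against your manager's ruleset.

```xml
<!-- Added example, not from the report: custom rules for
     /var/ossec/etc/rules/local_rules.xml on the Ubuntu Wazuh manager.
     Ids 100000 and above are reserved for local rules. The parent
     sid 31101 (stock "Web server 400 error code") and the "ET SCAN"
     signature prefix are assumptions; check both against your ruleset. -->
<group name="local,apache,suricata,">

  <!-- One HTTP 401 is noise on its own; this rule only tags it so the
       frequency rule below has something to count. -->
  <rule id="100100" level="3">
    <if_sid>31101</if_sid>
    <id>401</id>
    <description>Apache: HTTP 401 (authentication failure) from $(srcip).</description>
    <group>authentication_failed,</group>
  </rule>

  <!-- Many 401s from the same source inside one minute is the pattern a
       password-guessing tool produces against a protected path. -->
  <rule id="100101" level="10" frequency="8" timeframe="60">
    <if_matched_sid>100100</if_matched_sid>
    <same_source_ip />
    <description>Apache: possible brute force, repeated HTTP 401 from $(srcip).</description>
    <group>authentication_failures,</group>
  </rule>

  <!-- Suricata EVE records arrive as JSON. Base rule: any alert event.
       (Wazuh ships its own Suricata rules as well; this one is kept
       self-contained so it does not depend on their ids.) -->
  <rule id="100110" level="3">
    <decoded_as>json</decoded_as>
    <field name="event_type">alert</field>
    <description>Suricata alert: $(alert.signature)</description>
  </rule>

  <!-- Scan signatures cover the SYN, TCP connect and UDP scan IoCs. -->
  <rule id="100111" level="8">
    <if_sid>100110</if_sid>
    <field name="alert.signature">^ET SCAN</field>
    <description>Suricata: scan signature from $(src_ip) to $(dest_ip):$(dest_port).</description>
    <group>recon,</group>
  </rule>

  <!-- Escalate when one source keeps triggering scan signatures. -->
  <rule id="100112" level="12" frequency="10" timeframe="120">
    <if_matched_sid>100111</if_matched_sid>
    <same_field>src_ip</same_field>
    <description>Suricata: sustained scan activity from $(src_ip).</description>
    <group>recon,</group>
  </rule>
</group>
```

Restart the manager (‘systemctl restart wazuh-manager’) after editing. Before re-running the scenario, replay a captured log line through /var/ossec/bin/wazuh-logtest on the manager: it prints the decoder output and the rule that matched, so a wrong parent sid or field name shows up immediately instead of as a silent gap in the Events view.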


Conclusion


The integration of the Wazuh Security Information and Event Management (SIEM) system into a virtualized web server environment for a hypothetical enterprise has been demonstrably successful. This endeavor was structured to assess the capability of Wazuh SIEM in detecting predefined Indicators of Compromise (IoCs) and to evaluate its efficacy within a controlled, simulated setting.


The successful identification of the stipulated IoCs, encompassing Brute Force attempts, Syn Scan, TCP Scan, and UDP Scan, attests to the system's robustness and corroborates literature that champions Wazuh's capabilities in real-time cyber threat detection.


Our virtual machine setup, comprising the Ubuntu-based Wazuh machine, the Kali-based Apache web server, and a threat-generation Kali machine, emulated a pragmatic operational environment. This architecture not only facilitated real-world simulation but also ensured controlled conditions for testing. The evidence illustrates the practical applicability of the theoretical frameworks in a simulated enterprise scenario.


References


- https://documentation.wazuh.com/current/installation-guide/wazuh-indexer/index.html

- https://www.kali.org/tools/hydra/

- https://httpd.apache.org/docs/
