Security

What is the best way to simulate Attacks in Splunk?

SecBit
Observer

Hi All,

I would like to know what is the best way to simulate attacks within my organisation. 

I cannot use VirtualBox due to a licensing issue, but I do have VMware.

All the tutorials online show how to use the Attack Range on VirtualBox but not on VMware.

Any help is much appreciated, as this is vital to test our detections.

Thanks all

p97557150
Loves-to-Learn

This is complicated. You must understand what your detections are looking for. After you understand, then look for the corresponding CVE or TTP to compare with the detection and use an isolated lab environment to monitor and test the detection. It can be dangerous because the CVE or TTP may be real.

SecBit
Observer

Thank you for your comment.

I fully understand the detection I am trying to test, as it is based off the MITRE ATT&CK TTPs.

I will be using Atomic Red to choose which TTPs I will be testing, and the attack_range from GitHub.

I can then forward the logs to our own Splunk instance to view them. The issue we have is with the licenses.

Do I need a VirtualBox commercial license to run these tests, as it will be used in a commercial environment? I am presuming yes, as it seems obvious, but I am not 100% sure. If this is the case, what is the best alternative solution?

Thanks

SecBit
Observer

Hi,

Thank you for your response.

So by simulating attacks I mean testing my detections: testing the SPL rules I have in Splunk to detect anomalies from the logs.

What I have been looking at so far is the Splunk attack_range from GitHub, along with Atomic Red, to test certain MITRE ATT&CK TTPs.

It will have to be a test environment that is totally on-prem, as we don't have cloud access.

The tutorials I am referring to are the ones I have seen on YouTube, where you install VirtualBox on Ubuntu and then test labs are automatically set up and destroyed for each TTP you are testing.

Yes, I thought it would be easy enough to change from VirtualBox to VMware, but I can't find one video.

I do have a vSphere where this can be run from, as multiple people from our team need to have access to this lab.

Please let me know what you would suggest as the best way to set this up.

isoutamo
SplunkTrust

Hi

Can you elaborate on what you mean by "simulate attacks"?

And what are those tutorials to which you are referring?

Usually it's quite easy/doable to change VirtualBox to VMware or something else which offers the same capabilities.

r. Ismo
