Security

What is the best way to simulate Attacks in Splunk?

SecBit
Observer

Hi All,

I would like to know what is the best way to simulate attacks within my organisation. 

I cannot use VirtualBox due to a licensing issue, but I do have VMware.

All the tutorials online show how to use the attack range on VirtualBox but not on VMware.

Any help is much appreciated as this is vital to test our detections.

Thanks all

0 Karma

p97557150
Loves-to-Learn

This is complicated. You must understand what your detections are looking for. After you understand that, look for the corresponding CVE or TTP to compare with the detection, and use an isolated lab environment to monitor and test the detection. It can be dangerous because the CVE or TTP may be real.

0 Karma

SecBit
Observer

Thank you for your comment.

I fully understand the detection I am trying to test, as it is based off the MITRE ATT&CK TTPs.

I will be using Atomic Red to choose which TTPs I will be testing, and the attack_range from GitHub.

I can then forward the logs to our own Splunk instance to view them. The issue we have is with the licenses.

Do I need a VirtualBox commercial license to run these tests, as it will be used in a commercial environment? I am presuming yes, as it seems obvious, but I am not 100% sure. If this is the case, what is the best alternative solution?

Thanks 

0 Karma

SecBit
Observer

Hi,

Thank you for your response.

So by simulating attacks I mean testing my detections, i.e. testing the SPL rules I have in Splunk to detect anomalies in the logs.

What I have been looking at so far is the Splunk attack_range from GitHub along with Atomic Red to test certain MITRE ATT&CK TTPs.

It will have to be a test environment that is totally on prem, as we don't have cloud access.

The tutorials I am referring to are the ones I have seen on YouTube where you install VirtualBox on Ubuntu and then test labs are automatically set up and destroyed for each TTP you are testing.

Yes, I thought it would be easy enough to change from VirtualBox to VMware, but I can't find one video.

I do have a vSphere where this can be run from, as multiple people from our team need to have access to this lab.

Please let me know what you would suggest as the best way to set this up.

0 Karma
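The validation loop described in this thread (run Atomic Red Team tests, forward the logs to Splunk, check whether each SPL rule fires), written out as an added example; this is not attack_range's or Atomic Red Team's own code. It assumes the Splunk REST oneshot search endpoint with a bearer token, and the hostname, index name, technique ids and SPL strings are placeholders you would replace with your own.

```python
"""Replay SPL detections over the time window of each executed atomic test
and report which ATT&CK techniques produced no hit (assumed workflow)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass

@dataclass(frozen=True)
class AtomicRun:
    technique: str   # ATT&CK id the atomic test exercises, e.g. T1059.001
    test_name: str
    earliest: str    # Splunk time modifier or epoch string, e.g. "-30m"
    latest: str

@dataclass(frozen=True)
class Detection:
    name: str
    spl: str         # the rule's search text, without time modifiers
    techniques: tuple  # ATT&CK ids this rule is supposed to cover

def splunk_oneshot(base_url, token, spl, earliest, latest):
    """Blocking oneshot search via /services/search/jobs; returns result rows."""
    query = spl if spl.lstrip().startswith("|") else "search " + spl
    body = urllib.parse.urlencode({
        "search": query, "exec_mode": "oneshot", "output_mode": "json",
        "earliest_time": earliest, "latest_time": latest,
    }).encode()
    req = urllib.request.Request(base_url + "/services/search/jobs", data=body,
                                 headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=120) as resp:
        return json.load(resp).get("results", [])

def validate(runs, detections, run_search):
    """Return ({technique: {detection: fired}}, [techniques with no hit]).

    run_search(spl, earliest, latest) -> list of rows. Inject a wrapper
    around splunk_oneshot for real use, or a fake for dry runs.
    """
    report = {}
    for run in runs:
        hits = report.setdefault(run.technique, {})
        for det in (d for d in detections if run.technique in d.techniques):
            fired = bool(run_search(det.spl, run.earliest, run.latest))
            hits[det.name] = hits.get(det.name, False) or fired
    # A technique with no mapped rule, or whose rules never fired, is a gap.
    uncovered = sorted(t for t, h in report.items() if not any(h.values()))
    return report, uncovered

if __name__ == "__main__":   # placeholder host/token/index: replace with your own
    search = lambda s, e, l: splunk_oneshot("https://splunk.example:8089", "TOKEN", s, e, l)
    runs = [AtomicRun("T1059.001", "PowerShell script block", "-1h", "now")]
    dets = [Detection("PS script block", "index=attack_range EventCode=4104", ("T1059.001",))]
    print(validate(runs, dets, search))
```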

isoutamo
SplunkTrust

Hi

Can you elaborate on what you mean by "simulate attacks"?

And which tutorials are you referring to?

Usually it's quite easy/doable to change VirtualBox to VMware or something else which offers the same capabilities.

r. Ismo

0 Karma