Volume 4 Number 1 January-June 2024 PP 1-7 INTELMATICS ISSN 2775-8850 (Online)
*Corresponding author https://doi.org/10.25105/itm.v4i1.18529
E-mail address: farhan065001900038@std.trisakti.ac.id
Abstract: In an era of widespread information system usage across various sectors, digital threats to organizations have become increasingly significant. These threats have the potential to disrupt operations and result in substantial financial losses. One enduring threat is brute force attacks, which exploit human tendencies to use easily remembered passwords. By utilizing the Security Lifecycle Methodology, this research aims to identify an efficient and cost-effective solution to enhance information system security and to continuously evaluate the implemented solution rather than stopping right after the policy or solution is implemented. The study proposes the use of the open-source Security Information and Event Management (SIEM) platform Wazuh. When combined with the Active Response feature, this platform not only detects security threats but also automatically takes mitigating actions against detected attacks. Additionally, the integration with the Telegram messaging application streamlines the SIEM monitoring process, making it more practical and efficient. After implementation, the testing phase confirms the effectiveness of the implemented solution: the Wazuh SIEM detects 100% of the brute force test scenarios across all tested protocols, with an average detection time of 80,51 seconds for a 1-second interval between attempts, 172,18 seconds for a 10-second interval, and 434,58 seconds for a 30-second interval. The Active Response mitigates 100% of the detected brute force attacks, with only 0,51 seconds between detection and the mitigation action. The implemented Telegram integration successfully sends all notifications on time to the Telegram chat by utilizing the Telegram API.
Keywords: Information System, Cyber Attack, Security
Information & Event Management, Wazuh, Brute Force, Active
Response, Telegram API
I. INTRODUCTION
The use of information technology in businesses and organizations initially raised doubts about its impact on organizational productivity. Nicholas Carr's 2003 article, "IT Doesn't Matter," challenged the view that information technology remained a differentiator and argued instead that it had become a commodity owned by many organizations [1]. In 2008, Erik Brynjolfsson and Andrew McAfee's study, "Investing in the IT That Makes a Competitive Difference," found that technology sharpens distinctions between companies and highlighted the need for effective management and collaboration for successful technology implementation [2].
Over time, information technology gained widespread use
across various business sectors and non-business organizations,
transforming daily life through gadgets, IoT adoption, Wi-Fi 6
technology, Enterprise Resource Planning systems, and
Learning Management Systems. Yet, this extensive use of
information technology correlates with a significant increase in
cyberattacks, with brute force and password guessing attacks
being a primary concern from 2021 to 2023.
The integration of SIEM Wazuh solution, utilization of
Active Response features, and integration with Telegram are
expected to contribute to the field of information security by
providing new insights into possible solution combinations that
can be implemented within organizations at affordable costs.
This research will also address the effectiveness of the
implemented system, thereby complementing data regarding
various approaches that can be adopted to anticipate brute force
attack incidents.
II. LITERATURE REVIEW
Before commencing this study, a substantial body of existing
research was identified, closely aligned with the current case.
This existing research serves as a vital point of reference for the
present study. The first study, titled 'Active Response Using
Host-Based Intrusion Detection System and Software-Defined
Networking'[4], implements the Open-Source Security
(OSSEC) with Floodlight as the SDN Controller, utilizing the
AHNSR design to evaluate system resource performance during intrusion tests.
Fig. 1. Source of external network intrusion [3].
IMPLEMENTATION OF SECURITY INFORMATION & EVENT MANAGEMENT (SIEM) WAZUH WITH ACTIVE RESPONSE AND TELEGRAM NOTIFICATION FOR MITIGATING BRUTE FORCE ATTACKS ON THE GT-I2TI USAKTI INFORMATION SYSTEM
Farhan Ibnu Farrel 1*, Is Mardianto 2, Adrian Sjamsul Qamar 3
1 Information Systems Study Program, 2,3 Informatics Study Program, Faculty of Industrial Technology, University of Trisakti
The second study, 'Analysis of Security Information and
Event Management (SIEM) Implementation Based on Wazuh
in Windows and Linux Operating Systems,'[5] implements
Wazuh as the SIEM and integrates it with three components:
VirusTotal, Yara, and Suricata. The study then assesses the
effectiveness of Wazuh SIEM compared to SolarWinds SIEM
in detecting five different test scenarios.
The third study, titled 'Wazuh as Log Event Management and
Security Gap Detection on Servers from DoS Attacks,'[6]
integrates Wazuh SIEM with Suricata as a Network Intrusion
Detection System (NIDS) to detect Denial of Service (DoS)
attacks.
The researcher subsequently leveraged several of these
studies as references in various aspects of the research,
including understanding the methodologies employed by the
researchers in those studies and gaining insights into their
testing procedures.
III. RESEARCH METHODOLOGY
A. Research Methodology
In this research, the researcher adopted the Security Lifecycle
model as presented in Robert Pfau's version, as published by the
SANS Institute.[7] This model serves as a framework for
developing security systems based on the policies and standards
established within an organization. The cycle iterates to ensure
that security continually improves in accordance with the
organization's set policies and standards.
The Security Lifecycle consists of four key phases: Identify,
Assess, Protect, and Monitor.
1) Identify:
During this phase, data and information are gathered,
including the current state of the system to be secured, the
resources required to support security system implementation,
and other pertinent information needed to align the system with
established policies and standards.
2) Assess:
After acquiring data and information about the system to be
secured, a plan is devised to secure the system. This phase
involves outlining the necessities for securing the system, such
as hardware, software, regulations, and other supporting
elements.
3) Protect:
Once the implementation plan is prepared, and the required
resources are in place, the next step involves the actual
implementation of the security system. The implementation
process is documented step by step.
4) Monitor:
Once all phases have been executed, the system's enhanced
security requires testing to validate the effectiveness of the
security improvements. The testing results serve as a foundation
for future security enhancements. In addition to testing,
continuous monitoring of the security system's performance
and effectiveness is carried out.
In the context of the research conducted on GT-I2TI, the
researcher introduced a new policy involving the
implementation of a security information system that can detect
and mitigate security gaps in the face of brute force attacks on
the organization's information assets.
B. Research Phase
The research phases represent the steps delineated by the
researcher for executing the study, drawing from previously
established reference models. By organizing these research
phases, it is anticipated that the research outcomes will align
with expectations and fulfill the research objectives. The
following outlines the stages of this research:
1) System Observation
Initially, the researcher conducted an observation at GT-
I2TI Usakti to understand the devices and systems in use.
Information was also gathered from sources at GT-I2TI
Usakti regarding the security systems that had been
implemented.
2) Equipment Preparation
The researcher prepared the infrastructure provided by GT-
I2TI, along with data and simulated systems, in order to
create a simulated operational information system.
3) SIEM and Active Response Installation and Configuration
The researcher installed the Wazuh SIEM system and configured rules to align with the protocols of the information systems. This configuration allowed Wazuh SIEM to detect brute force attempts and trigger Active Response for attack mitigation.
4) Integration with Telegram
Upon SIEM system operation, integration with the
Telegram API was established. This integration enabled
the forwarding of alerts from events detected by Wazuh
SIEM to Telegram Chat.
5) Testing Attack Simulations
During this phase, brute force attack simulations against
various protocols were executed according to predefined
testing scenarios.
6) Analysis of Test Results
The data obtained from the testing phase were analyzed to
determine the effectiveness of the implemented system in
detecting and mitigating brute force attack simulations.
7) Drawing Conclusions
Based on the analysis, the researcher drew conclusions
from the research findings to address the issues raised in
this study.
Fig. 2. Security Lifecycle Model.[7]
C. Implementation Scenario
The implementation process commences with an observation of the running system, which is then replicated within the simulation environment. This initial step is of paramount importance as it ensures that the research stays aligned with the research subject's needs. The figure below illustrates the system's topology in operation at GT-I2TI Usakti.
Building upon the functioning system within GT-I2TI Usakti,
the author has chosen to replicate the system and simulate a
real-world scenario. Below is the network topology that will be
employed in this research.
The research environment will be configured to match the
predetermined topology. This setup will encompass the
installation of information systems within the replicated
systems. Subsequently, the Wazuh SIEM will be installed, and
agents will be deployed on each information system. Rules will
then be modified to enable the detection of brute force attacks.
These modifications will involve altering custom rules provided
by Wazuh. Once the rules are customized to detect brute force
attacks on each protocol, the active response will be configured
in the global configuration of Wazuh to execute the 'firewall-drop' command for Linux agents and 'netsh' for Windows
agents. This configuration will allow for the blocking of
detected attacker IP addresses engaged in brute force attacks on
information systems connected to Wazuh SIEM.
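As an added illustration (not the paper's rules or code), the following Python simulates the frequency/timeframe correlation that a Wazuh composite rule performs on failed-login events, which is what the customized brute force rules above rely on; it also shows why time-to-detect grows with the attack interval and why a few normal users with occasional typos do not trip the rule. The threshold of 8 failures within 120 seconds, the 300-second alternative, and all IP addresses are assumptions of this example.

```python
"""Sliding-window correlation of failed logins per source IP.

Mimics the <frequency>/<timeframe> semantics of a Wazuh composite rule:
the brute-force rule fires when one source IP produces `frequency`
failed-login events inside `timeframe` seconds. Threshold values and IP
addresses below are assumptions of this example, not the paper's config.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set


@dataclass(frozen=True)
class FailedLogin:
    ts: float       # seconds since the start of the test run
    srcip: str      # source address the failed attempt came from
    protocol: str   # informational only (ssh, http, ...)


class BruteForceCorrelator:
    """Fires once per source IP when `frequency` failures land within `timeframe` s."""

    def __init__(self, frequency: int = 8, timeframe: float = 120.0) -> None:
        self.frequency = frequency
        self.timeframe = timeframe
        self._window: Dict[str, Deque[float]] = defaultdict(deque)
        self.fired: Dict[str, float] = {}   # srcip -> time the alert was raised

    def feed(self, ev: FailedLogin) -> Optional[str]:
        """Consume one failed login; return the srcip if the rule fires on it."""
        if ev.srcip in self.fired:
            return None   # already alerted; Active Response would have blocked it
        win = self._window[ev.srcip]
        win.append(ev.ts)
        while win and ev.ts - win[0] > self.timeframe:
            win.popleft()   # forget failures older than the timeframe
        if len(win) >= self.frequency:
            self.fired[ev.srcip] = ev.ts
            return ev.srcip
        return None


def simulate_attack(interval: float, attempts: int = 50,
                    srcip: str = "10.0.0.99", **rule_kw) -> Optional[float]:
    """Time-to-detect for one attacker retrying every `interval` seconds, or None."""
    corr = BruteForceCorrelator(**rule_kw)
    for i in range(attempts):
        if corr.feed(FailedLogin(i * interval, srcip, "ssh")) is not None:
            return corr.fired[srcip]
    return None   # the rule never fired: the attempts were spread wider than the timeframe


def simulate_mixed() -> Set[str]:
    """Two attackers at 1 s intervals mixed with three users mistyping every 45 s."""
    corr = BruteForceCorrelator()
    events: List[FailedLogin] = []
    for i in range(20):
        for ip in ("10.0.0.98", "10.0.0.99"):
            events.append(FailedLogin(float(i), ip, "http"))
        for ip in ("10.0.1.1", "10.0.1.2", "10.0.1.3"):
            events.append(FailedLogin(45.0 * i, ip, "http"))
    for ev in sorted(events, key=lambda e: e.ts):
        corr.feed(ev)
    return set(corr.fired)   # only the two attacker IPs, never a normal user


if __name__ == "__main__":
    for iv in (1.0, 10.0, 30.0):
        print(f"interval {iv:>4}s -> TTD {simulate_attack(iv)}")
    print("interval 30s, timeframe 300s ->", simulate_attack(30.0, timeframe=300.0))
    print("blocked IPs in mixed run:", sorted(simulate_mixed()))
```

With the 120-second timeframe the 30-second attack never accumulates 8 failures in one window, so the timeframe of the rule must exceed (frequency - 1) times the slowest interval the organization wants to catch.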
To enable the reading of log files from each information
system, the log file locations will be added to the Wazuh global
configuration. Additionally, the locations of log files from the
active response will be added to ensure that active responses are
recorded within Wazuh events.
Further, Telegram will be integrated with the Wazuh SIEM by creating a new integration file and adding integration code lines to the global configuration of Wazuh. This integration will facilitate the transmission of alerts from Wazuh to a Telegram chat.
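An added example of the kind of integration file described above (not the authors' own script): a custom Wazuh integration that reads the alert JSON Wazuh hands it and posts a summary to the Telegram Bot API sendMessage endpoint. Passing the chat id through the api_key field, the rule IDs in the registration snippet, and the sample alert are assumptions of this example.

```python
"""Custom Wazuh integration forwarding alerts to a Telegram chat.

Wazuh invokes a custom integration script (named custom-*) as
    <script> <alert_file> <api_key> <hook_url>
where <alert_file> contains one alert as JSON. This example (not the
authors' file) carries the Telegram chat id in the api_key field and the
Bot API sendMessage URL in hook_url, registered in ossec.conf as:

    <integration>
      <name>custom-telegram</name>
      <hook_url>https://api.telegram.org/bot<BOT_TOKEN>/sendMessage</hook_url>
      <api_key>CHAT_ID</api_key>
      <rule_id>100100,100101</rule_id>   <!-- assumed custom brute-force rule IDs -->
      <alert_format>json</alert_format>
    </integration>
"""
import json
import sys
import urllib.request
from typing import Any, Dict, List

# Constructed sample in Wazuh's JSON alert shape; not captured from the paper's system.
SAMPLE_ALERT: Dict[str, Any] = {
    "timestamp": "2024-01-15T10:21:07.000+0700",
    "rule": {"id": "100100", "level": 10,
             "description": "sshd: brute force attempt (custom rule)"},
    "agent": {"id": "001", "name": "sim-ssh-server", "ip": "10.0.0.11"},
    "data": {"srcip": "10.0.0.99", "srcuser": "root"},
}


def build_telegram_payload(alert: Dict[str, Any], chat_id: str) -> Dict[str, str]:
    """Turn a Wazuh alert into a sendMessage body: chat_id plus a plain-text summary."""
    rule, agent, data = alert.get("rule", {}), alert.get("agent", {}), alert.get("data", {})
    lines = [
        f"Wazuh alert: {rule.get('description', 'n/a')}",
        f"Level: {rule.get('level', '?')}  Rule ID: {rule.get('id', '?')}",
        f"Agent: {agent.get('name', '?')} ({agent.get('ip', '?')})",
        f"Source IP: {data.get('srcip', 'n/a')}",
        f"Time: {alert.get('timestamp', '?')}",
    ]
    return {"chat_id": chat_id, "text": "\n".join(lines)}


def send(hook_url: str, payload: Dict[str, str]) -> int:
    """POST the payload as JSON to the Bot API and return the HTTP status code."""
    req = urllib.request.Request(
        hook_url, data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def main(argv: List[str]) -> int:
    alert_file, chat_id, hook_url = argv[1], argv[2], argv[3]
    with open(alert_file, encoding="utf-8") as fh:
        alert = json.load(fh)        # Wazuh writes exactly one alert to this file
    return send(hook_url, build_telegram_payload(alert, chat_id))


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv) == 200 else 1)
```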
D. Testing Scenario
In conducting the testing phase, the researcher devised
multiple scenarios encompassing various protocols, intervals,
actors, and repetitions. The tool employed to facilitate brute
force attack testing was THC Hydra. For normal user
simulations, Hydra was executed alongside a custom bash script
to mimic genuine user services. Conversely, for threat actor
simulations, THC Hydra was leveraged as a potent cyber
weapon to execute brute force attacks on the information
system. The following table provides a list of scenarios to be
executed during the testing phase in this research:
Table 1. List of test scenarios
Protocol
- HTTP
- SSH
- HTTPS
- FTP
- IMAP
- RDP
Interval
- 1 second
- 10 seconds
- 30 seconds
Actor
- 0 normal user, 1 threat actor
- 3 normal user, 0 threat actor
- 2 normal user, 2 threat actor
- 3 normal user, 2 threat actor
Repetition
- Test #1
- Test #2
- Test #3
Fig. 3. Running system topology at GT-I2TI Usakti.
Fig. 4. Simulated system topology.
IV. RESULT AND DISCUSSION
A. Implementation
The implementation process of Wazuh as a SIEM involves
aligning it with the predetermined scenarios, engaging four
simulation information systems replicating six protocols used
by GT-I2TI Usakti. Installation of Wazuh Agents on these
systems and rule modifications to adapt to brute force attack
detection are performed. Once the SIEM system is set up, failed
login attempts are initiated on one of the information systems
to test its functionality.
Following this, the configuration of the Active Response
feature is performed to enable Wazuh to automatically mitigate
detected brute force attacks. Rule IDs for each modified brute
force detection rule serve as triggers for Active Response when
any of these rules are activated.
The integration of Telegram notifications with the Wazuh
SIEM system begins by creating a Telegram bot and generating
a new integration file. This is followed by the insertion of the
provided API code to enable the bot's functionality. Finally, a
test is conducted using one of the rules to verify the successful
delivery of notifications through the Telegram API integration.
B. Testing
In the testing phase, the researcher will employ THC Hydra
for conducting experiments involving both normal user and
threat actor scenarios. For the normal user, a custom Bash script
will be introduced to enable automatic and continuous
authentication processes. In contrast, for the threat actor, THC
Hydra will be utilized exclusively for conducting attacks with
customizations made to the interval settings in accordance with
the testing scenarios.
Table 2. List of THC Hydra commands used
HTTP: hydra -l admin -P pass.txt 10.xx.xx.111 http-post-form "/login.php:username=^USER^&password=^PASS^&IdUniversity=1&Login=Login:302" -V -I -c [interval in second]
SSH: hydra -l root -P pass.txt ssh://10.xx.xx.111 -V -I -c [interval in second]
HTTPS: hydra -l admin -P pass.txt 10.xx.xx.112 https-post-form "/wordpress/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In&redirect_to=http%3A%2F%2F10.xx.xx.112%2Fwordpress%2Fwp-admin%2F&testcookie=1:password" -V -I -c [interval in second]
FTP: hydra -l admin -P pass.txt ftp://10.xx.xx.112 -V -I -c [interval in second]
IMAP: hydra -l email -P pass.txt imap://10.xx.xx.113 -V -I -c [interval in second]
RDP: hydra -l Administrator -P pass.txt rdp://10.xx.xx.114 -V -I -c [interval in second]
Table 4. SSH protocol test result
Fig. 5. Event on Wazuh Dashboard after failed login test
Fig. 6. Active Response rule that activates when one of the listed rule IDs is triggered
Fig. 7. Telegram integration test
C. Testing Results
The results of the brute force attack detection, mitigation
using Active Response, and Telegram notifications are
presented in tabular form. Time to detect (TTD) reflects the
time SIEM Wazuh requires to identify an attack since its
initiation, measured in seconds, while time to respond (TTR)
measures the time for Active Response to mitigate indicators of
brute force attacks, also in seconds. The N indicator reveals the
capability to send notifications to Telegram Chat.
The results of the brute force attack testing on all information
system protocols reveal that in each attack scenario, the
configured rules within Wazuh detect every attack without any
undetected attempts. Furthermore, the Active Response system
successfully mitigates all attacks, ensuring none of them bypass
security measures. Although the time required for detection and
mitigation varies, these variations are not significant. In
scenario 3, where there are only normal users and no threat
actors, SIEM Wazuh distinguishes these attempts as non-brute
force attack indications. Consequently, no login attempts are
identified as brute force attacks in this scenario, and Active
Response remains inactive. Additionally, Telegram
notifications are consistently received for each experiment.
Based on the bar chart comparing the three scenarios with
each protocol, it is evident that the time required for detection
and response is nearly identical among most protocols.
However, in the case of the IMAP protocol, the time for
detection and response is similar for intervals of 1s and 10s.
Wazuh Detection Effectiveness
Table 3. HTTP protocol test result
Table 5. HTTPS protocol test result
Table 6. FTP protocol test result
Table 7. IMAP protocol test result
Table 8. RDP protocol test result
Fig. 8. Comparison between protocols in the 0 Normal User, 1 Threat Actor scenario
Fig. 9. Comparison between protocols in the 2 Normal User, 2 Threat Actor scenario
Fig. 10. Comparison between protocols in the 3 Normal User, 2 Threat Actor scenario
To draw conclusions from the research, particularly in the section related to the detection of brute force attacks on the GT-I2TI Usakti simulation system, the findings from all scenarios were combined, resulting in the following outcomes.
Table 9. Wazuh detection summary (all 3 scenarios combined; times in seconds)
          TTD 1s                  TTD 10s          TTD 30s
MIN       28,33 (HTTP & HTTPS)    146,00 (SSH)     403,67 (IMAP)
AVERAGE   80,51                   173,18           434,58
MEDIAN    36,17                   154,67           434,83
MAX       258,67 (IMAP)           265,00 (IMAP)    466,33 (IMAP)
Based on the final data analysis, where all scenarios and
protocols were combined and compared, it was observed that
the minimum time required to detect brute force attacks varied
across different protocol intervals. Notably, the HTTP and
HTTPS protocols exhibited the shortest detection time, while
the IMAP protocol required the longest time for detection. This
trend persisted consistently throughout the analysis,
highlighting the distinct authentication mechanisms inherent to
each protocol.
This indicates that the authentication mechanisms of these protocols differ, since the final analysis did not yield the same result for each of them. HTTP and HTTPS take the shortest time to detect because they require fewer steps to authenticate and use only a request-response exchange, while IMAP requires a more complex authentication process. Each IMAP authentication session must also establish a TCP connection, which adds overhead time. This makes IMAP the protocol that requires the longest time to detect a brute force attack.
Although the factors influencing authentication time were
not the focus of this research, they present potential avenues for
further investigation. Despite this, our study confirms the
effectiveness of the implemented solution, achieving a 100%
detection accuracy across all six protocols tested for brute force
attacks.
D. Active Response Mitigation Effectiveness
To determine the Reaction Time, which is the time required
by Active Response to take action against the source IP
identified as conducting a brute force attack, the researcher
employed the following formula:
$$\text{Active Response Reaction Time} = (\text{time to respond}) - (\text{time to detect})$$
Using this formula, the researcher calculated the reaction
time from the grouped data based on scenarios and consolidated
the results into the following table.
Subsequently, data regarding the minimum time, average
time, median time, and maximum time needed for Active
Response to initiate actions upon detecting brute force attack
indications by SIEM Wazuh was gathered and is presented in
the following table.
Table 11. Active Response mitigation summary
Active Response Reaction Time (all tests; in seconds)
MIN       0,00
AVERAGE   0,51
MEDIAN    0,49
MAX       1,33
Based on the data presented in the table above, the average duration necessary for Active Response to initiate a response upon detecting brute force attacks, facilitated by Wazuh, amounted to 0.51 seconds. This average response time
underscores the system's efficiency in promptly addressing
security threats. Furthermore, examination of the tests data
unveiled that the shortest recorded response time was
instantaneous, registering at 0.00 seconds, indicative of
immediate action taken upon detection. Conversely, the
lengthiest response time recorded was 1.33 seconds, signifying
instances where response initiation encountered slight delays,
albeit within an acceptable timeframe.
V. CONCLUSION
Based on the research conducted regarding the
implementation and testing of SIEM Wazuh, the Active
Response feature, and its integration with Telegram, several
conclusions can be drawn as follows:
The implementation of the SIEM Wazuh system, inclusive of
the Active Response feature, was executed successfully,
adhering to the predefined implementation scenario and
simulation topology, mirroring the live system environment at
GT-I2TI Usakti. Furthermore, the integration with Telegram
proved successful in transmitting notifications to the designated
Telegram Chat.
SIEM Wazuh demonstrates remarkable efficacy in detecting
brute force attacks across diverse protocols, boasting a flawless
accuracy rate of 100%. Notably, the system exhibits varying
average detection times across intervals, with figures standing
at 80.51 seconds for 1-second intervals, 173.18 seconds for 10-second intervals, and 434.58 seconds for 30-second intervals.
Table 10. Active Response reaction time
The Active Response functionality within SIEM Wazuh
emerges as a robust tool in thwarting identified brute force
attacks across multiple protocols. With impeccable accuracy, it
swiftly blocks attackers' IP addresses, with an average initiation
time of merely 0.51 seconds.
Moreover, SIEM Wazuh, coupled with the Active Response
feature, effectively discerns between normal user activities and
those of threat actors, achieving this feat without generating any
false positives during the experimental trials.
The Telegram notification mechanism operates seamlessly,
delivering timely updates regarding failed login attempts and
the activation of Active Response in response to detected brute
force attacks directly to the Telegram application. This ensures
swift and reliable communication of critical security events to
relevant stakeholders.
REFERENCES
[1] Bourgeois, David T.; Smith, James L.; Wang, Shouhong; and Mortati, Joseph, "Information Systems for Business and Beyond" (2019). Open Textbooks. 1.
[2] McAfee, A. & Brynjolfsson, E., "Investing in the IT that Makes a Competitive Difference". Harvard Business Review. 86. 98-107 (2008).
[3] ESET Threat Report H1 2023, ESET Research, 2023, https://www.welivesecurity.com/2023/07/11/eset-threat-report-h1-2023/. Accessed July 12, 2023.
[4] Goodgion, Jonathon S., "Active Response Using Host-Based Intrusion Detection System and Software-Defined Networking" (2017). Theses and Dissertations. 1575.
[5] Radhitya, Dimas, "Analisis implementasi Security Information and Event Management (SIEM) dengan berbasis wazuh pada sistem operasi Windows dan Linux" (2022). Fakultas Teknik Universitas Indonesia.
[6] Nova, F., Pratama, M. D., & Prayama, D. (2022). Wazuh sebagai Log Event Management dan Deteksi Celah Keamanan pada Server dari Serangan Dos. JITSI: Jurnal Ilmiah Teknologi Sistem Informasi, 3(1), 1-7.
[7] Pfau, Robert. The Security Lifecycle, SANS Institute, USA, 2003.
[8] N. Carr, "IT Doesn't Matter," Harvard Business Review, May 2003. [Online]. Available: https://hbr.org/2003/05/it-doesnt-matter. [Accessed: October 13, 2022].
[9] Center for Strategic & International Studies (CSIS), "Significant Cyber Incidents Since 2006," Center for Strategic & International Studies (CSIS), 2019.
[10] Check Point Software Technologies Ltd, "CYBER ATTACK TRENDS: Check Point's 2022 Mid-Year Report," Check Point Software Technologies Ltd, 2022.
[11] Dr. Madhu Tyagi, "SECURITY AGAINST CYBER-CRIME: PREVENTION AND DETECT," Horizon Books (A Division of Ignited Minds Edutech P Ltd), 2017.
[12] R. Stair and G. Reynolds, Principles of Information Systems. Cengage Learning, 2017.
[13] Committee on National Security Systems Instruction (CNSSI) No. 4009, "National Information Assurance Glossary," Committee on National Security Systems (CNSS), Apr. 2010.
[14] Microsoft, "What is SIEM?," Microsoft. [Online]. Available: https://www.microsoft.com/en-us/security/business/security-101/what-is-siem. [Accessed: Jan. 5, 2023].
[15] Wazuh, "Components - Getting started," Wazuh. [Online]. Available: https://documentation.wazuh.com/current/getting-started/components/index.htm. [Accessed: Jan. 10, 2023].
Farhan Ibnu Farrel, born in Bukittinggi, February 23, 2001. Student of the Information Systems Study Program, Faculty of Industrial Technology, Trisakti University
(email: farhan065001900038@std.trisakti.ac.id)
Is Mardianto, completed a bachelor's degree at Institut Teknologi Bandung and a Master's degree at the University of Indonesia
(email: mardianto@trisakti.ac.id)
Adrian Sjamsul Qamar, completed a bachelor's degree at the University of Indonesia and a Master's degree at the University of Indonesia.
(email: adrian.qamar@trisakti.ac.id)