In this blog post we summarize some of the demos performed on the FISHY demo day at the Cybersecurity Congress (January 2023). Specifically, we showed short demos of several WP3 tools: WAZUH, VAT, Zeek, PMEM, XL-SIEM, RAE and Trust Monitor; as well as a demo of the SACM tool.
WAZUH
Wazuh is a tool that collects monitoring reports and generates alerts based on input gathered from agents running on the target infrastructure.
In this demo, WAZUH shows the logs in which it detects attacks of the type “unauthorized device - Distributed ID level”. This attack is more likely to occur in the IoT island that is deployed during transportation. For example, an adversary uses an unauthorized device (DID) and attempts to enter “fake” information about the conditions during the transportation of the fresh vegetables in the F2F platform.
VAT
VAT performs web server and infrastructure vulnerability scans and assessments according to an execution schedule and produces reports of its findings. The reports are in JSON format and can be viewed through the web UI.
Zeek
Zeek is a passive open-source network traffic analyser that can output an extensive set of logs describing the network activity. Besides simple logs, Zeek is also able to output composite events derived from scripts that can be prepared to detect specific conditions. Zeek comes with multiple built-in functionalities for a range of analysis and detection tasks. We have deployed Zeek in the WBP use-case to continuously monitor and certify the normal behaviour of network traffic in the production line IoT network.
In this demo, we use Zeek to detect three different attacks: an SSH brute-force attack, where we track the number of failed SSH connection attempts; a network scan, where we track the number of distinct hosts and ports being connected to and from; and a SYN flood attack, where we track the number of SYN packets seen on the network. By injecting abnormal traffic into the benign traffic, we show that Zeek compares each metric against a predefined threshold and issues an alert whenever that threshold is crossed.
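The three threshold checks described above, written out as an added example in plain Python rather than Zeek script (this is not code from the FISHY project or from Zeek). It parses a handful of constructed Zeek ssh.log and conn.log records in Zeek's JSON output format, counts failed SSH authentications per source, distinct host/port targets per source, and half-open (S0) connections per destination, and reports whoever crosses a threshold. The thresholds, addresses and record contents are assumptions chosen for the illustration; the field names follow Zeek's log schema.

```python
"""Threshold detection over Zeek JSON logs.

Added example, not code from the FISHY project or the original post. It
re-implements in plain Python the three checks the demo describes (failed SSH
attempts, distinct hosts/ports touched, SYN packets) over constructed Zeek
ssh.log and conn.log records. Field names follow Zeek's JSON log schema
(LogAscii::use_json=T); the thresholds and sample addresses are assumptions.
"""
import json
from collections import defaultdict

# Illustrative thresholds (assumptions, not the values used in the demo).
SSH_FAIL_THRESHOLD = 5       # failed SSH authentication attempts per source
SCAN_TARGET_THRESHOLD = 10   # distinct (host, port) pairs touched per source
SYN_FLOOD_THRESHOLD = 50     # half-open (conn_state S0) connections per destination

# Constructed ssh.log: six sessions from one source, all with failed logins.
SSH_LOG = "\n".join(
    json.dumps({"ts": 1.0 + i, "uid": f"C{i}", "id.orig_h": "10.0.0.9",
                "id.orig_p": 40000 + i, "id.resp_h": "10.0.0.20", "id.resp_p": 22,
                "auth_success": False, "auth_attempts": 3})
    for i in range(6)
)

# Constructed conn.log: a port scan, a SYN flood and one benign connection.
CONN_LOG = "\n".join(
    # port scan: one source touches 12 ports on one host, all rejected (REJ)
    [json.dumps({"ts": 10.0 + p, "uid": f"S{p}", "id.orig_h": "10.0.0.7",
                 "id.orig_p": 50000 + p, "id.resp_h": "10.0.0.20", "id.resp_p": p,
                 "proto": "tcp", "conn_state": "REJ", "history": "Sr"})
     for p in range(1, 13)]
    # SYN flood: 60 half-open connections (S0) from spoofed sources to one server
    + [json.dumps({"ts": 20.0 + i / 100, "uid": f"F{i}",
                   "id.orig_h": f"192.0.2.{i % 250 + 1}", "id.orig_p": 1024 + i,
                   "id.resp_h": "10.0.0.30", "id.resp_p": 80,
                   "proto": "tcp", "conn_state": "S0", "history": "S"})
       for i in range(60)]
    # benign: a completed TLS connection (SF)
    + [json.dumps({"ts": 30.0, "uid": "B1", "id.orig_h": "10.0.0.5", "id.orig_p": 44444,
                   "id.resp_h": "10.0.0.20", "id.resp_p": 443,
                   "proto": "tcp", "conn_state": "SF", "history": "ShADadFf"})]
)


def parse_json_lines(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_ssh_bruteforce(ssh_records, threshold=SSH_FAIL_THRESHOLD):
    """Sum auth_attempts of sessions whose auth_success is False, per source."""
    failures = defaultdict(int)
    for r in ssh_records:
        if r.get("auth_success") is False:
            failures[r["id.orig_h"]] += r.get("auth_attempts", 1)
    return {src: n for src, n in failures.items() if n >= threshold}


def detect_scan(conn_records, threshold=SCAN_TARGET_THRESHOLD):
    """Count distinct (responder host, port) pairs contacted by each source."""
    targets = defaultdict(set)
    for r in conn_records:
        targets[r["id.orig_h"]].add((r["id.resp_h"], r["id.resp_p"]))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}


def detect_syn_flood(conn_records, threshold=SYN_FLOOD_THRESHOLD):
    """Count connections that never got past the initial SYN (S0), per destination."""
    half_open = defaultdict(int)
    for r in conn_records:
        if r.get("conn_state") == "S0":
            half_open[r["id.resp_h"]] += 1
    return {dst: n for dst, n in half_open.items() if n >= threshold}


def run_detections(ssh_text=SSH_LOG, conn_text=CONN_LOG):
    """Run all three checks; return the sources/destinations that crossed a threshold."""
    ssh_records = parse_json_lines(ssh_text)
    conn_records = parse_json_lines(conn_text)
    return {
        "ssh_bruteforce": detect_ssh_bruteforce(ssh_records),
        "scan": detect_scan(conn_records),
        "syn_flood": detect_syn_flood(conn_records),
    }


if __name__ == "__main__":
    for check, hits in run_detections().items():
        for key, count in hits.items():
            print(f"ALERT {check}: {key} ({count})")
```

Note that the SYN flood check keys on the destination while the other two key on the source: a flood typically arrives from many spoofed addresses, so per-source counting would never cross the threshold, whereas the victim's half-open connection count does.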
PMEM
PMEM (Predictive MaintenancE and Mitigation) is a cybersecurity tool to detect and predict network anomalies. When an attack is detected, policies are proposed to mitigate possible damage to the infrastructure and to respond to the attack, ensuring business continuity. It uses different machine learning approaches to distinguish the normal behaviour of the system from abnormal behaviour. The data collection component monitors the network traffic.
Here we see the main interface of PMEM, which lists the most recent anomalies detected in the network together with the attacks detected in the past. It provides the latest scan results in real time while keeping a history of previously detected attacks. As soon as the data collection component of PMEM receives new data, that data is analysed and the latest scan results are updated on the front end.
XL-SIEM
The XL-SIEM (Security Information and Event Management) system collects and aggregates data from various sources within an organization's IT infrastructure, including servers, network devices and web dispatchers. It normalizes and correlates this data to identify patterns and anomalies that may indicate a security threat.
Here we see the main user interface of XL-SIEM, which provides a snapshot of recent activity over the past days and weeks.
The XL-SIEM also presents a list of the most recent events and triggered alarms. It is also possible to drill down into each alarm for a detailed inspection.
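To make the "normalizes and correlates" step concrete, here is an added example (not XL-SIEM's code, nor anything from the FISHY project) that takes constructed Wazuh alert records and Zeek notice.log records, maps both onto one event schema, and raises a composite alarm only when two independent sensors report the same source address within a time window. The field names follow the public Wazuh alert and Zeek notice formats; the window length, the severity mapping, the rule ids and the sample data are assumptions.

```python
"""Normalize and correlate events from two sensors, SIEM-style.

Added example, not XL-SIEM's code. It maps constructed Wazuh alert JSON and
Zeek notice.log JSON records onto one event schema and raises a composite
alarm when independent sensors report the same source address inside a time
window. Field names follow the public Wazuh alert and Zeek notice formats;
the window, the severity mapping, rule ids and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime

CORRELATION_WINDOW_S = 300  # assumption: two sensors must agree within 5 minutes
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2}

# Constructed Wazuh alerts (alerts.json shape: timestamp, rule, agent, data).
WAZUH_ALERTS = [
    {"timestamp": "2023-01-25T10:00:30.000+00:00",
     "rule": {"id": "100010", "level": 10,
              "description": "sshd: brute force trying to get access to the system"},
     "agent": {"name": "f2f-gateway", "ip": "10.0.0.20"},
     "data": {"srcip": "10.0.0.9"}},
    {"timestamp": "2023-01-25T10:20:00.000+00:00",
     "rule": {"id": "100011", "level": 3, "description": "sshd: authentication success"},
     "agent": {"name": "f2f-gateway", "ip": "10.0.0.20"},
     "data": {"srcip": "10.0.0.5"}},
]

# Constructed Zeek notice.log records (ts is epoch seconds; 1674640800 = 2023-01-25T10:00:00Z).
ZEEK_NOTICES = [
    {"ts": 1674640800.0, "note": "SSH::Password_Guessing", "src": "10.0.0.9",
     "msg": "10.0.0.9 appears to be guessing SSH passwords"},
    {"ts": 1674641700.0, "note": "Scan::Port_Scan", "src": "10.0.0.7",
     "msg": "10.0.0.7 scanned at least 15 unique ports of host 10.0.0.20"},
]


def normalize_wazuh(alert):
    """Map a Wazuh alert onto the common schema; rule.level 0-15 -> low/medium/high."""
    level = alert["rule"]["level"]
    return {
        "ts": datetime.fromisoformat(alert["timestamp"]).timestamp(),
        "tool": "wazuh",
        "src_ip": alert.get("data", {}).get("srcip"),
        "severity": "high" if level >= 10 else "medium" if level >= 5 else "low",
        "message": alert["rule"]["description"],
    }


def normalize_zeek_notice(notice):
    """Map a Zeek notice onto the common schema; notices default to medium severity."""
    return {
        "ts": float(notice["ts"]),
        "tool": "zeek",
        "src_ip": notice.get("src"),
        "severity": "medium",
        "message": f'{notice["note"]}: {notice["msg"]}',
    }


def correlate(events, window=CORRELATION_WINDOW_S):
    """Raise one alarm per source IP reported by two or more tools within `window` seconds."""
    by_src = defaultdict(list)
    for e in events:
        if e["src_ip"]:
            by_src[e["src_ip"]].append(e)
    alarms = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            group = [first] + [o for o in evs[i + 1:] if o["ts"] - first["ts"] <= window]
            tools = {e["tool"] for e in group}
            if len(tools) >= 2:
                alarms.append({
                    "src_ip": src,
                    "tools": sorted(tools),
                    "first_ts": first["ts"],
                    "severity": max((e["severity"] for e in group), key=SEVERITY_RANK.get),
                    "messages": [e["message"] for e in group],
                })
                break  # one alarm per source is enough for this illustration
    return alarms


def run_pipeline(wazuh_alerts=WAZUH_ALERTS, zeek_notices=ZEEK_NOTICES):
    """Normalize both feeds and return the correlated alarms."""
    events = [normalize_wazuh(a) for a in wazuh_alerts]
    events += [normalize_zeek_notice(n) for n in zeek_notices]
    return correlate(events)


if __name__ == "__main__":
    for alarm in run_pipeline():
        print(f"ALARM {alarm['severity']} {alarm['src_ip']} via {alarm['tools']}: {alarm['messages']}")
```

The normalization step is what makes correlation possible at all: Wazuh stamps alerts with an ISO 8601 string while Zeek writes epoch seconds, and the two sensors name the offending address differently (`data.srcip` versus `src`). Only after both are mapped to the same `ts` and `src_ip` fields can the time-window comparison run, and the lone scan notice from 10.0.0.7 correctly produces no composite alarm.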
RAE
The CRAE is a tool designed to calculate potential financial loss based on the alarms triggered in the XL-SIEM system. As shown in the video, the user can select the risk models that best fit their situation, and the CRAE provides both a quantitative and a qualitative risk analysis for every potential attack, helping organizations make informed decisions about their cybersecurity practices.
Trust Monitor
The Entities page shows the list of registered entities in the Trust Monitor, where valuable data is reported, and the possibility of editing them is available. The status reported is "registered" because no attestation process is running. Once the attestation begins, the entity's state changes to "attesting".
The Status page shows information about the attestation processes running and the trust status of the related entities. It additionally shows the loaded adapters, usable to perform remote attestation with the related technology.
SACM
The SACM tool is responsible for monitoring, testing and assessing complex ICT systems. Through its purpose-built Evidence Collection Engine, the tool monitors pilot-specific custom rules and critical supply chain sub-components, and presents the assessment results through its graphical user interface.