Carleton University - GCR Cybersecurity Operations Center Project
- How to test the software
- Known issues
- GCR Canary Case
- GCR CSOC Playbook
- Getting help
- Getting involved
- Open source licensing info
- Related open source projects
- Related cloud services
- Credits and references
The GCR - CSOC (Cybersecurity Operations Center) initiative seeks to provide small to medium size enterprises with openly available cybersecurity resources to self-manage their own security, or to enable companies to offer cybersecurity services to others as part of their business.
The development of this project is primarily divided into three focus areas: i) developing open source software to complement CSOC services; ii) developing CSOC operation guides and templates as a means to manage security; iii) creating CSOC "Pathway Training" material for online learning.
i) Open Source Software Development:
Open source software development activities for this project seek to configure, integrate and enhance existing open source projects (such as Dionaea, Cowrie, OSSEC, OpenVAS and others) so that they report to a central alert collector (such as Apache Metron). The central alert collector will be used for alert aggregation and analytics. Development also includes the creation of "GCR Canary" honeypots. The honeypots are physically and virtually deployable. As the GCR Canary project evolves, it will include the various sensors mentioned above. The GCR Canary honeypot can be used for intrusion detection in SME environments.
ii) CSOC Operation Guide Creation:
The creation of the GCR CSOC Playbook will include guidance and templates for managing cybersecurity in an organization.
iii) CSOC Pathway Training Material:
Online training resources seek to improve the adoption of proper cybersecurity hygiene within an organization.
This project is being rolled out over three phases. We are currently focused on Phase 1.
- UPDATE Oct 2017: Simple alerts from Dionaea can be reported to a remote server using syslog (unencrypted). Alerts are GROK formatted and ingested by Apache Metron.
- Project is currently under active development and testing.
To install all of the GCR Canary software, run the following script on Ubuntu MATE:

```bash
cd ~ && \
sudo apt-get -y install unzip && \
wget https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/archive/master.zip && \
unzip master.zip && \
cd csoc-installation-scripts-master/ && \
chmod +x *.sh
```
Configuration settings (such as disabling the install of OpenVAS, OSSEC, etc.) are in honeypots.sh. Within honeypots.sh, change the INSTALL_* parameters as needed. The following is an example of enabling Dionaea for install and disabling Cowrie for install.

```bash
PREINSTALL_CLEANUP="yes"
INSTALL_RP="yes"
INSTALL_REFRESH="yes"
INSTALL_CLEANUP="no"
SETUP_SYSLOG="yes"
INSTALL_DIONAEA="yes"
```

After the updates have been made, run honeypots.sh.
Dionaea Service within GCR Canary: The following provides guidance on the GROK formatted output, which is intended for use with Apache Metron: GCRDionaea GROK Format
The Dionaea logs and sqlite3 database are stored in /opt/dionaea/var/dionaea within GCR Canary.
If INSTALL_DIONAEALOGVIEWER was set to "yes", the Dionaea logs can be viewed at http://0.0.0.0:8000
Cowrie Service within GCR Canary: If INSTALL_COWRIE and INSTALL_COWRIELOGVIEWER were set to "yes", the Cowrie logs can be viewed at http://0.0.0.0:5000
Alert Collection Server
This project uses Apache Metron to collect alerts from the distribution of GCR Canary honeypots. Below are links that can provide guidance to install Apache Metron.
- Home Page
- Install Guide
- Source Code
You can use the Apache Metron mailing list if any issues are encountered during install.
Syslog configuration for GCR Canary alert ingest
The following syslog configuration files will need to be installed on the server: [syslog config files](https://github.com/LTW-GCR-CSOC/csoc-installation-scripts/tree/master/SampleLogFiles/configForServer-notEnc)
Apache Metron Configuration for GCR Canary alert ingest
To be provided - Instructions for ingesting GCR Canary alerts are under development. The screenshots above provide a preview of what alerts look like in Apache Metron.
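The syslog transport and the Metron GROK ingest described above, as an added example that is not part of the project's code: it frames a constructed Dionaea-style alert as an RFC 3164 syslog message and parses it back on the collector side with a small Grok-style pattern expander, which is how a Grok parser turns one log line into named fields. The alert layout, field names, facility and sample addresses are assumptions for illustration, not the GCRDionaea GROK format the page links.

```python
import re

# Minimal Grok library: %{NAME:field} becomes a named regex group.
GROK_PATTERNS = {
    "INT": r"[0-9]+",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "WORD": r"\w+",
    "HOSTNAME": r"[A-Za-z0-9._-]+",
    "SYSLOGTIMESTAMP": r"[A-Z][a-z]{2} {1,2}[0-9]{1,2} [0-9]{2}:[0-9]{2}:[0-9]{2}",
}

def grok_compile(pattern):
    """Expand %{NAME:field} (or bare %{NAME}) references into one compiled regex."""
    def expand(m):
        base = GROK_PATTERNS[m.group(1)]
        return f"(?P<{m.group(2)}>{base})" if m.group(2) else f"(?:{base})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", expand, pattern) + "$")

# Constructed alert layout (an assumption, NOT the project's GCRDionaea format).
DIONAEA_ALERT = grok_compile(
    "%{SYSLOGTIMESTAMP:timestamp} %{HOSTNAME:sensor} dionaea: "
    "connection %{WORD:direction} %{WORD:protocol} "
    "%{IP:src_ip}:%{INT:src_port} -> %{IP:dst_ip}:%{INT:dst_port}")

def build_syslog(facility, severity, timestamp, host, msg):
    """Sensor side, RFC 3164 framing: '<PRI>TIMESTAMP HOST MSG', PRI = facility*8 + severity."""
    return f"<{facility * 8 + severity}>{timestamp} {host} {msg}"

def parse_alert(line):
    """Collector side: strip the PRI, recover facility/severity, grok the body.
    Returns None for lines that do not match, so they can be counted rather than dropped."""
    m = re.match(r"<(\d{1,3})>(.*)$", line)
    if not m:
        return None
    pri, body = int(m.group(1)), m.group(2)
    fields = DIONAEA_ALERT.match(body)
    if not fields:
        return None
    alert = fields.groupdict()
    alert["facility"], alert["severity"] = divmod(pri, 8)  # PRI encodes both
    for k in ("src_port", "dst_port"):
        alert[k] = int(alert[k])
    return alert

# Constructed sample: a canary sensor reporting an inbound SMB connection (local1.notice).
SAMPLE = build_syslog(17, 5, "Oct 12 14:03:22", "canary01",
                      "dionaea: connection accept tcp 203.0.113.7:51234 -> 192.0.2.10:445")

if __name__ == "__main__":
    print(parse_alert(SAMPLE))
```

Because the transport is plain syslog, lines that fail to parse (the function returns None) are the ones worth counting and inspecting on the collector, since they are where malformed or spoofed input would show up.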
How to test the software
To be provided - (Information on how to run automated tests on the software)
Known issues
See this repository's issue tracker.
GCR Canary Case
GCR is working with Made Mill at Bayview Yards to create a custom designed case for the GCR Canary. The case is composed of PLA plastic and manufactured using 3D printing. More details are available in this repository.
GCR CSOC Playbook
Operational documentation for use of the CSOC is provided here. The documentation includes: organization structure and roles, workflows and use cases, incident report templates, shift report templates.
Getting help
If you have questions, concerns, bug reports, etc., please file an issue in this repository's issue tracker.
Open source licensing info
Some components in GCR Canary are licensed under GPL LICENSE.
Apache Metron is licensed under Apache v2.0 LICENSE.
Related open source projects
- Apache Metron
- Dionaea Log Viewer
- Cowrie Log Viewer
Related cloud services
Credits and references
- Global Cybersecurity Resource
- Global Epic
- Hacker Alerting Service
- Carleton University TIM Program
- Technology Innovation Management Review
- Daniel Craigen - GCR Project Leader, President of Global EPIC organization
- Ahmed Shah - Cybersecurity Analyst and Software Developer
- Naveen Narayanasamy - Cybersecurity Analyst and Software Developer
- Brandon Hurley - Cybersecurity Software Developer
- Adefemi "Femi" Debo-Omidokun - CSOC Operations
- Brian Hurley - Former GCR CSOC Lead and Developer
- Eddie Villarta - GCR CSOC Advisor
- David Hudson - GCR CSOC Advisor
- Mahmoud Gad - GCR CSOC Advisor