BSidesSATX 2023

SIEM Slam: Tricking Modern SIEMs with Fake Logs and Confusing Blue Teams (Pre-Recorded)
2023-06-10, 14:00–14:45, Track 2 (Moody Rm 101)

Our research has uncovered a sneaky tactic that attackers use to outsmart modern Security Information and Event Management (SIEM) tools, such as Splunk. By creating and injecting fake logs, attackers can divert the attention of blue teams and conceal their real attacks. In this study, we explore this devious approach and provide an in-depth analysis of how it can be used to deceive security operations. Specifically, we examine the vulnerabilities of SIEM tools, with Splunk as a prime example.

Here is the introduction part of our whitepaper:
For many organizations, Security Information and Event Management (SIEM) tools like Splunk have been essential components of their security operations for a long time. SIEM tools are critical for blue teams because they enable them to detect potential attacks and respond to them quickly. By collecting and analyzing logs from various sources, including network devices, servers, and applications, SIEM tools can identify suspicious activity and generate alerts. These alerts can then be used by security analysts to investigate and remediate any potential threats. Without SIEM tools, security teams would need to manually review and analyze each log, which would be a time-consuming and error-prone process. The speed and accuracy of SIEM tools make them an essential component of any organization's security operations.

However, as SIEM tools have become more prevalent and sophisticated, attackers have also evolved their tactics to circumvent them. In our original research, we have discovered that one particularly effective strategy is to create and insert fake logs into the SIEM tool, which can mislead and distract the blue team and hide the real attack. In this paper, we will explore how attackers use fake logs to deceive security operations and how security teams can defend against these attacks. We will focus specifically on Splunk, a modern SIEM tool, and demonstrate how to create and inject fake logs to mislead the blue team.

By the end of this paper, readers will have a better understanding of the vulnerabilities of modern SIEM tools and the tactics attackers can use to exploit them, as well as the best practices for defending against these attacks.

Ozgun is a 22 year old Offensive Security Engineer at Trendyol Group, focusing on breach & attack simulation and penetration testing. Prior to joining Trendyol, Ozgun gained valuable experience in the realm of wireless security, specializing in Bluetooth, RF protocols, Wi-Fi, and other related technologies.

Currently, his primary focus revolves around the advancement of red team operations and penetration testing, with a particular emphasis on web security.

Ozgun holds a Bachelor of Science degree in Computer Engineering as well as the OSCP certification. When he's not around, you'll likely find him busy demolishing CTF competitions or embarking on thrilling bug hunting expeditions in the vast wilderness of the web!