Defenders fighting Advanced Persistent Threats need to discover the propagation area of an adversary as quickly as possible. This discovery takes place during a phase of incident response called Threat Hunting, in which defenders track down attackers within the compromised network. In this article, we propose a formal model that dissects and abstracts the elements of an attack from both the attacker's and the defender's perspective. The model leads to the construction of two persistent graphs over a common set of objects and components, allowing (1) an omniscient actor to compare the gap in knowledge and perception between defender and attacker; (2) the attacker to become aware of the traces left on the targeted network; and (3) the defender to improve the quality of Threat Hunting by identifying false positives and adapting the logging policy so that it is oriented toward investigations. We challenge this model using an attack campaign mimicking APT29, a real-world threat, in a scenario designed by the MITRE Corporation. We measure the quality of the defensive architecture experimentally, then determine the most effective strategy for exploiting the data collected by the defender in order to extract actionable Cyber Threat Intelligence, and finally unveil the attacker.
In the context of Advanced Persistent Threat (APT) attacks, this paper introduces a model, called Nuke, which aims to provide a more operational reading of the attackers' lifecycle in a compromised network. It makes it possible to account for the notions of regression and of repeated achievement of final objectives. By confronting this model with examples of recent attacks (the Equifax data breach and the TV5Monde sabotage), we emphasize the importance of attack chronology in Cyber Threat Intelligence (CTI) reports, as well as of the Tactics, Techniques and Procedures (TTP) used by the attacker during their progression.

Index Terms: advanced persistent threat, cyber kill chain, tactics techniques and procedures, cyberspace operations, cyber threat intelligence