Modeling the Operational Phases of APT Campaigns

Berady, Aimad; Tông, Valérie Viêt Triêm; Guette, Gilles; Bidan, Christophe; Carat, Guillaume

doi:10.1109/csci49370.2019.00023

Cited by 4 publications

(6 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Studies on APT attack detection have typically focused predominantly on signature-, graph-, and machine learning-based detection methods. Berady et al [8] proposed a Nuke model in which the APT attack lifecycle was defined as a state machine. This model consists of exploration, exploitation, and decision-making phases.…”

Section: Apt Attack Detection and Responsementioning

confidence: 99%

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Jeon¹,

Lee²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and teleeducation are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of a sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with that conventional methods.

show abstract

Section: Apt Attack Detection and Responsementioning

confidence: 99%

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

Jeon¹,

Lee²,

Lee³

et al. 2023

Computers, Materials &Amp; Continua

View full text Add to dashboard Cite

show abstract

“…This choice was motivated by the fact that we wanted to observe participants' behavior during the Network Propagation phase. Thus, some tactics (i.e., stages of kill chains) were not applicable because attackers used these tactics to reach their goals during earlier or later operational phases [23], for example Reconnaissance, Initial Access, Asset Dominance, and even those related to the victim's Network Exploitation phase in order to achieve final objective.…”

Section: B Deploymentmentioning

confidence: 99%

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Berady

Jaume²,

Tông

et al. 2022

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Identifying patterns in the modus operandi of attackers is an essential requirement in the study of Advanced Persistent Threats. Previous studies have been hampered by the lack of accurate, relevant, and representative datasets of current threats. System logs and network traffic captured during attacks on real companies' information systems are the best data sources to build such datasets. Unfortunately, for apparent reasons of companies' reputation, privacy, and security, such data is seldom available. This article proposes an alternative approach to such issues involved with collecting data. It first presents a formal model of an attacker's tactical progression during their network propagation phase. Such a progression is expressed according to the attacker's state, called muSE, which specifies their propagation area, collected secrets, and knowledge of the environment. The new model wields the operational semantics of attack techniques proposed in this article. The semantics formally define a transition relation between attackers' states. Hence, it can be used to describe an entire attack scenario. This formalization allows the ability to describe the PWNJUTSU experiment unequivocally. In this experiment, 22 Red Teamers attacked the vulnerable infrastructure to compromise machines and steal secret flags. Each Red Teamer operated on a dedicated instance. Sensors captured system logs and network traffic on each of these instances. This article's second contribution is the public release of the PWNJUTSU dataset.

show abstract

“…When the attacker has compromised at least one component of the targeted network, he is able to apply attack procedures inside it. Here begins the Network Propagation phase [8].…”

Section: A Actions Of the Attackermentioning

confidence: 99%

“…a) Need for unified views: Gianvecchio et al [11] point out the semantic gap between the defender and the attacker. Indeed, the attacker operates at the level of strategy and tactics; he focuses on target discovery, and can deploy various kill chains tactics [8,12]. However, the defender spends significant time processing low-level, rule-generated alerts and singlelog analysis can hardly reveal the complete attack story for complex, multi-stage attacks.…”

Section: Related Workmentioning

confidence: 99%

From TTP to IoC: Advanced Persistent Graphs for Threat Hunting

Berady

Jaume²,

Tông³

et al. 2021

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Defenders fighting against Advanced Persistent Threats need to discover the propagation area of an adversary as quickly as possible. This discovery takes place through a phase of an incident response operation called Threat Hunting, where defenders track down attackers within the compromised network. In this article, we propose a formal model that dissects and abstracts elements of an attack, from both attacker and defender perspectives. This model leads to the construction of two persistent graphs on a common set of objects and components allowing for (1) an omniscient actor to compare, for both defender and attacker, the gap in knowledge and perceptions; (2) the attacker to become aware of the traces left on the targeted network; (3) the defender to improve the quality of Threat Hunting by identifying false-positives and adapting logging policy to be oriented for investigations. In this article, we challenge this model using an attack campaign mimicking APT29, a real-world threat, in a scenario designed by the MITRE Corporation. We measure the quality of the defensive architecture experimentally and then determine the most effective strategy to exploit data collected by the defender in order to extract actionable Cyber Threat Intelligence, and finally unveil the attacker.

show abstract

Modeling the Operational Phases of APT Campaigns

Cited by 4 publications

References 2 publications

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

An Effective Threat Detection Framework for Advanced Persistent Cyberattacks

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

From TTP to IoC: Advanced Persistent Graphs for Threat Hunting

Contact Info

Product

Resources

About