Way of determining APT control channel
DOI: https://doi.org/10.20535/2411-1031.2021.9.2.249899
Keywords: cyber defense system, proactive strategy, SIEM, SOC, APT detection, unauthorized channel, backdoor, target attack action
Abstract
The widespread use of sophisticated cyber attacks of the APT (advanced persistent threat) type against national critical infrastructure has been a powerful stimulus for the development of proactive cyber defense techniques. APTs are characterized by the following features: the attack is a complex set of attacker actions related in time and space, and taken separately these actions may not arouse suspicion; the target attack action in the cyber segment of the object is prepared over a long period (from several months to a year or more); and the attacker's actions form a chain of tactics whose implementation achieves the goal of the attack. Despite the variety of tools used in APTs, the set of most tactics and their nature remain constant. Many APTs rely on the attacker using unauthorized channels over the Internet to control the attack, which allows him to perform various actions in the cyberspace segment of the victim's information technology system. Timely identification of such channels during the stages that prepare the target attack action is therefore an urgent task, and it is consistent with a proactive cybersecurity strategy. Based on research into the information processes of forming and using an unauthorized channel and into the organization of proactive cyber defense systems, a method for determining the control channel of an APT has been developed. It can be used in security information and event management (SIEM) to detect the attack after its penetration stage into the information technology system but before the target action stage is carried out. The method is built on the cybernetic model of the APT, using methods of formalized analysis of the information processes of modern operational cyber defense systems.
As part of the research, a procedure for forming and using a multi-indicator template of the control channel, applied to a comprehensive analysis of security events, was developed. To populate the template, software was developed that generates information about security events on the hosts of the corporate system. The theoretical and practical results are aimed at using the corporate information system for proactive protection against APTs.
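The abstract describes a multi-indicator template of the control channel that is matched against host security events, but does not list the indicators. The block below is an added, illustrative example of that idea (editor's code, not the paper's template or its event generator): it groups constructed per-host connection events into flows and scores each flow against four assumed indicators (external destination, periodic beaconing, long persistence, small uniform payloads). The event format, indicator definitions and every threshold are assumptions chosen for the demo. It also shows the point made in the abstract that individual indicators are not suspicious on their own: the internal monitoring flow is just as periodic as the beacon but is not flagged.

```python
"""Multi-indicator control-channel template evaluated over host connection events.

Added illustrative example. The event fields, the four indicators and all
thresholds are assumptions for this demo, not the template described in the paper.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumed corporate address space; anything else counts as "external".
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ConnEvent:
    ts: int          # seconds (constructed timestamps)
    host: str        # reporting host
    process: str     # process that opened the connection
    dst_ip: str
    dst_port: int
    bytes_out: int


def _cv(values):
    """Coefficient of variation (pstdev / mean); 0 for an all-zero series."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0


def evaluate_template(events, min_conns=6, max_cv=0.1, min_span=1800, small_bytes=1024):
    """Score every (host, process, dst_ip, dst_port) flow against the template.

    Returns a dict keyed by flow with the per-indicator booleans and a final
    'matched' verdict: external destination AND at least two of the three
    behavioural indicators (periodic, persistent, uniform_small).
    """
    flows = defaultdict(list)
    for e in events:
        flows[(e.host, e.process, e.dst_ip, e.dst_port)].append(e)

    results = {}
    for key, evs in flows.items():
        evs.sort(key=lambda e: e.ts)
        ts = [e.ts for e in evs]
        sizes = [e.bytes_out for e in evs]
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        ind = {
            "external": not any(ip_address(key[2]) in n for n in INTERNAL_NETS),
            # beaconing: enough connections with near-constant inter-arrival time
            "periodic": len(evs) >= min_conns and _cv(intervals) <= max_cv,
            # channel kept alive for at least min_span seconds
            "persistent": ts[-1] - ts[0] >= min_span,
            # small, near-identical outbound payloads (check-ins rather than browsing)
            "uniform_small": mean(sizes) < small_bytes and _cv(sizes) <= max_cv,
        }
        behavioural = sum(ind[k] for k in ("periodic", "persistent", "uniform_small"))
        results[key] = {"indicators": ind, "matched": ind["external"] and behavioural >= 2}
    return results


def flagged_flows(events):
    """Sorted list of flow keys that match the template."""
    return sorted(k for k, r in evaluate_template(events).items() if r["matched"])


# Constructed sample events (not real telemetry):
#  - ws-17 -> 203.0.113.10:443 every ~300 s with 412/413-byte payloads (beacon-like)
#  - ws-17 -> 10.0.0.5:8443, same rhythm, internal monitoring agent (benign)
#  - ws-22 -> 198.51.100.5:443 irregular browsing with varying sizes (benign)
SAMPLE_EVENTS = []
for i in range(12):
    SAMPLE_EVENTS.append(ConnEvent(1000 + 300 * i + (i % 3), "ws-17", "svchost.exe", "203.0.113.10", 443, 412 + (i % 2)))
    SAMPLE_EVENTS.append(ConnEvent(1000 + 300 * i + (i % 3), "ws-17", "agent.exe", "10.0.0.5", 8443, 412 + (i % 2)))
for t, b in zip((1000, 1040, 1900, 2500, 2530, 4000), (2300, 15000, 800, 52000, 1200, 9000)):
    SAMPLE_EVENTS.append(ConnEvent(t, "ws-22", "chrome.exe", "198.51.100.5", 443, b))

if __name__ == "__main__":
    for key, r in evaluate_template(SAMPLE_EVENTS).items():
        print(key, r["indicators"], "MATCH" if r["matched"] else "-")
```

In a SIEM the same logic would run as a scheduled correlation rule over a sliding window rather than over an in-memory list, and the thresholds would be tuned per environment; the structure (group into flows, evaluate each indicator independently, combine with a rule) is what the multi-indicator approach adds over single-event alerting.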
Copyright (c) 2021 Information Technology and Security
This work is licensed under a Creative Commons Attribution 4.0 International License.
Authors published in this collection agree to the following terms:
- The authors retain authorship rights to their work and grant the collection the right of first publication; the work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with mandatory reference to the authors of the original work and to its first publication in this collection.
- The authors have the right to conclude an agreement on the exclusive distribution of the work in the form in which it was published in this collection (for example, to place the work in an institutional digital repository or to publish it as part of a monograph), provided that reference is made to the first publication of the work in this collection.
- The journal's policy permits and encourages authors to post the manuscript of the work on the Internet (for example, in institutional repositories or on personal websites) both before submission of the manuscript to the editors and during its editorial processing, as this promotes productive scientific discussion and has a positive effect on the efficiency and dynamics of citation of the published work (see The Effect of Open Access).