Model of four cyber attack information environments
DOI:
https://doi.org/10.20535/2411-1031.2023.11.2.293768Keywords:
nature of information, mental information environment, computer information environment, cyber defense infrastructure, proactive defense strategy, cyber threat intelligence, SIEM, IDS/IPS, APT prediction, indicators of compromise, security event pattern, cyber security management cycleAbstract
The basis of the functioning of the modern cyber defense infrastructure of the corporate IT system is the procedure of comparing current events in the computer environment with the security event indicator. If the indicator matches the corresponding event, security information about this event is generated and transmitted to the SIEM for analysis. Based on the results of the analysis, a decision is made about the existence of a cyber security incident. At the next stage, a decision is made and implemented, which restores the state of cyber security. A mandatory condition for the effective cyber defense infrastructure is the availability of knowledge about possible cyber threats and relevant signs (indicators) of security events at the technical level of computer systems. Cyber threat intelligence (CTI) is responsible for forming signs of security events. In the conditions of large-scale application of common repetitive cyberattacks, the main function of CTI was to identify simple technical features called indicators of compromise (IOCs). Bit sequences (signatures) are used as such IOCs. In the conditions of large-scale application of complex cyberattacks, the task of developing such APT attack forecasting maps that allow the formation of security event attributes pattern (SEAP) for automated detection by computer means of cyber defense infrastructure becomes urgent. The article is devoted to the development of a model that, with the help of an attribute-transfer approach to the essence of information, allows to formalize the processes of cyber protection. The model visually details and combines the events that reveal the essence of the APT attack preparation and implementation, the processes of protection and the task of cyber threat intelligence to determine specific data for the means of an effective cyber defense infrastructure. The level of detail of the model allows the application of known mathematical constructions to describe security events and security information. This approach simplifies the forming algorithms for automating cyber protection processes.
References
G. Johansen, Digital Forensics and Incident Response. An intelligent way to respond to attacks. Birmingham, UK: Packt Publishing Ltd, 2017.
W. Tounsi, “What is Cyber Threat Intelligence and How is it Evolving?” in Cyber‐Vigilance and Digital Trust: Cyber Security in the Era of Cloud Computing and IoT, W. Tounsi, Ed, Wilty, April 2019. [Online]. Available: https://media.wiley.com/product_data/excerpt/81/17863044/1786304481-46.pdf. Accessed on: June 19, 2023. doi: https://doi.org/10.1002/9781119618393.
What is threat intelligence? IBM. 2023. [Online]. Available: https://www.ibm.com/topics/threat-intelligence. Accessed on: June 01, 2023.
NIST Special Publication 800-150, Guide to Cyber Threat Information Sharing, 2016. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-150.pdf. Accessed on: June 21, 2023.
What is Threat Intelligence? VMware by Broadcom. 2023. [Online]. Available: https://www.vmware.com/topics/glossary/content/threat-intelligence.html. Accessed on: June 20, 2023.
Diamond Model of Intrusion Analysis: A Quick Guide. Security Boulevard, 2023. [Online]. Available: https://securityboulevard.com/2023/03/diamond-model-of-intrusion-analysis-a-quick-guide. Accessed on: June 14, 2023.
E. M. Hutchins, M. J. Clopperty, and R. M. Amin. “Intelligence-Driven Computer Network Defense. Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”, Lockheed Martin Corporation, 2009. [Online]. Available: https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf. Accessed on: June 14, 2023.
B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington, and C. B. Thomas, MITRE ATT&CK: Design and Philosophy, McLean, VA, USA: The MITRE Corporation. 2020. [Online]. Available: https://www.mitre.org/news-insights/publication/mitre-attck-design-and-philosophy. Accessed on: June 14, 2023.
Best Practices for MITRE ATT&CK. Mapping, Cybersecurity and Infrastructure Security Agency (CISA), 2023. [Online]. Available: https://www.cisa.gov/sites/default/files/2023-01/Best%20Practices%20for%20MITRE%20ATTCK%20Mapping.pdf. Accessed on: June 27, 2023.
P. Chen, L. Desmet, and C. Huygens, “A study on Advanced Persistent Threats”, in Proc. 15th IFIP TC 6/TC 11 International on Conference Communications and Multimedia Security, Aveiro, Portugal, 2014, pp. 63-72. doi: https://doi.org/10.1007/978-3-662-44885-4_5.
Mandiant M-Trends: The Advanced Persistent Threat, Mandiant, 2010. [Online]. Available: https://wikileaks.org/hbgary-emails//fileid/27714/8307. Accessed on: July 07, 2023.
D. E. Whitehead, K. Owens, D. Gammel, and J. Smith, “Ukraine Cyber-Induced Power Outage: Analysis and Practical Mitigation Strategies”, in Proc 2017 70th Annual Conference for Protective Relay Engineers (CPRE), College Station, TX, USA, 2017, pp. 1-8. doi: https://doi.org/10.1109/CPRE.2017.8090056
S. A. Camtepe, and B. Yener, “Modeling and detection of complex attacks”, in Proc. 2007 Third International Conference on Security and Privacy in Communications Networks and the Workshops – SecureComm 2007, Nice, France, 2007. pp. 234-243. doi: https://doi.org/10.1109/SECCOM.2007.4550338.
F. Arnold, H. Hermanns, R. Pulungan, and M. Stoelinga, “Time-dependent analysis of attacks”, in Proc. International Conference on Principles of Security and Trust (POST-2014), Grenoble, France, pp. 285-305. doi: http://dx.doi.org/10.1007/978-3-642-54792-8_16.
O. Flaten, and M. S. Lund, “How good are attack trees for modelling advanced cyber threats?”, Norwegian Information Security Conference (NISK) 7(1), 2014.
J. Navarro et al., “HuMa: A multi-layer framework for threat analysis in a heterogeneous log environment”, in Proc. 10th International Symposium Foundations and Practice of Security (FPS 2017), Nancy, France, 2017 Université de Strasbourg, France, ECAM Strasbourg-Europe, Schiltigheim, France, 2015, pp.144-159. [Online]. Available: http://fps2017.loria.fr/wp-content/uploads/2017/10/08.pdf. Accessed on: June 27, 2023.
P. Giura, and W. Wang, “Using large scale distributed computing to unveil advanced persistent threats”, Science J, vol. 1, iss. 3, pp.93-105, 2013. [Online]. Available: https://www.semanticscholar.org/paper/Using-Large-Scale-Distributed-Computing-to-Unveil-Giura-Wang/75e702d56a4a90f9c773a0e1fd0074cbe6910ead. Accessed on: June 27, 2023.
Z. Cui, I. erwono, and P. Kearney, “Multi-stage attack modeling”, in Proc. Cyberpatterns 2013: The Second International Workshop on Cyber Patterns: Unifying Design Patterns with Security, Attack and Forensic Patterns, pp. 78-89, 2013.
I. Yakoviv, “Information, signs, knowledge and intelligence”, Information Technology and Security, vol. 8, iss. 2, pp. 1-12, 2020. doi: http://dx.doi.org/10.20535/2411-1031.2020.8.2.222605.
Адміністрація Держспецзв’язку (2021, Жовт. 06). Наказ № 601 Про затвердження Методичних рекомендацій щодо підвищення рівня кіберзахисту критичної інформаційної інфраструктури. [Електронний ресурс]. Доступно: https://cip.gov.ua/ua/news/nakaz-ad-2021-10-06-601.
“Framework for Improving Critical Infrastructure Cybersecurity. Version 1.1”, National Institute of Standards and Technology (NIST), 2018. [Online]. Available: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf.
I. Yakoviv, “APT cyber attack model”, Information Technology and Security, vol. 6, iss. 1 (10), pp. 46-58, 2018. doi: http://dx.doi.org/10.20535/2411-1031.2018.6.1.153140.
I. Yakoviv, А. Trokhymenko, та К. Hlum, “A method of determining the control channel of an APT attack”, Information Technology and Security, vol. 10, iss. 2 (17), pp. 176-188, 2021. doi: http://dx.doi.org/10.20535/2411-1031.2021.9.2.249899.
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2023 Collection "Information Technology and Security"
This work is licensed under a Creative Commons Attribution 4.0 International License.
The authors that are published in this collection, agree to the following terms:
- The authors reserve the right to authorship of their work and pass the collection right of first publication this work is licensed under the Creative Commons Attribution License, which allows others to freely distribute the published work with the obligatory reference to the authors of the original work and the first publication of the work in this collection.
- The authors have the right to conclude an agreement on exclusive distribution of the work in the form in which it was published this anthology (for example, to place the work in a digital repository institution or to publish in the structure of the monograph), provided that references to the first publication of the work in this collection.
- Policy of the journal allows and encourages the placement of authors on the Internet (for example, in storage facilities or on personal web sites) the manuscript of the work, prior to the submission of the manuscript to the editor, and during its editorial processing, as it contributes to productive scientific discussion and positive effect on the efficiency and dynamics of citations of published work (see The Effect of Open Access).
