Model of four cyber attack information environments

Authors

  • Ihor Yakoviv Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv, Ukraine https://orcid.org/0000-0001-7432-898X

DOI:

https://doi.org/10.20535/2411-1031.2023.11.2.293768

Keywords:

nature of information, mental information environment, computer information environment, cyber defense infrastructure, proactive defense strategy, cyber threat intelligence, SIEM, IDS/IPS, APT prediction, indicators of compromise, security event pattern, cyber security management cycle

Abstract

The functioning of the modern cyber defense infrastructure of a corporate IT system rests on the procedure of comparing current events in the computer environment with security event indicators. When an indicator matches the corresponding event, security information about that event is generated and transmitted to the SIEM for analysis. Based on the results of the analysis, a decision is made on whether a cyber security incident exists. At the next stage, a response is decided on and implemented that restores the state of cyber security. A mandatory condition for an effective cyber defense infrastructure is the availability of knowledge about possible cyber threats and the corresponding signs (indicators) of security events at the technical level of computer systems. Cyber threat intelligence (CTI) is responsible for forming these signs of security events. Under large-scale use of common, repetitive cyberattacks, the main function of CTI was to identify simple technical features called indicators of compromise (IOCs); bit sequences (signatures) are used as such IOCs. Under large-scale use of complex cyberattacks, it becomes urgent to develop APT attack forecasting maps that allow a security event attributes pattern (SEAP) to be formed for automated detection by the computer means of the cyber defense infrastructure. The article is devoted to the development of a model that, with the help of an attribute-transfer approach to the essence of information, makes it possible to formalize cyber protection processes. The model visually details and combines the events that reveal the essence of APT attack preparation and implementation, the protection processes, and the task of cyber threat intelligence to determine the specific data needed by the means of an effective cyber defense infrastructure.
The level of detail of the model allows known mathematical constructions to be applied to describe security events and security information. This approach simplifies the formation of algorithms for automating cyber protection processes.
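The abstract describes a two-sided detection cycle: sensors compare each event with indicators and emit security information, and the SIEM analyses that information to decide whether an incident exists. It also contrasts simple IOCs (byte signatures) with a SEAP, an ordered pattern of event attributes left by a multi-stage attack. The following Python is an added illustration of that cycle written for this page; it is not the paper's model and not code from the author. Every host name, byte value, domain and the SEAP itself are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    """One observation at the technical level of a computer system."""
    host: str
    kind: str          # "process", "dns", "file", ...
    attrs: dict


# Constructed sample event stream (hypothetical hosts, images, domains, bytes).
EVENTS = [
    Event("ws-01", "process", {"image": "winword.exe", "parent": "explorer.exe"}),
    Event("ws-01", "process", {"image": "powershell.exe", "parent": "winword.exe"}),
    Event("ws-01", "dns", {"domain": "x7q9z.example", "entropy_high": True}),
    Event("ws-01", "file", {"path": "C:\\Users\\Public\\u.bin", "head": b"MZ-PLACEHOLDER-SIG"}),
    Event("ws-02", "dns", {"domain": "intranet.example", "entropy_high": False}),
    Event("ws-02", "file", {"path": "C:\\Temp\\report.docx", "head": b"PK\x03\x04"}),
]

# Simple IOCs: bit sequences (signatures). Placeholder values, not real malware bytes.
IOC_SIGNATURES = {
    b"MZ-PLACEHOLDER-SIG": "constructed-dropper-signature",
}

# A SEAP: an ordered list of attribute sets a hypothetical multi-stage attack leaves
# (office child process, then high-entropy DNS lookup, then a drop into a public folder).
SEAP = [
    {"kind": "process", "parent": "winword.exe"},
    {"kind": "dns", "entropy_high": True},
    {"kind": "file", "path_prefix": "C:\\Users\\Public\\"},
]


def match_ioc(event: Event) -> Optional[str]:
    """Return the IOC name whose signature occurs in the event's byte payload, if any."""
    head = event.attrs.get("head")
    if not isinstance(head, (bytes, bytearray)):
        return None
    for signature, name in IOC_SIGNATURES.items():
        if signature in head:
            return name
    return None


def match_step(event: Event, step: dict) -> bool:
    """True when the event carries every attribute the SEAP step asks for."""
    if event.kind != step["kind"]:
        return False
    for key, wanted in step.items():
        if key == "kind":
            continue
        if key.endswith("_prefix"):            # "path_prefix" constrains attrs["path"]
            actual = str(event.attrs.get(key[: -len("_prefix")], ""))
            if not actual.startswith(wanted):
                return False
        elif event.attrs.get(key) != wanted:
            return False
    return True


def generate_security_info(events) -> list:
    """Sensor side: compare each event with the indicators and emit security information."""
    records = []
    progress = {}                               # host -> index of the next SEAP step expected
    for ev in events:
        ioc = match_ioc(ev)
        if ioc:
            records.append({"host": ev.host, "type": "ioc", "detail": ioc})
        i = progress.get(ev.host, 0)
        if i < len(SEAP) and match_step(ev, SEAP[i]):   # steps must occur in order
            progress[ev.host] = i + 1
            records.append({"host": ev.host, "type": "seap_step", "detail": i})
    return records


def siem_decide(records, hosts) -> dict:
    """SIEM side: per host, decide whether a cyber security incident exists."""
    decisions = {}
    for host in hosts:
        mine = [r for r in records if r["host"] == host]
        steps = {r["detail"] for r in mine if r["type"] == "seap_step"}
        iocs = [r["detail"] for r in mine if r["type"] == "ioc"]
        decisions[host] = {
            "incident": bool(iocs) or len(steps) == len(SEAP),
            "ioc_hits": iocs,
            "seap_steps_seen": sorted(steps),
        }
    return decisions


if __name__ == "__main__":
    info = generate_security_info(EVENTS)
    print(siem_decide(info, {e.host for e in EVENTS}))
```

The sensor only ever sees one event at a time and stays cheap (a signature substring test and a per-host step counter); the decision about an incident is deliberately left to the SIEM, which is the only place that has the full set of security information for a host. Note that an IOC hit alone is enough for an incident, whereas the SEAP only counts when all of its steps are seen in order.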

Author Biography

Ihor Yakoviv, Institute of special communication and information protection of National technical university of Ukraine “Igor Sikorsky Kyiv polytechnic institute”, Kyiv

Candidate of Technical Sciences, Associate Professor, Associate Professor at the Cybersecurity and Application of Information Systems and Technology academic department


Published

2023-12-28

How to Cite

Yakoviv, I. (2023). Model of four cyber attack information environments. Collection "Information Technology and Security", 11(2), 175–192. https://doi.org/10.20535/2411-1031.2023.11.2.293768

Section

MATHEMATICAL AND COMPUTER MODELING