Convergence Security Journal (융합보안논문지)

Korea convergence Security Association (한국융합보안학회)
권호 표지
DOI QR코드

DOI QR Code

A research on cyber kill chain and TTP by APT attack case study

APT 공격 사례 분석을 통한 사이버 킬체인과 TTP에 대한 연구

  • Received : 2020.09.29
  • Accepted : 2020.10.23
  • Published : 2020.10.31
Download PDF
⟨ Previous Next ⟩

Abstract

We analyzed APT attack cases that occurred overseas in the past using a cyber kill chain model and a TTP model. As a result of the analysis, we found that the cyber kill chain model is effective in figuring out the overall outline, but is not suitable for establishing a specific defense strategy, however, TTP model is suitable to have a practical defense system. Based on these analysis results, it is suggested that defense technology development which is based on TTP model to build defense-in-depth system for preparing cyber attacks.

과거 해외에서 발생한 APT 공격사례를 사이버 킬체인 모델과 TTP 모델로 분석하였다. 분석 결과 사이버 킬체인 모델은 전체적인 윤곽을 파악하는데 효과적이지만 구체적인 방어 전략을 수립하는 데에는 부적합하며, TTP 모델로 분석해야만 실질적인 방어 체제를 구비하는데 적합함을 알 수 있었다. 이러한 분석 결과를 바탕으로 사이버 공격을 대비하는 관점에서 심층 방어선 구축에 적합한 TTP 모델 관점에서 방어 기술 개발이 필요함을 제시한다.

Keywords

Acknowledgement

이 논문은 2019년도 한화시스템(주)의 재원을 지원받아 수행된 연구임.

References

  1. Seon-Hak Ji, Ji-Yun Park, and Jae-Woo Lee, "은닉형 악성코드를 활용한 공격 사례 분석과 대응방안에 대한 고찰," 정보보호학회지 Vol. 26, no. 1, pp.92-98, 2016.
  2. Jae-won Yoo, and Dea-woo Park."Cyber kill chain strategy for hitting attacker origin,"한국정보통신학회논문지 Vol. 21, No. 11 pp. 2199-2205, 2017.
  3. Lockheed Martin Corporation, "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains," 2011 Available: "https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf".
  4. Stech F.J., Heckman K.E., and Strom B.E. "Integrating Cyber-D&D into Adversary Modeling for Active Cyber Defense," Cyber Deception: Building the Scientific Foundation, pp.1-22, 2016.
  5. Kyuyong Shin, Kyoung Min Kim, and Jongkwan Lee "A Study on the Concept of Social Engineering Cyber Kill Chain for Social Engineering based Cyber Operations," 정보보호학회논문지 Vol. 28, no. 5, pp.1247-1258, 2018. https://doi.org/10.13089/JKIISC.2018.28.5.1247
  6. MITRE, "Finding Cyber Threats with ATT&CK-Based Analytics," 2017 Available: "https://www.mitre.org/sites/default/files/publications/16-3713-finding-cyber-threats%20with%20att%26ck-based-analytics.pdf"
  7. Myung Kil Ahn, and Jung-Ryun Lee, "Research on System Architecture and Methodology based on MITRE ATT&CK for Experiment Analysis on Cyber Warfare Simulation," 한국컴퓨터정보학회논문지 Vol. 25, no. 8, pp.31-37, 2020.
  8. Hong Suyoun, Kim Kwangsoo and Kim Taekyu, "The Design and Implementation of Simulated Threat Generator based on MITRE ATT&CK for Cyber Warfare Training," 한국군사과학기술학회지 Vol. 22, no. 6, pp797-805, 2019. https://doi.org/10.9766/KIMST.2019.22.6.797
  9. Clearsky Cyber Security, "Iranian cyber espionage against human rights activists, academic researchers and media outlets and the HBO hacker connection," 2017 Available: "https://www.clearskysec.com/charmingkitten"
  10. Trend Micro, "Update on Pawn Storm: New Targets and Politically Motivated Campaigns," 2018 Available: "https://www.trendmicro.com/en_us/research/18/a/update-pawn-storm-new-targets-politically-motivated-campaigns.html".
  11. Palo Alto Networks, "Threat Actors Target Government of Belarus Using CMSTAR Trojan," 2017 Avaliable: "https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan".
  12. Kaspersky, "BlackOasis APT and new targeted attacks leveraging zero-day exploit," 2017 Available: "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732".
  13. NSA/CSS(National Security Agency/Central Security Service) "Defense In Depth", 2010 Available: "https://apps.nsa.gov/iaarchive/library/ia-guidance/archive/defense-in-depth.cfm".