
A Study on Hacking E-Mail Detection using Indicators of Compromise


  • 이후기 (Konyang University, Department of Cyber Security Engineering)
  • Received : 2020.07.05
  • Accepted : 2020.09.29
  • Published : 2020.09.30

Abstract

In recent years, hacking and malware techniques have become sophisticated and complex, and numerous cyber-attacks occur constantly across many fields. Among them, E-Mail was found to be the most widely used route for compromise incidents such as information leakage and system destruction. In particular, E-Mail APT attacks that employ zero-day vulnerabilities and social-engineering hacking techniques remain difficult to detect and identify with signature-based detection and dynamic analysis alone. Thus, demand has grown for indicators of compromise (IOC) that identify the causes of malicious activity and, by sharing that information, allow a quick response to similar compromise incidents. In this study, we propose a method of extracting the various forensic artifacts required to detect and investigate Hacking E-Mails, which account for a large portion of the damage caused by security incidents. To achieve this, we employ the digital forensic indicator method previously used to collect information on client-side incidents.

Recently, hacking and malware techniques have been developing in a very sophisticated and complex way, and compromise incidents continue to occur in many fields. Among them, E-Mail has been confirmed as the largest route used for compromise incidents that lead to information leakage and system destruction. In particular, E-Mail APT attacks that use zero-day vulnerabilities and social-engineering hacking techniques are very difficult to identify with the signature-based and dynamic-analysis detection of the past alone. The need for Indicators of Compromise (IOC), which identify the cause and share that information so that similar compromise incidents can be handled quickly, continues to grow. This paper proposes a method for effectively extracting the various artifact information needed to detect, investigate and analyze hacking mails, which cause the greatest damage in security incidents, by applying the digital forensic detection-indicator approach previously used to collect client-side compromise incidents.
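One way to turn a single message into the kind of artifact record the abstract describes (sender-identity fields, relay IPs, embedded URLs, attachment hashes and simple tells), written here as an added example that is not the paper's own code or tool. It assumes only the Python standard library; the sample message, the header fields chosen, the regular expressions and the RISKY_EXT list are all the example's own assumptions, not values from the paper.

```python
import email, hashlib, re
from email.utils import parseaddr

# Constructed sample, not a real incident: look-alike Reply-To, link, macro doc.
SAMPLE_EML = b"""Received: from relay.example.net (unknown [198.51.100.77]) by mx.victim.example
From: "HR Department" <hr@victim.example>
Reply-To: hr-team@victim-example.net
Subject: Updated salary table
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review http://victim-example.net/salary/login and sign.
--XYZ
Content-Type: application/octet-stream; name="salary.docm"
Content-Disposition: attachment; filename="salary.docm"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ--
"""
URL_RE = re.compile(r"https?://[^\s<>\"']+")
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm")

def domain(value):
    # Lower-cased domain of the first address in a header value (assumed helper)
    return parseaddr(value or "")[1].rpartition("@")[2].lower()

def extract_iocs(raw):
    # Parse one RFC 2822 message into a dict of forensic artifacts
    msg = email.message_from_bytes(raw)
    ioc = {"subject": msg.get("Subject"), "from_domain": domain(msg.get("From")),
           "reply_to_domain": domain(msg.get("Reply-To")),
           "received_ips": [ip for h in msg.get_all("Received", []) for ip in IP_RE.findall(h)],
           "urls": [], "attachments": [], "flags": []}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data, name = part.get_payload(decode=True) or b"", part.get_filename() or ""
            ioc["attachments"].append({"filename": name, "size": len(data),
                                       "sha256": hashlib.sha256(data).hexdigest()})
            if name.lower().endswith(RISKY_EXT):
                ioc["flags"].append("risky attachment type: " + name)
        elif part.get_content_type() == "text/plain":
            text = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
            ioc["urls"].extend(URL_RE.findall(text))
    if ioc["reply_to_domain"] and ioc["reply_to_domain"] != ioc["from_domain"]:
        ioc["flags"].append("Reply-To domain differs from From domain")
    return ioc
```

The resulting dictionary is the per-message record that can be shared as an IOC or matched against a mailbox or gateway log; the attachment SHA-256 and the URL list are the fields most useful for cross-incident correlation.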
