http://dx.doi.org/10.13089/JKIISC.2022.32.3.527

Implementation of an APT Attack Detection System through ATT&CK-Based Attack Chain Reconstruction  

Cho, Sungyoung (Agency for Defense Development)
Park, Yongwoo (Agency for Defense Development)
Lee, Kyeongsik (Agency for Defense Development)
Abstract
To effectively detect APT attacks carried out by well-organized adversaries, we implemented a system that detects attacks by reconstructing their attack chains. Our attack chain-based APT attack detection system consists of three parts: an 'event collection and indexing' part that collects the various events generated by host and network monitoring tools, a 'unit attack detection' part that detects unit-level attacks defined as MITRE ATT&CK® techniques, and an 'attack chain reconstruction' part that reconstructs attack chains by performing causality analysis over provenance graphs. To evaluate the system, we built a test-bed and ran several simulated attack scenarios provided by the MITRE ATT&CK Evaluations program. The experiments confirmed that the system effectively reconstructed the attack chains of the simulated scenarios. With the system implemented in this study, attacks can be understood and responded to from the perspective of their progression, rather than as fragmentary, isolated detections.
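As an added example (not the authors' system or code), the following Python sketch runs the three-part pipeline the abstract describes over a handful of constructed Sysmon-style events: events are indexed into a provenance graph, single events are matched against unit rules that map to ATT&CK technique IDs, and a BackTracker-style backward causality walk from a triggering detection keeps only the detections on its causal history. The technique IDs are real ATT&CK IDs; the event rows, host name, detection rules, and the simplification of keying files by basename are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry): a phishing document
# spawns encoded PowerShell, which downloads and runs a dropper that sets a
# Run key. Event 8 is unrelated noise that must stay out of the chain.
EVENTS = [
    dict(id=1, kind="process", host="ws1", pid=100, ppid=1,   image="outlook.exe",    cmd="outlook.exe"),
    dict(id=2, kind="process", host="ws1", pid=200, ppid=100, image="winword.exe",    cmd="winword.exe invoice.docm"),
    dict(id=3, kind="process", host="ws1", pid=300, ppid=200, image="powershell.exe", cmd="powershell -enc SQBFAFgA"),
    dict(id=4, kind="network", host="ws1", pid=300, dst="203.0.113.10:443"),
    dict(id=5, kind="file",    host="ws1", pid=300, path="C:\\Users\\u\\AppData\\Roaming\\upd.exe"),
    dict(id=6, kind="process", host="ws1", pid=400, ppid=300, image="upd.exe",        cmd="upd.exe"),
    dict(id=7, kind="process", host="ws1", pid=500, ppid=400, image="reg.exe",
         cmd="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d upd.exe"),
    dict(id=8, kind="process", host="ws1", pid=600, ppid=1,   image="explorer.exe",   cmd="explorer.exe"),
]

OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}


def build_graph(events):
    """Part 1: index events as a provenance graph.
    Returns preds: node -> [(source node, event id)]; every edge is stored at
    its destination so causality can be walked backwards. Files are keyed by
    basename (a simplification; real Sysmon records full paths)."""
    preds = defaultdict(list)
    for e in events:
        proc = ("proc", e["host"], e["pid"])
        if e["kind"] == "process":
            # a process is caused by its parent and by the image it executes
            preds[proc].append((("proc", e["host"], e["ppid"]), e["id"]))
            preds[proc].append((("file", e["host"], e["image"]), e["id"]))
        elif e["kind"] == "file":
            name = e["path"].rsplit("\\", 1)[-1]
            preds[("file", e["host"], name)].append((proc, e["id"]))
        elif e["kind"] == "network":
            # Sysmon Event 3 records the connection, not the data direction,
            # so the edge is kept both ways: the process may have received data
            net = ("net", e["host"], e["dst"])
            preds[net].append((proc, e["id"]))
            preds[proc].append((net, e["id"]))
    return preds


def detect_units(events):
    """Part 2: single-event unit detections mapped to ATT&CK technique IDs.
    Returns [(event id, technique, reason)]. Rules are constructed for this
    example, not taken from CAR, Sigma or Elastic."""
    procs = {(e["host"], e["pid"]): e for e in events if e["kind"] == "process"}
    hits = []
    for e in events:
        cmd = e.get("cmd", "").lower()
        if e["kind"] == "process":
            parent = procs.get((e["host"], e["ppid"]))
            if parent and parent["image"] in OFFICE and e["image"] in SHELLS:
                hits.append((e["id"], "T1204.002", "Office application spawned a shell"))
            if e["image"] == "powershell.exe" and "-enc" in cmd:
                hits.append((e["id"], "T1059.001", "encoded PowerShell command line"))
            if e["image"] == "reg.exe" and "currentversion\\run" in cmd:
                hits.append((e["id"], "T1547.001", "Run key written with reg.exe"))
        elif e["kind"] == "network":
            owner = procs.get((e["host"], e["pid"]), {})
            if owner.get("image") in SHELLS:
                hits.append((e["id"], "T1071.001", "shell made an outbound connection"))
        elif e["kind"] == "file":
            path = e["path"].lower()
            if path.endswith(".exe") and "\\appdata\\" in path:
                hits.append((e["id"], "T1105", "executable dropped under AppData"))
    return hits


def backward_slice(preds, start):
    """Part 3a: backward causality walk from one node.
    Returns (reachable nodes, ids of the events forming the edges walked)."""
    seen, stack, event_ids = {start}, [start], set()
    while stack:
        node = stack.pop()
        for src, eid in preds.get(node, []):
            event_ids.add(eid)
            if src not in seen:
                seen.add(src)
                stack.append(src)
    return seen, event_ids


def reconstruct_chain(events, trigger_event_id):
    """Part 3b: from a triggering detection, keep only the unit detections
    on its causal history, ordered by time (event id)."""
    preds = build_graph(events)
    hits = detect_units(events)
    trigger = next(e for e in events if e["id"] == trigger_event_id)
    _, causal = backward_slice(preds, ("proc", trigger["host"], trigger["pid"]))
    causal.add(trigger_event_id)
    on_chain = sorted((h for h in hits if h[0] in causal), key=lambda h: h[0])
    return [technique for _, technique, _ in on_chain]


if __name__ == "__main__":
    for eid, tech, why in detect_units(EVENTS):
        print(f"unit detection: event {eid} -> {tech} ({why})")
    print("chain from event 7:", " -> ".join(reconstruct_chain(EVENTS, 7)))
```

Starting from the Run-key detection (event 7), the backward slice reaches the dropper, the PowerShell process, its network connection and the Office parent, so the chain comes out as T1204.002, T1059.001, T1071.001, T1105, T1547.001; the explorer.exe event shares no ancestry and is excluded even though it occurred in the same window. Real deployments need the extra machinery the paper's references cover (cross-host tracking, log reduction, dependency-explosion control), which this sketch omits.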
Keywords
APT; MITRE ATT&CK; TTPs; Attack Chain; Reconstruction;
References
1 Alfonso Valdes and Keith Skinner, "Probabilistic alert correlation," International Workshop on Recent Advances in Intrusion Detection (RAID), pp. 54-68, Oct. 2001
2 Elastic, Elastic Common Schema, https://elastic.co/guide/en/ecs/1.12/index.html, accessed on Jan. 2022
3 MITRE Center for Threat Informed Defense, Adversary Emulation Library, https://github.com/center-for-threat-informed-defense/adversary_emulation_library, accessed on Jul. 2021
4 Microsoft Sysinternals Sysmon, https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon, accessed on Jan. 2022
5 Peng Ning, Yun Cui and Douglas S. Reeves, "Analyzing intensive intrusion alerts via correlation," International Workshop on Recent Advances in Intrusion Detection (RAID), pp. 74-94, Oct. 2002
6 Yang Ji, et al., "Enabling refinable cross-host attack investigation with efficient data flow tagging and tracking," 27th USENIX Security Symposium (USENIX Security '18), pp. 1705-1722, Aug. 2018
7 Shiqing Ma et al., "Kernel-supported cost-effective audit logging for causality tracking," 2018 USENIX Annual Technical Conference (USENIX ATC 18), pp. 241-254, Jul. 2018
8 OTRF, OSSEM Detection Model (DM), https://github.com/OTRF/OSSEM-DM, accessed on Oct. 2021
9 Ryan Wright, Alan Fern, Anthony Williams, James Cheney, Ghita Berrada and Sid Ahmed Benabderrahmane, "A diagnostics approach for persistence threat detection (ADAPT)," AFRL-RY-WP-TR-2019-0140, Galois, Inc., Nov. 2019
10 Josyula Rao, Yan Chen, R. Sekar, Venkat Venkatakrishnan, "Mitigating advanced and persistent threat (APT) damage by reasoning with provenance in large enterprise network (MARPLE) Program," AFRL-RY-WP-TR-2019-0285, International Business Machines Corporation, Jan. 2020
11 OASIS, STIX Version 2.1 Specification, https://docs.oasis-open.org/cti/stix/v2.1/os/stix-v2.1-os.html, accessed on Mar. 2022
12 FireEye, "Naval Information Warfare Systems Command (NAVWAR) Awards FireEye First Place in Network Threat Detection Challenge," https://www.fireeye.com/company/press-releases/2021/naval-information-warfare-systems-command-navwar-awards-fireeye-firstplace.html, accessed on Mar. 2022
13 MITRE, ATT&CK, https://attack.mitre.org/, accessed on Mar. 2022
14 PEStudio, https://winitor.com, accessed on Mar. 2022
15 Frederic Cuppens, "Managing alerts in a multi-intrusion detection environment," Proceedings of the 17th Annual Computer Security Applications Conference, pp. 22-31, Dec. 2001
16 Samuel T. King and Peter M. Chen, "Backtracking intrusions," Proceedings of the 2003 Symposium on Operating Systems Principles, pp. 223-236, Oct. 2003
17 Frederic Cuppens and Alexandre Miege, "Alert correlation in a cooperative intrusion detection framework," Proceedings 2002 IEEE Symposium on Security and Privacy, pp. 202-215, May 2002
18 Benjamin Morin, Ludovic Me, Herve Debar and Mireille Ducasse, "M2D2: A formal data model for IDS alert correlation," International Workshop on Recent Advances in Intrusion Detection (RAID), pp. 115-137, Oct. 2002
19 Hanli Ren, Natalia Stakhanova and Ali A. Ghorbani, "An online adaptive approach to alert correlation," International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pp. 153-172, Jul. 2010
20 Samuel T. King, Z. Morley Mao, Dominic G. Lucchetti and Peter M. Chen, "Enriching intrusion alerts through multi-host causality," Proceedings of Network and Distributed System Security Symposium (NDSS), Feb. 2005
21 Md Nahid Hossain et al., "SLEUTH: Real-time attack scenario reconstruction from COTS audit data," 26th USENIX Security Symposium (USENIX Security 17), pp. 487-504, Aug. 2017
22 Sadegh M. Milajerdi et al., "HOLMES: Real-time APT detection through correlation of suspicious information flows," 2019 IEEE Symposium on Security and Privacy, pp. 1137-1152, May 2019
23 Center for Threat Informed Defense, Attack Flow, https://ctid.mitre-engenuity.org/our-work/attack-flow/, accessed on Mar. 2022
24 Chunlin Xiong et al., "CONAN: A practical real-time APT detection system with high accuracy and efficiency," IEEE Transactions on Dependable and Secure Computing, vol. 19, no. 1, pp. 551-565, Feb. 2020
25 Kexin Pei, et al., "HERCULE: Attack story reconstruction via community discovery on correlated log graph," Proceedings of the 32nd Annual Conference on Computer Security Applications, pp. 583-595, Dec. 2016
26 Jun Zeng, et al., "WATSON: Abstracting behaviors from audit logs via aggregation of contextual semantics," Proceedings of the 28th Annual Network and Distributed System Security Symposium (NDSS), pp. 1-18, Feb. 2021
27 Defense Advanced Research Projects Agency (DARPA), Transparent Computing (Archived), https://www.darpa.mil/program/transparent-computing, accessed on Mar. 2022
28 Amanda Strnad, Quy Messiter, Robert Watson, Lucian Carata, Jonathan Anderson and Brian Kidney, "Causal, adaptive, distributed, and efficient tracing system (CADETS)," AFRL-RY-WP-TR-2019-0115, BAE Systems, Sep. 2019
29 Michael Gordon, Jordan Eikenberry, Anthony Eden, Jeffrey Perkins, Malavika Samak, Henny Sipma and Martin Rinard, "ClearScope: Full stack provenance graph generation for transparent computing on mobile devices," AFRL-RY-WP-TR-2020-0013, Massachusetts Institute of Technology, Jul. 2020
30 Gabriela Ciocarlie, "Tracking and analysis of causality at enterprise-level (TRACE)," AFRL-RY-WP-TR-2019-0337, SRI International, Mar. 2022
31 KISA, "TTPs #6 Target Watering Hole Attack Strategy Analysis," Sep. 2021, https://www.krcert.or.kr/filedownload.do?attack_file_seq=3277&attach_file_id=EpF3277.pdf, accessed on Mar. 2022
32 Herve Debar and Andreas Wespi, "Aggregation and correlation of intrusion-detection alerts," International Workshop on Recent Advances in Intrusion Detection (RAID), pp. 85-103, Oct. 2001
33 Faeiz Alserhani, Monis Akhlaq, Irfan U. Awan, Andrea J. Cullen and Pravin Mirchandani, "MARS: multi-stage attack recognition system," 2010 24th IEEE International Conference on Advanced Information Networking and Applications (AINA), pp. 753-759, Apr. 2010
34 Bin Zhu and Ali A. Ghorbani, "Alert correlation for extracting attack strategies," International Journal on Network Security, vol. 3, no. 3, pp. 244-258, Nov. 2006
35 MITRE ATT&CK, Data Sources, https://attack.mitre.org/datasources, accessed on Oct. 2021
36 Zeek, https://zeek.org, accessed on Jan. 2022
37 SwiftOnSecurity, Sysmon Config, https://github.com/SwiftOnSecurity/sysmon-config, accessed on Jan. 2022
38 Neo23x0, auditd, https://github.com/Neo23x0/auditd, accessed on Jan. 2022
39 Suricata, https://suricata.io, accessed on Jan. 2022
40 Elastic, Elastic Stack, https://elastic.co/elastic-stack, accessed on Mar. 2022
41 MITRE, CAR (Cyber Analytics Repository), https://github.com/mitre-attack/car, accessed on Mar. 2022
42 SigmaHQ, Sigma, https://github.com/SigmaHQ/sigma, accessed on Mar. 2022
43 Elastic, Elastic Detection Rules, https://github.com/elastic/detection-rules, accessed on Mar. 2022
44 pfSense, https://www.pfsense.org, accessed on Jan. 2022
45 Pupy, https://github.com/n1nj4sec/pupy, accessed on Jul. 2021
46 PoshC2, https://github.com/netitude/PoshC2, accessed on Jul. 2021
47 Metasploit, https://github.com/rapid7/metasploit-framework, accessed on Jul. 2021
48 MITRE Engenuity, ATT&CK Evaluations, https://attackevals.mitre-engenuity.org, accessed on Mar. 2022
49 Cesar Ghali, Gene Tsudik and Ersin Uzun, "Needle in a haystack: Mitigating content poisoning in named-data networking," Proceedings of NDSS workshop on security of emerging networking technologies (SENT), Feb. 2014
50 Steven T. Eckmann, Giovanni Vigna and Richard A. Kemmerer, "STATL: An attack language for state-based intrusion detection," Journal of Computer Security, vol. 10, no. 1-2, pp. 71-103, 2002