• Title/Summary/Keyword: ATT

Implementation of an APT Attack Detection System through ATT&CK-Based Attack Chain Reconstruction (ATT&CK 기반 공격체인 구성을 통한 APT 공격탐지 시스템 구현)

  • Cho, Sungyoung; Park, Yongwoo; Lee, Kyeongsik
    • Journal of the Korea Institute of Information Security & Cryptology / v.32 no.3 / pp.527-545 / 2022
  • In order to effectively detect APT attacks performed by well-organized adversaries, we implemented a system that detects attacks by reconstructing the attack chains of APT attacks. Our attack chain-based APT attack detection system consists of an 'events collection and indexing' part, which collects various events generated by hosts and network monitoring tools; a 'unit attack detection' part, which detects unit-level attacks defined as MITRE ATT&CK® techniques; and an 'attack chain reconstruction' part, which reconstructs attack chains by performing causality analysis based on provenance graphs. To evaluate our system, we implemented a test-bed and conducted several simulated attack scenarios provided by the MITRE ATT&CK Evaluation program. As a result of the experiment, we were able to confirm that our system effectively reconstructed the attack chains for the simulated attack scenarios. Using the system implemented in this study, rather than understanding attacks as fragmentary parts, it will be possible to understand and respond to attacks from the perspective of the progression of an attack.

Genome Diversification by Phage-Derived Genomic Islands in Pseudomonas aeruginosa

  • Kim, Seol-Hee; Lee, Kyoung-Boon; Lee, Ji-Sun; Cho, You-Hee
    • Journal of Microbiology and Biotechnology / v.13 no.5 / pp.783-788 / 2003
  • A 27 bp $tRNA^{Gly}$ region (att1) was identified as the integration site for a 12,384 bp Pf1-derived genomic island containing 15 open reading frames (ORFs), from PA0715 to PA0729, in P. aeruginosa strain PAO1. A homologous island was observed in P. aeruginosa strain PA14, but not in P. aeruginosa strain K (PAK). We isolated the Pf1 island from PA14 and determined its 10,657 bp sequence containing 14 ORFs, with significant sequence variations near the borders. In contrast to the PAO1 Pf1 island, the PA14 Pf1 island was integrated at the 10 bp att2 site between PA1191 and PA1192. The att1 site of PA14, however, was still occupied by a third genetic segment, whereas both the att1 and att2 sites of PAK remained unutilized. These results exemplify an extensive genomic variation of Pf1-related islands involving differential genetic organizations and differential att site utilizations.

The Design and Implementation of Simulated Threat Generator based on MITRE ATT&CK for Cyber Warfare Training (사이버전 훈련을 위한 ATT&CK 기반 모의 위협 발생기 설계 및 구현)

  • Hong, Suyoun; Kim, Kwangsoo; Kim, Taekyu
    • Journal of the Korea Institute of Military Science and Technology / v.22 no.6 / pp.797-805 / 2019
  • Threats targeting cyberspace are becoming more intelligent and are increasing day by day. To cope with such cyber threats, it is essential to improve the response capability of system security officers. In this paper, we propose a simulated threat generator that automatically generates cyber threats for cyber defense training. The proposed Simulated Threat Generator is designed around the MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework so that an evolving cyber threat can easily be added and the next threat can be selected based on the result of executing the previous one.

Construction of Transformation Method for Streptomyces scabiei ATCC 49173 Producing Phytotoxin (식물독소를 생산하는 Streptomyces scabiei ATCC 49173의 형질전환법 구축)

  • Jang, Bo-Youn; Ha, Heon-Su; Choi, Sun-Uk
    • KSBB Journal / v.25 no.2 / pp.167-172 / 2010
  • Streptomyces scabiei produces a phytotoxin called thaxtomin, which causes scab disease on economically important crops such as potato. For molecular genetic studies of S. scabiei, an effective transformation method was established based on conjugal transfer from Escherichia coli ET12567 (pUZ8002) using a phiC31-derived integration vector, pSET152, containing oriT and attP fragments. The highest frequency was obtained on MS medium containing 50 mM $MgCl_2$. In addition, the sequence and location of the chromosomal integration site (attB) of S. scabiei were identified for the first time in thaxtomin-producing strains, by Southern blot analysis of exconjugants and by sequencing a plasmid containing the DNA flanking the insertion site from the exconjugant chromosome. Similar to the case of other Streptomyces species, a single phiC31 attB site of S. scabiei is present within an ORF encoding a pirin homolog.

Conjugal Transfer of Plasmid DNA from Escherichia coli to Streptomyces lavendulae FRI-5

  • Kitani, Shigeru; Bibb, Mervyn J.; Nihira, Takuya; Yamada, Yasuhiro
    • Journal of Microbiology and Biotechnology / v.10 no.4 / pp.535-538 / 2000
  • Streptomyces lavendulae FRI-5 produces the $\gamma$-butyrolactone autoregulator IM-2, which is required for nucleoside antibiotic production. We have developed a system for introducing DNA into S. lavendulae FRI-5 via conjugal transfer from Escherichia coli. Conditions were established for conjugation of the oriT- and attP-containing plasmid pSET152 from E. coli ET12567 (pUZ8002) to FRI-5. Conjugation resulted in integration of the plasmid at the chromosomal φC31 attB site. The frequency of intergeneric conjugation varied with the medium used. The highest frequency ($1.6\times10^{-5}$ per recipient) was obtained on ISP medium 2 containing 10 mM $MgCl_2$. Southern blot and phenotypic analyses of exconjugants revealed that S. lavendulae FRI-5 contains a unique φC31 attB site, and that integration of heterologous DNA into the attB site did not interfere with morphological differentiation or IM-2-dependent signal transduction, including the production of a blue pigment. This system will now enable detailed genetic analysis of the regulation of antibiotic production in S. lavendulae FRI-5.

MITRE ATT&CK and Anomaly detection based abnormal attack detection technology research (MITRE ATT&CK 및 Anomaly Detection 기반 이상 공격징후 탐지기술 연구)

  • Hwang, Chan-Woong; Bae, Sung-Ho; Lee, Tae-Jin
    • Convergence Security Journal / v.21 no.3 / pp.13-23 / 2021
  • Attackers' techniques and tools are becoming intelligent and sophisticated. Existing anti-virus software cannot prevent security incidents, so security threats on the endpoint should also be considered. Recently, EDR security solutions to protect endpoints have emerged, but they focus on visibility; detection and response capability are still lacking. In this paper, we use real-world EDR event logs and combine knowledge-based MITRE ATT&CK mapping with autoencoder-based anomaly detection to detect anomalies, in order to screen effective analysis targets from a security manager's perspective. Detected signs of anomalous attacks are then shown to the security manager as an alarm together with the log information, and can be connected to legacy systems. The experiment analyzed EDR event logs collected over 5 days and verified the detections with a Hybrid Analysis search. The approach is therefore expected to indicate when, and which IPs and processes, are suspicious based on the EDR event log, and to create a secure endpoint environment through measures taken on the suspicious IP/process.

Vulnerability Mitigation System Construction Method Based on ATT&CK in Military Internal Network Environment (국방 네트워크 환경에서 ATT&CK 기반 취약점 완화 체계 구축 방안)

  • Ahn, Gwang Hyun; Lee, Hanhee; Park, Won Hyung; Kang, Ji Won
    • Convergence Security Journal / v.20 no.4 / pp.135-141 / 2020
  • The Ministry of National Defense is strengthening the power and capacity of its cyber operations as cyber protection training is conducted. However, considering the level of enemy cyber attack capability, the level of cyber defense capability of the Ministry of National Defense is significantly low, and the protection measures and response system for responding to cyber threats to military networks are not clearly designed, falling short of the level of cyber security capability of the public and private sectors. Therefore, this paper investigates and verifies the establishment of a military internal network vulnerability mitigation system which, referring to domestic and foreign cyber security frameworks, applies attacker intention, tactics, techniques and procedures information (the ATT&CK Framework), identified main threat information for military internal networks, and military information system security requirements with military specificity as the factors from which a defense network vulnerability mitigation system can be established. It has the advantage of having.

Cyberattack Goal Classification Based on MITRE ATT&CK: CIA Labeling (MITRE ATT&CK 기반 사이버 공격 목표 분류 : CIA 라벨링)

  • Shin, Chan Ho; Choi, Chang-hee
    • Journal of Internet Computing and Services / v.23 no.6 / pp.15-26 / 2022
  • Various actors are carrying out cyberattacks using a variety of tactics and techniques. Additionally, cyberattacks for political and economic purposes are also being carried out by groups sponsored by their nation-states. To deal with cyberattacks, researchers used to classify the malware family and the actors behind the attack based on malware signatures. Unfortunately, attackers can easily masquerade as another group. Also, as attacks vary with actor, technique, and purpose, it is more effective for defenders to identify the attacker's purpose and goal in order to respond appropriately. The essential goal of cyberattacks is to threaten the information security of the target assets. Information security is achieved by preserving the confidentiality, integrity, and availability of the assets. In this paper, we relabel the attacker's goal based on MITRE ATT&CK® from the viewpoint of the CIA triad, and classify cyber security reports to verify the labeling method. Experimental results show that the model classified the proposed CIA label with at most 80% probability.

An APT Attack Scoring Method Using MITRE ATT&CK (MITRE ATT&CK을 이용한 APT 공격 스코어링 방법 연구)

  • Cho, Sungyoung; Park, Yongwoo; Lee, Kunho; Choi, Changhee; Shin, Chanho; Lee, Kyeongsik
    • Journal of the Korea Institute of Information Security & Cryptology / v.32 no.4 / pp.673-689 / 2022
  • We propose an APT attack scoring method as a part of the process for detecting and responding to APT attacks. First, unlike previous work that considered inconsistent and subjective factors determined by cyber security experts when scoring cyber attacks, we identify quantifiable factors from the components of MITRE ATT&CK techniques and propose a method of quantifying each identified factor. Then, we propose a method of calculating the score of a unit attack technique from the quantified factors, and the score of an entire APT attack composed of one or more attack techniques. We show that the threat level and urgency of cyber attacks can be quantified by applying the proposed scoring method to APT attack reports that contain hundreds of APT attack cases that occurred worldwide. Using our work, it will be possible to determine whether actual cyber attacks have occurred during APT attack detection, and to respond to more urgent and important cyber attacks by estimating the priority of APT attacks.

A Quantitative Security Metric Based on MITRE ATT&CK for Risk Management (위험 관리를 위한 MITRE ATT&CK 기반의 정량적 보안 지표)

  • Kim, Haerin; Lee, Seungwoon; Hong, Su-Youn
    • Journal of the Korea Institute of Information Security & Cryptology / v.34 no.1 / pp.53-60 / 2024
  • Security assessment is an indispensable process for a secure network, and appropriate performance indicators must be present to manage risks. The most widely used quantitative indicator is CVSS. CVSS has the problem that it cannot consider context, in terms of subjectivity, complexity of interpretation, and security risk. To compensate for these problems, we propose indicators that itemize and quantify four things: attackers, threats, responses, and assets, taking into account the security context of the ISO/IEC 15408 documents. Vulnerabilities discovered through network scanning can be mapped to MITRE ATT&CK techniques through the connection between weaknesses and attack patterns (CAPEC). We use MITRE ATT&CK's Groups, Tactics, and Mitigations to produce consistent and intuitive scores. Accordingly, it is expected that security evaluation managers will have a positive impact on strengthening the security of corporate networks and similar environments by expanding the range of choices among security indicators from various perspectives.