    The appearance of new forms of cyber-threats, such as Multi-Stage Attacks (MSAs), creates new challenges to which Intrusion Detection Systems (IDSs) need to adapt. An MSA is launched in multiple sequential stages, which may not be malicious when executed individually, making the detection of MSAs extremely challenging for most current IDSs. In this paper, we present a novel IDS that exploits contextual information in the form of Pattern-of-Life (PoL), together with information derived from expert judgment on the network behaviour. This IDS focuses on detecting an MSA in real time, without a prior training process. The main goal of the MSA is to create a Point of Entry (PoE) to a target machine, which could be used as part of an Advanced Persistent Threat (APT)-like attack. Our results verify that the use of contextual information improves the efficiency of our IDS by enhancing the real-time detection rate of MSAs by 58%.

    Advanced Persistent Threats in Cybersecurity – Cyber Warfare

    A comprehensive analysis of Advanced Persistent Threats (APTs), including their characteristics, origins, methods, consequences and defense strategies, with an emphasis on detecting these threats. The concept of advanced persistent threats is explored in the context of cyber security and cyber warfare. APTs represent one of the most insidious and challenging forms of cyber threats, characterized by their sophistication, persistence and targeted nature. This book analyzes the origins, characteristics and methods used by APT actors. It also explores the complexities associated with APT detection, analyzing the evolving tactics used by threat actors and the corresponding advances in detection methodologies. The book highlights the importance of a multi-faceted approach that integrates technological innovations with proactive defense strategies to effectively identify and mitigate APTs.

    Hidden Markov models and alert correlations for the prediction of advanced persistent threats

    Cyber security has become a matter of global interest, and several attacks target industrial companies and governmental organizations. Advanced persistent threats (APTs) have emerged as a new and complex version of multi-stage attacks (MSAs), targeting selected companies and organizations. Current APT detection systems focus on raising detection alerts rather than predicting APTs. Forecasting the APT stages not only reveals the APT life cycle in its early stages but also helps to understand the attacker's strategies and aims. This paper proposes a novel intrusion detection system for APT detection and prediction. This system undergoes two main phases; the first one achieves the attack scenario reconstruction. This phase has a correlation framework to link the elementary alerts that belong to the same APT campaign. The correlation is based on matching the attributes of the elementary alerts that are generated over a configurable time window. The second phase of the proposed system is the attack decoding. This phase utilizes a hidden Markov model (HMM) to determine the most likely sequence of APT stages for a given sequence of correlated alerts. Moreover, a prediction algorithm is developed to predict the next step of the APT campaign after computing the probability of each APT stage being the attacker's next step. The proposed approach estimates the sequence of APT stages with a prediction accuracy of at least 91.80%. In addition, it predicts the next step of the APT campaign with an accuracy of 66.50%, 92.70%, and 100% based on two, three, and four correlated alerts, respectively.

    The Gulf Science, Innovation and Knowledge Economy Programme of the U.K. Government under UK-Gulf Institutional Link Grant IL 279339985 and in part by the Engineering and Physical Sciences Research Council (EPSRC), U.K., under Grant EP/R006385/1.

    A system dynamics approach to evaluate advanced persistent threat vectors

    Cyber-attacks targeting high-profile entities are focused, persistent, and employ common vectors with varying levels of sophistication to exploit socio-technical vulnerabilities. Advanced persistent threats (APTs) deploy zero-day malware against such targets to gain entry through multiple security layers, exploiting the dynamic interplay of vulnerabilities in the target network. System dynamics (SD) offers an alternative approach to analyzing non-linear, complex, and dynamic socio-technical systems. This research applied SD to three high-profile APT attacks (Equifax, Carphone, and Zomato) to identify and simulate the socio-technical variables leading to the breaches. By modeling APTs using SD, managers can evaluate threats, predict attacks, and reduce damage by mitigating specific socio-technical cues. This study provides valuable insights into the dynamics of cyber threats, and is the first to apply SD to APTs.

    Advanced Persistent Threats in Cybersecurity – Cyber Warfare

    This book aims to provide a comprehensive analysis of Advanced Persistent Threats (APTs), including their characteristics, origins, methods, consequences, and defense strategies, with a focus on detecting these threats. It explores the concept of advanced persistent threats in the context of cyber security and cyber warfare. APTs represent one of the most insidious and challenging forms of cyber threats, characterized by their sophistication, persistence, and targeted nature. The paper examines the origins, characteristics and methods used by APT actors. It also explores the complexities associated with APT detection, analyzing the evolving tactics used by threat actors and the corresponding advances in detection methodologies. It highlights the importance of a multi-faceted approach that integrates technological innovations with proactive defense strategies to effectively identify and mitigate APTs.

    Advanced Persistent Threats in Cybersecurity – Cyber Warfare

    This book aims to provide a comprehensive analysis of advanced persistent threats, including their characteristics, origins, methods, consequences and defense strategies, with an emphasis on detecting these threats. It explores the concept of advanced persistent threats in the context of cybersecurity and cyber warfare. Advanced persistent threats represent one of the most insidious and complex forms of cyber threats, characterized by their sophistication, persistence and targeted nature. The book examines the origins, characteristics and methods used by advanced persistent threat actors. It also explores the complexities associated with detecting advanced persistent threats, analyzing the evolution of the tactics used by threat actors and the corresponding advances in detection methodologies. It highlights the importance of a multidimensional approach that integrates technological innovations with proactive defense strategies to effectively identify and mitigate advanced persistent threats.


    Advanced persistent threats (APTs) are determined, adaptive, and stealthy threat actors in cyberspace. They are often hosted in, or sponsored by, adversary nation-states. As such, they are challenging opponents for both the U.S. military and the cyber-defense industry. Current defenses against APTs are largely reactive. This thesis used machine learning and game theory to test simulations of proactive defenses against APTs. We first applied machine learning to two benchmark APT datasets to classify APT network traffic by attack phase. This data was then used in a game model with reinforcement learning to learn the best tactics for both the APT attacker and the defender. The game model included security and resource levels, necessary conditions on actions, results of actions, success probabilities, and realistic costs and benefits for actions. The game model was run thousands of times with semi-random choices and reinforcement learning, through a program created by NPS Professor Neil Rowe. Results showed that our methods could model active cyber defense strategies for defenders against both historical and hypothetical APT campaigns. Our game model is an extensible planning tool to recommend actions for defenders in active cyber defense planning against APTs.

    Approved for public release. Distribution is unlimited.

    Captain, United States Marine Corps. DISA, Arlington, VA, 2220

