From TTP to IoC: Advanced Persistent Graphs for Threat Hunting

Defenders fighting against Advanced Persistent Threats need to discover the propagation area of an adversary as quickly as possible. This discovery takes place through a phase of an incident response operation called Threat Hunting, where defenders track down attackers within the compromised network...

Full description

Saved in:
Bibliographic Details
Published in:IEEE eTransactions on network and service management 2021-06, Vol.18 (2), p.1321-1333
Main Authors: Berady, Aimad, Jaume, Mathieu, Tong, Valerie Viet Triem, Guette, Gilles
Format: Article
Language:English
Subjects:
Advanced persistent threat
Companies
Computer Science
Cryptography and Security
Graphs
Hunting
Intelligence gathering
IOC
IP networks
Knowledge engineering
MIMICs
Monitoring
Process control
Sensors
SIEM
tactics techniques procedures
Threat evaluation
threat hunting
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Defenders fighting against Advanced Persistent Threats need to discover the propagation area of an adversary as quickly as possible. This discovery takes place through a phase of an incident response operation called Threat Hunting, where defenders track down attackers within the compromised network. In this article, we propose a formal model that dissects and abstracts elements of an attack, from both attacker and defender perspectives. This model leads to the construction of two persistent graphs on a common set of objects and components allowing for (1) an omniscient actor to compare, for both defender and attacker, the gap in knowledge and perceptions; (2) the attacker to become aware of the traces left on the targeted network; (3) the defender to improve the quality of Threat Hunting by identifying false-positives and adapting logging policy to be oriented for investigations. In this article, we challenge this model using an attack campaign mimicking APT29, a real-world threat, in a scenario designed by the MITRE Corporation. We measure the quality of the defensive architecture experimentally and then determine the most effective strategy to exploit data collected by the defender in order to extract actionable Cyber Threat Intelligence, and finally unveil the attacker.
ISSN:1932-4537
1932-4537
DOI:10.1109/TNSM.2021.3056999