Threats that have been primarily targeting nation states and their associated entities have expanded the target zone to include the private and corporate sectors. This class of threats, well known as advanced persistent threats (APTs), are those that every nation and well-established organization fears and wants to protect itself against. While nation-sponsored APT attacks will always be marked by their sophistication, APT attacks that have become prominent in corporate sectors do not make it any less challenging for the organizations. The rate at which the attack tools and techniques are evolving is making any existing security measures inadequate. As defenders strive to secure every endpoint and every link within their networks, attackers are finding new ways to penetrate into their target systems. With each day bringing new forms of malware, having new signatures and behavior that is close to normal, a single threat detection system would not suffice. While it requires time and patience to perform APT, solutions that adapt to the changing behavior of APT attacker(s) are required. Several works have been published on detecting an APT attack at one or two of its stages, but very limited research exists in detecting APT as a whole from reconnaissance to cleanup, as such a solution demands complex correlation and fine-grained behavior analysis of users and systems within and across networks. Through this survey paper, we intend to bring all those methods and techniques that could be used to detect different stages of APT attacks, learning methods that need to be applied and where to make your threat detection framework smart and undecipherable for those adapting APT attackers. We also present different case studies of APT attacks, different monitoring methods, and mitigation methods to be employed for fine-grained control of security of a networked system. We conclude this paper with different challenges in defending against APT and opportunities for further research, ending with a note on what we learned during our writing of this paper.

A Survey on Advanced Persistent Threats: Techniques, Solutions, Challenges, and Research Opportunities

Analysis of high volumes of network traffic for Advanced Persistent Threat detection

Advanced persistent threats (APTs) pose a significant risk to nearly every infrastructure. Due to the sophistication of these attacks, they are able to bypass existing security systems and largely infiltrate the target network. The prevention and detection of APT campaigns is also challenging, because of the fact that the attackers constantly change and evolve their advanced techniques and methods to stay undetected. In this paper we analyze 22 different APT reports and give an overview of the used techniques and methods. The analysis is focused on the three main phases of APT campaigns that allow to identify the relevant characteristics of such attacks. For each phase we describe the most commonly used techniques and methods. Through this analysis we could reveal different relevant characteristics of APT campaigns, for example that the usage of 0-day exploit is not common for APT attacks. Furthermore, the analysis shows that the dumping of credentials is a relevant step in the lateral movement phase for most APT campaigns. Based on the identified characteristics, we also propose concrete prevention and detection approaches that make it possible to identify crucial malicious activities that are performed during APT campaigns.

Advanced persistent threats: Behind the scenes

Recently in the connected digital world, targeted attack has become one of the most serious threats to conventional computing systems. Advanced persistent threat (APT) is currently one of the most important threats considering the information security concept. APT persistently collects data from a specific target by exploiting vulnerabilities using diverse attack techniques. Many researchers have contributed to find approaches and solutions to fight against network intrusion and malicious software. However, only a few of these solutions are particularly focused on APT. In this paper, we introduce a structured study on semantic-aware work to find potential contributions that analyze and detect APT in details. We propose modeling phase that discusses the typical steps in APT attacks to collect the desired information by attackers. Our research explores social network and web infrastructure exploitation as well as communication protocols and much more for future networks and communications. The paper also includes some recent Zero-day attacks, use case scenarios and cyber trends in southeastern countries. To overcome these challenges and attacks, we introduce a detailed comprehensive literature evaluation scheme that classifies and provides countermeasures of APT attack behavior. Furthermore, we discuss future research direction of APT defense framework of next-generation threat life cycle.

A comprehensive study on APT attacks and countermeasures for future networks and communications: challenges and solutions

A systematic survey on multi-step attack detection

Detecting and defending against Multi-Stage Advanced Persistent Threats (APT) Attacks is a challenge for mechanisms that are static in its nature and are based on blacklisting and malware signature techniques. Blacklists and malware signatures are designed to detect known attacks. But multi-stage attacks are dynamic, conducted in parallel and use several attack paths and can be conducted in multi-year campaigns, in order to reach the desired effect. In this paper the design principles of a framework are presented that model Multi-Stage Attacks in a way that both describes the attack methods as well as the anticipated effects of attacks. The foundation to model behaviors is by the combination of the Intrusion Kill-Chain attack model and defense patterns (i.e. a hypothesis based approach of known patterns). The implementation of the framework is made by using Apache Hadoop with a logic layer that supports the evaluation of a hypothesis.

Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks

The simulation process involves the collaboration of different participants, such as simulation analysts, programmers, statisticians, and users of the simulation software. Many simulation tasks such as modeling, verification, validation, and design for experimentation require the participants to meet. It is understood that these meetings are time-consuming and expensive. This paper proposes a collaborative environment to help with the tasks of discrete event simulation software development using the World Wide Web platform. The environment, named GroupSim, is based on a collaborative computer system and uses the concepts of distributed modeling with automatic program generation and distributed control of experimentation. The authors show some examples to illustrate the use of the environment and discuss some issues related to collaborative environments such as concurrency control, access control, awareness, and performance.

GroupSim: A Collaborative Environment for Discrete Event Simulation Software Development for the World Wide Web:

Evaluating the impact that events within the cyber domain inflict to a military operation and its critical infrastructure is a non-trivial question, which remains unanswered so far in spite of the various research efforts addressing it. The key issue underlying this question is the difficulty in correlating cyber and physical behaviors in an integrated view, thus allowing for real-time task evaluation. This paper addresses the issue with the development of an ontology-based framework in which the cyber and physical behaviors are integrated in a consolidated view, using a combination of open standards protocols and semantic technologies. In our approach, the mission and its physical aspects are modeled using a business process language (e.g., BPMN) and an information infrastructure based on Simple Network Management Protocol (SNMP). In this scheme, changes in the environment are captured using the output of sensor components existing in the infrastructure. In order to ensure a complete and integrated analysis of the accruing data, we have developed a Cyber Situation ontology (in OWL language) and a methodology for mapping the cyber and the physical domains. In this framework, mission data from the environment is retrieved and fused using an engine based on the semantic rule language (SWRL). The output of this process is then presented to an analyst in a way that only the most important information needed to support his/her decisions is shown. To validate our approach, a fictitious air traffic scenario was modeled and many simulated flights were generated in support to our experiments.

/pdf/a-semantic-approach-to-evaluate-the-impact-of-cyber-actions-103opxmz4l.pdf

A Semantic Approach to Evaluate the Impact of Cyber Actions to the Physical Domain.

The use of cyberspace as a platform for military operations presents many new research challenges. This paper focuses on the specific problem of assessing the impact of an event in the cyber domain (e.g. a cyber attack) on the missions it supports. The approach involves the use of Cyber-ARGUS, a C2 simulation framework, along with semantic technologies to provide consistent mapping between domains. Relevant information is stored in a semantic knowledge base about the nodes in the cyber domain, and then used to build a Bayesian network to provide impact assessment. The technique is illustrated through the simulation of an air transportation scenario in which the C2 infrastructure is subjected to various cyber attacks, and their associated impact to the operations is assessed.

/pdf/using-a-semantic-approach-to-cyber-impact-assessment-344bb3lkx7.pdf

Using a Semantic Approach to Cyber Impact Assessment

Computer systems are increasingly used in space, whether in launch vehicles, satellites, ground support and payload systems. Software applications used in these systems have become more complex, mainly due to the high number of features to be met, thus contributing to a greater probability of hazards related to software faults. Therefore, it is fundamental that the specification activity of requirements have a decisive role in the effort of obtaining systems with high quality and safety standards. In critical systems like the embedded software of the Brazilian Satellite Launcher, ambiguity, non-completeness, and lack of good requirements can cause serious accidents with economic, material and human losses. One way to assure quality with safety, reliability and other dependability attributes may be the use of safety analysis techniques during the initial phases of the project in order to identify the most adequate dependability requirements to minimize possible fault or failure occurrences during the subsequent phases. This paper presents a structured software dependability requirements analysis process that uses system software requirement specifications and traditional safety analysis techniques. The main goal of the process is to help to identify a set of essential software dependability requirements which can be added to the software requirement previously specified for the system. The final results are more complete, consistent, and reliable specifications.

http://www.jatm.com.br/papers/vol2_n3/JATMv2n3_p287-300_Identifying_dependability_requirements_for_space_software_systems.pdf

Edgar Toshiro Yano

Papers

Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks

GroupSim: A Collaborative Environment for Discrete Event Simulation Software Development for the World Wide Web:

A Semantic Approach to Evaluate the Impact of Cyber Actions to the Physical Domain.

Using a Semantic Approach to Cyber Impact Assessment

Identifying dependability requirements for space software systems