Research Article
Year 2023, , 471 - 477, 31.12.2023
https://doi.org/10.46519/ij3dptdi.1353341

DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS


Abstract

Cyber-attacks are moving toward a sophisticated, destructive, and persistent posture, as in the cases of Stuxnet, Dark Hotel, Poseidon, and Carbanak. Such attacks are called Advanced Persistent Threats (APTs): an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period. APT attacks threaten the main critical areas of today's digitalized life, covering critical infrastructures and the finance, energy, and aviation sectors. One of the most significant APT attacks was Stuxnet, which targeted the software controlling the programmable logic controllers (PLCs) that are, in turn, used to automate machine processes. Another was the Deep Panda attack discovered in 2015, which compromised over 4 million US personnel records in the course of the ongoing cyberwar between China and the US. This paper explains the difficulties of detecting APTs and examines some of the research in this area. In addition, we present a new approach to detecting APTs using a Security Information and Event Management (SIEM) solution: we recommend establishing APT rulesets in SIEM solutions built from the indicators that attacks leave behind. The three basic indicator types are considered in the rulesets and examined in detail.


Details

Primary Language English
Subjects Software Engineering (Other)
Journal Section Research Article
Authors

Adem Şimşek 0000-0002-3610-9812

Ahmet Koltuksuz 0000-0002-2205-6238

Early Pub Date December 25, 2023
Publication Date December 31, 2023
Submission Date August 31, 2023
Published in Issue Year 2023

Cite

APA Şimşek, A., & Koltuksuz, A. (2023). DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. International Journal of 3D Printing Technologies and Digital Industry, 7(3), 471-477. https://doi.org/10.46519/ij3dptdi.1353341
AMA Şimşek A, Koltuksuz A. DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. IJ3DPTDI. December 2023;7(3):471-477. doi:10.46519/ij3dptdi.1353341
Chicago Şimşek, Adem, and Ahmet Koltuksuz. “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”. International Journal of 3D Printing Technologies and Digital Industry 7, no. 3 (December 2023): 471-77. https://doi.org/10.46519/ij3dptdi.1353341.
EndNote Şimşek A, Koltuksuz A (December 1, 2023) DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. International Journal of 3D Printing Technologies and Digital Industry 7 3 471–477.
IEEE A. Şimşek and A. Koltuksuz, “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”, IJ3DPTDI, vol. 7, no. 3, pp. 471–477, 2023, doi: 10.46519/ij3dptdi.1353341.
ISNAD Şimşek, Adem - Koltuksuz, Ahmet. “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”. International Journal of 3D Printing Technologies and Digital Industry 7/3 (December 2023), 471-477. https://doi.org/10.46519/ij3dptdi.1353341.
JAMA Şimşek A, Koltuksuz A. DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. IJ3DPTDI. 2023;7:471–477.
MLA Şimşek, Adem and Ahmet Koltuksuz. “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”. International Journal of 3D Printing Technologies and Digital Industry, vol. 7, no. 3, 2023, pp. 471-7, doi:10.46519/ij3dptdi.1353341.
Vancouver Şimşek A, Koltuksuz A. DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. IJ3DPTDI. 2023;7(3):471-7.


The International Journal of 3D Printing Technologies and Digital Industry is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.