DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS

Yıl 2023, Cilt: 7 Sayı: 3, 471 - 477, 31.12.2023

Adem Şimşek , Ahmet Koltuksuz

https://doi.org/10.46519/ij3dptdi.1353341

Öz

Cyber-attacks move towards a sophisticated, destructive, and persistent position, as in the case of Stuxnet, Dark Hotel, Poseidon, and Carbanak. These attacks are called Advanced Persistent Threats (APTs), in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period. APT attacks threaten the main critical areas of today's digitalized life. This threat covers critical infrastructures, finance, energy, and aviation agencies. One of the most significant APT attacks was Stuxnet, which targeted the software controlling the programmable logic controllers (PLCs) that are, in turn, used to automate machine processes. The other one was the Deep Panda attack discovered in 2015, which compromised over 4 million US personnel records because of the ongoing cyberwar between China and the US. This paper explains the difficulties of detecting APTs and examines some of the research in this area. In addition, we also present a new approach to detecting APTs using the Security Information and Event Management (SIEM) solution. In this approach, we recommend establishing APT rulesets in SIEM solutions using the indicators left behind by the attacks. The three basic indicator types are considered in the rulesets and are examined in detail.

Anahtar Kelimeler

Cyber Security, Cyber War, APT, SIEM, Intrusion Detection System

Kaynakça

• 1. J. Lee, B. Bagheri, H. Kao, "A Cyber-Physical Systems architecture for Industry 4.0-based manufacturing systems", Manufacturing Letters, Vol. 3, January 2015, Pages 18-23.
• 2. C. Tankard, "Advanced Persistent threats and how to monitor and deter them", Network Security, Vol. 2011, Issue 8, 2011, Pages 16-19.
• 3. Harknett, R. J. and Stever, J. A., "The New Policy World of Cybersecurity", Public Administration Review, Vol. 71, 2011, Pages 455-460. 4. M. Kenney, “Cyber-terrorism in a post-stuxnet world,” Orbis, Vol. 59, Issue 1, Pages. 111–128, 2015.
• 5. Kaspersky Lab, "The Darkhotel Apt - A Story Of Unusual Hospitality", Version 1.1, November 2014.
• 6. Kaspersky Lab, "Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage", https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/, October 1, 2018.
• 7. Group IB and Fox It, "Anunak: APT Against Financial Institutions". https://www.group-ib.com/resources/research-hub/anunak-apt/, October 2, 2018.
• 8. P. S. Radzikowski, "CyberSecurity: Expanded Look at the APT Life Cycle and Mitigation", http://drshem.com/2016/02/11/cybersecurity-expanded-look-apt-life-cycle-mitigation/#footnote-dsp-5061.2, October 10, 2018.
• 9. Dell, "Lifecycle of an Advanced Persistent Threat", 2012, http://www.redteamusa.com/PDF/Lifecycle%20of%20an%20Advanced%20Persistent%20Threat.pdf, October 10, 2018.
• 10. Sekharan, S. S., & Kandasamy, K., "Profiling SIEM Tools and Correlation Engines for Security Analytics", WiSPNET 2017 Conference, 2017, Pages 717-721.
• 11. Raja, N. M., & Vasudevan, R. A., "Rule Generation for TCP SYN Flood attack in SIEM Environment", 7th International Conference on Advances in Computing & Communications, 2017, Pages 580-587.
• 12. Anthony, R., "Detecting Security Incidents Using Windows Workstation Event Logs", SANS Institute, 2013, Pages 8-15.
• 13. Bryant, Blake D. and Hossein Saiedian. "A novel kill-chain framework for remote security log analysis with SIEM software." Computers & Security Vol. 67, 2017, Pages 198-210.
• 14. Chuvakin, A., "On "Output-driven" SIEM", http://blogs.gartner.co (Alladi, Chamola, & Zeadally, 2020)m/anton-chuvakin/2012/09/24/on-output-driven-siem/, September 8, 2018.
• 15. Alladi T., Chamola V., Zeadally S., "Industrial Control Systems: Cyberattack trends and countermeasures", Computer Communications, Vol. 155, 2020, Pages 1-8.
• 16. Mohammed A., Neetesh S., Peter B., "Investigating Ssable Indicators Against Cyber-Attacks in Industrial Control Systems", Proceedings of the 17th Symposium on Usable Privacy and Security, 2021.
• 17. Atluri V., Horne J., "A Machine Learning based Threat Intelligence Framework for Industrial Control System Network Traffic Indicators of Compromise", SoutheastCon 2021, Atlanta, GA, USA, 2021, Pages 1-5.
• 18. Powell M., Brule J., Pease M., StoufferK., Tang C., Zimmerman T., ... & Zopf M., "Protecting Information and System Integrity in Industrial Control System Environments", NIST, 2022.
• 19. Toker F.S., Ovaz Akpinar K., ÖZÇELİK İ., "MITRE ICS Attack Simulation and Detection on EtherCAT Based Drinking Water System," 2021 9th International Symposium on Digital Forensics and Security (ISDFS), Elazig, Turkey, 2021, Pages 1-6.
• 20. Zahid H., Hina S., Hayat M. F., Shah G. A., "Agentless Approach for Security Information and Event Management in Industrial IoT", Electronics, 2023, Pages 1831.
• 21. ScienceSoft, "Siem-Based Apt Protection", https://www.scnsoft.com/services/security/siem/apt-protection retrieved October 12, 2018.
• 22. IBM Qradar, "IBM Security Qradar Suite", https://www.ibm.com/qradar, May 12, 2023.
• 23. HP ArcSight, "ArcSight Enterprise Security Manager", https://www.hpe.com/psnow/doc/c05100164.pdf?jumpid=in_lit-psnow-getpdf, May 12, 2023.
• 24. Wazuh, "The Open Source Security Platform", https://wazuh.com/, May 12, 2023.
• 25. Crowd Strike, "Indicators Of Attack Versus Indicators Of Compromise", https://go.crowdstrike.com/rs/281-OBQ-266/images/WhitepaperIOAvsIOC.pdf, October 13, 2018.
• 26. FireEye, "APT 28: A Window into Russia's Cyber Espionage Operations?", https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf, March 13, 2017.
• 27. Symantec, "W32.Duqu The precursor to the next Stuxnet", Version 1.4, 2011, https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-duqu-11-en.pdf, April 14, 2017.
• 28. F-Secure," Blackenergy & Quedagh - The Convergence Of Crimeware and APT Attacks", https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf, January 23, 2017.
• 29. Kaspersky," Targeted Cyberattacks Logbook", https://apt.securelist.com/, May 17, 2023.