DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS
Date: 2023
Open Access Color: GOLD
Green Open Access: No
Publicly Funded: No
Abstract
Cyber-attacks are moving towards a sophisticated, destructive and persistent position, as in the cases of Stuxnet, Dark Hotel, Poseidon and Carbanak. These attacks are called Advanced Persistent Threats (APTs): an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period. APT attacks threaten the main critical areas of today's digitalized life, covering critical infrastructures and finance, energy and aviation agencies. One of the most significant APT attacks was Stuxnet, which targeted the software controlling the programmable logic controllers (PLCs) that are in turn used to automate machine processes. Another was the Deep Panda attack discovered in 2015, which compromised over 4 million US personnel records because of the ongoing cyberwar between China and the US. This paper explains the difficulties of detecting APTs and examines some of the research in this area. In addition, we present a new approach to detecting APTs using a Security Information and Event Management (SIEM) solution. In this approach we recommend establishing APT rulesets in SIEM solutions using the indicators left behind by the attacks. The three basic indicator types are considered in the rulesets and examined in detail.
Keywords: Computer Science; Software Engineering; Criminology and Penal Science; Public Administration; Law; Defense Sciences; Artificial Intelligence; Software Engineering (Other); Cyber Security; Cyber War; APT; SIEM; Intrusion Detection System
Fields of Science: 0202 electrical engineering, electronic engineering, information engineering; 02 engineering and technology
OpenCitations Citation Count: 1
Source: International Journal of 3D Printing Technologies and Digital Industry
Volume: 7
Issue: 3
Start Page: 471
End Page: 477
PlumX Metrics (Captures): Mendeley Readers: 13