From TTP to IoC: Advanced Persistent Graphs for Threat Hunting

Berady, Aimad; Jaume, Mathieu; Tông, Valérie Viêt Triêm; Guette, Gilles

doi:10.1109/tnsm.2021.3056999

Cited by 20 publications

(10 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Berady et al [9] presented a threat hunting model based on the common acceptance of the conclusion that the attacker and defender should mutually understand each other. The analysis was performed from both an offensive and defensive perspective.…”

Section: Related Workmentioning

confidence: 99%

Revisiting the Detection of Lateral Movement through Sysmon

2022

View full text Add to dashboard Cite

This work attempts to answer in a clear way the following key questions regarding the optimal initialization of the Sysmon tool for the identification of Lateral Movement in the MS Windows ecosystem. First, from an expert’s standpoint and with reference to the relevant literature, what are the criteria for determining the possibly optimal initialization features of the Sysmon event monitoring tool, which are also applicable as custom rules within the config.xml configuration file? Second, based on the identified features, how can a functional configuration file, able to identify as many LM variants as possible, be generated? To answer these questions, we relied on the MITRE ATT and CK knowledge base of adversary tactics and techniques and focused on the execution of the nine commonest LM methods. The conducted experiments, performed on a properly configured testbed, suggested a great number of interrelated networking features that were implemented as custom rules in the Sysmon’s config.xml file. Moreover, by capitalizing on the rich corpus of the 870K Sysmon logs collected, we created and evaluated, in terms of TP and FP rates, an extensible Python .evtx file analyzer, dubbed PeX, which can be used towards automatizing the parsing and scrutiny of such voluminous files. Both the .evtx logs dataset and the developed PeX tool are provided publicly for further propelling future research in this interesting and rapidly evolving field.

show abstract

Section: Related Workmentioning

confidence: 99%

Revisiting the Detection of Lateral Movement through Sysmon

2022

View full text Add to dashboard Cite

show abstract

“…In addition, the authors of [105] stated that When dealing with APT, defenders must detect the area where an adversary is spread as soon as possible. The discovery occurs as part of an incident response operation called Threat Hunting, during which defenders identify attackers within the compromised network [105].…”

Section: Threat Emulationmentioning

confidence: 99%

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Hillier¹,

Karroubi²

2022

Preprint

View full text Add to dashboard Cite

The threat hunting lifecycle is a complex atmosphere that requires special attention from professionals to maintain security. This paper is a collection of recent work that gives a holistic view of the threat hunting ecosystem, identifies challenges, and discusses the future with the integration of artificial intelligence (AI). We specifically establish a life cycle and ecosystem for privacy-threat hunting in addition to identifying the related challenges. We also discovered how critical the use of AI is in threat hunting. This work paves the way for future work in this area as it provides the foundational knowledge to make meaningful advancements for threat hunting.

show abstract

“…The reconstruction of this kind of attack is possible thanks to the collected logs exploitation. Then, in order to identify techniques performed by the attacker, we used a tool 9 that allows us to extract Events of Interest (EoI) [27] from the dataset. In the following, we detail actions performed by the participant #12, denoted P12.…”

Section: Pwnjutsu P12 Attack Campaignmentioning

confidence: 99%

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Berady

Jaume²,

Tông

et al. 2022

IEEE Trans. Netw. Serv. Manage.

Self Cite

View full text Add to dashboard Cite

Identifying patterns in the modus operandi of attackers is an essential requirement in the study of Advanced Persistent Threats. Previous studies have been hampered by the lack of accurate, relevant, and representative datasets of current threats. System logs and network traffic captured during attacks on real companies' information systems are the best data sources to build such datasets. Unfortunately, for apparent reasons of companies' reputation, privacy, and security, such data is seldom available. This article proposes an alternative approach to such issues involved with collecting data. It first presents a formal model of an attacker's tactical progression during their network propagation phase. Such a progression is expressed according to the attacker's state, called muSE, which specifies their propagation area, collected secrets, and knowledge of the environment. The new model wields the operational semantics of attack techniques proposed in this article. The semantics formally define a transition relation between attackers' states. Hence, it can be used to describe an entire attack scenario. This formalization allows the ability to describe the PWNJUTSU experiment unequivocally. In this experiment, 22 Red Teamers attacked the vulnerable infrastructure to compromise machines and steal secret flags. Each Red Teamer operated on a dedicated instance. Sensors captured system logs and network traffic on each of these instances. This article's second contribution is the public release of the PWNJUTSU dataset.

show abstract

From TTP to IoC: Advanced Persistent Graphs for Threat Hunting

Cited by 20 publications

References 16 publications

Revisiting the Detection of Lateral Movement through Sysmon

Revisiting the Detection of Lateral Movement through Sysmon

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Contact Info

Product

Resources

About