Offensive Security: Towards Proactive Threat Hunting via Adversary Emulation

Ajmal, Abdul Basit; Shah, Munam Ali; Maple, Carsten; Asghar, Muhammad Nabeel; Islam, Saif ul

doi:10.1109/access.2021.3104260

Cited by 35 publications

(21 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…This then leads to providing the right solution/recommendation to the blue teams/organizations. 14,15 CALDERA can also be utilized to test endpoint security arrangements and evaluate a network's security capability to withstand the common post-compromise, antagonistic strategies contained within the ATT&CK approach. 14 CALDERA leverages the ATT&CK approach to distinguish and imitate enemy behaviors as if a genuine interruption is happening.…”

Section: Open Peer Reviewmentioning

confidence: 99%

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Mohamed¹

2022

F1000Res

View full text Add to dashboard Cite

Background: Microsoft Windows Security is a recently implemented safeguard for the Windows operating systems, including the latest versions of Windows10 and 11. However, there is a major shortcoming in this system to stop Advanced Persistent Threat (APT). These are government-financed groups that are funded to attack other government entities. Following the initial security breach, the hacked Windows device is used to access the rest of the network devices in order to transfer data to external storage (Exfiltration). Methods: In this work, we have tested the Microsoft Windows Security system using MITRE CALDERA and ATT&CK frameworks and explain how APT groups are able to bypass Windows Security. Results: In this study we used "54ndc47" agent through GoLang feature in MITRE CALDERA platform to test and bypass Microsoft Windows Security systems (MS Windows 10). Through it, we were able to bypass the Windows Security system and display entire files in the victim's device. Conclusions: In this paper, we have provided recommendations to Microsoft to improve their Windows Security tool through the use of Artificial intelligence (AI).

show abstract

Section: Open Peer Reviewmentioning

confidence: 99%

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Mohamed¹

2022

F1000Res

View full text Add to dashboard Cite

show abstract

“…Hypothesis development focuses on the type of hypothesis. According to the SANS Institute, the definition of a hypothesis is based on intelligence, domain knowledge, and situational awareness (Ajmal et al, 2021). Intelligence-based assumptions come from an understanding of the attacker's tactics, techniques, and procedures (TTPs), and behaviors.…”

Section: Hypotheses Developmentmentioning

confidence: 99%

“…To track threats with particular attention to certain attackers, it is required to improve the accuracy of the threat intelligence. Threat intelligence informs threat hunters of content that can be detected by a particular attacker's TTP (Ajmal et al, 2021).…”

Section: Hypotheses Developmentmentioning

confidence: 99%

See 1 more Smart Citation

Knowing the unknown: The hunting loop

Alanazi¹,

Alanazi²

2022

Int. j. adv. appl. sci.

View full text Add to dashboard Cite

There are several ways to improve an organization’s cybersecurity protection against intruders. One of the ways is to proactively hunt for threats, i.e., threat hunting. Threat Hunting empowers organizations to detect the presence of intruders in their environment. It identifies and searches the tactics, techniques, and procedures (TTP) of the attackers to find them in the environment. To know what to look for in the collected data and environment, it is required to know and understand the attacker's TTPs. An attacker's TTPs information usually comes from signatures, indicators, and behavior observed in threat intelligence sources. Traditionally, threat hunting involves the analysis of collected logs for Indicator of Compromise (IOCs) through different tools. However, network and security infrastructure devices generate large volumes of logs and can be challenging to analyze thus leaving gaps in the detection process. Similarly, it is very difficult to identify the required IOCs and thus sometimes makes it difficult to hunt the threat which is one of the major drawbacks of the traditional threat hunting processes and frameworks. To address this issue, intelligent automated processes using machine learning can improve the threat hunting process, that will plug those gaps before an attacker can exploit them. This paper aims to propose a machine learning-based threat-hunting model that will be able to fill the gaps in the threat detection process and effectively detect the unknown adversaries by training the machine learning algorithms via extensive datasets of TTPs and normal behavior of the system and target environment. The model is comprised of five main stages. These are Hypotheses Development, Equip, Hunt, Respond and Feedback stages. This threat hunting model is a bit ahead of the traditional models and frameworks by employing machine learning algorithms.

show abstract

“…The use of this approach help organizations to discover advanced attack mechanisms and measure their ability to detect attacks [103]. As opposed to traditional approaches that emphasize on identified threats including vulnerability assessment and penetration testing, new unknown threats can be identified and addressed with this method [104].…”

Section: Threat Emulationmentioning

confidence: 99%

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Hillier¹,

Karroubi²

2022

Preprint

View full text Add to dashboard Cite

The threat hunting lifecycle is a complex atmosphere that requires special attention from professionals to maintain security. This paper is a collection of recent work that gives a holistic view of the threat hunting ecosystem, identifies challenges, and discusses the future with the integration of artificial intelligence (AI). We specifically establish a life cycle and ecosystem for privacy-threat hunting in addition to identifying the related challenges. We also discovered how critical the use of AI is in threat hunting. This work paves the way for future work in this area as it provides the foundational knowledge to make meaningful advancements for threat hunting.

show abstract

Offensive Security: Towards Proactive Threat Hunting via Adversary Emulation

Cited by 35 publications

References 22 publications

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Study of bypassing Microsoft Windows Security using the MITRE CALDERA Framework

Knowing the unknown: The hunting loop

Turning the Hunted into the Hunter via Threat Hunting: Life Cycle, Ecosystem, Challenges and the Great Promise of AI

Contact Info

Product

Resources

About