论文信息 - Modeling the Operational Phases of APT Campaigns

Modeling the Operational Phases of APT Campaigns

In the context of Advanced Persistent Threat (APT) attacks, this paper introduces a model, called Nuke, which tries to provide a more operational reading of the attackers' lifecycle in a compromised network. It allows to consider the notions of regression; and repetitiveness of final objectives achievement. By confronting this model with examples of recent attacks (Equifax data breach and TV5Monde sabotage), we emphasize the importance of the attack chronology in the Cyber Threat Intelligence (CTI) reports, as well as the Tactics, Techniques and Procedures (TTP) used by the attacker during his progression.

[1] Mica R. Endsley,et al. Toward a Theory of Situation Awareness in Dynamic Systems , 1995, Hum. Factors.

[2] J. A. Battaglia,et al. Finding Cyber Threats with ATT&CK-Based Analytics , 2017 .

[3] S. Radack. Managing Information Security Risk: Organization, Mission, and Information System View | NIST , 2011 .

[4] Eric Michael Hutchins,et al. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains , 2010 .

[5] George Rajna,et al. Equifax Data Breach , 2018 .

[6] R. Ross. Managing Information Security Risk: Organization, Mission, and Information System View | NIST , 2011 .

[7] Scott D. Lathrop,et al. Towards a definition of cyberspace tactics, techniques and procedures , 2017, 2017 IEEE International Conference on Big Data (Big Data).