Trusted Computing vs. Advanced Persistent Threats: Can a Defender Win This Game?

As both the number and the complexity of cyber attacks continuously increase, it is becoming evident that traditional security mechanisms have limited success in detecting sophisticated threats. Stuxnet, Duqu, Flame, Red October and, more recently, Miniduke have troubled the security community because of their severe complexity and their ability to evade detection, in some cases for several years, while exfiltrating gigabytes of data or sabotaging critical infrastructures. The significant technical and financial resources needed to orchestrate such complex attacks are a clear indication that the perpetrators are well organized and, likely, working under a state umbrella. In this paper we perform a technical analysis of these advanced persistent threats, highlighting particular characteristics and identifying common patterns and techniques. We also focus on the issues that enabled the malware to evade detection by a wide range of security solutions and propose technical countermeasures for strengthening our defenses against similar threats.