Security Knowledge Graph – APT Group Profiling and Attribution

August 5, 2022 | Jie Ji

The security knowledge graph, a knowledge graph specific to the security domain, is the key to realizing cognitive intelligence in cyber security, and it also lays an indispensable technological foundation for dealing with advanced, continuous and complex threats and risks in cyberspace. NSFOCUS will publish a series of articles about the application of the security knowledge graph in several scenarios. This article focuses on the profiling and attribution of APT groups based on the knowledge graph.


APT groups are modeled to build a knowledge base that can be used for repeated attack-simulation training, with the ultimate goal of detecting malicious behaviors based on attribution and associating malicious cyber activities with specific groups or individuals. The Defense Advanced Research Projects Agency (DARPA) of the United States Department of Defense launched the Enhanced Attribution program to monitor and track the behaviors of attack groups. The program is divided into three technical areas (TAs): TA1 covers activity tracking and summarization, as well as the extraction from massive data of metadata that represents true facts; TA2 covers multi-source data fusion and fuzzy time-series association of that metadata; TA3 covers data validation and enrichment, so as to provide credible attacker intelligence.

The modeling of APT groups also faces new challenges. The attack level of the world's top APT groups became evident in 2017, when the Shadow Brokers leaked multiple cyber weapons and hacking tools of the National Security Agency (NSA), which shocked the world. In addition to various 0-day vulnerability exploit tools, the leak contained an exploit attack framework similar to Metasploit that calls multiple modules for weapon assembly and attack, indicating that the group has a high level of vulnerability research and custom weapon development capability. Unknown attacks and the use of custom weapons pose great challenges to the attribution and source tracing of APT groups.

For most cyber regulators and enterprises, cybersecurity operations have largely become a big data analysis and processing problem. In the course of cybersecurity protection and management, more and more institutions and organizations need to analyze, in real time, massive heterogeneous alarm data from a variety of security devices. Quickly discovering high-risk security events, especially those related to APT attack groups, in massive multi-modal alarm data is a major challenge for regulators and enterprises.

Tracking of Cyber APT Attack Groups Based on Context-aware Computing

To quickly discover high-risk security events related to attack groups in massive multi-modal data scenarios, NSFOCUS proposed a method for tracking attack groups based on a context-aware computing framework [1], as shown in Figure 1. First, an ontology structure with the attack group at its core is defined; based on it, the context collection module and the context reasoning module are designed and the attack group knowledge base is established. The two modules collect non-real-time multi-source heterogeneous threat intelligence and real-time sandbox sample information, and store them in the attack group knowledge base after semantic filtering, fusion and reasoning. The context collection module mainly obtains context information from heterogeneous, complex and diverse information sources, including non-real-time unstructured and semi-structured web pages, structured open-source threat intelligence in STIX format, public blogs and forums, and locally accumulated threat intelligence on attack groups, as well as real-time structured logs and alarms from cyber threat detection devices and malicious sample sandboxes.

Figure 1 General framework of the attack group tracking method based on context-aware computing

Then, a template of normalized security events is defined based on the attack group ontology, so that the stream processing engine, running on the big data stream computing framework, can parse massive multi-modal data into normalized security events that fit the defined template. Since attackers often employ a series of interrelated attack methods over a longer period of time to carry out an actual attack, events within that longer period must be associated while attack behaviors are monitored and tracked, so as to obtain a more comprehensive and accurate attack scenario. Therefore, multiple normalized security events are associated based on the attack chain model to generate an attack chain containing multiple events. Specifically, all events targeting the same IP address within a certain period of time are integrated in chronological order to generate an attack chain; Figure 2 shows the process of inserting an event into the behavior chain. The attack group knowledge base is used for semantic enrichment of the event threat context, attack chain association, context-aware computing of attack group features, and the final discovery of high-risk events related to the attack group.
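The normalization and chain-building steps described above, as an added example that is not NSFOCUS's own code: a hypothetical normalized event template, a Figure 2 style insertion that groups events by target IP address inside a time window while keeping each chain in chronological order (late-arriving events are slotted into place), and a simple high-risk heuristic that flags chains spanning several attack-chain phases. The field names, the category-to-phase mapping, the two-hour window and the sample alarms are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed mapping from alarm category to attack-chain phase (kill-chain style).
# The post does not publish NSFOCUS's attack chain model; this is illustrative.
PHASE_OF = {
    "scan": "reconnaissance",
    "exploit": "exploitation",
    "dropper": "installation",
    "c2": "command-and-control",
}


@dataclass(frozen=True)
class NormalizedEvent:
    """Normalized security event template (hypothetical field set)."""
    ts: datetime
    src_ip: str
    dst_ip: str
    category: str
    phase: str


def normalize(raw):
    """Parse one raw alarm (constructed dict format) into the template.
    Unknown categories are kept with phase 'unknown' rather than dropped."""
    return NormalizedEvent(
        ts=datetime.strptime(raw["time"], "%Y-%m-%d %H:%M:%S"),
        src_ip=raw["src"],
        dst_ip=raw["dst"],
        category=raw["type"],
        phase=PHASE_OF.get(raw["type"], "unknown"),
    )


@dataclass
class AttackChain:
    target_ip: str
    events: list = field(default_factory=list)  # always in chronological order

    def phases(self):
        return sorted({e.phase for e in self.events})


class ChainStore:
    """One open chain per target IP, plus the chains that have been closed."""

    def __init__(self, window):
        self.window = window
        self.open = {}
        self.closed = []

    def insert(self, event):
        """Figure 2 style insertion: the event joins the open chain for its target
        IP if it lies within `window` of that chain's time span; otherwise the old
        chain is closed and a new one started. Out-of-order events are sorted in."""
        chain = self.open.get(event.dst_ip)
        if chain is not None:
            first, last = chain.events[0].ts, chain.events[-1].ts
            if first - self.window <= event.ts <= last + self.window:
                chain.events.append(event)
                chain.events.sort(key=lambda e: e.ts)
                return chain
            self.closed.append(chain)
        chain = AttackChain(event.dst_ip, [event])
        self.open[event.dst_ip] = chain
        return chain

    def chains(self):
        return self.closed + list(self.open.values())


def build_chains(raw_alarms, window=timedelta(hours=2)):
    store = ChainStore(window)
    for raw in raw_alarms:
        store.insert(normalize(raw))
    return store.chains()


def high_risk_chains(chains, min_phases=3):
    """Assumed heuristic: a chain covering several phases against one target
    deserves analyst attention before any group attribution is attempted."""
    return [c for c in chains if len(c.phases()) >= min_phases]


# Constructed sample alarms, deliberately not in time order (index 3 arrives late).
SAMPLE_ALARMS = [
    {"time": "2022-08-05 10:00:00", "src": "10.1.1.5", "dst": "192.0.2.10", "type": "scan"},
    {"time": "2022-08-05 10:20:00", "src": "10.1.1.5", "dst": "192.0.2.10", "type": "exploit"},
    {"time": "2022-08-05 10:05:00", "src": "10.1.1.9", "dst": "192.0.2.20", "type": "scan"},
    {"time": "2022-08-05 10:10:00", "src": "10.1.1.5", "dst": "192.0.2.10", "type": "scan"},
    {"time": "2022-08-05 11:00:00", "src": "10.1.1.5", "dst": "192.0.2.10", "type": "c2"},
    {"time": "2022-08-06 10:00:00", "src": "10.1.1.7", "dst": "192.0.2.10", "type": "scan"},
]

if __name__ == "__main__":
    chains = build_chains(SAMPLE_ALARMS)
    for chain in chains:
        print(chain.target_ip, [e.category for e in chain.events], chain.phases())
    print("high risk:", [c.target_ip for c in high_risk_chains(chains)])
```

With the sample input, the four events against 192.0.2.10 on 5 August form one chain in time order despite the late 10:10 alarm, the single scan on 6 August opens a fresh chain for the same target because it falls outside the window, and only the first chain is reported as high risk.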

Figure 2 Process of generating an attack chain

In addition to the above-mentioned APT group tracking method based on the context-aware computing framework, NSFOCUS also proposed a method for discovering unknown attack groups based on feature graph clustering [1], which mainly includes:

1. Normalized understanding module for massive heterogeneous alarms based on the normalized attack model

2. Event feature association module combining the attack chain and attack source model

3. Construction and clustering module of the attack source feature graph model

Figure 3 shows the general system framework.

Figure 3 General system framework

Features are extracted from the real-time attack source data, which contains multiple attack chains, with the attack source IP address as the core point; each extracted feature becomes a feature point connected to the core point. The extracted features include all relevant features in the attack source data, as well as the additional information obtained from threat intelligence association. Each connection between a feature point and the core point is a weighted edge. Table 1 lists the feature points and their descriptions.

Table 1 Descriptions of feature points

Feature Point | Description
--- | ---
Attack source IP address | Core point
Attack pattern | Assigned different weights depending on the frequency of the attack pattern adopted; the higher the frequency, the greater the weight.
Attack source active time | Time period in which the attack source carried out attacks, accurate to the hour; assigned different weights depending on the frequency, the higher the frequency, the greater the weight.
Attack target IP address | Target IP address attacked by the attack source
Attack target port | Assigned different weights depending on the frequency; the higher the frequency, the greater the weight.
Attack source geographic information | Country, province/state, and city
Protocol | Related protocol information
Service type | Related service information
Sample action | Malicious sample actions related to the attack source
Sample action related parameters | Action-related parameter feature points, connected to the sample action feature points

The attack feature graph constructed above is a weighted undirected graph. A graph community clustering algorithm is applied to this feature graph to produce multiple community clusters, each of which can be regarded as an attack group. Since most graph clustering algorithms optimize global modularity, the actual clustering of feature graphs often produces some large communities without noticeable features that can be divided further, so larger communities need to be split and clustered again, as shown in Figure 4. Once the clustering of the feature graph is complete, each cluster is treated as a group to be analyzed. Groups can then be merged according to merger rules, either between newly formed groups or between newly formed groups and historical groups. In addition, group tags can be added manually to meet relevant business needs.
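The feature graph of Table 1 and the community clustering step, as an added example that is not NSFOCUS's own code: a weighted undirected graph is built with one core node per attack source IP address and one node per distinct feature value, the edge weight being how often the source exhibited that feature; a deterministic weighted label propagation (chosen here because it is short and dependency-free; the post does not say which community algorithm NSFOCUS uses) then groups sources that share heavily weighted features; and a profile function summarizes each resulting group in Table 1 terms. The splitting of large communities and the group merger rules mentioned in the text are not implemented. The event records, feature field names and values are constructed for the example.

```python
from collections import defaultdict

# Constructed attack source records, one per normalized event (fields follow
# Table 1; the values are made up for this example).
SAMPLE_EVENTS = [
    {"src": "10.0.0.1", "pattern": "sqli",  "hour": "02", "target": "192.0.2.10", "port": 443, "geo": "CN/Beijing", "proto": "http"},
    {"src": "10.0.0.1", "pattern": "sqli",  "hour": "02", "target": "192.0.2.10", "port": 443, "geo": "CN/Beijing", "proto": "http"},
    {"src": "10.0.0.1", "pattern": "xss",   "hour": "03", "target": "192.0.2.10", "port": 443, "geo": "CN/Beijing", "proto": "http"},
    {"src": "10.0.0.2", "pattern": "sqli",  "hour": "02", "target": "192.0.2.10", "port": 443, "geo": "CN/Beijing", "proto": "http"},
    {"src": "10.0.0.3", "pattern": "brute", "hour": "14", "target": "192.0.2.20", "port": 22,  "geo": "US/NY",      "proto": "ssh"},
    {"src": "10.0.0.3", "pattern": "brute", "hour": "14", "target": "192.0.2.20", "port": 22,  "geo": "US/NY",      "proto": "ssh"},
]

FEATURE_FIELDS = ("pattern", "hour", "target", "port", "geo", "proto")


def build_feature_graph(events):
    """Weighted undirected graph as an adjacency map: core node 'src:<ip>' per
    attack source, a feature node per distinct feature value, and edge weight =
    number of events in which the source showed that feature (Table 1: the
    higher the frequency, the greater the weight)."""
    graph = defaultdict(lambda: defaultdict(int))
    for ev in events:
        core = "src:" + ev["src"]
        for f in FEATURE_FIELDS:
            node = f"{f}:{ev[f]}"
            graph[core][node] += 1
            graph[node][core] += 1
    return graph


def label_propagation(graph):
    """Deterministic weighted label propagation (a simple community detection
    method, assumed here). Each node adopts the neighbour label carrying the most
    edge weight, ties broken by the lexicographically smallest label; nodes are
    visited in sorted order, asynchronously, until no label changes."""
    labels = {n: n for n in graph}
    changed = True
    while changed:
        changed = False
        for node in sorted(graph):
            score = defaultdict(int)
            for nb, w in graph[node].items():
                score[labels[nb]] += w
            if not score:  # isolated node keeps its own label
                continue
            best = min(score, key=lambda lab: (-score[lab], lab))
            if best != labels[node]:
                labels[node] = best
                changed = True
    return labels


def cluster_sources(events):
    """Group attack source IPs by the community their core node ended up in."""
    labels = label_propagation(build_feature_graph(events))
    groups = defaultdict(list)
    for node, lab in labels.items():
        if node.startswith("src:"):
            groups[lab].append(node[len("src:"):])
    return sorted(sorted(g) for g in groups.values())


def community_profile(graph, labels):
    """Per-community feature profile: summed edge weight from the community's
    core nodes to each feature node, i.e. what the candidate group looks like."""
    profile = defaultdict(lambda: defaultdict(int))
    for node, nbrs in graph.items():
        if node.startswith("src:"):
            for feat, w in nbrs.items():
                profile[labels[node]][feat] += w
    return profile


if __name__ == "__main__":
    g = build_feature_graph(SAMPLE_EVENTS)
    labels = label_propagation(g)
    print("candidate groups:", cluster_sources(SAMPLE_EVENTS))
    for lab, feats in community_profile(g, labels).items():
        top = sorted(feats.items(), key=lambda kv: (-kv[1], kv[0]))[:4]
        print(lab, top)
```

On the sample data, 10.0.0.1 and 10.0.0.2 land in one community because they share the same pattern, active hour, target, port, geography and protocol feature points, while 10.0.0.3 forms its own; the profile of the first community shows the shared features with their summed weights, which is the kind of evidence an analyst would review before treating a cluster as an attack group.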

Figure 4 Process of feature graph clustering

Conclusion and Outlook

As security vendors improve their attack detection capabilities, APT groups adopt correspondingly more sophisticated methods of evading detection. The most common method is to check for the processes or specific file paths of anti-virus software and to disable the detection of software such as Microsoft Defender Antivirus (formerly Windows Defender) by modifying the registry. Another method is to use various algorithms to encrypt and decrypt shellcode. In particular, more and more APT groups use steganography to store keys and even scripts in bitmap files and host them on legitimate cloud services, which greatly increases the difficulty of detection. There are also various attack techniques that defy classification, such as fileless malware, whitelist abuse, loading via VHDX, and hiding a backdoor in ADS, all of which improve the stealthiness of APT attack behaviors.

The generation of traditional threat intelligence relies on event-driven expert analysis and expert experience, which is laborious and slow. Although intelligent analysis methods based on statistical machine learning have made important breakthroughs in many threat-perception scenarios, the perception layer provides no standardized modeling with security semantics for its input, and false positives (alarms for attacks that are not real) are inevitable at the data layer when dynamic and complex network behavior is analyzed. Moreover, when multi-dimensional perception analysis results are produced, security experts still have to take full part in the assessment and correlation analysis to restore the complete picture of the attack, which limits how far the analysis of advanced, complex attack techniques and tactics such as APT can be automated. Research on the profiling and attribution of APT groups therefore needs the security knowledge graph to describe the TTPs of each phase of an APT attack uniformly, to track APT threats automatically, to master the attack features of the attackers, to discover latent crises, and even to prevent future attacks. This requires continued joint exploration by cybersecurity personnel.
