At this year’s Special Interest Group on Security, Audit and Control conference, representatives from The National Institute of Standards and Technology alongside security professionals from Pennsylvania State University proposed a new framework aimed at enhancing the Automatic Recognition of Advanced Persistent Threat Tactics for Enterprise Security.
Advanced Persistent Threat groups are known to attack high value targets such as government agencies and enterprise businesses associated with the public sector. They are one of the most pertinent security threats to such industries, as they are typically carried out by state-sponsored groups with economic and/or political interest in the target. In light of the global pandemic of COVID-19, APT groups have been more active than ever, with recent attacks on the healthcare, public safety, and banking industries specifically. By nature, APTs are carefully crafted attacks that use advanced obfuscation methods in order to avoid detection and maintain persistent access on a target network. Because of their adaptive, sophisticated nature and code composition, advanced persistent threats are able to penetrate networks, establish multiple points of entry, and siphon valuable data for extended periods of time.
In 2019, the National Institute for Standards and Technology published volume 2 of their Special Publication 800-160: Developing Cyber Resilient Systems, which is aimed at determining whether the cyber detection and response capabilities of a system are sufficient for the organization to meet its mission assurance and security requirements in a threat environment (Developing Cyber Resilient Systems: A Systems Security Engineering Approach, 2019). The goal of the new framework is to provide a standardized method for detecting APT tactics and applying specific APT technique identification methods in order to enhance and improve overall incident response. Evaluation of the framework process shows that the approach is successful in detecting APT tactics with high accuracy and low false positive rates, signifying a high use case as a central implementation method within security response and operation centers. Implementations of the framework are aimed to help CSOCs and analysts identify the attacker’s intents, objectives and strategies, and provide a “whole story” of the attacks. Additionally, automated APT tactic detection could significantly reduce manual overhead efforts, allowing enterprise agencies to greatly improve their threat response abilities (Zou, Sun, Liu, & Singhal, 2020).
Ross, Pillitteri, Graubart, Bodeau, & McQuaid. Developing Cyber Resilient Systems: A Systems Security Engineering Approach (2019, November). National Institute of Standards and Technology.
Zou, Q., Sun, X., Liu, P., & Singhal, A. Automatic Recognition of Advanced Persistent Threat Tactics forEnterprise Security (2020, March 18). PDF.