Recently,with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic,the possibility of cyberattacks through endpoints has increased.Numerous endpoint devices are managed meticu...Recently,with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic,the possibility of cyberattacks through endpoints has increased.Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats.In particular,because telecommuting,telemedicine,and teleeducation are implemented in uncontrolled environments,attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information,and reports of endpoint attacks have been increasing considerably.Advanced persistent threats(APTs)using various novel variant malicious codes are a form of a sophisticated attack.However,conventional commercial antivirus and anti-malware systems that use signature-based attack detectionmethods cannot satisfactorily respond to such attacks.In this paper,we propose a method that expands the detection coverage inAPT attack environments.In this model,an open-source threat detector and log collector are used synergistically to improve threat detection performance.Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks,as defined by MITRE Adversarial Tactics,Techniques,and Common Knowledge(ATT&CK).We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response(GRR),an open-source threat detection tool,and Graylog,an open-source log collector.The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11%compared with that conventional methods.展开更多
基金This study is the result of a commissioned research project supported by the affiliated institute of ETRI(No.2021-026)partially supported by the NationalResearch Foundation of Korea(NRF)grant funded by the Korean government(MSIT)(No.2020R1F1A1061107)+2 种基金the Korea Institute for Advancement of Technology(KIAT)grant funded by the Korean government(MOTIE)(P0008703,The Competency Development Program for Industry Specialist)the MSIT under the ICAN(ICT Challenge and Advanced Network of HRD)program[grant number IITP-2022-RS-2022-00156310]supervised by the Institute of Information&Communication Technology Planning and Evaluation(IITP).
文摘Recently,with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic,the possibility of cyberattacks through endpoints has increased.Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats.In particular,because telecommuting,telemedicine,and teleeducation are implemented in uncontrolled environments,attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information,and reports of endpoint attacks have been increasing considerably.Advanced persistent threats(APTs)using various novel variant malicious codes are a form of a sophisticated attack.However,conventional commercial antivirus and anti-malware systems that use signature-based attack detectionmethods cannot satisfactorily respond to such attacks.In this paper,we propose a method that expands the detection coverage inAPT attack environments.In this model,an open-source threat detector and log collector are used synergistically to improve threat detection performance.Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks,as defined by MITRE Adversarial Tactics,Techniques,and Common Knowledge(ATT&CK).We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response(GRR),an open-source threat detection tool,and Graylog,an open-source log collector.The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11%compared with that conventional methods.
