1.
Computers, Materials and Continua ; 75(2):4231-4253, 2023.
Article in English | Scopus | ID: covidwho-2315719

ABSTRACT

Recently, with the normalization of non-face-to-face online environments in response to the COVID-19 pandemic, the possibility of cyberattacks through endpoints has increased. Numerous endpoint devices are managed meticulously to prevent cyberattacks and ensure timely responses to potential security threats. In particular, because telecommuting, telemedicine, and tele-education are implemented in uncontrolled environments, attackers typically target vulnerable endpoints to acquire administrator rights or steal authentication information, and reports of endpoint attacks have been increasing considerably. Advanced persistent threats (APTs) using various novel variant malicious codes are a form of sophisticated attack. However, conventional commercial antivirus and anti-malware systems that use signature-based attack detection methods cannot satisfactorily respond to such attacks. In this paper, we propose a method that expands the detection coverage in APT attack environments. In this model, an open-source threat detector and log collector are used synergistically to improve threat detection performance. Extending the scope of attack log collection through interworking between highly accessible open-source tools can efficiently increase the detection coverage of tactics and techniques used to deal with APT attacks, as defined by MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK). We implemented an attack environment using an APT attack scenario emulator called Carbanak and analyzed the detection coverage of Google Rapid Response (GRR), an open-source threat detection tool, and Graylog, an open-source log collector. The proposed method expanded the detection coverage against MITRE ATT&CK by approximately 11% compared with conventional methods. © 2023 Tech Science Press. All rights reserved.

2.
Computers and Electrical Engineering ; 105, 2023.
Article in English | Scopus | ID: covidwho-2244069

ABSTRACT

After the COVID-19 pandemic, cyberattacks are increasing as non-face-to-face environments such as telecommuting and telemedicine proliferate. Cyberattackers exploit vulnerabilities in remote systems and endpoint devices in major enterprises and infrastructures. To counter these attacks, fast detection and response are essential because advanced persistent threat (APT) attacks intelligently infiltrate endpoint devices for long periods and spread to large-scale environments. However, because conventional security systems are signature-based, fast detection of APT attacks is challenging, and it is difficult to respond flexibly to the environment. In this study, we propose an APT fast detection and response technique using open-source tools that improves the efficiency of existing endpoint information protection systems and swiftly detects the APT attack process. Performance test results based on realistic scenarios using the open-source APT attack library and MITRE ATT&CK indicated that fast detection was possible with higher accuracy for the early stages of APT attacks in scenarios where endpoint attack detectors are in interworking environments. © 2022 The Authors

3.
Internet Technology Letters ; 4(2), 2021.
Article in English | Scopus | ID: covidwho-2234523

ABSTRACT

This paper studies the cybersecurity issues that have occurred during the coronavirus (COVID-19) pandemic. During the pandemic, cyber criminals and Advanced Persistent Threat (APT) groups have taken advantage of targeting vulnerable people and systems. This paper emphasizes that there is a correlation between the pandemic and the increase in cyber-attacks targeting sectors that are vulnerable. In addition, the growth in anxiety and fear due to the pandemic is increasing the success rate of cyber-attacks. We also highlight that healthcare organizations are one of the main victims of cyber-attacks during the pandemic. The pandemic has also raised the issue of cybersecurity in relation to the new normal of expecting staff to work from home (WFH), the possibility of state-sponsored attacks, and increases in phishing and ransomware. We have also provided various practical approaches to reduce the risks of cyber-attacks while WFH, including mitigation of security risks related to healthcare. It is crucial that healthcare organizations improve the protection of their important data and assets by implementing a comprehensive approach to cybersecurity. © 2020 The Authors. Internet Technology Letters Published by John Wiley & Sons, Ltd.

4.
Computers and Electrical Engineering ; 105:108548, 2023.
Article in English | ScienceDirect | ID: covidwho-2158667

ABSTRACT

After the COVID-19 pandemic, cyberattacks are increasing as non-face-to-face environments such as telecommuting and telemedicine proliferate. Cyberattackers exploit vulnerabilities in remote systems and endpoint devices in major enterprises and infrastructures. To counter these attacks, fast detection and response are essential because advanced persistent threat (APT) attacks intelligently infiltrate endpoint devices for long periods and spread to large-scale environments. However, because conventional security systems are signature-based, fast detection of APT attacks is challenging, and it is difficult to respond flexibly to the environment. In this study, we propose an APT fast detection and response technique using open-source tools that improves the efficiency of existing endpoint information protection systems and swiftly detects the APT attack process. Performance test results based on realistic scenarios using the open-source APT attack library and MITRE ATT&CK indicated that fast detection was possible with higher accuracy for the early stages of APT attacks in scenarios where endpoint attack detectors are in interworking environments.

5.
6th IEEE International Conference on Data Science in Cyberspace, DSC 2021 ; : 635-639, 2021.
Article in English | Scopus | ID: covidwho-1831756

ABSTRACT

Advanced Persistent Threat (APT) attack activities with the theme of COVID-19 and vaccines are also growing rapidly. The targets of APT attacks have gradually expanded from government agencies to vaccine manufacturers, the medical industry, and so on. What's more, APT groups have a strict organizational structure and professional division of labor, and malware delivered by the same APT group is similar. Classifying malware samples into known APT groups in time can minimize losses as soon as possible and keep relevant industries vigilant. In our paper, we propose a multi-classification method for APT malware based on Adaboost and LightGBM. We collect real APT malware samples that have been delivered by 12 known APT groups. The API call sequence of each APT malware sample is obtained through the sandbox. For the relationship between adjacent APIs, we use the TF-IDF algorithm combined with bi-grams. Then, the Adaboost algorithm is used to select the important API features, which form the target feature subset. Finally, we use the above subset combined with the LightGBM ensemble algorithm to train multiple classifiers, named Ada-LightGBM. The experimental results show that our method is superior to the single Adaboost and LightGBM methods. The classifier has good recognition performance for the test samples. © 2021 IEEE.
