DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS

Adem Şimşek; Ahmet Koltuksuz

doi:10.46519/ij3dptdi.1353341

Research Article

Year 2023, Volume: 7 Issue: 3, 471 - 477, 31.12.2023

Adem Şimşek Ahmet Koltuksuz

https://doi.org/10.46519/ij3dptdi.1353341

Abstract

References

1. J. Lee, B. Bagheri, H. Kao, "A Cyber-Physical Systems architecture for Industry 4.0-based manufacturing systems", Manufacturing Letters, Vol. 3, January 2015, Pages 18-23.
2. C. Tankard, "Advanced Persistent threats and how to monitor and deter them", Network Security, Vol. 2011, Issue 8, 2011, Pages 16-19.
3. Harknett, R. J. and Stever, J. A., "The New Policy World of Cybersecurity", Public Administration Review, Vol. 71, 2011, Pages 455-460. 4. M. Kenney, “Cyber-terrorism in a post-stuxnet world,” Orbis, Vol. 59, Issue 1, Pages. 111–128, 2015.
5. Kaspersky Lab, "The Darkhotel Apt - A Story Of Unusual Hospitality", Version 1.1, November 2014.
6. Kaspersky Lab, "Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage", https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/, October 1, 2018.
7. Group IB and Fox It, "Anunak: APT Against Financial Institutions". https://www.group-ib.com/resources/research-hub/anunak-apt/, October 2, 2018.
8. P. S. Radzikowski, "CyberSecurity: Expanded Look at the APT Life Cycle and Mitigation", http://drshem.com/2016/02/11/cybersecurity-expanded-look-apt-life-cycle-mitigation/#footnote-dsp-5061.2, October 10, 2018.
9. Dell, "Lifecycle of an Advanced Persistent Threat", 2012, http://www.redteamusa.com/PDF/Lifecycle%20of%20an%20Advanced%20Persistent%20Threat.pdf, October 10, 2018.
10. Sekharan, S. S., & Kandasamy, K., "Proﬁling SIEM Tools and Correlation Engines for Security Analytics", WiSPNET 2017 Conference, 2017, Pages 717-721.
11. Raja, N. M., & Vasudevan, R. A., "Rule Generation for TCP SYN Flood attack in SIEM Environment", 7th International Conference on Advances in Computing & Communications, 2017, Pages 580-587.
12. Anthony, R., "Detecting Security Incidents Using Windows Workstation Event Logs", SANS Institute, 2013, Pages 8-15.
13. Bryant, Blake D. and Hossein Saiedian. "A novel kill-chain framework for remote security log analysis with SIEM software." Computers & Security Vol. 67, 2017, Pages 198-210.
14. Chuvakin, A., "On "Output-driven" SIEM", http://blogs.gartner.co (Alladi, Chamola, & Zeadally, 2020)m/anton-chuvakin/2012/09/24/on-output-driven-siem/, September 8, 2018.
15. Alladi T., Chamola V., Zeadally S., "Industrial Control Systems: Cyberattack trends and countermeasures", Computer Communications, Vol. 155, 2020, Pages 1-8.
16. Mohammed A., Neetesh S., Peter B., "Investigating Ssable Indicators Against Cyber-Attacks in Industrial Control Systems", Proceedings of the 17th Symposium on Usable Privacy and Security, 2021.
17. Atluri V., Horne J., "A Machine Learning based Threat Intelligence Framework for Industrial Control System Network Traffic Indicators of Compromise", SoutheastCon 2021, Atlanta, GA, USA, 2021, Pages 1-5.
18. Powell M., Brule J., Pease M., StoufferK., Tang C., Zimmerman T., ... & Zopf M., "Protecting Information and System Integrity in Industrial Control System Environments", NIST, 2022.
19. Toker F.S., Ovaz Akpinar K., ÖZÇELİK İ., "MITRE ICS Attack Simulation and Detection on EtherCAT Based Drinking Water System," 2021 9th International Symposium on Digital Forensics and Security (ISDFS), Elazig, Turkey, 2021, Pages 1-6.
20. Zahid H., Hina S., Hayat M. F., Shah G. A., "Agentless Approach for Security Information and Event Management in Industrial IoT", Electronics, 2023, Pages 1831.
21. ScienceSoft, "Siem-Based Apt Protection", https://www.scnsoft.com/services/security/siem/apt-protection retrieved October 12, 2018.
22. IBM Qradar, "IBM Security Qradar Suite", https://www.ibm.com/qradar, May 12, 2023.
23. HP ArcSight, "ArcSight Enterprise Security Manager", https://www.hpe.com/psnow/doc/c05100164.pdf?jumpid=in_lit-psnow-getpdf, May 12, 2023.
24. Wazuh, "The Open Source Security Platform", https://wazuh.com/, May 12, 2023.
25. Crowd Strike, "Indicators Of Attack Versus Indicators Of Compromise", https://go.crowdstrike.com/rs/281-OBQ-266/images/WhitepaperIOAvsIOC.pdf, October 13, 2018.
26. FireEye, "APT 28: A Window into Russia's Cyber Espionage Operations?", https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf, March 13, 2017.
27. Symantec, "W32.Duqu The precursor to the next Stuxnet", Version 1.4, 2011, https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-duqu-11-en.pdf, April 14, 2017.
28. F-Secure," Blackenergy & Quedagh - The Convergence Of Crimeware and APT Attacks", https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf, January 23, 2017.
29. Kaspersky," Targeted Cyberattacks Logbook", https://apt.securelist.com/, May 17, 2023.

DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS

Year 2023, Volume: 7 Issue: 3, 471 - 477, 31.12.2023

Adem Şimşek Ahmet Koltuksuz

https://doi.org/10.46519/ij3dptdi.1353341

Abstract

Cyber-attacks move towards a sophisticated, destructive, and persistent position, as in the case of Stuxnet, Dark Hotel, Poseidon, and Carbanak. These attacks are called Advanced Persistent Threats (APTs), in which an intruder establishes an undetected presence in a network to steal sensitive data over a prolonged period. APT attacks threaten the main critical areas of today's digitalized life. This threat covers critical infrastructures, finance, energy, and aviation agencies. One of the most significant APT attacks was Stuxnet, which targeted the software controlling the programmable logic controllers (PLCs) that are, in turn, used to automate machine processes. The other one was the Deep Panda attack discovered in 2015, which compromised over 4 million US personnel records because of the ongoing cyberwar between China and the US. This paper explains the difficulties of detecting APTs and examines some of the research in this area. In addition, we also present a new approach to detecting APTs using the Security Information and Event Management (SIEM) solution. In this approach, we recommend establishing APT rulesets in SIEM solutions using the indicators left behind by the attacks. The three basic indicator types are considered in the rulesets and are examined in detail.

Keywords

Cyber Security, Cyber War, APT, SIEM, Intrusion Detection System

References

1. J. Lee, B. Bagheri, H. Kao, "A Cyber-Physical Systems architecture for Industry 4.0-based manufacturing systems", Manufacturing Letters, Vol. 3, January 2015, Pages 18-23.
2. C. Tankard, "Advanced Persistent threats and how to monitor and deter them", Network Security, Vol. 2011, Issue 8, 2011, Pages 16-19.
3. Harknett, R. J. and Stever, J. A., "The New Policy World of Cybersecurity", Public Administration Review, Vol. 71, 2011, Pages 455-460. 4. M. Kenney, “Cyber-terrorism in a post-stuxnet world,” Orbis, Vol. 59, Issue 1, Pages. 111–128, 2015.
5. Kaspersky Lab, "The Darkhotel Apt - A Story Of Unusual Hospitality", Version 1.1, November 2014.
6. Kaspersky Lab, "Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage", https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/, October 1, 2018.
7. Group IB and Fox It, "Anunak: APT Against Financial Institutions". https://www.group-ib.com/resources/research-hub/anunak-apt/, October 2, 2018.
8. P. S. Radzikowski, "CyberSecurity: Expanded Look at the APT Life Cycle and Mitigation", http://drshem.com/2016/02/11/cybersecurity-expanded-look-apt-life-cycle-mitigation/#footnote-dsp-5061.2, October 10, 2018.
9. Dell, "Lifecycle of an Advanced Persistent Threat", 2012, http://www.redteamusa.com/PDF/Lifecycle%20of%20an%20Advanced%20Persistent%20Threat.pdf, October 10, 2018.
10. Sekharan, S. S., & Kandasamy, K., "Proﬁling SIEM Tools and Correlation Engines for Security Analytics", WiSPNET 2017 Conference, 2017, Pages 717-721.
11. Raja, N. M., & Vasudevan, R. A., "Rule Generation for TCP SYN Flood attack in SIEM Environment", 7th International Conference on Advances in Computing & Communications, 2017, Pages 580-587.
12. Anthony, R., "Detecting Security Incidents Using Windows Workstation Event Logs", SANS Institute, 2013, Pages 8-15.
13. Bryant, Blake D. and Hossein Saiedian. "A novel kill-chain framework for remote security log analysis with SIEM software." Computers & Security Vol. 67, 2017, Pages 198-210.
14. Chuvakin, A., "On "Output-driven" SIEM", http://blogs.gartner.co (Alladi, Chamola, & Zeadally, 2020)m/anton-chuvakin/2012/09/24/on-output-driven-siem/, September 8, 2018.
15. Alladi T., Chamola V., Zeadally S., "Industrial Control Systems: Cyberattack trends and countermeasures", Computer Communications, Vol. 155, 2020, Pages 1-8.
16. Mohammed A., Neetesh S., Peter B., "Investigating Ssable Indicators Against Cyber-Attacks in Industrial Control Systems", Proceedings of the 17th Symposium on Usable Privacy and Security, 2021.
17. Atluri V., Horne J., "A Machine Learning based Threat Intelligence Framework for Industrial Control System Network Traffic Indicators of Compromise", SoutheastCon 2021, Atlanta, GA, USA, 2021, Pages 1-5.
18. Powell M., Brule J., Pease M., StoufferK., Tang C., Zimmerman T., ... & Zopf M., "Protecting Information and System Integrity in Industrial Control System Environments", NIST, 2022.
19. Toker F.S., Ovaz Akpinar K., ÖZÇELİK İ., "MITRE ICS Attack Simulation and Detection on EtherCAT Based Drinking Water System," 2021 9th International Symposium on Digital Forensics and Security (ISDFS), Elazig, Turkey, 2021, Pages 1-6.
20. Zahid H., Hina S., Hayat M. F., Shah G. A., "Agentless Approach for Security Information and Event Management in Industrial IoT", Electronics, 2023, Pages 1831.
21. ScienceSoft, "Siem-Based Apt Protection", https://www.scnsoft.com/services/security/siem/apt-protection retrieved October 12, 2018.
22. IBM Qradar, "IBM Security Qradar Suite", https://www.ibm.com/qradar, May 12, 2023.
23. HP ArcSight, "ArcSight Enterprise Security Manager", https://www.hpe.com/psnow/doc/c05100164.pdf?jumpid=in_lit-psnow-getpdf, May 12, 2023.
24. Wazuh, "The Open Source Security Platform", https://wazuh.com/, May 12, 2023.
25. Crowd Strike, "Indicators Of Attack Versus Indicators Of Compromise", https://go.crowdstrike.com/rs/281-OBQ-266/images/WhitepaperIOAvsIOC.pdf, October 13, 2018.
26. FireEye, "APT 28: A Window into Russia's Cyber Espionage Operations?", https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf, March 13, 2017.
27. Symantec, "W32.Duqu The precursor to the next Stuxnet", Version 1.4, 2011, https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-duqu-11-en.pdf, April 14, 2017.
28. F-Secure," Blackenergy & Quedagh - The Convergence Of Crimeware and APT Attacks", https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf, January 23, 2017.
29. Kaspersky," Targeted Cyberattacks Logbook", https://apt.securelist.com/, May 17, 2023.

There are 28 citations in total.

Details

Primary Language	English
Subjects	Software Engineering (Other)
Journal Section	Research Article
Authors	Adem Şimşek 0000-0002-3610-9812 Ahmet Koltuksuz 0000-0002-2205-6238
Early Pub Date	December 25, 2023
Publication Date	December 31, 2023
Submission Date	August 31, 2023
Published in Issue	Year 2023 Volume: 7 Issue: 3

Cite

APA	Şimşek, A., & Koltuksuz, A. (2023). DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. International Journal of 3D Printing Technologies and Digital Industry, 7(3), 471-477. https://doi.org/10.46519/ij3dptdi.1353341
AMA	Şimşek A, Koltuksuz A. DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. IJ3DPTDI. December 2023;7(3):471-477. doi:10.46519/ij3dptdi.1353341
Chicago	Şimşek, Adem, and Ahmet Koltuksuz. “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”. International Journal of 3D Printing Technologies and Digital Industry 7, no. 3 (December 2023): 471-77. https://doi.org/10.46519/ij3dptdi.1353341.
EndNote	Şimşek A, Koltuksuz A (December 1, 2023) DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. International Journal of 3D Printing Technologies and Digital Industry 7 3 471–477.
IEEE	A. Şimşek and A. Koltuksuz, “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”, IJ3DPTDI, vol. 7, no. 3, pp. 471–477, 2023, doi: 10.46519/ij3dptdi.1353341.
ISNAD	Şimşek, Adem - Koltuksuz, Ahmet. “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”. International Journal of 3D Printing Technologies and Digital Industry 7/3 (December 2023), 471-477. https://doi.org/10.46519/ij3dptdi.1353341.
JAMA	Şimşek A, Koltuksuz A. DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. IJ3DPTDI. 2023;7:471–477.
MLA	Şimşek, Adem and Ahmet Koltuksuz. “DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS”. International Journal of 3D Printing Technologies and Digital Industry, vol. 7, no. 3, 2023, pp. 471-7, doi:10.46519/ij3dptdi.1353341.
Vancouver	Şimşek A, Koltuksuz A. DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS. IJ3DPTDI. 2023;7(3):471-7.

Download Cover Image

Article Files

Full Text

download

International Journal of 3D Printing Technologies and Digital Industry is lisenced under Creative Commons Atıf-GayriTicari 4.0 Uluslararası Lisansı