Cyber Incident Response and New Framewor


CYBER INCIDENT RESPONSE AND NEW FRAMEWORK FOR THE APT

By

Mohamed El Metaafy

A DISSERTATION

Submitted to

The University of Liverpool

in partial fulfillment of the requirements


for the degree of

MASTER OF SCIENCE

21/03/2016
ABSTRACT

CYBER INCIDENT RESPONSE AND NEW FRAMEWORK FOR THE APT


By

Mohamed Elmetaafy

The game of security cannot be successful without understanding the rules of engagement.
Long-term and sophisticated attacks target companies, governments and political activists,
and these incidents happen across different industries as well. A new class of threat called
Advanced Persistent Threat (APT) has emerged and is described as cyber intrusions against
military organisations. The term APT has been overloaded and means different things to
different people: for example, some people refer to attacks from China, and others consider
all attacks as part of the APT. The framework proposed in this dissertation allows the
incident response team to detect APTs more efficiently and improves the team's knowledge of
the phases of the attack by identifying and detecting various indicators of the adversary's
activity. The multistage framework can be described as multiple layers of security
components. The new framework includes layer 1, which has antivirus, NIDS/HIDS, firewall,
etc. The logs of the layer 1 components are used by a SIEM in layer 2 to show different
alerts and warnings. The components of the framework are logging modules, SIEM, indicators,
attack tree, kill chain and sandbox. The aim of this project is to determine whether a
complex multistage framework solution will limit or reduce the damage of a cyber attack, and
whether it will help the incident response team to detect the APT. A case study was
simulated to represent the benefits and the effectiveness of the new framework in limiting
or reducing the APT. Two groups test and evaluate the framework: group A uses the simulation
of the new framework whilst group B uses the original method in the second simulation. The
results of the simulation show that the new framework succeeds in detecting the malicious
files in all three attempts, which allows these types of APT to be detected and mitigated by
using different security solutions (SIEM, HIDS, NIDS and sandbox), while the traditional
method that used antivirus and antispyware fails to detect or prevent the APT. The new
framework provides appropriate methods for detecting APT.

DECLARATION
I hereby certify that this dissertation constitutes my own product, that where the language of
others is set forth, quotation marks so indicate, and that appropriate credit is given where I
have used the language, ideas, expressions, or writings of another.

I declare that the dissertation describes original work that has not previously been presented
for the award of any other degree of any institution.

Signed,

Mohamed El Metaafy

“This dissertation contains material that is confidential and/or commercially sensitive. It is
included here on the understanding that this will not be revealed to any person not involved in
the assessment process.”

Student, Supervisors and Classes:

Student name: Mohamed Elmetaafy

Student ID number: H00029871

GDI name: Samuel Sambasivam

CRMT class ID: LAUR-906-201582-3, 13-Aug-15

DA name: Yongge Wang

CAC class ID: UKL1.CKIT.702.H00023862

ACKNOWLEDGEMENTS

Firstly, I would like to express my deepest thanks and gratitude to Dr Yongge Wang for
his advice, professional guidance and providing me with the opportunity to complete this
research.

Finally, I would like to thank my mother, family and friends for their outstanding inspi-
ration to me and never ending support and encouragement.

TABLE OF CONTENTS
Page
LIST OF TABLES ................................................................................................ 2
LIST OF FIGURES .............................................................................................. 3
CHAPTER 1. INTRODUCTION ......................................................................... 5
1.1 SCOPE .......................................................................................................... 5
1.2 BACKGROUND ............................................................................................. 6
1.3 PROBLEM STATEMENT ................................................................................. 7
1.4 AIMS AND OBJECTIVES................................................................................. 8
1.5 APPROACH ................................................................................................... 9
1.6 OUTCOME .................................................................................................... 9
CHAPTER 2. BACKGROUND AND REVIEW OF LITERATURE ............ 10
2.1 BACKGROUND ........................................................................................... 10
2.2 INCIDENT RESPONSE .................................................................................. 11
2.3 ADVANCED PERSISTENT THREAT .............................................................. 15
2.4 THE IMPORTANT OF INCIDENT RESPONSE IN APT....................................... 22
2.5 INTRUSIONS DETECTION ............................................................................ 23
CHAPTER 3. ANALYSIS AND DESIGN ......................................................... 32
3.1 SIEM......................................................................................................... 33
3.2 INDICATORS ............................................................................................... 36
3.3 ATTACK TREE............................................................................................ 39
3.4 CYBER KILL CHAIN ................................................................................... 41
CHAPTER 4. IMPLEMENTATION (REALIZATION)................................. 47
4.1 CONFIGURATION AND INSTALLATION ........................................................ 47
4.2 SCENARIO .................................................................................................. 52
4.3 INTRUSION ATTEMPTS ............................................................................... 53
CHAPTER 5. RESULTS AND EVALUATION ............................................... 70
5.1 THE RESULT OF THE EXPERIMENT ............................................................. 70
5.2 ANALYSING THE RESULT OF THE NEW FRAMEWORK .................................. 75
5.3 COMPARE FRAMEWORKS ........................................................................... 94
CHAPTER 6. CONCLUSIONS.......................................................................... 95
6.1 AIMS AND OBJECTIVES............................................................................... 95
6.2 CRITICAL ANALYSIS .................................................................................. 96
6.3 FUTURE WORK .......................................................................................... 97
REFERENCES..................................................................................................... 98
APPENDICES .................................................................................................... 104

LIST OF TABLES

Table 1: Federal Incident Notification Guidelines (Us-cert, 2014) ....................... 15


Table 2: Analysis of past APT attacks ................................................................... 26
Table 3a: Methods to get into the victim's computer ............................................. 30
Table 4: The defence mechanism based on kill chain phases ................................ 46
Table 5: The result of malicious indicators........................................................... 78
Table 6: Intrusion Attempts 1, 2 and 3 .................................................................. 80
Table 7: The results comparison of group A and B ............................................... 94

LIST OF FIGURES

Page

Figure 1: Incident Response Phases ......................................................................... 6


Figure 2: Industries Represented ........................................................................... 10
Figure 3: Incident response lifecycle ...................................................................... 11
Figure 4: Attack Vectors ......................................................................................... 12
Figure 5: some statistics of Mandiant for APT ...................................................... 16
Figure 6: Highest risk associated with the successful APT ................................... 17
Figure 7: Examples for Delivery Methods (direct & indirect) .............................. 20
Figure 8: Several legitimate services and publicly tools. ...................................... 21
Figure 9: Types of intrusion.................................................................................. 24
Figure 10: Multi-stage framework ......................................................................... 32
Figure 11: A SIEM system architecture................................................................ 33
Figure 12: Magic Quadrant for SIEM .................................................................... 35
Figure 13: Indicator life cycle states ...................................................................... 36
Figure 14: Hunting for Indicators of Compromise ................................................ 38
Figure 15: An example of the attack tree ............................................................... 39
Figure 16: Accessing valuable information via APT attacks................................. 40
Figure 17: lifecycle of an APT kill chain............................................................... 42
Figure 18: Kill Chain Phases ................................................................................. 43
Figure 19: Security solutions that are installed for the simulations ....................... 47
Figure 20: Essential security capabilities of USM ................................................. 49
Figure 21: import virtual machine of USM ........................................................... 49
Figure 22: customize USM virtual machine .......................................................... 49
Figure 23: Configure the management interface ................................................... 50
Figure 24: Access to the server .............................................................................. 50
Figure 25: Administrator web interface ................................................................. 50
Figure 26: Login to the admin account ................................................................... 51
Figure 27: Deploy HIDS ........................................................................................ 51
Figure 28: Network assets...................................................................................... 51
Figure 29: the deployment process ........................................................................ 52
Figure 30: configuring the sensors of USM........................................................... 52
Figure 31: Using Metasploit framework to create VBA code ............................... 54
Figure 32: generating VBA code ........................................................................... 55
Figure 33: create new Macro ................................................................................. 55
Figure 34: Add VBA code the Excel sheet ............................................................ 56
Figure 35: A sample of an invoice ......................................................................... 56
Figure 36: Save the Excel sheet as Macro-Enabled Document .............................. 57
Figure 37: prepare the listener in Kali ................................................................... 58
Figure 38: start Veil-Evasion Framework.............................................................. 59
Figure 39: Using PowerShell to evade the antivirus solutions ............................... 60
Figure 40: generating the code ............................................................................... 60
Figure 41: The output of the generated code ......................................................... 61
Figure 42: Veil Framework main menu ................................................................. 61

Figure 43: Choosing auxiliary/macro_converter payload...................................... 62
Figure 44: Identify the path to a Powershell batch script ...................................... 62
Figure 45: The output of the generate code will be txt file .................................... 63
Figure 46: create Macro ........................................................................................ 63
Figure 47: insert VBS code .................................................................................... 64
Figure 48: CV used to trick the target .................................................................... 64
Figure 49: save the document as world macro enable document .......................... 65
Figure 50: using msfconsole to listen to the target ................................................ 66
Figure 51: choose payload ..................................................................................... 67
Figure 52: Generate exe file ................................................................................... 67
Figure 53: location of the exe file .......................................................................... 68
Figure 54: find Experiment 3 ................................................................................. 68
Figure 55: change the exe extension to jpg ............................................................ 68
Figure 56: using msfconsole to listen to the target ................................................ 69
Figure 57: Setting up of the exploit handler .......................................................... 70
Figure 58: McAfee quarantined the threat ............................................................. 71
Figure 59: The scan result of McAfee ..................................................................... 71
Figure 60: the attacker used session 1 to connect to the victim ............................. 72
Figure 61: McAfee Antivirus Plus fails to detect the malicious Excel sheet......... 72
Figure 62: The attacker succeeds to compromise the target .................................. 73
Figure 63: The scan result of McAfee ................................................................... 73
Figure 64: McAfee Antivirus Plus the success to detect the malicious file........... 74
Figure 65: Alien Vault succeeds to detect the malware ......................................... 74
Figure 66: The result of scanning malicious file by VirusTotal ............................ 75
Figure 67: indicators of several intruders .............................................................. 77
Figure 68: Attack tree of the APT attack for the three attempts ............................. 79
Figure 69: Dashboards overview ........................................................................... 82
Figure 70: AlienVault scan of vulnerabilities ........................................................... 83
Figure 71: AlienVault Port Scan for one or more hosts......................................... 83
Figure 72: List of events for a host ........................................................................ 84
Figure 73: The result of analysis ............................................................................ 85
Figure 74: Further details of vulnerabilities scan .................................................. 85
Figure 75: SIEM determines priority of vulnerability ........................................... 86
Figure 76: Current vulnerability according to severity .......................................... 87
Figure 77: HIDS event trends and data source ...................................................... 88
Figure 78: vulnerability and service of host 192.168.0.119 .................................. 89
Figure 79: SIEM reports ........................................................................................ 89
Figure 80: Hash file of uploaded document in first attempt .................................. 90
Figure 81: The result of scanning document with VirusTotal ............................... 91
Figure 82: hash file of the uploaded document in the second attempt................... 91
Figure 83: the result of scanning the Excel sheet in second attempt ..................... 92
Figure 84: hash file of uploaded document in third attempt .................................. 93
Figure 85: The result of scanning JPG photo in third attempt ............................... 93

Chapter 1. INTRODUCTION

Cyber attacks have spread rapidly since the adoption of the Internet: starting with viruses
and worms, then malware and, nowadays, botnets. A new class of threat called Advanced
Persistent Threat (APT) has emerged and is described as cyber intrusions against military
organisations. The term APT has been overloaded and means different things to different
people: for example, some people refer to attacks from China, and others consider all
attacks as part of the APT (Mandiant, 2010; Cole, 2012, pp. 3-4). However, APT has
extended to a wide range of industries and governments; it is not limited to the military
domain (Mandiant, 2013; Villeneuve et al., 2013; Chen, Desmet and Huygens, 2014; Field,
2013). According to Mandiant (2010), in most cases the standard security tools, such as
antivirus and antimalware programs, cannot detect APT malware. The main hypothesis of the
dissertation is that using a complex multistage framework solution will limit and reduce the
damage of a cyber attack and improve the detection of advanced persistent threats.
Long-term and sophisticated attacks target companies, governments and political activists;
these incidents happen across different industries as well. Multinational corporations can
be spread over several countries, and given multi-vectored APT challenges, establishing a
strong defence against APT is very important. Figure 2 shows numerous challenges for
companies, governments, political activists, etc. APT campaigns may aim to achieve financial
benefits for the country involved through the theft of valuable information and intellectual
property, where there is a close relationship between industry and government (Thales,
2014).

1.1 Scope
The proposed framework allows the incident response team to detect APTs more efficiently
and improves the team's knowledge of the phases of the attack by identifying and detecting
various indicators of the adversary's activity. The multistage framework can be described
as multiple layers of security components. The new framework (as shown in Figure 10)
includes layer 1, which has antivirus, NIDS/HIDS, firewall, etc. The logs of the layer 1
components are used by a SIEM in layer 2 to show different alerts and warnings. The incident
response team can use these alerts and indicators to draw the attack tree and connect the
parts of the complex attack, then identify the phase of the attack according to the kill
chain. The incident response team can use the sandbox to test suspicious files that may be
infected with malware. The top-down design methodology breaks the larger process into
smaller ones covering analysis of the intrusion kill chain, SIEM and robust indicator
maturity. The artefact will include a model, the processes and a framework to represent
solutions to APTs.
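As an added illustration that is not part of the dissertation or its author's implementation, the following Python sketch plays the layer 2 role described above: it normalises layer 1 sensor lines, extracts indicators, tags each event with a kill chain phase and assembles the per-host branch of an attack tree. The log format, the detection rules, the placeholder hash and the 192.0.2.0/24 internal range are assumptions made for this example.

```python
"""Layer 2 of the proposed framework in miniature: normalise layer 1 sensor
logs, extract indicators, tag each event with a kill chain phase and build
the per-host branch of an attack tree. Added example; all log lines, rule
names, the hash value and the internal address range are constructed."""
import re
from collections import defaultdict

# Kill chain phases in order, so "how far did the intrusion get" is a max()
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

INTERNAL_PREFIX = "192.0.2."      # assumed monitored network (RFC 5737 range)
OFFICE_APPS = {"EXCEL.EXE", "WINWORD.EXE"}

# Constructed layer 1 lines in a hypothetical "<ts> <sensor> key=value ..." format
LAYER1_LOGS = [
    "2016-03-01T09:00:12 NIDS src=203.0.113.7 dst=192.0.2.10 sig=SCAN_PORT_SWEEP",
    "2016-03-01T09:14:03 FW action=allow src=203.0.113.7 dst=192.0.2.10 dport=25",
    "2016-03-01T09:20:41 AV host=192.0.2.10 file=invoice.xlsm sha256=c0ffee00 verdict=clean",
    "2016-03-01T09:21:05 HIDS host=192.0.2.10 rule=process_spawn parent=EXCEL.EXE child=powershell.exe",
    "2016-03-01T09:21:30 HIDS host=192.0.2.10 rule=run_key_added value=updater.exe",
    "2016-03-01T09:22:10 NIDS src=192.0.2.10 dst=203.0.113.7 sig=TROJAN_REVERSE_SHELL",
    "2016-03-01T09:30:00 FW action=allow src=192.0.2.11 dst=198.51.100.5 dport=443",
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<sensor>\w+)\s+(?P<kv>.*)$")


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def parse_line(line):
    """Normalise one sensor line into a dict; None if the line is not parseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(p.split("=", 1) for p in m.group("kv").split() if "=" in p)
    ev["ts"], ev["sensor"] = m.group("ts"), m.group("sensor")
    # the affected asset: the explicit host, else the internal end of the flow
    if "host" not in ev:
        ev["host"] = ev["src"] if is_internal(ev.get("src", "")) else ev.get("dst")
    return ev


def classify_phase(ev):
    """Map a normalised event to a kill chain phase; None when it carries no phase evidence."""
    sensor, sig, rule = ev["sensor"], ev.get("sig", ""), ev.get("rule", "")
    if sensor == "NIDS" and sig.startswith("SCAN"):
        return "reconnaissance"
    if sensor == "AV" and "file" in ev:        # a document reached the host, even if AV says clean
        return "delivery"
    if sensor == "HIDS" and rule == "process_spawn" and ev.get("parent") in OFFICE_APPS:
        return "exploitation"                  # office application spawning a shell
    if sensor == "HIDS" and rule == "run_key_added":
        return "installation"                  # persistence established
    if sensor == "NIDS" and sig.startswith("TROJAN") and is_internal(ev.get("src", "")):
        return "command_and_control"           # internal host calling out
    return None


def extract_indicators(ev):
    """Atomic indicators (external IPs, hashes, file names) worth pivoting on."""
    inds = set()
    for key in ("src", "dst"):
        if key in ev and not is_internal(ev[key]):
            inds.add(("ip", ev[key]))
    for key in ("sha256", "file"):
        if key in ev:
            inds.add((key, ev[key]))
    return inds


def build_attack_tree(lines):
    """Per-host, time-ordered list of phase-bearing events: one branch of the attack tree."""
    tree = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        phase = classify_phase(ev) if ev else None
        if phase is None:
            continue
        tree[ev["host"]].append({"ts": ev["ts"], "phase": phase, "sensor": ev["sensor"],
                                 "indicators": extract_indicators(ev)})
    for branch in tree.values():
        branch.sort(key=lambda e: e["ts"])
    return dict(tree)


def furthest_phase(branch):
    """Deepest kill chain phase reached on one host's branch."""
    return max((e["phase"] for e in branch), key=KILL_CHAIN.index)


def branch_indicators(branch):
    return set().union(*(e["indicators"] for e in branch))


if __name__ == "__main__":
    for host, branch in build_attack_tree(LAYER1_LOGS).items():
        print(host, "reached", furthest_phase(branch))
        for e in branch:
            print("  ", e["ts"], e["sensor"], e["phase"], sorted(e["indicators"]))
```

Note that the antivirus line contributes a delivery event even though its verdict is clean, which is exactly the case the text makes for correlating layer 1 logs rather than trusting any single product.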

1.2 Background
An incident is an adverse event that causes potential harm to data or the system, while the
response is the action taken by the incident response team to understand the incident and
then recover operations to normal status (Cole, 2012). Computer security incidents are
frequently complex, so this large problem should be divided into components, and the inputs
and outputs of each component tested and examined (Pidawekar, 2014). The seven main phases
of incident response are presented in Figure 1, as follows:

• Pre-incident preparation: Preparing the organisation before the incident.
• Detection of incidents: Identify the potential and possible security incident.
• Initial response: Investigate and record all the details of the incident, then inform
the persons who should know about the incident.
• Formulate response strategy: According to the known facts, determine the best response
and action to be taken.
• Investigate the incident: Re-assess the data collected to understand and decide when it
happened and what happened, and determine the possible methods to prevent it in the future.
• Reporting: Write a report about the investigation to the decision makers.
• Resolution: Record the lessons learned and apply them next time.

Figure 1: Incident Response Phases

Schneier (2013), a pioneering security researcher, says on his blog:

“If you go back to the definition of security being protection, detection and response, this
feels like the last area that needs work, and the idea of incident response coordination
and working on a response is really important and something that isn’t there.”

Schneier wants to emphasise the importance of combining prevention and detection procedures
with an operational incident response plan. We cannot eliminate all threats, but we can
mitigate them more quickly. APT prevention measures should include Data Loss Prevention
technologies, firewalls, and management solutions like IPS, AV, IDS, etc. In the case of
APT, an effective response strategy allows the incident response team to prevent and detect
more efficiently (Prosise and Mandia, 2003).

In 2012, Mandiant's report on APT showed that 54% of compromised machines had malware,
whereas 100% of the analysed attacks used stolen credentials during the intrusion.
Meanwhile, Symantec's report described 18 zero-day vulnerabilities that had been exploited
up to 30 months before their public disclosure. In 2014, Mandiant provided a report showing
that threat actors remained undetected for about 229 days, as it becomes more difficult to
identify and detect attacks. Moreover, third parties, like content management service
providers or cloud providers, often inform organisations about an attack, but these
organisations may have been compromised long before the detection of the attack, which
happens 6-9 months later. Incident response is very important in order to minimise the
attack's damage; it starts from the moment the attack is detected and lasts until the
organisation has recovered to normal status and has made sure that this attack does not
happen again. One of the main characteristics of the APT attack is its persistence. As a
result, the incident response team has to get rid of the attack as soon as possible (Dan,
2013). In order to deal with APT, the incident response plan should have several methods to
prevent, detect and respond, in addition to managing zero-day vulnerabilities, new malware,
etc. If the company has top-secret data, APT incident response must have priority in the
business strategy and information security programs.

1.3 Problem Statement


Understanding the nature of the attack, that is, its complexity, stealth and persistence,
helps to find a solution to the problem. The majority of APTs have multiple stages, and each
of them provides the attacker with more information, resources and privileges to penetrate
the organisation. Also, understanding the persistence of APT usually means the attacker does
not give up easily until he achieves his goals; the attackers may be supported by nations or
organisations with the resources and capabilities to achieve their aims. Analysing the
indicators allows the incident response team to find the APT more efficiently, and
connecting these indicators with kill chain phases would be more practical. Several research
papers and dissertations discuss parts of the framework, like SIEM or intrusion detection,
but they do not cover the whole picture of a real attack. This dissertation covers more than
one topic, connects them in a comprehensive framework and then applies it to achieve the
dissertation goals.

1.4 Aims and objectives


The project will provide a comprehensive framework to represent a model of multi-stage
attacks. This multistage model includes an attack threat model to analyse and describe
attacks towards computer systems and, in addition, to understand the characteristics of the
adversary. The output of the attack threat model can help to identify the phase of the attack
on the kill chain attack model. The framework can help the incident response team to
identify the objectives, intent and strategies of the attacker, then respond correctly
against these APTs. Moreover, the framework can map the numerous links, relationships and
procedures. To meet these aims, the following objectives must be met:

1. To research and review IRs and APTs, covering various topics such as traditional IR,
APTs, indicators and the indicator life cycle, cyber adversaries, threat models, the kill
chain, and Security Information and Event Management (SIEM) systems.
2. To design and implement a new framework.
3. To provide two simulations of an attack over a virtual network, tested by two groups in
a user study. The first simulation will use the framework model of multi-stage attacks and
import log data from different sources into the SIEM for analysis, while the second
simulation will represent the original approach.
4. The results of the evaluation from the two groups will show whether the framework model
of multi-stage attacks can identify and detect APTs, compared with the second simulation
using default security settings.

1.5 Approach
The new framework is the research method used to achieve the goals and hypotheses of the
dissertation. A case study will be simulated to represent the benefits and the effectiveness
of the new framework in limiting or reducing the APT. There will be two groups to test and
evaluate the framework: group A will use the simulation of the new framework whilst group B
will use the original method in the second simulation. The scenario of the case study
represents an adversary's attempt to attack the network by leveraging a ‘zero-day’
vulnerability and a brute force attack. Since every defence has blind spots, an Intrusion
Detection System (IDS) can be effective. If the intruder triggers one or more registered
detection rules, it commonly generates negative and positive alerts. Also, the antivirus
cannot detect malware whose signature does not exist in its database. Moreover,
vulnerabilities can exist for a long time, and users usually do not have awareness and
adequate training, even the users who access sensitive assets. If the adversary discovers
these vulnerabilities via network reconnaissance or in combination with social engineering,
this may allow the attacker to launch serious attacks.

1.6 Outcome
The two user groups will get data from the components of the new framework and the
original approach respectively. For example, the case study will be applied to the two
frameworks, and the users of group A will get results and alerts from SIEM, HIDS/NIDS,
sandbox tools, etc. These results will be analysed and compared with the results of the
original approach.

Chapter 2. BACKGROUND AND REVIEW OF LITERATURE

2.1 Background
The game of security cannot be successful without understanding the rules of engagement.
Long-term and sophisticated attacks target companies, governments and political activists;
these incidents happen across different industries as well. Figure 2 represents a survey of
19 industries showing the incident response share of each industry. The technology/IT sector
has the highest share of incidents (15%) whilst engineering and consultation are represented
by 0.5% (Torres, 2014).

Figure 2: Industries Represented (Torres, 2014)

Multinational corporations can be spread over several countries, and given multi-vectored
APT challenges, establishing a strong defence against APT is a very important aspect. The
statistics of Thales (2014) and Verizon (2015) show numerous challenges for companies,
governments, political activists, etc. APT campaigns may aim to achieve financial benefits
for the country involved through the theft of valuable information and intellectual
property, where there is a close relationship between industry and government.

2.2 Incident Response
The guide from the National Institute of Standards and Technology (NIST) defines an event
in a network or a system as any observable occurrence, such as a user sending email,
receiving requests for web pages, connecting to a file share, a firewall blocking a
connection attempt, etc. Adverse events are events with a negative consequence, such as
unauthorised access to data, packet floods, malware that destroys data, system crashes, and
so on. A computer security incident is a violation of computer security policies, standard
security practices or acceptable use policies (Scarfone, Grance and Masone, 2008; Cichonski
et al., 2012). The NIST guide provides four main phases for responding to incidents. Each of
these phases can be an iterative process as new information becomes available (Coughanour,
2014). Figure 3 shows the Incident Response Lifecycle, which contains four phases:

Figure 3: Incident response lifecycle (Cichonski et al., 2012)

Preparation:

NIST identifies the need to establish and maintain an incident response capability alongside
the preventive efforts to secure the environment and reduce the number of incidents. This
phase is the foundation of an incident response program's success; it contains pre-planning
activities, such as maintaining the capabilities of incident response in the form of
technology and staff; network documentation; maintaining contact rosters; and the creation
and approval of security policies, including an established incident notification process,
user privacy expectations, warning banners, etc. This preparation may include pre-deploying
incident handling assets like:

• Monitors, probes and sensors on critical systems to monitor processes, disk space, CPU
utilisation and access to the application.
• Tracking data based upon minimum security during normal operations, active audit logs for
the network components and servers, and the corporate Configuration Management Database
(CMDB).

The second phase of the incident response lifecycle is detection and analysis. Organisations
should be prepared to handle any incident, especially incidents that use common attack
vectors. The attack vectors below show the common methods of attack and are used as a basis
to define specific handling procedures, as shown in Figure 4.

• Removable Media/External: The attack is executed from external or removable media, like a
USB flash drive that has malicious code.
• Attrition: An attack may use brute force methods to compromise or destroy systems, services
or networks, like a DDoS to deny access to a service.
• Email: The attack can be launched through an attachment or an email message (e.g. a link to
a malicious website in the message).
• Web: This attack is launched from a web-based application or a website (e.g. cross-site
scripting).
• Impersonation: This attack is related to replacing something benign with something
malicious, such as man-in-the-middle attacks, spoofing, rogue wireless access points, etc.
• Other Attacks: This category includes attacks that do not suit any of the previous
categories.

Figure 4: Attack Vectors

The most important part of the incident response process for many organisations is identifying and detecting possible incidents. Three factors cause several challenges here:

• Incidents are detected by different means with different levels of detail. Automated detection includes log analysers, antivirus software and IDPSs, while manual detection happens when a user reports a problem.
• The number or volume of signs of incidents is large; receiving millions of intrusion detection sensor alerts per day is not uncommon.
• Experience and technical knowledge are vital for an efficient analysis of an incident.

Signs are divided into two main categories: precursors and indicators. A precursor is a sign that an incident may occur in the future, while an indicator is a sign that an incident is currently underway or occurring now.

Containment, eradication and recovery

This phase is the next major step of the response: it begins after an incident has been identified and before the damage increases or the incident overwhelms resources. Kessler (2014) lists several questions that require answers at this stage, such as:

• Should the system be shut down?
• Should the network be disconnected from the machine?
• Is it better to disable some functions, protocols, ports or services?

Containment strategies depend on the type of incident; containing a network-based DDoS attack is very different from containing an email-borne malware infection. Organisations should create strategies that consider the duration of a solution, the time and resources needed, potential damage, service availability, the need for evidence preservation and the effectiveness of the strategy. Eradication eliminates components of the incident, such as deleting malicious software or code snippets, closing the applicable firewall ports and disabling accounts on the system. Recovery activities restore the affected system: rebuilding the system from scratch, restoring from uninfected backups, changing administrative passwords and adding new security parameters on boundary devices after the incident to ensure full recovery.

The recovery portion centres on remediation of the environment in order to prevent future recurrence. NIST suggests prioritising such actions, beginning with steps that can be taken within days to weeks and then focusing on larger initiatives, such as infrastructure changes, which may take months to implement.

Post-incident activity

NIST discusses the importance of post-incident activities, in particular a lessons-learned exercise after the event. The lessons learned help to improve the post-incident effort and should be recorded, along with suggestions, in the incident documentation. The members of the incident response team should summarise and evaluate the techniques used, the effort, the threat realised, the timing of the response and the supporting actions, in order to improve the next response, the mechanisms within the response team and the security of the organisation.

2.1.1 Incident categories


In 2014, the United States Computer Emergency Readiness Team (US-CERT) stated that new federal incident notification guidelines were to take effect to refine the reporting of cyber security incidents; the advice is to include the information below in an incident report (Us-cert, 2014):

• Agency name
• Incident date and time
• Incident Category as shown in Table 1
• Source IP, Destination IP, Source port, Destination port and protocol
• Operating Systems, patches, etc
• Location of the system
• Impact to agency
• System Function

US-CERT provides a set of concepts and descriptions to improve communications between agencies. US-CERT utilises the event categories, incident criteria and reporting timeframe criteria shown in Table 1.

Table 1: Federal Incident Notification Guidelines (Us-cert, 2014)

2.3 Advanced Persistent Threat


Since the adoption of the Internet, cyber attacks have spread rapidly, starting with viruses and worms, then malware and nowadays botnets. Recently, a new class of threat called Advanced Persistent Threat (APT) has emerged; it originally described cyber intrusions against military organisations. However, APT has extended to a wide range of industries and governments; it is not limited to the military domain (Mandiant, 2013; Villeneuve et al., 2013; Chen, Desmet and Huygens, 2014; Field, 2013). According to Mandiant (2010), in most cases the standard security tools, such as antivirus and anti-malware programs, cannot detect APT malware. The statistics of Figures 2-5 illustrate that security software only detects 24% of all APT malware. The statistics also show how difficult it is to detect and identify APT techniques: the analysis of APT malware shows that 10% of APT backdoors were packed, using common filenames such as iprinp.dll, iexplore.exe, svchost.exe and winzf32.dll, service persistence and process injection. APT backdoors can communicate over distinct chat protocols, which allows the attackers to use file transfers and command shells on the infected machine; this method of communication is difficult to detect. Furthermore, Mandiant (2010) found that 60% of APT backdoor samples were persistent on the machine, 30% used process injection to avoid detection and 100% of APT backdoors made only outbound connections. The persistence mechanisms of the backdoors, shown in Figure 5, are a Windows service in 76% of cases, the HKLM Run registry key in 21% and others in 3%.

Figure 5: Some statistics of Mandiant for APT (pie charts: APT malware detected 24% vs. undetected 76%; persistence by Windows service 76%, HKLM Run registry key 21%, other 3%)


ISACA (2013, P. 11) conducted a survey to discover the highest risks associated with
the successful APT attacks, as shown in Figure 6.

Figure 6: Highest risk associated with the successful APT (ISACA; 2013, P. 11)

2.2.1 What is an APT?

APT is a category of cyber crime directed at political and business targets; it requires a high degree of stealth to succeed and achieve its goals. Damballa (2015) and ISACA (2013, P. 11) summarise the defining characteristics of an APT as follows:

• Advanced:

The attackers behind the threat use a wide range of computer intrusion techniques and technologies, even though the individual components of the attack may not be advanced in themselves, for example easily procured exploit material or common malware components generated from construction kits. The attackers usually combine multiple attack tools and methodologies to compromise their target.

• Persistent:

The attacker focuses on a particular task and gives it priority rather than seeking immediate financial gain. The APT attacker usually keeps monitoring and interacting continuously to achieve the defined objectives using a low-and-slow approach.

• Threat:

The threat of an APT is not based only on an automated piece of code; it also involves a level of coordinated human involvement. The attackers are usually organised, motivated, skilled, well funded and have a specific objective.

The APT has made global headlines; the term has been overloaded and means different things to different people. For example, some people use it to refer to attacks from China, while others consider all attacks to be part of the APT (Mandiant, 2010; Cole, 2012, PP. 3-4). In 2005, the term 'advanced persistent threat' was adopted by security analysts working for the US Air Force to discuss particular espionage attacks without identifying the source of the threats (ISACA, 2013, P. 12). The Joint Task Force Transformation Initiative (2011), or NIST, provided a clear definition of APT:

“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.”

The NIST definition provides a good basis for understanding the difference between APTs and traditional threats. Below is a brief explanation of the four main characteristics of APTs drawn from the NIST definition:

(1) Clear Goals and Precise Targets

APT attacks have clear goals and are highly targeted. The targets of APTs include organisations and governments with high-value intellectual property. In 2013, FireEye's statistics showed the top ten industries targeted by APT: governments, finance, education, high-tech, energy, telecommunications, consulting, chemical, aerospace and healthcare. APT attacks usually limit their attack range and pre-define their targets, while the APT's objectives focus on strategic benefits that bring competitive advantages, such as trade secrets, intellectual property, national security data and so on. The majority of traditional threats focus on financial gain, such as credit card data and personal information.

(2) Attackers are Highly Resourced and Organised

According to Kaspersky (2013), APT actors can be highly skilled groups working for military cyber units, state intelligence or governments, or cyber mercenaries hired by private companies and governments. These groups have high resources, technically and financially, that allow them to work for long periods and to get access to attack tools and zero-day vulnerabilities (Chen, Desmet and Huygens, 2014).

(3) A Long-Term Campaign

An APT attack is designed as, or happens over, a long-term campaign; it stays undetected and undiscovered for several months or years in the target's network. APT attackers continue their campaign until the attempt succeeds, which differs from traditional threats: traditional attackers have many victims and move on to easy targets when they cannot penetrate the initial target (Chen, Desmet and Huygens, 2014).

(4) Evasive and Stealthy Techniques

APT attacks conceal themselves and stay stealthy or undetected within the target's network traffic to achieve the defined objectives, for example by using zero-day exploits in order to avoid signature-based detection.

2.2.2 Phases of an APT Attack

According to Jeong et al. (2013, P. 60), an APT attack has six phases: intelligence gathering; point of entry; command and control; lateral movement; asset discovery and data exfiltration. Chen, Desmet and Huygens (2014, P. 65) and Cole (2012, P. 26) discuss the six phases below:

1. Reconnaissance and Weaponization

In the reconnaissance or information gathering phase, the attackers study and identify the targeted organisation and collect information about its technical environment using engineering techniques or open source intelligence tools. This information includes hardware and software configurations and employees' personal profiles. APT actors may employ big data analytics and data mining techniques to process the gathered data.

2. Delivery

APT actors deliver their exploits to the targets using direct and indirect methods, as shown in Figure 7. In the direct method, attackers send exploits through social engineering techniques such as spear phishing. Indirect methods (e.g. a watering hole attack) involve compromising a third party that has the trust of the target (e.g. software/hardware, or a website regularly visited by the target) and then using that third party to compromise the target (Li and Clark, 2015, PP. 98-102; Haq and Khalid, 2013; Trend Labs APT Research Team, 2012).

Spear Phishing: Spear phishing is a form of phishing attack that sends fraudulent emails to a small group of selected victims. It can be used during the information gathering phase, and the attachment of the fraudulent emails may carry a link to a malicious site that serves drive-by-download exploits or includes a vulnerability exploit. However, malicious attachments are usually used in APT attacks because people normally share files like business documents and reports.

Watering Hole Attack: The APT actors infect a third-party website that is regularly visited by the target with malware. When the target person visits the infected webpages, the delivery is accomplished.

Figure 7: Examples for Delivery Methods (direct and indirect)

3. Initial Intrusion

This phase occurs when the APT actor gains unauthorised access to a computer or network of the target; alternatively, the attackers can use social engineering to obtain access credentials or otherwise gain legitimate access. In the previous phase, the attacker delivered malicious code; when the exploit executes successfully in this phase, the attacker gains access to the victim's machine. APT attackers pay particular attention to vulnerabilities in Internet Explorer, Microsoft Office, Adobe Flash and Adobe PDF, besides leveraging zero-day exploits.

4. Command and Control

Once the attacker has successfully established a backdoor, the attacker uses Command and Control mechanisms to take control of the compromised computers, and uses legitimate services to evade detection, as shown in Figure 8 (Cole, 2012).

Figure 8: Several legitimate services and publicly available tools


5. Lateral Movement

When the attacker has established communication with the Command and Control server and has compromised systems, the attacker expands inside the target organisation's network to discover and collect valuable data. The attacker may crack or steal credentials to obtain legitimate access so that the activities remain untraceable or undetectable.

6. Data Exfiltration

The main target of an APT attack is stealing sensitive information to gain strategic benefits; therefore, data exfiltration is an important phase. APT actors usually transfer encrypted and compressed data to the attacker's external locations. The attackers use secure protocols such as SSL/TLS during the transmission, or even leverage the Tor network (Chen, Desmet and Huygens, 2014, P. 68; Jeong et al., 2013, P. 60).

2.4 The importance of incident response in APT


Incident response cannot eliminate APT threats completely; however, it can mitigate the threat quickly. Preventative measures against APT include unified threat management solutions (e.g. IDS, IPS), Data Loss Prevention technologies and Next Generation firewalls. In the case of APT, the response role is as important as prevention, and detection is strengthened by effective response strategies (Pidawekar, 2014). In 2012, Mandiant's report on APT showed that 54% of compromised machines had malware, whereas 100% of the analysed attacks used stolen credentials during the intrusion. Meanwhile, Symantec's report described 18 zero-day vulnerabilities that had been exploited for up to 30 months prior to public disclosure. In 2014, Mandiant provided a report illustrating that threat actors remained undetected for about 229 days, as it has become more difficult to identify and detect attacks promptly. Moreover, third parties, such as content management service providers or cloud providers, often inform the organisation about the attack, but the organisation may have been compromised much earlier; the detection of the attack happens 6-9 months later (Mandiant, 2014). Incident response is very important in order to minimise the attack damage; it starts from the moment the attack is detected and lasts until the organisation has recovered to a normal status, while making sure the attack does not happen again. One of the main characteristics of the APT attack is persistence. As a result, the incident response team has to get rid of the attack as soon as possible (Dan, 2013). In order to deal with APT, the incident response plan should have several methods to prevent, detect and respond, in addition to managing zero-day vulnerabilities, new malware, etc. In case a company holds top-secret data, APT incident response must have priority in the business strategy and information security programmes (Mandiant, 2014; Chappel, 2014).

The incident response plan deals with all adverse events and prospective threats that can damage the organisation. The purpose of an incident plan is to ensure that actions are taken to limit, reduce or prevent any recurrence of the particular event whenever a damaging event takes place. Several important elements should be considered in the incident response plan, as follows (Pidawekar, 2014; Cole, 2012):

• Tools and techniques should be used to document the different scenarios, findings, validation of results, process and overall progress.
• The role of management is to identify a highly skilled team that is dedicated to incident response.
• Senior executives should participate in the risk assessment of the organisation's critical infrastructure.
• Secure configuration improves the corporate infrastructure. Also, the incident response guidelines should be followed throughout attacks, with well-defined roles for management and staff.
• Maintaining the integrity of data is essential for any incident response team, as is planning to handle and preserve evidence during analysis and reporting.

2.5 Intrusion Detection


An intrusion can be defined as an attempt to compromise the confidentiality, integrity and availability of resources; such intrusions cause serious problems (Heady et al., 1990). There are six main types of intrusion, as follows:

1. Attempted break-ins: These can be detected via identifying violations of security constraints or typical behaviour profiles.
2. Masquerade attacks: These can be detected via identifying violations of security constraints or typical behaviour profiles.
3. Penetration of the security control system: These can be detected through monitoring for certain patterns of activity.
4. Leakage: Can be detected during the use of system resources.
5. Denial of service: Can be detected during the use of system resources.
6. Malicious use: Can be detected via identifying violations of security constraints or typical behaviour profiles, or use of special privileges.

Figure 9: Types of intrusion

Anderson (1980) categorised intruders as external intruders and internal intruders. Anderson also divided intrusion detection into misuse/signature-based intrusion detection and anomaly-based intrusion detection.

• Misuse/Signature-based intrusion detection

A misuse-based detection system relies on a database of signatures of known attacks. The IDS collects audit data and compares it with the database's content; if a match is found, an alert is generated, while unmatched events are considered part of legitimate activity (Koskei, 2008; Anderson, 1980). The study of IDS has helped researchers to understand misuse detection for systems and networks. However, misuse-based intrusion detection has a disadvantage: there is a gap between the signatures applied in the IDS to detect threats and the discovery of new threats.
• Anomaly-based intrusion detection

Anomaly-based detection is a behaviour-based method. It rests on the assumption that all anomalous activities are malicious and that all attacks are a subset of the anomalous activities. By building a model of the normal behaviour of the system, it looks for anomalous activities that do not conform to the established model (Koskei, 2008). Denning (1987) created the first real anomaly-based IDS model, called the Intrusion Detection Expert System (IDES), to detect known malicious activity. Another approach is that of Forrest et al. (1996), who created a similar IDS in order to immunise the system; this was achieved by detecting anomalous system call sequences that appear whenever an attack happens. Another approach, developed by Lane and Brodley (1999), distinguishes the behaviour of normal users from that of illegitimate users by comparing the behavioural sequence with historical user profiles.
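To make the contrast between the two families concrete, the following is an added illustration (not code from IDES, Forrest et al. or any other cited system): a signature matcher over constructed audit traces beside a Forrest-style anomaly detector that learns the system-call n-grams of normal behaviour. The signature set, the traces, the n-gram length and the threshold are all constructed for the example.

```python
"""Misuse (signature) and anomaly-based detection on constructed audit traces.

Added illustration of the two IDS families discussed in the text; it is not
code from IDES, Forrest et al. or any other cited system. The traces are
constructed system-call sequences in the spirit of Forrest et al. (1996):
the anomaly detector learns the short call sequences (n-grams) seen during
normal operation and flags traces containing many unseen sequences.
"""
import re

# --- Misuse / signature-based detection -------------------------------------
# Constructed signature database: name -> regex over the trace rendered as a
# space-separated string of system-call names.
SIGNATURES = {
    "reverse-shell": r"\bsocket connect (\w+ )*execve\b",
    "privilege-escalation-shell": r"\bsetuid execve\b",
}


def signature_detect(trace, signatures=SIGNATURES):
    """Names of matching signatures; an empty list means 'legitimate'."""
    text = " ".join(trace)
    return [name for name, pat in signatures.items() if re.search(pat, text)]


# --- Anomaly-based detection -------------------------------------------------
def ngrams(trace, n):
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(normal_traces, n=3):
    """Model of normal behaviour: every length-n call sequence seen in training."""
    profile = set()
    for trace in normal_traces:
        profile.update(ngrams(trace, n))
    return profile


def anomaly_score(trace, profile, n=3):
    """Fraction of the trace's n-grams that the normal profile has never seen."""
    grams = ngrams(trace, n)
    if not grams:
        return 0.0
    return sum(1 for g in grams if g not in profile) / len(grams)


def anomaly_detect(trace, profile, n=3, threshold=0.2):
    return anomaly_score(trace, profile, n) > threshold


# --- Constructed sample data -------------------------------------------------
NORMAL_TRACES = [  # day-to-day behaviour of a hypothetical network service
    ["socket", "bind", "listen", "accept", "read", "write", "close"],
    ["socket", "bind", "listen", "accept", "read", "open", "read", "write", "close"],
    ["open", "read", "close", "open", "write", "close"],
]
KNOWN_ATTACK = ["socket", "connect", "dup2", "execve"]            # has a signature
NOVEL_ATTACK = ["accept", "read", "mmap", "mprotect", "fork", "ptrace", "write"]  # no signature yet
BENIGN_NOVELTY = ["open", "write", "close", "unlink"]              # new but legitimate


def evaluate(trace, profile):
    """Run both detectors on one trace and return their verdicts."""
    return {
        "signature": signature_detect(trace),
        "anomaly": anomaly_detect(trace, profile),
        "score": round(anomaly_score(trace, profile), 2),
    }


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in [("normal", NORMAL_TRACES[0]), ("known attack", KNOWN_ATTACK),
                        ("novel attack", NOVEL_ATTACK), ("benign novelty", BENIGN_NOVELTY)]:
        print(f"{name:15s} {evaluate(trace, profile)}")
```

The run shows the gap the text describes: the signature matcher misses the novel trace entirely, while the anomaly detector catches both attacks but also flags the benign-but-unseen trace, which is the false-positive cost of assuming every anomaly is malicious.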

2.4.1 Detection of past APT attacks

Table 2 shows well-known past APT attacks, which are Stuxnet, Flame, Operation Aurora, Duqu, MiniDuke, Night Dragon, the RSA Breach and Red October, based on the categories of APTs and the associated attack vectors. They are then compared according to year of detection, PE executable, key logging, initial infection, motivation, encryption, evasion and replication (Giura and Wang, 2012; Knapp and Langill, P. 41, 2014; Zulkefli, Singh and Malim, 2015):

Table 2: Analysis of past APT attacks

| APT's name | Stuxnet | Operation Aurora | Flame | Duqu | Night Dragon | RSA Breach | Red October | MiniDuke |
|---|---|---|---|---|---|---|---|---|
| Detected | 2010 | 2010 | 2012 | 2011 | 2011 | 2011 | 2012 | 2013 |
| PE executable | DLL | DLL, EXE | OCX | DLL | EXE | EXE | EXE | EXE |
| Initial infection | Unknown but, by theory, caused by USB device | Spear phishing (malicious links) | Unknown but, by theory, caused by USB device | MS Word | Unknown | Excel, spear phishing (Java) | MS Word & Excel, spear phishing (Java) | PDF |
| Key logging | No | No | Yes | No | Yes | Yes | No | No |
| Replication | Removable drive, network | Manual | Manual | Manual | Manual | Manual | Manual | Manual |
| Motivation | Sabotage, slowing down the program | Gathering information | Gathering information | Gathering information | Stealing information | Stealing information | Gathering information | |
| Encryption | XOR | Port 443, HTTP | XOR, RC4, Subs | XOR, CBS, AES | Victim-dependent | Unknown | XOR | Unique per victim, XOR, ROL |
| Evasion | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
Stuxnet

In 2010, a sophisticated computer worm was discovered, with samples dating back to June 2009; it was named Stuxnet. Stuxnet is an APT attack against Iranian uranium enrichment infrastructure, specifically the Natanz uranium enrichment plant. This was done by exploiting Microsoft Windows vulnerabilities and then spreading through the entire network, targeting Siemens equipment and software and causing it to malfunction. This type of threat endangers the security of control systems, such as supervisory control and data acquisition (SCADA) systems used to control vital infrastructures and networks, including offshore equipment, onshore fuel facilities, fuel pumping devices, water valve devices, electricity generation, etc. (Giura and Wang, 2012).

Operation Aurora

Another attack, called Operation Aurora, ran from mid-2009 until December 2009 and was carried out as a series of cyber attacks. Operation Aurora used a malware attack against 30 major companies, such as Google, Adobe, Symantec, Yahoo, Morgan Stanley, Northrop Grumman, etc. (FireEye, 2012; Jackson, 2010).

Duqu

In 2011, a malware was detected that had close similarities with Stuxnet. Researchers believe the same team that developed Stuxnet developed Duqu, but the main goal of Duqu was espionage instead of destruction. Duqu infected over 50 targets worldwide. Duqu remained active for 36 days after activation before self-destructing; however, the attackers can change the destruction time so that it remains as long as required. Duqu is harder to detect and allows attackers to access other systems on the network, as well as compromising certificates to sign its components (Ginter, 2012).

Night Dragon

In 2011, McAfee discovered a series of attacks against petrochemical, energy and oil companies. The main purpose of the attack was extracting information. Night Dragon is an APT that infiltrated critical systems and was involved in the theft of sensitive information that could be used for different purposes or motivations. It started with SQL injection against the web servers using standard tools and acquired additional usernames and passwords to infiltrate the internal PCs and servers. Moreover, Night Dragon established Remote Administration Toolkits (RATs) and C&C servers. Important information was extracted from these systems, and this information could be used in further targeted attacks (Knapp and Langill, P. 41, 2014).

RSA Breach

In 2011, the security division of the storage vendor EMC (RSA) became a victim of cyber attacks. With the generation of tokens compromised, the SecurID one-time-password tokens of a thousand RSA customers had to be reissued. The attackers successfully exfiltrated data from EMC (a forensic tool called NetWitness was used by EMC to capture data packets for suspicious behaviour). The investigation found that, through the infected machines, the attackers succeeded in revealing the encryption key of EMC; the exfiltration traffic was then decrypted. The captured traffic shows that the secret seeds of SecurID tokens were stolen (Green, 2015, P. 13).

Flame

In 2012, a modular malware called Flame was discovered by the CrySyS Lab of the Budapest University of Technology and Economics, Kaspersky Lab and the MAHER Center, the Iranian National Computer Emergency Response Team (CERT). Flame attacks Microsoft Windows operating systems in Middle Eastern countries, for example attacking Iranian Oil Ministry computers to collect intelligence for cyber sabotage. Flame's command and control server can call back to download other malware modules (Jajodia et al., 2015, P. 38). Flame is like Duqu and has the ability to intercept emails and take screenshots, use microphones to record conversations and capture various other types of information.

Red October

In 2012, Red October was discovered. Researchers believe Red October had been active since May 2007; it aimed to gather information from governmental, diplomatic and scientific agencies. The characteristics of Red October seemed different, with three malware samples. Furthermore, it used one component with a minimalistic architecture to connect to the C&C servers. Researchers estimated and identified over 1000 modules that could be downloaded and executed by the attackers to perform a wide range of tasks. For this reason, the detection of Red October took several years. Red October allowed attackers to steal information from iPhones and Nokia phones and to recover deleted files from removable drives (Virvilis and Gritzalis, 2013).

MiniDuke

MiniDuke was detected in 2013. The architecture of MiniDuke included pure assembly
coding for its payload and modern exploitation techniques in order to bypass the PDF
sandbox of Adobe (Virvilis, Gritzalis and Apostolopoulos, 2013).

2.4.2 Methods used by APT attackers

Attackers can use various methods to gain access to the victim's system, as shown in Tables 3a and 3b. The tables show how these methods use protocol exploitation and malware to achieve the attackers' goals when targeting the victim. The tables also list the attacker's methods, attacks, motives and techniques (Giura and Wang, 2012; Virvilis, Gritzalis and Apostolopoulos, 2013; Zulkefli, Singh and Malim, 2015):

Table 3a: Methods to get into the victim's computer

| Methods | Exploiting communication | Exploiting web infrastructure | Spear phishing | Exploiting social network |
|---|---|---|---|---|
| Attacks | Exploiting DNS protocol; compromising SMTP server; insecure HTTP and FTP server | SQL injection and XSS | Spear phishing | Spear phishing |
| Motives | Redirect users to malicious sites; spear phishing; hosting malware | Redirect users to a malicious domain by inserting a malicious iframe into the database of a vulnerable website; extract the details of the database by using SQL vulnerabilities | Whenever the user is redirected to a malicious domain, malware is downloaded into the system, or an infected attachment is downloaded | Encourage the user to click on the link provided |
| Technique | DNS cache poisoning; malware | Browsing a vulnerable website | Spear phishing; using a malicious iframe; attaching files embedded with malicious code | Social engineering |

Table 3b: Methods to get into the victim's computer

| Methods | Physical attack | Exploiting co-location services | Rootkit and Remote Access Control |
|---|---|---|---|
| Attacks | Hardware with backdoor; Teensy device; portable devices | Online chatting and instant messaging; Bluetooth, weak wireless or rogue WiFi; cloud provider and virtual hosting | Rootkit; Remote Access Control |
| Motives | The malware copies itself when the USB stick is plugged into another system; direct malware installation; capture keystrokes and execute payload | Clicking the malware, gathering information, hosting of malware for drive-by download and taking control of the hosting server | Hide the infection and download malware into the system; allows remote management |
| Technique | Pwn Plug; worm; Pineapple WiFi | Spear phishing; spoofed IP address; virtual WiFi function in Windows; malicious iframe injection | TDL; PoisonIvy; Zero Access; GhostRAT |
Chapter 3. ANALYSIS AND DESIGN

The aim of this project is to determine whether using a complex multi-stage framework solution will limit or reduce the damage of a cyber attack, and whether it will help the incident response team to detect advanced and persistent threats. In order to design and create the required simulation model of the Multi-Stage framework, security layers are designed to achieve the goals and objectives of this project. Figure 10 shows the components of the framework, which are logging modules, SIEM, indicators, attack tree, kill chain and sandbox. Each of these components is briefly discussed; the defence mechanism is then identified, as shown in Table 1, by linking all of the components of the framework, such as HIDS, SIEM, kill chain, sandbox, etc. Identifying the attacker's attack phase and applying the defence mechanism will help to detect and prevent APT.

Figure 10: Multi-Stage framework

Below are the components of the Multi-Stage framework:

3.1 SIEM

According to the report of Nicolett and Kavanagh (2011), Security Information and Event Management systems (SIEMs) are implemented to deal with compliance reporting requirements and to improve the ability to deal with various security incidents, besides allowing the organisation to collect and analyse security events and information across networked infrastructures. Organisations implement SIEM systems for many reasons, such as insider threats, compliance threats and the costs of security incidents and recovery (Dempster, 2015). Furthermore, a SIEM can be used to detect internal and external threats; to monitor database access, servers and user actions; and to provide analytic capabilities to the incident response team (Nicolett and Kavanagh, 2012). A SIEM can be used in forensic analysis and may also be considered a valuable asset in protecting critical infrastructures, in order to track and identify the attacker and then provide the evidence to a court (Garofalo et al., 2014). A SIEM collects data from applications and monitored networks through a group of sensors, as shown in Figure 11, then forwards the events to a core facility where a correlation engine analyses the event stream and generates alarms, while the other SIEM components handle other information for post-processing.

Figure 11: A SIEM system architecture (Bhatt, Manadhata, and Zomlot, 2014)

SIEMs have a vital role in the security management of an organisation's network, ensuring correct operation under a wide range of fault scenarios. Conventional security solutions, such as firewalls, intrusion detection systems and antivirus software, focus on individual malicious actions, while SIEM systems are built to deal with the sequence of actions that eventually occurs. A traditional solution like a firewall defends the network from malicious outsiders and controls traffic by separating security perimeters, for example a LAN from a WAN. A firewall decides to drop a packet or let it through depending on header and content analysis; the analysis is performed at various levels of the OSI stack according to the configured rules. Numerous vendors, such as Dell, SonicWall, Palo Alto and Juniper, provide firewall appliances. The failure of a firewall can have a serious impact on the security of the system: a firewall is trusted to grant access to network resources or to block traffic, so the failure of one of its components may lead to a compromise of the network. When an attack is handled in the early stages by the firewall, the load on the later stages is reduced. In the SIEM architecture described by Bhatt, Manadhata and Zomlot (2014), the firewall in front of the core facility works in two phases, as follows:

• Pre-filtering: This phase checks all messages in order to discard attacks from external adversaries; it only lets through messages from a pre-defined group of senders (the sensors of the SIEM) whose sender has been authenticated correctly. Traffic from an external Denial-of-Service (DoS) source is dropped immediately, so that such messages cannot overload the next stage.
• Filtering: This phase enforces additional, more refined application-level policies that require accurate inspection of message fields and observe certain ordering rules; for example, a sensor is only allowed to send data once the initial setup with the engine has been performed.

SIEM systems are designed to meet these challenges and to collect events from various sources. Devices and network systems such as Windows and Linux servers and desktops, IDS, VPNs, proxy servers, firewalls, switches and routers generate logs every second. The log files record the activities of all users, devices and systems in the network infrastructure and also allow the organisation's security posture to be investigated with forensic tools. Analysis of the log files helps to understand object access; system- and device-level activities (reading, writing or deleting files); user-level activities (login success, login failure); website visits; network bandwidth consumed; account management; traffic distribution; host session status; and network security activities (network anomalies, attack signatures or virus identification). The rule engine of the SIEM triggers alerts from stored events and from the correlation of events from various sensors (Dempster, 2015; Nicolett and Kavanagh, 2012). The main strength of SIEM systems is the ability to cross-correlate logs from various sources and use their attributes to define scenarios and meaningful attack patterns that alert security analysts. Moreover, a SIEM allows the incident response team to investigate and detect stealthy, slow attacks and APTs. There are numerous vendors of SIEM products, as shown in Figure 12; they provide products such as Splunk, AlienVault, ArcSight, Q1 Labs, NitroSecurity, Trustwave and S21sec.

Figure 12: Magic Quadrant for SIEM (Nicolett and Kavanagh, 2012)

These products share the same basic functions and provide the services below (Dempster, 2015):

Collection: collecting logs from various sources, such as servers, network devices, applications, databases and security devices.
Consolidation: aggregating and normalising the log data.
Correlation: linking and categorising related log events to detect and identify threats.
Communication: generating an alert when an attack has been detected in the correlation phase.
Control: controlling what data is stored and how it is stored.
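As an added example (not code from the dissertation or from any SIEM vendor), the following Python script runs these five steps in miniature over constructed log lines: it collects sshd and firewall events in their native formats, normalises them into one schema, correlates them with a single rule (repeated failed logins, then a successful login from the same source, then an outbound connection from that source within ten minutes) and emits an alert. The host names, IP addresses and timestamps are made up for the demonstration.

```python
"""
Added example, not part of the dissertation's framework: a minimal SIEM-style
pipeline (collection, consolidation, correlation, communication) over
constructed log lines. All hosts, addresses and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# --- Collection: two constructed log sources in their native formats -------
SSHD_LOG = """\
2016-03-10T09:00:01 ws01 sshd[812]: Failed password for admin from 10.0.5.7 port 51122 ssh2
2016-03-10T09:00:03 ws01 sshd[812]: Failed password for admin from 10.0.5.7 port 51123 ssh2
2016-03-10T09:00:05 ws01 sshd[812]: Failed password for admin from 10.0.5.7 port 51124 ssh2
2016-03-10T09:00:09 ws01 sshd[812]: Accepted password for admin from 10.0.5.7 port 51125 ssh2
2016-03-10T09:30:00 ws02 sshd[901]: Failed password for bob from 10.0.5.9 port 40001 ssh2
"""

FIREWALL_LOG = """\
2016-03-10T09:01:30 fw01 kernel: OUT src=10.0.5.7 dst=203.0.113.20 dport=443 proto=TCP action=ALLOW
2016-03-10T09:02:00 fw01 kernel: OUT src=10.0.5.9 dst=198.51.100.4 dport=80 proto=TCP action=ALLOW
"""

SSHD_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"(?P<ts>\S+) (?P<host>\S+) kernel: OUT src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=\S+ action=(?P<action>\w+)"
)


def normalise(sshd_text, fw_text):
    """Consolidation: parse both formats into one common event schema,
    sorted by time."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"], "user": m["user"], "host": m["host"],
                "type": "auth_fail" if m["result"] == "Failed" else "auth_ok",
            })
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
                "type": "outbound",
            })
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, window_s=600):
    """Correlation rule: at least `fail_threshold` failed logins from one
    source within `window_s` seconds of a successful login from that source,
    followed by an outbound connection from the same source within
    `window_s` seconds. Returns one alert per matching source."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["type"] == "auth_fail"]
        oks = [e for e in evs if e["type"] == "auth_ok"]
        outs = [e for e in evs if e["type"] == "outbound"]
        for ok in oks:
            recent_fails = [f for f in fails
                            if 0 <= (ok["ts"] - f["ts"]).total_seconds() <= window_s]
            if len(recent_fails) < fail_threshold:
                continue
            for out in outs:
                if 0 <= (out["ts"] - ok["ts"]).total_seconds() <= window_s:
                    alerts.append({
                        "rule": "bruteforce_then_outbound",
                        "src": src, "user": ok["user"], "host": ok["host"],
                        "dst": out["dst"], "failures": len(recent_fails),
                    })
                    break
    return alerts


def run():
    """Communication: produce the alerts for the constructed sample data."""
    return correlate(normalise(SSHD_LOG, FIREWALL_LOG))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

Only 10.0.5.7 satisfies the whole sequence; 10.0.5.9 has a single failure and no successful login, so its outbound connection alone raises nothing. This is the point of correlation: none of the individual lines is alarming to the firewall or the SSH daemon on its own.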

3.2 Indicators
According to Hutchins, Clopperty and Amin (2014), an indicator is a fundamental element of intrusion analysis and has three main types, as follows:

• Atomic indicators: These cannot be divided into smaller parts and keep their meaning in the context of an intrusion; examples are vulnerability identifiers, email addresses and IP addresses.
• Computed indicators: These are derived from data involved in an incident, such as regular expressions and hash values.
• Behavioural indicators: These are combinations of atomic and computed indicators, often qualified by quantity; for instance, the intruder may first use a backdoor that generates network traffic matching a given regular expression to a given IP address, and then replace it with one matching a known MD5 hash once access has been established.

The incident response team needs to analyse these indicators by leveraging them in its tools; matching an indicator against observed activity may in turn reveal additional indicators. Figure 13 shows the cycle between these actions and the indicators over the indicator lifecycle (Hutchins, Clopperty and Amin, 2014; Nige Security Guy, 2013b).

The states shown in the figure are Revealed, Mature, Utilized and Discover, arranged as a cycle.

Figure 13: Indicator life cycle states (Hutchins, Clopperty and Amin, 2014)

3.2.1 Indicators of Compromise

Indicators of compromise (IOCs) provide valuable technical information on any given APT to the incident response team and security administrators. IOCs help security teams to discover malicious activity within the network and systems and then take appropriate action. There is no single formal format for describing these indicators, but various types of structured data are supported and used within the industry. IOCs are signs of malicious activity that are fed into automated tools to check the infrastructure for signs of infection and to combat advanced attackers; they are also forensic artefacts of an intrusion on a network. IOCs relate to observables, which range from measurable events to stateful properties, such as the presence of a registry key on a host. The incident response team uses the APT detection framework to check for and close gaps in the organisation, in addition to monitoring and detecting the following elements (Nige Security Guy, 2013a):

• Changes to DNS servers or IP routing events.
• Permission changes or changes in privileged user account activity.
• Abnormal outbound network traffic.
• Presence or symptoms of rootkits.
• Changes in local user accounts or in the firewall configuration.
• Attackers trying to cover their presence or tracks on the systems.
• Unusual log-ins and cross-country activity.
• Abnormal changes in scheduled tasks, start-up tasks, drivers, system services and listening ports.
• Signs of man-in-the-middle attacks, ARP spoofing, ARP cache poisoning and so on.

The previous elements are early indicators that allow security incidents to be detected and contained in the early stages, before they cause serious loss. The ability of the incident handler or security analyst to collect and record IOCs in complete detail is a very important success factor. Figure 14 shows the phases and lifecycle of hunting for indicators of compromise; these start by searching for indicators, then investigating compromised systems, analysing new evidence, developing indicators and applying shared IOC libraries. As shown in Chapter 2, the incident response team follows several phases to overcome an APT incident: detection, containment, investigation, eradicate/recover and rinse/repeat. An APT has patterns and attributes that can be monitored with readily available open-source and commercial tools for earlier detection of APT behaviour or outbound traffic. Monitoring a combination of hosts and networks, with tools such as Squert, Sguil, Splunk and Snort, is essential to detect APTs (Nige Security Guy, 2013a).

Figure 14: Hunting for Indicators of Compromise (Nige Security Guy, 2013b)

3.2.2 Indicator Tools

There are various commercial solutions for IOC scanning, although in many cases the abilities of free programs are sufficient to check systems for signs of infection. Loki is an example of an IOC scanner that searches the target system for different indicators of malicious activity. Loki is distributed as an archive containing the utility; once it is unpacked, IOC attributes can be added to Loki's knowledge base, which is divided into three categories located in the signature folder (Makrushin, 2015):

- Filename IOCs: attributes of file names and paths on the system that result from the activity of various threats.
- Hash IOCs: hashes (MD5, SHA1 and SHA256) of malicious components that appear after an infection.
- False-positive hashes: hashes (MD5, SHA1 and SHA256) that are excluded from matching because they have been marked as false positives.
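The following Python scanner is an added example, not Loki's own code, that applies the same three signature categories: filename IOCs as regular expressions over the full path, hash IOCs, and a false-positive hash list that suppresses a hash match. The indicator patterns, file contents and hashes are constructed for the demonstration and do not correspond to real malware.

```python
"""
Added example (not Loki's code): a minimal IOC scanner with filename IOCs,
hash IOCs and a false-positive exception list. Every indicator and every
file below is constructed for the demonstration.
"""
import hashlib
import os
import re
import tempfile

# Constructed filename IOCs: (regex over the full path, description).
FILENAME_IOCS = [
    (r"(?i)[\\/]te?mp[\\/][^\\/]*\.exe$", "executable dropped directly in a temp directory"),
    (r"(?i)[\\/]svch0st\.exe$", "typosquatted system binary name"),
]


def sha256_of(data):
    return hashlib.sha256(data).hexdigest()


# Hash IOCs are normally shipped as hex digests; here they are derived from
# constructed contents so that the example is self-contained.
MALICIOUS_CONTENT = b"MZ\x90\x00constructed-bad-sample"
BENIGN_BUT_LISTED = b"MZ\x90\x00constructed-fp-sample"
HASH_IOCS = {
    sha256_of(MALICIOUS_CONTENT): "constructed dropper sample",
    sha256_of(BENIGN_BUT_LISTED): "hash later found to be a false positive",
}
FALSE_POSITIVE_HASHES = {sha256_of(BENIGN_BUT_LISTED)}


def file_hashes(path):
    """Compute MD5, SHA1 and SHA256 of a file in one chunked pass."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha1.hexdigest(), sha256.hexdigest()


def scan(root):
    """Walk `root` and return a list of (path, reason) findings.
    A hash match that is on the false-positive list is suppressed."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            for pattern, desc in FILENAME_IOCS:
                if re.search(pattern, path):
                    findings.append((path, "filename IOC: " + desc))
            _, _, sha256 = file_hashes(path)
            if sha256 in HASH_IOCS and sha256 not in FALSE_POSITIVE_HASHES:
                findings.append((path, "hash IOC: " + HASH_IOCS[sha256]))
    return findings


def demo():
    """Build a constructed directory tree in a temp location and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "tmp"))
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "tmp", "update.exe"), "wb") as fh:
        fh.write(MALICIOUS_CONTENT)      # matches a filename IOC and a hash IOC
    with open(os.path.join(root, "bin", "svch0st.exe"), "wb") as fh:
        fh.write(b"harmless")            # matches a filename IOC only
    with open(os.path.join(root, "bin", "tool.exe"), "wb") as fh:
        fh.write(BENIGN_BUT_LISTED)      # hash is listed but excepted: no finding
    return scan(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason}: {path}")
```

The false-positive list is checked before a hash finding is reported, which mirrors why Loki keeps a separate category for it: a hash IOC that was added in error is retracted by listing it, without editing the original feed.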

3.3 Attack Tree


The attack tree is a technique used to analyse and describe threats and attacks against a system; the incident response team can use it to conduct security analysis. An attack tree is similar to a fault tree and represents threats as a logical diagram. In 1999, Schneier published the attack tree methodology for analysing attacks in Dr Dobb's Journal. The attack tree starts with the goal of a cyber attack and works backwards, considering the different methods by which the goal could be accomplished. Figure 15 illustrates an example used to determine an attacker's overarching goals. The attack tree divides the high-level threat into intermediate goals and finally into the attacker's actions. Child nodes are combined by AND or OR relationships. The attacker's goal is represented by the root node; it is then divided into sub-goals, which decompose further until each leaf node represents a single action of the attacker, as shown in Figure 15. The logical relationships between the actions show how an adversary can combine actions to achieve the objectives (Edge et al., 2006).

The figure shows a root Goal decomposed into Intermediate Goal 1 and Intermediate Goal 2, each of which is decomposed into attacker actions (Attacker action 1 to Attacker action 4).

Figure 15: An example of the attack tree (Edge et al., 2006)


The incident handler can use the attack tree for brainstorming and evaluating threats; it also supports both technical and non-technical analysis, as nodes can be assigned numeric and textual values. Moreover, the incident handler can ask "what if" questions to choose suitable countermeasures, and several incident handlers can work on the tree in parallel. The incident response team can use the attack tree to characterise attack scenarios by, for example, the level of skill and the time required, and the consequences of launching the attack. The attack tree has several advantages, as follows:

• The incident response team can delineate attacks deductively.
• The attack tree helps the security analyst to analyse the attack and provides a transparent and relative technique for characterising attacks and attackers.
• The attack tree is highly flexible and able to model any type of threat and attack.
• The data generated from the attack tree can support the security framework and helps to understand the logical structure of the attack.

Some threats look for valuable data of military or economic importance and may persist for a long time; these are known as APTs. According to Flaten and Lund (2014), the attack tree is useful for modelling an APT, as it provides a good overview of a threat and can support other models in understanding it. Figure 16 is an example of an attack tree for the APT known as Operation Aurora. The high-level view shows how an attacker can attack servers and gain access to valuable information. The defender should decompose the tree as deeply as possible so that the effective defences become visible in the tree's construction. Operation Aurora (as mentioned in Chapter 2) hit Google between mid-2009 and December 2009.

Only the node labels of the figure are recoverable from the text: Access system valuable information (root); Run as an administrator; Open a user account; Password hacking; Obtaining user information; User runs infected malware; Hacker infected root; Rootkit; Exploit hole; Other methods to infect; Exploit tools; Unsettled vulnerabilities; Fall for a trap; Download malware.

Figure 16: Accessing valuable information via APT attacks
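As an added example (not from Edge et al. or Flaten and Lund), the Python code below represents the Operation Aurora tree as an AND/OR structure and evaluates it in the way Schneier's method suggests: each leaf carries a cost, OR nodes take the cheapest child and AND nodes sum their children. The grouping of the nodes follows the labels of Figure 16 only approximately, and the cost values are assumed for illustration; neither is taken from the dissertation or from any published analysis of Aurora.

```python
"""
Added example, not from the dissertation or its sources: an AND/OR attack
tree with assumed leaf costs, evaluated for the cheapest attack and for the
full set of distinct attack scenarios. Node grouping and costs are assumed.
"""


class Node:
    """An attack-tree node. Leaves carry a cost; internal nodes combine
    children with AND (all required) or OR (any one suffices)."""

    def __init__(self, name, kind="LEAF", children=(), cost=None):
        self.name = name
        self.kind = kind
        self.children = list(children)
        self.cost = cost

    def cheapest(self):
        """Return (cost, [leaf names]) of the cheapest attack satisfying this node."""
        if self.kind == "LEAF":
            return self.cost, [self.name]
        paths = [c.cheapest() for c in self.children]
        if self.kind == "OR":
            return min(paths, key=lambda p: p[0])
        # AND: every child must be achieved, so the costs add up
        total = sum(p[0] for p in paths)
        leaves = [leaf for p in paths for leaf in p[1]]
        return total, leaves

    def all_scenarios(self):
        """Enumerate every distinct set of leaf actions that achieves this node."""
        if self.kind == "LEAF":
            return [[self.name]]
        child_sets = [c.all_scenarios() for c in self.children]
        if self.kind == "OR":
            return [s for sets in child_sets for s in sets]
        # AND: cartesian product of the children's scenarios
        combos = [[]]
        for sets in child_sets:
            combos = [a + b for a in combos for b in sets]
        return combos


def leaf(name, cost):
    return Node(name, "LEAF", cost=cost)


# Assumed costs in arbitrary units; higher means harder for the attacker.
AURORA_TREE = Node("Access system valuable information", "OR", [
    Node("Run as an administrator", "OR", [
        Node("Password hacking", "OR", [
            leaf("Exploit tools / unsettled vulnerabilities", 40),
            leaf("Hacker infected root with rootkit", 60),
        ]),
        Node("Obtaining user information", "AND", [
            leaf("Fall for a trap", 5),
            leaf("Download malware", 10),
        ]),
    ]),
    Node("Open a user account", "OR", [
        leaf("User runs infected malware", 15),
        leaf("Exploit hole", 50),
    ]),
])


def cheapest_attack():
    return AURORA_TREE.cheapest()


def scenario_count():
    return len(AURORA_TREE.all_scenarios())


if __name__ == "__main__":
    cost, actions = cheapest_attack()
    print("cheapest attack costs", cost, "via", actions)
    print("distinct attack scenarios:", scenario_count())
```

With these assumed values the two social-engineering leaves are the cheapest route to the root, which is the kind of conclusion the defender uses: a control that raises the cost of "Fall for a trap" (user awareness training in Table 4) changes the cheapest path, whereas patching the exploited vulnerability alone does not.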

3.4 Cyber Kill Chain
Incident response teams, malware analysts and forensic investigators can use the cyber kill chain model to work in a chained manner and analyse the offensive actions of a cyber attacker. Using the kill chain model allows security analysts to think like the attacker and to understand what has happened in each phase of the chain. Recently, cyber attacks have become more complex, destructive and dangerous through the use of multiple redundant attack vectors, which multiply the effect and make the work of the incident response team more difficult (Bhatt, Toshiro Yano and Gustavsson, 2014).

The conventional model is based on static defences, like antivirus software and IDS, and assumes that the attacker has an advantage over the defenders through undiscovered software vulnerabilities. The incident response team of Lockheed Martin published a white paper explaining why conventional defences are not enough to protect organisations from sophisticated attackers like APTs. Instead of installing static defences and waiting for the next attack, the paper suggests a new approach based on constantly monitoring systems to collect evidence about the attackers trying to access the systems and networks. Network defenders should study the tactics and methodologies of the attackers in order to anticipate and mitigate future intrusions, by analysing the actions of attackers, finding patterns and identifying capability gaps. Moreover, the approach describes the multiple steps, called the Cyber Kill Chain, that attackers have to go through to plan and execute an attack. The attacker has to complete every phase to execute a successful attack, while the defender only needs to stop the attacker from completing one or more steps. This theory helps to defend against APTs, unknown vulnerabilities and attacks whose signatures cannot be detected by defence tools. Descriptions of the APT kill chain vary in their level of detail, but the content is always the same. Figure 17 shows the lifecycle of the APT kill chain in detail (Schilling and Jackson, 2013).

Figure 17: Lifecycle of an APT kill chain (Schilling and Jackson, 2013)

The kill chain model, shown in Figure 17, illustrates the phases of the lifecycle of the APT kill chain and allows a complicated attack to be broken down into small phases or stages. These phases enable the incident response team to tackle smaller and easier problems and to develop a defence for each layer in order to mitigate threats in each phase (Hutchins, Cloppert, and Amin, 2011). The kill chain includes seven phases, as shown in Figure 18, which gives a brief description of the purpose of each phase together with examples.

Phase               Description                                    Example
Reconnaissance      Detection, selection and profiling of the      Social networking, port scan, passive
                    target                                         search of IPs, harvesting emails
Weaponization       Gather exploit and remote-access Trojan        Decoys, delivery system, develop
                    into a payload                                 exploit with payload, malware
Delivery            Transmit the weapon to the target              USB, infected website, spear phishing,
                                                                   service provider
Exploitation        Execute the payload on the victim system       Execute code, third-party exploitation,
                                                                   activation, establish foothold
Installation        Install the backdoor and rootkit, maintain     Backdoor, establish persistence,
                    persistence                                    escalate privileges
Command & Control   Communicate with the compromised host          Internal recon, command channel,
                                                                   maintain persistence, lateral movement
Actions on Target   System disruption, network spreading,          Data exfiltration, expand compromise,
                    exfiltration                                   identify target

Figure 18: Kill Chain Phases

A brief description of the kill chain phases follows (Rockefeller, 2014; Hutchins, Cloppert, and Amin, 2011; Pernet, 2007):

A. Reconnaissance

In this phase, attackers gather information about the target using different tools and techniques. The attacker may find various types of information related to the victim and its third-party vendors through simple Internet searches for suppliers and facilities.

B. Weaponization

In this phase, the attacker prepares the attack payload to be delivered to the victim; for instance, weaponized malware may be attached to a Microsoft Office document or a PDF aimed at the victim's email. The attacker can also compromise a legitimate website that the victim usually visits and spread malware from it to infect the victim. Defenders can disrupt the later delivery of such files with real-time antivirus and anti-spyware monitoring.

C. Delivery

In this stage, the attacker sends the payload to the victim, for example on a USB device or as an infected attachment to an email, which is called a phishing attack. Attackers can use social engineering techniques, such as checking LinkedIn or Facebook, to customise the email messages. Defenders can use real-time antivirus and anti-spyware monitoring to detect these infected files.

D. Exploitation

Exploitation is the point at which the payload delivered into the victim's network is triggered: the weapon's code runs and exploits the system. For example, a 2013 Reuters report stated that RAM-scraping malware could record and save several million card swipes and store the stolen data for later exfiltration.

E. Installation

In this phase, the attacker maintains access to the network and the system and establishes a foothold in the victim's network. Attackers can install backdoors in the target system to maintain access. For example, the BlackPOS malware compromised 70 million records of non-financial data and the attacker succeeded in moving across several target systems.

F. Command and Control (C2)

The attacker can now remotely access the victim's network, reach the entire network and may compromise servers with exfiltration malware. A command-and-control channel maintains communication between the outside Internet and the victim's network.

G. Actions on Objectives: Attacker Acts to Accomplish Data Exfiltration

The attacker works to accomplish the goals of the attack, such as intruding into another target, destroying data or exfiltrating it. Analysing the victim's data transmissions may be like looking for a needle in a haystack; however, data uploaded to a server in China or Russia may be flagged as suspicious if it is discovered.

3.5 Sandbox

A sandbox is a security mechanism used to separate running programs and to execute untrusted programs or untested code from third parties. Untested or unknown files can be run in an isolated environment to understand what they do. The sandbox monitors the application's behaviour and prevents operations that go against the intention of the user. Generally, the user of a sandbox specifies the privileges of each program for each resource; this specification is called a policy (Wright et al., 2006). For instance, whenever a server program in the sandbox tries to access a resource, the sandbox checks the privileges against the policy: if the policy allows the operation, the program is allowed to execute it; if not, the operation fails. Although a sandbox does not prevent malicious code from exploiting vulnerabilities in a program or application, it can reduce the harmful effects caused by such attacks. Many sandbox systems, like Systrace and Janus, have a shortcoming that prevents them from providing satisfactory confinement: a single policy is applied from the start of the application's execution until the end. Consider, for example, a sandboxed server program: whenever a user logs in to the application, the server reads the password file in order to authenticate the user, but the password file is not required in any other part of the application. A user who tries to protect the server with such a sandbox has to choose between allowing or denying the read of the password file for the whole run. If the operation is allowed, malicious code that takes over part of the server can read the password file even with the sandbox protection in place. This example shows the need for a sandbox that allows users to switch dynamically between different policies so that the policy can be applied properly (Shioya, Oyama and Iwasaki, 2007).

Malware such as worms, viruses and bots has become more sophisticated, and observation and analysis of its behaviour is required to identify issues. An isolated sandbox is used as the analysis environment for these observations, because a sandbox tolerates attacks and infections coming from the sample. Malware sandboxing is considered a dynamic analysis approach, because it lets the analyst execute and monitor the sample in real time instead of statically analysing the binary file. Building sandboxes has become quite easy thanks to improvements in technologies like hardware virtualisation and operating systems. Virtualisation technologies are usually used because malware frequently damages the analysis environment, which must then be rebuilt; an isolated sandbox based on virtualisation can be restored easily. There are several sandbox tools for Linux, like SELinux and AppArmor, while Cuckoo, an open-source malware analysis system that analyses Windows samples, will be used in the study's simulation. Cuckoo is an automated malware analysis system for understanding what files do while executing in the isolated environment; technical skills are required to interpret its results. Cuckoo provides a method to analyse files automatically and to record their interactions with the system. The main targets are Java files, Office documents, PDFs, URLs, DLLs and Windows executables (Miwa et al., 2007).

Applying the framework above, combined with the defence mechanism in Table 4 that is based on the kill chain phases, will improve the ability of the incident response team to detect and prevent an APT.

Table 4: The defence mechanism based on kill chain phases


Phase              Countermeasures (Prevention)                 Detection                    Attack techniques
Info. Gathering    ACL, IPS, Firewall, Security Analytics,      Web monitoring, NIDS,        Network Recognition, Footprinting,
                   User Awareness Training, Information         NBAD, SIEM                   Fingerprinting, Social Engineering
                   Obfuscation
Weaponization      Vulnerability Scanning, Auditing,            NIDS, NIPS                   Backdoor, zero-day exploits, OSINT,
                   Patch management                                                          Preparing malware
Delivery           IPS, Content Filtering, Security Life        Vigilant user, NIDS, HIDS,   Watering hole attack, Supply-Chain
                   Cycle, Identity Verification, Input          Source Correlation, Proxy,   Attack, Action Spoofing, Hacking
                   Filtering, Blacklisting, Configuration       SIEM                         Hardware, Injection, Phishing and
                   Control, Anti-virus software, Proxy filter                                malicious links
Exploitation       Patching                                     HIDS, SIEM                   Data Structure Attacks
Installation       Access control, Password Control,            HIDS, Event Anomaly          Privilege Escalation, Collecting data
                   Firewall                                     detection, SIEM
Command & Control  Firewall, Proxy, Encryption Use Control,     HIDS, NIDS, Content          Intermediary Staging
                   Blacklisting, Data Loss Prevention           Analysis, SIEM
Act on Objective   Proxy, Password Control, IPS, Encryption     Audit log, HIDS, NIDS,       Resource Depletion, Exploitation of
                   Use Control, Firewall                        SIEM                         Privilege/Trust, Resource Manipulation

Chapter 4. IMPLEMENTATION (REALIZATION)

Following on from the design of the new framework in Chapter 3, which created the required simulation model of Multi-Stage security layers to achieve the goals and objectives of this project, this chapter conducts three different experiments, each performed for both groups; the results are compared in Chapter 5. Three attack attempts are launched against both groups in order to test their ability to detect and prevent an APT. For the experiments of the second group, USM is installed on VMware and set to monitor the Security log and the IDS logs in real time, and its sensors are installed and configured. McAfee Antivirus Plus is installed for both groups.

4.1 Configuration and installation


Below is the software that is installed in each group, as shown in Figure 19:

Group A (Traditional): McAfee Anti-Virus; Anti-spyware.
Group B (New Framework): McAfee Anti-Virus; AlienVault Unified Security Management (includes NIDS/HIDS, firewall, SIEM, etc.); Sandbox.

Figure 19: Security solutions that are installed for the simulations

- McAfee Anti-Virus Plus

McAfee Antivirus Plus is award-winning security software used by individuals to protect Windows PCs. McAfee's digital security aims to keep its users several steps ahead of the latest online threats. According to McAfee, there are more than 100 million McAfee customers worldwide, and the product includes the features below (McAfee, 2016; McAfee, 2014):

• Optimises PC performance by using the Vulnerability Scanner and QuickClean features to speed up the browser and the PC.
• Provides WiFi protection via NetGuard and a two-way firewall, with notifications of WiFi network intrusions and dangerous downloads.
• Blocks viruses, spyware, malware, ransomware, unwanted programs and more.
• Prevents the PC from spreading spam and malware, and permanently deletes sensitive digital files.

- Sandbox

Two online sandboxes are used in the second experiment: Malwr and VxStream. Since 2011, Malwr has provided a free malware analysis service that relies on the open-source malware analysis tool Cuckoo Sandbox and also uses VirusTotal; Malwr is a non-commercial project (Malwr, 2016). VxStream Sandbox provides a free malware analysis web service at hybrid-analysis.com. VxStream can analyse several files in parallel on multiple environments using any prepared Windows image for detecting APTs, and it provides SIEM integration through CEF syslog (Payload Security, 2016).

- AlienVault Unified Security Management (USM)

USM is an all-in-one platform designed against today's advanced threats. It provides users with a compliance management solution and unified threat detection that is easy to use and affordable. AlienVault USM has advantages over a traditional SIEM, such as fast deployment, continuous threat intelligence, unified security monitoring, multiple security functions and simple security event management and reporting. USM provides four essential security capabilities, shown in Figure 20, in a single console. The new security framework in Chapter 3 requires NIDS, HIDS, a firewall and a SIEM; USM covers these requirements and adds vulnerability assessment and behavioural monitoring.

Behavioural Monitoring: identify suspicious behaviour and potentially compromised systems (NetFlow analysis, service availability monitoring, full packet capture).
SIEM: correlate and analyse security event data from across the network (log management, event correlation, incident response, reporting and alarms).
Threat Detection: detect malicious traffic on the network (network IDS, host IDS, file integrity monitoring (FIM)).
Vulnerability Assessment: identify systems on the network that are vulnerable to exploits (network vulnerability testing, continuous vulnerability monitoring).

Figure 20: Essential security capabilities of USM


USM Configuration

In this simulation, a virtual machine of AlienVault USM was downloaded and imported into VMware Fusion, as shown in Figure 21.

Figure 21: Import virtual machine of USM

The specification of the USM virtual machine is then customised, as shown in Figure 22.

Figure 22: Customize USM virtual machine

AlienVault can be configured manually or using DHCP. I used the DHCP configuration, as shown in Figure 23.

Figure 23: Configure the management interface

After configuring the network, access to the USM server is configured, as shown in Figure 24, using the user root and the password that was set the first time, which can be changed in the next window.

Figure 24: Access to the server

After the installation of AlienVault USM is complete, a web form is filled in at the following URL: https://192.168.0.117

Figure 25: Administrator web interface

The next window, as shown in Figure 26, is displayed after the administration account has been completed.

Figure 26: Login to the admin account

The next window allows the administrator to configure and deploy the HIDS, as shown in Figure 27, to perform monitoring, file integrity checking, collection of event logs and rootkit detection.

Figure 27: Deploy HIDS

The HIDS can also be deployed for hosts and the network by configuring assets, as shown in Figure 28, then clicking the Deploy button to start the HIDS deployment.

Figure 28: Network assets

The deployment process is shown in Figure 29.

Figure 29: The deployment process

The next step is very important, as it allows the administrator to configure the sensors of the AlienVault USM, as shown in Figure 30.

Figure 30: Configuring the sensors of USM

4.2 Scenario
To show the benefits of these techniques, a simulation of an organisation tests the traditional methods with the first group, while the second group tests the new framework presented in the previous chapter. An adversary makes three attack attempts against each group. The result of the simulation shows whether robust indicator maturity and the analysis of intrusion kill chains can help to mitigate an intrusion and successfully detect the attack. In all three attempts, the intrusion leverages a common APT tactic: a malicious email delivers a malicious file (a weaponized attachment) to a set of individuals. The attachment can install a backdoor that creates outbound communications to a C2 server.

4.3 Intrusion Attempts
The simulation is conducted by simulating three intrusion attempts, as follows:

4.3.1 Intrusion Attempt 1

An email, shown below, is sent to the users of each group. It carries a malicious macro in a spreadsheet attachment; when the attachment is opened, the macro attempts to download and execute malware from a remote location.

Subject: Outstanding invoices


Attachment: Invoice.docx
Message:

Kindly find attached our reminder and copy of the relevant invoices. Looking forward to
receive your prompt payment and thank you in advance.

Kind regards,

John Smith

4.3.1.1 Requirements to prepare for Attempt 1

• VMWare, Windows 7
• Microsoft Office 2010
• VMWare of Kali-Linux
• Metasploit

4.3.1.2 Preparation for Attempt 1

The Metasploit Framework is a toolkit for penetration testing and security assessments. Its Ruby API allows scripts to be written against the framework that have the power of a native process on the remote machine, through an established session on a compromised system. Meterpreter payloads support bind-shell listeners, reverse TCP connections and an HTTPS stager. The Metasploit Framework has over 168 different reverse shells. A reverse shell requires the attacker to set up a listener, while the victim's machine acts as a client connecting to the listener; the attacker then receives the shell. A reverse shell is used when the victim's machine is in a private network, when a firewall blocks incoming connections or when the payload is unable to bind to a port (Rapid7 Community, 2011).

- Creating the malicious code for the Excel sheet

Metasploit is started by running msfconsole, its command-line interface. The commands
in Figure 31 mean:
• set LHOST: the IP address the target machine will connect back to (192.168.52.131).
• set LPORT: the port the target machine will connect to (443 or 80, or any port suited
to the real situation).
• set AutoRunScript post/windows/manage/smart_migrate: migrates the session from
the Excel process into a different process, such as explorer.exe, so that the attacker
keeps the connection even after Excel is closed.

Figure 31: Using Metasploit framework to create VBA code

generate -t vba: this command, shown in Figures 31 and 32, generates basic VBA code
that can be copied from the terminal in Figure 32 and pasted into an Excel sheet.

Figure 32: Generating VBA code
- Setting up the Document

The document has to be set up and then delivered to the target machine using Microsoft
Excel or Word. Copy all of the code from "#If Vba7 Then" to the final 'End Sub', then
select Macros from the View tab and name the macro before clicking 'Create', as shown
in Figure 33.

Figure 33: Create new Macro

Figure 34 shows the VBA code window, into which the code copied from Metasploit is
pasted.

Figure 34: Add VBA code the Excel sheet

Visible content is added to the Excel sheet to trick the target, as shown in Figure 35.

Figure 35: A sample of an invoice

Finally, the Excel document has to be saved as .xlsm (Excel Macro-Enabled Workbook)
or, for Word, as a Word Macro-Enabled Document.

Figure 36: Save the Excel sheet as Macro-Enabled Document

- Setting up the receiver

The next step, as shown in Figure 37, is opening a terminal and typing msfconsole to
start Metasploit. The commands used to start the listener are as follows:

• use exploit/multi/handler: selects the generic multi handler.
• set PAYLOAD windows/meterpreter/reverse_https: sets the payload (reverse_https)
for the multi handler.
• set LHOST: tells the handler which IP to listen on, i.e. the IP the target should
connect back to.
• set LPORT 443: tells the handler which port to listen on (e.g. 443 or 80).
• exploit: creates the handler and begins listening.

Figure 37: Prepare the listener in Kali

4.3.2 Intrusion Attempt 2

On the day after the first attempt, another intrusion attempt was executed. The security
analyst and incident response team identified characteristics similar to, and probably
related to, the previous attempt. However, the analyst found some differences: this time
the email was sent to a different department (Human Resources). The next chapter
discusses the result of the attempts and how the analyst detected these characteristics
and blocked the activity.

4.3.2.1 Requirements to prepare for Attempt 2

• VMWare, Windows 7
• Microsoft Office 2010
• VMWare, Kali-Linux
• Metasploit
• Veil Framework

4.3.2.2 Preparation for Attempt 2

Veil Framework is used to bypass the antivirus solutions deployed at the endpoints by
generating unique, randomised payloads for exploits. Because a Veil payload changes as
it moves from host to host, it has an advantage over traditional malware, which carries a
fixed signature that various antivirus solutions can detect. Veil Framework is compatible
with Metasploit and is used to customise exploits and tools so that they are not detected
by antivirus solutions or can disable them (The Security Sleuth, 2015; jitpukdebodin,
2015; Fuzzy Security, n.d.). The second attempt uses MS14-064 OLE automation array
remote code execution.

• Creating shellcode
Running 'Veil-Evasion.py', as shown in Figure 38, starts Veil-Evasion.

Figure 38: Start Veil-Evasion Framework

The payload in the second attempt is powershell/shellcode_inject/virtual, which uses
PowerShell, as shown in Figure 39.

Figure 39: Using PowerShell to evade antivirus solutions

The generate command, in Figure 40, is used to generate the code.

Figure 40: Generating the code

The output, in Figure 41, shows the file /root/veil-output/source/Experiment 1.bat that
will be used in the next step by the macro converter.

Figure 41: The output of the generated code

- Using Macro Converter

We return to the main menu of Veil Framework and type list to show all the available
payloads, as shown in Figure 42.

Figure 42: Veil Framework main menu

We need to convert the .bat file into a macro, so we use the auxiliary/macro_converter
payload, as shown in Figure 43.

Figure 43: Choosing auxiliary/macro converter payload
The POSH_BATCH option, set in Figure 44, identifies the path to the PowerShell batch
script.

Figure 44: Identify the path to a Powershell batch script

Then generate the code and name it Experiment 1. The output file has the extension .txt,
as shown in Figure 45.

Figure 45: The output of the generate code will be txt file

Figure 46: Create Macro

We need to set up the document and then deliver it to the target machine using Microsoft
Excel or Word. Copy all of the code, then select Macros from the View tab and name the
macro before clicking Create, as shown in Figure 47.

Figure 47: Insert VBA code

Then paste the code, as shown in Figure 48.

Figure 48: CV used to trick the target

Finally, the Microsoft Word document has to be saved as a Word Macro-Enabled
Document, as shown in Figure 49.

Figure 49: Save the document as a Word Macro-Enabled Document

- Running Metasploit Handler

The next step, as shown in Figure 50, is opening a terminal and typing msfconsole -r
/user/share/veil-output/handler/Experiment1_handler.rc. This starts Metasploit and
executes the commands below from the resource script, without typing them again, so
that the handler is listening when the target opens the Word document:

• use exploit/multi/handler: selects the generic multi handler.
• set PAYLOAD windows/meterpreter/reverse_https: sets the payload (reverse_https)
for the multi handler.
• set LHOST: tells the handler which IP to listen on, i.e. the IP the target should
connect back to.
• set LPORT 443: tells the handler which port to listen on (e.g. 443 or 80).
• exploit -j: creates the handler and begins listening in the background as a job.

Figure 50: Using msfconsole to listen to the target

4.3.3 Intrusion Attempt 3

On the third day, another intrusion attempt was executed. The incident response team
and the security analysts noticed that the nature of the attack had changed, although the
email was again sent to Human Resources, as in the second attempt. This time the
attacker sent photos of his graduate certificate and other qualifications. One of these
photos did not open because it was in fact a malicious file, as shown in the next section.
The analysis in the next chapter discusses the attack and the countermeasures against it.

4.3.3.1 Requirements to prepare for Attempt 3

• VMWare, Windows 7
• VMWare, Kali-Linux
• Metasploit
• Veil Framework

4.3.3.2 Preparation for Attempt 3

This attack used Veil Framework to bypass the antivirus solutions deployed at the
endpoints by generating unique, randomised payloads for exploits. This attempt generates
an EXE file and then changes its extension using Hex Workshop.

- Creating EXE file


Running Veil-Evasion.py starts Veil-Evasion; the payload python/meterpreter/rev_https
is chosen from the payload list, as shown in Figure 51.

Figure 51: Choose payload


Then the following are set:
• set LHOST: the IP the handler listens on, i.e. the IP the target should connect back to.
• set LPORT 443: the port the handler listens on (e.g. 443 or 80).
• generate: generates the EXE file.

Figure 52: Generate exe file

Figure 53 shows the location of the generated EXE file, which is called Experiment 3.

Figure 53: Location of the exe file

Experiment 3.exe is then edited with Hex Workshop in the Windows 7 environment.
Figure 54 shows the search window for Experiment 3.exe.

Figure 54: Find Experiment 3


Then the extension is changed from Experiment 3.exe to Experiment 3.jpg, as shown in
Figure 55.

Figure 55: Change the exe extension to jpg


The renamed file is then compressed together with a group of genuine photos, and the
WinRAR archive is configured to run Experiment 3 once it is uncompressed.
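A mail gateway or sandbox can catch this renaming trick before any user double-clicks the "photo", because the file's leading bytes still say what it is. The following Python script is an added example written for this page (it is not part of the dissertation, nor of Veil or Metasploit): it compares the type claimed by the extension with the content signature and treats any PE executable under a non-executable extension as a block. The sample inputs are constructed inside the script; the minimal fake PE header and the filename Experiment 3.jpg only mirror the attempt described above.

```python
# Added example for this page (not the dissertation's own code): compare the
# type an attachment's extension claims with the type its leading bytes reveal.
import os

# Well-known file signatures. Illustrative list, not exhaustive.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",                               # JPEG image
    b"PK\x03\x04": "zip-container",                        # OOXML docx/xlsx/docm/xlsm
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole-compound",   # legacy .doc/.xls
    b"Rar!\x1a\x07": "rar-archive",                        # RAR (WinRAR)
}

# What each extension is supposed to contain.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg",
    ".exe": "pe-executable", ".dll": "pe-executable", ".scr": "pe-executable",
    ".docx": "zip-container", ".docm": "zip-container",
    ".xlsx": "zip-container", ".xlsm": "zip-container",
    ".doc": "ole-compound", ".xls": "ole-compound",
    ".rar": "rar-archive",
}


def sniff(data: bytes) -> str:
    """Return the content type implied by the leading bytes, or 'unknown'."""
    if data.startswith(b"MZ"):
        # DOS header: e_lfanew at offset 0x3C points at the "PE\0\0" signature.
        if len(data) >= 0x40:
            off = int.from_bytes(data[0x3C:0x40], "little")
            if data[off:off + 4] == b"PE\x00\x00":
                return "pe-executable"
        return "dos-executable"
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_attachment(name: str, data: bytes):
    """Return (claimed_type, actual_type, verdict) for one attachment."""
    ext = os.path.splitext(name)[1].lower()
    claimed = EXPECTED.get(ext, "unknown")
    actual = sniff(data)
    if actual.endswith("executable") and claimed != "pe-executable":
        verdict = "block: executable disguised as " + (ext or "no extension")
    elif claimed != "unknown" and actual != claimed:
        verdict = "suspicious: extension/content mismatch"
    else:
        verdict = "ok"
    return claimed, actual, verdict


def fake_pe() -> bytes:
    """Constructed stand-in for Experiment 3.exe: a minimal MZ/PE header only."""
    hdr = bytearray(b"MZ" + b"\x00" * 62)           # 64-byte DOS header
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")    # e_lfanew -> 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


if __name__ == "__main__":
    # Constructed samples: the renamed executable, a JPEG and a docx.
    samples = {
        "Experiment 3.jpg": fake_pe(),
        "certificate.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
        "Invoice.docx": b"PK\x03\x04" + b"\x00" * 26,
    }
    for name, blob in samples.items():
        print(name, check_attachment(name, blob))
```

The same check applied to every member of an incoming archive would also catch the WinRAR trick above, since the renamed executable keeps its MZ header inside the archive.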

• Running Metasploit Handler

The next step, as shown in Figure 56, is opening a terminal and typing msfconsole -r
/user/share/veil-output/handler/Experiment1_handler.rc. This starts Metasploit and
executes the commands below from the resource script, without typing them again, so
that the handler is listening when the target opens the attachment:

• use exploit/multi/handler: selects the generic multi handler.
• set PAYLOAD windows/meterpreter/reverse_https: sets the payload (reverse_https)
for the multi handler.
• set LHOST: tells the handler which IP to listen on, i.e. the IP the target should
connect back to.
• set LPORT 443: tells the handler which port to listen on (e.g. 443 or 80).
• exploit -j: creates the handler and begins listening in the background as a job.

Figure 56: Using msfconsole to listen to the target

Chapter 5. RESULTS AND EVALUATION

Following the implementation of the design and the experiment of three attempts, this
chapter tests whether the new framework is able to detect and mitigate an APT. It shows
the results of the two groups, then analyses the results of the second group (new
framework) and, finally, compares the results of the two groups to evaluate the new
framework.

5.1 The Result of the Experiment


Below are the results of group A (traditional) and group B (new framework), shown in
sections 5.1.1 and 5.1.2:

5.1.1 The Result of Group A (Traditional)

The results of the three attempts of group A:

- Attempt 1

In the previous chapter, the attacker prepared the script and created the macro. The last
step in the attacker's preparation is setting up the exploit handler that waits for the
document's macro to run, as shown in Figure 57. If the target opens the document, a
Meterpreter prompt appears, meaning the attacker is now remotely connected.

Figure 57: Setting up of the exploit handler

The result for group A shows that McAfee AntiVirus Plus succeeded in quarantining the
threat, as shown in Figure 58.

Figure 58: McAfee quarantined the threat

Figure 59 shows the scan result for the quarantined document. In this case, the attacker
gets no response from the target's side.

Figure 59: The scan result of McAfee

- Attempt 2

In the second attempt the attacker started the Metasploit listener and waited for the target
to enable the macro of the Excel sheet. When the victim opened the Excel sheet, as shown
in Figure 60, a Meterpreter prompt appeared, meaning the attacker was remotely
connected. The traditional security failed to prevent or detect the attack. The attacker can
then use commands such as migrate, execute, sysinfo, ps and upload to control the
victim's machine or extract information from it.

Figure 60: The attacker used session 1 to connect to the victim

The traditional method failed to detect the malicious file or the macro code, as shown in
Figure 61.

Figure 61: McAfee Antivirus Plus fails to detect the malicious Excel sheet

- Attempt 3

In the last attack, the attacker succeeded in compromising the target. Traditional security
solutions such as McAfee antivirus and antispyware failed to detect the malicious file.
Figure 62 shows how the attacker starts the session and accesses the victim's machine.

Figure 62: The attacker succeeds to compromise the target

McAfee antivirus fails, in Figure 63, to detect the infected file.

Figure 63: The scan result of McAfee

5.1.2 The Result of Group B (new framework)

The results of the three attempts for group B are as follows:

- Attempt 1

In the first attempt for group B, McAfee AntiVirus Plus succeeded in quarantining the
threat, as shown in Figure 64.

Figure 64: McAfee AntiVirus Plus succeeds in detecting the malicious file

- Attempt 2

The second attempt failed because of AlienVault's IDS; Figure 65 shows the alarms that
were raised to block the malware. The attacker's Kali machine receives no response from
the target machine because of AlienVault's firewall and IDS. The next sections explain
the results in more detail.

Figure 65: AlienVault succeeds in detecting the malware

- Attempt 3

The third attempt failed because of the AlienVault SIEM together with the sandbox (see
Appendices 1 and 4). The sandbox used VirusTotal to scan the suspicious files, as shown
in Figure 66; the file was scanned by 53 antivirus and antispyware engines.

Figure 66: The result of scanning malicious files by VirusTotal

5.2 Analysing the result of the new Framework


Intruders or adversaries try to deliver and deploy previously unseen malicious files. The
approach of the new framework allows defenders and incident response teams to force
the adversary to avoid all mature indicators, which limits risk and improves security. The
new framework enables incident response teams to bring systems compromised by these
intrusions back under the control of the defenders, and the chance of success increases
when the compromise is prevented in the first place. Both groups succeeded in detecting
the infected file of the first attempt. This attack is considered a serious security threat of
high severity, where immediate action is required to stop a malicious macro, identified
as W97M.Downloader, in the attached Word document, which downloads and executes
malware from a remote location. The malicious macro can be attached to a spam e-mail
message and, when the user opens the file, the Word document silently runs it and
attempts to connect to multiple remote servers. According to F-Secure, the text file
containing base64-encoded data (e.g. the macro of the first attempt) is opened by the
targeted file in the first or second attempts, where three scripts written in VBScript,
PowerShell and batch download and execute files from another remote server. The
malicious files act as a backdoor for other malware, such as spyware, Trojans, browser
hijackers and adware. They can make PCs hang and web pages crash while users browse
the Internet (F-Secure, n.d.).

5.2.1 Indicators

Figure 67 connects the kill chain for the three attempts with the indicators, linking each
phase of the attack to certain actions or behaviours; it draws the indicator map and
connects the common indicators between intrusions across multiple kill chain phases.
The incident response team and the security analyst can connect various activities from
a particular persistent threat, which may have varying degrees of correlation. This
analysis helps to determine the patterns and behaviours of the intruders and to predict
the characteristics of future intrusions with greater confidence: by understanding the
intruders' intent, the incident response team can determine the technologies or
individuals of interest, or even the adversary's mission objectives, then evaluate targeting
patterns and examine the data exfiltrated by the attacker.

Figure 67: Indicators of several intruders

Below are the indicators for three attempts to attack the target using different types of
files and techniques:

Attempt 1

Analysis of the Microsoft Word document shows that it contains embedded strings
indicating auto-execute behaviour; in particular the keyword 'AutoOpen', which makes
the macro run when the Word document is opened. According to VirusTotal, only three
of 55 antivirus vendors identified the file as malicious. The full details can be seen in
Appendix 2.

Attempt 2

Analysis of the second attempt shows behaviour similar to the first. The Microsoft Excel
sheet contains an embedded string indicating auto-execute behaviour: a macro called
'AutoOpen' that runs when the sheet is opened. Furthermore, suspicious keywords were
found, such as 'Lib', which indicates that the macro may run code from a DLL, and
'Shell', which indicates that it may run a system command or an executable file; the
sample also installs hooks or patches the running process.
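The two document indicators listed above (an auto-execute entry point plus 'Lib'/'Shell'-style capability keywords) are easy to turn into a triage rule. The Python below is an added example for this page, not the dissertation's code and not olevba: it first checks whether an OOXML attachment carries a VBA project part at all, and then scores extracted macro source for auto-execute names, capability keywords and the long numeric Array(...) literal that shellcode-carrying macros use. It assumes the macro source has already been extracted from vbaProject.bin (the MS-OVBA decompression that tools such as olevba perform); the sample document and macro text are constructed here and carry no payload.

```python
# Added example for this page (not the dissertation's or olevba's code):
# detect a VBA project in an OOXML attachment and triage extracted macro source.
import io
import re
import zipfile

# Procedure names Office runs automatically on open/close.
AUTOEXEC = ["AutoOpen", "Auto_Open", "Document_Open", "Workbook_Open",
            "AutoExec", "AutoClose", "Auto_Close"]

# Capability keywords and what each suggests (the first two are the indicators
# reported for attempt 2 above; the rest are common companions).
SUSPICIOUS = {
    "Lib": "may run code from a DLL (Declare ... Lib)",
    "Shell": "may run a system command or an executable file",
    "CreateObject": "may instantiate an automation object (e.g. WScript.Shell)",
    "powershell": "may launch PowerShell",
    "VirtualAlloc": "may allocate memory for injected code",
    "CreateThread": "may execute injected code in a new thread",
    "RtlMoveMemory": "may copy bytes into executable memory",
    "URLDownloadToFile": "may download a file from a remote server",
}

# A long Array(n, n, n, ...) of small integers is how shellcode gets embedded.
BYTE_ARRAY = re.compile(r"Array\s*\(\s*(?:\d{1,3}\s*,\s*){20,}\d{1,3}\s*\)", re.I)


def macro_parts(doc: bytes) -> list:
    """Names of VBA project parts inside an OOXML (zip) document, if any."""
    with zipfile.ZipFile(io.BytesIO(doc)) as z:
        return [n for n in z.namelist() if n.lower().endswith("vbaproject.bin")]


def _has_word(source: str, word: str) -> bool:
    return re.search(r"\b" + re.escape(word) + r"\b", source, re.I) is not None


def triage_macro(source: str) -> dict:
    """Score extracted VBA source; returns the matched indicators and a verdict."""
    autoexec = [k for k in AUTOEXEC if _has_word(source, k)]
    suspicious = {k: why for k, why in SUSPICIOUS.items() if _has_word(source, k)}
    byte_array = BYTE_ARRAY.search(source) is not None
    if autoexec and (suspicious or byte_array):
        verdict = "high"        # runs on open and can execute code
    elif autoexec or suspicious or byte_array:
        verdict = "medium"
    else:
        verdict = "low"
    return {"autoexec": autoexec, "suspicious": suspicious,
            "byte_array": byte_array, "verdict": verdict}


def build_sample_docm() -> bytes:
    """Constructed macro-enabled document; the VBA part is a placeholder blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


# Constructed macro source in the shape of a stager (API declarations, an
# auto-run entry point and a numeric array); it contains no real shellcode.
SAMPLE_MACRO = """
#If Vba7 Then
  Private Declare PtrSafe Function CreateThread Lib "kernel32" () As LongPtr
  Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" () As LongPtr
  Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" () As LongPtr
#End If
Sub Auto_Open()
  Dim buf As Variant
  buf = Array(""" + ",".join(str(i % 256) for i in range(40)) + """)
End Sub
Sub AutoOpen()
  Auto_Open
End Sub
"""

if __name__ == "__main__":
    print("VBA parts:", macro_parts(build_sample_docm()))
    print(triage_macro(SAMPLE_MACRO))
```

Keyword matches alone are noisy (a legitimate macro may call Shell), which is why the verdict only goes to "high" when an auto-execute entry point is combined with a code-execution capability or an embedded byte array.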

Attempt 3
The behaviour of the file identifies it as malicious. The file of the third attempt shows
several malicious indicators, such as: drops executable files; installs hooks/patches the
running process; opens a file with deletion access rights; queries kernel debugger
information; the CRC value set in the PE header does not match the actual value;
creates/touches files in the Windows directory; the PE file has sections with unusual
entropy; makes a branch decision directly after calling an environment-aware API; and
allocates virtual memory in a foreign process. The full report of malicious indicators can
be seen in Appendix 4. Table 5 shows the result of testing the third attempt's file through
the external system and the result of 55 antivirus vendors.

Table 5: The result of malicious indicators

Category: External Systems
  Indicator: Sample was identified as malicious by a large number of antivirus engines
  Details: 22/55 antivirus vendors marked the sample as malicious (40% detection rate)

Category: Installation/Persistence
  Indicator: Allocates virtual memory in a foreign process
  Details: "<Input Sample>" allocated memory in "C:\Experiment3.exe"

5.2.2 Attack Tree

The attack tree helps the security analyst to understand the nature of the attack and to
anticipate the next phases; it is read from bottom to top. An APT intruder usually follows
this scenario to reach the available information. The intruder sends a malicious file, such
as a Word document, an Excel sheet or a photo, as in the three attempts. The attackers
used payloads to exploit targets and, in the simulation, used Metasploit to create the
infected file. When a target opens the infected file, the attacker obtains user information
and maintains access to the system; the intruder can also harvest the administrator's
credentials, as shown in Figure 68.

Figure 68: Attack tree of the APT attack for the three attempts

5.2.3 Kill Chain

The kill chain helps to analyse several intrusions over time, overlapping their indicators
and identifying commonalities, and it provides a highly dimensional correlation across
kill chain phases. Defenders and incident response teams can recognise and define
intrusion campaigns and connect these activities to a particular persistent threat.
Consistent indicators become key indicators and help incident response teams to
prioritise the development and maintenance of courses of action. Figure 67 illustrates the
indicators of the three attempts, which have different degrees of correlation but often
align on these key indicators. The less volatile indicators allow the response teams to
predict the characteristics of future intrusions. One of the objectives of the new
framework is to identify the patterns, behaviours, techniques, tactics and procedures of
the intruders. Table 6 connects the kill chain with the behaviour and indicators of the
intruders. The incident response team can defend the system by identifying the phase of
the attack: when the attacker sends the infected file (as in the three attempts of the
experiment), the attacker is in the third phase of the kill chain (delivery) and is about to
exploit the system. If the security framework fails to detect the malicious file, the
defender can still monitor the traffic in and out of the network and of each host.

Table 6: Intrusion Attempts 1, 2 and 3

Reconnaissance
  Attempt 1: [Recipient List]
  Attempt 2: [Recipient List]
  Attempt 3: [Recipient List]

Weaponization
  Attempt 1: Benign DOCX; using Metasploit algorithm
  Attempt 2: Benign XLSX; using Metasploit and Veil encryption algorithm
  Attempt 3: Benign JPG; using Metasploit and Veil encryption algorithm

Delivery
  Attempt 1: The email includes subject, body and attachment (Word document); sender Test..@yahoo.com
  Attempt 2: The email includes subject, body and attachment (Excel sheet); sender x..@yahoo.com
  Attempt 3: The email includes subject, body and attachment (photo); sender Tests..@yahoo.com

Exploitation
  Attempt 1: embedded_pe - contains an embedded PE32 file; embedded_win_api - a non-Windows executable contains win32 API function names; shellcode - matched shellcode byte patterns
  Attempt 2: embedded_pe - contains an embedded PE32 file; embedded_win_api - a non-Windows executable contains win32 API function names; shellcode - matched shellcode byte patterns
  Attempt 3: [JPG edited with Hex Workshop] [EXE encrypted with Veil]

Installation
  Attempts 1 and 2: C:\...\IEXPLORE.hlp; C:\...\IEUpd.exe; C:\Program Files\Microsoft Office\Office12\Normal.dotm; C:\Documents and Settings\User\Application Data\Microsoft\Templates\Normal.dotm; C:\Documents and Settings\User\Application Data\Microsoft\Templates\~$Normal.dotm
  Attempt 3: msvcp90.dll, msvcr90.dll, python27.dll, _socket.pyd, _ssl.pyd, select.pyd, _ctypes.pyd, msvcm90.dll, bz2.pyd, _hashlib.pyd

C2
  Attempts 1, 2 and 3: HTTP request / HTTPS request
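Table 6 is, in effect, an indicator map: the same (phase, indicator) pair recurring across attempts is what lets the team treat three emails as one campaign, and it shows which indicators are stable enough to build courses of action on. The Python below is an added example for this page (not the dissertation's code): it transcribes the table and the handler settings from Chapter 4 into per-phase indicator sets, computes which indicators are shared (the campaign backbone) and how volatile each one is, and then scores a new alert against that backbone. The indicator labels (e.g. lure:invoice, tcp/443) are shorthand chosen here, and the "new alert" at the bottom is constructed.

```python
# Added example for this page (not the dissertation's code): build the
# indicator map from Table 6 and score a new alert against the shared indicators.
from collections import defaultdict

PHASES = ["Reconnaissance", "Weaponization", "Delivery",
          "Exploitation", "Installation", "C2"]

# Indicators per attempt and kill-chain phase, transcribed from Table 6 plus
# the handler settings of Chapter 4 (Meterpreter reverse_https, port 443).
# Labels such as "lure:invoice" are shorthand chosen for this example.
ATTEMPTS = {
    "attempt1": {
        "Reconnaissance": {"recipient_list"},
        "Weaponization": {"metasploit"},
        "Delivery": {"email_attachment", "sender_domain:yahoo.com", "lure:invoice"},
        "Exploitation": {"embedded_pe", "embedded_win_api", "shellcode"},
        "Installation": {"IEUpd.exe", "Normal.dotm"},
        "C2": {"meterpreter_reverse_https", "tcp/443"},
    },
    "attempt2": {
        "Reconnaissance": {"recipient_list"},
        "Weaponization": {"metasploit", "veil"},
        "Delivery": {"email_attachment", "sender_domain:yahoo.com", "lure:cv"},
        "Exploitation": {"embedded_pe", "embedded_win_api", "shellcode"},
        "Installation": {"IEUpd.exe", "Normal.dotm"},
        "C2": {"meterpreter_reverse_https", "tcp/443"},
    },
    "attempt3": {
        "Reconnaissance": {"recipient_list"},
        "Weaponization": {"metasploit", "veil"},
        "Delivery": {"email_attachment", "sender_domain:yahoo.com", "lure:certificate_photo"},
        "Exploitation": {"exe_renamed_jpg"},
        "Installation": {"python27.dll", "_ssl.pyd"},
        "C2": {"meterpreter_reverse_https", "tcp/443"},
    },
}


def indicator_map(attempts: dict) -> dict:
    """(phase, indicator) -> set of attempt names in which it was observed."""
    seen = defaultdict(set)
    for name, phases in attempts.items():
        for phase, indicators in phases.items():
            for ind in indicators:
                seen[(phase, ind)].add(name)
    return dict(seen)


def backbone(attempts: dict, min_hits: int = 2) -> dict:
    """Indicators seen in at least min_hits attempts: the least volatile ones."""
    return {k: v for k, v in indicator_map(attempts).items() if len(v) >= min_hits}


def volatility(attempts: dict, phase: str, indicator: str) -> float:
    """0.0 = present in every attempt (stable); approaches 1.0 when seen once."""
    hits = indicator_map(attempts).get((phase, indicator), set())
    return 1.0 - len(hits) / len(attempts)


def score_alert(attempts: dict, observed: dict):
    """observed: {phase: set(indicators)} from a new alert.
    Returns (matched phases in kill-chain order, share of the backbone matched)."""
    bb = backbone(attempts)
    hits = [(p, i) for (p, i) in bb if i in observed.get(p, set())]
    phases = [p for p in PHASES if any(hp == p for hp, _ in hits)]
    confidence = len(hits) / len(bb) if bb else 0.0
    return phases, confidence


def shared_by_phase(attempts: dict) -> dict:
    """Human-readable view of the backbone, grouped by kill-chain phase."""
    out = {p: [] for p in PHASES}
    for (p, i), who in sorted(backbone(attempts).items()):
        out[p].append(f"{i} ({len(who)}/{len(attempts)})")
    return out


if __name__ == "__main__":
    for phase, inds in shared_by_phase(ATTEMPTS).items():
        print(f"{phase:15} {', '.join(inds) or '-'}")
    # Constructed new alert: an HR mailbox receives a yahoo.com email with an
    # attachment and, shortly after, a host opens HTTPS to an unknown server.
    alert = {"Delivery": {"email_attachment", "sender_domain:yahoo.com"},
             "C2": {"meterpreter_reverse_https", "tcp/443"}}
    print(score_alert(ATTEMPTS, alert))
```

The lure changes every time (volatility 2/3) while the sender domain, the Metasploit tooling and the HTTPS callback on port 443 never do (volatility 0), which is exactly the distinction between indicators worth a detection rule and indicators that only describe one email.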

5.2.4 SIEM, Firewall and IDS of AlienVault

AlienVault has four main windows:

1- Dashboards

The security analyst or the incident response team gets an overview of the network from
the dashboards, as shown in Figure 69. The dashboards show security events; the top 10
event categories; the latest SIEM vs logger events; host events and SIEM events by
sensor. AlienVault USM succeeded in reducing or preventing the APT in the three
attempts. The USM report can be seen in Appendix 1.

Figure 69: Dashboards overview

2- Analysis

AlienVault allows defenders to analyse the vulnerabilities of the network and hosts, as
shown in Figure 70. The sensors, IDS and firewall of AlienVault were configured in the
previous chapter so that AlienVault detects vulnerabilities in real time or on a schedule.

Figure 70: AlienVault scan vulnerabilities

Also AlienVault can scan the ports for one or more hosts in the network, as shown in
Figure 71.

Figure 71: AlienVault Port Scan for one or more hosts

AlienVault USM records all events and enables the incident response team or defender
to check them and investigate whether an incident is harmful. The events in Figure 72
can be used as indicators of an APT and enable defenders to reduce risk.

Figure 72: List of events for a host

Real-time vulnerability analysis, together with the SIEM and IDS, succeeded in detecting
the malicious files in the first and second attempts. Figure 73 shows the results of the
analysis, which include a port scan and suspicious behaviour.

Figure 73: The result of analysis

AlienVault can be linked to the kill chain to identify the phase of the attack, as it informs
the defenders about reconnaissance and port scan activities. Figure 74 shows further
details of the scan result, including statistics on total events, duration and elapsed time.

Figure 74: Further details of vulnerabilities scan

The incident response team can use the USM to determine a vulnerability's priority,
creation time, status and type, as shown in Figure 75.

Figure 75: SIEM determines priority of vulnerability

3- Environment

USM allows the incident response team to understand the risks that threaten the network
and shows the results graphically. Figure 76 illustrates the current vulnerabilities by
severity for host 192.168.0.119: 4 high, 1 medium and 17 low. Appendix 1 shows the full
report of the vulnerabilities and the malicious files.

Figure 76: Current vulnerability according to severity

Event trends and HIDS data sources are shown graphically in Figure 77. The defender
can read the chart and identify threats and risks from the IDS, invalid login, syscheck,
system error, Windows and authentication success events by clicking on a data source
type to see more details.

Figure 77: HIDS event trends and data source

When the incident response team or the security analyst clicks the HIDS chart or a
particular host, AlienVault redirects to another window with further details, such as
vulnerabilities, alarms, events, software, services and groups, as shown in Figure 78.
Host 192.168.0.119 has some high-severity vulnerabilities, such as DCE services
enumeration, 3com switch2hub and a buffer overflow.

Figure 78: Vulnerability and service of host 192.168.0.119

4- Reports

The reports in Figure 79 show the results of previous scans and alarm reports; the
defender can see further details by clicking the required report. For example, when the
incident response team clicks the Malware alarm, the USM shows how the SIEM
succeeded in preventing the first and second attempts (see Appendix 1).

Figure 79: SIEM reports

5.2.5 Sandbox

The sandbox results are based on Malwr, which provides malware analysis using Cuckoo
Sandbox and VirusTotal, and on VxStream Sandbox v3.30 by Payload Security. An
online sandbox is a convenient way to test and analyse files and improve security.
Appendices 2, 3 and 4 show the full reports of Cuckoo Sandbox and VxStream Sandbox
v3.30, including the VirusTotal scan. Below are six screenshots from the reports that help
to detect the malicious files. The incident response team can use an online sandbox to
investigate an incident and to support other security solutions, such as SIEM, IDS,
firewall and antivirus. The results of using the online sandbox in the three attempts are
as follows:

- Attempt 1

The online Cuckoo Sandbox powered by Malwr displays the hashes of the file uploaded
to the server, as shown in Figure 80.

Figure 80: Hash file of uploaded document in first attempt


Malwr uses VirusTotal to scan the document with 55 security solutions (antivirus and
antispyware). Only three of them succeeded in detecting the malicious file, as shown in
Figure 81.

Figure 81: The result of scanning document with VirusTotal

- Attempt 2

The hashes of the Excel sheet, displayed in Figure 82, are analysed with Malwr.

Figure 82: Hash file of the uploaded document in the second attempt

The scan results, shown in Figure 83, indicate that only Avast and ClamAV detected the
malicious file.

Figure 83: The result of scanning the Excel sheet in the second attempt

- Attempt 3

The hashes of the photo uploaded to the Malwr server are analysed, as shown in Figure
84.

Figure 84: Hash file of uploaded document in the third attempt

The scan result, shown in Figure 85, indicates that several security solutions detected the
malicious file.

Figure 85: The result of scanning JPG photo in the third attempt

5.3 Compare Frameworks
As can be seen from the previous sections, the new framework succeeded in detecting
the malicious files in all three attempts, which allows this type of APT to be detected and
mitigated by combining different security solutions: SIEM, HIDS, NIDS and sandbox.
Traditional methods that rely on antivirus and antispyware failed to detect or prevent the
APT. The new framework therefore provides appropriate methods for detecting APT.
Table 7 compares the results of the experiment for both groups.

Table 7: Comparison of the results of groups A and B

Attempt     Group A (Traditional)    Group B (New Framework)
Attempt 1   Success                  Success
Attempt 2   Failed                   Success
Attempt 3   Failed                   Success

Chapter 6. CONCLUSIONS
The main goal of the dissertation was to determine whether the framework could
help the incident response team to identify the objectives, intent and strategies of
the attacker and then respond correctly to these APTs; moreover, the framework
can map the numerous links, relationships and procedures. The next section of
this chapter (6.1) examines how the four main aims and objectives of this
dissertation were met. A critical analysis of the new framework and the experi-
ments is given in Section 6.2, and Section 6.3 discusses future work related to
the subject of the dissertation.

6.1 Aims and objectives

There are four main aims and objectives, outlined in Chapter 1, that are required
to be met to complete the dissertation, as follows:

1. To research and review IRs and APTs that are covering various topics,
such as Traditional IRs, APTs, Indicators and the Indicator Life Cycle,
Cyber Adversaries, threat model, kill chain, and Security Information and
Event Management systems (SIEM).
2. Design and implement a new framework.
3. Provide two simulations of an attack over a virtual network, tested by two
groups of users. The first simulation uses the multi-stage attack framework
model, importing log data from different sources into the SIEM for analysis,
while the second simulation represents the original approach.
4. The results of the evaluation from the two groups will show whether the
multi-stage attack framework model can identify and detect APTs, compared
with the second simulation with default security settings.

6.1.1 Objective 1

The first objective was met in Chapters 2 and 3. The literature review discussed
incident response and its phases, reviewed the different meanings of APT and the
phases of an APT (e.g. intelligence gathering, point of entry, command and control,
lateral movement, asset discovery and data exfiltration) and connected them to the
kill chain. Chapter 3 focuses on SIEM and indicators of attack in further detail.

6.1.2 Objective 2

Designing and implementing a new framework was the second objective. A multi-stage
simulation model was designed in Chapter 2 and implemented in Chapter 3. The new
framework includes various components, such as antivirus, firewalls, HIDS/NIDS,
SIEM, indicators, an attack tree, the kill chain and a sandbox. The new framework
succeeded in identifying the attacker's phase of attack and applied the defence
mechanisms that helped to detect and prevent the APT.

6.1.3 Objective 3

The third objective was met in Chapter 4 by conducting the experiments for both
groups: three attack attempts were launched against each group (traditional
approach and new framework) to test their ability to detect and prevent APT.

6.1.4 Objective 4

The final objective was met in Chapter 5 by evaluating the results of the two groups.
The new multi-stage framework model succeeded in identifying and detecting the
APTs compared with the traditional approach: the traditional approach detected only
one attack and failed to detect the other, more advanced attacks, while the new
framework succeeded in preventing or reducing all three.

6.2 Critical Analysis

The aims and objectives of this dissertation have been met, as seen in Section 6.1.
This section provides a critical analysis of the multi-stage simulation model and the
experiments that were carried out. The new framework succeeded in detecting the
APT, but the simulation covers only a limited number of attacks. In reality, an incident
response team works in a corporation with thousands of employees across several
countries and cannot apply the full framework to every incident. For example, a sandbox
is a good technology that allows the incident response team to detect malware and
malicious files, but it is difficult to apply to thousands of incidents in a limited time.
Moreover, the simulation scenario installs the SIEM, antivirus and other technologies
first and then starts the attack to measure whether the new framework detects it. The
scenario does not study the case where the attacker is already in the network and
works low and slow.

There are also strengths that if the attacker carried out APT over a much longer
period of time, the incident response team can connect different incidents using a
kill chain, monitoring traffic and log data from a variety of sources (e.g. Firewall,
SIEM software, Intrusion Detection System, etc.) on the network to detect the APT.

6.3 Future Work


APTs are able to be carried out by highly experienced hackers who can develop advanced malware, such as Stuxnet; these can be identified easily as the attacker encrypts the malicious files. Moreover, the dissertation does not consider what happens if the attacker is already inside the network and other components, like SIEM, are installed after the intruder controls hosts or the network. If the attacker works low and slow, the incident response team may take some time to collect the various indicators and detect the malicious behaviour with different tools, or to keep an eye on the traffic inside the network. The experiment scenario is based on already installed components of the new framework and investigates new attacks closely, but what if the company or organisation was hacked a long time ago and the attacker maintains access to the network and has all the credentials to work low and slow? This would certainly further complicate the scenario to be implemented, but it should be investigated.

REFERENCES

Anderson, J. P. (1980). Computer security threat monitoring and surveillance (Vol. 17). Technical report, James P. Anderson Company, Fort Washington, Pennsylvania.

Bhatt, P., Toshiro Yano, E. and Gustavsson, P. M. (2014). Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks. In Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on (pp. 390-395). IEEE.

Bhatt, S., Manadhata, P.K. and Zomlot, L. (2014). The operational role of security information and event management systems. Security & Privacy, IEEE, 12(5), pp.35-41.

Chappel, M. (2014). Endpoint Threat Detection, Response and Prevention for Dummies. John Wiley & Sons, Inc., pp.12-17.

Chen, P., Desmet, L. and Huygens, C. (2014). A Study on Advanced Persistent Threats. In Communications and Multimedia Security (pp. 63-72). Springer Berlin Heidelberg.

Cole, E. (2012). Advanced persistent threat: understanding the danger and how to protect your organization. Newnes.

Coughanour, D. (2014). Remote forensics in incident response. Master degree. Utica College.

Cichonski, P., Millar, T., Grance, T. and Scarfone, K. (2012). Computer security incident handling guide. NIST Special Publication, 800, 61.

Damballa (2015). Advanced Persistent Threat (APT). [online] Damballa.com. Available at: https://www.damballa.com/paper/advanced-persistent-threats-a-brief-description/ [Accessed 1 Nov. 2015].

Dan, M. (2013). APT1: Exposing One of China's Cyber Espionage Units. [online] mandiant.com. Available at: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf [Accessed 4 Oct. 2015].

Dempster, P. (2015). Brute Force Attack Detection and Mitigation using a SIEM Architecture. Undergraduate. Edinburgh Napier University.

Denning, D. E. (1987). An intrusion-detection model. Software Engineering, IEEE Transactions on, (2), 222-232.

Edge, K.S., Dalton, G.C., Raines, R. and Mills, R.F. (2006). Using attack and protection trees to analyze threats and defenses to homeland security. In Military Communications Conference, 2006. MILCOM 2006. IEEE (pp. 1-7). IEEE.

Field, T. (2013). The Need for Speed: 2013 Incident Response Survey. [online] ismgcorp.com. Available at: http://docs.ismgcorp.com/files/handbooks/Incident-Response-Survey-2013/fireeye_Incident_response_survey_report.pdf [Accessed 22 Nov. 2015].

FireEye (2012). Cyber Attacks on Government: How APT Attacks are Compromising Federal Agencies and How to Stop Them. [online] Available at: http://www.locked.com/sites/default/files/Cyber-Attacks-on-Government-White-Paper.pdf [Accessed 10 Nov. 2015].

Forrest, S., Hofmeyr, S., Somayaji, A. and Longstaff, T. (1996, May). A sense of self for unix processes. In Security and Privacy, 1996. Proceedings., 1996 IEEE Symposium on (pp. 120-128). IEEE.

F-Secure (n.d.). W97M.Downloader.QK Description | F-Secure Labs. [online] F-secure.com. Available at: https://www.f-secure.com/v-descs/w97m_downloader_qk.shtml [Accessed 27 Feb. 2016].

Flåten, O. and Lund, M. S. (2014). How Good are Attack Trees for Modelling Advanced Cyber Threats? Norsk informasjonssikkerhetskonferanse (NISK), 7(1).

Fuzzy Security (n.d.). FuzzySecurity | Exploits: MS14-064 OLE Automation Array Remote Code Execution. [online] Fuzzysecurity.com. Available at: http://www.fuzzysecurity.com/exploits/21.html [Accessed 14 Feb. 2016].

Garofalo, A., Di Sarno, C., Matteucci, I., Vallini, M. and Formicola, V. (2014). Closing the loop of SIEM analysis to Secure Critical Infrastructures. arXiv preprint arXiv:1405.2995.

Ginter, A. (2012). DuQu, Stuxnet, APT and Other Failures of ICS Security. [online] waterfall-security.ca. Available at: http://waterfall-security.ca/resources/wf-afpm-failures-P-12-02.pdf [Accessed 22 Nov. 2015].

Giura, P. and Wang, W. (2012). A context-based detection framework for advanced persistent threats. In Cyber Security (CyberSecurity), 2012 International Conference on (pp. 69-74). IEEE.

Green, J. A. (2015). Cyber Warfare: A Multidisciplinary Analysis. Routledge.

Haq, T. and Khalid, Y. (2013). Internet Explorer 8 Exploit Found in Watering Hole Campaign Targeting Chinese Dissidents. Threat Research. [online] FireEye. Available at: https://www.fireeye.com/blog/threat-research/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html [Accessed 7 Nov. 2015].

Heady, R., Luger, G. F., Maccabe, A. and Servilla, M. (1990). The architecture of a network level intrusion detection system. Department of Computer Science, College of Engineering, University of New Mexico.

Hutchins, E. M., Cloppert, M. J. and Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare & Security Research, 1, 80.

ISACA (2013). Advanced Persistent Threats: How to Manage the Risk to your Business. ISACA.

Jackson, K. (2010). 'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators. [online] Dark Reading. Available at: http://www.darkreading.com/attacks-breaches/aurora-attacks-still-under-way-investigators-closing-in-on-malware-creators/d/d-id/1132922 [Accessed 10 Nov. 2015].

Jeong, H. Y., Obaidat, M. S., Yen, N. Y. and Park, J. J. J. H. (Eds.) (2013). Advances in Computer Science and its Applications: CSA 2013 (Vol. 279). Springer Science & Business Media.

Jitpukdebodin, S. (2015). Howto: Embedding Veil Powershell payloads into Office Documents. [Blog] Offensive Security Blog. Available at: http://www.r00tsec.com/2014/06/howto-embedding-veil-powershell.html [Accessed 14 Feb. 2016].

Joint Task Force Transformation Initiative (2011). Managing Information Security Risk: Organization, Mission, and Information System View. NIST Special Publication, (800-39), 800-39.

Kaspersky (2013). The Icefog APT: A Tale of Cloak and Three Daggers. [online] Available at: http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf

Kessler, M. (2014). Computer Incident Response and Forensics Team Management. Syngress.

Knapp, E. D. and Langill, J. T. (2014). Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress.

Koskei, J. K. (2008). An attacker intention discovery layer for intrusion detection systems using hidden Markov models (Doctoral dissertation, Oklahoma State University).

Li, Q. and Clark, G. (2015). Security Intelligence: A Practitioner's Guide to Solving Enterprise Security Challenges. John Wiley & Sons.

Mandiant (2010). The Advanced Persistent Threat. [online] dl.mandiant.com. Available at: https://dl.mandiant.com/EE/assets/PDF_MTrends_2010.pdf [Accessed 1 Nov. 2015].

Mandiant (2013). APT1: Exposing One of China's Cyber Espionage Units. [online] intelreport.mandiant.com. Available at: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf [Accessed 22 Nov. 2015].

Mandiant (2014). M-Trends reports - Mandiant. [online] mandiant.com. Available at: https://dl.mandiant.com/EE/library/WP_M-Trends2014_140409.pdf [Accessed 15 Nov. 2015].

Makrushin, D. (2015). Indicators of compromise as a way to reduce risk - Securelist. [online] Securelist.com. Available at: https://securelist.com/blog/security-policies/71915/indicators-of-compromise-as-a-way-to-reduce-risk/ [Accessed 6 Dec. 2015].

Malwr (2016). Malwr - Malware Analysis by Cuckoo Sandbox. [online] Malwr.com. Available at: https://malwr.com/about/ [Accessed 28 Feb. 2016].

McAfee (2016). Trusted anti-virus for every device you own | McAfee AntiVirus Plus. [online] Mcafee.com. Available at: https://www.mcafee.com/consumer/en-us/store/m0/catalog/mav_512/mcafee-antivirus-plus.html?pkgid=512#sthash.QuENQ1FS.dpuf [Accessed 13 Feb. 2016].

McAfee (2014). McAfee AntiVirus Plus. [online] mcafee.com. Available at: http://download.mcafee.com/products/manuals/en-us/MAV_DataSheet_2015.pdf [Accessed 13 Feb. 2016].

Miwa, S., Miyachi, T., Eto, M., Yoshizumi, M. and Shinoda, Y. (2007). Design issues of an isolated sandbox used to analyze malwares. In Advances in Information and Computer Security (pp. 13-27). Springer Berlin Heidelberg.

Nicolett, M. and Kavanagh, K. M. (2012). Critical capabilities for security information and event management. Gartner RAS Core Research (ID: G00227900).

Nicolett, M. and Kavanagh, K.M. (2011). Magic quadrant for security information and event management. Gartner RAS Core Research Note (May 2009).

Nige Security Guy (2013a). APT Detection Indicators - Part 1. [online] Nige the Security Guy. Available at: https://nigesecurityguy.wordpress.com/2013/12/12/apt-detection-indicators-part-1/ [Accessed 6 Dec. 2015].

Nige Security Guy (2013b). APT Detection Indicators - Part 2. [online] Nige the Security Guy. Available at: https://nigesecurityguy.wordpress.com/2014/01/10/apt-detection-indicators-part-2/ [Accessed 6 Dec. 2015].

Payload Security (2016). Frequently Asked Questions · Free Automated Malware Analysis Service - powered by VxStream Sandbox. [online] Hybrid-analysis.com. Available at: https://www.hybrid-analysis.com/faq [Accessed 28 Feb. 2016].

Pernet, C. (2007). APT Kill chain - Part 2: Global view - Airbus D&S CyberSecurity blog. [online] Blog.airbuscybersecurity.com. Available at: http://blog.airbuscybersecurity.com/post/2014/04/APT-Kill-chain-Part-2-%3A-Global-view [Accessed 3 Jan. 2016].

Prosise, C. and Mandia, K. (2003). Incident response & computer forensics (p. 11). McGraw-Hill/Osborne.

Pidawekar, L. (2014). APT – Will the current incident response methodologies be effective? [online] Available at: https://dl.packetstormsecurity.net/papers/general/apt-ir-effectiveness.pdf [Accessed 4 Oct. 2015].

Rapid7 Community (2011). Metasploit: Meterpreter HTTP/HTTPS Communication | Rapid7 Community. [online] Community.rapid7.com. Available at: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication [Accessed 14 Feb. 2016].

Rockefeller, C. (2014). A "Kill Chain" Analysis of the 2013 Target Data Breach. [online] www.covert.io. Available at: http://www.covert.io/research-papers/security/A%20Kill%20Chain%20Analysis%20of%20the%202013%20Target%20Data%20Breach.pdf [Accessed 3 Jan. 2016].

Scarfone, K. A., Grance, T. and Masone, K. (2008). SP 800-61 Rev. 1. Computer Security Incident Handling Guide. Technical Report. NIST, Gaithersburg, MD, United States.

Schilling, J. and Jackson, D. (2013). Breaking the Kill Chain. [online] Brighttalk.com. Available at: https://www.brighttalk.com/webcast/10979/111867 [Accessed 18 Dec. 2015].

Schilling, J. and Jackson, D. (2015). Breaking the Kill Chain. [online] Brighttalk.com. Available at: https://www.brighttalk.com/webcast/10979/111867 [Accessed 18 Dec. 2015].

Shioya, T., Oyama, Y. and Iwasaki, H. (2007). A sandbox with a dynamic policy based on execution contexts of applications. In Advances in Computer Science–ASIAN 2007. Computer and Network Security (pp. 297-311). Springer Berlin Heidelberg.

Jajodia, S., Shakarian, P., Subrahmanian, V.S., Swarup, V. and Wang, C. (2015). Cyber Warfare: Building the Scientific Foundation. Springer.

Thales (2014). Thales Cyber Incident Response: Dealing with Targeted Attacks in Multinational Corporations. [online] thalesgroup.com. Available at: https://www.thalesgroup.com/sites/default/files/asset/document/thales_cyber_incident_response_0.pdf [Accessed 4 Oct. 2015].

The Security Sleuth (2015). Using Veil to bypass antivirus and disguise a Metasploit backdoor. [online] security-sleuth.com. Available at: http://www.security-sleuth.com/sleuth-blog/2015/2/3/using-veil-with-metasploit [Accessed 14 Feb. 2016].

Trend Labs APT Research Team (2012). Spear-Phishing Email: Most Favored APT Attack Bait. [online] trendmicro.co.uk. Available at: http://www.trendmicro.co.uk/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf [Accessed 7 Nov. 2015].

Torres, A. (2014). Incident Response: How to Fight Back. [online] Sans.org. Available at: https://www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342 [Accessed 4 Oct. 2015].

US-CERT (2014). Incident Reporting System | US-CERT. [online] Us-cert.gov. Available at: https://www.us-cert.gov/government-users/reporting-requirements [Accessed 1 Nov. 2015].

Wright, Schroh, Proulx, Skaburskis and Cort (2006). The Sandbox for analysis: concepts and methods. In Proceedings of the SIGCHI conference on Human Factors in computing systems (pp. 801-810). ACM.

Verizon (2015). Quantify the impact of a data breach with new data from the 2015 DBIR. 2015 Data Breach Investigations Report. [online] Verizon, pp.8-24. Available at: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf [Accessed 22 Nov. 2015].

Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M. and Geers, K. (2013). Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs. Executive Research. [online] FireEye. Available at: https://www.fireeye.com/blog/executive-perspective/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html [Accessed 22 Nov. 2015].

Virvilis, N. and Gritzalis, D. (2013). The big four - what we did wrong in advanced persistent threat detection? In Availability, Reliability and Security (ARES), 2013 Eighth International Conference on (pp. 248-254). IEEE.

Virvilis, N., Gritzalis, D. and Apostolopoulos, T. (2013). Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? In Ubiquitous Intelligence and Computing, 2013 IEEE 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC) (pp. 396-403). IEEE.

Zulkefli, Z., Singh, M. M. and Malim, N. H. A. H. (2015). Advanced Persistent Threat Mitigation Using Multi Level Security–Access Control Framework. In Computational Science and Its Applications--ICCSA 2015 (pp. 90-105). Springer International Publishing.

APPENDICES

Appendix 1

AlienVault: I.T Security Vulnerability Report

Job Name: Scan1                                                      Scan time: 2016-02-12 07:17:30
Profile: Ultimate - Full and Fast scan including Destructive tests   Generated: 2016-02-12 09:11:22

HostIP          HostName             Serious   High   Med   Low   Info
192.168.0.119   Host-192-168-0-119   --        4      1     --    17

192.168.0.119 Host-192-168-0-119

High:

DCE Services Enumeration    Risk: High    Application: msrpc
Port: 135    Protocol: tcp    ScriptID: 10736

Summary:
Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge about the remote host.
Solution:
filter incoming traffic to this port.

CVSS Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P    CVSS Base Score: 5.0

Family name: Windows
Category: infos
Copyright: This script is Copyright (C) 2001
Summary: Enumerates the remote DCE services    Version: $Revision: 2325 $

High:

DCE Services Enumeration    Risk: High    Application: msrpc
Port: 135    Protocol: tcp    ScriptID: 10736

Vulnerability Detection Result:
Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries. An attacker may use this fact to gain more knowledge about the remote host.
Here is the list of DCE services running on this host:
Port: 49152/tcp
UUID: d95afe70-a6d5-4259-822e-2c84da1ddb0d, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49152]
Port: 49153/tcp
UUID: f6beaff7-1e19-4fbb-9f8f-b89e2018337c, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49153]
Annotation: Event log TCPIP
UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d6, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49153]
Annotation: DHCPv6 Client LRPC Endpoint
UUID: 3c4728c5-f0ab-448b-bda1-6ce01eb0a6d5, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49153]
Annotation: DHCP Client LRPC Endpoint
UUID: 06bba54a-be05-49f9-b0a0-30f790261023, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49153]
Annotation: Security Center
UUID: 30adc50c-5cbc-46ce-9a0e-91914789e23c, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49153]
Annotation: NRP server endpoint
Port: 49154/tcp
UUID: 86d35949-83c9-4044-b424-db363231fd0c, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
UUID: 552d076a-cb29-4e44-8b6a-d15e59e2c0af, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
Annotation: IP Transition Configuration endpoint
UUID: 98716d03-89ac-44c7-bb8c-285824e51c4a, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
Annotation: XactSrv service
UUID: 201ef99a-7fa0-444c-9399-19ba84f12a1a, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
Annotation: AppInfo
UUID: 5f54ce7d-5b79-4175-8584-cb65313a0e98, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
Annotation: AppInfo
UUID: fd7a0523-dc70-43dd-9b2e-9c5ed48225b1, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
Annotation: AppInfo
UUID: 58e604e8-9adb-4d2e-a464-3b0683fb1480, version 1
Endpoint: ncacn_ip_tcp:192.168
Annotation: AppInfo
Port: 49157/tcp
UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
Endpoint: ncacn_ip_tcp:192.168.0.119[49157]
Port: 49166/tcp
UUID: 12345778-1234-abcd-ef00-0123456789ac, version 1
Endpoint: ncacn_ip_tcp:192.168.0.119[49166]
Named pipe : lsass
Win32 service or process : lsass.exe
Description : SAM access
Solution : filter incoming traffic to this port(s).

CVSS Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Solution:
filter incoming traffic to this port.
Summary:
Distributed Computing Environment (DCE) services running on the remote host can be enumerated by connecting on port 135 and doing the appropriate queries.
An attacker may use this fact to gain more knowledge about the remote host.
CVSS Base Score: 5.0

Family name: Windows
Category: infos
Copyright: This script is Copyright (C) 2001 Dave Aitel (ported to NASL by rd and Pavel Kankovsky)
Summary: Enumerates the remote DCE services    Version: $Revision: 2325 $

High:

3com switch2hub    Risk: High    Application: general
Port: 0    Protocol: tcp    ScriptID: 80103

Vulnerability Detection Result:
Fake IP address not specified. Skipping this check.

Solution:
Lock Mac addresses on each port of the remote switch or buy newer switch.

CVSS Base Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Summary:
The remote host is subject to the switch to hub flood attack.

Description :
The remote host on the local network seems to be connected through a switch which can be turned into a hub when flooded by different mac addresses.
The theory is to send a lot of packets (> 1000000) to the port of the switch we are connected to, with random mac addresses. This turns the switch into learning mode, where traffic goes everywhere.
An attacker may use this flaw in the remote switch to sniff data going to this host
Reference : http://www.securitybugware.org/Other/2041.html

CVSS Base Score: 7.8    Family name: Denial of Service    Category: denial
Copyright: (C) 2009 Vlatko Kosturjak    Summary: Detects 3com switch2hub vuln
Version: $Revision: 2244 $

High:

Easy File Management Web Server USERID Buffer Overflow Vulnerability    Risk: High
Application: general
Port: 0
Protocol: tcp
ScriptID: 805096

Vulnerability Detection Result:
banner
HTTP/1.1 404 Object Not Found
Content-Length: 31
Content-Type: text/html
Server: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0 Microsoft-HTTPAPI/2.0
Date: Fri, 12 Feb 2016 12:01:23 GMT
Connection: close

Impact:
Successful exploitation may allow remote attackers to cause the application to crash, creating a denial-of-service condition.
Impact Level: Application

Summary:
The host is running Easy File Management Web Server and is prone to buffer overflow vulnerability.

Insight:
The flaw is due to an error when processing web requests and can be exploited to cause a buffer overflow via an overly long string passed to USERID in a HEAD or GET request.

Affected Software/OS:
Easy File Management Web Server version 5.6

CVSS Base Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Detection Method:
Send a crafted request via HTTP GET and check whether it is able to crash or not.

Solution:
No solution or patch is available as of 6th January, 2016. Information regarding this issue will be updated once the solution details are available.
For updates refer to http://www.efssoft.com

References:
https://www.exploit-db.com/exploits/37808
CVSS Base Score: 5.0
Family name: Denial of Service
Category: denial
Copyright: Copyright (C) 2015 Greenbone Networks GmbH
Summary: NOSUMMARY
Version: $Revision: 2352 $

Appendix 2

Quick Overview

Appendix 3
Quick Overview

Screenshots

Antivirus

Behavioural Analysis

Dropped Files

Appendix 4
Quick Overview

Appendix 5

Specification and Design Report


Version 15

Student's Name: Mohamed Elmetaafy

Student's Number: H00029871

Student's Email Address: Mohamed.Elmetaafy@my.ohecampus.com

Project Title: Cyber incident response and new framework for the APT
DA Class ID: UKL1.CKIT.702.H00023862

Name of DA: Yongge Wang

Name of GDI: Samuel Sambasivam

Name of SSM: Marco Mirpourian

The Specification:

The main hypothesis of the dissertation is based on using complex multistage framework solutions in order to limit and reduce the damage of the cyber attack, in addition to improving the detection of advanced and persistent threats. The long-term and sophisticated attacks target companies, governments and political activists; these incidents happen for different industries as well. Figure 1 represents a survey of 19 industries showing each industry's share of incident response. The technology/IT sector has the highest share of incidents (15%), whilst engineering and consultation are represented by 0.5% (Torres, 2014).

Figure 1: Industries Represented (Torres, 2014).

Multinational corporations can be spread over several countries, and against multi-vectored APT challenges establishing a strong defence against APT is very important. Figure 2 shows numerous challenges for companies, governments, political activists, etc. APT campaigns may be interested in achieving financial benefits for the country involved, through theft of valuable information and intellectual property where there is a close relationship between industry and government (Thales, 2014).

Figure 2: Cyber Incident Response for multinational corporations (Thales, 2014).

Aims and objectives:

The project will provide a comprehensive framework to represent a model of Multi-Stage attacks. This multistage model includes an attack threat model to analyse and describe attacks against computer systems and, in addition, to understand the characteristics of the adversary. The output of the attack threat model can help to identify the phase of the attack on the Kill-Chain attack model. The framework can help the incident response team to identify the objectives, intent and strategies of the attacker, and then respond correctly against these APTs. Moreover, the framework can map the numerous links, relationships and procedures. To meet the previous aims, the objectives below must be met:

1. To research and review IRs and APTs, covering various topics such as traditional IRs, APTs, indicators and the indicator life cycle, cyber adversaries, threat model, kill chain, and Security Information and Event Management systems (SIEM).
2. Design and implement a new framework.
3. Provide two simulations that simulate an attack over a virtual network and are tested by two groups of user study. The first simulation will use the framework model of Multi-Stage attacks and import log data from different sources into SIEM and analyse it, while the second simulation will represent the original approach.
4. The results of the evaluation from the two groups will show whether the framework model of Multi-Stage attacks can identify and detect APTs, compared with the second simulation with default security settings.

Proposed solution

The proposed framework allows the incident response team to detect APTs more efficiently and improves the knowledge of the incident response team about the phases of the attack by identifying and detecting various indicators of the adversary's attack. The multistage framework can be described as multi-layer security and components. The new framework (as shown in Figure 5) includes layer 1, which has antivirus, NIDS/HIDS, firewall, etc. The logs of the layer 1 components will be used by SIEM in layer 2 to show different alerts and warnings. The incident response team can use these alerts and indicators to draw the attack tree and connect the parts of the complex attack, then identify the phase of the attack according to the kill chain. The incident response team can use the sandbox to test suspicious files that may be infected by malware. The top-down design methodology will break larger processes into smaller ones through analysis of the intrusion kill chains, SIEM, and robust indicator maturity. The artefact will include a model, the processes and a framework to represent solutions to APTs.
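The layer-1 to layer-2 flow described here, together with the point made in the critical analysis and the future work (section 6.2 and 6.3) that a low-and-slow attacker's incidents must be connected across a long period using the kill chain, can be illustrated with a small correlator. The following Python is an added example written for this page, not code from the dissertation or from any SIEM product; the log format, the event-type names, the phase mapping and the sample events are all constructed assumptions.

```python
"""Added example (not from the dissertation or any product it discusses): a
small layer-2 correlator in the spirit of the proposed framework.  It ingests
constructed layer-1 events (firewall, NIDS, antivirus, HIDS), maps each event
type to a kill-chain phase, groups events per internal host and flags hosts
whose activity progresses through several phases, which is the chain the
incident response team would draw as an attack tree.  The log format, the
event-type names and the phase mapping are assumptions of this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Kill-chain phases in order.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Assumed mapping from (layer-1 component, alert type) to a kill-chain phase.
PHASE_OF = {
    ("nids", "PORT_SCAN"): "reconnaissance",
    ("firewall", "INBOUND_SCAN"): "reconnaissance",
    ("av", "MALICIOUS_ATTACHMENT"): "delivery",
    ("nids", "EXPLOIT_ATTEMPT"): "exploitation",
    ("hids", "NEW_SERVICE"): "installation",
    ("nids", "HTTP_BEACON"): "command_and_control",
    ("firewall", "LARGE_OUTBOUND"): "actions_on_objectives",
}

# Constructed sample events, format "<ISO time> <component> <type> key=value ...".
# The phases for 192.168.0.119 are spread over a month to mimic a low-and-slow
# intruder; 192.168.0.42 only ever sees a scan.
SAMPLE_LOGS = """\
2016-02-01T08:02:11 nids PORT_SCAN host=192.168.0.119 src=203.0.113.7
2016-02-03T09:15:40 av MALICIOUS_ATTACHMENT host=192.168.0.119 file=invoice.doc
2016-02-03T09:16:02 nids EXPLOIT_ATTEMPT host=192.168.0.119 sig=office-document
2016-02-03T09:20:30 hids NEW_SERVICE host=192.168.0.119 name=updsvc
2016-02-10T03:00:05 nids HTTP_BEACON host=192.168.0.119 dst=198.51.100.9
2016-02-24T03:00:07 nids HTTP_BEACON host=192.168.0.119 dst=198.51.100.9
2016-03-01T02:58:50 firewall LARGE_OUTBOUND host=192.168.0.119 bytes=734003200
2016-02-05T12:00:00 nids PORT_SCAN host=192.168.0.42 src=203.0.113.9
"""


def parse_event(line):
    """Parse one constructed log line into a dict carrying its kill-chain phase."""
    ts, component, etype, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "time": datetime.fromisoformat(ts),
        "component": component,
        "type": etype,
        "host": fields["host"],
        "fields": fields,
        "phase": PHASE_OF.get((component, etype), "unknown"),
    }


def correlate(log_text, window_days=90):
    """Return {host: [phases in first-seen order]} for the events that fall
    within window_days of the host's first event.  A long window is deliberate:
    a low-and-slow adversary spreads the phases over weeks, so a short SIEM
    correlation window would never join them into one chain."""
    window = timedelta(days=window_days)
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_event(line)
            by_host[event["host"]].append(event)
    chains = {}
    for host, events in by_host.items():
        events.sort(key=lambda e: e["time"])
        start = events[0]["time"]
        phases = []
        for event in events:
            if event["time"] - start > window:
                break
            if event["phase"] != "unknown" and event["phase"] not in phases:
                phases.append(event["phase"])
        chains[host] = phases
    return chains


def is_apt_candidate(phases, min_phases=3):
    """A host is flagged when its phases form a kill-chain progression: at least
    min_phases distinct phases, seen in kill-chain order, and reaching
    command-and-control or later.  A lone scan never qualifies."""
    order = [PHASES.index(p) for p in phases]
    return (len(order) >= min_phases and order == sorted(order)
            and order[-1] >= PHASES.index("command_and_control"))


def dwell_days(log_text, host):
    """Whole days between the first and the last observed event for host."""
    times = [parse_event(l)["time"] for l in log_text.splitlines()
             if l.strip() and parse_event(l)["host"] == host]
    return (max(times) - min(times)).days


if __name__ == "__main__":
    for host, phases in correlate(SAMPLE_LOGS).items():
        label = "APT candidate" if is_apt_candidate(phases) else "noise"
        print(host, label, " -> ".join(phases), "dwell=%dd" % dwell_days(SAMPLE_LOGS, host))
```

Run with the default 90-day window, 192.168.0.119 is flagged because its events climb from reconnaissance through command and control to a large outbound transfer; with a 7-day window the chain is cut after installation and the same host is not flagged, which is exactly the blind spot the critical analysis describes for an attacker working low and slow.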

Literature Survey:

An incident refers to an adverse event that causes potential harm to data or the system, while the response refers to the action taken by the incident response team to understand the incident and then recover operation to normal status (Cole, 2012). Computer security incidents are frequently complex, so this complex or large problem should be divided into components, and the inputs and outputs of each component then tested and examined (Pidawekar, 2014). Seven main phases for the incident response are presented in Figure 1, as follows:

1. Pre-incident preparation: preparing the organization before the incident begins.
2. Detection of incidents: identify the potential and possible security incident.
3. Initial response: investigate and record all the details of the incident, then inform the persons who should know about the incident.
4. Formulate response strategy: according to the known facts, determine the best response and action to be taken.
5. Investigate the incident: re-assess the data collected to understand and decide when it happened and what happened, and determine the possible methods to prevent it in the future.
6. Reporting: write a report about the investigation for the decision makers.
7. Resolution: record the lessons learned and apply them next time.

Figure 3: Incident Response Phases

Prosise and Mandia (2003) mention seven main components of incident response and represent the relation between the components and their order, as shown in Figure 4:

Figure 4: Seven components of incident response (Prosise and Mandia, 2003)

Schneier (2013), a pioneer security researcher, says in his blog:

"If you go back to the definition of security being protection, detection and response, this feels like the last area that needs work, and the idea of incident response coordination and working on a response is really important and something that isn't there."

Schneier wants to emphasize the importance of combining prevention and detection procedures with an operational incident response plan. We cannot eliminate all threats, but we can mitigate threats more quickly. The APT prevention measures should include Data Loss Prevention technologies, firewalls, and management solutions like IPS, AV, IDS, etc. In the case of APT, an effective response strategy allows the incident response team to prevent and detect more efficiently (Prosise and Mandia, 2003).

In 2012, the report of Mandiant about APT showed that 54% of compromised machines had malware, whereas 100% of the analysed attacks used stolen credentials during the intrusion. In the meantime, the report of Symantec illustrated 18 zero-day vulnerabilities that had been exploited up to 30 months prior to public disclosure. In 2014, Mandiant provided a report illustrating that threat actors remain undetected for about 229 days, as it becomes more difficult to identify and detect attacks. Moreover, third parties, like content management service providers or cloud providers, often inform the organisations about the attack, but sometimes these organisations may have been compromised much earlier than the detection of the attack, which happens 6-9 months later. Incident response is very important in order to minimize the attack's damage; it starts from the moment of detecting the attack until the organisation has been recovered to normal status, and it makes sure this attack does not happen again. One of the main characteristics of the APT attack is its persistence. As a result, the incident response team has to get rid of the attack as soon as possible (Dan, 2013). In order to deal with APT, the incident response plan should have several methods to prevent, detect and respond, in addition to managing zero-day vulnerabilities, new malware, etc. In case the company has top-secret data, APT incident response must have priority in the business strategy and information security programs.

Conduct of the Project:

The new framework will be the research method used to achieve the goals and hypotheses of the dissertation. A case study will be simulated to represent the benefits and the effectiveness of the new framework in limiting or reducing the APT. There will be two groups to test and evaluate the framework: group A will use the simulation of the new framework, whilst group B will use the original method in the second simulation. The scenario of the case study represents an adversary's attempt to attack the network by leveraging a 'zero-day' vulnerability and a brute force attack. Since every defence has blind spots, an Intrusion Detection System (IDS) can be effective; in case the intruder triggers one or more registered detection rules, it commonly generates negative and positive alerts. Also, the antivirus cannot detect the malware, as it does not exist in the database of signatures. Moreover, vulnerabilities can exist for a long time, and usually users do not have awareness and adequate training, even the users who access sensitive assets. If the adversary discovers these vulnerabilities via network reconnaissance or in combination with social engineering, this may allow the attacker to launch serious attacks.

The two user groups will get data from the components of the new framework and the original approach. For example, the case study will be applied to the two frameworks, and the users of group A will get results and alerts from SIEM, HIDS/NIDS, sandbox tools, etc. These results will be analysed and compared with the results of the original approach.

There are numerous skills required to execute this project, as shown in Table 1.

Networking: advanced networking skills are required, such as DHCP, IPv4, IPv6, DNS, NAT,
routers and switches, ARP, the OSI model, VLANs, etc.
Operating systems: more than one operating system will be used, such as Windows, Linux and
Mac OS X. Linux skill is essential in this project to launch attacks; Kali Linux, an advanced
penetration testing distribution, will be used to prepare and launch the attacks.
Virtualization: understanding virtualization software packages such as VirtualBox or VMware
Workstation is very important to create the simulation.
Security concepts and technologies: a good understanding of security concepts and
technologies is required; for example, intrusion detection systems, Secure Sockets Layer,
firewalls and other skills are needed in the simulation.
Table 1: Required skills for the project

There are several tools and software packages that will be used in the simulation, as shown
in Table 2.

Virtualization, VirtualBox or VMware: VMware and VirtualBox are virtualization software
packages for computers; they are considered far different from working with real physical
servers. This software can simulate a real operating system in order to learn how to deal
with different issues or how to troubleshoot performance problems.
Sandbox, Cuckoo: a free and open source automated malware analysis system.
SIEM, Splunk or AlienVault: Splunk is a SIEM that can index, capture and correlate real-time
data in a searchable repository. Splunk can also generate reports, graphs, dashboards,
alerts and visualizations.
Operating system, Kali: Kali is a Debian-based Linux distribution aimed at advanced
penetration testing.
Operating system, Windows XP/7: the operating system for the hosts in the simulation.
Operating system, Windows Server 2003/2008: the operating system for the server in the
simulation.
Firewall, Comodo or ZoneAlarm: Comodo is a network security system that controls and
monitors incoming and outgoing traffic according to predetermined security rules.
IDS, Snort: Snort is IDS software used to monitor networks or system activities for policy
violations and malicious activities, and then to create reports.
Table 2: Software that will be used in the simulation
The Design:

The aim of this project is to determine whether using a complex multi-stage framework
solution will limit or reduce the damage of a cyber attack, and whether it will help the
incident response team to detect advanced and persistent threats. In order to design and
create the required simulation model of the multi-stage framework, security layers are
designed to achieve the goals and objectives of this project. Figure 5 shows the components
of the framework, which are logging modules, SIEM, indicators, attack tree, kill chain and
sandbox. Each of these components is briefly discussed below; the defence mechanism, shown
in Table 3, is then identified by linking all of the components of the framework, such as
HIDS, SIEM, kill chain, sandbox, etc. Identifying the attacker's phase of attack and
applying the defence mechanism will help to detect and prevent the APT.

Figure 5: Multi-stage framework

- SIEM

According to the report of Nicolett and Kavanagh (2011), Security Information and Event
Management (SIEM) systems are implemented to deal with compliance reporting requirements and
to improve the ability to deal with various security incidents, besides allowing the
organisation to collect and analyse security events and information from its networked
infrastructure. Organisations implement SIEM systems for many reasons, such as insider
threats, compliance requirements and the costs of security incidents and recovery
(Dempster, 2015). Furthermore, a SIEM can be used to detect internal and external threats,
to monitor database access, servers and user actions, and to provide analytic capabilities
to the incident response team (Nicolett and Kavanagh, 2012). A SIEM can also be used in
forensic analysis; it may be considered a valuable asset in protecting critical
infrastructures, in order to track and identify the attacker and then provide the evidence
to a court (Garofalo et al., 2014). There are numerous SIEM vendors and products, such as
Splunk, AlienVault, ArcSight, Q1 Labs, etc. These products share the same basic functions
and provide the services below (Dempster, 2015):

Collection: collecting logs from various sources such as servers, network devices,
applications, databases and security devices.
Consolidation: the log data is aggregated and normalised into a common format.
Correlation: linked log events are categorised in order to detect and identify threats.
Communication: an alert is generated when an attack has been detected in the correlation
phase.
Control: controlling which data is stored and how it is stored.
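The five services above, as an added example in working code rather than anything taken from the dissertation or from Splunk or AlienVault. It collects constructed Snort, Windows security audit and iptables lines, normalises them into one schema, correlates a burst of failed logons followed by a success (the brute force route of the case study) and an external connection made by the victim afterwards, and raises alerts tagged with the kill chain phase they evidence. The log lines are constructed, and the event field names, the rule thresholds and the 10.0.0.0/8 LAN range are assumptions:

```python
"""Minimal SIEM pipeline: collection, consolidation, correlation and communication.
Added example, not code from the dissertation nor from Splunk/AlienVault; the log
lines are constructed and the field names and thresholds are assumptions."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

YEAR = 2016                                            # Snort fast alerts carry no year (assumed)
INTERNAL = ipaddress.ip_network("10.0.0.0/8")          # the simulated LAN (assumed)
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(minutes=2)  # brute-force rule (assumed)
C2_WINDOW = timedelta(hours=1)                         # outbound-after-compromise rule (assumed)

# Line formats follow Snort "fast" alerts, a flattened Windows security audit
# (4625 = failed logon, 4624 = successful logon) and an iptables LOG line.
SNORT_RE = re.compile(r"^(?P<md>\d\d/\d\d)-(?P<hms>\d\d:\d\d:\d\d)\.\d+ \[\*\*\] \[\d+:\d+:\d+\] "
                      r"(?P<msg>.+?) \[\*\*\] .*?\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
WIN_RE = re.compile(r"^(?P<ts>\S+ \S+) EventID=(?P<eid>\d+) user=(?P<user>\S+) src=(?P<src>[\d.]+) host=(?P<host>[\d.]+)")
FW_RE = re.compile(r"^(?P<ts>\S+ \S+) kernel: \[FW-OUT\] .*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?DPT=(?P<dport>\d+)")

# Constructed sample: a scan, three failed logons then a success from the same external
# IP, an unrelated typo by an internal user, and the victim calling out afterwards.
RAW_LOGS = [
    ("snort", "03/21-10:00:01.000000 [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] "
              "[Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:51000 -> 10.0.0.5:22"),
    ("windows", "2016-03-21 09:30:00 EventID=4625 user=jsmith src=10.0.0.23 host=10.0.0.5"),
    ("windows", "2016-03-21 10:02:10 EventID=4625 user=administrator src=203.0.113.7 host=10.0.0.5"),
    ("windows", "2016-03-21 10:02:14 EventID=4625 user=administrator src=203.0.113.7 host=10.0.0.5"),
    ("windows", "2016-03-21 10:02:19 EventID=4625 user=administrator src=203.0.113.7 host=10.0.0.5"),
    ("windows", "2016-03-21 10:02:31 EventID=4624 user=administrator src=203.0.113.7 host=10.0.0.5"),
    ("firewall", "2016-03-21 09:45:00 kernel: [FW-OUT] IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.2 PROTO=UDP SPT=53000 DPT=53"),
    ("firewall", "2016-03-21 10:05:02 kernel: [FW-OUT] IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 PROTO=TCP SPT=49152 DPT=443"),
]

def parse(source, line):
    """Collection: turn one raw line into the common event schema (None if unparsable)."""
    if source == "snort" and (m := SNORT_RE.match(line)):
        ts = datetime.strptime(f"{YEAR}/{m['md']} {m['hms']}", "%Y/%m/%d %H:%M:%S")
        return {"ts": ts, "src": m["src"], "host": m["dst"], "dst": m["dst"], "user": None,
                "action": "ids_alert", "msg": m["msg"]}
    if source == "windows" and (m := WIN_RE.match(line)):
        action = {"4625": "logon_failed", "4624": "logon_success"}.get(m["eid"], "other")
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "src": m["src"], "host": m["host"],
                "dst": None, "user": m["user"], "action": action, "msg": "EventID " + m["eid"]}
    if source == "firewall" and (m := FW_RE.match(line)):
        return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "src": m["src"], "host": m["src"],
                "dst": m["dst"], "user": None, "action": "outbound", "msg": "dport " + m["dport"]}
    return None

def collect_and_normalise(raw_logs):
    """Consolidation: one time-ordered stream of normalised events from all sources."""
    events = [e for e in (parse(s, l) for s, l in raw_logs) if e]
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Correlation: stateful rules over the stream; the alerts are the communication step."""
    alerts, failures, recon_ips, compromised = [], defaultdict(list), set(), {}
    for e in events:
        if e["action"] == "ids_alert" and "SCAN" in e["msg"].upper():
            recon_ips.add(e["src"])                                # kill chain: reconnaissance
        elif e["action"] == "logon_failed":
            failures[e["src"]].append(e["ts"])
        elif e["action"] == "logon_success":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= FAIL_WINDOW]
            if len(recent) >= FAIL_THRESHOLD:                      # burst of failures then success
                seen_scanning = e["src"] in recon_ips
                alerts.append({"rule": "brute_force_success", "phase": "Exploitation",
                               "severity": "high" if seen_scanning else "medium", "ts": e["ts"],
                               "src": e["src"], "host": e["host"], "user": e["user"], "dst": None,
                               "detail": f"{len(recent)} failed logons then success"
                                         + (" from an IP the NIDS saw scanning" if seen_scanning else "")})
                compromised[e["host"]] = e["ts"]
        elif e["action"] == "outbound" and e["host"] in compromised:
            if (e["ts"] - compromised[e["host"]] <= C2_WINDOW
                    and ipaddress.ip_address(e["dst"]) not in INTERNAL):   # new external peer after compromise
                alerts.append({"rule": "possible_c2", "phase": "Command & Control", "severity": "high",
                               "ts": e["ts"], "src": e["host"], "host": e["host"], "user": None, "dst": e["dst"],
                               "detail": "external connection shortly after brute-force success"})
    return alerts

def run_siem(raw_logs):
    return correlate(collect_and_normalise(raw_logs))

if __name__ == "__main__":
    for a in run_siem(RAW_LOGS):
        print(f"[{a['severity']}] {a['phase']}: {a['rule']} host={a['host']} {a['detail']}")
```

The single failed logon by the internal user never reaches the threshold, and the DNS query to an internal resolver is ignored because it is not external; removing the Snort line still yields the brute force alert, but at medium rather than high severity, which is the kind of cross-source escalation the correlation service exists for.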

- Indicators

According to Hutchins, Cloppert and Amin (2014), an indicator is a fundamental element of
intrusion analysis and has three main types, as follows:

• Atomic indicators: these cannot be divided into smaller parts and keep their meaning in
the context of an intrusion, such as vulnerability identifiers, e-mail addresses and IP
addresses.
• Computed indicators: these are derived from data involved in an incident, such as regular
expressions and hash values.
• Behavioural indicators: these are combinations of atomic and computed indicators and can
be qualified by quantity; for instance, the intruder may initially use a backdoor that
generates network traffic matching a given regular expression at a certain rate to a given
IP address, and then replace it with one matching a given MD5 hash once access is
established.

The incident response team needs to analyse these indicators by leveraging them in their
tools and utilising them; whenever an indicator matches discovered activity, that activity
may lead to additional indicators. Figure 6 shows the cycle between these actions and the
indicator states over the life cycle of an indicator (Hutchins, Cloppert and Amin, 2014;
Nige Security Guy, 2013b).

Figure 6: Indicator life cycle states: Revealed, Mature, Utilized, Discover (Hutchins, Cloppert and Amin, 2014)
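The three indicator types and one turn of the life cycle in Figure 6, as an added example that is not code from the dissertation or from Hutchins, Cloppert and Amin. Atomic indicators (an IP address, a sender address) and computed indicators (a SHA-256 hash, a regular expression over the C2 URI) are matched directly; the behavioural indicator is a host contacting one peer at a near-constant period, which is detected from the timing alone. A behavioural match then reveals the peer's address, which is matured into the atomic set and utilised on the next pass. All indicator values, events and thresholds are constructed or assumed:

```python
"""The three indicator types applied to constructed events, plus one turn of the
indicator life cycle: a behavioural match reveals a new atomic indicator that is
matured into the watch list and utilised on the next pass. Added example, not code
from the dissertation or from Hutchins, Cloppert and Amin; every indicator value,
event and threshold below is constructed or assumed."""
import hashlib
import re
import statistics
from collections import defaultdict

# Atomic indicators keep their meaning on their own (constructed values).
ATOMIC = {"ip": {"203.0.113.7"}, "email": {"hr-update@example-invalid.test"}}
# Computed indicators are derived from incident data: here a hash of a stand-in
# payload and a regular expression describing the C2 URI pattern.
PAYLOAD = b"MZ\x90\x00constructed-stand-in-not-real-malware"
COMPUTED = {"sha256": {hashlib.sha256(PAYLOAD).hexdigest()},
            "uri_re": re.compile(r"^/[a-z]{8}\.php\?id=\d{6}$")}
# Behavioural rule: at least 4 connections to one peer at a near-constant period (assumed).
BEACON_MIN_HITS, BEACON_MAX_JITTER = 4, 0.05

EVENTS = [  # constructed: one phishing mail, a beacon every ~300 s, intranet noise, one known-bad IP
    {"type": "email", "sender": "hr-update@example-invalid.test", "attachment": PAYLOAD},
    {"type": "http", "ts": 0,    "src": "10.0.0.5", "dst": "198.51.100.9", "uri": "/qwertyui.php?id=482913"},
    {"type": "http", "ts": 300,  "src": "10.0.0.5", "dst": "198.51.100.9", "uri": "/qwertyui.php?id=482914"},
    {"type": "http", "ts": 601,  "src": "10.0.0.5", "dst": "198.51.100.9", "uri": "/qwertyui.php?id=482915"},
    {"type": "http", "ts": 899,  "src": "10.0.0.5", "dst": "198.51.100.9", "uri": "/qwertyui.php?id=482916"},
    {"type": "http", "ts": 1200, "src": "10.0.0.5", "dst": "198.51.100.9", "uri": "/qwertyui.php?id=482917"},
    {"type": "http", "ts": 5,    "src": "10.0.0.5", "dst": "10.0.0.2", "uri": "/intranet/"},
    {"type": "http", "ts": 40,   "src": "10.0.0.5", "dst": "10.0.0.2", "uri": "/intranet/news"},
    {"type": "http", "ts": 41,   "src": "10.0.0.5", "dst": "10.0.0.2", "uri": "/intranet/site.css"},
    {"type": "http", "ts": 500,  "src": "10.0.0.5", "dst": "10.0.0.2", "uri": "/intranet/"},
    {"type": "http", "ts": 700,  "src": "10.0.0.9", "dst": "203.0.113.7", "uri": "/index.html"},
]

def match_atomic(ev, atomic):
    hits = []
    if ev["type"] == "email" and ev["sender"] in atomic["email"]:
        hits.append(("atomic:email", ev["sender"]))
    if ev["type"] == "http" and ev["dst"] in atomic["ip"]:
        hits.append(("atomic:ip", ev["dst"]))
    return hits

def match_computed(ev):
    hits = []
    if ev["type"] == "email":
        digest = hashlib.sha256(ev["attachment"]).hexdigest()
        if digest in COMPUTED["sha256"]:
            hits.append(("computed:sha256", digest))
    if ev["type"] == "http" and COMPUTED["uri_re"].match(ev["uri"]):
        hits.append(("computed:uri_re", ev["uri"]))
    return hits

def detect_beacons(events, min_hits=BEACON_MIN_HITS, max_jitter=BEACON_MAX_JITTER):
    """Behavioural indicator: the same src->dst pair contacted at a near-constant interval."""
    by_pair = defaultdict(list)
    for ev in events:
        if ev["type"] == "http":
            by_pair[(ev["src"], ev["dst"])].append(ev["ts"])
    beacons = []
    for (src, dst), stamps in by_pair.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) < min_hits or statistics.mean(gaps) <= 0:
            continue
        if statistics.pstdev(gaps) / statistics.mean(gaps) <= max_jitter:   # low jitter = beacon
            beacons.append({"src": src, "dst": dst, "period": statistics.mean(gaps), "hits": len(stamps)})
    return beacons

def analyse(events, atomic=ATOMIC):
    """Utilise all indicators, then mature what the behavioural matches reveal."""
    atomic = {k: set(v) for k, v in atomic.items()}          # copy: the caller's set is not mutated
    findings = []
    for ev in events:
        findings += match_atomic(ev, atomic) + match_computed(ev)
    for b in detect_beacons(events):
        findings.append(("behavioural:beacon", f"{b['src']}->{b['dst']} every {b['period']:.0f}s x{b['hits']}"))
        atomic["ip"].add(b["dst"])                             # revealed -> mature: new atomic C2 indicator
    return findings, atomic

if __name__ == "__main__":
    findings, matured = analyse(EVENTS)
    for kind, value in findings:
        print(f"{kind:22} {value}")
    print("matured atomic IPs:", sorted(matured["ip"]))
    print("second pass findings:", len(analyse(EVENTS, matured)[0]))
```

The intranet traffic has four hits too, but its irregular timing fails the jitter test, which is why the behavioural rule is stated in terms of period and variance rather than hit count alone; the second pass over the same events produces extra atomic hits only because the beacon's destination has been matured into the watch list.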

-Attack Tree

An attack tree is a technique used to analyse and describe attacks against a system; the
incident response team can use it to conduct security analysis. For example, malware has
evolved from simple programs into self-replicating code, and in some cases antivirus and
other technologies cannot stop it easily. Threats of this kind look for valuable military or
economic data and may persist for a long time; this is known as an APT. According to Flaten
and Lund (2014), an attack tree is useful for modelling the APT, as it provides a good
overview of a threat and can support other models in understanding the threat.
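An attack tree for the case study scenario, as an added example that is not code from the dissertation or from Flaten and Lund. The root goal is reached through AND/OR sub-goals, the two foothold branches mirror the zero-day and brute force routes of the case study, and the tree is evaluated for the cheapest attack path and for what happens to that path when a countermeasure removes a leaf. The tree shape, the effort costs and the countermeasure names are assumptions made for illustration:

```python
"""An attack tree for the case-study scenario (a zero-day document exploit or a brute
force attack as the way in, then a file server as the goal), evaluated for the cheapest
attack path and for the effect of countermeasures. Added example, not code from the
dissertation or from Flaten and Lund; the tree shape, the effort costs and the
countermeasure names are assumptions made for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Node:
    name: str
    kind: str = "leaf"            # "leaf", "or" (any child suffices) or "and" (all children needed)
    cost: float = 0.0             # attacker effort for a leaf, in assumed units
    children: List["Node"] = field(default_factory=list)
    blocked: bool = False         # set when a countermeasure defeats this leaf

def min_cost(node: Node) -> Optional[float]:
    """Cheapest effort for the attacker to achieve this node; None if it is no longer possible."""
    if node.kind == "leaf":
        return None if node.blocked else node.cost
    costs = [min_cost(c) for c in node.children]
    if node.kind == "or":
        feasible = [c for c in costs if c is not None]
        return min(feasible) if feasible else None
    return None if any(c is None for c in costs) else sum(costs)

def cheapest_path(node: Node) -> List[str]:
    """Leaves on the cheapest path: where the incident response team should put defences first."""
    if node.kind == "leaf":
        return [] if node.blocked else [node.name]
    if node.kind == "or":
        feasible = [c for c in node.children if min_cost(c) is not None]
        return cheapest_path(min(feasible, key=min_cost)) if feasible else []
    if min_cost(node) is None:
        return []
    return [leaf for c in node.children for leaf in cheapest_path(c)]

def apply_countermeasure(root: Node, leaf_name: str) -> Node:
    """Model a control (account lockout, user awareness, ...) by blocking the leaf it defeats."""
    stack = [root]
    while stack:
        n = stack.pop()
        if n.kind == "leaf" and n.name == leaf_name:
            n.blocked = True
            return root
        stack.extend(n.children)
    raise KeyError(leaf_name)

def build_tree() -> Node:
    """Root goal with AND/OR sub-goals; the foothold branch mirrors the case study's two attack routes."""
    return Node("Exfiltrate data from file server", "and", children=[
        Node("Gain foothold", "or", children=[
            Node("Spear phishing with document exploit", "and", children=[
                Node("Craft phishing e-mail", cost=2), Node("Zero-day document exploit", cost=20)]),
            Node("Brute force exposed remote access", "and", children=[
                Node("Scan for exposed service", cost=1), Node("Guess weak password", cost=3)])]),
        Node("Reach the file server", "and", children=[
            Node("Local privilege escalation", cost=5), Node("Lateral movement to server", cost=4)]),
        Node("Exfiltrate", "or", children=[
            Node("HTTPS to C2 server", cost=2), Node("DNS tunnelling", cost=6)])])

if __name__ == "__main__":
    tree = build_tree()
    print("baseline cost", min_cost(tree), cheapest_path(tree))
    apply_countermeasure(tree, "Guess weak password")        # e.g. account lockout + strong passwords
    print("after password control", min_cost(tree), cheapest_path(tree))
    apply_countermeasure(tree, "Craft phishing e-mail")      # e.g. mail filtering + awareness training
    print("after mail controls", min_cost(tree), cheapest_path(tree))
```

With these assumed costs the brute force route is the cheapest way in; password control alone forces the attacker onto the far more expensive zero-day branch rather than stopping the attack, and only a second control on the phishing leaf makes the root goal unreachable, which is the kind of overview the attack tree gives the team when prioritising the countermeasures in Table 3.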

- Cyber Kill Chain

The kill chain model can be used by incident response teams, malware analysts and forensic
investigators in order to work in a chained manner and analyse the offensive actions of a
cyber attacker. Using the kill chain model allows security analysts to think like the
attacker and understand what has happened in each phase of the chain. Recently, cyber
attacks have become more complex, destructive and dangerous through the use of multiple
redundant attack vectors, in order to multiply the effect and make the work of the incident
response team more difficult (Bhatt, Toshiro Yano and Gustavsson, 2014). The kill chain
model allows a complicated attack to be broken down into small phases or stages. Moreover,
these phases enable the incident response team to tackle smaller and easier problems and to
develop a defence for each layer in order to mitigate the threat in each phase (Hutchins,
Cloppert and Amin, 2011). The kill chain includes seven phases, as shown in Figure 7, which
gives a brief description of each phase or its purpose together with examples.

Reconnaissance
  Description: detection, selection and profiling of the target.
  Example: social networking, port scans, passive search of IP addresses, harvesting e-mail
  addresses.
Weaponization
  Description: coupling an exploit and a remote access Trojan into a payload.
  Example: decoys, delivery system, developing an exploit with a payload, malware.
Delivery
  Description: transmitting the weapon to the target.
  Example: USB, infected website, spear phishing, service provider.
Exploitation
  Description: executing the payload on the victim system.
  Example: code execution, third-party exploitation, activation, establishing a foothold.
Installation
  Description: installing the backdoor and maintaining persistence.
  Example: rootkit, backdoor, establishing persistence, escalating privileges.
Command & Control
  Description: communicating with the compromised host.
  Example: internal reconnaissance, command channel, maintaining persistence, lateral
  movement.
Actions on Target
  Description: system disruption, network spreading, exfiltration.
  Example: data exfiltration, expanding the compromise, identifying the target.

Figure 7: Kill Chain Phases

- Sandbox

A sandbox is a security mechanism used to separate running programs and to execute
untrusted programs or untested code from third parties. An untested or unknown file can be
run in an isolated environment to understand what it does. Malware sandboxing is considered
a dynamic analysis approach because it lets the analyst execute the sample and monitor it in
real time instead of statically analysing the binary file. Linux offers several confinement
mechanisms, such as SELinux and AppArmor, whereas Cuckoo, which can analyse Windows samples,
will be used in the case study simulation. Cuckoo is an automated malware analysis system
that reports what a file does while executing in the isolated environment; understanding its
results requires technical skills. Applying the previous framework combined with the defence
mechanism in Table 3, which is based on the kill chain phases, will improve the ability of
the incident response team to detect and prevent the APT.

Information Gathering
  Countermeasures (prevention): ACL, IPS, firewall, security analytics, user awareness
  training, information obfuscation.
  Detection: web monitoring, NIDS, NBAD, SIEM.
  Attack techniques: network recognition, footprinting, fingerprinting, social engineering.
Weaponization
  Countermeasures (prevention): vulnerability scanning, auditing, patch management, NIPS.
  Detection: NIDS.
  Attack techniques: backdoor, zero-day exploits, OSINT, preparing malware.
Delivery
  Countermeasures (prevention): IPS, content filtering, security life cycle, identity
  verification, input filtering, blacklisting, configuration control, anti-virus software,
  proxy filter.
  Detection: vigilant user, NIDS, HIDS, source correlation, proxy, SIEM.
  Attack techniques: watering hole attack, supply-chain attack, action spoofing, hardware
  hacking, injection, phishing and malicious links.
Exploitation
  Countermeasures (prevention): patching.
  Detection: HIDS, SIEM.
  Attack techniques: data structure attacks.
Installation
  Countermeasures (prevention): access control, password control, firewall.
  Detection: HIDS, event anomaly detection, SIEM.
  Attack techniques: privilege escalation, collecting data.
Command & Control
  Countermeasures (prevention): firewall, proxy, encryption use control, blacklisting, data
  loss prevention.
  Detection: HIDS, NIDS, content analysis, SIEM.
  Attack techniques: intermediary staging.
Act on Objective
  Countermeasures (prevention): proxy, password control, IPS, encryption use control,
  firewall.
  Detection: audit log, HIDS, NIDS, SIEM.
  Attack techniques: resource depletion, exploitation of privilege/trust, resource
  manipulation.

Table 3: The defence mechanism based on kill chain phases.
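How the sandbox component feeds the rest of the framework, as an added example that is not code from the dissertation or from the Cuckoo project. A Cuckoo run ends in a JSON report; the code below takes a constructed report that follows the layout of Cuckoo's report.json (target, signatures, network, behavior.summary), extracts atomic and computed indicators from it, drops the sandbox's own network noise, rates the sample from its triggered signatures and maps the observed behaviour onto the kill chain phases of Table 3 so the SIEM can load the result as a watch list. The report content, the sandbox address range, the persistence registry markers and the phase mapping are all assumptions:

```python
"""Turn a sandbox report into indicators and a kill-chain reading for the incident
response team. Added example, not code from the dissertation or from the Cuckoo
project: REPORT below is a constructed document that follows the layout of Cuckoo's
report.json (target, signatures, network, behavior.summary) but is not a real report,
and the sandbox address range, persistence markers and phase mapping are assumptions."""
import hashlib
import ipaddress

SAMPLE = b"MZ\x90\x00constructed-stand-in-not-real-malware"   # stand-in for the analysed file

REPORT = {  # a real run would json.load() the report file; this content is constructed
    "target": {"category": "file", "file": {"name": "invoice.exe",
               "md5": hashlib.md5(SAMPLE).hexdigest(), "sha256": hashlib.sha256(SAMPLE).hexdigest()}},
    "signatures": [
        {"name": "persistence_autorun", "severity": 3, "description": "Installs itself for autorun at Windows startup"},
        {"name": "network_http", "severity": 2, "description": "Performs some HTTP requests"}],
    "network": {"hosts": ["198.51.100.9", "10.0.2.2"],
                "domains": [{"domain": "update.example-invalid.test", "ip": "198.51.100.9"}],
                "http": [{"method": "POST", "host": "update.example-invalid.test", "uri": "/qwertyui.php?id=482913"}]},
    "behavior": {"summary": {
        "file_created": ["C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"],
        "regkey_written": ["HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost",
                           "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"],
        "mutex": ["Global\\constructed-mutex"]}},
}

SANDBOX_NETS = [ipaddress.ip_network("10.0.2.0/24")]   # guest/gateway range to discard (assumed)
PERSISTENCE_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce", "\\currentcontrolset\\services\\")

def extract_iocs(report):
    """Pull atomic and computed indicators out of the report, dropping sandbox-only noise."""
    tf = report["target"]["file"]
    summary = report.get("behavior", {}).get("summary", {})
    net = report.get("network", {})
    return {
        "filename": tf["name"], "md5": tf["md5"], "sha256": tf["sha256"],
        "ips": [h for h in net.get("hosts", []) if not any(ipaddress.ip_address(h) in n for n in SANDBOX_NETS)],
        "domains": [d["domain"] for d in net.get("domains", [])],
        "uris": [f"{h['method']} {h['host']}{h['uri']}" for h in net.get("http", [])],
        "dropped": list(summary.get("file_created", [])),
        "persistence": [k for k in summary.get("regkey_written", []) if any(m in k.lower() for m in PERSISTENCE_MARKERS)],
        "mutexes": list(summary.get("mutex", [])),
    }

def severity(report):
    """Overall rating from the triggered signatures (thresholds assumed)."""
    top = max((s["severity"] for s in report.get("signatures", [])), default=0)
    return "high" if top >= 3 else "medium" if top >= 2 else "low"

def kill_chain_evidence(iocs):
    """Map what the sandbox saw onto kill-chain phases (the mapping is an assumed heuristic)."""
    phases = {}
    if iocs["dropped"] or iocs["persistence"]:
        phases["Installation"] = iocs["dropped"] + iocs["persistence"]
    if iocs["domains"] or iocs["ips"]:
        phases["Command & Control"] = iocs["domains"] + iocs["ips"]
    posts = [u for u in iocs["uris"] if u.startswith("POST ")]
    if posts:                         # data sent to the C2 host: possible exfiltration
        phases["Actions on Objectives"] = posts
    return phases

def watchlist(iocs):
    """Rows the SIEM can load as a watch list: (indicator type, value)."""
    rows = [("sha256", iocs["sha256"]), ("md5", iocs["md5"])]
    rows += [("ip", v) for v in iocs["ips"]] + [("domain", v) for v in iocs["domains"]]
    rows += [("regkey", v) for v in iocs["persistence"]] + [("mutex", v) for v in iocs["mutexes"]]
    return rows

if __name__ == "__main__":
    iocs = extract_iocs(REPORT)
    print(f"{iocs['filename']} rated {severity(REPORT)}")
    for phase, evidence in kill_chain_evidence(iocs).items():
        print(f"  {phase}: {evidence}")
    for row in watchlist(iocs):
        print("  watch", row)
```

Filtering the guest and gateway addresses matters in practice: every sample contacts the sandbox's own gateway, and loading that address into the SIEM would make the watch list match all of the organisation's traffic. The second registry key is written but is not a persistence location, so only the Run key reaches the watch list.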


Statement of Deliverables:

The simulation will be tested by two groups of users. The simulation of the new approach
will be evaluated, and the results will then be compared with the results from the original
approach to identify whether the new framework has improved security and detected the APT.
The evaluation for both groups of users will be as follows:

- Evaluate whether the new framework helps and improves the detection of APTs compared with
  the original approach.
- Evaluate which approach can use the analytical data to mitigate APTs more efficiently.
- Evaluate which approach can use the analytical data to anticipate future APT attacks.

Plan:

Figure 1 represents the basic structure of the project, which includes four main phases:
related work, developing the new framework, the analysis process and the case study.

Figure 1: Incident response & APT project breakdown structure

Figure 1 is used to create Figure 2, which represents the scheduled Gantt chart of the
Incident response & APT project. The chart includes three milestones for the three phases,
which fall at the end of the literature review, the development of the new framework and
the completion of the project.

Figure 2: Scheduled Gantt chart of Incident response & APT project
