Cyber Incident Response and New Framework
By
Mohamed El Metaafy
A DISSERTATION
Submitted to
MASTER OF SCIENCE
21/03/2016
ABSTRACT
Mohamed Elmetaafy
The game of security cannot be successful without understanding the rules of engagement. Long-term and sophisticated attacks target companies, governments and political activists, and such incidents occur across different industries. A new class of threat called Advanced Persistent Threat (APT) has emerged and is described as cyber intrusions against military organisations. The term APT has been overloaded and means different things to different people: for example, some people use it to refer to attacks from China, while others consider all attacks part of the APT. The framework proposed in this dissertation allows the incident response team to detect APTs more efficiently and improves the team's knowledge of the phases of an attack by identifying and detecting the various indicators of the adversary's attack. The multistage framework can be described as multi-layer security with several components. Layer 1 of the new framework contains antivirus, NIDS/HIDS, firewall, etc. The logs of these layer-1 components are consumed by a SIEM in layer 2, which shows the different alerts and warnings. The components of the framework are logging modules, SIEM, indicators, attack tree, kill chain and sandbox. The aim of this project is to determine whether a complex multistage framework solution limits or reduces the damage of a cyber attack, and to ask whether it helps the incident response team to detect the APT. A case study was simulated to show the benefits and effectiveness of the new framework in limiting or reducing the APT. Two groups tested and evaluated the framework: Group A used the simulation of the new framework, whilst Group B used the original method in the second simulation. The results of the simulation show that the new framework succeeded in detecting the malicious files in all three attempts, which allows these types of APT to be detected and mitigated using a combination of security solutions (SIEM, HIDS, NIDS and sandbox), while the traditional method using antivirus and antispyware failed to detect or prevent the APT. The new framework therefore provides appropriate methods for detecting APT.
DECLARATION
I hereby certify that this dissertation constitutes my own product, that where the language of others is set forth, quotation marks so indicate, and that appropriate credit is given where I have used
I declare that the dissertation describes original work that has not previously been presented for
Signed,
Mohamed El Metaafy
“This dissertation contains material that is confidential and/or commercially sensitive. It is included here on the understanding that this will not be revealed to any person not involved in the assessment process.”
ACKNOWLEDGEMENTS
Firstly, I would like to express my deepest thanks and gratitude to Dr Yongge Wang for his advice, professional guidance and providing me with the opportunity to complete this research.
Finally, I would like to thank my mother, family and friends for their outstanding inspiration to me and never ending support and encouragement.
TABLE OF CONTENTS
Page
LIST OF TABLES ................................................................................................ 2
LIST OF FIGURES .............................................................................................. 3
CHAPTER 1. INTRODUCTION ......................................................................... 5
1.1 SCOPE .......................................................................................................... 5
1.2 BACKGROUND ............................................................................................. 6
1.3 PROBLEM STATEMENT ................................................................................. 7
1.4 AIMS AND OBJECTIVES................................................................................. 8
1.5 APPROACH ................................................................................................... 9
1.6 OUTCOME .................................................................................................... 9
CHAPTER 2. BACKGROUND AND REVIEW OF LITERATURE ............ 10
2.1 BACKGROUND ........................................................................................... 10
2.2 INCIDENT RESPONSE .................................................................................. 11
2.3 ADVANCED PERSISTENT THREAT .............................................................. 15
2.4 THE IMPORTANCE OF INCIDENT RESPONSE IN APT ...................................... 22
2.5 INTRUSION DETECTION ............................................................................. 23
CHAPTER 3. ANALYSIS AND DESIGN ......................................................... 32
3.1 SIEM......................................................................................................... 33
3.2 INDICATORS ............................................................................................... 36
3.3 ATTACK TREE............................................................................................ 39
3.4 CYBER KILL CHAIN ................................................................................... 41
CHAPTER 4. IMPLEMENTATION (REALIZATION)................................. 47
4.1 CONFIGURATION AND INSTALLATION ........................................................ 47
4.2 SCENARIO .................................................................................................. 52
4.3 INTRUSION ATTEMPTS ............................................................................... 53
CHAPTER 5. RESULTS AND EVALUATION ............................................... 70
5.1 THE RESULT OF THE EXPERIMENT ............................................................. 70
5.2 ANALYSING THE RESULT OF THE NEW FRAMEWORK .................................. 75
5.3 COMPARE FRAMEWORKS ........................................................................... 94
CHAPTER 6. CONCLUSIONS.......................................................................... 95
6.1 AIMS AND OBJECTIVES............................................................................... 95
6.2 CRITICAL ANALYSIS .................................................................................. 96
6.3 FUTURE WORK .......................................................................................... 97
REFERENCES..................................................................................................... 98
APPENDICES .................................................................................................... 104
LIST OF TABLES
LIST OF FIGURES
Page
Figure 43: Choosing auxiliary/macro_converter payload...................................... 62
Figure 44: Identify the path to a Powershell batch script ...................................... 62
Figure 45: The output of the generated code will be a txt file ................................ 63
Figure 46: create Macro ........................................................................................ 63
Figure 47: insert VBS code .................................................................................... 64
Figure 48: CV used to trick the target .................................................................... 64
Figure 49: save the document as a Word macro-enabled document ...................... 65
Figure 50: using msfconsole to listen to the target ................................................ 66
Figure 51: choose payload ..................................................................................... 67
Figure 52: Generate exe file ................................................................................... 67
Figure 53: location of the exe file .......................................................................... 68
Figure 54: find Experiment 3 ................................................................................. 68
Figure 55: change the exe extension to jpg ............................................................ 68
Figure 56: using msfconsole to listen to the target ................................................ 69
Figure 57: Setting up of the exploit handler .......................................................... 70
Figure 58: McAfee quarantined the threat ............................................................. 71
Figure 59: the scan result of McAfee ..................................................................... 71
Figure 60: the attacker used session 1 to connect to the victim ............................. 72
Figure 61: McAfee Antivirus Plus fails to detect the malicious Excel sheet......... 72
Figure 62: The attacker succeeds in compromising the target ............................... 73
Figure 63: The scan result of McAfee ................................................................... 73
Figure 64: McAfee Antivirus Plus succeeds in detecting the malicious file ........... 74
Figure 65: Alien Vault succeeds to detect the malware ......................................... 74
Figure 66: The result of scanning malicious file by VirusTotal ............................ 75
Figure 67: indicators of several intruders .............................................................. 77
Figure 68: Attack tree of the APT attack for the three attempts ............................ 79
Figure 69: Dashboards overview ........................................................................... 82
Figure 70: AlienVault Scan vulnerabilities ............................................................ 83
Figure 71: AlienVault Port Scan for one or more hosts......................................... 83
Figure 72: List of events for a host ........................................................................ 84
Figure 73: The result of analysis ............................................................................ 85
Figure 74: Further details of vulnerabilities scan .................................................. 85
Figure 75: SIEM determines priority of vulnerability ........................................... 86
Figure 76: Current vulnerability according to severity .......................................... 87
Figure 77: HIDS event trends and data source ...................................................... 88
Figure 78: vulnerability and service of host 192.168.0.119 .................................. 89
Figure 79: SIEM reports ........................................................................................ 89
Figure 80: Hash file of uploaded document in first attempt .................................. 90
Figure 81: The result of scanning document with VirusTotal ............................... 91
Figure 82: hash file of the uploaded document in the second attempt................... 91
Figure 83: the result of scanning the Excel sheet in second attempt ..................... 92
Figure 84: hash file of uploaded document in third attempt .................................. 93
Figure 85: The result of scanning JPG photo in third attempt ............................... 93
Chapter 1. INTRODUCTION
Cyber attacks have spread rapidly since the adoption of the Internet, starting with viruses and worms, then malware and, nowadays, botnets. A new class of threat called Advanced Persistent Threat (APT) has emerged and is described as cyber intrusions against military organisations. The term APT has been overloaded and means different things to different people: for example, some people use it to refer to attacks from China, while others consider all attacks part of the APT (Mandiant, 2010; Cole, 2012, pp. 3-4). However, APT has extended to a wide range of industries and governments; it is not limited to the military domain (Mandiant, 2013; Villeneuve et al., 2013; Chen, Desmet and Huygens, 2014; Field, 2013). According to Mandiant (2010), in most cases the standard security tools, such as antivirus and antimalware programs, cannot detect APT malware. The main hypothesis of this dissertation is that a complex multistage framework solution can limit and reduce the damage of a cyber attack and improve the detection of advanced persistent threats. Long-term and sophisticated attacks target companies, governments and political activists, and these incidents occur across different industries. Multinational corporations can be spread over several countries, and establishing a strong defence against multi-vectored APT challenges is very important. Figure 2 shows the numerous challenges facing companies, governments, political activists, etc. APT campaigns may seek financial benefits for the country involved, through the theft of valuable information and intellectual property, where industry and government are closely related (Thales, 2014).
1.1 Scope
The proposed framework allows the incident response team to detect APTs more efficiently and improves the team's knowledge of the phases of the attack by identifying and detecting the various indicators of the adversary's attack. The multistage framework can be described as multi-layer security with several components. The new framework (shown in Figure 10) includes layer 1, which has antivirus, NIDS/HIDS, firewall, etc. The logs of the layer-1 components are consumed by the SIEM in layer 2, which shows the different alerts and warnings. The incident response team can use these alerts and indicators to draw the attack tree and connect the parts of a complex attack, then identify the phase of the attack according to the kill chain. The team can use the sandbox to test suspicious files that may be infected with malware. The top-down design methodology breaks the larger process into smaller ones through analysis of the intrusion kill chain, SIEM and robust indicator maturity. The artefact will include a model, the processes and a framework that represent solutions to APTs.
1.2 Background
An incident refers to an adverse event that causes potential harm to data or the system, while response refers to the action taken by the incident response team to understand the incident and then recover operations to normal status (Cole, 2012). Computer security incidents are frequently complex, so this complex or large problem should be divided into components, and the inputs and outputs of each component tested and examined (Pidawekar, 2014). Seven main phases of incident response are presented in Figure 1, including the following:
• Pre-incident preparation: preparing the organisation before the incident.
• Detection of incidents: identifying the potential and possible security incident.
• Initial response: investigating and recording all the details of the incident, then informing the persons who should know about the incident.
• Formulate response strategy: according to the known facts, determining the best response and action to be taken.
• Investigate the incident: re-assessing the data collected to understand and decide when it happened and what happened, and determining possible methods to prevent it in the future.
“If you go back to the definition of security being protection, detection and response, this feels like the last area that needs work, and the idea of incident response coordination and working on a response is really important and something that isn’t there.”
Schneier wants to emphasise the importance of combining prevention and detection procedures with an operational incident response plan. However, we cannot eliminate all threats, but we can mitigate them more quickly. APT prevention measures should include Data Loss Prevention technologies, firewalls and management solutions like IPS, AV, IDS, etc. In the case of APT, an effective response strategy allows the incident response team to prevent and detect more efficiently (Prosise and Mandia, 2003).
In 2012, Mandiant's report about APT showed that 54% of compromised machines had malware, whereas 100% of the analysed attacks used stolen credentials during the intrusion. Meanwhile, Symantec's report describes 18 zero-day vulnerabilities that had been exploited for up to 30 months before public disclosure. In 2014, Mandiant provided a report showing that threat actors remain undetected for about 229 days, as it is becoming more difficult to identify and detect attacks. Moreover, third parties, like content management service providers or cloud providers, often inform organisations about an attack, but sometimes these organisations have been compromised well before the detection, which happens 6-9 months later. Incident response is very important in order to minimise the attack's damage; it starts from the moment the attack is detected until the organisation has been recovered to normal status, and it makes sure the attack does not happen again. One of the main characteristics of an APT attack is its persistence; as a result, the incident response team has to get rid of the attack as soon as possible (Dan, 2013). In order to deal with APT, the incident response plan should have several methods to prevent, detect and respond, in addition to managing zero-day vulnerabilities, new malware, etc. If the company holds top-secret data, APT incident response must have priority in the business strategy and information security programs.
the organisation. Also, understanding the persistence of APT means the attacker usually does not give up easily until he achieves his goals; the attackers may be supported by nations or organisations with the resources and capabilities to achieve their aims. Analysing the indicators allows the incident response team to find the APT more efficiently, and connecting these indicators with the kill chain phases makes the analysis more practical. Several research papers and dissertations discuss parts of the framework, like SIEM or intrusion detection, but they do not cover the whole picture of a real attack. This dissertation covers more than one topic, connects them in a comprehensive framework and then applies it to achieve the dissertation goals.
1. To research and review IRs and APTs, covering various topics such as traditional IRs, APTs, indicators and the indicator life cycle, cyber adversaries, threat models, the kill chain and Security Information and Event Management (SIEM) systems.
2. To design and implement a new framework.
3. To provide two simulations of an attack over a virtual network, tested by two groups in a user study. The first simulation will use the framework model of multi-stage attacks and import log data from different sources into the SIEM for analysis, while the second simulation will represent the original approach.
4. To evaluate the results from the two groups, showing whether the framework model of multi-stage attacks can identify and detect APTs, compared with the second simulation using default security settings.
1.5 Approach
The new framework is the research method used to achieve the goals and hypotheses of the dissertation. A case study will be simulated to show the benefits and effectiveness of the new framework in limiting or reducing the APT. Two groups will test and evaluate the framework: Group A will use the simulation of the new framework, whilst Group B will use the original method in the second simulation. The scenario of the case study represents an adversary's attempt to attack the network by leveraging a 'zero-day' vulnerability and a brute force attack. Since every defence has blind spots, an Intrusion Detection System (IDS) can be effective: when the intruder triggers one or more registered detection rules, it commonly generates both negative and positive alerts. The antivirus, on the other hand, cannot detect the malware, as it does not exist in its signature database. Moreover, vulnerabilities can exist for a long time, and users, even those who access sensitive assets, usually lack awareness and adequate training. If the adversary discovers these vulnerabilities via network reconnaissance or in combination with social engineering, this may allow the attacker to launch serious attacks.
1.6 Outcome
The two user groups will get data from the components of the new framework and from the original approach. For example, the case study will be applied to both frameworks, and the users of Group A will get results and alerts from the SIEM, HIDS/NIDS, sandbox tools, etc. These results will be analysed and compared with the results of the original approach.
Chapter 2. BACKGROUND AND REVIEW OF LITERATURE
2.1 Background
The game of security cannot be successful without understanding the rules of engagement. Long-term and sophisticated attacks target companies, governments and political activists, and these incidents occur across different industries. Figure 2 represents a survey of 19 industries showing the share of incident response for each industry. The technology/IT sector has the highest share of incidents (15%), whilst engineering and consultation are represented by 0.5% (Torres, 2014).
Multinational corporations can be spread over several countries, and establishing a strong defence against multi-vectored APT challenges is a very important aspect. The statistics of Thales (2014) and Verizon (2015) show numerous challenges for companies, governments, political activists, etc. APT campaigns may seek financial benefits for the country involved, through the theft of valuable information and intellectual property, where industry and government are closely related.
2.2 Incident Response
The guide from the National Institute of Standards and Technology (NIST) defines an event in a network or a system as any observable occurrence, such as a user sending email; receiving requests for web pages; connecting to a file share; a firewall blocking a connection attempt, etc. Adverse events are events with a negative consequence, such as unauthorised access to data, packet floods, malware that destroys data, system crashes, and so on. A computer security incident is defined as a violation of computer security policies, standard security practices or acceptable use policies (Scarfone, Grance and Masone, 2008; Cichonski et al., 2012). The NIST guide provides four main phases for responding to different incidents. Each of these phases can be an iterative process as new information becomes available (Coughanour, 2014). Figure 3 shows the Incident Response Lifecycle, which contains four phases:
Preparation:
NIST identifies the need to establish and maintain an incident response capability besides the preventive efforts to secure the environment and reduce the number of incidents. This phase is the foundation of an incident response programme's success; it contains pre-planning activities, such as maintaining the incident response capabilities in the form of technology and staff; network documentation; maintaining contact rosters; and the creation and approval of security policies, including an established incident notification process, user privacy expectations, warning banners, etc. This preparation may include pre-deploying incident handling assets like:
• Monitors, probes and sensors on critical systems to monitor processes, disk space, CPU utilisation and access to the application.
• Tracking data based upon minimum security during normal operations, active audit logs for the network components and servers, and the corporate Configuration Management Database (CMDB).
The second phase of the incident response lifecycle is detection and analysis. Organisations should be prepared to handle any incident, especially incidents that use common attack vectors. The attack vectors in Figure 4 show the common methods of attack and are used as a basis to define specific handling procedures.
The most important part of the incident response process for many organisations is identifying and detecting possible incidents. Furthermore, three factors can cause several challenges, as follows:
• Incidents are detected by different means with multiple levels of detail. Automated detection includes log analysers, antivirus software and IDPSs, while manual detection happens when a user reports a problem.
• The number or volume of signs of incidents: receiving millions of intrusion detection sensor alerts per day is not uncommon.
• Experience and technical knowledge are vital for an efficient analysis of incidents.
Signs are divided into two main categories: precursors and indicators. A precursor is a sign that an incident may happen in the future, while an indicator is a sign that an incident is currently underway or occurring now.
This phase is important and is considered the next major step in the response: it comes after identifying the incident and before the damage increases or the incident overwhelms resources. Kessler (2014) provides several questions requiring answers at this stage, such as:
The strategies of containment depend on the type of incident; for example, containing a network-based DDoS attack is very different from containing an email-borne malware infection. Organisations should create strategies and pay attention to the duration of a solution; the time and resources needed; potential damage; service availability; the need for evidence preservation; and the effectiveness of the strategy. Eradication is used to eliminate components of the incident, such as deleting code snippets or malicious software, closing the applicable firewall ports and disabling accounts on the system. The recovery activities are intended to restore the affected system: rebuilding the system from scratch or from uninfected backups, changing administrative passwords and adding new security parameters on boundary devices after the incident to ensure full recovery.
The recovery portion centres on remediation of the environment in order to prevent future recurrence. NIST suggests prioritisation of such actions, beginning with steps that can be taken within days to weeks and then focusing on larger initiatives, such as infrastructure changes, which may take months to implement.
Post-incident activity
NIST discusses the importance of post-incident activities, in particular the lessons-learned exercise after the event. The lessons learned can help to improve the post-incident effort, and these lessons and suggestions should be recorded in the incident documentation. The members of the incident response team should summarise and evaluate the techniques used, the efforts, the threat realised, the timing of the response and the supporting actions, in order to improve the next response, the mechanisms within the response team and the security of the organisation.
• Agency name
• Incident date and time
• Incident Category as shown in Table 1
• Source IP, Destination IP, Source port, Destination port and protocol
• Operating Systems, patches, etc
• Location of the system
• Impact to agency
• System Function
US-CERT provides a set of concepts and descriptions to improve communications between agencies. US-CERT utilises the event categories, incident and reporting timeframe criteria shown in Table 1.
military organisations. However, APT has extended to a wide range of industries and governments; it is not limited to the military domain (Mandiant, 2013; Villeneuve et al., 2013; Chen, Desmet and Huygens, 2014; Field, 2013). According to Mandiant (2010), in most cases the standard security tools, such as antivirus and anti-malware programs, cannot detect APT malware. The statistics in Figures 2-5 illustrate that security software detects only 24% of all APT malware. The statistics also show how difficult it is to detect and identify the techniques of APT: the analysis of APT malware shows that 10% of APT backdoors were packed using common filenames, such as iprinp.dll, iexplore.exe, svchost.exe and winzf32.dll, together with service persistence and process injection. APT backdoors communicate through distinct chat protocols, which allows the attackers to use file transfers and command shells on the infected machine; this method of communication is difficult to detect. Furthermore, Mandiant (2010) found that 60% of APT backdoor samples were persistent on the machine, 30% used process injection to avoid detection and 100% of APT backdoors made only outbound connections. The persistence mechanisms of the backdoors, shown in Figure 5, are represented by Windows services (76%), the HKLM Run registry key (21%) and others (3%).
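As an added example (not code from the dissertation), the following Python sketch shows the layer-2 step of the framework described in Section 1.1 applied to the backdoor traits just cited: constructed layer-1 log lines from firewall, NIDS, HIDS and antivirus are tagged with a kill chain phase and an indicator name, grouped per host, and an alert is raised when a host shows persistence (service or Run key) together with repeated outbound connections to one address while the antivirus reports nothing. The hostnames, addresses, rule patterns and the seven-phase kill chain order are assumptions for this example.

```python
"""Added example (not from the dissertation): a minimal layer-2 correlation step.

Layer-1 sources (firewall, NIDS, HIDS, antivirus) emit log lines; a SIEM-like
function groups them per host, tags each event with a kill-chain phase and an
indicator name, and raises one alert when a host shows persistence plus
repeated outbound connections to a single remote address.
All log lines, hostnames, addresses, rule names and the seven-phase kill-chain
order below are constructed or assumed for this example.
"""
import re
from collections import defaultdict

# Assumed seven-phase kill chain order (the dissertation's own phase list is in
# Section 3.4, which is not reproduced here).
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed layer-1 log lines, one event per line: "<source>|<host>|<message>".
SAMPLE_LOGS = """\
firewall|192.168.0.119|DENY inbound 203.0.113.5:4444 -> 192.168.0.119:445
nids|192.168.0.119|Office document with macro downloaded from 203.0.113.5
hids|192.168.0.119|Windows service created: name=WinUpdSvc path=C:\\Users\\Public\\upd.exe
hids|192.168.0.119|Registry value set: HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd
firewall|192.168.0.119|ALLOW outbound 192.168.0.119:49211 -> 203.0.113.5:8080
firewall|192.168.0.119|ALLOW outbound 192.168.0.119:49212 -> 203.0.113.5:8080
antivirus|192.168.0.119|Scan complete: no threats found
hids|192.168.0.120|User login: account=jsmith result=success
"""

# Detection rules: (regex on the message, kill-chain phase, indicator name).
# The persistence and outbound-only rules mirror the backdoor traits cited above.
RULES = [
    (re.compile(r"DENY inbound"), "reconnaissance", "blocked_inbound_probe"),
    (re.compile(r"macro downloaded"), "delivery", "macro_document_download"),
    (re.compile(r"Windows service created"), "installation", "service_persistence"),
    (re.compile(r"CurrentVersion\\Run"), "installation", "run_key_persistence"),
    (re.compile(r"ALLOW outbound .* -> (\d+\.\d+\.\d+\.\d+):\d+"),
     "command_and_control", "outbound_connection"),
]
PERSISTENCE = {"service_persistence", "run_key_persistence"}


def parse_line(line):
    """Split one 'source|host|message' line into a dict; None for malformed lines."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    source, host, message = parts
    return {"source": source, "host": host, "message": message}


def tag_event(event):
    """Attach phase, indicator and remote address from the first matching rule."""
    event.update(phase=None, indicator=None, remote=None)
    for pattern, phase, indicator in RULES:
        match = pattern.search(event["message"])
        if match:
            event["phase"] = phase
            event["indicator"] = indicator
            event["remote"] = match.group(1) if match.groups() else None
            break
    return event


def correlate(log_text):
    """Layer-2 step: group tagged events per host and summarise each host."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is not None:
            per_host[event["host"]].append(tag_event(event))

    summaries = {}
    for host, events in per_host.items():
        indicators = [e["indicator"] for e in events if e["indicator"]]
        phases = sorted({e["phase"] for e in events if e["phase"]},
                        key=KILL_CHAIN.index)
        # Count outbound connections per remote address; two or more to the
        # same address is treated here as beaconing.
        remote_counts = defaultdict(int)
        for e in events:
            if e["indicator"] == "outbound_connection":
                remote_counts[e["remote"]] += 1
        beaconing_to = sorted(ip for ip, n in remote_counts.items() if n >= 2)
        has_persistence = any(i in PERSISTENCE for i in indicators)
        av_clean = any(e["source"] == "antivirus" and "no threats" in e["message"]
                       for e in events)
        alert = has_persistence and bool(beaconing_to)
        summaries[host] = {
            "phases": phases,
            "furthest_phase": phases[-1] if phases else None,
            "indicators": indicators,
            "beaconing_to": beaconing_to,
            "alert": alert,
            # A clean antivirus verdict beside an alert is the gap the
            # framework is meant to close: note it explicitly for the analyst.
            "av_disagrees": alert and av_clean,
        }
    return summaries


if __name__ == "__main__":
    for host, summary in correlate(SAMPLE_LOGS).items():
        print(host, summary)
```

The per-host summary is the material an analyst would carry into the attack tree: the ordered phases give the kill chain position, and the indicator list gives the branches.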
Figure 6: Highest risk associated with the successful APT (ISACA; 2013, P. 11)
APT is a cyber crime category directed at political and business targets; it requires a high degree of stealth to be successful and achieve its goals. Damballa (2015) and ISACA (2013, p. 11) summarise the requirements of APT as follows:
• Advanced:
The attackers behind the threat use a wide range of computer intrusion techniques and technologies, whereas the individual components of the attack may not be described as advanced, such as easily procured exploit materials or common malware components generated from construction kits. Also, the attackers usually use multiple attack tools and methodologies to compromise their target.
• Persistent:
The attacker focuses on a particular task and gives it priority rather than seeking immediate financial gain. The APT attacker usually keeps monitoring and interacting continuously to achieve the defined objectives using a low-and-slow approach.
• Threat:
The threat of APT is not based only on an automated piece of code; it also involves a level of coordinated human involvement. The attackers are usually organised, motivated, skilled, well funded and have a specific objective.
APT has made global headlines; the term APT has been overloaded and means different things to different people. For example, some people use it to refer to attacks from China, while others consider all attacks part of the APT (Mandiant, 2010; Cole, 2012, pp. 3-4). In 2005, the term 'advanced persistent threat' appeared among security analysts working for the US Air Force to discuss particular espionage attacks without identifying the source of the threats (ISACA, 2013, p. 12). The Joint Task Force Transformation Initiative (2011), or NIST, provided a clear definition of APT, which is:
“An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.”
The NIST definition provides a good basis for understanding the difference between APTs and traditional threats. Below is a brief explanation of the four main characteristics of APTs concluded from the NIST definition:
APT attacks have clear goals and are highly targeted. Their targets include organisations and governments that hold high-value intellectual property. FireEye's statistics for 2013 list the top ten industries targeted by APTs: government, finance, education, high-tech, energy, telecommunications, consulting, chemicals, aerospace and healthcare. An APT usually limits its attack range and pre-defines its targets, and its objectives are strategic, bringing competitive advantage through trade secrets, intellectual property, national security data and so on. The majority of traditional threats, by contrast, focus on financial gain, such as credit card data and personal information.
According to Kaspersky (2013), APT actors can be highly skilled groups working for military cyber units, state intelligence agencies or governments, or cyber mercenaries hired by private companies and governments. These groups have substantial resources, both technical and financial, that allow them to operate for long periods and to obtain attack tools and zero-day vulnerabilities (Chen, Desmet and Huygens, 2014).
An APT attack is designed as, or develops into, a long-term campaign; it stays undetected in the target's network for months or years. APT attackers continue the campaign until the attempt succeeds, which distinguishes them from traditional threats: traditional attackers have many victims and move on to easier targets when they cannot penetrate the initial one (Chen, Desmet and Huygens, 2014).
APT attacks conceal themselves and stay stealthy within the target's network traffic in order to achieve their objectives, for example by using zero-day exploits to avoid signature-based detection.
According to Jeong et al. (2013, P. 60), an APT attack has six phases: intelligence gathering, point of entry, command and control, lateral movement, asset discovery and data exfiltration. Chen, Desmet and Huygens (2014, P. 65) and Cole (2012, P. 26) discuss the six phases below:
1. Reconnaissance and Weaponization
In the reconnaissance or information-gathering phase, the attackers study and identify the targeted organisation and collect information about its technical environment using social engineering techniques or open source intelligence tools. This information includes hardware and software configurations and employees' personal profiles. APT actors may employ big data analytics and data mining techniques to process the gathered data.
2. Delivery
The APT actors deliver their exploits to the targets using direct and indirect methods, as shown in Figure 7. In the direct method, attackers send exploits using social engineering techniques such as spear phishing. Indirect methods (e.g. the watering hole attack) involve compromising a third party that has the trust of the target (e.g. software/hardware, or a website regularly visited by the target) and then using that third party to compromise the target (Li and Clark, 2015, PP. 98-102; Haq and Khalid, 2013; Trend Labs APT Research Team, 2012).
Figure 7: Direct and indirect delivery methods. Spear phishing: an attack carried out by sending fraudulent emails to a small group of selected victims. It can be used during the information-gathering phase, and the fraudulent email may contain a link to a malicious site serving drive-by-download exploits or an attachment containing a vulnerability exploit. Malicious attachments are usually used in APT attacks because people normally share files such as business documents and reports. Watering hole: the attacker infects with malware a third-party website that is regularly visited by the target; when the target visits the infected web pages, delivery is accomplished.
3. Initial Intrusion
This phase occurs when the APT actor gains unauthorised access to a computer or network of the target; alternatively, attackers can use social engineering to obtain access credentials and gain legitimate access. In the previous phase the attacker delivered malicious code; when the exploit executes successfully in this phase, the attacker gains access to the victim's machine. APT attackers pay particular attention to vulnerabilities in Internet Explorer, Microsoft Office, Adobe Flash and Adobe PDF, besides leveraging zero-day exploits.
4. Command and Control
When the attacker has successfully established a backdoor, Command and Control mechanisms are used to take control of the compromised computers; the attacker uses legitimate services to evade detection, as shown in Figure 8 (Cole, 2012).
5. Lateral Movement
Once communication with the Command and Control server is established and systems are compromised, the attacker expands inside the target organisation's network to discover and collect valuable data. The attacker may crack or steal credentials to gain legitimate access, making the activity untraceable or hard to detect.
6. Data Exfiltration
The main goal of an APT attack is stealing sensitive information for strategic benefit; data exfiltration is therefore an important phase. APT actors usually transfer the data, encrypted and compressed, to external locations under their control. The attackers use secure protocols such as SSL/TLS during transmission, or even leverage the Tor network (Chen, Desmet and Huygens, 2014, P. 68; Jeong et al., 2013, P. 60).
in addition to managing zero-day vulnerabilities, new malware, etc. Where a company holds top-secret data, APT incident response must be a priority in the business strategy and information security programmes (Mandiant, 2014; Chappel, 2014).
The incident response plan deals with all adverse events and prospective threats that can damage the organisation. Its purpose is to ensure that, whenever a damaging event takes place, actions are taken to limit, reduce or prevent any recurrence of that event. There are several important elements that should be considered in the incident response plan, as follows (Pidawekar, 2014; Cole, 2012):
• Attempted break-ins: these can be detected by identifying violations of security constraints or of typical behaviour profiles.
Anderson (1980) categorised intruders as external and internal intruders. Anderson also divided intrusion detection into misuse/signature-based intrusion detection and anomaly-based intrusion detection.
• Anomaly-based intrusion detection
Table 2 shows well-known past APT attacks, categorised by APT type and associated attack vector: Stuxnet, Flame, Operation Aurora, Duqu, MiniDuke, Night Dragon, the RSA breach and Red October. They are compared by year of detection, PE executable type, key logging, initial infection, motivation, encryption, evasion and replication (Giura and Wang, 2012; Knapp and Langill, P. 41, 2014; Zulkefli, Singh and Malim, 2015):
Table 2: Analysis of past APT attacks

APT name         | Detected | PE executable | Initial infection                        | Key logging | Replication              | Motivation                         | Encryption                  | Evasion
Stuxnet          | 2010     | DLL           | Unknown; by theory, caused by USB device | No          | Removable drive, network | Sabotage, slowing down the program | XOR                         | Yes
Operation Aurora | 2010     | DLL, EXE      | Spear phishing (malicious links)         | No          | Manual                   | Gathering information              | Port 443, HTTP              | Yes
Flame            | 2012     | OCX           | Unknown; by theory, caused by USB device | Yes         | Manual                   | Gathering information              | XOR, RC4, substitution      | Yes
Duqu             | 2011     | DLL           | MS Word                                  | No          | Manual                   | Gathering information              | XOR, CBS, AES               | Yes
Night Dragon     | 2011     | EXE           | Unknown                                  | Yes         | Manual                   | Stealing information               | Victim-dependent            | Yes
RSA Breach       | 2011     | EXE           | Excel, spear phishing (Java)             | Yes         | Manual                   | Stealing information               | Unknown                     | Yes
Red October      | 2012     | EXE           | MS Word and Excel, spear phishing (Java) | No          | Manual                   | Gathering information              | XOR                         | No
MiniDuke         | 2013     | EXE           | PDF                                      | No          | Manual                   |                                    | Unique per victim, XOR, ROL | Yes
Stuxnet
In 2010 a sophisticated computer worm, later named Stuxnet, was discovered; its samples date back to June 2009. Stuxnet was an APT attack against Iranian uranium enrichment infrastructure, specifically the Natanz enrichment plant. It exploited Microsoft Windows vulnerabilities to spread across the network and then targeted Siemens equipment and software, causing it to malfunction. This type of threat endangers the security of control systems such as supervisory control and data acquisition (SCADA) systems used to control vital infrastructures and networks, including offshore equipment, onshore fuel handling, fuel pumping devices, water valves, electricity generation, etc. (Giura and Wang, 2012).
Operation Aurora
Another attack, Operation Aurora, ran from mid-2009 until December 2009 as a series of cyber attacks. Operation Aurora used malware against around 30 major companies, such as Google, Adobe, Symantec, Yahoo, Morgan Stanley and Northrop Grumman (FireEye, 2012; Jackson, 2010).
Duqu
In 2011 a piece of malware was detected that had close similarities with Stuxnet. Researchers believe the team that developed Stuxnet also developed Duqu, but Duqu's main goal was espionage rather than destruction. Duqu infected over 50 targets worldwide. After activation Duqu remained active for 36 days before self-destructing; however, the attackers could change the destruction time to remain as long as required. Duqu is harder to detect, allows attackers to access other systems on the network, and used compromised certificates to sign its components (Ginter, 2012).
Night Dragon
In 2011 McAfee discovered a series of attacks against petrochemical, energy and oil companies. The main purpose of the attacks was extracting information. Night Dragon is an APT that infiltrated critical systems and involved the theft of sensitive information that could be used for different purposes or motivations. It started with SQL injection against the web servers using standard tools and acquired additional usernames and passwords to infiltrate the internal PCs and servers. Night Dragon then established remote administration tools (RATs) and C&C servers. Important information was extracted from these systems and could be used in further targeted attacks (Knapp and Langill, P. 41, 2014).
RSA Breach
In 2011 RSA, the security division of the storage vendor EMC, became a victim of a cyber attack. Because the attack affected token generation, the SecurID one-time-password tokens of a thousand RSA customers had to be reissued. The attackers succeeded in exfiltrating data from EMC, which was using NetWitness, a forensic tool that captures data packets for analysis of suspicious behaviour. The investigation found that, from the infected machines, the encryption key protecting the exfiltrated data could be recovered and the exfiltration traffic decrypted; the captured traffic showed that the secret seeds for SecurID tokens were stolen (Green, 2015, P. 13).
Flame
In 2012 a modular piece of malware called Flame was discovered by the CrySyS Lab of the Budapest University of Technology and Economics, Kaspersky Lab and the Iranian national CERT (MAHER Center). Flame attacked Microsoft Windows systems in Middle Eastern countries, for example computers of the Iranian Oil Ministry, to collect intelligence for cyber sabotage. Flame's command and control server called back to download further malware modules (Jajodia et al., 2015, P. 38). Like Duqu, Flame could intercept emails, take screenshots, use the microphone to record conversations and capture various other types of information.
Red October
Red October was discovered in 2012, and researchers believe it had been active since May 2007; it aimed to gather information from governmental, diplomatic and scientific agencies. Red October's characteristics differed from earlier campaigns: it had three malware samples and used a single component with a minimalistic architecture to connect to the C&C servers. Researchers identified over 1,000 modules that the attackers could download and execute to perform a wide range of tasks; for this reason, detection of Red October took several years. Red October allowed attackers to steal information from iPhones and Nokia phones and to recover deleted files from removable drives (Virvilis and Gritzalis, 2013).
MiniDuke
MiniDuke was detected in 2013. Its architecture included a payload written in pure assembly and modern exploitation techniques to bypass the Adobe PDF sandbox (Virvilis, Gritzalis and Apostolopoulos, 2013).
Attackers can use various methods to gain access to the victim's system, as shown in Tables 3a and 3b. The tables show how these methods use protocol exploitation and malware to achieve the attacker's goals against the victim, and list the attacker's methods, motives and techniques (Giura and Wang, 2012; Virvilis, Gritzalis and Apostolopoulos, 2013; Zulkefli, Singh and Malim, 2015):
Table 3a: Methods to get into the victim's computer

Method: Exploiting communication
  Motives: redirect users to malicious sites; spear phishing; hosting malware.
  Technique: DNS cache poisoning; malware.

Method: Exploiting web infrastructure
  Motives: redirect users to a malicious domain by inserting a malicious iframe into the database of a vulnerable website; extract the details of the database using SQL vulnerabilities.
  Technique: browsing a vulnerable website.

Method: Spear phishing
  Motives: the user is redirected to a malicious domain and malware is downloaded onto the system, or the user downloads an infected attachment.
  Technique: spear phishing; malicious iframe; attached files embedded with malicious code.

Method: Exploiting social networks
  Motives: encourage the user to click on the link provided.
  Technique: social engineering.

Table 3b: Methods to get into the victim's computer

Method: Physical attack
  Motives: the malware copies itself when the USB stick is plugged into another system; direct malware installation; capture keystrokes and execute the payload.

Method: Exploiting co-location services
  Motives: clicking the malware; gathering information; hosting malware for drive-by download and taking control of the hosting server.

Method: Rootkit and remote access control
  Motives: hide the infection and download malware onto the system; allows remote management.
The aim of this project is to determine whether a complex multistage framework solution will limit or reduce the damage of a cyber attack and whether it will help the incident response team to detect advanced persistent threats. To design and create the required simulation model of the multi-stage framework, security layers are designed to achieve the goals and objectives of this project. Figure 10 shows the components of the framework: logging modules, SIEM, indicators, attack tree, kill chain and sandbox. Each component is briefly discussed, and then the defence mechanism is identified, as shown in Table 1, by linking all of the components of the framework, such as HIDS, SIEM, kill chain, sandbox, etc. Identifying the attacker's phase and applying the corresponding defence mechanism will help to detect and prevent APTs.
3.1 SIEM
According to the report of Nicolett and Kavanagh (2011), Security Information and Event Management (SIEM) systems are implemented to meet compliance reporting requirements and to improve the ability to deal with security incidents, allowing the organisation to collect and analyse security events and information across networked infrastructures. Organisations implement SIEM systems for many reasons, such as insider threats, compliance requirements and the cost of security incidents and recovery (Dempster, 2015). Furthermore, SIEM can be used to detect internal and external threats; to monitor database access, servers and user actions; and to provide analytic capabilities to the incident response team (Nicolett and Kavanagh, 2012). SIEM can also be used in forensic analysis and may be considered a valuable asset in protecting critical infrastructures, since it helps to track and identify the attacker and then provide this evidence to a court (Garofalo et al., 2014). A SIEM collects data from applications and monitored networks through a group of sensors, as shown in Figure 11, and forwards the events to a core facility where a correlation engine analyses the event stream and generates alarms, while the other SIEM components handle post-processing of the remaining information.
Figure 11: A SIEM system architecture (Bhatt, Manadhata, and Zomlot, 2014)
SIEMs play a vital role in the security management of an organisation's network, ensuring that operations remain correct under a wide range of fault scenarios. Security solutions such as firewalls, intrusion detection systems and antivirus software focus on malicious actions, whereas SIEM systems are built to deal with the actions that eventually do occur. A traditional solution such as a firewall defends the network from malicious outsiders and controls traffic by separating security perimeters, for example a LAN from a WAN. A firewall decides whether to drop a packet or let it through based on header and content analysis; the analysis is performed at various levels of the OSI stack according to the configured rules. Numerous vendors, such as Dell SonicWall, Palo Alto and Juniper, provide firewall appliances. Failure of the firewall can have serious impacts on the system's security: firewalls grant access to network resources or prevent traffic from passing, so the failure of one of their components may lead to a compromise of the network. When an attack is handled in the early stages by the firewall, performance is improved because fewer events reach the later stages. The firewall in front of the SIEM core has two phases, as follows (Bhatt, Manadhata and Zomlot, 2014):
• Pre-filtering: this phase checks all messages in order to discard attacks from external adversaries; it only lets through messages from a pre-defined group of senders (the SIEM's sensors) whose identity has been correctly authenticated. Messages from an external Denial-of-Service (DoS) source are dropped immediately so that they cannot overload the next stage.
• Filtering: this phase enforces more refined application-level policies that require accurate inspection of message fields, for instance to observe certain ordering rules. For example, a sensor is allowed to send data only after its initial setup with the engine has been performed.
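The two-stage gate described above can be made concrete with a small collector front-end. The following is an added example written for this page, not code from Bhatt, Manadhata and Zomlot or from any SIEM product; the sensor names, the HMAC-based sender authentication and the SETUP/DATA message kinds are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed shared secrets for the pre-defined group of senders (the SIEM's
# sensors). Hypothetical names and keys, for illustration only.
SENSOR_KEYS = {
    "hids-01": b"hypothetical-key-hids-01",
    "fw-edge": b"hypothetical-key-fw-edge",
}


def sign(sensor_id, body, key):
    """Sensor side: authenticate the message with an HMAC over id and body."""
    msg = sensor_id.encode() + b"|" + body.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_message(sensor_id, body, key=None):
    """Build a sensor message; an unknown sender can only sign with its own key."""
    key = SENSOR_KEYS.get(sensor_id) if key is None else key
    return {"sensor": sensor_id, "body": body, "mac": sign(sensor_id, body, key)}


class CollectorFirewall:
    """Two-phase firewall in front of the correlation engine.

    prefilter(): cheap check that discards everything not from an authenticated,
                 pre-defined sender (this is what stops an external DoS source
                 from loading the next stage).
    filter():    application-level ordering rule: a sensor may send DATA only
                 after its SETUP message has been seen.
    """

    def __init__(self, keys):
        self.keys = keys
        self.setup_done = set()
        self.accepted = []
        self.dropped = []

    def prefilter(self, msg):
        key = self.keys.get(msg.get("sensor"))
        if key is None:
            return "unknown sender"
        expected = sign(msg["sensor"], msg["body"], key)
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "bad mac"
        return None  # passed

    def filter(self, msg):
        kind = msg["body"].split(":", 1)[0]
        if kind == "SETUP":
            self.setup_done.add(msg["sensor"])
            return None
        if kind == "DATA":
            return None if msg["sensor"] in self.setup_done else "out of order"
        return "unknown message type"

    def ingest(self, msg):
        """Return None if the message reaches the engine, else the drop reason."""
        reason = self.prefilter(msg) or self.filter(msg)
        if reason is None:
            self.accepted.append(msg)
        else:
            self.dropped.append((msg.get("sensor"), reason))
        return reason


def run_demo():
    """Feed a constructed message stream through the gate; return the verdicts."""
    fw = CollectorFirewall(SENSOR_KEYS)
    stream = [
        make_message("hids-01", "DATA:sshd failed login for root"),  # before SETUP
        make_message("hids-01", "SETUP:v1"),
        make_message("hids-01", "DATA:sshd failed login for root"),
        make_message("attacker", "DATA:flood", key=b"not-a-sensor-key"),  # DoS source
        make_message("fw-edge", "SETUP:v1", key=b"wrong-key"),  # forged MAC
    ]
    verdicts = [fw.ingest(m) for m in stream]
    return verdicts, len(fw.accepted)


if __name__ == "__main__":
    print(run_demo())
```

The cheap authentication check runs first so that a flood from an unknown source never reaches the stateful ordering check, which is the point of separating the two phases.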
SIEM systems are designed to meet these challenges and collect events from various sources. Devices and network systems such as Windows/Linux servers and desktops, IDS, VPNs, proxy servers, firewalls, switches and routers generate logs every second. The log files record the activities of all users, devices and systems in the network infrastructure and can be examined with forensic tools to investigate the organisation's security posture. Log analysis helps to understand object access; system- and device-level activity (reading, writing or deleting files); user-level activity (login success, login failure); website visits; network bandwidth consumed; account management; traffic distribution; host session status; and network security activity (network anomalies, attack signatures or virus identification). The SIEM rule engine triggers alerts from stored events and from the correlation of events from various sensors (Dempster, 2015; Nicolett and Kavanagh, 2012). The main strength of SIEM systems is the ability to cross-correlate logs from various sources, using their attributes to define scenarios and meaningful attack patterns that alert security analysts. SIEM thereby allows the incident response team to investigate and detect stealthy, slow attacks and APTs. There are numerous SIEM vendors, as shown in Figure 12, offering products such as Splunk, AlienVault, ArcSight, Q1 Labs, NitroSecurity, Trustwave, S21sec, etc.
Figure 12: Magic Quadrant for SIEM (Nicolett and Kavanagh, 2012)
These products share the same basic functions and provide the services below (Dempster, 2015):
Collection: collecting logs from various sources such as servers, network devices, applications, databases and security devices.
Consolidation: aggregating and normalising the log data.
Correlation: linking and categorising related log events to detect and identify threats.
Communication: generating an alert when an attack is detected in the correlation phase.
Control: controlling how and where the data is stored.
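To show what the Collection, Consolidation, Correlation and Communication steps look like in practice, here is an added example written for this page; it is not code from any SIEM vendor or from Dempster. It normalises constructed Windows logon events and firewall records into one schema and applies a correlation rule: several failed logons followed by a success from the same source, escalated if that source then opens an outbound connection within the window. The log line formats, hosts and addresses are constructed sample input; event IDs 4624 and 4625 are the Windows logon success and failure events.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in two source formats (not real telemetry).
# Windows logon events: 4625 = failed logon, 4624 = successful logon.
RAW_LOGS = """\
2016-03-01T09:00:01 winlog host=WS-07 EventID=4625 user=jdoe src=10.0.5.23
2016-03-01T09:00:04 winlog host=WS-07 EventID=4625 user=jdoe src=10.0.5.23
2016-03-01T09:00:07 winlog host=WS-07 EventID=4625 user=jdoe src=10.0.5.23
2016-03-01T09:00:09 winlog host=WS-07 EventID=4624 user=jdoe src=10.0.5.23
2016-03-01T09:02:30 fw action=allow src=10.0.5.23 dst=203.0.113.9 dport=443 proto=tcp
2016-03-01T09:03:00 winlog host=WS-02 EventID=4625 user=asmith src=10.0.5.40
2016-03-01T09:03:05 winlog host=WS-02 EventID=4624 user=asmith src=10.0.5.40
""".splitlines()

WINLOG = re.compile(
    r"(?P<ts>\S+) winlog host=(?P<host>\S+) EventID=(?P<eid>\d+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)"
)
FW = re.compile(
    r"(?P<ts>\S+) fw action=(?P<action>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def normalize(line):
    """Consolidation: map each source format onto one event schema."""
    m = WINLOG.match(line)
    if m:
        d = m.groupdict()
        kind = {"4625": "auth_fail", "4624": "auth_success"}.get(d["eid"], "other")
        return {"ts": datetime.fromisoformat(d["ts"]), "kind": kind,
                "src": d["src"], "user": d["user"], "dst": d["host"], "dport": None}
    m = FW.match(line)
    if m:
        d = m.groupdict()
        return {"ts": datetime.fromisoformat(d["ts"]), "kind": "net_" + d["action"],
                "src": d["src"], "user": None, "dst": d["dst"], "dport": int(d["dport"])}
    return None  # unparsed line: a real collector would count these


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Correlation: alert when >= fail_threshold failures for the same
    (src, user) precede a success inside `window`, then escalate if that source
    opens an outbound connection within `window` of the success."""
    alerts = []
    fails = defaultdict(list)   # (src, user) -> timestamps of recent failures
    compromised = {}            # src -> time of the suspicious success
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["kind"] == "auth_fail":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            fails[key] = recent + [ev["ts"]]
        elif ev["kind"] == "auth_success":
            if len(fails[key]) >= fail_threshold:
                alerts.append(("brute_force_success", ev["src"], ev["user"]))
                compromised[ev["src"]] = ev["ts"]
            fails[key] = []
        elif ev["kind"] == "net_allow" and ev["src"] in compromised:
            if ev["ts"] - compromised[ev["src"]] <= window:
                alerts.append(("post_compromise_outbound", ev["src"], ev["dst"]))
    return alerts


def run_pipeline(raw_lines=RAW_LOGS):
    """Collection -> consolidation -> correlation; returns the alert list."""
    events = [e for e in map(normalize, raw_lines) if e is not None]
    return correlate(events)


if __name__ == "__main__":
    for alert in run_pipeline():
        print("ALERT", *alert)   # Communication step
```

Neither the logon source nor the firewall alone would flag the second alert; it exists only because the two sources share the normalised `src` attribute, which is the cross-correlation strength the text describes.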
3.2 Indicators
According to Hutchins, Cloppert and Amin (2014), an indicator is a fundamental element of analysis and comes in three main types, as follows:
• Atomic indicators: these cannot be divided into smaller parts and keep their meaning in the context of an intrusion, such as vulnerability identifiers, email addresses and IP addresses.
• Computed indicators: these are derived from data involved in an incident, such as regular expressions and hash values.
• Behavioural indicators: these are combinations of atomic and computed indicators, and can be qualified by quantity or time; for instance, an intruder may initially use a backdoor that generates network traffic matching a given pattern, and then replace it with one matching a given MD5 hash once access is established.
The incident response team needs to analyse these indicators, leveraging them in their tools and matching them against discovered activity, which may in turn lead to additional indicators. Figure 13 shows the cycle between these actions and the indicators over the indicator lifecycle (Hutchins, Cloppert and Amin, 2014; Nige Security Guy, 2013b).
Figure 13: Indicator life cycle states (Hutchins, Cloppert and Amin, 2014)
3.2.1 Indicators of Compromise
Indicators of compromise give incident response teams and security administrators valuable technical information on any given APT. IOCs help security teams to discover malicious activity within the network and systems and then take appropriate action. In general there is no single formal format for describing these indicators, but several types of structured data are supported and used across the industry. IOCs are signs of malicious activity that are fed into automated tools in order to check the infrastructure for signs of infection and combat advanced attackers; they are also forensic artefacts of an intrusion on a network. IOCs relate to observables, ranging from measurable events, such as the creation of a registry key on a host, to stateful properties. Incident response teams use an APT detection framework to check and close gaps in the organisation, in addition to monitoring and detecting the elements below (Nige Security Guy, 2013a):
These elements are early indicators that allow security incidents to be detected and contained in their early stages, before they cause serious loss. The ability of the incident handler or security analyst to collect and record IOCs in complete detail is an important success factor. Figure 14 shows the phases and lifecycle of hunting for indicators of compromise: searching for indicators; investigating compromised systems; analysing new evidence; developing indicators; and applying shared IOC libraries. As shown in Chapter 2, the incident response team follows various phases to overcome an APT incident: detection, containment, investigation, eradication/recovery and rinse/repeat. APTs have patterns and attributes that can be monitored with readily available open source and commercial tools for earlier detection of APT behaviour or outbound traffic. Monitoring a combination of hosts and networks, with tools such as Squert, Sguil, Splunk and Snort, can be essential to detecting APTs (Nige Security Guy, 2013a).
Figure 14: Hunting for Indicators of Compromise (Nige Security Guy, 2013b)
There are various commercial IOC solutions, although in many cases the abilities of simpler tools are sufficient to check systems for signs of infection. Loki is an example of an IOC scanner that searches the target system for different indicators of malicious activity. After unpacking the archive that contains the Loki utilities, related IOC attributes are added to Loki's knowledge base, which is divided into three categories located in a folder called signature (Makrushin, 2015).
- Filename-iocs: include the file system attributes generated by the activity of various threats.
- Hash-iocs: include hashes (MD5, SHA1 and SHA256) of malicious components that appear after an infection.
- False positive-hashes: includes all exception hashes, such as MD5, SHA1 and
SHA256 that are marked as false positives.
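The three indicator types from Section 3.2 and the three signature categories just listed can be exercised together in a minimal scanner. The following is an added example written for this page; it is not Loki's code and does not read Loki's signature files. The hashes, filename patterns, IP address, host file contents and connection records are constructed sample data, and the beacon heuristic (near-constant interval to one destination) is a simplified stand-in for the behavioural indicator the text describes.

```python
import hashlib
import re

# --- Constructed IOC knowledge base (hypothetical values) -------------------
# Computed indicators: hashes of known-bad components.
HASH_IOCS = {hashlib.sha256(b"MZ\x90\x00 constructed evil dropper").hexdigest()}
# Exception list: hashes that match noisy rules but are known good.
FALSE_POSITIVE_HASHES = {hashlib.sha256(b"constructed benign admin tool").hexdigest()}
# Computed indicators: filename/path patterns left by malware activity.
FILENAME_IOCS = [
    re.compile(r"\\AppData\\Roaming\\[a-z]{6}\.exe$", re.IGNORECASE),
    re.compile(r"/tmp/\.[a-z0-9]+\.so$"),
]
# Atomic indicators: values meaningful on their own.
ATOMIC_IPS = {"203.0.113.9"}

# --- Constructed host snapshot: path -> file contents ----------------------
FILES = {
    r"C:\Users\jdoe\AppData\Roaming\qwerty.exe": b"MZ\x90\x00 constructed evil dropper",
    r"C:\Users\jdoe\AppData\Roaming\abcdef.exe": b"constructed benign admin tool",
    r"C:\Windows\System32\notepad.exe": b"MZ\x90\x00 constructed benign binary",
    "/tmp/.k3rn.so": b"\x7fELF constructed implant",
}

# Constructed connection records: (seconds since start, destination IP).
CONNECTIONS = [
    (0, "203.0.113.9"), (60, "203.0.113.9"), (121, "203.0.113.9"), (180, "203.0.113.9"),
    (5, "198.51.100.7"), (9, "198.51.100.7"), (400, "198.51.100.7"), (402, "198.51.100.7"),
]


def scan_files(files):
    """Return [(path, [reasons])] for files matching hash or filename IOCs,
    skipping anything whose hash is on the false-positive list."""
    hits = []
    for path, data in files.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in FALSE_POSITIVE_HASHES:
            continue  # known-good even if the name looks suspicious
        reasons = []
        if digest in HASH_IOCS:
            reasons.append("hash")
        if any(rx.search(path) for rx in FILENAME_IOCS):
            reasons.append("filename")
        if reasons:
            hits.append((path, reasons))
    return hits


def detect_beacons(conns, min_count=4, max_jitter=2.0):
    """Behavioural indicator: >= min_count connections to one destination at a
    near-constant interval. Returns [(dst, mean_interval, known_bad_ip)]."""
    by_dst = {}
    for ts, dst in sorted(conns):
        by_dst.setdefault(dst, []).append(ts)
    beacons = []
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        jitter = max(abs(g - mean) for g in gaps)
        if jitter <= max_jitter:
            beacons.append((dst, round(mean, 1), dst in ATOMIC_IPS))
    return beacons


if __name__ == "__main__":
    for hit in scan_files(FILES):
        print("FILE", hit)
    for beacon in detect_beacons(CONNECTIONS):
        print("BEACON", beacon)
```

The false-positive list is consulted before any rule fires, so a benign tool dropped under a suspicious-looking name is never reported; the beacon check pairs a computed property (interval regularity) with an atomic one (the destination IP), which is what makes it a behavioural indicator rather than either alone.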
• The incident response team can delineate attacks deductively.
• The attack tree helps the security analyst to analyse the attack and provides a transparent, relative technique for characterising attacks and attackers.
• The attack tree is highly flexible and able to model any type of threat and attack.
• The data generated from the attack tree can support the security framework and the understanding of its logical structure.
Threats that look for valuable data of military or economic significance and may persist for a long time are known as APTs. According to Flaten and Lund (2014), the attack tree is useful for modelling an APT, as it provides a good overview of a threat and can support other models in understanding it. Figure 16 is an example attack tree for the APT known as Operation Aurora. The high-level view shows how an attacker can attack servers and gain access to valuable information; the defender should decompose the tree as deeply as possible so that effective defences emerge from the tree's construction. Operation Aurora (as mentioned in Chapter 2) hit Google between mid-2009 and December 2009.
Figure 16: Attack tree for Operation Aurora (root goal: access system, valuable information)
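An attack tree can be evaluated mechanically once each leaf carries a cost and the defender records which leaves are mitigated. The following is an added example written for this page, not the tree from Flaten and Lund or from Figure 16: it builds a constructed AND/OR decomposition of the high-level Aurora-style goal (foothold on a workstation, reach an internal server, exfiltrate) with made-up effort values, finds the cheapest attack path, and shows how the path shifts or disappears as mitigations are applied. The node names and costs are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Path = Tuple[float, List[str]]


@dataclass
class Node:
    """Attack tree node: a leaf step with an attacker cost, or an AND/OR gate."""
    name: str
    kind: str = "leaf"        # "leaf", "and" or "or"
    cost: float = 0.0         # constructed effort units; leaves only
    children: List["Node"] = field(default_factory=list)


def cheapest_path(node: Node, mitigated: set) -> Optional[Path]:
    """Return (total_cost, [leaf steps]) for the cheapest way to achieve `node`,
    or None when every route passes through a mitigated leaf."""
    if node.kind == "leaf":
        return None if node.name in mitigated else (node.cost, [node.name])
    results = [cheapest_path(c, mitigated) for c in node.children]
    if node.kind == "and":           # every child is required
        if any(r is None for r in results):
            return None
        return (sum(r[0] for r in results), [s for r in results for s in r[1]])
    feasible = [r for r in results if r is not None]   # "or": any child suffices
    return min(feasible, key=lambda r: r[0]) if feasible else None


def aurora_style_tree() -> Node:
    """Constructed decomposition of the goal 'access system, valuable information'."""
    foothold = Node("gain foothold on workstation", "or", children=[
        Node("phish link + browser exploit", "and", children=[
            Node("spear-phishing email with link", cost=3),
            Node("browser zero-day exploit", cost=8),
        ]),
        Node("phish attachment + document exploit", "and", children=[
            Node("spear-phishing email with attachment", cost=3),
            Node("Office document exploit", cost=5),
        ]),
    ])
    server = Node("reach internal server", "or", children=[
        Node("steal credentials from workstation", cost=4),
        Node("exploit server vulnerability", cost=7),
    ])
    exfil = Node("exfiltrate valuable information", "or", children=[
        Node("encrypted C&C channel", cost=2),
        Node("removable media", cost=6),
    ])
    return Node("access system, valuable information", "and",
                children=[foothold, server, exfil])


def evaluate(mitigated=frozenset()) -> Optional[Path]:
    """Cheapest remaining attack path for the constructed tree, given mitigations."""
    return cheapest_path(aurora_style_tree(), set(mitigated))


if __name__ == "__main__":
    print(evaluate())
    print(evaluate({"steal credentials from workstation"}))
    print(evaluate({"encrypted C&C channel", "removable media"}))
```

Mitigating a single leaf under an OR gate only raises the attacker's cost (the path moves to the next-cheapest branch); closing every leaf under one OR gate that sits below the root AND makes the goal unreachable, which is the sense in which the defender need only break one link.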
3.4 Cyber Kill Chain
Incident response teams, malware analysts and forensic investigators can use the cyber kill chain model to work in a chained manner and analyse the offensive actions of a cyber attacker. Using the kill chain model allows security analysts to think like the attacker and understand what has happened in each phase. Recently, cyber attacks have become more complex, destructive and dangerous, using multiple redundant attack vectors to multiply their effect and make the incident response team's job harder (Bhatt, Toshiro Yano and Gustavsson, 2014).
The conventional model is based on static defences such as antivirus software and IDS, and assumes that the attacker has an advantage over the defenders through undiscovered software vulnerabilities. The incident response team of Lockheed Martin published a white paper explaining why conventional defences are not enough to protect organisations from sophisticated attackers such as APTs. The paper proposes a new approach instead of installing static defences and waiting for the next attack: constantly monitoring systems to collect evidence about the attackers who are trying to access the systems and networks. Network defenders should study the attackers' tactics and methodologies in order to anticipate and mitigate future intrusions, by analysing the attackers' actions, finding patterns and identifying capability gaps. The approach describes the multiple steps, called the Cyber Kill Chain, that attackers have to go through to plan and execute an attack. The attacker has to complete every phase to execute a successful attack, while the defender only needs to stop the attacker completing one or more steps. This theory can defend against APTs, unknown vulnerabilities and attacks whose signatures cannot be detected by defence tools. Representations of the APT kill chain vary in their level of detail, but the content is always the same. Figure 17 shows the lifecycle of an APT kill chain in detail (Schilling and Jackson, 2013).
Figure 17: Lifecycle of an APT kill chain (Schilling and Jackson, 2013)
The kill chain model shown in Figure 17 illustrates the phases of the APT kill chain lifecycle and allows a complicated attack to be broken down into small phases or stages. These phases enable the incident response team to tackle smaller, easier problems and to develop a defence for each layer in order to mitigate threats in each phase (Hutchins, Cloppert and Amin, 2011). The kill chain includes seven phases, as shown in Figure 18, which gives a brief description of each phase or its purpose.
Figure 18: The seven kill chain phases (columns: Phase, Description, Example)
A brief description of the kill chain phases follows (Rockefeller, 2014; Hutchins, Cloppert and Amin, 2011; Pernet, 2007):
A. Reconnaissance
In this phase, attackers gather information about the target using different tools and techniques. The attacker may find various types of information about the victim from third-party vendors using simple Internet searches for suppliers and facilities.
B. Weaponization
In this phase the attacker prepares the attack payload to deliver to the victim; for example, malware may be weaponised for delivery by email by embedding it in a Microsoft Office document or a PDF. The defender can disrupt this phase using real-time monitoring antivirus and anti-spyware. The attacker may also target a legitimate website that the victim habitually visits, spreading malware from it to infect the victim.
C. Delivery
In this stage the attacker sends the payload to the victim, by USB or by attaching an infected file to an email, which is called a phishing attack. Attackers can use social engineering techniques, such as checking LinkedIn or Facebook, to customise email messages. Defenders can use real-time monitoring antivirus and anti-spyware to detect the infected files.
D. Exploitation
Exploitation is the point at which the attacker's payload is deployed into the victim's network: the weapon's code is triggered and exploits the system. For example, a 2013 Reuters report stated that RAM-scraping malware could record and save several million card swipes and store the stolen data for later exfiltration.
E. Installation
In this phase the attacker maintains access to the network and the system and establishes a foothold in the victim's network. Attackers can install backdoors in the target's systems to maintain access. For example, the BlackPOS malware compromised 70 million records of non-financial data and the attacker succeeded in moving across several target systems.
F. Command and Control
The attacker can remotely access the victim's network, reach the entire network and compromise servers with exfiltration malware. Command and control maintains communication between the outside Internet and the victim's network.
G. Actions on Objectives
The attacker works to accomplish the goals of the attack, such as intrusion into another target, destruction of data, or exfiltration. Analysing the victim's data transmissions may be like looking for a needle in a haystack; however, data uploaded to a server in China or Russia may be flagged as suspicious if discovered.
3.5 Sandbox
A sandbox is a security mechanism used to separate running programs, so that untrusted programs or untested code from third parties can be executed in an isolated environment to understand what they do. The sandbox monitors the application's behaviour and prevents operations that go against the user's intention. Generally, the sandbox user specifies the privileges of each program over each resource; this specification is called a policy (Wright et al., 2006). For instance, whenever a server program running in the sandbox tries to access a resource, the sandbox system checks the privileges against the policy: if the policy allows the operation, the program is allowed to execute it; if the policy does not allow it, the operation fails. Although a sandbox does not prevent malicious code from exploiting vulnerabilities in a program or application, it can reduce the harmful effects of an attack. Many sandbox systems, such as Systrace and Janus, have a shortcoming that prevents them from providing satisfactorily secure confinement: they apply a single policy from the start of the executed application until its end. Consider, for example, a sandbox for a server program: whenever a user logs in to the application, the server reads the password in order to authenticate the user, but the password is not required in any other part of the application. Users who try to protect the server with such a sandbox have to choose between allowing and denying the operation that reads the password. If they allow it, malicious code that takes over part of the server can read the password even with the sandbox protection in place. This example shows the need for a sandbox that allows users to switch between different policies dynamically, so that the policy can be applied properly (Shioya, Oyama and Iwasaki, 2007).
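The login-server example above, written out as an added illustration (it is not code from the dissertation or from Systrace, Janus or the cited papers): a small policy monitor that keeps one rule list per application phase and lets the protected program switch phase, so the password database is readable only while a user is being authenticated. The operations, paths and phase names are hypothetical.

```python
# Added illustration (not from the dissertation): a phase-aware sandbox policy.
# Each phase of the protected server has its own allow/deny rules, and the
# server (or the sandbox operator) switches phase as the application progresses.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass(frozen=True)
class Rule:
    operation: str   # e.g. "read", "write", "connect"
    resource: str    # glob pattern over the resource name (hypothetical paths)
    allow: bool


@dataclass
class PolicySandbox:
    """One rule list per phase; first matching rule wins, no match means deny."""
    policies: dict                      # phase name -> list[Rule]
    phase: str
    audit_log: list = field(default_factory=list)

    def switch_phase(self, phase: str) -> None:
        if phase not in self.policies:
            raise ValueError(f"no policy defined for phase {phase!r}")
        self.phase = phase

    def check(self, operation: str, resource: str) -> bool:
        decision = False                # default deny
        for rule in self.policies[self.phase]:
            if rule.operation == operation and fnmatch(resource, rule.resource):
                decision = rule.allow
                break
        self.audit_log.append((self.phase, operation, resource, decision))
        return decision


def build_server_sandbox() -> PolicySandbox:
    """Policies for the login-server example: the password database may only be
    read while a user is being authenticated, never while serving requests."""
    common = [
        Rule("read", "/srv/app/static/*", True),
        Rule("write", "/var/log/app/*", True),
    ]
    policies = {
        "authenticate": [Rule("read", "/etc/app/passwd", True)] + common,
        "serve": [Rule("read", "/etc/app/passwd", False)] + common,
    }
    return PolicySandbox(policies=policies, phase="authenticate")


def dynamic_policy_demo() -> dict:
    """Walk the server through login and request handling; returns each decision."""
    sb = build_server_sandbox()
    results = {"auth_reads_passwd": sb.check("read", "/etc/app/passwd")}
    sb.switch_phase("serve")            # user is logged in; tighten the policy
    results["serve_reads_passwd"] = sb.check("read", "/etc/app/passwd")
    results["serve_reads_static"] = sb.check("read", "/srv/app/static/index.html")
    results["serve_writes_log"] = sb.check("write", "/var/log/app/access.log")
    results["serve_connects_out"] = sb.check("connect", "203.0.113.5:443")
    return results


if __name__ == "__main__":
    for name, allowed in dynamic_policy_demo().items():
        print(f"{name:20s} -> {'allow' if allowed else 'deny'}")
```

With a single static policy the operator would have to allow the password read for the whole run; with the phase switch, code that hijacks the server after login is refused the same read, and the audit log records every decision for the incident response team.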
Malware such as worms, viruses and bots is becoming more sophisticated, which requires observing and analysing its behaviour to identify issues. An isolated sandbox is the preferred environment for such observation because it tolerates attacks and infections from the outside. Malware sandboxing is considered a dynamic analysis approach because it lets the analyst execute and monitor the sample in real time instead of statically analysing the binary file. Building sandboxes has become quite easy thanks to improvements in technologies such as hardware virtualisation and operating systems. Virtualisation technologies are usually used because malware frequently damages the analysis environment, which then has to be rebuilt; an isolated sandbox built on virtualisation can simply be restored. There are several sandbox tools for Linux, such as SELinux and AppArmor, while Cuckoo supports Windows and will be used in the study simulation, besides being an open-source malware analysis system. Cuckoo is an automated malware analysis system that shows what a file does while it executes in the isolated environment, although technical skills are required to understand the results. Cuckoo analyses files automatically and records their interactions with the system. Its main targets are Java files, Office documents, PDFs, URLs, DLLs and Windows executables (Miwa et al., 2007).
Applying the previous framework together with the defence mechanisms in Table 4, which are organised by kill chain phase, will improve the incident response team's ability to detect and prevent APT.
Chapter 4. IMPLEMENTATION (REALIZATION)
Following the design of the new framework in Chapter 3, this chapter creates the required simulation model of the multi-stage security layers to achieve the goals and objectives of this project and conducts three experiments, each performed for both groups; the results are compared in Chapter 5. Three attack attempts are launched against each group in order to test the ability to detect and prevent APT. For the experiments of the second group, USM is installed on VMware and set to monitor the Security log and the IDS logs in real time, and sensors are installed and configured. McAfee AntiVirus Plus is installed for both groups.
Figure 19: Security solutions that are installed for the simulations
• Optimise the PC's performance by using the Vulnerability Scanner and QuickClean features in order to speed up the browser and the PC.
• Prevent PCs from spreading spam and malware, in addition to permanently deleting sensitive digital files.
- Sandbox
Two online sandboxes are used in the second experiment: Malwr and VxStream. Since 2011, Malwr has provided a free malware analysis service based on the open-source Cuckoo Sandbox and on VirusTotal; it is a non-commercial project (Malwr, 2016). VxStream Sandbox provides a free malware analysis web service at hybrid-analysis.com. VxStream can analyse several files in multiple environments in parallel using any prepared Windows image, which helps in detecting APTs, and it integrates with SIEM systems through CEF syslog (Payload Security, 2016).
USM is an all-in-one platform designed against today's advanced threats; it provides users with compliance management and unified threat detection that is easy to use and affordable. AlienVault USM has advantages over a traditional SIEM, such as fast deployment, continuous threat intelligence, unified security monitoring, multiple security functions, and simple security event management and reporting. USM provides four essential security capabilities, as shown in Figure 20, in a single console. The new security framework of Chapter 3 includes NIDS, HIDS, firewall and SIEM; USM covers these requirements and adds vulnerability assessment and behavioural monitoring.
Behavioural Monitoring: identify suspicious behaviour and potentially compromised systems
- Netflow Analysis
- Service Availability Monitoring
- Full packet capture
SIEM: correlate and analyse security event data from across your network
- Log Management
- Event Correlation
- Incident Response
- Reporting and Alarms
In this simulation, a virtual machine of AlienVault USM was downloaded and imported into VMware Fusion, as shown in Figure 21. The specification of the USM virtual machine is then customised, as shown in Figure 22.
AlienVault can be configured manually or using DHCP. I used the DHCP configuration, as shown in Figure 23.
After configuring the network, access to the USM server is configured, as shown in Figure 24, using the user root and the password that was used the first time, which can be changed in the next window.
After the installation of AlienVault USM is complete, a web form is filled in at the following URL: https://192.168.0.117
The next window, as shown in Figure 26, is displayed after the administration account has been completed.
Figure 26: Login to the admin account
The next window allows the administrator to configure and deploy HIDS, as shown in Figure 27, to perform monitoring, file integrity checking, collection of event logs and rootkit detection. HIDS can also be deployed for hosts and the network by configuring assets, as shown in Figure 28, and then clicking the Deploy button.
The deployment process is shown in Figure 29.
4.2 Scenario
To show the benefits of these techniques, a simulated organisation is used: the first group tests the traditional methods, while the second group tests the new framework presented in the previous chapter. An adversary makes three attack attempts against each group. The result of the simulation will show whether robust indicator maturity and analysis of the intrusion kill chain can help to mitigate an intrusion and successfully detect the attack. In all three attempts the intrusion leverages a common APT tactic: a malicious email delivering a malicious file (a weaponised attachment) to a set of individuals. This attachment can install a backdoor that creates outbound communications to a C2 server.
4.3 Intrusion Attempts
The simulation is conducted through three intrusion attempts, as follows. An email containing a malicious macro, shown below, is sent to the users of each group as an Excel sheet attachment. When the attachment is opened, the macro attempts to download and execute malware from a remote location.
Kindly find attached our reminder and a copy of the relevant invoices. Looking forward to receiving your prompt payment, and thank you in advance.
Kind regards,
John Smith
• VMware, Windows 7
• Microsoft Office 2010
• VMware, Kali Linux
• Metasploit
Metasploit Framework is a toolkit for penetration testing and security assessments. Its Ruby API allows scripts to be written that act with the power of a remote native process over an established session on a compromised system. Meterpreter payloads support bind shell listeners, reverse TCP connections and an HTTPS stager. Metasploit Framework has over 168 different reverse shells. A reverse shell requires the attacker to set up a listener while the victim's machine acts as a client connecting to that listener, after which the attacker receives the shell. A reverse shell is used when the victim's machine is in a private network, when a firewall blocks incoming connections, or when the payload is unable to bind to a port (Rapid7 Community, 2011).
Metasploit is started by typing msfconsole, which is its interface. The commands in Figure 31 mean:
• set LHOST: the IP address that the target machine connects back to (192.168.52.131).
• set LPORT: the port that the target machine connects to (443 or 80, or any port suited to the real situation).
• set AutoRunScript post/windows/manage/smart_migrate: migrates the remote connection from the Excel process to a different process, such as Explorer, so that the attackers keep their connection even when Excel is closed.
• generate -t vba: as shown in Figures 31 and 32, generates basic VBA code that can be copied from the terminal in Figure 32 and pasted into an Excel sheet.
Figure 32: Generating VBA code
- Setting up the Document
The documents need to be set up and then delivered to the target machine using Microsoft Excel or Word. All the code from "#If Vba7 Then" to the final 'End Sub' is copied, then Macros is selected from the View tab and the macro is named before clicking 'Create', as shown in Figure 33.
Figure 34 shows the VBA code page, into which the code copied from Metasploit is pasted.
Figure 34: Adding the VBA code to the Excel sheet
Visible content is added to the Excel sheet to trick the target, as shown in Figure 35. Finally, the Excel document has to be saved as .xlsm, or as a Word Macro-Enabled Document.
Figure 36: Save the Excel sheet as Macro-Enabled Document
The next step, as shown in Figure 37, is opening the terminal and typing msfconsole to open Metasploit. The commands used to start the listener are shown in Figure 37.
Figure 37: Prepare the listener in Kali
On the day after the first attempt, another intrusion attempt was executed. A security analyst and the incident response team identified similar characteristics that were probably related to the previous attempt. However, the analyst found some differences: this time the email was sent to a different department (Human Resources). The next chapter will discuss the results of the attempts and how the analyst detected these characteristics and blocked the activity.
• VMware, Windows 7
• Microsoft Office 2010
• VMware, Kali Linux
• Metasploit
• Veil Framework
Veil Framework is used to bypass the antivirus solutions deployed at the endpoints by generating unique and random payloads for exploits. The malware generated by Veil Framework changes as it moves from host to host; this gives it an advantage over traditional malware, which has a distinct signature that can be detected by the various antivirus solutions. Veil Framework is compatible with Metasploit and is used to customise exploits and tools and to create tools that are undetectable by antivirus solutions or can disable them (The Security Sleuth, 2015; jitpukdebodin, 2015; Fuzzy Security, n.d.). The second attempt uses MS14-064 OLE automation array remote code execution.
• Creating Shellcode
Running 'Veil-Evasion.py', as shown in Figure 38, starts Veil Evasion.
Figure 39: Using the Powershell to evade the Antivirus solutions
The output in Figure 41 shows the file /root/veil-output/source/Experiment 1.bat, which is used in the next step by the macro converter.
Figure 41: The output of the generated code
Returning to the main menu of Veil Framework and typing list shows all the available payloads, as shown in Figure 42.
To convert the .bat file into a macro, the auxiliary/macro converter payload is used, as shown in Figure 43.
Figure 43: Choosing auxiliary/macro converter payload
The POSH_BATCH command in Figure 44 identifies the path to the PowerShell batch script.
The code is then generated and named Experiment 1; this file has the extension .txt, as shown in Figure 45.
Figure 45: The output of the generated code is a .txt file
The document is set up and then delivered to the target machine using Microsoft Excel or Word. All the code is copied, then Macros is selected from the View tab and the macro is named before clicking Create, as shown in Figure 47.
Figure 47: Inserting the VBS code
Finally, the Microsoft Word document has to be saved as a Word Macro-Enabled Document, as shown in Figure 49.
Figure 49: Saving the document as a Word Macro-Enabled Document
The next step, as shown in Figure 50, is opening the terminal and typing msfconsole -r /user/share/veil-output/handler/Experiment1_handler.rc to open Metasploit; this runs the commands below without typing them again, so that the handler listens for the target opening the Word document:
• use exploit/multi/handler: selects the multi handler exploit.
• set LHOST: tells the handler which IP to listen on, that is, the IP the target should connect back to.
• set LPORT 443: tells the handler which port to listen on (e.g. 443 or 80).
• exploit -j: creates the handler and begins listening in the background.
On the third day, another intrusion attempt was executed. The incident response team and the security analysts noticed that the nature of the attack had changed, although the email was again sent to Human Resources, as in the second attempt. This time the attacker sent photos of his graduate certificate and other qualifications. One of these photos did not open because it contained a malicious file, as shown in the next section. The analysis in the next chapter will discuss the attack and the countermeasures against it.
• VMware, Windows 7
• VMware, Kali Linux
• Metasploit
• Veil Framework
This attack used Veil Framework to bypass the antivirus solutions deployed at the endpoints by generating unique and random payloads for exploits. This attempt generates an EXE file and then changes its extension using Hex Workshop.
Figure 53 shows the location of the generated EXE file, which is called Experiment 3. Experiment 1.exe is edited using Hex Workshop in the Windows 7 environment; Figure 54 shows the search window for Experiment 3.exe.
• Running Metasploit Handler
The next step, as shown in Figure 56, is opening the terminal and typing msfconsole -r /user/share/veil-output/handler/Experiment1_handler.rc to open Metasploit; this runs the commands below without typing them again, so that the handler listens for the target opening the Word document.
• use exploit/multi/handler: selects the multi handler exploit.
• set PAYLOAD windows/meterpreter/reverse_https: identifies the payload (reverse_https) to the multi handler.
• set LHOST: tells the handler which IP to listen on, that is, the IP the target should connect back to.
• set LPORT 443: tells the handler which port to listen on (e.g. 443 or 80).
• exploit -j: creates the handler and begins listening in the background.
Chapter 5. RESULTS AND EVALUATION
Following the implementation of the design and the experiment of the three attempts, the aim is to test whether the new framework is able to detect and mitigate APT. This chapter shows the results of the two groups, then analyses the results of the second group (new framework) and, finally, compares the results of both groups to evaluate the new framework.
- Attempt 1
In the previous chapter, the attacker prepared the script and then created the macro. The last step for the attacker in the preparation process is setting up the exploit handler, as shown in Figure 57. If the target opens the document and enables its macro, a Meterpreter prompt appears, which means the attacker is now remotely connected.
The result of group A shows that McAfee AntiVirus Plus succeeded in quarantining the threat, as shown in Figure 58.
Figure 59 shows the scan result of the quarantined document. In this case, the attacker will not get any response from the target's side.
- Attempt 2
In the second attempt the attacker started the Metasploit listener and waited for the target to enable the macro of the Excel sheet. When the victim opens the Excel sheet, as shown in Figure 60, a Meterpreter prompt appears, which means the attacker is now remotely connected; the traditional security failed to prevent or detect the attack. The attacker can then use commands such as migrate, execute, sysinfo, ps and upload to control the victim or get information from it.
The traditional method failed to detect the malicious file or the macro code, as shown in Figure 61.
Figure 61: McAfee Antivirus Plus fails to detect the malicious Excel sheet
- Attempt 3
In the last attack, the attacker succeeded in compromising the target. Traditional security solutions such as McAfee antivirus and anti-spyware failed to detect the malicious file. Figure 62 shows how the attacker starts the session and accesses the victim's machine.
Figure 62: The attacker succeeds in compromising the target
5.1.2 The Result of Group B (new framework)
- Attempt 1
The result of the first attempt of group B shows that McAfee AntiVirus Plus succeeded in quarantining the threat, as shown in Figure 64.
Figure 64: McAfee AntiVirus Plus succeeds in detecting the malicious file
- Attempt 2
The second attempt failed because of AlienVault's IDS; Figure 65 shows the alarms that were fired to block the malware. The attacker's Kali machine receives no response from the target machine because of AlienVault's firewall and IDS. The next sections explain the results in more detail.
- Attempt 3
The third attempt failed because of AlienVault's SIEM in addition to the sandbox (see Appendices 1 and 4). The sandbox used VirusTotal to scan the suspicious files, as shown in Figure 66; the file was scanned by 53 antivirus and anti-spyware engines.
user opens the file, the Word document silently runs and attempts to connect to multiple remote servers. According to F-Secure, the text file containing base64-encoded data (e.g. the macro of the first attempt) targets and opens the file in the first or second attempts, where there are three scripts written in VBScript, PowerShell and batch, which download and execute files from another remote server. The malicious files act as a backdoor for other malicious software, such as spyware, Trojans, browser hijackers, adware and so on. These malicious files make PCs freeze and web pages crash while users browse the Internet (F-Secure, n.d.).
5.2.1 Indicators
Figure 67 connects the kill chain to the indicators of the intruder's three attempts by linking each phase of the attack with certain actions or behaviours; it draws the indicator map and connects the common indicators between intruders over multiple kill chain phases. The incident response team and the security analyst can thus connect various activities of a particular persistent threat or intrusion, which may have varying degrees of correlation. This analysis helps to determine the patterns and behaviours of the intruders and to predict the characteristics of future intrusions with greater confidence by understanding the intruders' intent. That allows the incident response team to determine the technologies or individuals of interest, or even to understand the adversary's mission objectives, and then to evaluate targeting patterns and examine the data exfiltrated by the attacker.
Figure 67: Indicators of several intruders
Below are the indicators for the three attempts to attack the target using different types of files and techniques:
Attempt 1
The analysis of the Microsoft Word document shows that it contains embedded strings indicating auto-execute behaviour. In particular, the keyword 'AutoOpen' is found, which indicates code that runs when the Word document is opened. According to VirusTotal, only three of 55 antivirus vendors identified the file as malicious. The full details can be seen in Appendix 2.
Attempt 2
The analysis of the attacker's second attempt shows behaviour similar to the first attempt. The Microsoft Excel sheet contains an embedded string indicating auto-execute behaviour: a macro named 'AutoOpen' that runs when the Excel sheet is opened. Furthermore, suspicious characteristics were found, such as the keyword 'Lib', which indicates 'May run code from a DLL', and 'Shell', which indicates 'May run a system command or an executable file', besides installing hooks/patches in the running process.
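The indicator analysis of attempts 1 and 2 above is the kind of triage a sandbox report automates. The following added example (not from the dissertation, and not the sandbox's own code) scans VBA macro source that has already been extracted from a document for the auto-execute and suspicious keywords named in the text, plus long base64 literals such as the encoded data mentioned for the third attempt, and turns the findings into a verdict. The keyword lists and the three macro samples are constructed for the illustration; the samples are harmless.

```python
# Added illustration (not from the dissertation): triage of VBA macro source
# for the auto-execute and suspicious keywords named in the indicator analysis.
# The input is macro source already extracted from the document (e.g. by a
# sandbox); the keyword descriptions follow those quoted in the text.
import base64
import binascii
import re

AUTOEXEC_KEYWORDS = {
    "AutoOpen": "Runs when the Word document is opened",
    "Document_Open": "Runs when the Word document is opened",
    "Workbook_Open": "Runs when the Excel workbook is opened",
    "Auto_Open": "Runs when the Excel workbook is opened",
}
SUSPICIOUS_KEYWORDS = {
    "Lib": "May run code from a DLL",
    "Shell": "May run a system command or an executable file",
    "CreateObject": "May create an OLE object",
    "Environ": "May read system environment variables",
}
# Long quoted base64 strings, as in the encoded script mentioned for attempt 3
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


def scan_vba(source: str) -> dict:
    findings = {"autoexec": [], "suspicious": [], "base64_blobs": 0}
    for keyword, desc in AUTOEXEC_KEYWORDS.items():
        if re.search(r"\b%s\b" % re.escape(keyword), source):
            findings["autoexec"].append((keyword, desc))
    for keyword, desc in SUSPICIOUS_KEYWORDS.items():
        if re.search(r"\b%s\b" % re.escape(keyword), source):
            findings["suspicious"].append((keyword, desc))
    for blob in B64_LITERAL.findall(source):
        try:
            base64.b64decode(blob, validate=True)
            findings["base64_blobs"] += 1
        except binascii.Error:
            pass                      # not valid base64, ignore
    return findings


def verdict(findings: dict) -> str:
    """Auto-execute plus a way to run code (or hidden data) is the combination
    that merits quarantine; either alone is only worth a closer look."""
    runs_code = bool(findings["suspicious"]) or findings["base64_blobs"] > 0
    if findings["autoexec"] and runs_code:
        return "likely-malicious"
    if findings["autoexec"] or runs_code:
        return "suspicious"
    return "clean"


# Constructed samples (harmless): the first mirrors the attempt-2 indicators,
# the second an auto-open macro carrying an encoded blob, the third a benign macro.
SAMPLE_ATTEMPT2 = '''\
Private Declare PtrSafe Function GetTickCount Lib "kernel32" () As Long
Sub AutoOpen()
    Shell "notepad.exe", vbHide
End Sub
'''
SAMPLE_ENCODED = 'Sub AutoOpen()\n    Dim s As String\n    s = "%s"\nEnd Sub\n' % ("QUFB" * 13 + "QQ==")
SAMPLE_CLEAN = 'Sub FormatTotals()\n    Range("A1").Font.Bold = True\nEnd Sub\n'


def triage_samples() -> dict:
    return {name: verdict(scan_vba(src)) for name, src in
            [("attempt2", SAMPLE_ATTEMPT2), ("encoded", SAMPLE_ENCODED), ("clean", SAMPLE_CLEAN)]}


if __name__ == "__main__":
    for name, result in triage_samples().items():
        print(name, result)
```

The verdict deliberately requires both an auto-execute entry point and a code-running or data-hiding keyword before calling a macro likely malicious, which keeps ordinary spreadsheet macros out of the quarantine queue while still catching the AutoOpen-plus-Shell pattern of the second attempt.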
Attempt 3
The behaviour of the file helps to identify it as malicious. The file of the third attempt shows several malicious indicators, such as: drops executable files; installs hooks/patches in the running process; opens files with deletion access rights; queries kernel debugger information; the CRC value set in the PE header does not match the actual value; creates/touches files in the Windows directory; the PE file has sections with unusual entropy; makes a branch decision directly after calling an environment-aware API; and allocates virtual memory in a foreign process. The full report of malicious indicators can be seen in Appendix 4. Table 5 shows the result of testing the file of the third attempt through the external systems and the result of 55 antivirus vendors.
Table 5 (only the column headings survived extraction): Malicious Indicators; External Systems
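Two of the static indicators reported for the third attempt, the PE header checksum mismatch and the unusual section entropy, can be reproduced without running the sample. The following added example (not from the dissertation or from the sandbox vendors) computes the optional-header CheckSum the way Windows' CheckSumMappedFile does and the Shannon entropy of each section, and exercises both on a constructed toy image that carries only the header fields needed to find the CheckSum field; the section contents and thresholds are constructed for the illustration.

```python
# Added illustration (not from the dissertation): checking two of the attempt-3
# PE indicators on a constructed toy image: "PE file has unusual entropy sections"
# and "CRC value set in PE header does not match actual value" (the optional
# header CheckSum). Only the header fields needed to locate CheckSum are built.
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant block, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    h = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return h or 0.0                      # normalise -0.0


def unusual_entropy_sections(sections: dict, high: float = 7.0, low: float = 1.0) -> list:
    """Flag sections that look packed/encrypted (>= high) or are filler (<= low)."""
    flagged = []
    for name, data in sections.items():
        h = shannon_entropy(data)
        if data and (h >= high or h <= low):
            flagged.append((name, round(h, 2)))
    return flagged


def pe_checksum(image: bytes, checksum_offset: int) -> int:
    """PE CheckSum as CheckSumMappedFile computes it: add every 32-bit word except
    the CheckSum field with end-around carry, fold to 16 bits, add the file size."""
    if checksum_offset % 4:
        raise ValueError("CheckSum field must be 4-byte aligned")
    padded = image + b"\0" * (-len(image) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(image)


def locate_checksum_offset(image: bytes) -> int:
    """e_lfanew (at 0x3c) + 4-byte signature + 20-byte COFF header + 64 into optional header."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + 20 + 64


def checksum_matches(image: bytes) -> bool:
    off = locate_checksum_offset(image)
    stored = struct.unpack_from("<I", image, off)[0]
    return stored == pe_checksum(image, off)


def build_toy_image(sections: dict, checksum: int = 0) -> bytes:
    """Minimal PE32-shaped buffer: DOS stub, signature, COFF header, 224-byte optional
    header with CheckSum at +64, then the raw section bytes. Not a loadable file."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)
    return dos + coff + bytes(opt) + b"".join(sections.values())


# Constructed sections: readable code-like text, zero filler, and a block with every
# byte value twice (entropy exactly 8.0, as a packed or encrypted section would show).
TOY_SECTIONS = {
    ".text": b"push ebp; mov ebp, esp; call log; leave; ret\n" * 8,
    ".data": b"\0" * 256,
    ".pack": bytes(range(256)) * 2,
}


def demo() -> dict:
    unsigned = build_toy_image(TOY_SECTIONS)
    good = build_toy_image(TOY_SECTIONS, pe_checksum(unsigned, locate_checksum_offset(unsigned)))
    tampered = bytearray(good)
    tampered[-1] ^= 0x01                             # flip one bit in the last section
    return {
        "entropy_flags": unusual_entropy_sections(TOY_SECTIONS),
        "clean_checksum_ok": checksum_matches(good),
        "tampered_checksum_ok": checksum_matches(bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

A stored CheckSum of zero is common in unsigned third-party binaries, so a mismatch on its own is a weak signal; combined with a near-8.0 section and a dropped executable, as in the attempt-3 report, it is worth an alarm.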
5.2.2 Attack Tree
The attack tree helps the security analyst to understand the nature of the attack and anticipate the next phases; the attack tree is read from bottom to top. APT intruders usually use this scenario to access the available information. The intruder sends a malicious file, such as a Word or Excel document or a photo, as shown in the three attempts. Attackers used payloads to exploit the targets, and in the simulation they used Metasploit to create an infected rootkit or file. When the target opens the infected file, the attacker can obtain the user's information and maintain access to the system. The intruder can also harvest the administrator's credentials, as shown in Figure 68.
Figure 68: Attack tree of the APT attack for the three attempts
5.2.3 Kill Chain
The kill chain helps to analyse several intrusions over time, overlapping their indicators and identifying commonalities. Moreover, it provides a highly dimensional correlation among the kill chain phases. Defenders and incident response teams can recognise and define intrusion campaigns and then connect these activities to a particular persistent threat. Consistent indicators become key indicators and help incident response teams to prioritise the development and maintenance of courses of action. Figure 11 illustrates the indicators of the three attempts, which have different degrees of correlation but often align and identify these key indicators. The less volatile indicators allow the response teams to predict the characteristics of future intrusions. One of the objectives of the new framework is identifying the patterns, behaviours, techniques, tactics and procedures of the intruders. Table 2 connects the kill chain with the behaviour and indicators of the intruders. The incident response team can defend the system by identifying the phase of the attack: when the attacker sends the infected file (as in the three attempts of the experiment), the attacker is in the third phase of the kill chain and is trying to exploit the network system. If the security framework fails to detect the malicious file, the defender can still monitor the traffic in and out of the network and of each host.
Table 2 (reconstructed from the extracted layout; the three columns are attempts 1, 2 and 3):
Delivery
  Attempt 1: the email includes subject, body and attachment (Word document)
  Attempt 2: the email includes subject, body and attachment (Excel sheet)
  Attempt 3: the email includes subject, body and attachment (Photo)
Row between Delivery and Installation (label lost in extraction; the same two fragments appear in two of the columns)
  embedded_win_api - A non-Windows executable contains win32 API function names
  shellcode - Matched shellcode byte patterns
  [... with Veil]
Installation
  Files: C:\...\IEXPLORE.hlp; C:\...\IEUpd.exe; C:\Program Files\Microsoft Office\Office12\Normal.dotm; C:\Documents and Settings\User\Application Data\Microsoft\Templates\Normal.dotm; C:\Documents and Settings\User\Application Data\Microsoft\Templates\~$Normal.dotm
  Libraries: msvcp90.dll, msvcr90.dll, python27.dll, _socket.pyd, _ssl.pyd, select.pyd, _ctypes.pyd, msvcm90.dll, bz2.pyd, _hashlib.pyd
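The correlation described in Sections 5.2.1 and 5.2.3, in which indicators of several intrusions are laid over the kill chain phases and the common ones are used to catch the next attempt earlier, can be written as a small program. The following added example (not from the dissertation or from AlienVault) does this over constructed indicator sets loosely modelled on the three attempts (sender, department, attachment type, macro keywords, PE indicators and the handler's address and port); the indicator strings, phase names and scoring are assumptions made for the illustration.

```python
# Added illustration (not from the dissertation): correlating indicators of the
# three attempts across kill chain phases. Indicator values below are constructed
# from the attempts as described in the text (sender, department, attachment type,
# macro keyword, PE indicators, and the C2 address/port used by the handler).
from collections import defaultdict

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

ATTEMPTS = {
    "attempt_1": {
        "delivery": {"sender:John Smith", "lure:invoice reminder", "attachment:docm"},
        "exploitation": {"macro:AutoOpen"},
        "command_and_control": {"dst:192.168.52.131:443"},
    },
    "attempt_2": {
        "delivery": {"sender:John Smith", "department:HR", "attachment:xlsm"},
        "exploitation": {"macro:AutoOpen", "macro:Shell", "macro:Lib"},
        "installation": {"behaviour:installs hooks/patches the running process"},
        "command_and_control": {"dst:192.168.52.131:443"},
    },
    "attempt_3": {
        "delivery": {"department:HR", "attachment:jpg"},
        "exploitation": {"pe:checksum mismatch", "pe:unusual entropy section"},
        "installation": {"behaviour:installs hooks/patches the running process",
                         "behaviour:drops executable files"},
        "command_and_control": {"dst:192.168.52.131:443"},
    },
}


def shared_indicators(attempts: dict, min_attempts: int = 2) -> dict:
    """{phase: {indicator: [attempt ids]}} for indicators seen in >= min_attempts intrusions."""
    seen = defaultdict(lambda: defaultdict(list))
    for attempt_id, phases in attempts.items():
        for phase, indicators in phases.items():
            for ind in indicators:
                seen[phase][ind].append(attempt_id)
    return {phase: {ind: ids for ind, ids in inds.items() if len(ids) >= min_attempts}
            for phase, inds in seen.items()
            if any(len(ids) >= min_attempts for ids in inds.values())}


def known_indicators(attempts: dict, attempt_ids) -> set:
    """Everything learned from previously analysed attempts."""
    return {ind for a in attempt_ids for inds in attempts[a].values() for ind in inds}


def earliest_detectable_phase(attempt: dict, known: set):
    """First kill chain phase at which a new intrusion matches a known indicator;
    the earlier the phase, the less the intruder achieves before being stopped."""
    for phase in KILL_CHAIN:
        hits = attempt.get(phase, set()) & known
        if hits:
            return phase, sorted(hits)
    return None, []


def campaign_overlap(attempts: dict, a: str, b: str) -> float:
    """Jaccard similarity of two attempts' indicator sets, a crude 'same campaign' score."""
    ia = known_indicators(attempts, [a])
    ib = known_indicators(attempts, [b])
    return len(ia & ib) / len(ia | ib)


if __name__ == "__main__":
    for phase, inds in shared_indicators(ATTEMPTS).items():
        for ind, ids in inds.items():
            print(f"{phase:22s} {ind:55s} {ids}")
    known = known_indicators(ATTEMPTS, ["attempt_1", "attempt_2"])
    print("attempt_3 first detectable at:", earliest_detectable_phase(ATTEMPTS["attempt_3"], known))
```

Run on these sets, the only indicator common to all three attempts is the command-and-control destination, the AutoOpen macro links the first two, and the targeted department links the last two; once the first two attempts have been analysed, the third would already match at the delivery phase, before the photo is opened.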
1- Dashboards
The security analyst or the incident response team can get an overview of the network from the dashboards, as shown in Figure 69. The dashboards contain security events; the top 10 event categories; the latest SIEM vs. logger events; host events; and SIEM events by sensor. AlienVault USM succeeded in reducing or preventing APT in the three attempts. The USM report can be seen in Appendix 1.
Figure 69: Dashboards overview
2- Analysis
AlienVault allows defenders to analyse the vulnerabilities of the network and hosts, as shown in Figure 70. The sensors, IDS and firewall of AlienVault were configured in the previous chapter so that AlienVault can detect vulnerabilities in real time or at scheduled times.
Figure 70: AlienVault vulnerability scan
AlienVault can also scan the ports of one or more hosts in the network, as shown in Figure 71.
AlienVault USM records all events and enables the incident response team or defender to check the various events and investigate whether an incident is harmful or not. The events in Figure 72 can be used as indicators of APT that enable defenders to reduce risk.
The real-time vulnerability analysis, in addition to SIEM and IDS, succeeded in detecting the malicious files in the first and second attempts. Figure 73 shows the results of the analysis, which include a port scan and suspicious behaviour.
Figure 73: The result of analysis
AlienVault can be linked to the kill chain to identify the phase of the attack, as it informs defenders about reconnaissance and port scan activities. Figure 74 shows further details of the scan results, including statistics of total events, duration and elapsed time.
The incident response team can use USM to determine a vulnerability's priority, creation time, status and type, as shown in Figure 75.
3- Environment
USM allows the incident response team to understand the risk that threatens the network and shows the results graphically. Figure 76 illustrates the current vulnerabilities by severity: the graph for host 192.168.0.119 shows 4 high, 1 medium and 17 low severity vulnerabilities. Appendix 1 shows the full report of the vulnerabilities and the malicious files.
Figure 76: Current vulnerability according to severity
Event trends and HIDS data sources are shown graphically in Figure 77. The defender can easily read the chart and identify threats and risks from IDS, invalid login, syscheck, system error, Windows and authentication-success events by clicking on the type of data source to see more details.
Figure 77: HIDS event trends and data source
When the incident response team or the security analyst clicks the HIDS chart or a particular host, AlienVault redirects to another window containing further details, such as vulnerabilities, alarms, events, software, services and groups, as shown in Figure 78. Host 192.168.0.119 has some high-severity vulnerabilities, such as DCE Services Enumeration, 3com switch2hub and buffer overflow.
Figure 78: Vulnerability and service of host 192.168.0.119
4- Reports
The reports in Figure 79 show the results of previous scans and alarm reports; the defender can see further details by clicking the required report. For example, when the incident response team clicks the Malware Alarm, USM shows details of how the SIEM succeeded in preventing the first and second attempts (see Appendix 1).
5.2.5 Sandbox
The sandbox results are based on Malwr, which provides malware analysis services using Cuckoo Sandbox and VirusTotal, and on VxStream Sandbox v3.30, which is powered by Payload Security. Online sandboxes are a good way to test and analyse files and so improve security. Appendices 2, 3 and 4 contain the full reports of Cuckoo Sandbox and VxStream Sandbox v3.30, including the VirusTotal scan. Below are six screenshots from the reports that help to detect the malicious files. The incident response team can use online sandboxes to investigate an incident and support the other security solutions, such as SIEM, IDS, firewall and antivirus. The results of using the online sandboxes in the three attempts are as follows:
- Attempt 1
The online Cuckoo Sandbox powered by Malwr displays the hashes of the file uploaded to the server, as shown in Figure 80.
Figure 81: The result of scanning document with VirusTotal
- Attempt 2
The hash of the Excel sheet, displayed in Figure 82, is analysed with Malwr.
Figure 82: Hash of the document uploaded in the second attempt
The scan results in Figure 83 indicate that only Avast and ClamAV detected the malicious file.
Figure 83: The result of scanning the Excel sheet in the second attempt
- Attempt 3
The hash of the photo uploaded to the Malwr server is analysed, as shown in Figure 84.
Figure 84: Hash of the document uploaded in the third attempt
The scan results in Figure 85 indicate that several security solutions detected the malicious file.
Figure 85: The result of scanning the JPG photo in the third attempt
5.3 Compare Frameworks
As can be seen from the previous sections, the new framework succeeded in detecting the malicious files in all three attempts, which allows these types of APT to be detected and mitigated by using different security solutions: SIEM, HIDS, NIDS and sandbox. The traditional methods, which used antivirus and anti-spyware, failed to detect or prevent the APT. The new framework therefore provides appropriate methods for detecting APT. Table 3 shows the comparison between the experiment results of both groups.
Chapter 6. CONCLUSIONS
The main goal of the dissertation was to determine whether the framework could help the incident response team to identify the objectives, intent and strategies of the attacker and then respond correctly to these APTs; moreover, the framework can map the numerous links, relationships and procedures. The next section of this chapter (6.2) examines how the four main aims and objectives of this dissertation were met. A critical analysis of the new framework and the experiments is presented in Section 6.3, whereas 6.4 discusses future work related to the subject of the dissertation.
There are four main aims and objectives, outlined in Chapter 1, that must be met to complete the dissertation:
1. To research and review IRs and APTs, covering various topics such as traditional IR, APTs, indicators and the indicator life cycle, cyber adversaries, threat models, the kill chain and Security Information and Event Management systems (SIEM).
2. Design and implement a new framework.
3. Provide two simulations of an attack over a virtual network, tested by two groups in a user study. The first simulation uses the framework model of Multi-Stage attacks and imports log data from different sources into the SIEM for analysis, while the second simulation represents the original approach.
4. The results of the evaluation from the two groups will show whether the framework model of Multi-Stage attacks can identify and detect APTs, compared with the second simulation with default security settings.
6.1.1 Objective 1
The first objective was met in Chapters 2 and 3. The literature review discussed incident response and its phases, reviewed the different meanings of APT and the phases of an APT (intelligence gathering, point of entry, command and control, lateral movement, asset discovery and data exfiltration) and connected them to the kill chain. Chapter 3 covered SIEM and indicators of attack in further detail.
6.1.2 Objective 2
Designing and implementing a new framework was the second objective. A Multi-Stage simulation model was designed in Chapter 2 and implemented in Chapter 3. The new framework includes various components, such as antivirus, firewalls, HIDS/NIDS, SIEM, indicators, attack tree, kill chain and sandbox. The new framework succeeded in identifying the attacker's current phase and applying the defence mechanism that helps to detect and prevent APT.
6.1.3 Objective 3
The third objective was met in Chapter 4 by conducting experiments for both groups: three attack attempts were launched against each approach (traditional and new framework) to test its ability to detect and prevent APT.
6.1.4 Objective 4
The final objective was met in Chapter 5 by evaluating the results of the two groups. The new Multi-Stage framework model succeeded in identifying and detecting APTs compared with the traditional approach: the traditional approach detected only one attack and failed to detect the other, more advanced attacks, while the new framework prevented and reduced or eliminated the APT.
The aims and objectives of this dissertation have been met, as shown in Section 6.1. This section provides a critical analysis of the Multi-Stage simulation model and the experiments that were carried out. The new framework succeeded in detecting the APT, but the simulation covers only a limited number of attacks. In reality, an incident response team works in a corporation with thousands of employees spread over several countries and cannot apply the full framework to every incident. For example, a sandbox is a good technology that allows the incident response team to detect malware and malicious files, but it is difficult to apply to thousands of incidents in limited time. Moreover, the simulation scenario first installs the SIEM, antivirus and other technologies and then launches the attack to measure whether the new framework detects it; it does not study the case in which the attacker is already inside the network and operates low and slow.
A strength, on the other hand, is that if the attacker carried out the APT over a much longer period of time, the incident response team could connect the separate incidents using the kill chain, monitoring traffic and log data from a variety of sources (firewall, SIEM software, Intrusion Detection System, etc.) on the network to detect the APT.
REFERENCES
Anderson, J. P. (1980). Computer security threat monitoring and surveillance (Vol. 17). Technical report, James P. Anderson Company, Fort Washington, Pennsylvania.
Bhatt, P., Toshiro Yano, E. and Gustavsson, P. M. (2014). Towards a Framework to Detect Multi-stage Advanced Persistent Threats Attacks. In Service Oriented System Engineering (SOSE), 2014 IEEE 8th International Symposium on (pp. 390-395). IEEE.
Bhatt, S., Manadhata, P. K. and Zomlot, L. (2014). The operational role of security information and event management systems. Security & Privacy, IEEE, 12(5), pp. 35-41.
Chappel, M. (2014). Endpoint Threat Detection, Response and Prevention for Dummies. John Wiley & Sons, Inc., pp. 12-17.
Chen, P., Desmet, L. and Huygens, C. (2014). A Study on Advanced Persistent Threats. In Communications and Multimedia Security (pp. 63-72). Springer Berlin Heidelberg.
Cole, E. (2012). Advanced persistent threat: understanding the danger and how to protect your organization. Newnes.
Coughanour, D. (2014). Remote forensics in incident response. Master's degree. Utica College.
Cichonski, P., Millar, T., Grance, T. and Scarfone, K. (2012). Computer security incident handling guide. NIST Special Publication 800-61.
Dan, M. (2013). APT1: Exposing One of China's Cyber Espionage Units. [online] mandiant.com. Available at: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf [Accessed 4 Oct. 2015].
Dempster, P. (2015). Brute Force Attack Detection and Mitigation using a SIEM Architecture. Undergraduate. Edinburgh Napier University.
Edge, K. S., Dalton, G. C., Raines, R. and Mills, R. F. (2006). Using attack and protection trees to analyze threats and defenses to homeland security. In Military Communications Conference, 2006. MILCOM 2006. IEEE (pp. 1-7). IEEE.
Field, T. (2013). The Need for Speed: 2013 Incident Response Survey. [online] ismgcorp.com. Available at: http://docs.ismgcorp.com/files/handbooks/Incident-Response-Survey-2013/fireeye_Incident_response_survey_report.pdf [Accessed 22 Nov. 2015].
FireEye (2012). Cyber Attacks on Government: How APT Attacks are Compromising Federal Agencies and How to Stop Them. [online] Available at: http://www.locked.com/sites/default/files/Cyber-Attacks-on-Government-White-Paper.pdf [Accessed 10 Nov. 2015].
Forrest, S., Hofmeyr, S., Somayaji, A. and Longstaff, T. (1996). A sense of self for unix processes. In Security and Privacy, 1996. Proceedings., 1996 IEEE Symposium on (pp. 120-128). IEEE.
Flåten, O. and Lund, M. S. (2014). How Good are Attack Trees for Modelling Advanced Cyber Threats? Norsk informasjonssikkerhetskonferanse (NISK), 7(1).
Fuzzy Security (n.d.). FuzzySecurity | Exploits: MS14-064 OLE Automation Array Remote Code Execution. [online] Fuzzysecurity.com. Available at: http://www.fuzzysecurity.com/exploits/21.html [Accessed 14 Feb. 2016].
Garofalo, A., Di Sarno, C., Matteucci, I., Vallini, M. and Formicola, V. (2014). Closing the loop of SIEM analysis to Secure Critical Infrastructures. arXiv preprint arXiv:1405.2995.
Ginter, A. (2012). DuQu, Stuxnet, APT and Other Failures of ICS Security. [online] waterfall-security.ca. Available at: http://waterfall-security.ca/resources/wf-afpm-failures-P-12-02.pdf [Accessed 22 Nov. 2015].
Giura, P. and Wang, W. (2012). A context-based detection framework for advanced persistent threats. In Cyber Security (CyberSecurity), 2012 International Conference on (pp. 69-74). IEEE.
Haq, T. and Khalid, Y. (2013). Internet Explorer 8 Exploit Found in Watering Hole Campaign Targeting Chinese Dissidents. Threat Research. [online] FireEye. Available at: https://www.fireeye.com/blog/threat-research/2013/03/internet-explorer-8-exploit-found-in-watering-hole-campaign-targeting-chinese-dissidents.html [Accessed 7 Nov. 2015].
Heady, R., Luger, G. F., Maccabe, A. and Servilla, M. (1990). The architecture of a network level intrusion detection system. Department of Computer Science, College of Engineering, University of New Mexico.
ISACA (2013). Advanced Persistent Threats: How to Manage the Risk to your Business. ISACA.
Jackson, K. (2010). 'Aurora' Attacks Still Under Way, Investigators Closing In On Malware Creators. [online] Dark Reading. Available at: http://www.darkreading.com/attacks-breaches/aurora-attacks-still-under-way-investigators-closing-in-on-malware-creators/d/d-id/1132922 [Accessed 10 Nov. 2015].
Jeong, H. Y., Obaidat, M. S., Yen, N. Y. and Park, J. J. J. H. (Eds.) (2013). Advances in Computer Science and its Applications: CSA 2013 (Vol. 279). Springer Science & Business Media.
jitpukdebodin, S. (2015). Howto: Embedding Veil Powershell payloads into Office Documents. [Blog] Offensive Security Blog. Available at: http://www.r00tsec.com/2014/06/howto-embedding-veil-powershell.html [Accessed 14 Feb. 2016].
Joint Task Force Transformation Initiative (2011). Managing Information Security Risk: Organization, Mission, and Information System View. NIST Special Publication 800-39.
Kaspersky (2013). The Icefog APT: A Tale of Cloak and Three Daggers. [online] Available at: http://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/icefog.pdf
Knapp, E. D. and Langill, J. T. (2014). Industrial Network Security: Securing critical infrastructure networks for smart grid, SCADA, and other Industrial Control Systems. Syngress.
Koskei, J. K. (2008). An attacker intention discovery layer for intrusion detection systems using hidden Markov models. Doctoral dissertation, Oklahoma State University.
Li, Q. and Clark, G. (2015). Security Intelligence: A Practitioner's Guide to Solving Enterprise Security Challenges. John Wiley & Sons.
Mandiant (2013). APT1: Exposing One of China's Cyber Espionage Units. [online] intelreport.mandiant.com. Available at: http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf [Accessed 22 Nov. 2015].
Makrushin, D. (2015). Indicators of compromise as a way to reduce risk. [online] Securelist.com. Available at: https://securelist.com/blog/security-policies/71915/indicators-of-compromise-as-a-way-to-reduce-risk/ [Accessed 6 Dec. 2015].
Malwr (2016). Malwr - Malware Analysis by Cuckoo Sandbox. [online] Malwr.com. Available at: https://malwr.com/about/ [Accessed 28 Feb. 2016].
McAfee (2016). Trusted anti-virus for every device you own | McAfee AntiVirus Plus. [online] Mcafee.com. Available at: https://www.mcafee.com/consumer/en-us/store/m0/catalog/mav_512/mcafee-antivirus-plus.html?pkgid=512#sthash.QuENQ1FS.dpuf [Accessed 13 Feb. 2016].
McAfee (2014). McAfee AntiVirus Plus. [online] mcafee.com. Available at: http://download.mcafee.com/products/manuals/en-us/MAV_DataSheet_2015.pdf [Accessed 13 Feb. 2016].
Miwa, S., Miyachi, T., Eto, M., Yoshizumi, M. and Shinoda, Y. (2007). Design issues of an isolated sandbox used to analyze malwares. In Advances in Information and Computer Security (pp. 13-27). Springer Berlin Heidelberg.
Nicolett, M. and Kavanagh, K. M. (2012). Critical capabilities for security information and event management. Gartner RAS Core Research (ID: G00227900).
Nicolett, M. and Kavanagh, K. M. (2011). Magic quadrant for security information and event management. Gartner RAS Core Research Note (May 2009).
Nige Security Guy (2013a). APT Detection Indicators - Part 1. [online] Nige the Security Guy. Available at: https://nigesecurityguy.wordpress.com/2013/12/12/apt-detection-indicators-part-1/ [Accessed 6 Dec. 2015].
Nige Security Guy (2013b). APT Detection Indicators - Part 2. [online] Nige the Security Guy. Available at: https://nigesecurityguy.wordpress.com/2014/01/10/apt-detection-indicators-part-2/ [Accessed 6 Dec. 2015].
Payload Security (2016). Frequently Asked Questions · Free Automated Malware Analysis Service - powered by VxStream Sandbox. [online] Hybrid-analysis.com. Available at: https://www.hybrid-analysis.com/faq [Accessed 28 Feb. 2016].
Pernet, C. (2007). APT Kill chain - Part 2: Global view. Airbus D&S CyberSecurity blog. [online] Blog.airbuscybersecurity.com. Available at: http://blog.airbuscybersecurity.com/post/2014/04/APT-Kill-chain-Part-2-%3A-Global-view [Accessed 3 Jan. 2016].
Prosise, C. and Mandia, K. (2003). Incident response & computer forensics (p. 11). McGraw-Hill/Osborne.
Pidawekar, L. (2014). APT – Will the current incident response methodologies be effective? [online] Available at: https://dl.packetstormsecurity.net/papers/general/apt-ir-effectiveness.pdf [Accessed 4 Oct. 2015].
Rapid7 Community (2011). Metasploit: Meterpreter HTTP/HTTPS Communication | Rapid7 Community. [online] Community.rapid7.com. Available at: https://community.rapid7.com/community/metasploit/blog/2011/06/29/meterpreter-httphttps-communication [Accessed 14 Feb. 2016].
Rockefeller, C. (2014). A "Kill Chain" Analysis of the 2013 Target Data Breach. [online] www.covert.io. Available at: http://www.covert.io/research-papers/security/A%20Kill%20Chain%20Analysis%20of%20the%202013%20Target%20Data%20Breach.pdf [Accessed 3 Jan. 2016].
Scarfone, K. A., Grance, T. and Masone, K. (2008). SP 800-61 Rev. 1. Computer Security Incident Handling Guide. Technical Report. NIST, Gaithersburg, MD, United States.
Schilling, J. and Jackson, D. (2013). Breaking the Kill Chain. [online] Brighttalk.com. Available at: https://www.brighttalk.com/webcast/10979/111867 [Accessed 18 Dec. 2015].
Schilling, J. and Jackson, D. (2015). Breaking the Kill Chain. [online] Brighttalk.com. Available at: https://www.brighttalk.com/webcast/10979/111867 [Accessed 18 Dec. 2015].
Shioya, T., Oyama, Y. and Iwasaki, H. (2007). A sandbox with a dynamic policy based on execution contexts of applications. In Advances in Computer Science – ASIAN 2007. Computer and Network Security (pp. 297-311). Springer Berlin Heidelberg.
Jajodia, S., Shakarian, P., Subrahmanian, V. S., Swarup, V. and Wang, C. (2015). Cyber Warfare: Building the Scientific Foundation. Springer.
Thales (2014). Thales Cyber Incident Response: Dealing with Targeted Attacks in Multinational Corporations. [online] thalesgroup.com. Available at: https://www.thalesgroup.com/sites/default/files/asset/document/thales_cyber_incident_response_0.pdf [Accessed 4 Oct. 2015].
The Security Sleuth (2015). Using Veil to bypass antivirus and disguise a Metasploit backdoor. [online] security-sleuth.com. Available at: http://www.security-sleuth.com/sleuth-blog/2015/2/3/using-veil-with-metasploit [Accessed 14 Feb. 2016].
Trend Labs APT Research Team (2012). Spear-Phishing Email: Most Favored APT Attack Bait. [online] trendmicro.co.uk. Available at: http://www.trendmicro.co.uk/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf [Accessed 7 Nov. 2015].
Torres, A. (2014). Incident Response: How to Fight Back. [online] Sans.org. Available at: https://www.sans.org/reading-room/whitepapers/analyst/incident-response-fight-35342 [Accessed 4 Oct. 2015].
at: https://www.us-cert.gov/government-users/reporting-requirements [Accessed 1 Nov. 2015].
Wright, Schroh, Proulx, Skaburskis and Cort (2006). The Sandbox for analysis: concepts and methods. In Proceedings of the SIGCHI conference on Human Factors in computing systems (pp. 801-810). ACM.
Verizon (2015). Quantify the impact of a data breach with new data from the 2015 DBIR. 2015 Data Breach Investigations Report. [online] Verizon, pp. 8-24. Available at: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf [Accessed 22 Nov. 2015].
Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M. and Geers, K. (2013). Operation Ke3chang: Targeted Attacks Against Ministries of Foreign Affairs. Executive Research. [online] FireEye. Available at: https://www.fireeye.com/blog/executive-perspective/2013/12/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs.html [Accessed 22 Nov. 2015].
Virvilis, N. and Gritzalis, D. (2013). The big four: what we did wrong in advanced persistent threat detection? In Availability, Reliability and Security (ARES), 2013 Eighth International Conference on (pp. 248-254). IEEE.
Virvilis, N., Gritzalis, D. and Apostolopoulos, T. (2013). Trusted Computing vs. Advanced Persistent Threats: Can a defender win this game? In Ubiquitous Intelligence and Computing, 2013 IEEE 10th International Conference on and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC) (pp. 396-403). IEEE.
Zulkefli, Z., Singh, M. M. and Malim, N. H. A. H. (2015). Advanced Persistent Threat Mitigation Using Multi Level Security – Access Control Framework. In Computational Science and Its Applications - ICCSA 2015 (pp. 90-105). Springer International Publishing.
APPENDICES
Appendix 1
Job Name: Scan1
Scan time: 2016-02-12 07:17:30
Profile: Ultimate - Full and Fast including Destructive tests
Generated: 2016-02-12 09:11:22
Host summary (HostIP, HostName, High, Med, Serious, Low, Info): 192.168.0.1, Host-192-168-0-1; 192.168.0.119, Host-192-168-0-119
High:
An attacker may use this fact to gain more knowledge about the remote host.
Solution: filter incoming traffic to this port.
High
Endpoint: ncacn_ip_tcp:192.168.0.119[49153]
Annotation: Security Center
Endpoint: ncacn_ip_tcp:192.168.0.119[49154]
Annotation: AppInfo
UUID: 367abb81-9844-35f1-ad32-98f038001003, version 2
Endpoint: ncacn_ip_tcp:192.168.0.119[49166]
An attacker may use this fact to gain more knowledge about the remote host.
CVSS Base Score: 5.0
High:
Summary: Detects 3com switch2hub vuln
Description: The remote host on the local network seems to be connected through a switch which can be turned into a hub when flooded with MAC addresses. This turns the switch into learning mode, where traffic goes everywhere. An attacker may use this flaw in the remote switch
Solution: Lock MAC addresses on each port of the remote switch or buy a newer switch.
CVSS Base Score: 7.8
CVSS Base Vector:
Family name: Denial of Service
Category: denial
Copyright: (C) 2009 Vlatko Kosturjak
Version: $Revision: 2244 $
High:
Easy File Management Web Server USERID Buffer Overflow Vulnerability
Risk: High
Application: general
Port: 0
Protocol: tcp
ScriptID: 805096
Summary: The host is running Easy File Management Web Server and is prone to a buffer overflow vulnerability.
Insight: The flaw is due to an error when processing web requests and can be exploited to cause a buffer overflow via an overly long string passed to USERID in a HEAD or GET request.
Appendix 2
Quick Overview
Appendix 3
Quick Overview
Screenshots
Antivirus
Behavioural Analysis
Dropped Files
Appendix 4
Quick Overview
Appendix 5
Project Title: Cyber incident response and new framework for the APT
DA Class ID: UKL1.CKIT.702.H00023862
The Specification:
The main hypothesis of the dissertation is that a complex multistage framework solution can limit and reduce the damage of a cyber attack and improve the detection of advanced persistent threats. Long-term, sophisticated attacks target companies, governments and political activists, and such incidents occur across many industries. Figure 1 shows a survey of 19 industries and each industry's share of incident response cases: the technology/IT sector has the highest share (15%), while engineering and consulting account for 0.5% (Torres, 2014).
Multinational corporations can be spread over several countries, and for them establishing a strong defence against multi-vectored APT is very important. Figure 2 shows the numerous challenges faced by companies, governments, political activists, etc. APT campaigns may seek financial benefit for the country involved through the theft of valuable information and intellectual property, where industry and government are closely related (Thales, 2014).
Figure 2: Cyber Incident Response for multinational corporations (Thales, 2014).
1. To research and review IRs and APTs, covering various topics such as traditional IR, APTs, indicators and the indicator life cycle, cyber adversaries, threat models, the kill chain and Security Information and Event Management systems (SIEM).
2. Design and implement a new framework.
3. Provide two simulations of an attack over a virtual network, tested by two groups in a user study. The first simulation uses the framework model of Multi-Stage attacks and imports log data from different sources into the SIEM for analysis, while the second simulation represents the original approach.
4. The results of the evaluation from the two groups will show whether the framework model of Multi-Stage attacks can identify and detect APTs, compared with the second simulation with default security settings.
Proposed solution
The proposed framework allows the incident response team to detect APTs more efficiently and improves the team's knowledge of the phases of the attack by identifying and detecting various indicators of the adversary's activity. The multistage framework can be described as multi-layered security components. The new framework (shown in Figure 5) includes layer 1, which contains antivirus, NIDS/HIDS, firewall, etc. The logs of the layer 1 components are fed to the SIEM in layer 2, which raises alerts and warnings. The incident response team can use these alerts and indicators to draw the attack tree and connect the parts of a complex attack, then identify the phase of the attack according to the kill chain. The team can use the sandbox to test suspicious files that may be infected with malware. A top-down design methodology breaks the larger process into smaller ones through analysis of the intrusion kill chain, SIEM and robust indicator maturity. The artefact includes a model, the processes and a framework representing solutions to APTs.
Literature Survey:
An incident is an adverse event that causes potential harm to data or a system, while response is the action taken by the incident response team to understand the incident and then recover operations to normal status (Cole, 2012). Computer security incidents are frequently complex, so a complex or large problem should be divided into components, and the inputs and outputs of each component tested and examined (Pidawekar, 2014). Seven main phases of incident response are presented in Figure 1, as follows:
• Pre-incident preparation: preparing the organisation before the incident begins.
• Detection of incidents: identify the potential and possible security incident.
• Initial response: investigate and record all the details of the incident, then inform the persons who should know about it.
• Formulate response strategy: according to the known facts, determine the best response and action to be taken.
• Investigate the incident: re-assess the data collected to understand and decide when it happened and what happened, and determine possible methods to prevent it in the future.
Prosise and Mandia (2003) mention seven main components of incident response and show the relationship and order of the components in Figure 4:
“If you go back to the definition of security being protection, detection and response, this
feels like the last area that needs work, and the idea of incident response coordination
and working on a response is really important and something that isn’t there.”
Schneier emphasises the importance of having prevention and detection procedures together with an operational incident response plan. We cannot eliminate all threats, but we can mitigate them more quickly. APT prevention measures should include Data Loss Prevention technologies, firewalls, and management solutions such as IPS, AV and IDS. In the case of APT, an effective response strategy allows the incident response team to prevent and detect more efficiently (Prosise and Mandia, 2003).
In 2012, Mandiant's APT report showed that 54% of compromised machines had malware, whereas 100% of the analysed attacks used stolen credentials during the intrusion. Meanwhile, Symantec's report described 18 zero-day vulnerabilities that had been exploited for up to 30 months before public disclosure. In 2014, Mandiant reported that threat actors remained undetected for about 229 days, as identifying and detecting attacks has become more difficult. Moreover, third parties such as content management service providers or cloud providers often inform organisations about an attack, but these organisations may have been compromised 6-9 months before the attack was detected. Incident response is very important in order to minimise the damage of an attack; it starts from the moment the attack is detected until the organisation has recovered to normal status, and it makes sure the attack does not happen again. One of the main characteristics of an APT is its persistence; as a result, the incident response team has to eradicate the attack as soon as possible (Dan, 2013). In order to deal with APT, the incident response plan should have several methods to prevent, detect and respond, in addition to managing zero-day vulnerabilities, new malware, etc. If the company holds top-secret data, APT incident response must have priority in its business strategy and information security programme.
The new framework is the research method used to achieve the goals and hypotheses of the dissertation. A case study is simulated to show the benefits and effectiveness of the new framework in limiting or reducing the APT. Two groups test and evaluate the framework: Group A uses the simulation of the new framework, whilst Group B uses the original method in the second simulation. The case study scenario represents an adversary attempting to attack the network by leveraging a 'zero-day' vulnerability and a brute-force attack. Since every defence has blind spots, an Intrusion Detection System (IDS) can be effective: if the intruder triggers one or more registered detection rules, alerts are generated, although false positives and false negatives are common. The antivirus, on the other hand, cannot detect the malware, as its signature does not exist in the database. Moreover, vulnerabilities can exist for a long time, and users, even those who access sensitive assets, usually lack awareness and adequate training. If the adversary discovers these vulnerabilities via network reconnaissance or in combination with social engineering, this may allow the attacker to launch serious attacks.
The two user groups obtain data from the components of the new framework and the original approach respectively. For example, the case study is applied to both frameworks and the users of Group A get results and alerts from the SIEM, HIDS/NIDS, sandbox tools, etc. These results are analysed and compared with the results of the original approach.
Skills Description
There are several tools and software that will be used in the simulation, as shown in Table 2.
Category: SIEM
Software: Splunk / AlienVault
Purpose: Splunk is a SIEM that can index, capture and correlate real-time data in a searchable repository. Splunk can also generate reports, graphs, dashboards, alerts and visualizations.
The aim of this project is to determine whether using a complex multistage framework solution will limit or reduce the damage of a cyber attack and whether it will help the incident response team to detect advanced persistent threats. In order to design and create the required Multi-Stage simulation model, security layers are designed to achieve the goals and objectives of the project. Figure 5 shows the components of the framework: logging modules, SIEM, indicators, attack tree, kill chain and sandbox. Each of these components is briefly discussed below; the defence mechanism is then identified (Table 3) by linking all the components of the framework, such as HIDS, SIEM, kill chain, sandbox, etc. Identifying the attacker's current phase and applying the corresponding defence mechanism helps to detect and prevent APT.
- SIEM
According to Nicolett and Kavanagh (2011), Security Information and Event Management (SIEM) systems are implemented to meet compliance reporting requirements and to improve the handling of security incidents, and they allow the organisation to collect and analyse security events and information across networked infrastructures. Organisations implement SIEM systems for many reasons, such as insider threats, compliance requirements and the costs of security incidents and recovery (Dempster, 2015). Furthermore, a SIEM can detect internal and external threats, monitor database access, servers and user actions, and provide analytic capabilities to the incident response team (Nicolett and Kavanagh, 2012). A SIEM can also be used in forensic analysis and is considered a valuable asset in protecting critical infrastructures, as it helps track and identify the attacker and provide evidence to a court (Garofalo et al., 2014). There are numerous SIEM vendors and products, such as Splunk, AlienVault, ArcSight and Q1 Labs. These products share the same basic functions and provide the services below (Dempster, 2015):
Collection: collecting logs from various sources such as servers, network devices, applications, databases and security devices.
Consolidation: aggregating and normalising the log data.
Correlation: linking related log events into categories to detect and identify threats.
Communication: generating an alert when an attack is detected in the correlation phase.
Control: controlling the storage of data and how it is stored.
- Indicators
• Atomic indicators: these cannot be divided into smaller parts and keep their meaning in the context of an intrusion, such as vulnerability identifiers, email addresses and IP addresses.
• Computed indicators: these are derived from data involved in an incident, such as regular expressions and hash values.
• Behavioural indicators: these are combinations of atomic and computed indicators, which may be qualified by quantity; for instance, the intruder may initially use a backdoor that generates network traffic matching a regular expression at a given rate to a given IP address, and then replace it with one matching a known MD5 hash once access is established.
The incident response team needs to analyse these indicators, leverage them in its tools and apply them whenever they match discovered activity, which may in turn lead to additional indicators. Figure 6 shows the cycle between these actions and the indicators over the indicator lifecycle (Hutchins, Cloppert and Amin, 2014; Nige Security Guy, 2013b).
Figure 6: Indicator life cycle states (Hutchins, Cloppert and Amin, 2014)
- Attack Tree
An attack tree is a technique used to analyse and describe attacks against a system; the incident response team can use it to conduct security analysis. For example, malware has evolved from simple programs into self-replicating ones, and in some cases antivirus and other technologies cannot stop them easily. These threats seek valuable military or economic data and may persist for a long time; this is known as an APT. According to Flaten and Lund (2014), an attack tree is useful for modelling an APT, as it provides a good overview of a threat and can support other models in understanding the threat.
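An added example of an attack tree as the incident response team would use it for analysis: AND/OR nodes over leaf actions, with the defender asking which combination of leaves still reaches the root goal after a given mitigation, and at what attacker cost. The tree, the leaf names and the cost scale are constructed for illustration and are not taken from Flaten and Lund (2014) or from the dissertation.

```python
"""Attack tree with AND/OR nodes: cheapest remaining attacker path and the
effect of mitigating individual leaves (added example, constructed tree)."""
from dataclasses import dataclass, field
from typing import List

INF = float("inf")


@dataclass
class Node:
    name: str
    kind: str = "leaf"          # "leaf", "or" or "and"
    cost: int = 0               # attacker effort for a leaf (constructed relative scale)
    mitigated: bool = False     # a mitigated leaf is treated as unachievable
    children: List["Node"] = field(default_factory=list)


def min_cost(node):
    """Cheapest attacker cost to achieve `node`; INF if every path is mitigated."""
    if node.kind == "leaf":
        return INF if node.mitigated else node.cost
    costs = [min_cost(c) for c in node.children]
    if node.kind == "or":
        return min(costs)       # OR: any one child suffices
    return sum(costs)           # AND: every child must be achieved


def cheapest_path(node):
    """Leaves making up the cheapest unmitigated path to `node`, or [] if none remains."""
    if node.kind == "leaf":
        return [] if node.mitigated else [node.name]
    if node.kind == "or":
        best = min(node.children, key=min_cost)
        return cheapest_path(best) if min_cost(best) < INF else []
    if any(min_cost(c) == INF for c in node.children):
        return []
    return [leaf for c in node.children for leaf in cheapest_path(c)]


def build_tree():
    """Constructed APT-style goal: exfiltrate data requires a foothold AND
    reaching the file server AND an exfiltration channel."""
    return Node("exfiltrate data", "and", children=[
        Node("gain initial foothold", "or", children=[
            Node("spear-phishing attachment", cost=2),
            Node("exploit exposed VPN", cost=5),
        ]),
        Node("reach file server", "or", children=[
            Node("reuse harvested admin credentials", cost=1),
            Node("exploit unpatched server service", cost=4),
        ]),
        Node("exfiltrate over C2 channel", cost=2),
    ])


def apply_mitigations(tree, names):
    """Mark the named leaves as mitigated (in place) and return the tree."""
    for c in tree.children:
        apply_mitigations(c, names)
    if tree.kind == "leaf" and tree.name in names:
        tree.mitigated = True
    return tree
```

The useful reading for the defender is the asymmetry between node types: mitigating one OR leaf (phishing) only raises the attacker's cost, because the sibling path remains, whereas mitigating a leaf that is a direct AND child (the exfiltration channel) removes every path to the root.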
- Kill Chain
The kill chain model can be used by incident response teams, malware analysts and forensic investigators to work in a chained manner and analyse the offensive actions of a cyber attacker. Using the kill chain model allows security analysts to think like the attacker and understand what has happened in each phase of the kill chain. Recently, cyber attacks have become more complex, destructive and dangerous by using multiple redundant attack vectors in order to multiply their effect and make the work of the incident response team more difficult (Bhatt, Toshiro Yano and Gustavsson, 2014). The kill chain model allows a complicated attack to be broken down into small phases or stages. Moreover, these phases enable the incident response team to tackle smaller and easier problems and develop a defence for each layer in order to mitigate threats in each phase (Hutchins, Cloppert, and Amin, 2011). The kill chain includes seven phases, as shown in Figure 7, which gives a brief description of each phase or its purpose.
- Sandbox
A sandbox is a security mechanism used to isolate running programs and to execute untrusted programs or untested code from third parties. An untested or unknown file can be run in an isolated environment to understand what it does. Malware sandboxing is considered a dynamic analysis approach because the analyst executes the sample and monitors it in real time instead of statically analysing the binary file. There are several sandbox tools for Linux, such as SELinux and AppArmor, while Cuckoo supports Windows and will be used in the case study simulation. Cuckoo is an automated malware analysis system that records what files do while executing in the isolated environment; interpreting its results requires technical skill. Applying the previous framework combined with the defence mechanisms in Table 3, which are based on the kill chain phases, will improve the incident response team's ability to detect and prevent APTs.
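An added example that ties the kill chain section and the sandbox section together: sandbox observations are mapped onto the seven kill chain phases and checked against the defensive controls available per phase, so the team can see the earliest phase at which this sample would have been caught and which phases have no control at all. The sandbox report is a constructed, simplified Cuckoo-style summary, not real Cuckoo output; the signature names, the signature-to-phase mapping and the per-phase control list are constructed stand-ins (the dissertation's Table 3 is not reproduced here) and are illustrative only.

```python
"""Map constructed sandbox observations onto kill chain phases and report
defensive coverage per phase (added example, constructed data)."""
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]

# Constructed, simplified Cuckoo-style summary of one detonated sample; not a real report.
SANDBOX_REPORT = {
    "target": {"file": {"name": "invoice.doc"}},
    "signatures": [
        {"name": "office_macro_dropper", "severity": 3},
        {"name": "creates_run_key", "severity": 2},
        {"name": "network_http_beacon", "severity": 3},
        {"name": "reads_browser_credentials", "severity": 2},
    ],
    "behavior": {"summary": {
        "files": [r"C:\Users\Public\svc.exe"],
        "keys": [r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"],
    }},
    "network": {"hosts": ["203.0.113.50"], "domains": ["update.example.invalid"]},
}

# Constructed mapping from sandbox signature names to kill chain phases.
SIGNATURE_PHASE = {
    "office_macro_dropper": "exploitation",
    "creates_run_key": "installation",
    "network_http_beacon": "command_and_control",
    "reads_browser_credentials": "actions_on_objectives",
}

# Constructed stand-in for defensive controls per phase (assumption, not Table 3).
CONTROLS = {
    "delivery": ["mail attachment filtering"],
    "exploitation": ["macro blocking", "EDR"],
    "installation": ["autorun monitoring"],
    "command_and_control": ["proxy egress filtering", "NIDS"],
}


def observations(report):
    """Turn sandbox output into (phase, detail) pairs: one per known signature,
    plus the C2 hosts and persistence keys the report lists; ordered by phase."""
    obs = []
    for sig in report["signatures"]:
        phase = SIGNATURE_PHASE.get(sig["name"])
        if phase:
            obs.append((phase, sig["name"]))
    for ip in report["network"]["hosts"]:
        obs.append(("command_and_control", f"c2 host {ip}"))
    for key in report["behavior"]["summary"]["keys"]:
        obs.append(("installation", f"persistence key {key}"))
    return sorted(obs, key=lambda o: KILL_CHAIN.index(o[0]))


def coverage(report, controls=CONTROLS):
    """Per phase: what the sample did and which controls exist; the earliest
    observed phase that has a control; and observed phases with no control."""
    seen = {p: [] for p in KILL_CHAIN}
    for phase, detail in observations(report):
        seen[phase].append(detail)
    matrix = {p: {"observed": seen[p], "controls": controls.get(p, [])} for p in KILL_CHAIN}
    earliest = next((p for p in KILL_CHAIN if seen[p] and controls.get(p)), None)
    gaps = [p for p in KILL_CHAIN if seen[p] and not controls.get(p)]
    return {"matrix": matrix, "earliest_defended_phase": earliest, "uncovered_phases": gaps}
```

Reading the result the way the text suggests: the sandbox only shows behaviour from exploitation onwards (it never saw the delivery email), so the earliest phase at which the listed controls would have stopped this sample is exploitation, and the actions-on-objectives phase is observed but uncovered, which is the gap the team would add a control for.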
The simulation will be tested by two groups of users. The new approach simulation will be evaluated, then the results will be compared with the results from the original approach to identify whether the new framework has improved security and detected the APT or not. The evaluation for both groups of users will be as follows:
- Evaluate whether the new framework helps and improves APT detection compared with the original approach.
- Evaluate which approach can use the analytical data to mitigate APTs more efficiently.
- Evaluate which approach can use the analytical data to anticipate future APT attacks.
Plan:
Figure 1 represents the basic structure of the project, which includes four main phases: related work, developing the new framework, the analysis process and the case study.
Figure 2: Scheduled Gantt chart of Incident response & APT project