
APT detection frameworks and nation-state actors

Twitter distributed background from CrowdStrike

What is an advanced persistent threat (APT)?

An advanced persistent threat is a “Threat from a highly organized attacker with significant resources that is carried out over a long period of time” (McMillian, 2021). McMillian describes the victims as large corporations or government entities, and the attackers as well-funded groups of highly skilled individuals working for nation-states. Most of these attacks are hard to detect, but logs and performance metrics that capture abnormal behaviour in the environment can expose them.

What is a Nation-state actor?

“Nation-state or state sponsors are usually foreign governments. They are interested in pilfering data, including intellectual property and research and development data, from major manufacturers, tech companies, government agencies, and defense contractors. They have the most resources and are the best organized of any of the threat actor groups.” (McMillian, 2021).

“The security firm Mandiant tracked several APTs over a period of 7 years, all originating in China, specifically Shanghai and the Pudong region. These APTs were simply named APT1, APT2, and so on.” (Easttom, 2018).

“The attacks were linked to PLA Unit 61398 of China’s military. The Chinese government regards this unit’s activities as classified, but it appears that offensive cyber warfare is one of its tasks. Just one of the APTs from this group compromised 141 companies in 20 different industries. APT1 was able to maintain access to victim networks for an average of 365 days, and in one case for 1,764 days. APT1 is responsible for stealing 6.5 terabytes of information from a single organization over a 10-month timeframe.” (Easttom, 2018).

CrowdStrike 2022 Global Threat Report

CrowdStrike’s annual 2022 Global Threat Report describes the naming convention it uses to categorize adversaries according to nation-state affiliation. These are the codenames CrowdStrike assigns to the adversary groups it tracks and uses when analyzing tactics, techniques, and procedures (TTPs) in its case studies.

Mandiant M-Trends 2022 Report

The annual Mandiant M-Trends 2022 Report highlights the techniques most frequently observed in 2021, mapped to MITRE ATT&CK. The 10 most frequently seen techniques are listed below, each tied to its MITRE ATT&CK technique identifier.

APT detection frameworks

MITRE ATT&CK

MITRE ATT&CK is a knowledge base of adversary tactics and techniques based on real-world observations. The knowledge base is used as a foundation for the development of specific threat models and methodologies by the private sector, government, and the cybersecurity product and service community. The ATT&CK framework is open to the community at no charge, so that defenders can develop and mature their ability to detect and defend against common adversary behaviours.

MITRE Engage (formerly MITRE Shield)

MITRE Engage replaced the MITRE Shield framework and is built on MITRE ATT&CK. It is used to plan and discuss adversary engagement operations, showing how to engage adversaries in order to achieve defensive goals. Several tools and guides cover the matrix, the playbook process, the community, standards, and mindset. The framework provides a starter kit that walks through the basics, the shared language, the methodologies, adversary engagement itself, and joining the community.

Lockheed Martin Cyber Kill Chain

The Cyber Kill Chain was developed by Lockheed Martin as part of its Intelligence Driven Defense model. Its primary purpose is to determine how far an intrusion has progressed and to break the chain before the adversary reaches the final step. The model identifies what adversaries must do to achieve their ultimate goal. The framework has seven steps that enhance visibility into an attack and enrich an analyst’s understanding of an adversary’s tactics, techniques, and procedures. Lockheed Martin’s seven steps are listed below.

  1. Reconnaissance – Harvesting email addresses, conference information, etc.
  2. Weaponization – Coupling an exploit with a backdoor into a deliverable payload.
  3. Delivery – Delivering the weaponized bundle to the victim via email, web, USB, etc.
  4. Exploitation – Exploiting a vulnerability to execute code on the victim’s system.
  5. Installation – Installing malware on the asset.
  6. Command & Control (C2) – Command channel for remote manipulation of the victim.
  7. Actions on objectives – With ‘hands on keyboard’ access, intruders accomplish their original goals.

Diamond Model (Caltagirone et al, 2013)

“The model describes that an adversary deploys a capability over some infrastructure against a victim. These activities are called events and are the atomic features. Analysts or machines populate the model’s vertices as events are discovered and detected. The vertices are linked with edges highlighting the natural relationship between the features. By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims. The interactions about the diamond are defined by the axioms surrounding the various events occurring about the diamond.” (Caltagirone et al, 2013). The axioms cover the diamond event itself, adversaries, victims, phases, resources, the adversary-victim relationship, and persistent adversary relationships. The seven axioms from the paper are listed below. Because every intrusion proceeds in phases (Axiom 4), the events an adversary generates against one victim can be ordered along the kill chain into an activity thread, and the same thread structure shows which phases have not yet been observed.

  • Axiom 1 – For every intrusion event there exists an adversary taking a step towards an intended goal by using a capability over infrastructure against a victim to produce a result.
  • Axiom 2 – There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.
  • Axiom 3 – Every system, and by extension every victim asset, has vulnerabilities and exposures.
  • Axiom 4 – Every malicious activity contains two or more phases which must be successfully executed in succession to achieve the desired result.
  • Axiom 5 – Every intrusion event requires one or more external resources to be satisfied prior to success.
  • Axiom 6 – A relationship always exists between the Adversary and their Victim(s) even if distant, fleeting, or indirect.
  • Axiom 7 – There exists a sub-set of the set of adversaries which have the motivation, resources, and capabilities to sustain malicious effects for a significant length of time against one or more victims while resisting mitigation efforts. Adversary-Victim relationships in this sub-set are called persistent adversary relationships.
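The following Python is an added example for the Diamond Model and Cyber Kill Chain sections above; it is not code from Caltagirone et al., Lockheed Martin, or the original post. It records Diamond events with the kill chain phase they occurred in, groups them into activity threads per adversary/victim pair, pivots on a shared vertex (here an infrastructure node) to surface other victims and capabilities, and flags phases that must have occurred but were never observed. All event data, adversary labels, hostnames, and IP addresses are constructed for illustration.

```python
"""Diamond Model events ordered along the Cyber Kill Chain.

Added example; every event below is constructed and the adversary labels
(actor-A, actor-B, unattributed) are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# Lockheed Martin's seven phases, in order, so events can be ranked by progress.
KILL_CHAIN = [
    "reconnaissance", "weaponization", "delivery", "exploitation",
    "installation", "command_and_control", "actions_on_objectives",
]
PHASE_INDEX = {name: i for i, name in enumerate(KILL_CHAIN)}
VERTICES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class Event:
    """One Diamond event: an adversary uses a capability over infrastructure
    against a victim (Axiom 1), during one kill chain phase (Axiom 4)."""
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    phase: str
    seq: int  # constructed ordering value; a real feed would carry a timestamp


# Constructed sample events (RFC 5737 documentation addresses, .test hostnames).
EVENTS = [
    Event("actor-A", "spearphish.docm", "mail-relay.example.test", "acme-corp", "delivery", 1),
    Event("actor-A", "macro-dropper", "mail-relay.example.test", "acme-corp", "exploitation", 2),
    Event("actor-A", "rat-v2", "203.0.113.7", "acme-corp", "command_and_control", 3),
    Event("unattributed", "rat-v2", "203.0.113.7", "globex", "command_and_control", 4),
    Event("unattributed", "staged-archive-exfil", "203.0.113.7", "globex", "actions_on_objectives", 5),
    Event("actor-B", "web-scan", "198.51.100.9", "initech", "reconnaissance", 6),
]


def activity_threads(events):
    """One thread per (adversary, victim) pair, ordered by kill chain phase."""
    threads = defaultdict(list)
    for ev in events:
        threads[(ev.adversary, ev.victim)].append(ev)
    return {key: sorted(evs, key=lambda e: (PHASE_INDEX[e.phase], e.seq))
            for key, evs in threads.items()}


def furthest_phase(events, victim):
    """Deepest kill chain phase observed against a victim, or None if unseen."""
    seen = [PHASE_INDEX[e.phase] for e in events if e.victim == victim]
    return KILL_CHAIN[max(seen)] if seen else None


def pivot(events, vertex, value):
    """Pivot on one vertex value and collect the values on the other three
    vertices of every event that shares it."""
    if vertex not in VERTICES:
        raise ValueError(f"unknown vertex {vertex!r}")
    found = {v: set() for v in VERTICES if v != vertex}
    for ev in events:
        if getattr(ev, vertex) == value:
            for v in found:
                found[v].add(getattr(ev, v))
    return found


def shared_infrastructure(events):
    """Infrastructure seen against more than one victim: a lead for merging
    separately tracked activity into one persistent adversary relationship
    (Axioms 6 and 7)."""
    victims = defaultdict(set)
    for ev in events:
        victims[ev.infrastructure].add(ev.victim)
    return {infra: v for infra, v in victims.items() if len(v) > 1}


def missing_phases(events, adversary, victim):
    """Phases between the first and last observed phase of a thread with no
    event: since phases execute in succession (Axiom 4), these are places an
    analyst should hunt for evidence that was missed."""
    seen = {PHASE_INDEX[e.phase] for e in events
            if e.adversary == adversary and e.victim == victim}
    if not seen:
        return []
    return [KILL_CHAIN[i] for i in range(min(seen), max(seen) + 1) if i not in seen]


if __name__ == "__main__":
    for (adv, vic), evs in activity_threads(EVENTS).items():
        print(f"{adv} -> {vic}: {[e.phase for e in evs]}; "
              f"unobserved: {missing_phases(EVENTS, adv, vic)}")
    print("shared infrastructure:", shared_infrastructure(EVENTS))
    print("pivot on 203.0.113.7:", pivot(EVENTS, "infrastructure", "203.0.113.7"))
```

Pivoting on the C2 address shows the "unattributed" activity against globex using the same implant and infrastructure as actor-A, and the acme-corp thread jumps from exploitation to command and control with no installation event, which is exactly the gap the kill chain tells the analyst to go looking for.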

MITRE Caldera

Caldera is a framework that automates adversary emulation. Security teams build adversary profiles and launch them in their own network to find weaknesses, which tests both technical defenses and analysts’ ability to detect specific threats. The framework consists of a core system and plugins. The core system is the framework code, including an asynchronous command-and-control (C2) server. Plugins extend the framework with agents, reports, and collections of TTPs. The GitHub repository for MITRE Caldera is linked below; red teams (attack) can use it to exercise and strengthen the blue team (defense).

GitHub for MITRE Caldera

References
