Advanced Persistent Threat - Attack Model, Detection and Response

Advanced Persistent Threats (APTs) are among the fastest growing information security threats that organizations face today, and they represent a sophisticated class of attacker that has emerged in the cyber threat landscape.

In this project we propose a model for the APT detection problem, together with a methodology for implementing the detection model on a generic organizational network. We introduce a conceptual attack model, called the attack pyramid, derived from attack trees, and an attack detection framework that takes into account all the security events relevant to an organization. The attack pyramid has the possible attack goal (e.g. sensitive data) at its apex, and its lateral planes are generated from the possible attack vectors, each plane holding the security events relevant to that vector. We propose a methodology to correlate the relevant security events across all planes of the pyramid.

Suppose the attack goal is the source code of an organization's proprietary product, and the possible attack vectors are the email service, the web service, and physical access to the repository servers. In this case, any method for detecting an advanced attack has to record and correlate security events in all the possible attack planes (here the application plane, for the email and web vectors, and the physical plane) and raise an alarm whenever enough evidence of an attack has been collected.
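
As an added illustration of the correlation step described above (example code written for this page, not part of the project's own implementation), the following Python sketch maps each attack vector to a pyramid plane, accumulates evidence per principal in each plane, and raises an alarm once the total evidence for a goal crosses a threshold. The scoring weights, the vector-to-plane mapping, the cross-plane requirement (`min_planes`) and the sample event log are all assumptions made for this example; the page does not specify how evidence is weighted or combined.

```python
from collections import defaultdict
from dataclasses import dataclass

# Attack pyramid: goal G at the apex; lateral planes (application, physical)
# carry the security events of the attack vectors mapped onto them.
# Assumed for this example: each vector maps to exactly one plane.
VECTOR_PLANE = {
    "email": "application",
    "web": "application",
    "physical": "physical",
}

# Assumed evidence weights per (vector, event kind). Hypothetical values.
WEIGHTS = {
    ("email", "phishing_attachment_opened"): 2.0,
    ("web", "repo_download_bulk"): 3.0,
    ("web", "login_new_geo"): 1.5,
    ("physical", "badge_after_hours"): 1.5,
    ("physical", "server_room_entry"): 2.5,
}


@dataclass
class Alarm:
    goal: str
    principal: str
    score: float
    planes: list


class AttackPyramid:
    """Correlates events across planes for a single attack goal G."""

    def __init__(self, goal, alarm_threshold=5.0, min_planes=2):
        self.goal = goal
        self.alarm_threshold = alarm_threshold
        # Assumption: an alarm needs evidence in at least min_planes planes,
        # so that a single noisy sensor cannot trigger it on its own.
        self.min_planes = min_planes
        # principal -> plane -> accumulated evidence
        self.evidence = defaultdict(lambda: defaultdict(float))
        self.alarms = []
        self._alarmed = set()

    def ingest(self, principal, vector, kind):
        """Record one event; return an Alarm if this event tips the balance."""
        plane = VECTOR_PLANE.get(vector)
        if plane is None:
            return None  # vector not modelled for this goal: ignore the event
        self.evidence[principal][plane] += WEIGHTS.get((vector, kind), 0.0)
        return self._check(principal)

    def _check(self, principal):
        if principal in self._alarmed:
            return None  # already raised once for this principal
        planes = self.evidence[principal]
        total = sum(planes.values())
        active = sorted(p for p, v in planes.items() if v > 0)
        if total >= self.alarm_threshold and len(active) >= self.min_planes:
            alarm = Alarm(self.goal, principal, total, active)
            self.alarms.append(alarm)
            self._alarmed.add(principal)
            return alarm
        return None


# Constructed sample event stream (principal, vector, kind); not real data.
SAMPLE_EVENTS = [
    ("alice", "email", "phishing_attachment_opened"),
    ("bob", "web", "repo_download_bulk"),
    ("alice", "web", "login_new_geo"),
    ("bob", "web", "repo_download_bulk"),
    ("alice", "physical", "badge_after_hours"),
    ("carol", "wifi", "deauth_flood"),  # vector outside the pyramid, ignored
]


def run_example(alarm_threshold=5.0, min_planes=2):
    """Feed the sample events through a pyramid for goal G and return it."""
    pyramid = AttackPyramid("proprietary product source code",
                            alarm_threshold, min_planes)
    for principal, vector, kind in SAMPLE_EVENTS:
        pyramid.ingest(principal, vector, kind)
    return pyramid


if __name__ == "__main__":
    for alarm in run_example().alarms:
        print(alarm)
```

With the default settings only "alice" triggers an alarm: her evidence spans the application plane (phishing, unusual login) and the physical plane (after-hours badge use). "bob" accumulates a higher score from bulk repository downloads alone, but that evidence sits in one plane, so with `min_planes=2` it is not enough; lowering `min_planes` to 1 makes him alarm as well. Which policy is right depends on how much the organization trusts a single plane's sensors.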

The methodology is depicted in the figure below, where G represents the goal for the APT.

