Hasso-Plattner-Institut25 Jahre HPI
Hasso-Plattner-Institut25 Jahre HPI

Martin Ussath

Analytical Approaches for Advanced Attacks

Nowadays, an increasing number of attacks try to compromise single computer systems as well as complete IT infrastructures. Therefore, various security systems, such as firewalls, antivirus solutions, or Intrusion Detection Systems (IDSs), are used to detect and prevent attacks. Especially enterprise networks are targeted by advanced attacks that use certain tactics, techniques, and procedures to bypass deployed security systems and to hinder analysis efforts. For this type of attack, including Advanced Persistent Threats (APTs), it is common to perform multiple malicious activities to achieve the intended objective. Thus, it is necessary to identify the relevant attack steps to get a comprehensive understanding of the complete attack. Furthermore, it is vital to consider the related malicious activities during analyses, because the single attack steps might appear benign. Currently, manual analytical approaches are often used to analyze centrally collected log events from different systems to identify advanced attacks in a comprehensive way and to provide reasonable countermeasures. Especially the tracing and the description of relations between different attack activities make these manual approaches often complex and time consuming.

In this thesis, different automated analytical approaches are proposed and evaluated to support the identification and analysis of advanced attacks. First, the novel event attribute tainting approach is proposed to correlate related log events based on similar or identical event attributes. This correlation approach makes use of different methods to mimic manual correlation procedures and to achieve reasonable correlation results. Moreover, the tainting-based correlation approach creates taint graphs to enable the easy retracing of multi-step attacks. Another analytical approach utilizes taint graphs to automatically derive valid multi-step detection signatures. For the creation of such signatures, the approach analyzes the graph structure of a taint graph and describes a suitable signature that contains the correlated log events and their relations. Furthermore, it is necessary to share relevant details about performed malicious activities with other potential targets to support investigations and analysis efforts. For this reason, an extended variant of the Structured Threat Information eXpression (STIX) format is proposed to enable the sharing of complex patterns that describe various objects and their relations. Additionally, the approach of an enhanced sinkhole system is proposed to allow the gathering of comprehensive details about infected systems and executed malware. This approach depends on DNS sinkholing and can be applied to collect further details about advanced attacks.