Abstract

Attackers increasingly seek to compromise organizations and their critical data with advanced stealthy methods, often utilising legitimate tools. In the main, organisations employ reactive approaches to cyber security, focused on rectifying immediate incidents and preventing repeat attacks, through protections such as vulnerability assessment and penetration testing (VAPT), security information and event management (SIEM), firewalls, anti-spam/anti-malware solutions and system patches. Such systems have weaknesses in addressing modern stealthy attacks. Proactive approaches have been seen as part of the solution to this problem. However, approaches such as VAPT have limited scope and only work against threats that have already been discovered. Promising methods such as threat hunting are gaining momentum, enabling organisations to identify and rapidly respond to potential attacks, though they have been criticised for their significant cost. In this paper, we present a novel hybrid model for uncovering tactics, techniques, and procedures (TTPs) through offensive security, specifically threat hunting via adversary emulation. The proposed technique is based on a novel approach of embedding an adversary emulation model (mapping each respective phase) inside the threat hunting approach. The experimental results show that the proposed approach, using threat hunting via adversary emulation, has countervailing effects on hunting advanced-level threats. Moreover, the threat detection ability of the proposed approach utilizes minimal resources. The proposed approach can be used to develop an offensive-security-aware environment in which organizations can uncover advanced attack mechanisms and test their ability to detect attacks.

Highlights

  • A large number of enterprise networks have been attacked by adversaries, and may be currently under cyber attack

  • "Polymorphous malware" is very good at evading antivirus software. Techniques such as threat hunting involve proactively searching for cyber threats that may be lying undetected in a network

  • We propose a threat hunting model via adversary emulation, with the aim of minimizing the resource utilized while increasing the efficiency of the approach


Summary

Introduction

A large number of enterprise networks have been attacked by adversaries, and may be currently under cyber attack. The majority of security tools are not interactive in nature; they work on specific logic, for example watching a specific gateway and searching for specific threats. In such cases, the security personnel aim to identify active threats. This approach depends on actions performed by an adversary that trigger the security system; such an approach is known as a "Reactive Approach". SANS presented a formal threat hunt model in 2019 [1], which opened new doors for researchers. We have utilized this model and mapped an adversary emulation approach onto it, to enable efficient utilization of resources to hunt threats in a timely manner.

