Abstract

Detecting the latest advanced persistent threats (APTs) using conventional information protection systems is a challenging task. Although various systems have been employed to detect such attacks, they are limited by their respective operating systems. Furthermore, they are developed as closed platforms and cannot be customized to meet user environments. To overcome these limitations, open-source endpoint detection and response (EDR) techniques are needed. In this study, we construct one that integrates open-source security frameworks, combining GRR (Google Rapid Response) and osquery. A threat-detection case study is conducted to validate the feasibility of the proposed open-source EDR system. Additionally, APT coverage for the proposed EDR system is analyzed using MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) model. The assessment result shows that APT tactics with a high level of threat detection using non-customized osquery configurations comprise 28.5% of all detections, which is lower than the other response levels. The performance of open-source EDR can be increased by customizing osquery for specific purposes and environments. Open-source EDR combining GRR and osquery has the potential to provide a threat detection system that is efficient in terms of detection coverage, and it has the advantage of flexible integration with other applications; it can also be developed for evolving system environments such as cloud and the internet of things.
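As an added illustration of the coverage analysis described above (this is not code from the paper or from the GRR/osquery projects), the following Python sketch maps osquery result-log lines to ATT&CK tactics and computes the share of tactics that produced at least one detection. The query-to-tactic mapping and the log lines are constructed for this example, not taken from the study's configuration.

```python
import json
from collections import defaultdict

# Constructed mapping of osquery scheduled-query names to ATT&CK tactics;
# an illustrative assumption, not the paper's configuration.
QUERY_TACTICS = {
    "pack_incident-response_process_events": ["Execution"],
    "pack_incident-response_crontab": ["Persistence"],
    "pack_incident-response_listening_ports": ["Command and Control"],
    "pack_incident-response_shell_history": ["Discovery"],
}
# The 14 enterprise ATT&CK tactics, the denominator for the coverage share.
ALL_TACTICS = [
    "Reconnaissance", "Resource Development", "Initial Access", "Execution",
    "Persistence", "Privilege Escalation", "Defense Evasion", "Credential Access",
    "Discovery", "Lateral Movement", "Collection", "Command and Control",
    "Exfiltration", "Impact",
]
# Constructed osquery result-log lines (one JSON object per line, "added"/"removed").
SAMPLE_LOG = """
{"name":"pack_incident-response_process_events","hostIdentifier":"host-a","unixTime":1700000000,"columns":{"path":"/bin/bash","cmdline":"bash -c id"},"action":"added"}
{"name":"pack_incident-response_crontab","hostIdentifier":"host-a","unixTime":1700000060,"columns":{"command":"/tmp/x.sh"},"action":"added"}
{"name":"pack_incident-response_crontab","hostIdentifier":"host-a","unixTime":1700000120,"columns":{"command":"/tmp/x.sh"},"action":"removed"}
{"name":"pack_incident-response_listening_ports","hostIdentifier":"host-b","unixTime":1700000180,"columns":{"port":"4444"},"action":"added"}
not json at all
"""

def tactic_hits(log_text):
    """Count 'added' result rows per ATT&CK tactic; skip malformed or unmapped lines."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # osquery writes one JSON object per line; ignore noise
        if rec.get("action") != "added":
            continue  # "removed" rows only record that a row disappeared
        for tactic in QUERY_TACTICS.get(rec.get("name"), []):
            hits[tactic] += 1
    return dict(hits)

def coverage_share(hits, tactics=ALL_TACTICS):
    """Fraction of tactics for which at least one mapped query produced a result."""
    covered = sum(1 for t in tactics if hits.get(t, 0) > 0)
    return round(covered / len(tactics), 3)

if __name__ == "__main__":
    print(coverage_share(tactic_hits(SAMPLE_LOG)))  # prints 0.214
```

The share reported here counts a tactic as covered as soon as one mapped query fires; a per-tactic detection level as in the paper would additionally weight how many queries and techniques each tactic is backed by.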

Highlights

  • Cyber-attack techniques constantly improve, and advanced persistent threats (APTs) cause serious security problems for companies and organizations [1].

  • Bahrami et al. [5] proposed a taxonomy of APT attacks based on the cyber kill-chain model, according to which tactics, techniques, and procedures for detecting APT attacks were identified.

  • Open-source endpoint detection and response (EDR) is a cost-effective security tool with high expected value in terms of flexibility, utilization, and scalability, and it can be used in next-generation digital platforms that are becoming hyper-connected, hyper-intelligent, and globally scaled.


Summary

INTRODUCTION

Cyber-attack techniques constantly improve, and advanced persistent threats (APTs) cause serious security problems for companies and organizations [1]. It is difficult for existing information protection systems to detect the latest APTs because they attack their targets persistently over a prolonged period using intelligent, advanced hacking techniques in a high-density, high-capacity, and high-speed network environment [2]. The most representative method of responding to APTs is the cyber kill chain, first devised as a military security concept in 2011 by Lockheed Martin. It defines cyberattacks in multiple stages, identifies threats to organizational processes in advance, and analyzes, detects, and prevents cyberattacks and intrusions [3]. To respond effectively to APTs, behavior-based detection techniques must be applied alongside the kill-chain model [6].

RELATED WORKS
Limitation
ATTACK SCENARIO AND EXPERIMENT
PERFORMANCE EVALUATION
Findings
DISCUSSION AND FUTURE
CONCLUSION