
How to implement APT Organization tracking Governance based on knowledge Graph

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article explains in detail how to carry out APT organization tracking governance based on knowledge graph. The content is of high quality, so the editor shares it for reference; I hope you will have a clearer understanding of the relevant knowledge after reading it.

Advanced persistent threat (APT) is increasingly becoming a major threat in cyberspace that cannot be ignored, aimed at important assets of governments and enterprises. Because APT attacks usually have a clear attack intention and their methods are highly covert and latent, traditional network detection methods are usually unable to detect them effectively. In recent years, detection and defense technology for APT attacks has gradually attracted the attention of governments and network security researchers.

I. Research on APT organizational governance in developed countries

1.1 At the strategic level, the United States emphasizes "America first" and "strength for peace"

The Trump administration successively released the National Security Strategy report, the Department of Defense Cyber Strategy and the National Cyber Strategy. These documents interpret the "America first" strategy, emphasize "cyber deterrence" and "using strength to promote peace", highlight the importance of cyber warfare, place the role of "military and force" before diplomacy and statecraft, and stress the protection of US infrastructure to ensure the continued prosperity of the United States. They also emphasize the importance of artificial intelligence (AI) for economic growth.

1.2 At the regulatory level, the United States legislates for APT organization tracking

On September 5, 2018, the U.S. House of Representatives voted to pass the Cyber Deterrence and Response Act of 2018, which aims to prevent and sanction future state-backed cyber attacks against the United States in order to protect its political, economic and critical infrastructure. The bill requires the President of the United States to confirm a list of advanced persistent threat (APT) organizations, publish it in the Federal Register and update it regularly.

1.3 At the attack level, the US military develops advanced cyber warfare tools based on knowledge graph

In September 2010, "*" disclosed that the Pentagon strives to make pre-emptive strikes in cyber warfare and to achieve the "5D" effect of deception, rejection, separation, demotion and destruction. Research on the attack side of cyber warfare has always been a focus of the US government and its subordinate research institutions. In the models built around cyber warfare in the United States in recent years, the battlefield network is mapped with a multi-level knowledge graph, and combining this with cyber range exercises for model verification is an important research direction.

1.3.1 Plan X of DARPA uses knowledge graph to draw battlefield map to support VR operation

PLAN X is a project unveiled by DARPA in 2012 with the main goal of developing revolutionary technologies to understand, plan and manage cyber warfare in a real-time, large-scale and dynamic network environment. Based on an established general map, it helps military network operators carry out network intrusion tasks visually on the battlefield. PLAN X uses automatic construction of a battlefield network graph to transform the network map, combat units and capability sets into nodes and edges. Based on tactical targets set in advance by the operators, an automatic graph search finds the best intrusion path and intrusion scheme and presents them to the operators.

1.3.2 MITRE's CyGraph prototype supports cyber warfare

CyGraph is MITRE's prototype system for graph model research. It uses a hierarchical graph structure comprising network architecture (Network Infrastructure), security status (Security Posture), cyber threats (Cyber Threats) and mission dependencies (Mission Dependencies), to support attack surface identification and understanding of the attack situation for the protection of critical assets.

Fig. 1.1 Multi-layer graph structure of CyGraph

1.4 At the defense level, develop a new generation of APT description language model based on ATT&CK

ATT&CK is a model and knowledge base that reflects adversary behavior at each stage of the attack life cycle. Its knowledge base is used to analyze adversary attack methods and evaluate the existing protection system, and it can be combined with a cyber range to carry out attack simulation testing and automatic verification. Many foreign security vendors also use ATT&CK-based detection to track the actual activity of APT organizations.

Figure 1.2 Comparative analysis of the ATT&CK TTP capabilities of Lazarus and APT15

II. The practice of APT organization tracking based on knowledge graph

The practice of APT tracking based on knowledge graph takes the threat meta-language model as the core and uses a top-down approach to construct APT knowledge graph.

2.1 Entity class construction based on the threat meta-language model

The APT knowledge type definition draws on current security standards such as the Common Attack Pattern Enumeration and Classification (CAPEC), Malware Attribute Enumeration and Characterization (MAEC) and Common Vulnerabilities and Exposures (CVE). Twelve knowledge types are designed: attack patterns, campaigns, defense measures, identities, threat indicators, intrusion sets, malicious code, observable entities, reports, attackers, tools and vulnerabilities.

2.2 Ontology structure of APT knowledge graph

The knowledge type definition alone only yields isolated knowledge nodes carrying information that describes the organizational characteristics of an APT, with no semantic relationships between them. The semantic design therefore, first, extracts the expert knowledge about vulnerabilities, assets and attack mechanisms contained in the National Vulnerability Database (NVD), and second, refers to the seven types of relationships defined by STIX. An overview of the STIX 2.0 object relationships is shown in figure 2.1 below.

Figure 2.1 STIX2.0 structure diagram

The many kinds of semantic relations found in APT reports, including "indicates", "uses" and "belongs to", are summarized and used to construct the ontology structure shown in figure 2.2.

Figure 2.2 Ontology structure of APT knowledge graph
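The two steps above (the twelve entity classes of section 2.1 and the semantic relations of section 2.2) amount to a schema: a typed graph whose edges are only accepted when the ontology permits that relation between those two entity types. The following is an added example, not code from the article; the twelve type names are spelled as STIX 2.0 object types, the particular allowed triples in ONTOLOGY are an assumed STIX-style subset rather than the article's full figure 2.2, and all sample nodes (organization aliases, indicator values, malware name) are constructed placeholders. The portrait() method shows the kind of semantic search that section 2.4 later applies to APT32.

```python
from collections import defaultdict

# The twelve knowledge types of section 2.1, spelled as STIX 2.0 object types
ENTITY_TYPES = {
    "attack-pattern", "campaign", "course-of-action", "identity",
    "indicator", "intrusion-set", "malware", "observed-data",
    "report", "threat-actor", "tool", "vulnerability",
}

# Ontology: allowed (source type, relation, target type) triples.
# Assumption: a STIX 2.0-style subset chosen for this example; the
# article's full ontology (figure 2.2) is not reproduced here.
ONTOLOGY = {
    ("indicator", "indicates", "malware"),
    ("indicator", "indicates", "tool"),
    ("indicator", "indicates", "intrusion-set"),
    ("intrusion-set", "uses", "attack-pattern"),
    ("intrusion-set", "uses", "malware"),
    ("intrusion-set", "uses", "tool"),
    ("malware", "uses", "attack-pattern"),
    ("campaign", "attributed-to", "intrusion-set"),
    ("intrusion-set", "attributed-to", "threat-actor"),
    ("malware", "targets", "vulnerability"),
    ("course-of-action", "mitigates", "attack-pattern"),
}


class AptGraph:
    """Typed property graph whose edges are validated against ONTOLOGY."""

    def __init__(self):
        self.nodes = {}                 # node id -> {"type", "name", ...attrs}
        self.out = defaultdict(list)    # node id -> [(relation, target id)]
        self.inc = defaultdict(list)    # node id -> [(relation, source id)]

    def add_node(self, nid, ntype, name, **attrs):
        if ntype not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type: {ntype}")
        self.nodes[nid] = {"type": ntype, "name": name, **attrs}

    def allowed(self, src, rel, dst):
        """True if both nodes exist and the ontology permits this edge."""
        if src not in self.nodes or dst not in self.nodes:
            return False
        return (self.nodes[src]["type"], rel, self.nodes[dst]["type"]) in ONTOLOGY

    def add_edge(self, src, rel, dst):
        if not self.allowed(src, rel, dst):
            raise ValueError(f"edge rejected by ontology: {src} -{rel}-> {dst}")
        self.out[src].append((rel, dst))
        self.inc[dst].append((rel, src))

    def related(self, nid, rel, ntype, direction="out"):
        """Names of neighbours reached over `rel` that have type `ntype`."""
        links = self.out[nid] if direction == "out" else self.inc[nid]
        return sorted(self.nodes[n]["name"] for r, n in links
                      if r == rel and self.nodes[n]["type"] == ntype)

    def portrait(self, nid):
        """Semantic search around one intrusion set (cf. the APT32 portrait
        of section 2.4): techniques, tooling, indicators and attribution."""
        return {
            "name": self.nodes[nid]["name"],
            "attack_patterns": self.related(nid, "uses", "attack-pattern"),
            "malware": self.related(nid, "uses", "malware"),
            "tools": self.related(nid, "uses", "tool"),
            "indicators": self.related(nid, "indicates", "indicator", "in"),
            "campaigns": self.related(nid, "attributed-to", "campaign", "in"),
            "actors": self.related(nid, "attributed-to", "threat-actor"),
        }


def build_sample_graph():
    """Constructed sample data (not from the article): one intrusion set with
    a handful of neighbours. ATT&CK ids are real technique ids; the indicator
    values, campaign, actor and malware names are placeholders."""
    g = AptGraph()
    g.add_node("is-1", "intrusion-set", "APT32")
    g.add_node("ta-1", "threat-actor", "Actor-Placeholder")
    g.add_node("ca-1", "campaign", "Campaign-Placeholder")
    g.add_node("ap-1", "attack-pattern", "Spearphishing Attachment", attck="T1566.001")
    g.add_node("ap-2", "attack-pattern", "Scheduled Task/Job", attck="T1053")
    g.add_node("mw-1", "malware", "Sample RAT (constructed)")
    g.add_node("tl-1", "tool", "Cobalt Strike")
    g.add_node("in-1", "indicator", "c2.example.invalid",
               pattern="[domain-name:value = 'c2.example.invalid']")
    g.add_node("in-2", "indicator", "constructed-sha256-placeholder")
    for src, rel, dst in [
        ("is-1", "uses", "ap-1"), ("is-1", "uses", "ap-2"),
        ("is-1", "uses", "mw-1"), ("is-1", "uses", "tl-1"),
        ("mw-1", "uses", "ap-2"),
        ("in-1", "indicates", "is-1"), ("in-2", "indicates", "mw-1"),
        ("ca-1", "attributed-to", "is-1"), ("is-1", "attributed-to", "ta-1"),
    ]:
        g.add_edge(src, rel, dst)
    return g


if __name__ == "__main__":
    import json
    print(json.dumps(build_sample_graph().portrait("is-1"), indent=2))
```

Rejecting edges that the ontology does not permit is what keeps the graph queryable: a relation written in the wrong direction (an attack pattern "using" an intrusion set) would silently disappear from every portrait query, so it is better refused at load time than discovered during an investigation.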

2.3 Construction of knowledge base of APT attack organization

In this paper, the APT knowledge base is built top-down. First, information extraction and alignment are carried out: based on the ontology of the APT knowledge graph, the knowledge entities, attributes and relations related to APT organizations are extracted from massive data. Then the attributes are disambiguated, fused and supplemented according to the knowledge attributes defined in the APT knowledge ontology, and the APT knowledge base is output.

Information sources on APT organizations include structured data (structured intelligence databases, STIX intelligence), semi-structured data (open-source intelligence community sites such as AlienVault, the IBM X-Force intelligence community, MISP, ATT&CK) and unstructured data (the Talos security blog, APT reports on GitHub).
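The alignment and disambiguation step above is where most of the practical difficulty lies: the same organization arrives under different vendor names from each of these sources, and records must be merged without losing track of where each attribute came from. The following added example (not the article's code) shows one way to do it: names are normalized and resolved through an alias table to a canonical id, set-valued attributes are unioned with their source list kept for provenance, and names that cannot be resolved are set aside for analyst review instead of being merged by guesswork. The alias table holds a few widely reported vendor names purely for illustration, and the sample records (sources, indicator values, dates) are constructed.

```python
import re

# Constructed alias table (a few widely reported vendor names, used only for
# illustration). In practice it is harvested from the sources listed above.
ALIASES = {
    "apt32": "APT32", "oceanlotus": "APT32", "aptc00": "APT32",
    "apt28": "APT28", "fancybear": "APT28", "sofacy": "APT28",
}


def normalize(name):
    """Case-fold and strip punctuation/whitespace so 'APT-32', 'Apt 32' and
    'apt32' collide on the same key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def resolve(name, aliases=ALIASES):
    """Map a reported group name to its canonical id, or None if unknown."""
    return aliases.get(normalize(name))


def fuse(records, aliases=ALIASES):
    """Align records from several sources onto canonical ids and merge their
    attributes. Set-valued attributes are unioned, first_seen keeps the
    earliest date, and every entry keeps the set of sources that contributed
    to it. Unresolvable names are returned separately for analyst review
    rather than silently merged."""
    merged = {}
    unresolved = []
    for rec in records:
        cid = resolve(rec["group"], aliases)
        if cid is None:
            unresolved.append(rec["group"])
            continue
        entry = merged.setdefault(cid, {
            "aliases": set(), "sources": set(),
            "techniques": set(), "indicators": set(), "first_seen": None,
        })
        entry["aliases"].add(rec["group"])
        entry["sources"].add(rec["source"])
        entry["techniques"].update(rec.get("techniques", []))
        entry["indicators"].update(rec.get("indicators", []))
        seen = rec.get("first_seen")
        if seen and (entry["first_seen"] is None or seen < entry["first_seen"]):
            entry["first_seen"] = seen
    return merged, sorted(set(unresolved))


# Constructed sample records standing in for STIX bundles, MISP events and
# blog extractions. Technique ids are ATT&CK ids; indicators are placeholders.
SAMPLE_RECORDS = [
    {"source": "stix-feed", "group": "APT32",
     "techniques": ["T1566.001", "T1059.001"],
     "indicators": ["c2.example.invalid"], "first_seen": "2014-01-01"},
    {"source": "misp", "group": "OceanLotus",
     "techniques": ["T1059.001", "T1053"],
     "indicators": ["update.example.invalid"], "first_seen": "2012-06-01"},
    {"source": "blog", "group": "APT-C-00",
     "techniques": ["T1566.001"], "indicators": [], "first_seen": None},
    {"source": "blog", "group": "Fancy Bear",
     "techniques": ["T1566.002"],
     "indicators": ["login.example.invalid"], "first_seen": "2015-03-10"},
    {"source": "misp", "group": "Zebra Group (constructed)",
     "techniques": ["T1105"]},
]


if __name__ == "__main__":
    kb, todo = fuse(SAMPLE_RECORDS)
    for cid, e in kb.items():
        print(cid, sorted(e["aliases"]), sorted(e["techniques"]), e["first_seen"])
    print("needs review:", todo)
```

Keeping the unresolved bucket explicit matters for tracking quality: an unknown name merged into the wrong organization would later cause that organization's portrait to match events it has nothing to do with.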

2.4 Experiment and application

The APT topic knowledge graph constructed in this paper currently contains 257 APT organizations, as shown in figure 2.3.

Figure 2.3 Overview of APT Organization

Combined with the ontology structure of the knowledge graph, the APT32 attack organization is profiled by semantic search, as shown in figures 2.4 and 2.5.

Figure 2.4 APT32 diamond model

Figure 2.5 APT32 Portrait

The portrait information includes the infrastructure, techniques and attack tools controlled by APT32. With this portrait knowledge, real-time monitoring and comparison of APT organizational features, together with marking each event with the organizations it is relevant to, makes real-time monitoring and statistics of APT organizational activity possible.

Using IDS and sandbox probes deployed in a certain environment and a big data analysis cluster composed of four servers, combined with the APT organization portrait features provided by the knowledge graph, a total of 5 APT organizations were found to be active from June 2 to June 9, 2019. The results are shown in figure 2.6.

Figure 2.6 APT Organization tracking

III. Countermeasures and suggestions

1. Improve the formulation of policies and regulations related to APT attacks. At present, our government has not issued policies and regulations specifically aimed at APT attacks, which is very disadvantageous for promoting, standardizing and guiding the analysis and detection of domestic APT attacks.

2. Promote a research ecosystem of joint construction, joint research and sharing. Cooperation between our government and enterprises needs to be deepened further to build technical solutions and model standards that can be used at the industry and national levels.

3. Establish a unified information sharing format and strengthen information sharing. GB/T 36643-2018 "Information Security Technology - Cyber Security Threat Information Format Specification" has not been widely adopted by domestic governments and enterprises since it came into effect.

4. Strengthen the construction of a general threat meta-language model. At present, China has not yet built a complete general threat meta-language to support a unified threat intelligence expression format and the sharing of APT-related threat intelligence and knowledge.

This concludes the discussion of how to carry out APT organization tracking governance based on knowledge graph. I hope the above content is of some help to you and that you have learned something from it. If you think the article is good, share it so that more people can see it.
