Cross-Machine Multi-Phase Advanced Persistent Threat Detection and Investigation via Provenance Analytics

Attack detection and investigation are an iterative process in practice, in
which security analysts still play an important role as of today. Security
systems for attack detection and investigation need to be designed with
this human-in-the-loop aspect in mind. A practical, reliable attack detection
system is not just a classification system. Rather, it facilitates the investigation
process in unearthing the root causes and attack ramifications, by providing
contextualized and more interpretable detection results. Security analysts
often find it difficult and time consuming to investigate on, associate and
understand the detection results of currently deployed security systems. A
swift and accurate attack detection & investigation process is crucial for
timely and proper attack recovery & remediation.
To support speedy and thorough attack detection & investigation, provenance-based
security systems have been proposed over the past few years. These systems
have proven to be inherently suitable for this critical mission: providing
security analysts with insightful, contextualized, and actionable detection
results for further investigation in a highly automated manner. ... mehrProvenance-based
systems produce attack graphs by parsing system logs recording what
has occurred in a computer system at a fine-granular level. Such graphs manifest
and link causally related system activities. Given a suspicious event as a
starting point, a backward tracing and forward tracing in a graph can quickly
expose more related malicious system activities caused by attackers, i.e., the
root cause and attack ramifications, respectively. Provenance-based security
systems have demonstrated excellent performance in reducing false alarms,
supplying security analysts with accurate and self-explanatory attack graphs,
in particular for sophisticated attacks conducted by Advanced Persistent
Threat (APT) actors.
Despite the success, our examination of existing provenance-based systems
yields the finding that these systems suffer from several major limitations,
and can be rendered ineffective facing evasive real-world APT actors. First,
they are fundamentally susceptible to evasive attacks employing persistence
techniques. Second, existing provenance-based systems are limited to tracing
inside a single machine, and unable to trace across machines and reveal the
extend of attackers’ traversal inside a network. Third, these systems only
process system logs from general-purpose OS like Windows and Linux, but
not logs from devices of embedded systems.
To tackle the first weakness of prior provenance-based systems, we present
CPD, which is, to our knowledge, the first system specialized for persistence
detection, and hence multi-phase APT detection and investigation. CPD is
powered by two novel concepts: pseudo-dependency edges, which effectively
reconnect fragmented attack graphs resulted from persistence techniques,
and expert-guided edges, which capacitate faster tracing and reduced log size.
Moreover, we create HADES to overcome the second constraint of provenance-based
systems in combating APT actors. HADES demonstrates, to our knowledge,
the first approach capable of performing accurate causality-based
cross-machine tracing. In HADES, we introduce a lightweight authentication
anomaly detection model and a novel concept called logon session-based execution
partitioning and tracing, which together empower efficient and accurate
cross-machine APT detection and investigation.
Last, we design our third system COMMANDER to further strengthen the defense
line against cross-machine multi-phase APT attacks. Our extensive
analysis of APT threat reports reveals that HADES’s cross-machine tracing
functionality is vulnerable to several evasive attack techniques routinely
employed by APT actors: persistence, session hijacking, and port forwarding.
Recognizing this, we introduce a modular design in COMMANDER, in which it
integrates CPD with HADES, and incorporates another two specialized detectors
for session hijacking and port forwarding, respectively. These specialized
detectors make complementary contributions to safeguarding robust and
correct whole network tracing, by delivering critical information to guide
and adjust the tracing process. Moreover, COMMANDER is designed for detection
and investigation of attacks against industrial-sector organizations.
That is, it includes parsers for logs from some popular industrial controllers,
and detection rules for attack techniques of APT actors on industrial control
systems. COMMANDER can accurately attribute the malicious system activities
on these industrial controllers to the true identity behind those actions, even
if the access originates from the enterprise networks.