“I Know What You Did Before”: General Framework for Correlation Analysis of Cyber Threat Incidents
dandrewkim
Nov 27, 2018
About This Presentation
Presentation slides for IEEE 35th International Conference on Military Communications (MILCOM)
Size: 35.09 MB
Language: en
Added: Nov 27, 2018
Slides: 45 pages
Slide Content
"I Know What You Did Before": General Framework for Correlation Analysis of Cyber Threat Incidents
Daegeon Kim (1), JiYoung Woo (2), Huy Kang Kim (1)
(1) School of Information Security, Korea University, Republic of Korea
(2) Department of Big Data Engineering, Soonchunghyang University, Republic of Korea
INDEX: Motivation; Objective; Event Relation Tree (ERT); Event Transition Graph (ETG); Experiments; Future Research
Motivation: CTI Sharing Expedites ☞ CTI sharing is being promoted nationally and internationally!
Motivation: CTI Expression Frameworks [logo slide: three frameworks by The MITRE Corporation and one by MANDIANT Corporation; the framework names appear only as logos]
Motivation: CTI Exchange Frameworks (Platforms) [logo slide: one platform by The MITRE Corporation, one by Computer Incident Response Center Luxembourg (CIRCL), one by The CSIRT Gadgets Foundation, and MANTIS by Siemens]
Motivation: CTI Analysis Methods: iDefense IntelGraph (by Verisign), Web Intelligence Engine (by Recorded Future) ☞ But we need a FRAMEWORK for CTI correlation analysis.
Motivation: Little research has been conducted on analyzing CTI, despite the following advantages: interoperability of data (machine-, vendor- and organization-independent); compact expression of heterogeneous sources of threat information; the possibility of performing long-term and nation-wide threat analysis.
Objective: All types of data should be treated for integrated analysis. Temporal variations of incident events should be reflected so that the CTI analyst can infer the attacker's intention. Propose a general framework so that the analysis can be improved further.
Event Relation Tree: An Event Relation Tree (ERT) is a tree-like graph expressing relations of events. Each node holds: data (CTI), i.e. event name / ID (EID), timestamp, IP / URL, YARA matching rules, accounts, other string info (e.g. mutex, boundary, ...); its parent node; its children nodes; and its event relations (e.g., related EID, type:data). [ERT Example: nodes EID 1 to EID 7 with relation labels such as "EID:1, account:abc123", "EID:1, IP:1.1.1.1", "EID:6, account:abc123", "EID:7, mutex:rainbow1"]
Event Relation Tree: ERT Construction (example). The slides step through an Event DB holding EID 1 to EID 7; "node" is the ERT node currently being expanded and "new_event" is the DB record being compared against it.
1. The initial event to analyze correlation for (EID 1, May-1-2015) is added to the ERT as the root node.
2. The database storing the CTI of incident events is provided as input.
3. EID 1 is already in the ERT, so it is ignored.
4. There is no relation between EID 1 and EID 2 in the ERT, so the existence of a relation is checked. Since no relation is found, jump to the next iteration.
5. Since EID 1 has a relation with EID 3 (account:abc), which is not in the ERT, EID 3 (Jan-3-2016) and the relation are stored in the ERT. The relation is added to the nodes of EID 1 and EID 3 separately. Because a new node was added to the ERT, the recursive call of the ERTCONST function begins from it (DFS).
6. Since EID 1 already has a relation with EID 3, it is ignored.
7. There is no relation between EID 2 and EID 3 in the ERT, so the existence of a relation is checked. Since no relation is found, jump to the next iteration.
8. EID 3 is already in the ERT, so it is ignored.
9. There is no relation between EID 3 and EID 4 in the ERT, so the existence of a relation is checked. Since no relation is found, jump to the next iteration.
10. Since EID 3 has a relation with EID 5 (mutex:hello), which is not in the ERT, EID 5 (Mar-16-2015) and the relation are stored in the ERT. Because a new node was added, the recursive call of the ERTCONST function restarts from it (DFS).
11. If EID 5 has a relation to EID 1 (IP:1.1.1.1), both of which are already in the ERT, only the relation is added to the two nodes.
12. Suppose no more relations are found under the node of EID 3 as the parent. Then "node" is back to EID 1 and "new_event" indicates EID 4. Since a relation exists between EID 1 and EID 4 (string:wakeup), which is not in the ERT, EID 4 (Dec-11-2015) and the relation are added to the ERT. At this point, the left and the right branches of EID 1 show different characteristics.
13. Suppose EID 4 has no other relations up to EID 6, and a relation is found with EID 7 (boundary:alphabeta). EID 7 (Apr-30-2015) and the relation are added to the ERT.
Resulting ERT node contents: EID 1 (May-1-2015): EID:3, account:abc; EID:5, IP:1.1.1.1; EID:4, string:wakeup. EID 3 (Jan-3-2016): EID:1, account:abc; EID:5, mutex:hello. EID 5 (Mar-16-2015): EID:3, mutex:hello; EID:1, IP:1.1.1.1. EID 4 (Dec-11-2015): EID:1, string:wakeup; EID:7, boundary:alphabeta. EID 7 (Apr-30-2015): EID:4, boundary:alphabeta.
Event Transition Graph: An Event Transition Graph (ETG) is constructed from the ERT by sorting with respect to event time. To preserve the branching characteristic of the ERT, the graph structure is adapted for the ETG. [Figure: the ERT above, with EID 1 (May-1-2015) as root, branch ① EID 3 (Jan-3-2016) → EID 5 (Mar-16-2015) and branch ② EID 4 (Dec-11-2015) → EID 7 (Apr-30-2015), is transformed by descending-order sorting into an ETG in which EID 3 (Jan-3-2016) becomes a start point.]
Event Transition Graph: ETG Construction (example). [Animated figure over the same five nodes, tracking the variables node, iter, curr, dir (up / down) and att while the two branches are reordered by time; the individual animation steps are not recoverable as text.] If the ancestor of EID 1, EID 3, had any relation to the flipped branch, it might be inserted between EID 1 and EID 3.
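The following is an added worked example of the two constructions above; it is not code from the slides or from the authors. It implements ERTCONST as described (DFS over an Event DB, exact matching on shared type:data pairs, relations recorded on both nodes, a new node only when the related event is not yet in the tree) and then derives an ETG. The slides do not spell out the ETG algorithm, so the ETG part is my reading of "descending order sorting while preserving branches": every root-to-leaf chain of the ERT is sorted by timestamp, newest first, and the chains are merged at shared nodes. The Event DB is constructed to mirror the slide walkthrough (EIDs, dates and indicator values are the slide's own; EID 2 and EID 6 are given attributes that match nothing, as the slides assume).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Constructed sample Event DB. Attribute sets are (type, value) pairs, the
# "type:data" form the ERT relation labels use. Values for EID 2 and EID 6 are
# made up so that they match no other event, as in the slide walkthrough.
EVENT_DB = {
    1: {"ts": date(2015, 5, 1),   "attrs": {("account", "abc"), ("ip", "1.1.1.1"), ("string", "wakeup")}},
    2: {"ts": date(2015, 2, 2),   "attrs": {("ip", "9.9.9.9")}},
    3: {"ts": date(2016, 1, 3),   "attrs": {("account", "abc"), ("mutex", "hello")}},
    4: {"ts": date(2015, 12, 11), "attrs": {("string", "wakeup"), ("boundary", "alphabeta")}},
    5: {"ts": date(2015, 3, 16),  "attrs": {("mutex", "hello"), ("ip", "1.1.1.1")}},
    6: {"ts": date(2015, 6, 6),   "attrs": {("account", "zzz")}},
    7: {"ts": date(2015, 4, 30),  "attrs": {("boundary", "alphabeta")}},
}


@dataclass
class Node:
    """One ERT node: CTI data, tree links and the relations found so far."""
    eid: int
    ts: date
    parent: int | None = None
    children: list = field(default_factory=list)
    # related EID -> the (type, value) pairs the two events have in common
    relations: dict = field(default_factory=dict)


def shared_indicators(db, a, b):
    """Exact string matching, as on the slides: indicators both events carry."""
    return sorted(db[a]["attrs"] & db[b]["attrs"])


def ert_construct(db, node_eid, ert):
    """ERTCONST: compare `node` against every DB record, recursing (DFS) into new nodes."""
    node = ert[node_eid]
    for new_eid in sorted(db):
        if new_eid == node_eid or new_eid in node.relations:
            continue                      # same event, or relation already in the ERT
        common = shared_indicators(db, node_eid, new_eid)
        if not common:
            continue                      # no relation: next iteration
        node.relations[new_eid] = common  # record on this node ...
        if new_eid in ert:
            ert[new_eid].relations[node_eid] = common   # ... and on the existing node
            continue
        child = Node(new_eid, db[new_eid]["ts"], parent=node_eid)
        child.relations[node_eid] = common              # ... and on the new child
        ert[new_eid] = child
        node.children.append(new_eid)
        ert_construct(db, new_eid, ert)   # restart from the new node (DFS)
    return ert


def build_ert(db, root_eid):
    """The initial event becomes the root; then ERTCONST runs from it."""
    return ert_construct(db, root_eid, {root_eid: Node(root_eid, db[root_eid]["ts"])})


def root_to_leaf_paths(ert, eid, prefix=()):
    path = prefix + (eid,)
    if not ert[eid].children:
        return [path]
    paths = []
    for child in ert[eid].children:
        paths.extend(root_to_leaf_paths(ert, child, path))
    return paths


def build_etg(ert, root_eid):
    """ETG (assumed algorithm): sort each ERT branch newest-first, merge on shared nodes.
    Returns (start points, directed edges newer -> older)."""
    edges = set()
    for path in root_to_leaf_paths(ert, root_eid):
        ordered = sorted(path, key=lambda e: ert[e].ts, reverse=True)
        edges.update(zip(ordered, ordered[1:]))
    targets = {older for _, older in edges}
    roots = sorted(e for e in ert if e not in targets)
    return roots, sorted(edges)


if __name__ == "__main__":
    tree = build_ert(EVENT_DB, 1)
    for n in tree.values():
        print(f"EID {n.eid} {n.ts} parent={n.parent} children={n.children} relations={n.relations}")
    print("ETG start points / edges:", build_etg(tree, 1))
```

Running it reproduces the slide walkthrough: EID 1 gets children 3 and 4, EID 3 gets child 5, EID 4 gets child 7, the EID 5 to EID 1 link is stored as a relation only, and the ETG has two start points (EID 3 and EID 4), matching the two "graph roots" shown on the case-study ETG slide.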
Experiments: System Architecture [architecture figure]
Experiments: Dataset Generation. Duration: 2011 - 2015. Collection: incident events in the field (malware, spear-phishing email, ...) and from malware sharing sites, i.e., VirusTotal. Data types: URL, IP, accounts, PDB path, mutex, boundary, filemapping, and other keywords. Size: around 18,000 records of 820 events. [Sample Data figure]
Experiments: Preprocessing. Email accounts: domains are ignored (helloworld0123@gmail.com vs. helloworld0123@hotmail.com). Directories: each directory is parsed (C:\Users\BestHacker_John\Campaign\... , D:\BestHacker_John\MyProject\...). IP classes: A, B, C, or D class (B class: 1.2.3.4 → 1.2.X.X / C class: 1.1.1.1 → 1.2.3.X). Other heuristics and expert knowledge could be applied, e.g. (full name) Bart Simpson vs. B. Simpson.
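As an added example (my code, not the authors'), the preprocessing rules above turned into a normalizer that emits (type, value) keys of the exact-match "type:data" form used by ERT relations, so that two records differing only in mail domain, drive letter, or host part of an IP still share a key. Assumptions of mine: the local part of an e-mail and directory names are lower-cased, a small list of OS-standard directory names (GENERIC_DIRS) is dropped as noise, and every IPv4 address emits all three class-style prefixes rather than one chosen by its class. The two raw records are constructed from the slide's own sample values.

```python
import ipaddress
from pathlib import PureWindowsPath

# Constructed raw CTI records: the slide's sample values, with a second record
# that differs only in mail domain, drive letter, and the low octets of the IP.
RAW_EVENTS = {
    10: {"email": "helloworld0123@gmail.com",
         "path": r"C:\Users\BestHacker_John\Campaign\dropper.exe",
         "ip": "1.2.3.4"},
    11: {"email": "helloworld0123@hotmail.com",
         "path": r"D:\BestHacker_John\MyProject\build.log",
         "ip": "1.2.77.9"},
}

# Assumption: directory names every Windows host has are not evidence of a link.
GENERIC_DIRS = {"users", "program files", "program files (x86)", "windows"}


def normalize_account(email):
    """Keep only the local part: the slides treat the mail domain as noise."""
    return email.split("@", 1)[0].strip().lower()


def path_components(path):
    """Each directory name in a Windows path, minus the drive and the file name."""
    parts = PureWindowsPath(path).parts[1:-1]          # drop 'C:\' and the file
    return {p.lower() for p in parts if p.lower() not in GENERIC_DIRS}


def ip_class_keys(ip):
    """Class-A/B/C style prefixes for an IPv4 address (1.2.3.4 -> 1.X.X.X, 1.2.X.X, 1.2.3.X)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return set()                                   # not an IP literal: no keys
    if addr.version != 4:
        return set()                                   # IPv6 is out of scope on the slides
    o = ip.split(".")
    return {("ip_a", f"{o[0]}.X.X.X"),
            ("ip_b", f"{o[0]}.{o[1]}.X.X"),
            ("ip_c", f"{o[0]}.{o[1]}.{o[2]}.X")}


def extract_indicators(record):
    """Turn one raw record into the set of (type, value) keys used for matching."""
    keys = set()
    if record.get("email"):
        keys.add(("account", normalize_account(record["email"])))
    if record.get("path"):
        keys |= {("dir", d) for d in path_components(record["path"])}
    if record.get("ip"):
        keys |= ip_class_keys(record["ip"])
    return keys


def common_keys(record_a, record_b):
    """The keys two records share after preprocessing; non-empty means 'related'."""
    return sorted(extract_indicators(record_a) & extract_indicators(record_b))


if __name__ == "__main__":
    print(common_keys(RAW_EVENTS[10], RAW_EVENTS[11]))
```

Without the normalization the two records share nothing byte-for-byte; with it they match on the account local part, the BestHacker_John directory, and the class-A and class-B prefixes, while the class-C key (1.2.3.X vs 1.2.77.X) correctly stays distinct.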
Experiments: Case Study 1. At the beginning of this campaign, compromised websites were used as the C2 server. But at some point, the group switched to public cloud services so that the malware's network traffic would look normal.
Experiments: [ERT figure for Case Study 1; legend: boundary used in C2 server, mutex in malware, cloud service used as C2 server, and the initial event]
Experiments: [ETG figure for Case Study 1; the start points (graph roots) are the oldest event in Ⓑ and the first appeared event in Ⓐ, descending; legend: boundary used in C2 server, mutex in malware, cloud service used as C2 server]
Experiments: Case Study 2. The attacker group of the second case study is known as the Lazarus Group, which attacked Sony Pictures Entertainment (SPE) in 2014 (Novetta, "Operation Blockbuster: Unraveling the Long Thread of the Sony Attack", 2015). Several types of malware were distributed through compromised websites and spear-phishing email while their functionality kept changing.
Experiments: Timeline Comparison of the Analysis to Novetta's Report* [timeline figure] (* Novetta, "Operation Blockbuster: Unraveling the Long Thread of the Sony Attack," 2015.)
Future Research: Currently, only direct string matching methods are applied to each CTI of the events. Probabilistic or heuristic approaches need to be added, e.g., calculating a similarity score (probability) of events, or finding a relation between a full name and the initials of a name. Open questions shown on the slide: Do the relations "EID: 1 - EID: 2" and "EID: 2 - EID: 3" have the same similarity level? (chain EID: 1 - EID: 2 - EID: 3 with relation labels a, b, c, d) If the only shared string is C:\Program Files, can we say EID: 1 and EID: 2 really have a meaningful relation? Given "Bart Simpson" / bartsimpson.com in EID: 1 and "B. Simpson" / bsimpson.net in EID: 2, isn't it possible to say that EID: 1 and EID: 2 have a relation?
Future Research: [Figure: an ERT with EID 1 as root and EID 2, EID 3, EID 4 connected by relations labelled a, b, c, d, with the timestamps Feb. 2015, May 2015, Aug. 2015 and Dec. 2015 shown next to EID 2, EID 3, EID 1 and EID 4 respectively, beside the resulting ETG.] It seems more reasonable to maintain the event sequence "EID: 3 - EID: 2 - EID: 4"; EID: 1 may not have any relation to EID: 4. Currently, the ETG preserves the chain of branches if the events lie in an ancestor-sibling relation in the ERT. Also, a probabilistic approach needs to be added, i.e., calculating a relation score (probability) of events.