  • Universities of Applied Sciences
  • Jyväskylän ammattikorkeakoulu
  • Theses (Open collection)

Attracting the APT actors into deception system: identifying ways to attract an APT actor

Rantanen, Outi (2024)

All rights reserved. This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.
The permanent address of the publication is
https://urn.fi/URN:NBN:fi:amk-202404075904
Abstract
Improving situational awareness is an emerging trend in the field of information security. Organisations must identify the proper technical data sources and the non-technical cyber threat intelligence sources in the business environment to create and maintain situational awareness. As cyber defence techniques develop, so do attackers' techniques. An advanced persistent threat (APT) might prepare a cyber-attack for weeks or months before the initial access by gathering information about the organisation.

A cyber deception system is a way to lure and deceive the attacker into a honeynet system that can be monitored to raise alarms on certain actions in the honeynet. Deception systems can be used to collect information about the attacker to create a more precise situational picture. They can also be used to collect cyber threat intelligence from the attacker.

Real-world cyber-attack cases were used to identify and chart the techniques used in a cyber-attack. These techniques were used to model lures for a honeypot system to attract an APT actor to show interest in it. The APT actor fingerprints its main targets and does not trigger the attack's next stage on them if the target does not meet its requirements. Therefore, an APT actor will not engage the next stages of the cyber-attack if it discovers that it is inside a deception system or a sandbox.

The deception system needs to be as real as possible and, if possible, integrated into a real enterprise network. The most important added value of a deception system is the ability to detect a cyber-attack and assist in stopping it at its earliest stage.

The research material identifies 192 different techniques used by the APT actor Turla. The most used techniques are Discovery and Command and Control techniques. 30 % of the Turla malware has system information capabilities, and over 40 % of all the Turla software can use System Network Configuration Discovery techniques. The most sophisticated malware, using the widest range of techniques, was Empire, Kazuar, and Uroburos.