Cyber Threat Intelligence
Our focus is on systematic curation, characterization, measurement, and forensics of cyber threat intelligence (e.g., malware samples, infection traces, natural language threat descriptions).
Publications
Poirot: Aligning Attack Behavior with Kernel Audit Records for Cyber Threat Hunting
Cyber threat intelligence (CTI) is being used to search for indicators of attacks that might have compromised an enterprise network for a long time without being discovered. To make this analysis more effective, CTI open standards have incorporated descriptive relationships showing how the indicators or observables are related to each other. However, these relationships are either completely overlooked in information gathering or not used for threat hunting. In this paper, we propose a system, called Poirot, which uses these correlations to uncover the steps of a successful attack campaign. We use kernel audits as a reliable source that covers all causal relations and information flows among system entities, and we model threat hunting as an inexact graph pattern matching problem. Our technical approach is based on a novel similarity metric which assesses an alignment between a query graph constructed out of CTI correlations and a provenance graph constructed out of kernel audit log records. We evaluate Poirot on publicly released real-world incident reports as well as reports of an adversarial engagement designed by DARPA, including ten distinct attack campaigns against different OS platforms such as Linux, FreeBSD, and Windows. Our evaluation results show that Poirot is capable of searching inside graphs containing millions of nodes and pinpointing the attacks in a few minutes, and the results serve to illustrate that CTI correlations can be used as robust and reliable artifacts for threat hunting.
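The abstract above describes threat hunting as inexact alignment of a CTI query graph with a provenance graph. The following is an added illustration of that idea and is not the Poirot authors' code: the audit records, the query graph (the "document fetched from a server, opened by Office, drops an executable that beacons to C2" story), the MAX_HOPS bound, the ALERT_THRESHOLD and the scoring rule (each CTI flow contributes 1 / hops of the shortest provenance path that realises it, 0 if none exists within the bound; the alignment score is the mean over flows) are all assumptions made for the example and simplify the paper's metric. Note that the report never mentions the browser, yet the server-to-document flow still scores through the two-hop path via firefox, which is the "inexact" part.

```python
"""Poirot-style inexact alignment of a CTI query graph with a provenance graph.

Added illustration, not the Poirot authors' code.  Audit records, query graph,
MAX_HOPS, ALERT_THRESHOLD and the scoring rule are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from itertools import product

MAX_HOPS = 4            # assumption: longest provenance path allowed to realise one CTI flow
ALERT_THRESHOLD = 0.5   # assumption: report an alignment whose score exceeds this

# Constructed audit records: (subject, syscall, object); entity ids carry a type prefix.
AUDIT_RECORDS = [
    ("proc:firefox",    "recv",   "net:198.51.100.7:443"),
    ("proc:firefox",    "write",  "file:/home/u/Downloads/invoice.docx"),
    ("proc:word",       "read",   "file:/home/u/Downloads/invoice.docx"),
    ("proc:word",       "write",  "file:/tmp/update.exe"),
    ("proc:word",       "fork",   "proc:update.exe"),
    ("proc:update.exe", "execve", "file:/tmp/update.exe"),
    ("proc:update.exe", "read",   "file:/etc/passwd"),
    ("proc:update.exe", "send",   "net:203.0.113.9:8080"),
    ("proc:sshd",       "read",   "file:/etc/passwd"),          # unrelated background activity
    ("proc:cron",       "fork",   "proc:logrotate"),
    ("proc:logrotate",  "write",  "file:/var/log/syslog.1"),
]

# Query graph distilled from a constructed CTI report.  Nodes are (type, regex on the id
# after the type prefix); flows say which indicator's data reaches which other indicator.
QUERY_NODES = {
    "server":  ("net",  r".*"),
    "doc":     ("file", r".*\.docx"),
    "office":  ("proc", r"word|excel"),
    "dropper": ("file", r".*\.exe"),
    "payload": ("proc", r".*\.exe"),
    "c2":      ("net",  r".*"),
}
QUERY_FLOWS = [("server", "doc"), ("doc", "office"), ("office", "dropper"),
               ("dropper", "payload"), ("payload", "c2")]


def build_provenance_graph(records):
    """Directed information-flow graph: edge u -> v means data moved from u to v."""
    graph = defaultdict(set)
    for subj, call, obj in records:
        graph[subj]                                   # touch both ids so every entity is a node
        graph[obj]
        if call in ("read", "recv", "execve"):        # object's content flows into the process
            graph[obj].add(subj)
        elif call in ("write", "send", "fork"):       # process's data flows into the object
            graph[subj].add(obj)
        else:
            raise ValueError(f"unknown syscall {call}")
    return graph


def shortest_path_len(graph, src, dst, max_hops):
    """Bounded BFS; returns the hop count, or None if dst is unreachable within max_hops."""
    seen, frontier = {src}, deque([(src, 0)])
    while frontier:
        node, hops = frontier.popleft()
        if hops >= max_hops:
            continue
        for nxt in graph.get(node, ()):
            if nxt == dst:
                return hops + 1
            if nxt not in seen:
                seen.add(nxt)
                frontier.append((nxt, hops + 1))
    return None


def candidates(graph, qnode):
    """Provenance entities that could play the role of one query node."""
    typ, pattern = qnode
    return [n for n in graph
            if n.startswith(typ + ":") and re.fullmatch(pattern, n.split(":", 1)[1])]


def align(graph, qnodes=QUERY_NODES, qflows=QUERY_FLOWS, max_hops=MAX_HOPS):
    """Exhaustive search over candidate combinations, fine for a toy graph.  Poirot
    instead seeds from the query node with the fewest candidates and expands greedily,
    which is what lets it scale to graphs with millions of nodes."""
    names = list(qnodes)
    cands = [candidates(graph, qnodes[q]) for q in names]
    best, best_score = None, 0.0
    for combo in product(*cands):
        if len(set(combo)) < len(combo):              # one entity cannot fill two roles
            continue
        amap = dict(zip(names, combo))
        score = 0.0
        for src, dst in qflows:
            hops = shortest_path_len(graph, amap[src], amap[dst], max_hops)
            if hops:
                score += 1.0 / hops
        score /= len(qflows)
        if score > best_score:
            best, best_score = amap, score
    return best, best_score


if __name__ == "__main__":
    alignment, score = align(build_provenance_graph(AUDIT_RECORDS))
    print(f"alignment score {score:.2f} (threshold {ALERT_THRESHOLD})")
    for role, entity in (alignment or {}).items():
        print(f"  {role:8s} -> {entity}")
```

On the constructed records the best alignment scores 0.9: four of the five CTI flows are realised by direct edges and the server-to-document flow by a two-hop path, while the alternative that swaps the two network endpoints scores only 0.6 because neither the download nor the beacon can be connected in the right direction.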
HOLMES: Real-time APT Detection through Correlation of Suspicious Information Flows
In this paper, we present a new approach for the detection of Advanced and Persistent Threats (APTs). Our approach is inspired by several case studies of real-world APTs that highlight some common goals of APT actors. In a nutshell, our approach aims to produce a detection signal that indicates the presence of a coordinated set of activities that are part of an APT campaign. One of the main challenges addressed by our approach involves developing a suite of techniques that make the detection signal robust and reliable. At a high level, the techniques we develop effectively leverage the correlation between suspicious information flows that arise during an attacker campaign. In addition to its detection capability, our system (called HOLMES) is also able to generate a high-level graph that summarizes the attacker's actions in real time. This graph can be used by an analyst for an effective cyber response. In addition to operating as a detection system by itself, the system can be co-deployed with other intrusion detection systems to improve cyber detection and response within the enterprise. An evaluation of our approach against some real-world APTs indicates that our system can detect APT campaigns with high precision and a low false alarm rate, and that the compact high-level graphs produced by our system are an effective summary of an attack campaign that is useful for planning real-time cyber-response operations.
ProPatrol: Attack Investigation via Extracted High-Level Tasks
Kernel audit logs are a valuable source of information in the forensic investigation of a cyber attack. However, the coarse granularity of dependency information available in audit logs leads to the construction of huge attack graphs which contain false or inaccurate dependencies. To overcome this problem, we propose a system, called ProPatrol, which compartmentalizes the application logs by extracting high-level tasks from application contexts. For doing so, ProPatrol learns a model for an application's high-level tasks based on analyzing the sequence of system calls it generates. The benefit of this approach is that it treats an application as a black box and does not rely on binary instrumentation or source code modifications. Our experiments with enterprise-level attacks show that ProPatrol adds less than 2% runtime overhead, minimizes the manual investigation effort required for forensic analysis, and can quickly pinpoint the root cause of attacks.
SLEUTH: Real-time Attack Scenario Reconstruction from COTS Audit Data
We present an approach and system for real-time reconstruction of attack scenarios on an enterprise host. To meet the scalability and real-time needs of the problem, we develop a platform-neutral, main-memory based, dependency graph abstraction of audit-log data. We then present efficient, tag-based techniques for attack detection and reconstruction, including source identification and impact analysis. We also develop methods to reveal the big picture of attacks by construction of compact, visual graphs of attack steps. Our system participated in a red team evaluation organized by DARPA and was able to successfully detect and reconstruct the details of the red team's attacks on hosts running Windows, FreeBSD and Linux.
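The tag-based detection and source identification described above can be shown on a small audit stream. The following is an added illustration and is not the SLEUTH authors' code: the records are constructed, tags are reduced to one integrity bit (UNTRUSTED/BENIGN, merged with min) and one confidentiality bit (PUBLIC/SENSITIVE, merged with max), and the sensitive-path list and the two detection policies (execution of code with untrusted provenance; a process that is both untrusted and holding sensitive data sending to the network) are assumptions chosen for the example. Tags are propagated as each record arrives, so detection happens in stream order rather than after the fact, and a backward walk over the recorded dependencies performs source identification for an alert.

```python
"""SLEUTH-style tag propagation over an audit-log dependency graph.

Added illustration, not the SLEUTH authors' code.  Records, tag lattice,
sensitive paths and detection policies are assumptions for the example.
"""
from collections import defaultdict

UNTRUSTED, BENIGN = 0, 1        # integrity: lower is worse, merged with min()
PUBLIC, SENSITIVE = 0, 1        # confidentiality: higher is more secret, merged with max()
SENSITIVE_PATHS = {"file:/etc/shadow", "file:/home/u/.ssh/id_ed25519"}   # assumption


class TagTracker:
    def __init__(self):
        self.tags = {}                     # entity -> [integrity, confidentiality]
        self.parents = defaultdict(set)    # entity -> entities whose data flowed into it
        self.alerts = []                   # (policy, subject, object)

    def tag(self, ent):
        """Return the entity's tags, assigning initial tags on first sight."""
        if ent not in self.tags:
            if ent.startswith("net:"):
                self.tags[ent] = [UNTRUSTED, PUBLIC]    # anything from the network is untrusted
            elif ent in SENSITIVE_PATHS:
                self.tags[ent] = [BENIGN, SENSITIVE]
            else:
                self.tags[ent] = [BENIGN, PUBLIC]
        return self.tags[ent]

    def flow(self, src, dst):
        """Propagate tags along an information flow src -> dst and record the dependency."""
        s, d = self.tag(src), self.tag(dst)
        d[0] = min(d[0], s[0])
        d[1] = max(d[1], s[1])
        self.parents[dst].add(src)

    def consume(self, subj, call, obj):
        """Process one audit record (subject, syscall, object) in arrival order."""
        if call in ("read", "recv"):
            self.flow(obj, subj)
        elif call == "execve":
            # Policy 1: executing code whose provenance includes an untrusted source.
            if self.tag(obj)[0] == UNTRUSTED:
                self.alerts.append(("untrusted code execution", subj, obj))
            self.flow(obj, subj)
        elif call in ("write", "send"):
            # Policy 2: a process that was influenced by untrusted input AND holds
            # sensitive data sends to the network.  Either condition alone is normal.
            if call == "send" and self.tag(subj) == [UNTRUSTED, SENSITIVE]:
                self.alerts.append(("exfiltration", subj, obj))
            self.flow(subj, obj)
        elif call == "fork":
            self.flow(subj, obj)           # child inherits the parent's tags
        else:
            raise ValueError(f"unknown syscall {call}")

    def backward_trace(self, ent):
        """Source identification: every entity that transitively flowed into ent."""
        seen, stack = set(), [ent]
        while stack:
            cur = stack.pop()
            for parent in self.parents.get(cur, ()):
                if parent not in seen:
                    seen.add(parent)
                    stack.append(parent)
        return seen


# Constructed audit records in arrival order.
AUDIT_RECORDS = [
    ("proc:sshd",    "read",   "file:/etc/shadow"),                  # sensitive, but sshd stays trusted
    ("proc:sshd",    "send",   "net:203.0.113.5:51022"),             # no alert: integrity still BENIGN
    ("proc:cron",    "fork",   "proc:logrotate"),
    ("proc:firefox", "recv",   "net:198.51.100.7:443"),
    ("proc:firefox", "write",  "file:/home/u/Downloads/update.sh"),  # file inherits UNTRUSTED
    ("proc:bash",    "execve", "file:/home/u/Downloads/update.sh"),  # alert: untrusted code execution
    ("proc:bash",    "read",   "file:/etc/shadow"),                  # bash now UNTRUSTED + SENSITIVE
    ("proc:bash",    "send",   "net:203.0.113.9:8080"),              # alert: exfiltration
]


def analyze(records):
    """Run the stream through a fresh tracker and return it for inspection."""
    tracker = TagTracker()
    for record in records:
        tracker.consume(*record)
    return tracker


if __name__ == "__main__":
    t = analyze(AUDIT_RECORDS)
    for policy, subj, obj in t.alerts:
        sources = sorted(e for e in t.backward_trace(subj) if e.startswith("net:"))
        print(f"{policy}: {subj} -> {obj}; untrusted sources: {sources}")
```

The sshd lines are there to show why the exfiltration policy needs both tags: a trusted daemon that legitimately reads a sensitive file and talks to the network raises nothing, whereas bash, whose integrity was lowered by executing a file that firefox wrote from a network download, triggers as soon as it touches /etc/shadow and then sends. The backward trace from bash reaches update.sh, firefox and the 198.51.100.7 socket, which is the source identification step the abstract refers to.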