Abstract

Effective cyber defense must build upon a deep understanding of real-world cyberattacks to guide the design and deployment of appropriate defensive measures against current and future attacks. In this abridged paper (of which the full paper is available online), we present important concepts for understanding Advanced Persistent Threats (APTs), our methodology to characterize APTs through the lens of attack flows, and a detailed case study of APT28 that demonstrates our method's viability for drawing useful insights. This paper makes three technical contributions. First, we propose a novel method of constructing attack flows to describe APTs. This abstraction allows technical audiences, e.g., defensive cyber operators, to parse and infer valuable details, while allowing management- and business-minded audiences to holistically visualize the attacks' progression without being overwhelmed by technical details. Second, we provide a case study on a real-world APT to demonstrate the effectiveness of our attack flow methodology, which systematizes cyberattack tactics, techniques, and procedures. This technical characterization could, for example, be used to train machine learning models to detect and recognize such cyberattacks automatically. Third, we show that the attack flow representation also allows us to draw insights into the strengths, weaknesses, impact, and sophistication of APTs, as well as to identify potential mitigation approaches. We find that APT28 tends to employ unsophisticated techniques when possible and that the root cause of APT28's success is social engineering. The full version of this paper details additional case studies and a comparative analysis of multiple APTs, leading to further insights.