
Securing information systems against advanced persistent threats (APTs).

Eke, Hope Nkiruka

Authors


HOPE EKE h.eke@rgu.ac.uk
Completed Research Student



Contributors

Andrei Petrovski
Supervisor

Omar Al-Kadri
Supervisor

Abstract

Advanced Persistent Threats (APTs) are a major challenge in securing both Information Technology (IT) and Operational Technology (OT) systems. APTs are sophisticated attacks that disguise their actions to navigate around defences, breach networks, often across multiple hosts, and evade detection, following a "low-and-slow" approach over a long period of time. While APTs have drawn increasing attention from the industrial security community, current security products are inadequate at helping organisations defend against APT attacks because of the prolonged, stealthy nature of APTs, the sophisticated expertise behind them and the significant resources at their disposal. Current best practice for dealing with APTs requires a wide range of security countermeasures, resulting in a multi-step detection approach that opens new research directions. Detecting a single step of the APT lifecycle does not imply detection of the complete APT scenario, and accurate detection and prevention of APTs in real time remains an open challenge. This research investigates APT attack detection and develops a novel multi-step APT attack detection framework that detects the individual steps of an APT attack. An APT steps analysis and correlation framework termed "APTDASAC" is proposed. The approach takes into account the distributed and multi-level nature of industrial control system (ICS) architectures and reflects the multi-step APT attack lifecycle. The implementation is carried out in three stages: stage one, the "Data input and probing layer", which covers data gathering and processing; stage two, the "Data analysis and correlation layer", which applies the core APTDASAC process to learn the behaviour of attack steps from sequence data and to correlate and link the related outputs; and stage three, the "Decision layer", in which an ensemble probability approach integrates the outputs and makes the attack prediction.
The framework was validated with four different datasets and four case studies: i) network transactions between a remote terminal unit (RTU) and a master terminal unit (MTU) in an in-house supervisory control and data acquisition (SCADA) gas pipeline control system; ii) a case study of command and response injection attacks; iii) a scenario based on network traffic containing a hybrid of real modern normal activity and contemporary synthesised attack activity; and iv) APT_alerts, a historic record of APT alerts generated from a monitored network. The ensemble probability approach achieved an average prediction accuracy of 86.73%, with detection rates of 93.50%, 80.98%, 85.19% and 80.90% for the individual detectable APT lifecycle steps (A, B, C and D respectively). Experimentally, APTDASAC achieved significant attack detection capability, but the results also demonstrated that detection techniques that perform very well in one domain may not yield equally good results in another. This suggests that the ability of an operational system to withstand attack and maintain its performance and resilience is determined by the safety and security measures in place, which are specific to the system in question.
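The abstract describes the correlation and decision layers only in outline. The following Python is an added illustration, not code from the thesis, of how per-step detector alerts for four lifecycle steps (labelled A to D, as in the abstract) can be linked into per-host chains and scored with a weighted ensemble probability. The alerts, the one-hour linking window, the 0.6 threshold and the use of the abstract's per-step detection rates as ensemble weights are all assumptions made for the example.

```python
"""Illustrative multi-step APT alert correlation with an ensemble probability decision.

Not the thesis's implementation: a constructed example of the correlation
and decision layers described in the abstract.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical ordered lifecycle steps; the abstract names them A..D only.
STEPS = ("A", "B", "C", "D")

# Assumption: the abstract's per-step detection rates reused as detector
# reliability weights for the ensemble (93.50%, 80.98%, 85.19%, 80.90%).
WEIGHTS = {"A": 0.935, "B": 0.810, "C": 0.852, "D": 0.809}


@dataclass(frozen=True)
class Alert:
    ts: int      # seconds (constructed timestamps)
    host: str    # monitored asset the alert refers to
    step: str    # one of STEPS
    p: float     # per-step detector probability that this event is that step


# Constructed sample alerts, not data from any of the four case studies.
SAMPLE_ALERTS = [
    # rtu-7: A -> B -> C -> D inside 50 minutes, each step confidently detected
    Alert(1000, "rtu-7", "A", 0.90),
    Alert(1600, "rtu-7", "B", 0.80),
    Alert(2500, "rtu-7", "C", 0.85),
    Alert(3900, "rtu-7", "D", 0.95),
    # hmi-2: a single step-A alert with no follow-up (scanner noise)
    Alert(1000, "hmi-2", "A", 0.95),
    # plc-3: step A, then step D more than two hours later (outside the window)
    Alert(1000, "plc-3", "A", 0.90),
    Alert(9000, "plc-3", "D", 0.90),
]


def correlate(alerts, window=3600):
    """Link per-step alerts into per-host chains.

    An alert joins the host's current chain when its step does not precede
    the last linked step in STEPS and it arrives within `window` seconds of
    that alert; otherwise a fresh chain starts. Skipped steps are allowed
    (a low-and-slow APT rarely trips every detector) but steps never move
    backwards within a chain. Returns a list of (host, {step: alert}).
    """
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)

    chains = []
    for host, seq in by_host.items():
        chain, last = {}, None
        for a in seq:
            k = STEPS.index(a.step)
            if last is not None and (k < STEPS.index(last.step) or a.ts - last.ts > window):
                chains.append((host, chain))
                chain = {}
            # a repeated step keeps the alert with the higher probability
            if a.step not in chain or a.p > chain[a.step].p:
                chain[a.step] = a
            last = a
        if chain:
            chains.append((host, chain))
    return chains


def ensemble_score(chain):
    """Weighted mean of step probabilities over all four steps.

    A missing step contributes 0, so a chain has to cover most of the
    lifecycle before it can exceed a high threshold.
    """
    total = sum(WEIGHTS.values())
    return sum(WEIGHTS[s] * chain[s].p for s in chain) / total


def predict(alerts, window=3600, threshold=0.6):
    """Return {host: (score, steps_seen)} for the best chain per host above threshold."""
    out = {}
    for host, chain in correlate(alerts, window):
        s = ensemble_score(chain)
        if s >= threshold and (host not in out or s > out[host][0]):
            out[host] = (round(s, 3), "".join(sorted(chain)))
    return out


if __name__ == "__main__":
    print(predict(SAMPLE_ALERTS))
```

With the constructed alerts, only rtu-7 is flagged: its four linked steps give a score of about 0.876, while hmi-2's lone step-A alert and plc-3's two alerts, which the window splits into separate chains, each score well under 0.3. The point the abstract makes about single-step detection is visible here: a confident single-step alert is not enough on its own, and the window and ordering rules are what turn isolated detections into a lifecycle prediction.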

Citation

EKE, H.N. 2024. Securing information systems against advanced persistent threats (APTs). Robert Gordon University, PhD thesis. Hosted on OpenAIR [online]. Available from: https://doi.org/10.48526/rgu-wt-2445760

Thesis Type Thesis
Deposit Date Aug 26, 2024
Publicly Available Date Aug 26, 2024
DOI https://doi.org/10.48526/rgu-wt-2445760
Keywords Systems security; Cybersecurity; Threat detection
Public URL https://rgu-repository.worktribe.com/output/2445760
Award Date Jan 31, 2024
