A Cascade Approach for APT Campaign Attribution in System Event Logs: Technique Hunting and Subgraph Matching
Yi-Ting Huang, Ying-Ren Guo, Guo-Wei Wong, Meng Chang Chen

TL;DR
This paper introduces a cascade approach combining technique hunting and subgraph matching to attribute APT campaigns from system event logs, leveraging MITRE ATT&CK annotations for improved detection of sophisticated cyber threats.
Contribution
The study presents a novel cascade method that integrates technique hunting with subgraph matching for accurate APT campaign attribution using annotated system logs.
Findings
Reliable performance on five real-world APT campaigns
Effective identification of attack sequences in system logs
Improved attribution accuracy over existing methods
Abstract
As Advanced Persistent Threats (APTs) grow increasingly sophisticated, the demand for effective detection methods has intensified. This study addresses the challenge of identifying APT campaign attacks through system event logs. A cascading approach, named SFM, combines Technique hunting with APT campaign attribution. Our approach assumes that real-world system event logs contain a vast majority of normal events interspersed with a few malicious ones, and that these logs are annotated with Techniques of the MITRE ATT&CK framework for attack pattern recognition. We then attribute APT campaign attacks by aligning the detected Techniques with known attack sequences to determine the most likely APT campaign. Evaluations on five real-world APT campaigns indicate that the proposed approach demonstrates reliable performance.
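To make the two-stage pipeline in the abstract concrete, here is a small added example (not the authors' SFM code): a hunting stage that keeps only Technique-annotated events from a mostly benign log, followed by an attribution stage that ranks known campaign sequences by order-preserving alignment with the detected Techniques. The event log, the campaign profiles and the LCS-based scoring are constructed assumptions; the paper's subgraph matching is not implemented here.

```python
from itertools import groupby

# Constructed sample log: (process, ATT&CK Technique ID or None for benign).
# Annotations are assumed to come from the hunting stage's detector.
EVENTS = [
    ("svchost.exe", None), ("explorer.exe", None), ("outlook.exe", "T1566"),
    ("winword.exe", None), ("powershell.exe", "T1059"), ("chrome.exe", None),
    ("schtasks.exe", "T1053"), ("svchost.exe", None), ("lsass.exe", "T1003"),
    ("explorer.exe", None), ("powershell.exe", "T1071"), ("svchost.exe", None),
]

# Constructed campaign profiles: ordered Technique sequences for hypothetical
# campaigns with placeholder names (not real threat-intel data).
CAMPAIGNS = {
    "campaign-A": ["T1566", "T1059", "T1053", "T1003", "T1071"],
    "campaign-B": ["T1190", "T1059", "T1547", "T1021", "T1041"],
    "campaign-C": ["T1566", "T1204", "T1105", "T1071"],
}


def hunt_techniques(events):
    """Stage 1: keep annotated events in log order, collapsing repeats."""
    seq = [tech for _, tech in events if tech is not None]
    return [tech for tech, _ in groupby(seq)]


def lcs_length(a, b):
    """Longest common subsequence length: an order-preserving alignment score."""
    dp = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i, x in enumerate(a, 1):
        for j, y in enumerate(b, 1):
            dp[i][j] = dp[i - 1][j - 1] + 1 if x == y else max(dp[i - 1][j], dp[i][j - 1])
    return dp[-1][-1]


def attribute(detected, campaigns):
    """Stage 2: fraction of each campaign's sequence covered in order by the
    detected Techniques; returns campaigns ranked from most to least likely."""
    scores = {name: lcs_length(detected, seq) / len(seq) for name, seq in campaigns.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    detected = hunt_techniques(EVENTS)
    print("detected:", detected)
    for name, score in attribute(detected, CAMPAIGNS):
        print(f"{name}: {score:.2f}")
```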
Taxonomy
Topics: Web Data Mining and Analysis · Software System Performance and Reliability · Topic Modeling
