A Framework for Advanced Persistent Threat Attribution using Zachman Ontology

Abstract

Advanced Persistent Threat (APT) is a type of cyber attack that infiltrates a targeted organization and exfiltrates sensitive data over an extended period of time or to cause sabotage. Recently, there has been a trend of nation states backing APT groups in order to further their political and financial interests, making the APT attribution process increasingly important. The APT attribution process involves identifying the actors behind an attack and their motivations, using a method of logical inference called abductive reasoning to determine the most likely explanation for a set of observations. While various attribution methods and frameworks have been proposed by the security community, many of them lack granularity and are dependent on the skills of practitioners rather than a standardized process. This can hinder both the understandability and reproducibility of attribution efforts as this process is practiced but not engineered. To address these issues, we propose a new framework for the APT attribution process based on the Zachman ontology, which offers greater granularity by posing specific primitive questions at various levels of the attribution process. This allows for more accurate conclusions about the attackers and their motivations, helping organizations to better protect themselves against future attacks.