Concept for a security investigation framework

M. Ussath, Feng Cheng, C. Meinel
DOI: 10.1109/NTMS.2015.7266478 (https://doi.org/10.1109/NTMS.2015.7266478)
Venue: 2015 7th International Conference on New Technologies, Mobility and Security (NTMS)
Publication date: 2015-07-27
Citations: 5

Abstract

The number of detected and analyzed Advanced Persistent Threat (APT) campaigns has increased over the last years. Two of the main objectives of such campaigns are to maintain long-term access to the target's environment and to stay undetected. To achieve these goals, attackers use sophisticated and customized techniques for lateral movement, so that these activities are not detected by existing security systems. During an investigation of an APT campaign, all of its stages are relevant for clarifying important details such as the initial infection vector or the compromised systems and credentials. Most of the approaches currently used within security systems are not able to detect the different stages of a complex attack, and therefore a comprehensive security investigation is needed. In this paper we describe a concept for a Security Investigation Framework (SIF) that supports the analysis and tracing of multi-stage APTs. The concept includes different automatic and semi-automatic approaches that support the investigation of such attacks. Furthermore, the framework leverages different information sources, such as log files and details from forensic investigations and malware analyses, to give a comprehensive overview of the different stages of an attack. The overall objective of the SIF is to improve the efficiency of investigations and to reveal undetected details of an attack.