Detection of Advanced Persistent Threats Using SIEM Rulesets

Adem Şi̇mşek, A. Koltuksuz
DOI: 10.36962/piretc28072023-25 (https://doi.org/10.36962/piretc28072023-25)
Journal: PIRETC-Proceeding of The International Research Education & Training Centre
Volume: 9 1
Publication date: 2023-10-02
Publication type: Journal Article
Record source: Semantic Scholar
Citations: 0

Abstract
DETECTION OF ADVANCED PERSISTENT THREATS USING SIEM RULESETS
Cyber-attacks move towards a sophisticated, destructive, and persistent position, as in the case of Stuxnet, Dark Hotel, Poseidon, and Carbanak. These attacks are called Advanced Persistent Threats (APTs), in which an intruder establishes an undetected presence in a network in order to steal sensitive data over a prolonged period of time. In today's digitalized life, these attacks threaten the main critical life areas. This threat is followed by critical infrastructures, finance, energy, and aviation agencies. One of the biggest APT attacks was Stuxnet, which targeted software on computers controlling the programmable logic controllers (PLCs) used to automate machine processes. The other one was the Deep Panda attack, discovered in 2015, which compromised over 4 million US personnel records because of the ongoing cyberwar between China and the U.S. This paper attempts to explain the difficulties of detecting APTs and to examine the studies in this area. In addition, this paper presents a new approach to detecting APTs using the SIEM solution. In this approach, it is recommended to establish APT rulesets in SIEM solutions by using the indicators left behind by the attacks. In the rulesets, 3 basic indicator types are considered, and examples are shared.
Keywords: Cyber security, cyber war, APT, SIEM, Intrusion Detection System.