SoK：对高级持续威胁攻击中的恶意软件技术的实证调查

IF 5.4 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2025-08-09 DOI:10.1016/j.cose.2025.104618

Md Rayhanur Rahman , Setu Kumar Basak , Rezvan Mahdavi Hezaveh , Laurie Williams

{"title":"SoK：对高级持续威胁攻击中的恶意软件技术的实证调查","authors":"Md Rayhanur Rahman , Setu Kumar Basak , Rezvan Mahdavi Hezaveh , Laurie Williams","doi":"10.1016/j.cose.2025.104618","DOIUrl":null,"url":null,"abstract":"<div><h3>Context:</h3><div>Adversaries launch advanced persistent threat (APT) attacks, where adversaries design their attack for a specific target and aim to remain undetected for a prolonged time. The attackers deploy a plethora of techniques for delivering and operating multiple malware in manual or automated manners. Cybersecurity vendors publish technical reports, known as cyberthreat intelligence reports, on past APT attacks, a rich information source on malware techniques. To defend organizations, prevalent techniques observed across malware in APT attacks and their association need to be identified.</div></div><div><h3>Objective:</h3><div>The goal of this research is to aid cybersecurity practitioners in defending against APT attacks by analyzing malware techniques documented in cyberthreat intelligence reports.</div></div><div><h3>Methodology:</h3><div>We construct a curated set of 798 cyberthreat intelligence reports and then analyze the reported malware techniques using MITRE ATT&CK, a well-known terminology of cyberattack techniques, cybercriminal groups, and campaigns in APT attacks. We analyze the frequency and trend of techniques, followed by a qualitative analysis. Next, we perform association rule mining to identify co-occurring techniques, followed by a qualitative analysis.</div></div><div><h3>Findings:</h3><div>We identify that obtaining information on the operating and network system of the victim environment is the most prevalent technique and appears in the highest number of co-occurring pairs. We identify that spear-phishing is the most prevalent way of initial infection. We also identify three prevalent misuses of system functionalities: Macros in Office documents, the Registry in Windows, and the Task scheduler. We advocate that organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusions based on the identified association among malware techniques.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"157 ","pages":"Article 104618"},"PeriodicalIF":5.4000,"publicationDate":"2025-08-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"SoK: An empirical investigation of malware techniques in advanced persistent threat attacks\",\"authors\":\"Md Rayhanur Rahman , Setu Kumar Basak , Rezvan Mahdavi Hezaveh , Laurie Williams\",\"doi\":\"10.1016/j.cose.2025.104618\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"<div><h3>Context:</h3><div>Adversaries launch advanced persistent threat (APT) attacks, where adversaries design their attack for a specific target and aim to remain undetected for a prolonged time. The attackers deploy a plethora of techniques for delivering and operating multiple malware in manual or automated manners. Cybersecurity vendors publish technical reports, known as cyberthreat intelligence reports, on past APT attacks, a rich information source on malware techniques. To defend organizations, prevalent techniques observed across malware in APT attacks and their association need to be identified.</div></div><div><h3>Objective:</h3><div>The goal of this research is to aid cybersecurity practitioners in defending against APT attacks by analyzing malware techniques documented in cyberthreat intelligence reports.</div></div><div><h3>Methodology:</h3><div>We construct a curated set of 798 cyberthreat intelligence reports and then analyze the reported malware techniques using MITRE ATT&CK, a well-known terminology of cyberattack techniques, cybercriminal groups, and campaigns in APT attacks. We analyze the frequency and trend of techniques, followed by a qualitative analysis. Next, we perform association rule mining to identify co-occurring techniques, followed by a qualitative analysis.</div></div><div><h3>Findings:</h3><div>We identify that obtaining information on the operating and network system of the victim environment is the most prevalent technique and appears in the highest number of co-occurring pairs. We identify that spear-phishing is the most prevalent way of initial infection. We also identify three prevalent misuses of system functionalities: Macros in Office documents, the Registry in Windows, and the Task scheduler. We advocate that organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusions based on the identified association among malware techniques.</div></div>\",\"PeriodicalId\":51004,\"journal\":{\"name\":\"Computers & Security\",\"volume\":\"157 \",\"pages\":\"Article 104618\"},\"PeriodicalIF\":5.4000,\"publicationDate\":\"2025-08-09\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Computers & Security\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://www.sciencedirect.com/science/article/pii/S0167404825003074\",\"RegionNum\":2,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q1\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825003074","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

背景：攻击者发起高级持续性威胁（APT）攻击，攻击者针对特定目标设计攻击，目的是长时间不被发现。攻击者部署了大量的技术，以手动或自动的方式交付和操作多个恶意软件。网络安全供应商发布了关于过去APT攻击的技术报告，称为网络威胁情报报告，这是恶意软件技术的丰富信息源。为了保护组织，需要识别在APT攻击中观察到的恶意软件的流行技术及其关联。目的：本研究的目的是通过分析网络威胁情报报告中记录的恶意软件技术，帮助网络安全从业者防御APT攻击。方法：我们构建了一套精心策划的798个网络威胁情报报告，然后使用MITRE ATT&；CK（一个众所周知的网络攻击技术、网络犯罪集团和APT攻击活动术语）分析报告的恶意软件技术。我们分析了技术的频率和趋势，然后进行了定性分析。接下来，我们执行关联规则挖掘以识别共同发生的技术，然后进行定性分析。研究结果：我们发现，获取受害者环境的操作和网络系统的信息是最普遍的技术，并且出现在最多的共同发生对中。我们发现鱼叉式网络钓鱼是最普遍的初始感染方式。我们还指出了三种常见的系统功能误用：Office文档中的宏、Windows中的注册表和任务调度程序。我们建议组织优先考虑针对已识别的流行技术的防御，并根据已识别的恶意软件技术之间的关联积极寻找潜在的恶意入侵。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

SoK: An empirical investigation of malware techniques in advanced persistent threat attacks

Context:

Adversaries launch advanced persistent threat (APT) attacks, where adversaries design their attack for a specific target and aim to remain undetected for a prolonged time. The attackers deploy a plethora of techniques for delivering and operating multiple malware in manual or automated manners. Cybersecurity vendors publish technical reports, known as cyberthreat intelligence reports, on past APT attacks, a rich information source on malware techniques. To defend organizations, prevalent techniques observed across malware in APT attacks and their association need to be identified.

Objective:

The goal of this research is to aid cybersecurity practitioners in defending against APT attacks by analyzing malware techniques documented in cyberthreat intelligence reports.

Methodology:

We construct a curated set of 798 cyberthreat intelligence reports and then analyze the reported malware techniques using MITRE ATT&CK, a well-known terminology of cyberattack techniques, cybercriminal groups, and campaigns in APT attacks. We analyze the frequency and trend of techniques, followed by a qualitative analysis. Next, we perform association rule mining to identify co-occurring techniques, followed by a qualitative analysis.

Findings:

We identify that obtaining information on the operating and network system of the victim environment is the most prevalent technique and appears in the highest number of co-occurring pairs. We identify that spear-phishing is the most prevalent way of initial infection. We also identify three prevalent misuses of system functionalities: Macros in Office documents, the Registry in Windows, and the Task scheduler. We advocate that organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusions based on the identified association among malware techniques.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.