Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
GPT-4o
Gemini 2.5 Pro Pro
o3 Pro
GPT-4.1 Pro
DeepSeek R1 via Azure Pro
2000 character limit reached

OSTINATO: Cross-host Attack Correlation Through Attack Activity Similarity Detection (2312.09321v1)

Published 14 Dec 2023 in cs.CR

Abstract: Modern attacks against enterprises often have multiple targets inside the enterprise network. Due to the large size of these networks and increasingly stealthy attacks, attacker activities spanning multiple hosts are extremely difficult to correlate during a threat-hunting effort. In this paper, we present a method for an efficient cross-host attack correlation across multiple hosts. Unlike previous works, our approach does not require lateral movement detection techniques or host-level modifications. Instead, our approach relies on an observation that attackers have a few strategic mission objectives on every host that they infiltrate, and there exist only a handful of techniques for achieving those objectives. The central idea behind our approach involves comparing (OS agnostic) activities on different hosts and correlating the hosts that display the use of similar tactics, techniques, and procedures. We implement our approach in a tool called Ostinato and successfully evaluate it in threat hunting scenarios involving DARPA-led red team engagements spanning 500 hosts and in another multi-host attack scenario. Ostinato successfully detected 21 additional compromised hosts, which the underlying host-based detection system overlooked in activities spanning multiple days of the attack campaign. Additionally, Ostinato successfully reduced alarms generated from the underlying detection system by more than 90%, thus helping to mitigate the threat alert fatigue problem

Definition Search Book Streamline Icon: https://streamlinehq.com
References (19)
  1. 2021: Year in review. https://thedfirreport.com/2022/03/07/2021-year-in-review/
  2. Adversarial tactics, techniques and common knowledge. https://attack.mitre.org/
  3. Apt cybercriminal campagin collections. https://bit.ly/364iN8U
  4. Detecting lateral movement with windows event logs. https://bit.ly/3hQyF1D
  5. Mandiant. https://bit.ly/3MA0N7b (2013)
  6. Alert fatigue: 31.9% anaysts ignore alerts. https://bit.ly/3MyE9fA (2017)
  7. Automated incident response. https://bit.ly/3hPm3Ia (2017)
  8. New research from advanced threat analytics finds mssp incident responders overwhelmed by false-positive security alerts. https://prn.to/37hqsS9 (2018)
  9. Destructive attack “dustman”. https://bit.ly/3tHX7YC (2019)
  10. Dramatic reductions in alert fatigue with crowdscore. https://bit.ly/3IZD9is (2019)
  11. Tc engagement-5. https://github.com/darpa-i2o/Transparent-Computing (2019)
  12. Optc dataset. https://github.com/FiveDirections/OpTC-data (2020)
  13. Groups. https://attack.mitre.org/groups/ (2021)
  14. Lateral movement. https://bit.ly/3t63ru1 (2021)
  15. Lateral tool transfer. https://attack.mitre.org/techniques/T1570/ (2021)
  16. What makes lateral movement so hard to detect? https://bit.ly/3hUl0qg (2021)
  17. Gallagher, B.: Matching structure and semantics: A survey on graph-based pattern matching. In: AAAI Fall Symposium: Capturing and Using Patterns for Evidence Detection. pp. 45–53 (2006)
  18. Joachims, T.: Text categorization with support vector machines: Learning with many relevant features. In: European conference on machine learning. Springer
  19. King, D.: Spotting the signs of lateral movement. https://splk.it/3vTiQ2C (2018)
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Dice Question Streamline Icon: https://streamlinehq.com

Follow-up Questions

We haven't generated follow-up questions for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Generate Now