R2D2 Project: applying AI for APT detection

In the dynamic and ever-changing landscape of cybersecurity, Advanced Persistent Threats (APTs) stand out as one of the most significant challenges. These threats, characterized by their sophistication and ability to evade traditional defences, can infiltrate corporate and government networks, remaining undetected for extended periods. Effective detection of APTs is therefore a critical priority to protect the integrity and confidentiality of information.

APTs are characterized by their high sophistication and persistence in target systems. Attackers, often backed by significant resources, employ complex tactics to gain unauthorized access to systems and extract sensitive data or cause prolonged damage. These tactics include the use of custom malware, exploitation of unknown vulnerabilities (zero-day), and advanced social engineering techniques. On the defensive side, the MITRE ATT&CK framework provides a comprehensive structure detailing the various methods and techniques attackers use at each stage of the cyberattack lifecycle, allowing for a better understanding and defence against these advanced threats.

In this context, artificial intelligence (AI) emerges as a promising tool to enhance APT detection capabilities. AI, with its ability to analyse vast amounts of data and detect anomalous patterns, offers an advanced solution against traditional cybersecurity techniques. Unlike conventional methods, which often rely on predefined signatures and static rules, AI can adapt and learn from new threats in real-time.

Throughout this publication, we will demonstrate how AI is being applied at S2 Grupo for APT detection within the framework of the R2D2 (Reliability, Resilience, and Defense technology for the grid) project, examining both current challenges and potential benefits. We will analyse the distinctive characteristics of APTs, the obstacles in their detection, and how AI-based solutions can overcome these challenges.

Understanding APTs

APTs are designed to infiltrate and remain within networks for long periods without being detected. Their main characteristics include persistence over time, targeting very specific objectives, significant resources at their disposal, and the use of advanced techniques to avoid detection.

Their lifecycle can be divided into several phases, each with its own tactics and techniques. This cycle is widely represented in the MITRE ATT&CK framework, which breaks down the different stages and methods used by attackers:

1. Reconnaissance: Gathering information about the target to identify potential vulnerabilities and attack vectors. This can include network scanning, social engineering, and searching for public information.
2. Infiltration: Initial access to the target system through techniques like phishing, exploitation of vulnerabilities, or the use of stolen credentials.
3. Establishing Footholds and Privilege Escalation: Once inside, persistent footholds are established using custom malware and privilege escalation techniques to ensure continued presence.
4. Lateral Movement: Moving laterally within the network, compromising other systems and accounts to expand access and gather more information.
5. Exfiltration and Maintenance: Sensitive data is slowly extracted to avoid detection, while attackers maintain their presence in the target system.
6. Covering Tracks and Evasion: To avoid detection, traces of activity are removed and advanced techniques are used to hide their presence.

APT Detection

Detecting APTs presents multiple challenges due to the sophistication and adaptability of these attacks. Here are some of the main obstacles that hinder the identification and mitigation of APTs:

• Evasion Techniques: Use of very specific malware, encryption and obfuscation techniques to hide activity, exploitation of unknown vulnerabilities, slow and meticulous behaviours that go unnoticed.
• Limitations of Traditional Detection Techniques: Late reactions, dependence on static signatures, lots of noise in the form of false positives.
• Need for a Holistic and Dynamic Approach: Integration of multiple data sources and advanced technologies that can evolve along with the threats.

However, artificial intelligence and machine learning are revolutionizing how these threats are detected and mitigated. The power of these technologies allows for the development of solutions that greatly enhance defence capabilities.

Threat Intelligence

Over the years, the security team at S2 Grupo has collected a vast amount of threat intelligence, including detailed information on the tactics and techniques employed by various APTs, structured according to the MITRE ATT&CK framework standards. This properly normalized database provides an invaluable resource for identifying patterns and behaviours associated with these groups’ activities.

Added to this is the internal tool, Carmen, focused on APT detection and facilitating the Threat Hunting process. This tool incorporates, among other capabilities, a series of analysers designed to identify signs of APT presence within an organization.

Artificial Intelligence

To improve the accuracy and effectiveness of APT detection by Carmen, the development of an AI module is proposed as a complement. This module receives as input both historical threat intelligence and the standardized results of Carmen’s analysers, to correlate the two sources of information. It is important to first standardize the analysers output to align it with threat intelligence. This module consists of two main phases:

1. Projection in an N-dimensional Space: Using Natural Language Processing (NLP) techniques, each tactic and technique from the threat intelligence database is projected into an N-dimensional space. This same process is applied to Carmen’s analyser results. By representing this data in a common space, we can measure distances and relationships between them. If an analyser’s results are close to any known threats in this space, a possible correlation is identified, indicating signs of an APT.

2. Correlation and APT Detection: In the second phase, all generated alerts are correlated. This correlation is done through an algorithm that acts as a probability calculator to estimate the risk of an APT. By correlating multiple signs and alerts, the algorithm provides an estimated associated risk, allowing for a more accurate and rapid assessment of the situation. This approach not only increases detection accuracy but also enables early threat identification, giving organizations the opportunity to respond before significant damage occurs.

In conclusion, as APT detection is an imperative need in today’s digital era, AI emerges as a strong ally in this fight. The module described here, developed within the framework of the European R2D2 project, presents an innovative approach that combines artificial intelligence, NLP, and a threat intelligence database, enabling the Carmen tool with new capabilities to favour early threat identification, a crucial aspect for preventing and mitigating significant damage. Implementing these new technologies represents a vital step towards a more proactive and robust cybersecurity, ensuring the resilience of digital infrastructures against the most advanced threats.

Funded by the European Union. Views and opinions expressed are however those of the author(s) only and do not necessarily reflect those of the European Union. Neither the European Union nor the granting authority can be held responsible for them. Horizon Europe – Grant agreement Nº 101075714.