Cyber Kill Chain-Based Taxonomy of Advanced Persistent Threat Actors: Analogy of Tactics, Techniques, and Procedures

  • Bahrami, Pooneh Nikkhah (Dept. of Computer Science, University of Tehran) ;
  • Dehghantanha, Ali (Cyber Science Lab, School of Computer Science, University of Guelph) ;
  • Dargahi, Tooska (School of Computing, Science, and Engineering, University of Salford) ;
  • Parizi, Reza M. (School of Computing and Software Engineering, Kennesaw State University) ;
  • Choo, Kim-Kwang Raymond (Dept. of Information and Cyber Security, University of Texas at San Antonio) ;
  • Javadi, Hamid H.S. (Dept. of Computer Science, Shahed University)
  • Received : 2019.01.03
  • Accepted : 2019.04.18
  • Published : 2019.08.31


The need for cyber resilience is increasingly important in our technology-dependent society where computing devices and data have been, and will continue to be, the target of cyber-attackers, particularly advanced persistent threat (APT) and nation-state/sponsored actors. APT and nation-state/sponsored actors tend to be more sophisticated, having access to significantly more resources and time to facilitate their attacks, which in most cases are not financially driven (unlike typical cyber-criminals). For example, such threat actors often utilize a broad range of attack vectors, cyber and/or physical, and constantly evolve their attack tactics. Thus, having up-to-date and detailed information of APT's tactics, techniques, and procedures (TTPs) facilitates the design of effective defense strategies as the focus of this paper. Specifically, we posit the importance of taxonomies in categorizing cyber-attacks. Note, however, that existing information about APT attack campaigns is fragmented across practitioner, government (including intelligence/classified), and academic publications, and existing taxonomies generally have a narrow scope (e.g., to a limited number of APT campaigns). Therefore, in this paper, we leverage the Cyber Kill Chain (CKC) model to "decompose" any complex attack and identify the relevant characteristics of such attacks. We then comprehensively analyze more than 40 APT campaigns disclosed before 2018 to build our taxonomy. Such taxonomy can facilitate incident response and cyber threat hunting by aiding in understanding of the potential attacks to organizations as well as which attacks may surface. In addition, the taxonomy can allow national security and intelligence agencies and businesses to share their analysis of ongoing, sensitive APT campaigns without the need to disclose detailed information about the campaigns. It can also notify future security policies and mitigation strategy formulation.


  1. B. De Decker, J. Dittmann, C. Kraetzer, and C. Vielhauer, Communications and Multimedia Security (LNCS 8099). Heidelberg: Springer, 2014.
  2. E. Cole, Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization. Waltham, MA: Syngress, 2013.
  3. L. Wang, M. Zhang, and A. Singhal, "Network security metrics: from known vulnerabilities to zero day attacks," in From Database to Cyber Security. Cham: Springer, 2018, pp. 450-469.
  4. B. Donohue, "What is APT?," 2013 [Online]. Available:
  5. P. Chen, L. Desmet, and C. Huygens, "A study on advanced persistent threats," in Communications and Multimedia Security. Heidelberg: Springer, 2014, pp. 63-72.
  6. FireEye Labs, "APT 30 and the mechanics of a long-running cyber espionage operation," 2015 [Online]. Available:
  7. I. M. Chapman, S. P. Leblanc, and A. Partington, "Taxonomy of cyber attacks and simulation of their effects," in Proceedings of the 2011 Military Modeling & Simulation Symposium, Boston, MA, 2011, pp. 73-80.
  8. S. Hansman and R. Hunt, "A taxonomy of network and computer attacks," Computers & Security, vol. 24, no. 1, pp. 31-43, 2005.
  9. C. A. Meyers, S. S. Powers, and D. M. Faissol, "Taxonomies of cyber adversaries and attacks: a survey of incidents and approaches," Lawrence Livermore National Lab., Livermore, CA, Report No. LLNL-TR-419041, 2009.
  10. C. Simmons, C. Ellis, S. Shiva, D. Dasgupta, and Q. Wu, "AVOIDIT: a cyber attack taxonomy," in Proceedings of the 9th Annual Symposium on Information Assurance (ASIA'14), Albany, NY, 2014, pp. 2-12.
  11. B. Zhu, A. Joseph, and S. Sastry, "A taxonomy of cyber attacks on SCADA systems," in Proceedings of 2011 International Conference on Internet of Things and 4th International Conference on Cyber, Physical and Social Computing, Dalian, China, 2011, pp. 380-388.
  12. E. M. Hutchins, M. J. Cloppert, and R. M. Amin, "Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains," Leading Issues in Information Warfare & Security Research, vol. 1, no. 1, pp. 80-106, 2011.
  13. A. Lemay, J. Calvet, F. Menet, and J. M. Fernandez, "Survey of publicly available reports on advanced persistent threat actors," Computers & Security, vol. 72, pp. 26-59, 2018.
  14. N. Virvilis and D. Gritzalis, "The big four-what we did wrong in advanced persistent threat detection?," in Proceedings of 2013 International Conference on Availability, Reliability and Security, Regensburg, Germany, 2013, pp. 248-254.
  15. M. Ussath, D. Jaeger, F. Cheng, and C. Meinel, "Advanced persistent threats: behind the scenes," in Proceedings of 2016 Annual Conference on Information Science and Systems (CISS), Princeton, NJ, 2016, pp. 181-186.
  16. T. Yadav and A. M. Rao, "Technical aspects of cyber kill chain," in Security in Computing and Communication. Cham: Springer, 2015, pp. 438-452.
  17. R. Derbyshire, B. Green, D. Prince, A. Mauthe, and D. Hutchison, "An analysis of cyber security attack taxonomies," in Proceedings of 2018 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW), London, UK, 2018, pp. 153-161.
  18. Dell SecureWorks Counter Threat Unit Threat Intelligence "Threat Group 3390 Cyberespionage," 2015 [Online]. Available:
  19. A. Chesla, "Cyber-security system and methods thereof," U.S. Patent 9565204, 2017.
  20. G. O'Gorman and G. McDonald, The Elderwood Project. Mountain View, CA: Symantec Corporation, 2012.
  21. M. Scott, "Clandestine Fox, Part Deux," 2014 [Online]. Available:
  22. Mandiant, "APT1: exposing one of China's cyber espionage units," 2013 [Online]. Available:
  23. C. Raiu, I. Soumenkov, K. Baumgartner, and V. Kamluk, "The MiniDuke mystery: PDF 0-day government spy assembler 0x29A micro backdoor," Kaspersky Lab, 2013 [Online]. Available:
  24. Novetta, "Operation SMN: Axiom Threat Actor Group Report," 2014 [Online]. Available:
  25. K. Scarfone and P. Mell, "Guide to Intrusion Detection and Prevention Systems (IDPS)," National Institute of Standards and Technology, Gaithersburg, MD, 2012.
  26. A. Fuchsberger, "Intrusion detection systems and intrusion prevention systems," Information Security Technical Report, vol. 10, no. 3, pp. 134-139, 2005.
  27. F. Casino, K. K. R. Choo, and C. Patsakis, "HEDGE: efficient traffic classification of encrypted and compressed packets," IEEE Transactions on Information Forensics and Security, vol. 14, no. 11, pp. 2916-2926, 2019.
  28. C. Raiu, "NetTraveler is back: the 'Red Star' APT returns with new tricks," 2013 [Online]. Available:
  29. Trend Micro Incorporated, "Spear-phishing email: most favored APT attack bait," 2012 [Online]. Available:
  30. I. Ghafir, V. Prenosil, M. Hammoudeh, F. J. Aparicio-Navarro, K. Rabie, and A. Jabban, "Disguised executable files in spear-phishing emails: detecting the point of entry in advanced persistent threat," in Proceedings of the 2nd International Conference on Future Networks and Distributed Systems, Amman, Jordan, 2018.
  31. K. Baumgartner and M. Golovkin, "The Naikon APT and the MsnMM campaigns," 2015 [Online]. Available:
  32. M. Shahzad, M. Z. Shafiq, and A. X. Liu, "Large scale characterization of software vulnerability life cycles," IEEE Transactions on Dependable and Secure Computing, 2019. 2893950.
  33. L. Kharouni, F. Hacquebord, N. Huq, J. Gogolinski, F. Merces, A. Remorin, and D. Otis, "Operation pawn storm using decoys to evade detection," Trend Micro, 2014 [Online]. Available:
  34. ClearSky Cyber Security, Trend Micro, "Operation wilted tulip: exposing a cyber-espionage apparatus," 2017 [Online]. Available:
  35. Kaspersky Lab, "Energetic Bear - Crouching Yeti," 2014 [Online]. Available:
  36. S. Doherty, J. Gegeny, B. Spasojevic, and J. Baltazar, "Hidden Lynx - professional hackers for hire," 2013 [Online]. Available:
  37. Symantec Corporation, "The Waterbug attack group" 2016 [Online]. Available:
  38. S. Shevchenko, "Agent.btz: a threat that hit pentagon," 2008 [Online]. Available:
  39. Trend Micro Incoporated, "A look at the threats to air-gapped systems," 2017 [Online]. Available:
  40. M. Guri and D. Bykhovsky, "air-jumper: covert air-gap exfiltration/infiltration via security cameras & infrared (IR)," Computers & Security, vol. 82, pp. 15-29, 2019.
  41. R. Benchea, C. Vatamanu, A. Maximciuc, and V. Luncasu, "APT28 under the scope," 2015 [Online]. Available:
  42. J. Calvet, "Sednit espionage group attacking air-gapped networks," 2014 [Online]. Available:
  43. Q. Do, B. Martini, and K. K. R. Choo, "The role of the adversary model in applied security research," Computers & Security, vol. 81, no. 156-181, 2018.
  44. S. O'Malley and K. K. R. Choo, "Bridging the air gap: Inaudible data exfiltration by insiders," in Proceedings of the 20th Americas Conference on Information Systems (AMCIS), Savannah, GA, 2014, pp. 7-10.
  45. D. Creus T. Halfpop, and R. Falcone, "Sofacy's 'Komplex' OS X Trojan," 2016 [Online]. Available:
  46. Kaspersky Lab, "The ProjectSauron APT," 2016 [Online]. Available:
  47. GReAT, "ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms," 2016 [Online]. Available:
  48. R. S. Ross, "Managing information security risk: organization, mission, and information system view," National Institute of Standards and Technology, Gaithersburg, MD, 2011.
  49. FireEye Labs, "Less than zero: a survey of zero-day attacks in 2013 and what they say about the traditional security model," 2013 [Online]. Available:
  50. L. Ablon and A. Bogart, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. Santa Monica, CA: Rand Corporation, 2017.
  51. L. Bilge and T. Dumitras, "Before we knew it: an empirical study of zero-day attacks in the real world," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, Raleigh, NC, 2012, pp. 833-844.
  52. N. Moran and M. Oppenheim, "Darwin's Favorite APT Group," 2014 [Online]. Available:
  53. V. Kotov and F. Massacci, "Anatomy of exploit kits," in Engineering Secure Software and Systems. Heidelberg: Springer, 2013, pp. 181-196.
  54. Kaspersky Lab, "Exploits: how great is the threat?," 2017 [Online]. Available:
  55. Minerva Labs and ClearSky Cyber Security, "CopyKittens Attack Group," 2015 [Online]. Available:
  56. Symantec Corporation, "The increased use of powershell in attacks," 2016 [Online]. Available:
  57. N. Villeneuve, J. T. Bennett, N. Moran, T. Haq, M. Scott, and K. Geers, "Operation 'KE3CHANG': Targeted Attacks against Ministries of Foreign Affairs," 2014 [Online]. Available:
  58. FireEye Lab, "Operation DeputyDog: Zero-Day (CVE-2013-3893) attack against Japanese targets," 2013 [Online]. Available:
  59. J. Miller-Osborn, "Credential-based attacks: exposing the ecosystem and motives behind credential phishing, theft and abuse," 2017 [Online]. Available:
  60. Dell SecureWorks Counter Threat Unit Threat Intelligence, "Hacker group creates network of fake LinkedIn profiles," 2015 [Online]. Available:
  61. FireEye iSIGHT Intelligence, "APT28: at the center of the storm," 2017 [Online]. Available:
  62. D. Alperovitch, "Bears in the Midst: intrusion into the Democratic National Committee," 2016 [Online]. Available:
  63. C. Missaoui, S. Bachouch, I. Abdelkader, and S. Trabelsi, "Who is reusing stolen passwords? An empirical study on stolen passwords and countermeasures," in Cyberspace Safety and Security. Cham: Springer, 2018, pp. 3-17.
  64. M. S. Webb, "Evaluating tool based automated malware analysis through persistence mechanism detection," Ph.D. dissertation, Kansas State University, Manhattan, KS, 2018.
  65. N. Moran, S. Omkar Vashisht, M. Scott, and T. Haq, "Operation ephemeral hydra: IE Zero-Day linked to DeputyDog uses diskless method," 2013 [Online]. Available:
  66. Y. M. Wang, R. Roussev, C. Verbowski, A. Johnson, M. W. Wu, Y. Huang, and S. Y. Kuo, "Gatekeeper: monitoring auto-start extensibility points (ASEPs) for spyware management," in Proceedings of the 18th Large Installation System Administration Conference (LISA), Atlanta, GA, 2004, pp. 33-46.
  67. N. Miloslavskaya, "Remote attacks taxonomy and their verbal indicators," Procedia Computer Science, vol. 123, pp. 278-284, 2018.
  68. Symantec Corporation, ""Forkmeiamfamous": Seaduke, latest weapon in the Duke armory," 2015 [Online]. Available:
  69. B. E. Strom, J. A. Battaglia, M. S. Kemmerer, W. Kupersanin, D. P. Miller, C. Wampler, S. M. Whitley, and R. D. Wolf, "Finding cyber threats with ATT&CK-based analytics," The MITRE Corporation, Bedford, MA, Technical Report No. MTR170202, 2017.
  70. McAfee Labs, "Global energy cyberattacks: 'Night Dragon'," 2011 [Online]. Available:
  71. A. Hosseini, "Ten process injection techniques: a technical survey of common and trending process injection techniques," 2017 [Online]. Available:
  72. Microsoft, "Working with the AppInit DLLs registry value," 2018 [Online]. Available:
  73. M-Lab, "DLL search order hijacking revisited," 2010 [Online]. Available:
  74. Microsoft, "Dynamic-link library search order," 2018 [Online]. Available:
  75. S. Narang, "Backdoor.Barkiofork targets aerospace and defense industry," 2013 [Online]. Available:
  76. Symantec Corporation, "Backdoor.Barkiofork," 2013 [Online]. Available:
  77. A. Stewart, "DLL side-loading: a thorn in the side of the anti-virus industry," 2016 [Online]. Available:
  78. Dell SecureWorks Counter Threat Unit Threat Intelligence, "Threat Group 3390 cyberespionage," 2015 [Online]. Available:
  79. J. Grunzweig, "Unit 42 Technical Analysis: Seaduke," 2015 [Online]. Available:
  80. G Data SecurityLabs, "COM Object hijacking: the discreet way of persistence," 2014 [Online]. Available:
  81. ESET, "En route with Sednit," 2016 [Online]. Available:
  82. V. Rusakov and S. Golovanov "Attacks before system startup," 2014 [Online]. Available:
  83. J. Gardiner, M. Cova, and S. Nagaraja, "Command & Control: Understanding, Denying and Detecting-A review of malware C2 techniques, detection and defences," 2014 [Online]. Available:
  84. D. Chiu, S. H. Weng, and J. Chiu, "Backdoor use in targeted attacks," Trend Micro Incorporated, Irving, TX, 2014.
  85. S. Shafieian, D. Smith, and M. Zulkernine, "Detecting DNS tunneling using ensemble learning," in Network and System Security. Cham: Springer, 2017, pp. 112-127.
  86. S. Tanase, "Satellite Turla: APT command and control in the sky," 2015 [Online]. Available:
  87. J. Power, "Mind the gap: are air-gapped systems safe from breaches?," 2014 [Online]. Available:
  88. Symantec Corporation, "Flamer: highly sophisticated and discreet threat targets the Middle East," 2012 [Online]. Available:
  89. Microsoft, "Featured intelligence (Microsoft Security Intelligence Report Volume 19)," 2015 [Online]. Available: