
A Study for Cyber Situation Awareness System Development with Threat Hunting

Korean title: A Study on the Development of a Cyber Situation Awareness System Applying Threat Hunting

  • Lee, Jaeyeon (이재연) (C2·Comm. R&D Center, C4I·Cyber Team, Hanwha Systems Co. Ltd.) ;
  • Choi, Jeongin (최정인) (C2·Comm. R&D Center, C4I·Cyber Team, Hanwha Systems Co. Ltd.) ;
  • Park, Sanghyun (박상현) (C2·Comm. R&D Center, C4I·Cyber Team, Hanwha Systems Co. Ltd.) ;
  • Kim, Byeongjin (김병진) (C2·Comm. R&D Center, C4I·Cyber Team, Hanwha Systems Co. Ltd.) ;
  • Hyun, Dae-Won (현대원) (C2·Comm. R&D Center, C4I·Cyber Team, Hanwha Systems Co. Ltd.) ;
  • Kim, Gwanyoung (김관영) (C2·Comm. R&D Center, C4I·Cyber Team, Hanwha Systems Co. Ltd.)
  • Received : 2018.07.04
  • Accepted : 2018.10.19
  • Published : 2018.12.05

Abstract

Threat hunting is defined as the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions. The main concept of threat hunting is to find weak points and remedy them before an actual cyber threat has occurred. The HMM (Hunting Maturity Matrix) has been proposed to evolve hunting processes through five levels, so a CSOC (Cyber Security Operations Center) can refer to the HMM to learn how to make itself safer against complicated and organized cyber attacks. We are developing a cyber situation awareness system with a proactive threat hunting process, called unMaze™. With unMaze, a CSOC's HMM level can be upgraded from the initial level to the basic level. A CSOC using unMaze performs the threat hunting process not only by detecting threats reactively with its existing cyber security equipment, but also by proactively detecting cyber threats through fusing and analyzing cyber asset data and threat intelligence.

Fig. 1. Proposed system framework for unMaze™

Fig. 2. SW functional block diagram of unMaze™

Fig. 3. SW functional diagram for gathering information on cyber assets

Fig. 4. Implemented web interface for cyber asset management

Fig. 5. Proposed threat hunting algorithm with threat intelligence

Fig. 6. Implemented cyber COP of unMaze™ for cyber situation awareness

Table 1. Definition of the threat hunting maturity matrix

Table 2. Enhancement of threat hunting maturity level with unMaze™
