Research area: Safety
Venue: ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
Advanced cyberattacks are carried out in multiple stages, where each stage performs a specific task within the campaign. While these steps are designed to blend in with benign activity, they leave footprints across multiple logs on the machines inside the victim environment. Most of these footprints, when looked at in isolation, appear benign to activity monitors. Existing threat hunting systems require a significant amount of human effort to correlate these events in order to detect and reconstruct an attack campaign. This paper introduces SteinerLog, an end-to-end system that automates the correlation of alerts to detect ongoing attack campaigns within an enterprise network. SteinerLog takes the alerts generated by mature intelligence-based and anomaly-based alerting systems and uses causal analysis to extract the group of events that is most likely to represent the attackers' activities. It performs hierarchical graph traversal to correlate attacker activity across hosts, which includes detecting the compromised entities, reconstructing the attackers' steps, and abstracting them into easy-to-understand attack graphs. The experiments show that it is able to detect APT campaigns in real time and scale to an enterprise system with hundreds of workstations.
| Publication year | 2022 |
|---|---|
| Citations | 18 |
| Country of publication | United States |
| Site | ACM |