Where do fileless viruses often store themselves to maintain persistence?


Under a Creative Commons license

Open access

Abstract

The main contribution of this paper is to provide an accurate taxonomy for persistence techniques, which allows the detection of novel techniques and the identification of appropriate countermeasures. Persistence is a key tactic for advanced offensive cyber operations. The techniques that achieve persistence have been largely analyzed in particular environments, but there is no suitable platform-agnostic model to structure persistence techniques. This lack causes a serious problem in the modeling of the activities of advanced threat actors, hindering both their detection and the implementation of countermeasures against their activities. In this paper we analyze previous work in this field and propose a novel taxonomy for persistence techniques based on persistence points, a key concept we introduce in our work as the basis for the proposed taxonomy. Our work will help analysts to identify, classify and detect compromises, significantly reducing the amount of effort needed for these tasks. It follows a logical structure that is easy to expand and adapt, and it can be directly used in commonly accepted industry standards such as MITRE ATT&CK.

Keywords

TTP

Persistence

Advanced Persistent Threat

Malware

MITRE ATT&CK


Antonio Villalón-Huerta is Chief Security Officer at S2 Grupo. He holds an MSc in Computer Engineering from the Universidad Politecnica de Valencia, Spain. With 25 years of experience in the cyber security field, in his career he has executed and managed analysis, defense, attack and exploitation projects, as well as designed and managed security operations and incident response centers. Antonio is the author of several books, articles and chapters on the subjects of cyber security and cyber intelligence, as well as a regular speaker at many conferences and courses. His research interests include the Russian cyber intelligence community and the modeling and detection of advanced threat actors.

Dr. H. Marco-Gisbert (M'13-SM'18) is an associate professor and cybersecurity researcher at the Universitat Politecnica de Valencia, Spain. He holds a PhD in Computer Science, Cybersecurity, from Universitat Politecnica de Valencia. Hector is a senior member of the Institute of Electrical and Electronics Engineers (IEEE), and a member of the Engineering and Physical Sciences Research Council (EPSRC) in the UK. Previously, he was associate professor at the University of the West of Scotland, UK, and cybersecurity researcher at the Universitat Politecnica de Valencia, where he co-founded the "cybersecurity research group". Hector was part of the team developing the multi-processor version of the XtratuM hypervisor to be used by the European Space Agency in its spacecraft. He participated in multiple research projects as Principal Investigator and Co-Investigator. Hector is the author of many papers on computer security and cloud computing. He has been invited multiple times to well-known cybersecurity conferences such as Black Hat and DeepSec. Hector has published more than 10 Common Vulnerabilities and Exposures (CVEs) affecting important software such as the Linux kernel. He has received honors and awards from Google, Packet Storm Security and IBM for his security contributions to the design and implementation of the Linux ASLR. Hector's professional interests include low-level cybersecurity, secure and non-secure world kernel and userland security, virtualization security and applied cryptography.

Ismael Ripoll-Ripoll received the PhD in computer science from the Universitat Politècnica de València in 1996, where he is currently professor of several cybersecurity subjects in the Department of Computing Engineering. In reverse chronological order: before working on security, he participated in multiple research projects related to hypervisor solutions for European spacecraft; dynamic memory allocation algorithms; Real-Time Linux; and hard real-time scheduling theory. Currently, he is applying all this background to the security field. His current research interests include memory error defense and attack techniques (SSP and ASLR) and software diversification. He is the leader of the cybersecurity research group at the UPV.

© 2022 The Author(s). Published by Elsevier Ltd.

How does fileless malware achieve persistence?

To penetrate the security of a device, fileless malware hides its malicious scripts inside the registry or in Windows Management Instrumentation (WMI) [Microsoft, 2018]. By doing this, the malware achieves a persistent fileless infiltration of the targeted device.
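As an added, defender-side example that is not from the paper or the Microsoft source cited above, the following PowerShell enumerates those two persistence points (permanent WMI event subscriptions and the Run/RunOnce registry keys) and flags entries whose payload invokes a script host or an encoded command; the indicator pattern is an assumption chosen for illustration.

```powershell
# Added example (not from the paper or the cited Microsoft source): enumerate two
# fileless persistence points, WMI permanent event subscriptions and Run/RunOnce keys,
# and flag payloads that invoke a script host or encoded command. Run elevated.
# Assumed indicator pattern, illustrative rather than exhaustive (-match is case-insensitive).
$script:Suspicious = 'powershell|pwsh|wscript|cscript|mshta|regsvr32|rundll32|-enc|-e |iex|frombase64string|\.vbs|\.js\b|\.hta'

function Get-WmiPersistence {
    # A permanent subscription = filter (WQL trigger) + consumer (action) + binding,
    # all stored in the root\subscription namespace rather than on disk.
    $ns = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter   -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
    foreach ($b in $bindings) {
        # Reference properties resolve to key-only instances; match them back by Name.
        $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name } | Select-Object -First 1
        # CommandLineEventConsumer holds a command line, ActiveScriptEventConsumer an inline script.
        $payload = "<$($c.CimClass.CimClassName)>"
        if ($c.CommandLineTemplate) { $payload = $c.CommandLineTemplate }
        elseif ($c.ScriptText)      { $payload = $c.ScriptText }
        [pscustomobject]@{
            Source = 'WMI'; Location = "Filter '$($f.Name)' -> Consumer '$($c.Name)'"
            Trigger = $f.Query; Payload = $payload
            Suspicious = [bool]($payload -match $script:Suspicious)
        }
    }
}

function Get-RegistryRunPersistence {
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
              'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSChildName and friends
            [pscustomobject]@{
                Source = 'Registry'; Location = "$k\$($p.Name)"; Trigger = 'User logon'
                Payload = [string]$p.Value; Suspicious = [bool]($p.Value -match $script:Suspicious)
            }
        }
    }
}

# Suspicious entries first; review each against a known-good software baseline.
@(Get-WmiPersistence) + @(Get-RegistryRunPersistence) | Sort-Object Suspicious -Descending |
    Format-Table Source, Suspicious, Location, Payload -AutoSize -Wrap
```

Entries flagged here are only leads: the same locations are used by legitimate installers and management agents, so compare each against what is expected on that host.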

What is fileless persistence?

One of the most persistent evasion techniques involves fileless attacks, which do not require malicious software to break into a system. Instead of relying on executables, these threats misuse tools that are already in the system to initiate attacks.

What is a fileless virus?

Fileless malware is a type of malicious activity that uses native, legitimate tools built into a system to execute a cyber attack. Unlike traditional malware, fileless malware does not require an attacker to install any code on a target's system, making it hard to detect.

How is fileless malware spread?

Instead of dropping its own files, fileless malware is sneakier: it activates tools, software and applications that are already built into your operating system, and then hides in your system. Fileless malware piggybacks on legitimate scripts, executing malicious activity while the legitimate programs continue to run.
