Approximate Automated Campaign Analysis with Density Based Clustering


Abstract

The modern cybersecurity landscape is characterised by a growing number of actors capable of performing advanced and highly impactful hacking. The situation has worsened significantly in the last decade because more and more critical infrastructure is connected to the Internet, because the capabilities of attackers have improved and because their numbers have increased.
Threat Intelligence emerged as a valuable domain for enhancing security defences by studying threats' motives, techniques, tools and procedures. Campaign analysis is a process within this domain that follows attackers through time by linking several hack attempts that share a threat actor, a victim and a specific goal. Unfortunately, this process is rarely applied in practice because the campaign analysis models available in the literature rely on manual investigation by security professionals. This approach can quickly become too expensive in both time and human resources.
In this thesis project, we improve the state of the art by automating a popular campaign analysis framework introduced in 2011 by Lockheed Martin security researchers Hutchins et al. We do not only automate the process: we also improve its recall performance to provide security analysts with more interesting and complete findings. Hopefully, this will empower all organisations, of any size and security profile, to perform their own threat intelligence. Lowering the adoption threshold is an inescapable requirement if we want security to improve horizontally throughout all industry sectors. Widespread adoption of campaign analysis would lead to a broader and quicker understanding of threat campaigns and goals, contributing to a safer society.
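The abstract describes campaign analysis as linking hack attempts that share an actor, a victim and a goal, and the title names density-based clustering as the automation technique. The following is an added illustration, not code or data from the thesis: it runs a small DBSCAN implementation over constructed intrusion records, using Jaccard distance between each record's indicator set as the density measure. The indicator vocabulary, the `eps` and `min_pts` thresholds and the sample records are all assumptions chosen for the example; the thesis's actual feature set and parameters are not on this page.

```python
"""Group constructed intrusion records into candidate campaigns with DBSCAN.

Added example (not the thesis's code). Each record carries the indicators an
analyst might extract from one hack attempt; records whose indicator sets are
dense enough under Jaccard distance are grouped into one campaign, and records
with no close neighbours are left as noise (label -1) for manual review.
"""
from typing import Dict, List, Set

# Constructed sample records (assumption: indicators are "type:value" strings).
INTRUSIONS: List[Dict[str, object]] = [
    {"id": "i1", "ind": {"victim:finance", "tool:macro-doc", "c2:domain-a", "goal:exfil"}},
    {"id": "i2", "ind": {"victim:finance", "tool:macro-doc", "c2:domain-a", "goal:exfil", "actor:group-x"}},
    {"id": "i3", "ind": {"victim:finance", "tool:macro-doc", "c2:domain-b", "goal:exfil", "actor:group-x"}},
    {"id": "i4", "ind": {"victim:energy", "tool:phish-link", "c2:domain-c", "goal:disrupt"}},
    {"id": "i5", "ind": {"victim:energy", "tool:phish-link", "c2:domain-c", "goal:disrupt", "actor:group-y"}},
    {"id": "i6", "ind": {"victim:retail", "tool:webshell", "c2:domain-d", "goal:fraud"}},
]


def jaccard_distance(a: Set[str], b: Set[str]) -> float:
    """1 - |a & b| / |a | b|; 0.0 for identical sets, 1.0 for disjoint ones."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def dbscan(records: List[Dict[str, object]], eps: float = 0.4, min_pts: int = 2) -> Dict[str, int]:
    """Return a mapping record id -> cluster label (-1 marks noise).

    eps and min_pts are assumed thresholds: a record is a core point when at
    least min_pts records (itself included) lie within distance eps of it.
    """
    def neighbours(i: int) -> List[int]:
        return [j for j in range(len(records))
                if jaccard_distance(records[i]["ind"], records[j]["ind"]) <= eps]

    labels: Dict[str, int] = {}
    cluster = 0
    for i, rec in enumerate(records):
        if rec["id"] in labels:
            continue
        nb = neighbours(i)
        if len(nb) < min_pts:
            labels[rec["id"]] = -1  # provisional noise; may become a border point later
            continue
        labels[rec["id"]] = cluster
        seeds = [j for j in nb if j != i]
        while seeds:
            j = seeds.pop()
            jid = records[j]["id"]
            if labels.get(jid) == -1:
                labels[jid] = cluster  # border point reachable from a core point
            if jid in labels:
                continue
            labels[jid] = cluster
            nb_j = neighbours(j)
            if len(nb_j) >= min_pts:  # j is a core point: keep expanding the cluster
                seeds.extend(k for k in nb_j if records[k]["id"] not in labels)
        cluster += 1
    return labels


def campaigns(records: List[Dict[str, object]], eps: float = 0.4, min_pts: int = 2) -> Dict[int, Dict[str, object]]:
    """Summarise each cluster by its member ids and the indicators they all share."""
    labels = dbscan(records, eps, min_pts)
    by_label: Dict[int, List[Dict[str, object]]] = {}
    for rec in records:
        by_label.setdefault(labels[rec["id"]], []).append(rec)
    summary: Dict[int, Dict[str, object]] = {}
    for label, members in by_label.items():
        shared = set.intersection(*(m["ind"] for m in members))
        summary[label] = {"members": [m["id"] for m in members], "shared": shared}
    return summary


if __name__ == "__main__":
    for label, info in sorted(campaigns(INTRUSIONS).items()):
        name = "noise" if label == -1 else f"campaign {label}"
        print(f"{name}: {info['members']} shared={sorted(info['shared'])}")
```

With the constructed data, `i1`..`i3` form one campaign (sharing the finance victim, the macro-document tool and the exfiltration goal), `i4` and `i5` form a second, and `i6` is left as noise. Loosening `eps` or lowering `min_pts` trades precision for recall, which is the direction the abstract says the automated approach pushes; the right values depend on the indicator vocabulary in use and are not given on this page.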
