APTer: Towards the Investigation of APT Attribution.

2023 IEEE Conference on Dependable and Secure Computing (DSC), 2023

The rise of Advanced Persistent Threats (APTs) in recent years has sparked widespread concern in the cyber domain. APT-based cyberattacks are often stealthy, multi-staged, slow-moving, low-profile, and time-consuming. Furthermore, these attacks consist of a series of steps, each employing a different variation of a technique. Consequently, most existing approaches are inadequate for analyzing the behavior of such attacks effectively. To prevent potential compromises, a proactive APT defense strategy is required that can identify potential APT stages and attribute them to a specific APT group. Therefore, for both public and private organizations, the correlation and attribution of these attacks are crucial. In this paper, we propose APTer, a preliminary effort towards an archetype for APT attribution. The first aim of the research is to correlate multiple stages of APTs based on threat alerts. To define and correlate the APT stages, APTer first eliminates redundant threat alerts and clusters the remaining ones. Second, APTer uses a novel APT stage prediction mechanism to forecast future APT phases; we have developed a prediction model to determine the next APT stages. Finally, APTer attributes the identified and predicted stages to a particular APT group. APT attribution aims to find MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) that indicate possible threats by a specific group, correlated with the MITRE ATT&CK knowledge base. Additionally, we map Common Vulnerabilities and Exposures (CVEs) to MITRE ATT&CK to provide additional knowledge about existing vulnerabilities that can be associated with a MITRE ATT&CK technique. We have evaluated our work on third-party real-world datasets. Our results show that APTer can correlate, predict, attribute, and map with a high accuracy of 97.3% and a low false-positive rate of 2.1%.
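The pipeline sketched in the abstract (alert de-duplication, clustering alerts into APT stages, forecasting the next stage, attributing the observed TTP set to a group, and mapping CVEs onto ATT&CK techniques) can be illustrated end to end with a small defender-side example. The code below is an added illustration and is not APTer's implementation: the alerts, the group TTP profiles, the technique-to-tactic table, and the CVE identifier are all constructed for the example (the group names and profiles are hypothetical, not real threat-intelligence data), the stage prediction is a simple rule over a fixed kill-chain order rather than the learned model the paper describes, and attribution uses Jaccard overlap of observed techniques against each profile.

```python
from collections import defaultdict

# Constructed alerts (not real data): one EDR/IDS-style alert per entry,
# already tagged with the ATT&CK technique the signature is known to cover.
ALERTS = [
    {"ts": 1, "host": "ws-01", "tech": "T1566", "sig": "phish-attachment"},
    {"ts": 2, "host": "ws-01", "tech": "T1566", "sig": "phish-attachment"},   # duplicate
    {"ts": 3, "host": "ws-01", "tech": "T1059", "sig": "powershell-encoded"},
    {"ts": 4, "host": "ws-01", "tech": "T1059", "sig": "powershell-encoded"}, # duplicate
    {"ts": 5, "host": "srv-02", "tech": "T1021", "sig": "smb-admin-share"},
    {"ts": 6, "host": "srv-02", "tech": "T1041", "sig": "large-https-post"},
]

# Minimal technique -> tactic table (a handful of real ATT&CK technique IDs;
# a production tool would load the full ATT&CK STIX bundle instead).
TECHNIQUE_TACTIC = {
    "T1566": "initial-access",
    "T1059": "execution",
    "T1078": "persistence",
    "T1021": "lateral-movement",
    "T1041": "exfiltration",
}

# Fixed stage order used by the rule-based "prediction" below (assumption).
STAGE_ORDER = ["initial-access", "execution", "persistence",
               "lateral-movement", "exfiltration"]

# Hypothetical group TTP profiles, constructed for this example only.
GROUP_PROFILES = {
    "GROUP-A": {"T1566", "T1059", "T1021", "T1041"},
    "GROUP-B": {"T1078", "T1021", "T1041"},
}

# Placeholder CVE id (not a real vulnerability) mapped to a technique.
CVE_TO_TECHNIQUE = {"CVE-0000-00001": "T1566"}


def dedup(alerts):
    """Drop repeated alerts: same host, technique and signature keep only the first."""
    seen, kept = set(), []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["host"], a["tech"], a["sig"])
        if key not in seen:
            seen.add(key)
            kept.append(a)
    return kept


def cluster_by_stage(alerts):
    """Group alerts by the ATT&CK tactic (APT stage) their technique belongs to."""
    stages = defaultdict(list)
    for a in alerts:
        tactic = TECHNIQUE_TACTIC.get(a["tech"], "unknown")
        stages[tactic].append(a)
    # Return stages in kill-chain order so later steps can reason about progress.
    return {s: stages[s] for s in STAGE_ORDER if s in stages}


def predict_next_stage(observed_stages):
    """Rule-based stand-in for a stage predictor: the stage after the most
    advanced one observed, or None if the chain is already complete."""
    idx = max((STAGE_ORDER.index(s) for s in observed_stages
               if s in STAGE_ORDER), default=-1)
    return STAGE_ORDER[idx + 1] if idx + 1 < len(STAGE_ORDER) else None


def attribute(techniques):
    """Score each group profile by Jaccard overlap with the observed technique set."""
    observed = set(techniques)
    scores = {}
    for group, profile in GROUP_PROFILES.items():
        union = observed | profile
        scores[group] = len(observed & profile) / len(union) if union else 0.0
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def map_cve(cve_id):
    """Map a CVE to (technique, tactic); None when the CVE is not in the table."""
    tech = CVE_TO_TECHNIQUE.get(cve_id)
    return (tech, TECHNIQUE_TACTIC[tech]) if tech else None


def run_pipeline(alerts):
    """Correlate -> predict -> attribute, returning a summary dict."""
    unique = dedup(alerts)
    stages = cluster_by_stage(unique)
    techniques = sorted({a["tech"] for a in unique})
    return {
        "unique_alerts": len(unique),
        "stages": list(stages),
        "next_stage": predict_next_stage(stages),
        "attribution": attribute(techniques),
    }


if __name__ == "__main__":
    print(run_pipeline(ALERTS))
    print(map_cve("CVE-0000-00001"))
```

The duplicate phishing and PowerShell alerts collapse to one each, the four remaining alerts land in four distinct stages, and GROUP-A scores 1.0 against GROUP-B's 0.4. Note that in the constructed data the observed chain already reaches exfiltration, so the rule-based predictor returns None; on a partial chain (say only initial access and execution observed) it would return the next stage in the order, which is the kind of early warning the paper's predictor is meant to provide.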