Orbinato, Vittorio (2023) A Cyber Threat Intelligence-driven Framework for Adversary Emulation. [PhD thesis]
Full text: Orbinato_Vittorio_36.pdf (8MB)
| Document type: | PhD thesis |
|---|---|
| Language: | English |
| Title: | A Cyber Threat Intelligence-driven Framework for Adversary Emulation |
| Authors: | Orbinato, Vittorio (vittorio.orbinato@unina.it) |
| Date: | 12 December 2023 |
| Number of pages: | 118 |
| Institution: | Università degli Studi di Napoli Federico II |
| Department: | Ingegneria Elettrica e delle Tecnologie dell'Informazione |
| Doctoral programme: | Information technology and electrical engineering |
| Doctoral cycle: | 36 |
| Doctoral programme coordinator: | Russo, Stefano (stefano.russo@unina.it) |
| Supervisors: | Cotroneo, Domenico; Natella, Roberto |
| Keywords: | Adversary Emulation, Cyber Threat Intelligence, Cybersecurity, Proactive Security |
| MIUR scientific-disciplinary sectors: | Area 09 - Ingegneria industriale e dell'informazione > ING-INF/05 - Sistemi di elaborazione delle informazioni |
| Deposited on: | 13 Dec 2023 07:55 |
| Last modified: | 10 Mar 2026 14:40 |
| URI: | http://www.fedoa.unina.it/id/eprint/15653 |
Abstract
In the ever-evolving landscape of cybersecurity, the challenges that organizations face in safeguarding their digital assets and data have grown exponentially. Traditional reactive security measures, which focus on responding to attackers after they have breached the perimeter, are no longer sufficient in the current dynamic threat environment and result in delayed detection and business damage. To protect effectively against Advanced Persistent Threats (APTs), organizations must shift their paradigm toward proactive security measures. Adversary emulation is the pivotal strategy in this landscape: it emulates the tactics, techniques, and procedures (TTPs) employed by real-world threat actors in order to anticipate their moves and enhance defensive capabilities accordingly. Unfortunately, adversary emulation also presents some drawbacks that limit its adoption. First, the scenarios emulated with this paradigm are not representative of real-world threat actors, because adversary emulation lacks integration with cyber threat intelligence (CTI), which would provide insights into the TTPs employed by APTs. This is because CTI still comes mostly in unstructured forms, e.g., threat and incident reports written by security analysts, which makes it challenging to process this information automatically in order to replicate the attackers' behavior. Second, security practitioners cannot rely on open-source adversary emulation tools to emulate APTs effectively: these solutions only provide educational emulation and are unable to evade basic detection countermeasures in actual deployment scenarios. To address these issues, this dissertation devises a CTI-driven framework for adversary emulation. The framework provides a pipeline that automatically extracts attack techniques from CTI documents and generates adversary emulation plans. In addition, it offers a novel solution for adversary emulation (Laccolith) that is able to perform malicious actions in a non-detectable way, so as to emulate the behavior of complex APTs realistically. Laccolith was tested against multiple AV/EDR solutions to assess its effectiveness for adversary emulation.