Laccolith: Hypervisor-Based Adversary Emulation with Anti-Detection

Cited by: 0
Authors
Orbinato V. [1 ]
Feliciano M.C. [2 ]
Cotroneo D. [1 ]
Natella R. [1 ]
Affiliations
[1] Department of Electrical Engineering and Information Technology (DIETI), Università degli Studi di Napoli Federico II, Naples
[2] Secureware s.r.l., Naples
Keywords
Adversary Emulation; APT; Computer architecture; Cybersecurity; Emulation; Medical services; MITRE ATT&CK; Servers; Training; TTPs; Turning; Virtualization;
DOI
10.1109/TDSC.2024.3376129
Abstract
Advanced Persistent Threats (APTs) are the most dangerous form of attack today because they can remain undetected for long periods. Adversary emulation is a proactive approach to preparing against such attacks. However, existing adversary emulation tools lack the anti-detection capabilities of real APTs. We introduce Laccolith, a hypervisor-based solution for adversary emulation with anti-detection, to fill this gap. We also present an experimental study comparing Laccolith with MITRE CALDERA, a state-of-the-art adversary emulation solution, against five popular anti-virus products. We found that CALDERA cannot evade detection, which limits the realism of emulated attacks, even when it is combined with a state-of-the-art anti-detection framework. Our experiments show that Laccolith can hide its activities from all the tested anti-virus products, making it suitable for realistic emulations.
Pages: 1 / 13
Page count: 12