Closing the Gap with APTs Through Semantic Clusters and Automated Cybergames

2019
Defenders spend significant time interpreting low-level events while attackers, especially Advanced Persistent Threats (APTs), think and plan their activities at a higher strategic level. In this paper, we close this semantic gap by making the attackers’ strategy an explicit machine-readable component of intrusion detection. We introduce the concept of semantic clusters, which combine high-level technique and tactic annotations with a set of events providing evidence for those annotations. We then use a fully automated cybergaming environment, in which a red team is programmed to emulate APT behavior, to assess and improve defensive posture. Semantic clusters both provide the basis of scoring these cybergames and highlight promising defensive improvements. In a set of experiments, we demonstrate effective defensive adjustments which can be made using this higher-level information about adversarial strategy.