• DocumentCode
    3722522
  • Title
    Multi-step Attack Pattern Detection on Normalized Event Logs
  • Author
    David Jaeger;Martin Ussath;Feng Cheng;Christoph Meinel
  • Author_Institution
    Hasso Plattner Inst., Potsdam, Germany
  • fYear
    2015
  • Firstpage
    390
  • Lastpage
    398
  • Abstract
    Looking at recent cyber-attacks in the news, a growing complexity and sophistication of attack techniques can be observed. Many of these attacks are performed in multiple steps to reach the core of the targeted network. Existing signature detection solutions focus on detecting a single step of an attack, but they do not see the big picture. Furthermore, current signature languages cannot integrate valuable external threat intelligence, which would simplify the creation of complex signatures and enable the detection of malicious activities already seen by other targets. We extend an existing multi-step signature language to support attack detection on normalized log events collected from various applications and devices. Additionally, the extended language supports the integration of external threat intelligence and allows us to reference current threat indicators. With this approach, we can create generic signatures that stay up-to-date. Using our language, we could detect various login brute-force attempts on multiple applications with only one generic signature.
  • Keywords
    "Concrete","Security","Handwriting recognition","Monitoring","Force","Petri nets","Complexity theory"
  • Publisher
    ieee
  • Conference_Titel
    Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on
  • Type
    conf
  • DOI
    10.1109/CSCloud.2015.26
  • Filename
    7371512