Abstract
The cyber threat landscape evolves considerably every year, and Advanced Persistent Threats (APTs) continue to present challenges to organisations because of their sophisticated expertise and extensive resources. Traditional defenses are often not adequate to mitigate the risk posed by the nuanced Tactics, Techniques and Procedures (TTPs) employed by APT groups, while the cost of implementing countermeasures calls for careful selection and prioritisation of more tailored security measures. This thesis aims to bridge this gap by leveraging clustering algorithms to categorise APT groups based on their behaviours and characteristics, thereby enabling the formulation of tailored mitigation strategies.
Our research work begins by detailing the current state of cybersecurity and how Artificial Intelligence (AI) and Machine Learning (ML) are employed for threat identification. Although there is a substantial literature on anomaly detection in logs and on the categorisation of APT groups based on the malware samples they deploy, there is no relevant work on clustering APT groups by their TTPs. The obvious research question is whether we can show that such a clustering exists, so that organisations can focus on the techniques of the cluster of groups that most frequently target them and tailor their mitigation strategies accordingly.
To validate our hypothesis, we select and prepare the relevant dataset and apply different clustering algorithms to assess the clusterability of the APT data. The results prove that such a clustering does indeed exist, which allows us to select the most common TTPs per cluster and propose the corresponding mitigation strategies, resulting in prioritised and tailored security measures to be implemented.
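The pipeline sketched above (represent each group by its TTP set, cluster the groups, then pick the most common TTPs per cluster and map them to mitigations), as an added illustration that is not part of the thesis: the group names and their technique profiles are constructed, the technique and mitigation IDs are real MITRE ATT&CK identifiers, the mitigation mapping is a deliberately partial excerpt, and the clustering algorithm is a plain average-linkage agglomerative clustering on Jaccard distance, chosen here for illustration rather than taken from the thesis.

```python
from itertools import combinations

# Constructed data: hypothetical group names with ATT&CK technique IDs.
GROUP_TTPS = {
    "group-A": {"T1566", "T1059", "T1547", "T1071", "T1041"},
    "group-B": {"T1566", "T1059", "T1547", "T1071", "T1005"},
    "group-C": {"T1190", "T1505", "T1136", "T1021", "T1486"},
    "group-D": {"T1190", "T1505", "T1021", "T1486", "T1490"},
    "group-E": {"T1566", "T1059", "T1071", "T1041", "T1547"},
}

# Partial, illustrative technique -> ATT&CK mitigation mapping.
MITIGATIONS = {
    "T1059": ["M1038 Execution Prevention", "M1049 Antivirus/Antimalware"],
    "T1566": ["M1017 User Training", "M1049 Antivirus/Antimalware"],
    "T1190": ["M1051 Update Software", "M1016 Vulnerability Scanning"],
    "T1021": ["M1032 Multi-factor Authentication", "M1030 Network Segmentation"],
    "T1486": ["M1053 Data Backup"],
}

def jaccard_distance(a, b):
    """1 - |a & b| / |a | b|; two empty sets are treated as maximally distant."""
    union = a | b
    return 1.0 if not union else 1.0 - len(a & b) / len(union)

def cluster_groups(ttps, threshold=0.5):
    """Average-linkage agglomerative clustering: repeatedly merge the two
    closest clusters until the closest pair is further apart than threshold."""
    clusters = [[g] for g in ttps]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            pairs = [(x, y) for x in clusters[i] for y in clusters[j]]
            d = sum(jaccard_distance(ttps[x], ttps[y]) for x, y in pairs) / len(pairs)
            if best is None or d < best[0]:
                best = (d, i, j)
        d, i, j = best
        if d > threshold:
            break
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]
    return [sorted(c) for c in clusters]

def top_ttps(cluster, ttps, n=3):
    """Most frequent techniques across the groups of one cluster (ties by ID)."""
    counts = {}
    for g in cluster:
        for t in ttps[g]:
            counts[t] = counts.get(t, 0) + 1
    return sorted(counts, key=lambda t: (-counts[t], t))[:n]

def prioritised_mitigations(cluster, ttps, n=3):
    """Mitigations to prioritise for a cluster, from its top techniques."""
    return {t: MITIGATIONS.get(t, []) for t in top_ttps(cluster, ttps, n)}
```

With the constructed profiles the groups split into two clusters, {A, B, E} and {C, D}, and the top techniques of each cluster determine which mitigations an organisation targeted by that cluster should prioritise.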
Overall, this thesis contributes to the optimisation of cybersecurity defenses by introducing a structured approach that represents cyber attacks by their TTPs and then clusters APT groups based on those specific techniques, in order to propose tailored mitigation strategies that enhance the resilience of organisations against advanced threats.