Advanced Persistent Threats (APT) are complex, targeted and effective attacks on critical IT infrastructures (CIs), public authorities and large and medium-sized enterprises in order to steal confidential data. Monitoring and investigating acts of espionage and sabotage at organizations or critical infrastructures relevant to state protection is a declared goal of the Austrian security ministries in terms of increasing overall state resilience (e.g., Austrian Security Strategy and sub-strategies based on it).

The work preceding the study pursued several goals. In an initial investigation of known APT cases, the commonalities (in terms of attack vectors used, procedures, but also subsequent processing, etc.) were identified. The goal was to create and validate a definition of an APT case that is suitable for APT-CC and, above all, Austrian conditions and that is clearly distinguishable from the existing competencies (e.g., of the Cyber Crime Competence Center or the National Defense). In addition, initiatives abroad were briefly examined, which could possibly serve as templates for Austria.

One of the major differences to the economy, where the primary focus of all parties involved after a cyber security incident has occurred is recovery, it is also one of the main tasks of a government APT-CC to manage the attribution of attacks to perpetrator groups, especially if this APT-CC is to be located within a law enforcement agency. The study therefore sheds light on what artifacts can be collected, forensically assessed, and processed during an attack to aid in this attribution process. It also briefly examines the placement of so-called "false flags" and the challenges of attribution.

Another goal was to investigate the applicability of various technologies in the regular operation of an APT-CC. In this context, IoC-based early warning systems already in use internationally by authorities and, where applicable, critical infrastructures play an essential role. The goal of such systems is to automatically monitor indicators of attacks nationwide. The study therefore describes the possible structures and operator models of such early warning systems - based on examples from other European countries.

Based on this, the study also addresses the question of which attack vectors are reflected in which artifacts and which type of sensor technology is therefore particularly desirable for the early detection of attack attempts. In doing so, a brief case study is also described, in which the steps for the justified selection of suitable data sources were carried out.

The use of complex technical tools also requires the establishment of processes necessary for this purpose and appropriate training of staff. The skills to be acquired by APT-CC staff were therefore also considered in more detail. This part also concludes with a rough outline of the structure of an APT-CC.

In parallel to the technical-organizational investigations, the legal situation was also the focus of this study. In particular, the applicability of the technologies examined (IoC-based early warning systems, forensics in relation to DS-GVO), as well as the valid legal framework conditions for the establishment of an APT-CC (services and powers) were elaborated and fully documented.

The APT-CC study ultimately sheds light on many organizational, technical and legal sub-aspects that are essential in the realization of an APT competence center. The aim is to identify ways to increase cybersecurity for security-relevant companies (especially those in the critical infrastructure sector) and to improve the exchange between governmental and non-governmental cybersecurity agencies.

The declared non-objective of this work was the concrete implementation in Austria, especially the integration into already existing structures in ministries and committees.

• Partner: REPUCO Unternehmensberatung GmbH,Technische Universität Wien, Bundesministerium für Inneres
• Projektlaufzeit: 11/2018 – 04/2020
• Förderprogramm: FFG KIRAS Sicherheitsforschung - Herbstausschreibung 2017/18