Autumn Combs
David Hydorn
Chiamaka Ogbonna

Project Proposal

Background and Motivation

• Research Problem: How can enterprise environments better protect against cyber espionage through Kernel-mode Rootkits like Demodex, from advanced persistent threats like Salt Typhoon?
• Importance: Advanced persistent threat actors like Salt Typhoon are targeting corporate intellectual property by invading telecommunication companies and broadband networks such as Verizon, AT&T, Spectrum, Lumen, and Cisco. This project aims to contribute to the knowledge of preventing cyber espionage and to better understand the existing attack vectors, mitigations, and Structured Threat Intelligence Graphing (STIG maps) surrounding Kernel-mode Rootkits like Demodex.
• Challenges: It is difficult to replicate an enterprise environment with a home lab, so the project will need to be scaled appropriately to serve as a reference for an enterprise’s size and resources. Creating a successful testing environment also takes several steps, including multiple virtual machines, a copy of a malware rootkit, and security tools to record the impact of the attack. Finally, a robust security plan and STIG map must be created to guide defenses against future attacks.
• Objectives: This project aims to analyze the attack vectors of a Kernel-mode Rootkit like Demodex to produce a security plan and a Structured Threat Intelligence Graph (STIG) based on industry standards like the MITRE ATT&CK Framework. The data for this project will be collected from several security tools within a virtual machine after a simulated rootkit attack. This knowledge will then be applied to the STIG map and security plan.

Proposed Methodology

• Possible Solutions: Recreate a Kernel-mode Rootkit Attack, analyze the attack vectors and vulnerabilities, then create a security plan and STIG map with the findings.
• Evaluation Methods:
Analysis (theoretical frameworks) – compare the security plan to industry standards such as the MITRE ATT&CK framework and STIGs.
Simulation (system models) – recreate a Kernel-mode Rootkit attack within a virtual machine and use several security tools to analyze the impact of the attack and its vectors.
Implementation (experimental platform) – the attack will be recreated within a virtual machine to avoid damaging our own systems.

Expected Contributions

Outcomes: 
The project aims to develop a validated defense framework that effectively mitigates sophisticated cyberattacks, such as those executed by groups like Salt Typhoon. By integrating compliance standards with dynamic threat models, the framework is expected to enhance detection capabilities, reduce response times, and minimize the attack surface in enterprise environments.

Contributions: 
Advanced Knowledge: Our research endeavors to bridge the existing gap between theoretical cybersecurity models and their practical applications. By harmonizing frameworks like DISA STIGs with real-time threat analysis tools such as MITRE ATT&CK, we aim to offer a comprehensive strategy that is both innovative and actionable.
Practical Tools: Beyond theoretical insights, this project is committed to delivering tangible solutions. We plan to develop detailed guidelines and user-friendly tools that enterprises can readily adopt to fortify their security measures against advanced persistent threats.
Framework for Future Research: The methodologies and findings from this project will serve as a foundation for subsequent studies aiming to counter advanced persistent threats.

Impacts:
Academia: The research will contribute to the academic discourse by presenting empirical data and case studies that demonstrate the efficacy of integrated defense strategies.
Industry: Enterprises will benefit from the implementation of the proposed framework, leading to more robust security postures and compliance with evolving regulatory standards.
Society: Enhancing the cybersecurity of enterprise environments will protect sensitive data, maintain public trust, and ensure the resilience of critical infrastructure.

Targeted Conference/Journal

Conferences:

USENIX Security Symposium 2025:
Details: Scheduled for August 13–15, 2025, at the Seattle Convention Center in Seattle, WA, USA. 
Justification: Renowned for its focus on the latest advances in computer systems and network security, this symposium provides an ideal platform to present research that bridges theoretical frameworks and practical implementations.

IEEE Symposium on Security and Privacy (IEEE S&P):
Details: Recognized as a premier platform for groundbreaking cybersecurity research, IEEE S&P is scheduled for May 12–14, 2025, in San Francisco, CA. Its rigorous peer-review process and global reach make it an ideal venue to present our innovative defense framework.
Justification: As a premier venue for cutting-edge cybersecurity research, IEEE S&P is well-known for showcasing innovative defense mechanisms and theoretical advances. The rigorous peer-review process and international audience ensure that the research will be critically examined and widely disseminated.

ACM Conference on Computer and Communications Security (CCS):
Details: Set for October 13–17, 2025, in Taipei, Taiwan, ACM CCS is esteemed for its blend of theoretical insights and practical applications. Presenting at this conference would allow us to showcase our research to an audience keen on real-world cybersecurity solutions.
Justification: ACM CCS is renowned for its blend of theoretical and practical research contributions. Its focus on real-world applicability makes it an ideal venue for presenting a project that combines theoretical modeling with empirical validation through simulations and experimental platforms.

Journals:

Journal of Cybersecurity:
Details: This peer-reviewed journal covers a broad spectrum of cybersecurity topics, appealing to both scholars and industry professionals. Publishing our findings here would ensure they reach a diverse and relevant readership.
Justification: Its readership includes both academic researchers and industry practitioners, ensuring that the project’s findings reach a broad and relevant audience.

IEEE Transactions on Information Forensics and Security:
Details: Known for its high-impact publications, this journal focuses on advanced theoretical models and empirical studies addressing contemporary cybersecurity challenges. Our research aligns well with its mission to disseminate significant scientific contributions.
Justification: This journal is an excellent choice for disseminating detailed empirical results and advanced theoretical models that address modern cybersecurity challenges.

Organization of the Project and Project Management

5.1 Research Team

Autumn- UC MSIT graduating May 2025. Software engineering intern at Idaho National Laboratory and Vice President of UC’s Women in Cyber Security Chapter (WiCyS). Has experience in software, pen-testing, and network analysis.
David- UC MSIT graduating May 2025, Sales Specialist with NVISION. 9 years of professional background in sales and IT. Has experience in logistics, data management & integration flow, and user & IT system process innovation.
Chiamaka- UC MSIT graduating December 2025, provisioning activation center at Spectrum. I handle the port process of telephone lines from other providers, and I ensure customer accounts have the correct codings to function.

The team will conduct individual and group research into theoretical frameworks, such as MITRE ATT&CK and STIGs, and the threat actor Salt Typhoon. We will then bring our unique experiences together to recreate a simulated representative attack.

5.2 Research Plan

The project will be completed over the rest of the Spring 2025 semester between Weeks 5 and 15. The project has five main stages: 1. Analysis, 2. Simulation, 3. Implementation, 4. Project Presentation, and 5. Final Report. The timeline is depicted below in Table 1.

Table 1.

Project Management

Autumn- Team Leader
As the VP of WiCyS and a software engineering intern, Autumn is well suited to provide leadership by clearly identifying project objectives and serving as subject matter expert.
David- Facilitator
David has extensive practice working with clients – exploring various system assets and offering customized opportunities and will serve as a team facilitator to guide group discussion and collaboration.
Chiamaka- Project Coordinator 
Chiamaka will evaluate project outcomes/impact and act as project coordinator to keep us on task.


Progress Report 1: Due 3.10.25

  • Updated the project website
  • Researched STIG/MITRE to narrow down the project scope
  • Researched rootkit attacks from Salt Typhoon to recreate in the lab
  • Reached out to the university for CECH sandbox permissions

 

Progress Report Description (400 words)

Analysis of Windows Kernel-Mode Rootkit Attacks and Mitigations

STIGs are developed for specific software, hardware, or technologies. Thus, the likelihood a STIG exists for a device or product targeted by Salt Typhoon is very high. In contrast, the MITRE ATT&CK matrix – which comes with built-in mitigations – is more suited to our work. Although several matrices for Salt Typhoon have been published over the years, none incorporate the 2024 vulnerability. We propose to review older matrices, update them with recent vulnerabilities (even sampling CVEs if needed), and mark those that match Salt Typhoon’s tactics. For these reasons, we will adopt the MITRE ATT&CK matrix to showcase key attack concepts and tailored mitigations.

Kernel-mode rootkits are a type of malware that effectively evades detection by hiding within the operating system. Once deployed, attackers hide their presence while retaining high privileges, enabling them to modify kernel structures (kernel drivers). This type of attack falls under the defense evasion group of the MITRE ATT&CK matrix, though it lacks detailed sub-techniques; identifying these sub-techniques would add valuable depth. Salt Typhoon employs a rootkit called Demodex, which gains persistence by creating fake file headers (PNG, JPEG, or WAV) to establish covert command-and-control communications. Therefore, our focus will be on recreating a Demodex-style attack on a Windows operating system and then crafting new sub-techniques for the defense evasion group.
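A detection-side illustration of the fake-header point above, added here and not taken from the project or from any Demodex analysis: a file that only borrows a PNG, JPEG or WAV header usually copies the magic number and nothing else, so a structural check on the trailer and size fields is a cheap way to surface such files on a host or file share. The sample file, its name and the `Test-MediaFileConsistency` function are constructed for this example.

```powershell
# Added example (not part of the project): checks whether a file with a PNG,
# JPEG or WAV extension is structurally what its header claims. A borrowed
# header usually copies only the magic number, so trailer and size fields
# are where such a file gives itself away.
function Test-MediaFileConsistency {
    param([Parameter(Mandatory)][string]$Path)
    $b     = [System.IO.File]::ReadAllBytes($Path)
    $ext   = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $ascii = [System.Text.Encoding]::ASCII
    $reasons = @()
    if ($ext -notin @('.png', '.jpg', '.jpeg', '.wav')) { return $null }   # not a type we check
    if ($b.Length -lt 16) { $reasons += 'too small to hold a valid header' }
    elseif ($ext -eq '.png') {
        # 8-byte signature, then the IHDR chunk (type field at offset 12),
        # and the IEND chunk type 8 bytes before the end of the file
        if ([BitConverter]::ToString($b, 0, 8) -ne '89-50-4E-47-0D-0A-1A-0A') { $reasons += 'PNG signature missing' }
        if ($ascii.GetString($b, 12, 4) -ne 'IHDR') { $reasons += 'IHDR chunk does not follow the signature' }
        if ($ascii.GetString($b, $b.Length - 8, 4) -ne 'IEND') { $reasons += 'IEND trailer missing' }
    }
    elseif ($ext -in @('.jpg', '.jpeg')) {
        # SOI marker FF D8 at the start, EOI marker FF D9 at the end
        if ([BitConverter]::ToString($b, 0, 2) -ne 'FF-D8') { $reasons += 'JPEG SOI marker missing' }
        if ([BitConverter]::ToString($b, $b.Length - 2, 2) -ne 'FF-D9') { $reasons += 'JPEG EOI marker missing' }
    }
    else {
        # RIFF header: "RIFF", little-endian chunk size (file length - 8), "WAVE"
        if ($ascii.GetString($b, 0, 4) -ne 'RIFF' -or $ascii.GetString($b, 8, 4) -ne 'WAVE') { $reasons += 'RIFF/WAVE header missing' }
        $riffSize = [BitConverter]::ToUInt32($b, 4)
        if ($riffSize -ne ($b.Length - 8)) { $reasons += "RIFF size field $riffSize does not match file length" }
    }
    [pscustomobject]@{
        Path       = $Path
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

# Constructed sample: a genuine PNG signature glued onto 64 bytes of filler,
# i.e. a file that satisfies a magic-number check and nothing else.
$sample = Join-Path $env:TEMP 'header-only.png'
$sig    = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
[System.IO.File]::WriteAllBytes($sample, [byte[]]($sig + [byte[]](@(0x41) * 64)))
Test-MediaFileConsistency -Path $sample | Format-List
Remove-Item -LiteralPath $sample

# Sweep a directory (replace <dir>):
# Get-ChildItem -Path <dir> -Recurse -File |
#   ForEach-Object { Test-MediaFileConsistency $_.FullName } | Where-Object Suspicious
```

The checks are deliberately loose (a truncated but legitimate image will also be flagged), so treat hits as leads for inspection rather than verdicts.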

Research shows that attackers can implement Windows kernel rootkits via various vectors. For instance, phishing emails can deliver malicious payloads that drop the rootkit without the user’s knowledge (AVG AntiVirus, 2020). In addition, compromised USB devices, exploitation of software vulnerabilities, and even malicious firmware implants serve as channels for injecting kernel-level code (BleepingComputer, 2024; di Pietro, Franzoni and Lombardi, 2016).

Companies counter these threats by employing robust built-in defenses such as Secure Boot, Kernel Patch Protection, and Virtualization-Based Security, which restrict unauthorized kernel modifications (Microsoft Learn, 2024). Moreover, advanced endpoint solutions leverage memory introspection and hypervisor-based monitoring to detect subtle kernel alterations. Initiatives like Microsoft’s Windows Resiliency Initiative are also driving a shift to enable antivirus processing outside kernel mode—reducing crash risks—and encouraging the use of memory-safe languages like Rust to minimize vulnerabilities (The Verge, 2024b).
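For the lab phase of the project, the first thing to record on each Windows VM is whether the protections named above are actually on, since a kernel-mode rootkit test means little against a host that has them disabled. The following audit script is added here as an illustration and is not from the project; it uses documented Windows cmdlets and WMI classes, and the function names `Get-KernelProtectionStatus` and `Get-UnverifiedKernelDrivers` are ours.

```powershell
# Added example (not part of the project): a read-only audit of the Windows
# protections named above, followed by a pass over loaded kernel drivers.
# Run from an elevated PowerShell on Windows 10/11. Kernel Patch Protection
# has no query interface; it is always on for 64-bit Windows and is not checked here.
function Get-KernelProtectionStatus {
    # Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'n/a (not UEFI or not elevated)' }

    # Win32_DeviceGuard reports VBS state. Documented codes:
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning: contains 2 when HVCI (memory integrity) is running
    #   CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        SecureBoot           = $secureBoot
        VbsRunning           = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRunning          = ($dg.SecurityServicesRunning -contains 2)
        KernelCiPolicyStatus = $dg.CodeIntegrityPolicyEnforcementStatus
    }
}

# Every running kernel driver should carry a valid Authenticode signature.
# Entries returned here are leads for a closer look, not verdicts: an older
# PowerShell build may report catalog-signed inbox drivers as NotSigned.
function Get-UnverifiedKernelDrivers {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the kernel-style paths WMI returns (\??\C:\..., \SystemRoot\..., system32\...)
            $p = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot $p }
            if (Test-Path -LiteralPath $p) {
                $sig = Get-AuthenticodeSignature -LiteralPath $p
                if ($sig.Status -ne 'Valid') {
                    [pscustomobject]@{ Name = $_.Name; Path = $p; SignatureStatus = $sig.Status }
                }
            }
        }
}

Get-KernelProtectionStatus | Format-List
Get-UnverifiedKernelDrivers | Format-Table -AutoSize
```

Running it before and after the simulated attack gives a baseline of driver signatures and protection state that the later security plan can reference.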

By integrating the MITRE ATT&CK framework with these insights on diverse attack vectors and comprehensive prevention measures, our study aims to create an updated matrix that reflects both historical and emerging vulnerabilities, enhancing detection and mitigation of sophisticated kernel-mode rootkit attacks.

 

References

AVG AntiVirus, 2020. Everything You Need to Know About Rootkits. https://www.avg.com/en/signal/what-is-rootkit

BleepingComputer, 2024. New Windows Driver Signature bypass allows kernel rootkit installs. https://www.bleepingcomputer.com/news/security/new-windows-driver-signature-bypass-allows-kernel-rootkit-installs/

di Pietro, R., Franzoni, F. and Lombardi, F., 2016. HyBIS: Windows Guest Protection through Advanced Memory Introspection. https://arxiv.org/abs/1601.05851

Microsoft Learn, 2024. Secure the Windows Boot Process. https://learn.microsoft.com/en-us/windows/security/operating-system-security/system-security/secure-the-windows-10-boot-process

The Verge, 2024b. Microsoft’s new Windows Resiliency Initiative aims to avoid another CrowdStrike incident. https://www.theverge.com/2024/11/19/24299873/microsoft-windows-resiliency-initiative-crowdstrike-incident

https://github.com/magna25/Attack-Lab 

https://www.fortinet.com/resources/cyberglossary/rootkit 

https://medium.com/@sebastienwebdev/arm-x86-rootkit-0dd7f498b36b 

https://khale.github.io/iit-csp544-s22-site/labs/sys-sec/rootkits/ 

https://www.darkreading.com/application-security/salt-typhoon-malware-arsenal-ghostspider 

https://www.broadcom.com/support/security-center/protection-bulletin/demodex-targeting-american-telecommunications 

https://www.cyberark.com/resources/threat-research-blog/fantastic-rootkits-and-where-to-find-them-part-1 

https://www.jaiminton.com/Tutorials/PracticalMalwareAnalysis/Chapter10/# 

https://augustomalnalysis.home.blog/2019/05/03/32-bit-windows-kernel-mode-rootkit-lab-setup-with-inetsim/ 

https://malwarepenguin.com/practical-malware-analysis-lab-10/ 

https://www.picussecurity.com/resource/blog/salt-typhoon-telecommunications-threat

https://www.spiceworks.com/it-security/cyber-risk-management/articles/what-is-a-disa-security-technical-implementation-guide/

https://public.cyber.mil/stigs/downloads/

https://attack.mitre.org/resources/

https://attack.mitre.org/mitigations/enterprise/