How hard can it be? Quantifying MITRE attack campaigns with attack trees and cATM logic

Stefano M. Nicoletti, Milan Lopuhaä-Zwakenberg, Mariëlle Stoelinga, Fabio Massacci, Carlos E. Budde
2024-10-19
Abstract: The landscape of cyber threats grows more complex by the day. Advanced Persistent Threats carry out systematic attack campaigns against which cybersecurity practitioners must defend. Examples of such organized attacks are operations Dream Job, Wocao, WannaCry or the SolarWinds Compromise. To evaluate which risks are most threatening, and which campaigns to prioritize against when defending, cybersecurity experts must be equipped with the right toolbox. In particular, they must be able to (a) obtain likelihood values for each attack campaign recorded in the wild and (b) reliably and transparently operationalize these values to carry out quantitative comparisons among campaigns. This will allow security experts to perform quantitatively-informed decision making that is transparent and accountable. In this paper we construct such a framework by: (1) quantifying the likelihood of attack campaigns via data-driven procedures on the MITRE knowledge base and (2) introducing a methodology for automatic modelling of MITRE intelligence data: this is complete in the sense that it captures any attack campaign via template attack tree models. (3) We further propose a computational framework to carry out these comparisons based on the cATM formal logic, and implement this in an open-source Python tool. Finally, we validate our approach by quantifying the likelihood of all MITRE campaigns, and comparing the likelihood of the Wocao and Dream Job MITRE campaigns -- generated with our proposed approach -- against "ad hoc" traditionally-built attack tree models, demonstrating how our methodology is substantially lighter in modelling effort, and still capable of capturing all the relevant quantitative data.
Cryptography and Security, Logic in Computer Science
What problem does this paper attempt to address?
The core problem this paper addresses is: **how to quantify the likelihood of the attack campaigns recorded in the MITRE ATT&CK knowledge base, and how to provide a systematic method for quantitatively comparing those campaigns, so that cybersecurity experts can make transparent and well-founded decisions**.

Specifically, the paper targets two gaps:

1. **No flexible method for extracting likelihood data from MITRE ATT&CK.** There is currently no simple and effective way to extract fine-grained probability data from MITRE ATT&CK in order to estimate how likely a given attack campaign is.
2. **No general method for formally modelling and querying an arbitrary campaign recorded in MITRE.** There is no comprehensive way to formally model and query every campaign in the knowledge base for structured analysis and comparison.

To close these gaps, the authors propose a formal framework built on MITRE's public resources, which:

- quantifies the likelihood of attack techniques with a data-driven procedure;
- uses these likelihood values to build formal models (attack trees) on which campaigns can be compared quantitatively, via the cATM logic;
- provides automated tooling (an open-source Python tool) to generate template attack trees, reducing the manual modelling effort.

The authors also validate the approach on real cases: the likelihood of all MITRE campaigns is computed, and the automatically generated template attack trees for the "Wocao" and "Dream Job" campaigns are compared against traditionally hand-built attack tree models, showing that the new method needs substantially less modelling effort while still capturing the relevant quantitative data.
### Formula Representation

One of the key formulas in the paper is the **conditional probability of a technique given a tactic**:

\[ p(E \mid A)=\frac{\sum_{C\in\mathcal{C}} 1_{C[A]}(E)}{|\mathcal{A}^{\downarrow}|} \]

where \(E\) is an attack technique, \(A\) is a tactic (tactical objective), \(\mathcal{C}\) is the set of recorded campaigns, \(C[A]\) is the set of techniques that campaign \(C\) used to achieve tactic \(A\), \(1_{C[A]}(E)\) is the indicator function that equals 1 if \(E \in C[A]\) and 0 otherwise, and \(\mathcal{A}^{\downarrow}\) is the multiset of techniques used to achieve tactic \(A\) across all campaigns. The numerator therefore counts the campaigns in which \(E\) was used for \(A\), and the denominator counts the total number of technique uses recorded for \(A\). Note the edge case: if no campaign recorded any technique for a tactic, the ratio is 0/0 and the estimate is undefined, not zero.

Through these formulas and methods, the paper provides a systematic and automated way for cybersecurity experts to better understand and respond to complex cyber threats.
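The following Python snippet is an added example for this page; it is not the authors' open-source tool and does not reproduce the cATM logic. It implements the \(p(E \mid A)\) estimate above over a constructed five-campaign corpus (technique and tactic identifiers follow the ATT&CK naming style, but every campaign-to-technique assignment is invented), then scores each campaign with a template attack tree whose shape is an assumption made here: an AND over the tactics the campaign used, each tactic an OR over the techniques used for it, leaves carrying the corpus-wide estimate. It also handles the 0/0 case by refusing to return an estimate.

```python
"""Data-driven estimation of p(E|A) from a small constructed campaign corpus,
plus a template attack tree scored from those estimates.

Added example for this page; it is NOT the authors' open-source tool. The
campaign data and the tree shape below are assumptions made for illustration.
"""
from collections import Counter
from math import prod

# Constructed sample corpus: campaign -> tactic -> set of techniques used for
# that tactic. IDs follow the ATT&CK naming scheme, but the assignments are
# invented for this example and are not taken from MITRE's data.
CAMPAIGNS = {
    "C-A": {"initial-access": {"T1566", "T1190"}, "execution": {"T1059"}},
    "C-B": {"initial-access": {"T1566"}, "execution": {"T1059", "T1204"}},
    "C-C": {"initial-access": {"T1190"}, "execution": {"T1204"}},
    "C-D": {"initial-access": {"T1566"}, "execution": {"T1059"}},
    "C-E": {"initial-access": {"T1566"}, "execution": {"T1204"}},
}


def tactic_multiset(campaigns, tactic):
    """A-down-arrow: the multiset of technique uses recorded for `tactic`.

    Each campaign contributes a technique at most once per tactic (C[A] is a
    set), so a technique's count equals the number of campaigns that used it
    for this tactic, i.e. the sum of the indicator 1_{C[A]}(E) over C.
    """
    bag = Counter()
    for tactics in campaigns.values():
        bag.update(tactics.get(tactic, ()))
    return bag


def p_technique_given_tactic(campaigns, technique, tactic):
    """p(E|A) = (number of campaigns using E for A) / |A-down-arrow|."""
    bag = tactic_multiset(campaigns, tactic)
    total = sum(bag.values())
    if total == 0:
        # 0/0: no campaign recorded any technique for this tactic, so there
        # is no estimate. Raising is safer than silently returning 0.0.
        raise ValueError(f"no recorded technique uses for tactic {tactic!r}")
    return bag[technique] / total


def template_tree(campaigns, name):
    """Build a template attack tree for one campaign.

    Assumed shape (an assumption of this example, not the paper's exact
    construction): the campaign is an AND over the tactics it used, each
    tactic is an OR over the techniques used for it, and each leaf carries
    p(E|A) estimated from the whole corpus.
    """
    tactic_nodes = []
    for tactic, techniques in sorted(campaigns[name].items()):
        leaves = [("LEAF", p_technique_given_tactic(campaigns, t, tactic))
                  for t in sorted(techniques)]
        tactic_nodes.append(("OR", leaves))
    return ("AND", tactic_nodes)


def likelihood(node):
    """Score a tree treating leaf events as independent: AND multiplies,
    OR is one minus the probability that every child fails."""
    kind, payload = node
    if kind == "LEAF":
        return payload
    children = [likelihood(child) for child in payload]
    if kind == "AND":
        return prod(children)
    if kind == "OR":
        return 1.0 - prod(1.0 - p for p in children)
    raise ValueError(f"unknown node kind {kind!r}")


def rank_campaigns(campaigns):
    """(score, name) pairs from most to least likely under the template trees."""
    scored = [(likelihood(template_tree(campaigns, n)), n) for n in campaigns]
    return sorted(scored, key=lambda pair: pair[0], reverse=True)


if __name__ == "__main__":
    for tactic in ("initial-access", "execution"):
        for technique in sorted(tactic_multiset(CAMPAIGNS, tactic)):
            p = p_technique_given_tactic(CAMPAIGNS, technique, tactic)
            print(f"p({technique} | {tactic}) = {p:.3f}")
    for score, name in rank_campaigns(CAMPAIGNS):
        print(f"{name}: {score:.3f}")
```

On this corpus T1566 is used for initial access by four of six recorded uses, so \(p(\text{T1566} \mid \text{initial-access}) = 4/6\), and C-B ranks highest because it has two alternatives for execution while the single-technique campaign C-C ranks lowest. The independence assumption in `likelihood` is the usual attack-tree simplification and is part of this example, not something the page establishes about the cATM computation; and a tactic with no recorded uses raises rather than being scored as impossible, which is the 0/0 caveat noted above.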