Md Rayhanur Rahman,Laurie Williams

DOI: https://doi.org/10.48550/arXiv.2211.06495

2022-11-12

Abstract:Cyberattacks use adversarial techniques to bypass system defenses, persist, and eventually breach systems. The MITRE ATT\&CK framework catalogs a set of adversarial techniques and maps between adversaries and their used techniques and tactics. Understanding how adversaries deploy techniques in conjunction is pivotal for learning adversary behavior, hunting potential threats, and formulating a proactive defense. The goal of this research is to aid cybersecurity practitioners and researchers in choosing detection and mitigation strategies through co-occurrence analysis of adversarial techniques reported in MITRE ATT&CK. We collect the adversarial techniques of 115 cybercrime groups and 484 malware from the MITRE ATT\&CK. We apply association rule mining and network analysis to investigate how adversarial techniques co-occur. We identify that adversaries pair T1059: Command and scripting interface and T1105: Ingress tool transfer techniques with a relatively large number of ATT\&CK techniques. We also identify adversaries using the T1082: System Information Discovery technique to determine their next course of action. We observe adversaries deploy the highest number of techniques from the TA0005: Defense evasion and TA0007: Discovery tactics. Based on our findings on co-occurrence, we identify six detection, six mitigation strategies, and twelve adversary behaviors. We urge defenders to prioritize primarily the detection of TA0007: Discovery and mitigation of TA0005: Defense evasion techniques. Overall, this study approximates how adversaries leverage techniques based on publicly reported documents. We advocate organizations investigate adversarial techniques in their environment and make the findings available for a more precise and actionable understanding.

Cryptography and Security

Bader Al-Sada,Alireza Sadighian,Gabriele Oligeri

DOI: https://doi.org/10.1145/3687300

IF: 16.6

2024-10-09

ACM Computing Surveys

Abstract:MITRE ATT&CK is a comprehensive framework of adversary tactics, techniques, and procedures based on real-world observations. It has been used as a foundation for threat modeling in different sectors, such as government, academia, and industry. To the best of our knowledge, no previous work has been devoted to the comprehensive collection, study, and investigation of the current state of the art leveraging the MITRE ATT&CK framework. We select and inspect more than 50 major research contributions, while conducting a detailed analysis of their methodology and objectives in relation to the MITRE ATT&CK framework. We provide a categorization of the identified papers according to different criteria such as use cases, application scenarios, adopted methodologies, and the use of additional data. Finally, we discuss open issues and future research directions involving not only the MITRE ATT&CK framework but also the fields of threat analysis, threat modeling, and in general cyber-threat intelligence.

computer science, theory & methods

Md Rayhanur Rahman,Setu Kumar Basak,Rezvan Mahdavi Hezaveh,Laurie Williams

2024-01-04

Abstract:Context: Cybersecurity vendors often publish cyber threat intelligence (CTI) reports, referring to the written artifacts on technical and forensic analysis of the techniques used by the malware in APT attacks. Objective: The goal of this research is to inform cybersecurity practitioners about how adversaries form cyberattacks through an analysis of adversarial techniques documented in cyberthreat intelligence reports. Dataset: We use 594 adversarial techniques cataloged in MITRE ATT\&CK. We systematically construct a set of 667 CTI reports that MITRE ATT\&CK used as citations in the descriptions of the cataloged adversarial techniques. Methodology: We analyze the frequency and trend of adversarial techniques, followed by a qualitative analysis of the implementation of techniques. Next, we perform association rule mining to identify pairs of techniques recurring in APT attacks. We then perform qualitative analysis to identify the underlying relations among the techniques in the recurring pairs. Findings: The set of 667 CTI reports documents 10,370 techniques in total, and we identify 19 prevalent techniques accounting for 37.3\% of documented techniques. We also identify 425 statistically significant recurring pairs and seven types of relations among the techniques in these pairs. The top three among the seven relationships suggest that techniques used by the malware inter-relate with one another in terms of (a) abusing or affecting the same system assets, (b) executing in sequences, and (c) overlapping in their implementations. Overall, the study quantifies how adversaries leverage techniques through malware in APT attacks based on publicly reported documents. We advocate organizations prioritize their defense against the identified prevalent techniques and actively hunt for potential malicious intrusion based on the identified pairs of techniques.

Cryptography and Security

Vasileios Mavroeidis,Ryan Hohimer,Tim Casey,Audun Jøsang

DOI: https://doi.org/10.23919/CyCon51939.2021.9468305

2021-09-20

Abstract:As the cyber threat landscape is constantly becoming increasingly complex and polymorphic, the more critical it becomes to understand the enemy and its modus operandi for anticipatory threat reduction. Even though the cyber security community has developed a certain maturity in describing and sharing technical indicators for informing defense components, we still struggle with non-uniform, unstructured, and ambiguous higher-level information, such as the threat actor context, thereby limiting our ability to correlate with different sources to derive more contextual, accurate, and relevant intelligence. We see the need to overcome this limitation in order to increase our ability to produce and better operationalize cyber threat intelligence. Our research demonstrates how commonly agreed upon controlled vocabularies for characterizing threat actors and their operations can be used to enrich cyber threat intelligence and infer new information at a higher contextual level that is explicable and queryable. In particular, we present an ontological approach to automatically inferring the types of threat actors based on their personas, understanding their nature, and capturing polymorphism and changes in their behavior and characteristics over time. Such an approach not only enables interoperability by providing a structured way and means for sharing highly contextual cyber threat intelligence but also derives new information at machine speed and minimizes cognitive biases that manual classification approaches entail.

Cryptography and Security

Nataliya D Brantly,Aaron F. Brantly

DOI: https://doi.org/10.1080/02684527.2024.2321693

2024-02-28

Abstract:ABSTRACT The Russian war on Ukraine presents a multifaceted landscape for the analysis of the cyber dimensions of contemporary war and their strategic, operational, and tactical impacts. While the long-anticipated disabling and devastating cyber blitzkrieg did not happen at the beginning of the full-scale Russian invasion of Ukraine in February 2022, the persistent utilization of a variety of cyber tools by both sides in this war points to the hybrid warfare strategy taking place not only on the ground but also in cyberspace. Cyberattacks on Ukrainian critical infrastructure, governmental entities and different parts of the economy have been a constant feature in Ukraine’s struggle to maintain its national security. These cyberattacks had a varying level of success. Yet, their role in the Russia–Ukraine war is still not fully understood or extensively studied. This work analyses cyber incidents from the first period of conflict, starting in November 2013 until 23 February 2022, and examines their objective and subjective impacts at the domestic and the international levels. This work also reviews the post-escalation period starting from 24 February 2022, using the data collected directly from the publicly available Ukrainian governmental sources and international cyber firms. This work aims to address the role and impact of cyber operations in an ongoing Russia–Ukraine war on both the people, networked systems, and other physical contests of warfare and the soldiers in the trenches is the principal subject of this article.

Political Science,Computer Science

Stefano M. Nicoletti,Milan Lopuhaä-Zwakenberg,Mariëlle Stoelinga,Fabio Massacci,Carlos E. Budde

2024-10-19

Abstract:The landscape of cyber threats grows more complex by the day. Advanced Persistent Threats carry out systematic attack campaigns against which cybersecurity practitioners must defend. Examples of such organized attacks are operations Dream Job, Wocao, WannaCry or the SolarWinds Compromise. To evaluate which risks are most threatening, and which campaigns to prioritize against when defending, cybersecurity experts must be equipped with the right toolbox. In particular, they must be able to (a) obtain likelihood values for each attack campaign recorded in the wild and (b) reliably and transparently operationalize these values to carry out quantitative comparisons among campaigns. This will allow security experts to perform quantitatively-informed decision making that is transparent and accountable. In this paper we construct such a framework by: (1) quantifying the likelihood of attack campaigns via data-driven procedures on the MITRE knowledge base and (2) introducing a methodology for automatic modelling of MITRE intelligence data: this is complete in the sense that it captures any attack campaign via template attack tree models. (3) We further propose a computational framework to carry out this comparisons based on the cATM formal logic, and implement this into an open-source Python tool. Finally, we validate our approach by quantifying the likelihood of all MITRE campaigns, and comparing the likelihood of the Wocao and Dream Job MITRE campaigns -- generated with our proposed approach -- against "ad hoc" traditionally-built attack tree models, demonstrating how our methodology is substantially lighter in modelling effort, and still capable of capturing all the quantitative relevant data.

Cryptography and Security,Logic in Computer Science

Ming Liu,Zhi Xue,Xiangjian He,Jinjun Chen

DOI: https://doi.org/10.1109/mce.2019.2892220

2019-01-01

IEEE Consumer Electronics Magazine

Abstract:The term cyberthreat intelligence (CTI) is widespread and gaining much attention in the area of the Internet of Things (IoT), as CTI has shown capabilities regarding the defense of advanced persistent threats (APTs). The key component of CTI is the sharing of threat information, which conventionally was a time-consuming manual process.

Tim Ackermann,Markus Karch,Jörg Kippe

DOI: https://doi.org/10.1515/auto-2023-0057

2023-09-09

at - Automatisierungstechnik

Abstract:With the increasing frequency of cyberattacks on Industrial Control Systems (ICS), the subject of cybersecurity is becoming increasingly important. Cyber Threat Intelligence (CTI) provides information about cyber adversaries, including their intentions and attack techniques. This paper analyzes the availability of open-source CTI for ICS, with a particular focus on technical indicators that can aid in detecting cyberattacks. Furthermore, this paper examines the automated integration of CTI data into SIEM systems and introduces CTIExchange as a tool that facilitates this integration by connecting Threat Intelligence Platforms with detection tools.

automation & control systems

Anna Georgiadou,Spiros Mouzakitis,Dimitris Askounis

DOI: https://doi.org/10.3390/s21093267

IF: 3.9

2021-05-09

Sensors

Abstract:The MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) Framework provides a rich and actionable repository of adversarial tactics, techniques, and procedures. Its innovative approach has been broadly welcomed by both vendors and enterprise customers in the industry. Its usage extends from adversary emulation, red teaming, behavioral analytics development to a defensive gap and SOC (Security Operations Center) maturity assessment. While extensive research has been done on analyzing specific attacks or specific organizational culture and human behavior factors leading to such attacks, a holistic view on the association of both is currently missing. In this paper, we present our research results on associating a comprehensive set of organizational and individual culture factors (as described on our developed cyber-security culture framework) with security vulnerabilities mapped to specific adversary behavior and patterns utilizing the MITRE ATT&CK framework. Thus, exploiting MITRE ATT&CK’s possibilities towards a scientific direction that has not yet been explored: security assessment and defensive design, a step prior to its current application domain. The suggested cyber-security culture framework was originally designed to aim at critical infrastructures and, more specifically, the energy sector. Organizations of these domains exhibit a co-existence and strong interaction of the IT (Information Technology) and OT (Operational Technology) networks. As a result, we emphasize our scientific effort on the hybrid MITRE ATT&CK for Enterprise and ICS (Industrial Control Systems) model as a broader and more holistic approach. The results of our research can be utilized in an extensive set of applications, including the efficient organization of security procedures as well as enhancing security readiness evaluation results by providing more insights into imminent threats and security risks.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Peng Gao,Fei Shao,Xiaoyuan Liu,Xusheng Xiao,Zheng Qin,Fengyuan Xu,Prateek Mittal,Sanjeev R. Kulkarni,Dawn Song

DOI: https://doi.org/10.1109/icde51399.2021.00024

2020-01-01

Abstract:Log-based cyber threat hunting has emerged as an important solution to counter sophisticated attacks. However, existing approaches require non-trivial efforts of manual query construction and have overlooked the rich external threat knowledge provided by open-source Cyber Threat Intelligence (OSCTI). To bridge the gap, we propose ThreatRaptor, a system that facilitates threat hunting in computer systems using OSCTI. Built upon system auditing frameworks, ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, (3) a query synthesis mechanism that automatically synthesizes a TBQL query for hunting, and (4) an efficient query execution engine to search the big audit logging data. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.

Zahra Jadidi,Yi Lu

DOI: https://doi.org/10.1109/access.2021.3133260

IF: 3.9

2021-01-01

IEEE Access

Abstract:An Industrial Control System (ICS) adversary often takes different actions to exploit vulnerabilities, pass the border between Information Technology (IT) and Operational Technology (OT) networks, and launch a targeted attack against OT networks. Detecting these threat actions in early phases before the final stage of the attacks can be executed against industrial endpoints can help prevent adversaries from achieving their goals. Threat hunting in IT networks has been previously studied, and several hunting methods have been proposed. However, these methods are not sufficient for ICSs, as the integration of industrial legacy systems with advanced IT networks has introduced new types of vulnerabilities and changed the behaviour of attacks. The lack of a unified hunting solution for integrated IT and OT networks is the gap that is considered in our paper. The contribution of this paper is an ICS Threat Hunting Framework (ICS-THF) which focuses on detecting cyber threats against ICS devices in the earliest phases of the attack lifecycle. ICS-THF consists of three stages, threat hunting triggers, threat hunting, and cyber threat intelligence. The threat hunting trigger stage identifies events or external resources that can trigger the hunting stage. The hunting stage uses a combination of the MITRE ATT&CK Matrix and a Diamond model of intrusion analysis to generate a hunting hypothesis and to predict the future behaviour of the adversary. This hypothesis will be validated by analysing Diamond models of threat actions. Finally, the cyber threat intelligence stage is responsible for generating Indicators of Compromise (IoCs) to be used for future threat hunting. The Black Energy 3 malware, PLC-Blaster malware, and SWaT dataset are used in this paper to evaluate the efficiency of the proposed framework.

Lingzi Li,Cheng Huang,Junren Chen

DOI: https://doi.org/10.1016/j.cose.2024.103815

IF: 5.105

2024-03-27

Computers & Security

Abstract:As cyber attacks are growing, Cyber Threat Intelligence (CTI) enhances the ability of security systems to resist novel cyber threats. However, since most CTI is unstructured data written in natural language, it needs to be understood and summarized by security experts to be effectively utilized. To address the problem, we adopt the ATT&CK matrix as the taxonomy to propose a method for automated mapping of unstructured threat intelligence to tactics and techniques. The proposed method contains a pre-processor for text denoising, a label extractor for classifying which tactics and techniques category the text belongs to, and a post-processor for correcting the classification results. The label extractor consists of two multi-label classifiers based on DistilBERT for tactics and techniques classification respectively. The post-processor corrects the classification results based on the relations between tactics, techniques, and sub-techniques in the matrix, eliminating errors caused by the independence between categories. In the evaluation, we collect the text data from the ATT&CK knowledge base and real cyber threat reports to build an experiment dataset, which contains 26,602 sentence samples. We apply the proposed method to the dataset to verify its effectiveness. The results show that the proposed method can accurately retrieve tactics and techniques with F0.5 score of 85.50% and 75.17% respectively, which outperforms the baseline method by about 10%.

computer science, information systems

Erik Hemberg,Jonathan Kelly,Michal Shlapentokh-Rothman,Bryn Reinstadler,Katherine Xu,Nick Rutar,Una-May O'Reilly

DOI: https://doi.org/10.48550/arXiv.2010.00533

2021-02-11

Abstract:Many public sources of cyber threat and vulnerability information exist to help defend cyber systems. This paper links MITRE's ATT&CK MATRIX of Tactics and Techniques, NIST's Common Weakness Enumerations (CWE), Common Vulnerabilities and Exposures (CVE), and Common Attack Pattern Enumeration and Classification list (CAPEC), to gain further insight from alerts, threats and vulnerabilities. We preserve all entries and relations of the sources, while enabling bi-directional, relational path tracing within an aggregate data graph called BRON. In one example, we use BRON to enhance the information derived from a list of the top 10 most frequently exploited CVEs. We identify attack patterns, tactics, and techniques that exploit these CVEs and also uncover a disparity in how much linked information exists for each of these CVEs. This prompts us to further inventory BRON's collection of sources to provide a view of the extent and range of the coverage and blind spots of public data sources.

Cryptography and Security

Alexandros Papanikolaou,Aggelos Alevizopoulos,Christos Ilioudis,Konstantinos Demertzis,Konstantinos Rantos

DOI: https://doi.org/10.48550/arXiv.2301.03445

2023-01-09

Abstract:Developing intelligent, interoperable Cyber Threat Information (CTI) sharing technologies can help build strong defences against modern cyber threats. CTIs allow the community to share information about cybercriminals' threats and vulnerabilities and countermeasures to defend themselves or detect malicious activity. A crucial need for success is that the data connected to cyber risks be understandable, organized, and of good quality. The receiving parties may grasp its content and utilize it effectively. This article describes an innovative cyber threat intelligence management platform (CTIMP) for industrial environments, one of the Cyber-pi project's significant elements. The suggested architecture, in particular, uses cyber knowledge from trusted public sources and integrates it with relevant information from the organization's supervised infrastructure in an entirely interoperable and intelligent way. When combined with an advanced visualization mechanism and user interface, the services mentioned above provide administrators with the situational awareness they require while also allowing for extended cooperation, intelligent selection of advanced coping strategies, and a set of automated self-healing rules for dealing with threats.

Cryptography and Security

Susan Snyman

DOI: https://doi.org/10.25159/2663-6689/15567

2024-10-01

Politeia

Abstract:Purpose: The war in Ukraine brought attention to “new” tactics on the battlefield—namely cyber warfare. It is attracting increased attention from media and civilians, enabling civilians from countries outside of Ukraine to help fight for Ukraine. The impact of cyber warfare on kinetic war efforts is not well understood. Methodology: Secondary data were collected, which included verified reports of cyber interventions in support of either party to the Russian-Ukraine war. Various cyber interventions are discussed in terms of the type of intervention, modus operandi, and potential effect. All data have been published in English by credible sources. The effect of cyber interventions will be analysed to determine their potential impact on states that are party to an asymmetrical war. Findings: Cyber warfare can potentially act as a force multiplier in kinetic efforts through actionable intelligence collected. Currently, the effect of cyber warfare seems to be negligible, as neither party to the Russian-Ukraine war effort has achieved its political ideologies. In fact, the use of drones has brought about an escalation in violence. Implications: A better understanding of cyber interventions and more effective application of these in a kinetic war could potentially aid a nation-state in achieving its ideological objectives faster, thereby reducing the intensity of the negative socioeconomic impact on nation-states not party to the conflict. Current scholarly debates about cyber warfare view the impact of cyber interventions in a kinetic effort as negligible. This article will point to a linchpin that could change the current opinion of scholars.

Svitlana Lehominova,Halyna Haidur

DOI: https://doi.org/10.28925/2663-4023.2023.22.5467

2023-01-01

Abstract:Taking into account the process of complication of the geopolitical and geoeconomic landscape space, the development of information technologies and the formation of new security challenges associated with the emergence of new cyber threats, there is a need for constant monitoring and forecasting of them in order to prevent consequences in the form of damage and leakage of valuable and confidential information. The authors analyzed the new predictable cyber security threats to organizations, with special attention paid to the protection of endpoints. Threats identified in the field of artificial intelligence development (underground development of malicious Large Language Models (LLM); “Script Kiddies” update; voice fraud for social engineering, which is created by artificial intelligence); changing trends in the behavior of threat actors (attacks on supply chains against managed file transfer solutions, malware threats that are becoming multilingual); as new emerging threats and attack methods (growing QR code rivalry; stealth attacks on peripheral devices; Python implementation in Excel creating a potentially new vector for attacks; LOL drivers changing action algorithms). The resulting detection of future threats emphasizes the need for strategic planning for the adoption of new technologies and platforms: such as Endpoint Detection and Response (EDR) capabilities, as well as the use of EDR as part of a multi-instrumented enhanced detection and response (XDR) architecture. Gartner’s research has been proven to have a tremendous impact on improving organizations’ threat detection capabilities by providing valuable insight into the strengths and weaknesses of each cybersecurity service provider with respect to emerging threat intelligence, by focusing organizations’ attention on opportunities to identify gaps in their existing security infrastructure and adopt sound decisions to invest in additional solutions or services that effectively address these gaps. The spheres of activity of the world’s leading companies were analyzed, their connection with Ukrainian companies was found, and further cooperation was proposed for the effective protection of national cyberspace.

Yonghyun Jo,Oongjae Choi,Jiwoon You,Youngkyun Cha,Dong Hoon Lee

DOI: https://doi.org/10.3390/s22051860

IF: 3.9

2022-02-26

Sensors

Abstract:Cybersecurity is important on ships that use information and communication technology. On such ships, the work, control, and sensor systems are connected for steering, navigation, and cargo management inside the hull, and a cyberattack can have physical consequences such as sinking and crashing. Research on ship cybersecurity is a new challenge, and related studies are lacking. Cyberattack models can provide better insight. With this study, we aim to introduce a cyberattack analysis method based on the MITRE ATT&CK framework so that a cyberattack model for ships can be established. In addition, we identify the characteristics of the attack phase by analyzing cases of hacking and vulnerability research for ship systems using tactics, techniques, and procedures, and suggest the minimum measures essential for defense. Using the ship cyberattack model, we aim to identify the characteristics of the systems used for ship navigation, communication, and control; provide an understanding of the threats and vulnerabilities; and suggest mitigation measures through the proposed model. We believe the results of this study could guide future research.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Md Rayhanur Rahman,Rezvan Mahdavi-Hezaveh,Laurie Williams

DOI: https://doi.org/10.48550/arXiv.2109.06808

2021-09-14

Cryptography and Security

Abstract:Cybersecurity researchers have contributed to the automated extraction of CTI from textual sources, such as threat reports and online articles, where cyberattack strategies, procedures, and tools are described. The goal of this article is to aid cybersecurity researchers understand the current techniques used for cyberthreat intelligence extraction from text through a survey of relevant studies in the literature. We systematically collect "CTI extraction from text"-related studies from the literature and categorize the CTI extraction purposes. We propose a CTI extraction pipeline abstracted from these studies. We identify the data sources, techniques, and CTI sharing formats utilized in the context of the proposed pipeline. Our work finds ten types of extraction purposes, such as extraction indicators of compromise extraction, TTPs (tactics, techniques, procedures of attack), and cybersecurity keywords. We also identify seven types of textual sources for CTI extraction, and textual data obtained from hacker forums, threat reports, social media posts, and online news articles have been used by almost 90% of the studies. Natural language processing along with both supervised and unsupervised machine learning techniques such as named entity recognition, topic modelling, dependency parsing, supervised classification, and clustering are used for CTI extraction. We observe the technical challenges associated with these studies related to obtaining available clean, labelled data which could assure replication, validation, and further extension of the studies. As we find the studies focusing on CTI information extraction from text, we advocate for building upon the current CTI extraction work to help cybersecurity practitioners with proactive decision making such as threat prioritization, automated threat modelling to utilize knowledge from past cybersecurity incidents.

Valentine Legoy,Marco Caselli,Christin Seifert,Andreas Peter

DOI: https://doi.org/10.48550/arXiv.2004.14322

2020-04-29

Cryptography and Security

Abstract:Over the last years, threat intelligence sharing has steadily grown, leading cybersecurity professionals to access increasingly larger amounts of heterogeneous data. Among those, cyber attacks' Tactics, Techniques and Procedures (TTPs) have proven to be particularly valuable to characterize threat actors' behaviors and, thus, improve defensive countermeasures. Unfortunately, this information is often hidden within human-readable textual reports and must be extracted manually. In this paper, we evaluate several classification approaches to automatically retrieve TTPs from unstructured text. To implement these approaches, we take advantage of the MITRE ATT&CK framework, an open knowledge base of adversarial tactics and techniques, to train classifiers and label results. Finally, we present rcATT, a tool built on top of our findings and freely distributed to the security community to support cyber threat report automated analysis.