Abstract
Modern information systems generate large volumes of events, and analysing those events makes it possible to detect malicious activity within the system. Many event correlation techniques exist for detecting cyber security incidents and different types of cyber attacks, and many techniques exist for modeling multi-step attacks. At the same time, most modern security event management solutions cannot map a detected security incident to the specific stage of a targeted multi-step cyber attack, forecast the next steps of that attack, or select proactive responses automatically. In this paper a technique for mapping detected incidents to the stages of targeted cyber attacks is proposed. The technique is based on the "Emerging Threats" correlation rule set, used to correlate events into cyber security incidents, and on the "Targeted Attack Analyzer (Indicators of Attack)" rule set, which describes security incidents (signatures) in the Sigma language and is integrated with the MITRE ATT&CK knowledge base. The developed technique maps the events detected in the system under analysis to MITRE ATT&CK attack patterns and, in prospect, supports forecasting the development of a targeted cyber attack and responding automatically to the detected cyber security incidents. The technique is implemented in Python and tested in a deployed test environment to demonstrate the mapping of detected incidents to known attack patterns.
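The abstract describes the core of the technique: incidents are matched against Sigma rules whose `attack.*` tags name the MITRE ATT&CK tactic and technique, and the tagged hits are then placed on the tactic sequence to see how far a multi-step attack has progressed. The following is an added example illustrating that idea; it is not code from the paper or from the Targeted Attack Analyzer rule set. The two Sigma-style rules and the three events are constructed, the matcher supports only a flat `selection` block with exact, `contains` and `endswith` field matches (a small subset of real Sigma), and "next expected stage" is simply the next tactic in ATT&CK matrix order, which is an assumption made here for illustration rather than the paper's forecasting method.

```python
"""Map detected events to MITRE ATT&CK techniques through Sigma-style tags and
order the hits along the ATT&CK tactic sequence.

Added example, not code from the paper. Rules, events and the "next stage"
heuristic are constructed assumptions for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ATT&CK Enterprise tactics in matrix order; used here only to sort detected
# techniques into attack stages and to name the next stage not yet observed.
TACTIC_ORDER = [
    "reconnaissance", "resource_development", "initial_access", "execution",
    "persistence", "privilege_escalation", "defense_evasion",
    "credential_access", "discovery", "lateral_movement", "collection",
    "command_and_control", "exfiltration", "impact",
]

# Sigma technique tags look like "attack.t1059.001"; tactic tags like "attack.execution".
_TECHNIQUE_TAG = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$", re.IGNORECASE)


@dataclass
class SigmaRule:
    title: str
    logsource: dict          # e.g. {"product": "windows", "category": "process_creation"}
    selection: dict          # field[|modifier] -> value or list of values
    tags: list[str] = field(default_factory=list)

    def techniques(self) -> list[str]:
        return [m.group(1).upper() for t in self.tags if (m := _TECHNIQUE_TAG.match(t))]

    def tactics(self) -> list[str]:
        return [t.split(".", 1)[1] for t in self.tags
                if t.startswith("attack.") and not _TECHNIQUE_TAG.match(t)]

    def matches(self, event: dict) -> bool:
        # The event must come from the log source the rule was written for.
        if any(event.get(k) != v for k, v in self.logsource.items()):
            return False
        # Every selection field must match (Sigma's implicit AND inside a map).
        for fld, expected in self.selection.items():
            name, _, modifier = fld.partition("|")
            value = str(event.get(name, "")).lower()
            candidates = [str(c).lower() for c in (expected if isinstance(expected, list) else [expected])]
            if modifier == "contains":
                ok = any(c in value for c in candidates)
            elif modifier == "endswith":
                ok = any(value.endswith(c) for c in candidates)
            else:
                ok = value in candidates
            if not ok:
                return False
        return True


# Constructed rules in the spirit of the IOA rule set (not the real rules).
RULES = [
    SigmaRule(
        title="Encoded PowerShell Command Line",
        logsource={"product": "windows", "category": "process_creation"},
        selection={"Image|endswith": "\\powershell.exe",
                   "CommandLine|contains": ["-enc", "-encodedcommand"]},
        tags=["attack.execution", "attack.t1059.001"],
    ),
    SigmaRule(
        title="LSASS Memory Access",
        logsource={"product": "windows", "category": "process_access"},
        selection={"TargetImage|endswith": "\\lsass.exe"},
        tags=["attack.credential_access", "attack.t1003.001"],
    ),
]

# Constructed sample events (normalised Sysmon-like records).
EVENTS = [
    {"product": "windows", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgA"},
    {"product": "windows", "category": "process_creation",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"product": "windows", "category": "process_access",
     "SourceImage": "C:\\Temp\\dumper.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
]


def map_events(events: list[dict], rules: list[SigmaRule]) -> list[dict]:
    """Return one hit per (event, rule) match with its ATT&CK technique and tactic tags."""
    return [{"event": i, "rule": r.title, "techniques": r.techniques(), "tactics": r.tactics()}
            for i, ev in enumerate(events) for r in rules if r.matches(ev)]


def attack_progress(hits: list[dict]) -> tuple[list[str], str | None]:
    """Tactics reached so far in matrix order, plus the next tactic not yet observed
    (constructed heuristic: the tactic following the furthest one reached)."""
    reached = sorted({t for h in hits for t in h["tactics"] if t in TACTIC_ORDER},
                     key=TACTIC_ORDER.index)
    if not reached:
        return [], TACTIC_ORDER[0]
    last = TACTIC_ORDER.index(reached[-1])
    return reached, (TACTIC_ORDER[last + 1] if last + 1 < len(TACTIC_ORDER) else None)


if __name__ == "__main__":
    hits = map_events(EVENTS, RULES)
    for h in hits:
        print(f"event {h['event']}: {h['rule']} -> {h['techniques']} ({h['tactics']})")
    print("progress:", attack_progress(hits))
```

Running the block reports the PowerShell event as T1059.001 (execution) and the LSASS access as T1003.001 (credential_access), skips the benign notepad event, and names discovery as the next stage to watch for. A real deployment would replace the toy matcher with a full Sigma backend and take the tactic ordering from the attack model rather than from matrix order.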
Funding
This research is being supported by the grant of RSF #21-71-20078 in SPC RAS.
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Kryukov, R., Zima, V., Fedorchenko, E., Novikova, E., Kotenko, I. (2022). Mapping the Security Events to the MITRE ATT&CK Attack Patterns to Forecast Attack Propagation (Extended Abstract). In: Li, W., Furnell, S., Meng, W. (eds) Attacks and Defenses for the Internet-of-Things. ADIoT 2022. Lecture Notes in Computer Science, vol 13745. Springer, Cham. https://doi.org/10.1007/978-3-031-21311-3_10
DOI: https://doi.org/10.1007/978-3-031-21311-3_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-21310-6
Online ISBN: 978-3-031-21311-3
eBook Packages: Computer Science (R0)