
Mapping the Security Events to the MITRE ATT&CK Attack Patterns to Forecast Attack Propagation (Extended Abstract)

Conference paper

Attacks and Defenses for the Internet-of-Things (ADIoT 2022)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13745)

Abstract

Modern information systems generate large volumes of events, and analysing these events allows malicious activity within the system to be detected. Many event correlation techniques exist for detecting cyber security incidents and different types of cyber attacks, and many techniques exist for multi-step attack modeling. At the same time, most modern security event management solutions cannot map a detected security incident to the specific stage of a targeted multi-step cyber attack, forecast the next steps of that attack, or select proactive responses automatically. In this paper a technique for mapping detected incidents to the stages of targeted cyber attacks is proposed. The technique is based on the “Emerging Threats” correlation rule set, used to correlate events into cyber security incidents, and on the “Targeted Attack Analyzer (Indicators of Attack)” rule set, which describes security incidents (signatures) in the Sigma language and is integrated with the MITRE ATT&CK knowledge base. The developed technique maps the events detected in the analysed system to MITRE ATT&CK attack patterns and, in prospect, will allow forecasting the development of a targeted cyber attack and responding automatically to the detected incidents. The technique is implemented in Python and tested in a deployed test environment to demonstrate the mapping of detected incidents to known attack patterns.
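As an added illustration of the mapping step described in the abstract (example code, not the authors' implementation), the block below resolves correlated incidents to ATT&CK tactics and techniques through the `attack.*` tags that Sigma rules carry, then makes a deliberately naive next-stage forecast from the ATT&CK Enterprise tactic order; the rule identifiers, hosts and tags are constructed sample data, and the forecast heuristic is an assumption of this example, not the paper's method.

```python
"""Map correlated incidents to MITRE ATT&CK via Sigma rule tags and forecast
the next tactic from the ATT&CK Enterprise matrix order (constructed example)."""
import re
from collections import defaultdict

# ATT&CK Enterprise tactics in matrix (kill-chain) order.
TACTIC_ORDER = [
    "reconnaissance", "resource-development", "initial-access", "execution",
    "persistence", "privilege-escalation", "defense-evasion", "credential-access",
    "discovery", "lateral-movement", "collection", "command-and-control",
    "exfiltration", "impact",
]

# Constructed Sigma-style rule metadata. Sigma tags encode the ATT&CK tactic
# as attack.<tactic> and the technique as attack.t<id>[.<sub-id>].
SIGMA_RULES = {
    "proc_creation_win_powershell_encoded": ["attack.execution", "attack.t1059.001"],
    "net_suricata_et_c2_beacon": ["attack.command-and-control", "attack.t1071.001"],
}

TECH_RE = re.compile(r"^attack\.(t\d{4}(?:\.\d{3})?)$")


def map_rule_to_attack(tags):
    """Return (tactics, techniques) referenced by a rule's Sigma tags."""
    tactics, techniques = [], []
    for tag in tags:
        m = TECH_RE.match(tag)
        if m:
            techniques.append(m.group(1).upper())      # t1059.001 -> T1059.001
        elif tag.startswith("attack.") and tag[len("attack."):] in TACTIC_ORDER:
            tactics.append(tag[len("attack."):])
    return tactics, techniques


def map_incidents(incidents, rules=SIGMA_RULES):
    """incidents: list of (host, rule_id). Returns {host: {tactic: {technique}}}.
    Incidents whose rule has no ATT&CK tags are left unmapped."""
    per_host = defaultdict(lambda: defaultdict(set))
    for host, rule_id in incidents:
        tactics, techniques = map_rule_to_attack(rules.get(rule_id, []))
        for tactic in tactics:
            per_host[host][tactic].update(techniques)
    return per_host


def forecast_next_tactics(observed_tactics, horizon=2):
    """Naive forecast (assumption of this example): the tactics that follow the
    latest observed stage in matrix order are the candidate next steps."""
    observed = [t for t in TACTIC_ORDER if t in observed_tactics]
    if not observed:
        return []
    last = TACTIC_ORDER.index(observed[-1])
    return TACTIC_ORDER[last + 1:last + 1 + horizon]
```

The per-host map is the artefact a SOC would enrich further (e.g. with data-source coverage per technique) before using the forecast to prioritise monitoring of the predicted stages.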



Funding

This research is supported by RSF grant #21-71-20078 at SPC RAS.

Corresponding author: Elena Fedorchenko.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Kryukov, R., Zima, V., Fedorchenko, E., Novikova, E., Kotenko, I. (2022). Mapping the Security Events to the MITRE ATT&CK Attack Patterns to Forecast Attack Propagation (Extended Abstract). In: Li, W., Furnell, S., Meng, W. (eds) Attacks and Defenses for the Internet-of-Things. ADIoT 2022. Lecture Notes in Computer Science, vol 13745. Springer, Cham. https://doi.org/10.1007/978-3-031-21311-3_10

  • DOI: https://doi.org/10.1007/978-3-031-21311-3_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-21310-6

  • Online ISBN: 978-3-031-21311-3

  • eBook Packages: Computer Science (R0)