Automated ATT&CK Technique Chaining

Bibliographic Details
Published in: Digital threats (Print), 2024-09
Main Authors: Skjøtskift, Geir; Eian, Martin; Bromander, Siri
Format: Article
Language: English
Description

Summary: Incident response teams need to determine what happened before and after an observation of adversary behavior in order to effectively respond to incidents. The MITRE ATT&CK knowledge base provides useful information about adversary behaviors, but provides no guidance on what most likely happened before and after an observed behavior. We have developed methods and open source tools to help incident responders answer the questions “What did most likely happen prior to this observation?” and “What are the adversary's most likely next steps given this observation?”. To be able to answer these questions, we combine semantic modeling of subject matter expert knowledge with data-driven methods trained on data from computer security incidents.

ISSN: 2576-5337
DOI: 10.1145/3696013