Automated ATT&CK Technique Chaining

Abstract: Incident response teams need to determine what happened before and after an observation of adversary behavior in order to effectively respond to incidents. The MITRE ATT&CK knowledge base provides useful information about adversary behaviors, but provides no guidance on what most likely happened before and after an observed behavior. We have developed methods and open source tools to help incident responders answer the questions “What did most likely happen prior to this observation?” and “What are the adversary's most likely next steps given this observation?”. To be able to answer these questions, we combine semantic modeling of subject matter expert knowledge with data-driven methods trained on data from computer security incidents.

Bibliographic Details
Published in: Digital threats (Print), 2024-09 (ACM DTRAP)
Publication date: 2024-09-13
Main Authors: Skjøtskift, Geir; Eian, Martin; Bromander, Siri
ORCID iDs: 0009-0001-4240-7277; 0009-0003-1802-1483; 0009-0004-7461-3202
Format: Article (peer reviewed)
Language: English
Publisher: New York, NY: ACM
ISSN: 2576-5337
DOI: 10.1145/3696013
Subjects: Applied computing; Formal security models; Investigation techniques; Markov-chain Monte Carlo methods; Mathematics of computing; Security and privacy
Source: ACM Digital Library
Online Access: Get full text (free to read)