Mining Temporal Attack Patterns from Cyberthreat Intelligence Reports (2401.01883v1)
Abstract: Defending against cyberattacks requires practitioners to reason about high-level adversary behavior. Cyberthreat intelligence (CTI) reports on past cyberattack incidents describe the chain of malicious actions with respect to time. To avoid repeating cyberattack incidents, practitioners must proactively identify and defend against recurring chains of actions, which we refer to as temporal attack patterns. Automatically mining the patterns among actions provides structured and actionable information on the adversary behavior of past cyberattacks. The goal of this paper is to aid security practitioners in prioritizing and proactively defending against cyberattacks by mining temporal attack patterns from cyberthreat intelligence reports. To this end, we propose ChronoCTI, an automated pipeline for mining temporal attack patterns from CTI reports of past cyberattacks. To construct ChronoCTI, we build a ground truth dataset of temporal attack patterns and apply state-of-the-art LLMs, natural language processing, and machine learning techniques. We apply ChronoCTI to a set of 713 CTI reports, where we identify 124 temporal attack patterns, which we categorize into nine pattern categories. We find that the most prevalent pattern category is tricking victim users into executing malicious code to initiate the attack, followed by bypassing the anti-malware system in the victim network. Based on the observed patterns, we advocate that organizations train users in cybersecurity best practices, introduce immutable operating systems with limited functionality, and enforce multi-user authentication. Moreover, we advocate that practitioners leverage the automated mining capability of ChronoCTI to design countermeasures against the recurring attack patterns.
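To make the notion of a temporal attack pattern concrete, the following added example (not ChronoCTI's own code, and not the paper's data) mines ordered k-action chains that recur across a set of constructed, time-ordered action sequences, one per report, and scores each by support (fraction of reports containing it) and confidence (how often the last action follows once the earlier ones have occurred in order). The action labels, report names, thresholds and the pair/triple mining approach are assumptions made for this illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed, time-ordered action chains, one per CTI report (illustrative only).
REPORTS = {
    "report-1": ["phishing-attachment", "user-execution", "disable-antimalware",
                 "credential-dumping", "ransomware"],
    "report-2": ["phishing-link", "user-execution", "disable-antimalware",
                 "lateral-movement", "ransomware"],
    "report-3": ["exploit-public-app", "webshell", "credential-dumping",
                 "lateral-movement", "ransomware"],
    "report-4": ["phishing-attachment", "user-execution", "credential-dumping",
                 "disable-antimalware", "ransomware"],
}


def ordered_subsequences(chain, k):
    """Distinct length-k action tuples that occur in this time order within one chain."""
    return {
        tuple(chain[i] for i in idx)
        for idx in combinations(range(len(chain)), k)
        if len({chain[i] for i in idx}) == k  # skip tuples that repeat an action
    }


def mine_temporal_patterns(reports, k=2, min_support=0.5, min_confidence=0.6):
    """Return (pattern, support, confidence) for ordered k-action chains that recur.

    support    = fraction of reports in which the k actions occur in that order
    confidence = P(last action follows | the first k-1 actions occurred in order)
    """
    n = len(reports)
    pattern_count, prefix_count = Counter(), Counter()
    for chain in reports.values():
        pattern_count.update(ordered_subsequences(chain, k))
        prefix_count.update(ordered_subsequences(chain, k - 1))
    mined = []
    for pattern, count in pattern_count.items():
        support = count / n
        confidence = count / prefix_count[pattern[:-1]]
        if support >= min_support and confidence >= min_confidence:
            mined.append((pattern, support, confidence))
    # Most prevalent first; ties broken by confidence, then by name for determinism.
    mined.sort(key=lambda p: (-p[1], -p[2], p[0]))
    return mined


if __name__ == "__main__":
    for pattern, support, confidence in mine_temporal_patterns(REPORTS, k=3):
        print(f"{' -> '.join(pattern)}  support={support:.2f}  confidence={confidence:.2f}")
```

Raising `k` lengthens the chains being mined, and a pattern that scores high on both measures is the kind of recurring sequence a defender would prioritize a countermeasure against.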
- Authors: Md Rayhanur Rahman, Brandon Wroblewski, Quinn Matthews, Brantley Morgan, Tim Menzies, Laurie Williams