Attackers reveal their arsenal: An investigation of adversarial techniques in CTI reports (2401.01865v1)
Abstract: Context: Cybersecurity vendors often publish cyber threat intelligence (CTI) reports: written artifacts describing the technical and forensic analysis of the techniques used by malware in APT attacks. Objective: The goal of this research is to inform cybersecurity practitioners about how adversaries form cyberattacks, through an analysis of the adversarial techniques documented in CTI reports. Dataset: We use the 594 adversarial techniques cataloged in MITRE ATT&CK. We systematically construct a set of 667 CTI reports that MITRE ATT&CK cites in the descriptions of the cataloged techniques. Methodology: We analyze the frequency and trend of adversarial techniques, followed by a qualitative analysis of how the techniques are implemented. Next, we perform association rule mining to identify pairs of techniques that recur in APT attacks. We then perform a qualitative analysis to identify the underlying relations among the techniques in the recurring pairs. Findings: The set of 667 CTI reports documents 10,370 technique occurrences in total, and we identify 19 prevalent techniques accounting for 37.3% of the documented occurrences. We also identify 425 statistically significant recurring pairs and seven types of relations among the techniques in these pairs. The top three of the seven relations suggest that the techniques used by malware inter-relate in terms of (a) abusing or affecting the same system assets, (b) executing in sequence, and (c) overlapping in their implementations. Overall, the study quantifies how adversaries leverage techniques through malware in APT attacks, based on publicly reported documents. We advocate that organizations prioritize their defenses against the identified prevalent techniques and actively hunt for potential malicious intrusion based on the identified pairs of techniques.
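As an added worked example (not the paper's code), the following Python shows the core of the methodology the abstract describes: counting how often each ATT&CK technique is documented across a set of reports, picking the smallest set of top techniques that covers a target share of all mentions, and then mining technique pairs by support, confidence and lift, keeping only pairs whose co-occurrence is statistically significant. The report-to-technique mapping (`REPORTS`) is constructed sample data, and the use of a one-sided Fisher exact test, the thresholds, and all function names are my assumptions; the abstract does not say which significance test the authors used.

```python
"""Mining prevalent techniques and recurring technique pairs from ATT&CK-mapped CTI reports.

Added example, not code from the paper. REPORTS is constructed sample data
(hypothetical report IDs and technique sets), not the paper's dataset.
"""
from collections import Counter
from itertools import combinations
from math import comb

# Constructed sample input: report ID -> set of ATT&CK technique IDs the report documents.
# In practice this mapping would come from a mapping tool such as TRAM or from the
# ATT&CK STIX data; the values below are invented for illustration only.
REPORTS = {
    "rpt-01": {"T1566", "T1204", "T1059", "T1105"},
    "rpt-02": {"T1566", "T1204", "T1059"},
    "rpt-03": {"T1566", "T1204", "T1027"},
    "rpt-04": {"T1566", "T1204", "T1082"},
    "rpt-05": {"T1566", "T1204", "T1105"},
    "rpt-06": {"T1190", "T1059", "T1105"},
    "rpt-07": {"T1190", "T1027", "T1082"},
    "rpt-08": {"T1078", "T1021", "T1082"},
    "rpt-09": {"T1078", "T1021", "T1027"},
    "rpt-10": {"T1059", "T1027", "T1105"},
}


def technique_frequency(reports):
    """Number of reports documenting each technique (one mention per report)."""
    freq = Counter()
    for techniques in reports.values():
        freq.update(techniques)
    return freq


def prevalent_techniques(reports, share=0.373):
    """Smallest set of most-frequent techniques covering `share` of all documented mentions.

    Ties are broken by technique ID so the result is deterministic.
    """
    freq = technique_frequency(reports)
    total = sum(freq.values())
    chosen, covered = [], 0
    for tech, count in sorted(freq.items(), key=lambda kv: (-kv[1], kv[0])):
        chosen.append(tech)
        covered += count
        if covered >= share * total:
            break
    return chosen


def fisher_right_tail(a, b, c, d):
    """One-sided Fisher exact test on the 2x2 table [[a, b], [c, d]].

    Returns P(X >= a) under the hypergeometric null, i.e. the probability of
    seeing at least `a` reports containing both techniques if they were independent.
    """
    n = a + b + c + d
    row1, col1 = a + b, a + c  # reports with technique X; reports with technique Y
    return sum(comb(row1, x) * comb(n - row1, col1 - x)
               for x in range(a, min(row1, col1) + 1)) / comb(n, col1)


def mine_pairs(reports, min_support=2, min_lift=1.0, alpha=0.05):
    """Association rules over technique pairs, kept if frequent, positively associated and significant."""
    n = len(reports)
    freq = technique_frequency(reports)
    pair_count = Counter()
    for techniques in reports.values():
        pair_count.update(combinations(sorted(techniques), 2))

    rules = []
    for (x, y), both in pair_count.items():
        if both < min_support:
            continue
        fx, fy = freq[x], freq[y]
        support = both / n
        lift = support / ((fx / n) * (fy / n))
        # 2x2 contingency table: both, X only, Y only, neither
        p_value = fisher_right_tail(both, fx - both, fy - both, n - fx - fy + both)
        if lift >= min_lift and p_value <= alpha:
            rules.append({
                "pair": (x, y),
                "support": support,
                "confidence_x_to_y": both / fx,
                "confidence_y_to_x": both / fy,
                "lift": lift,
                "p_value": p_value,
            })
    rules.sort(key=lambda r: (-r["lift"], r["pair"]))
    return rules


if __name__ == "__main__":
    print("prevalent:", prevalent_techniques(REPORTS))
    for rule in mine_pairs(REPORTS):
        print(rule["pair"], f"lift={rule['lift']:.2f} p={rule['p_value']:.4f}")
```

On the sample data the pair (T1059, T1105) co-occurs in three reports with lift above 1 but is dropped because its one-sided p-value is about 0.12, which is the point of the significance filter: raw co-occurrence counts over-report pairs whose members are simply common. When hundreds of candidate pairs are tested, as in a corpus the size of the paper's, a multiple-comparison correction (Bonferroni or Benjamini-Hochberg) on `alpha` should be applied before treating a pair as a hunting hypothesis.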
Authors: Md Rayhanur Rahman, Setu Kumar Basak, Rezvan Mahdavi Hezaveh, Laurie Williams