A process mining-based method for attacker profiling using the MITRE ATT&CK taxonomy
DOI:
https://doi.org/10.5753/jisa.2024.3902Keywords:
Cybersecurity, process mining, attacker behavior, threat intelligence, MITRE ATT&CK FrameworkAbstract
Cybersecurity intelligence involves gathering and analyzing data to understand cyber adversaries’ capabilities, intentions, and behaviors to establish adequate security measures. The MITRE ATT&CK framework is valuable for gaining insight into cyber threats since it details attacker tactics, techniques, and procedures. However, to fully understand an attacker’s behavior, it is necessary to connect individual tactics. In this context, Process Mining (PM) can be used to analyze runtime events from information systems, thereby discovering causal relations between those events. This article presents a novel approach combining Process Mining with the MITRE ATT&CK framework to discover process models of different attack strategies. Our approach involves mapping low-level system events to corresponding event labels from the MITRE ATT&CK taxonomy, increasing the abstraction level for attacker profiling. We demonstrate the effectiveness of our approach using real datasets of human and automated (malware) behavior. This exploration helps to develop more efficient and adaptable security strategies to combat current cyber threats and provides valuable guidelines for future research.
Downloads
References
Aslan, O. and Samet, R. (2020). A comprehensive review on malware detection approaches. IEEE Access, 8:6249-6271. DOI: 10.1109/ACCESS.2019.2963724.
Azzini, A., Braghin, C., Damiani, E., and Zavatarelli, F. (2013). Using semantic lifting for improving process mining: a data loss prevention system case study. In Proc. of the 3rd Intl. Symp. on Data-driven Process Discovery and Analysis, volume 1027 of CEUR Workshop Proceedings, pages 62-73. CEUR-WS.org. Available online [link].
Berady, A., Jaume, M., Triem Tong, V. V., and Guette, G. (2022). Pwnjutsu: A dataset and a semantics-driven approach to retrace attack campaigns. IEEE Transactions on Network and Service Management, 19(4):5252-5264. DOI: 10.1109/TNSM.2022.3183476.
Center, C. S. R. (2015). Cyber attack: Definition. Available online [link].
Charter, B. (2008). EVTX and Windows EventLogging. Technical report, SANS Institute. Available online [link].
Daszczyszak, R., Ellis, D., Luke, S., and Whitley, S. (2019). Ttp-based hunting. Technical report, Internet Engineering Task Force. The MITRE Corporation. Available online [link].
Davies, S. R., Macfarlane, R., and Buchanan, W. J. (2021). Review of current ransomware detection techniques. In 2021 International Conference on Engineering and Emerging Technologies (ICEET), pages 1-6. DOI: 10.1109/ICEET53442.2021.9659643.
de Alvarenga, S. C., Zarpelão, B. B., Junior, S. B., Miani, R. S., and Cukier, M. (2015). Discovering attack strategies using process mining. In Intl. Conf. on Telecommunications, pages 119-125, Brussels, Belgium. International Academy, Research, and Industry Association (IARIA). DOI: 10.13140/RG.2.1.4524.4008.
Dehghantanha, A., Conti, M., and Dargahi, T. (2018). Cyber Threat Intelligence. Springer Cham, Switzerland. DOI: 10.1007/978-3-319-73951-9.
Depaire, B., Swinnen, J., Jans, M., and Vanhoof, K. (2013). A process deviation analysis framework. In Business Process Management Workshops, pages 701-706. Springer. DOI: 10.1007/978-3-642-36285-9_69.
Dingledine, R. (2023). The tor project. Available online [link].
Elastic (2017). Wcry/wanacry ransomware technical analysis. Available online [link].
Elastic (2023). Elastic Stack. Available online [link].
Fisher, T. (2022). Net command. Available online [link].
for Threat-Informed Defense, C. (2022). Attack flow. Available online [link].
Fredriksson, T., Bosch, J., and Olsson, H. H. (2020). Machine learning models for automatic labeling: A systematic literature review. In Proceedings of the 15th International Conference on Software Technologies - ICSOFT, pages 552-561, Online Event. INSTICC, SciTePress. DOI: 10.5220/0009972705520561.
Group-IB (2018). the evolution of ransomware and its distribution methods. Technical report, Group-IB. Available online [link].
Kao, D.-Y. and Hsiao, S.-C. (2018). The dynamic analysis of wannacry ransomware. In 2018 20th International Conference on Advanced Communication Technology (ICACT), pages 1-1. DOI: 10.23919/ICACT.2018.8323681.
Konsta, A. M., Spiga, B., Lluch-Lafuente, A., and Dragoni, N. (2023). A survey of automatic generation of attack trees and attack graphs. CoRR, abs/2302.14479. DOI: 10.1016/j.cose.2023.103602.
Leemans, S. J. J., Fahland, D., and van der Aalst, W. M. P. (2013). Discovering block-structured process models from event logs - a constructive approach. In Application and Theory of Petri Nets and Concurrency, pages 311-329, Berlin. Springer. DOI: 10.1007/978-3-642-38697-8_17.
Leemans, S. J. J., Fahland, D., and van der Aalst, W. M. P. (2014). Discovering block-structured process models from incomplete event logs. In Application and Theory of Petri Nets and Concurrency, pages 91-110. Springer. DOI: 10.1007/978-3-319-07734-5_6.
Lyon, G. (2023). Utility for network discovery and security auditing. Available online [link].
M., S. (2021). A sysmon configuration file for everybody. Available online [link].
Macak, M., Daubner, L., Fani Sani, M., and Buhnova, B. (2022). Process mining usage in cybersecurity and software reliability analysis: A systematic literature review. Array, 13:100120. DOI: 10.1016/j.array.2021.100120.
Malin, C. H., Casey, E., and Aquilina, J. M. (2012). Malware Forensics Field Guide for Windows Systems: Digital Forensics Field Guides. Syngress Publishing. Available online [link].
Messe, N., Chiprianov, V., Belloir, N., Hachem, J. E., Fleurquin, R., and Sadou, S. (2020). Asset-oriented threat modeling. In 19th IEEE Intl. Conf. on Trust, Security and Privacy in Computing and Communications (TrustCom), pages 491-501, Guangzhou, China. IEEE. DOI: 10.1109/TrustCom50675.2020.00073.
Microsoft (2023). System monitor tool. Available online [link].
MITRE (2023). Mitre enterprise tactics. Available online [link].
Myers, D., Radke, K., Suriadi, S., and Foo, E. (2017). Process discovery for industrial control system cyber attack detection. In ICT Systems Security and Privacy Protection, pages 61-75, Rome, Italy. Springer. DOI: 10.1007/978-3-319-58469-0_5.
Nahorney, B. (2020). Threat trends: Endpoint security. Available online [link].
Peacock, C. (2022). Suspicious network command rule. Available online [link].
Rodríguez, M., Betarte, G., and Calegari, D. (2023). Discovering attacker profiles using process mining and the MITRE att&ck taxonomy. In 12th Latin-American Symp. on Dependable and Secure Computing, LADC 2023, pages 146-155. ACM. DOI: 10.1145/3615366.3615372.
Rodríguez, M., Betarte, G., and Calegari, D. (2021). A process mining-based approach for attacker profiling. In 2021 IEEE URUCON, pages 425-429, Uruguay. IEEE. DOI: 10.1109/URUCON53396.2021.9647342.
Roth, F. and Patzke, T. (2022). Sigma: Generic signature format for siem systems. Available online [link].
Spitzner, L. (2002). Honeypots: Tracking Hackers. Addison-Wesley, USA. Available online [link].
Strom, B., Applebaum, A., Miller, D., Nickels, K., Pennington, A., and Thomas, C. (2018). Mitre att&ck: Design and philosophy. Technical report, The MITRE Corporation. Available online [link].
van der Aalst, W. and de Medeiros, A. (2005). Process mining and security: Detecting anomalous process executions and checking process conformance. ENTCS, 121:3-21. Porc. of 2nd Intl. Workshop on Security Issues with Petri Nets and other Computational Models (WISP). DOI: 10.1016/j.entcs.2004.10.013.
van der Aalst, W. M. P. (2016). Process Mining - Data Science in Action, Second Edition. Springer, Netherlands. DOI: 10.1007/978-3-662-49851-4.
van Dongen, B. F., de Medeiros, A. K. A., Verbeek, H. M. W., Weijters, A. J. M. M., and van der Aalst, W. M. P. (2005). The prom framework: A new era in process mining tool support. In Applications and Theory of Petri Nets, pages 444-454, Berlin. Springer. DOI: 10.1007/11494744_25.
Waggabat (2023). Zircolite: Sigma-based detection tool. Available online [link].
Downloads
Published
How to Cite
Issue
Section
License
Copyright (c) 2024 Journal of Internet Services and Applications
This work is licensed under a Creative Commons Attribution 4.0 International License.