Analysis Of Cyber Threat Detection And Emulation Using MITRE Attack Framework

Rajesh, P. K.; Alam, Mansoor; Tahernezhadi, M.; Monika, A; Chanakya, Gm

doi:10.1109/idsta55301.2022.9923170

Cited by 14 publications

(7 citation statements)

References 23 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Security Operations Centers (SOCs) also utilize the MITRE ATT&CK framework for its standardized approach to describing adversarial behaviors throughout the cyber-attack lifecycle. The MITRE ATT&CK maps adversarial behaviours into a structured matrix representation of tactics and techniques followed by procedures [24]. By incorporating botnet-related techniques into the MITRE ATT&CK matrix, organizations can map specific tactics, techniques, and procedures (TTPs) associated with botnets, enhancing their overall threat detection capabilities.…”

Section: Related Workmentioning

confidence: 99%

Botnet Detection and Incident Response in Security Operation Center (SOC): A Proposed Framework

Muhammad,

Ismail,

Hassan

2024

IJACSA

View full text Add to dashboard Cite

In the dynamic landscape of evolving cyber threats, Security Operations Centers (SOCs) play an important role in protecting digital assets. Among these threats, botnets are particularly challenging due to their ability to take over many devices and launch coordinated attacks. Through comparative analysis, the research gaps in existing frameworks have been identified. Based on these insights, a botnet detection and incident response framework aligned with SOC practices has been proposed. This proposed framework emphasizes proactive measures by integrating threat intelligence, detection and monitoring tools to detect botnet attack and facilitate rapid response. Future research will focus on conducting evaluation and validation studies to assess the effectiveness and performance of the framework in controlled environments. This effort will contribute to develop the framework and ensuring it aligns with practical cybersecurity needs.

show abstract

Section: Related Workmentioning

confidence: 99%

Botnet Detection and Incident Response in Security Operation Center (SOC): A Proposed Framework

Muhammad,

Ismail,

Hassan

2024

IJACSA

View full text Add to dashboard Cite

show abstract

“…Integrating the Cyber Kill Chain framework into Disaster Recovery (DR) planning is highly advantageous. It identifies potential threats early, facilitates prompt and targeted responses, and effectively allocates defensive resources [4] [5]. Tools such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical for detecting early signs of an attack and preventing progression.…”

Section: Disrupting the Cyber Kill Chain: A Proactive Defense Strategymentioning

confidence: 99%

Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises

Tahmasebi

2024

JIS

View full text Add to dashboard Cite

As cyber threats keep changing and business environments adapt, a comprehensive approach to disaster recovery involves more than just defensive measures. This research delves deep into the strategies required to respond to threats and anticipate and mitigate them proactively. Beginning with understanding the critical need for a layered defense and the intricacies of the attacker's journey, the research offers insights into specialized defense techniques, emphasizing the importance of timely and strategic responses during incidents. Risk management is brought to the forefront, underscoring businesses' need to adopt mature risk assessment practices and understand the potential risk impact areas. Additionally, the value of threat intelligence is explored, shedding light on the importance of active engagement within sharing communities and the vigilant observation of adversary motivations. "Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises" is a comprehensive guide for organizations aiming to fortify their cybersecurity posture, marrying best practices in proactive and reactive measures in the ever-challenging digital realm.

show abstract

“…MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge) framework is a model developed to discuss the life cycle of cyber attacks [86]. ATT&CK is a knowledge base which discusses attackers' behaviours and the attack processes they follow based on the observations recorded in real-time [106,119]. A matrix representation is provided by ATT&CK that allows to map attackers' tactics and techniques to identify their behaviours.…”

Section: Future Of Iot Kill Chainmentioning

confidence: 99%

“…A matrix representation is provided by ATT&CK that allows to map attackers' tactics and techniques to identify their behaviours. This helps detect attacks and provides defence based on the intelligence gained [119]. CKC is another model designed to identify and defend against cyber attacks by understanding adversaries, as discussed in Chapter 2.…”

Section: Future Of Iot Kill Chainmentioning

confidence: 99%

Deception-Based Security Framework for IoT: An Empirical Study

Haseeb¹

View full text Add to dashboard Cite

A large number of Internet of Things (IoT) devices in use has provided a vast attack surface. The security in IoT devices is a significant challenge considering constrained resources, designed with poor security measures and their associated configuration and maintenance flaws. Vulnerable IoT devices are used to perform different attacks such as Distributed Denial of Service (DDoS) caused by malware infection and propagation. In the literature, attacks on IoT devices have been captured and analysed using deception systems such as honeypots to discover patterns of target selection, login credentials used, commands executed by the attackers in the attack process and study behaviours of IoT malware and botnets. However, previous studies are limited in presenting an in-depth analysis of complete attack structures, grouping attacks without the subjective bias of experts' domain knowledge and proposing empirically-proven methods to detect human attackers. These studies also do not use the existing knowledge of attacks to design or improve deception-based defences. The overall goal of this thesis is understanding IoT attacks, threat actors and their behaviours and uses probabilistic modelling and prior knowledge to propose a deception-based security framework. A key feature of this thesis is the experimental data collection and empirical analysis using categorisation and clustering techniques. To achieve the overall goal, this research conducts an experimental study in which a honeypot is deployed to capture IoT attacks. Using the Cyber Kill Chain (CKC) model, more than 30,000 captured attacks are empirically analysed and an IoT Kill Chain (IoTKC) model is designed. The IoTKC model presents attack process followed for the exploitation of IoT devices and each phase is an abstraction of attackers' activities, tools, techniques and tactics used. The knowledge gained about IoT attacks is used to propose a deception-based security framework. A pre-planning phase is introduced on top of other traditional phases, i.e., creating deception-based defence, performing defence, evaluating, monitoring and updating defence. The knowledge of prior attacks helps predict attack actions based on the probabilities of following a sequence and subsequently choosing defensive measures. The framework also discusses attackers' behaviour in the process and various quantification measures for evaluating the performance of attack and defence actions. This research also proposes a feature set extracted from captured IoT attacks based on manually mapping commands with IoTKC steps, behaviour of attackers and utilisation of resources. Various clustering algorithms are applied to the data set prepared by identified features and random tree models are designed to highlight the distribution of attacks and classification features. Further extending the analysis, this thesis proposes a new approach comprised of feature construction using Autoencoder (AE) and clustering IoT attacks to understand the attacks distribution based on changes in commands and the links between captured attacks. The proposed approach also handles domain knowledge and subjective bias limitations by removing the process of manually correlating commands. Overall the findings related to understanding and clustering IoT attacks show that most of the attacks captured are automated and active attack campaigns on the Internet. A larger experimental study is therefore required to acquire larger data set and further study other types of attacks and attackers behind them. Before conducting the new experiment, this research performs a risk assessment study using Failure Modes and Effects Analysis (FMEA) for a honeypot-based cyber security experiment. The analysis identifies the factors affecting a cyber security experiment regarding deceptive capabilities, increasing exposure, avoiding detection, deploying and monitoring honeypots. Moreover, for the relevant configurations, components and deceptive capabilities in the experiment; the analysis provides details on possible failure modes, their effects on experimental results, the possible causes of failures and available controls to detect and mitigate potential failures. This research then conducts a large experimental study by deploying 15 server honeypots in various geographical locations around the world and collecting attack data for a period of two months. A representative feature set is proposed to identify the behavioural characteristics of human attackers when interacting with the target system. Our analysis also discusses various case studies of human attackers and reports observations on their interaction behaviours with the target systems and intentions to perform attacks. We also discuss the advantages of increasing deception by comparing attacks received on honeypots with various deceptive capabilities. Changing configurations and increasing deception at various levels help make the honeypot more appealing to lure IoT-specific attacks and convince attackers to maintain longer engagements.

show abstract

Analysis Of Cyber Threat Detection And Emulation Using MITRE Attack Framework

Cited by 14 publications

References 23 publications

Botnet Detection and Incident Response in Security Operation Center (SOC): A Proposed Framework

Botnet Detection and Incident Response in Security Operation Center (SOC): A Proposed Framework

Beyond Defense: Proactive Approaches to Disaster Recovery and Threat Intelligence in Modern Enterprises

Deception-Based Security Framework for IoT: An Empirical Study

Contact Info

Product

Resources

About