Cyber security threat modeling based on the MITRE Enterprise ATT&amp;CK Matrix

Xiong, Wenjun; Legrand, Emeline; Åberg, Oscar; Lagerström, Robert

doi:10.1007/s10270-021-00898-7

Cited by 88 publications

(51 citation statements)

References 54 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Exceptions are papers that utilize some well-known enumerations and knowledge bases. A threat modeling language that utilized ATT&CK was proposed in [10]. ATT&CK and CVE (Common Vulnerabilities and Exposures [11]) were utilized in [12].…”

Section: B Attack Graphsmentioning

confidence: 99%

Identification of Attack Paths Using Kill Chain and Attack Graphs

Sadlek

Čeleda

Tovarňák

2022

NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs. Kill chain and attack graphs are threat modeling concepts that enable determining weak security defense points. We propose a novel kill chain attack graph that merges kill chain and attack graphs together. This approach determines possible chains of attacker's actions and their materialization within the protected network. The graph generation uses a categorization of threats according to violated security properties. The graph allows determining the kill chain phase the administrator should focus on and applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. Publicly available implementation contains a proof-of-concept kill chain attack graph generator.

show abstract

Section: B Attack Graphsmentioning

confidence: 99%

Identification of Attack Paths Using Kill Chain and Attack Graphs

Sadlek

Čeleda

Tovarňák

2022

NOMS 2022-2022 IEEE/IFIP Network Operations and Management Symposium

View full text Add to dashboard Cite

show abstract

“…Several academic studies propose original security methods and models using the ATT&CK framework-the proposed methods and models by academia map to one of four use cases listed above. For example, Outkin et al present a gametheoretic method that uses the MITRE ATTA&CK APT3 threat data to model attacker-defender interaction and enhance the defender strategies (Outkin et al, 2021) (Xiong et al, 2021).…”

Section: Mitre Attandckmentioning

confidence: 99%

Zero Trust and Advanced Persistent Threats: Who Will Win the War?

Karabacak¹,

Whittaker²

2022

iccws

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are state-sponsored actors who break into computer networks for political or industrial espionage. Because of the nature of cyberspace and ever-changing sophisticated attack techniques, it is challenging to prevent and detect APT attacks. 2020 United States Federal Government data breach once again showed how difficult to protect networks from targeted attacks. Among many other solutions and techniques, zero trust is a promising security architecture that might effectively prevent the intrusion attempts of APT actors. In the zero trust model, no process insider or outside the network is trusted by default. Zero trust is also called perimeterless security to indicate that it changes the focus from network devices to assets. All processes are required to verify themselves to access the resources. In this paper, we focused on APT prevention. We sought an answer to the question: "could the 2020 United States Federal Government data breach have been prevented if the attacked networks used zero trust architecture?" To answer this question, we used MITRE's ATT&CK® framework to extract how the APT29 threat group techniques could be mitigated to prevent initial access to federal networks. Secondly, we listed basic constructs of the zero trust model using NIST Special Publication 800-207 and several other academic and industry resources. Finally, we analyzed how zero trust can prevent malicious APT activities. We found that zero trust has a strong potential of preventing APT attacks or mitigating them significantly. We also suggested that vulnerability scanning, application developer guidance, and training should not be neglected in zero trust implementations as they are not explicitly or strongly mentioned in NIST SP 800-207 and are among the mostly referred controls in academic and industry publications.

show abstract

“…Process under Multiattack Behavior. After constructing the incidence matrix of data node state and the matrix model of the multiattack behavior in 3.1 and 3.2, respectively, the overall attack process is matrix-modeled [19], which is used to describe the attack path and attack process and provide further proof for judging the kind of the attack behavior. At the same time, the model can describe the state change of WSN data nodes after being attacked.…”

Section: Matrix Modeling and Analysis Of The Overall Attackmentioning

confidence: 99%

Mathematical Modeling of Multiattack Behavior Discrimination in the WSN Based on Incidence Matrix

Wang

2022

Complexity

View full text Add to dashboard Cite

The current WSN is vulnerable to a variety of malicious attacks, resulting in the decline of its comprehensive performance. Multihop routing involves a number of safety and privacy issues. Problems such as snooping, sinkhole, manipulation, cloning, wormhole, spoofing, and so on affect the integrity, availability, and confidentiality of the WSNs. Therefore, this paper mainly studies the mathematical modeling of WSN multiattack behavior discrimination based on the incidence matrix. The WSN node model is used to collect relevant data and mark and map the disguised data, so as to determine the characteristics of multiattack behavior and establish the WSN multiattack behavior discrimination model based on the incidence matrix. The experimental results show that the designed multiattack behavior discrimination model can distinguish the attack type according to the characteristics, has high recognition ability, can spend a short time to effectively distinguish the attack behavior, has a low false positive rate, and can effectively improve the antiattack ability of the WSN.

show abstract

Cyber security threat modeling based on the MITRE Enterprise ATT&CK Matrix

Cited by 88 publications

References 54 publications

Identification of Attack Paths Using Kill Chain and Attack Graphs

Identification of Attack Paths Using Kill Chain and Attack Graphs

Zero Trust and Advanced Persistent Threats: Who Will Win the War?

Mathematical Modeling of Multiattack Behavior Discrimination in the WSN Based on Incidence Matrix

Contact Info

Product

Resources

About