Probabilistic Attack Sequence Generation and Execution Based on MITRE ATT&amp;CK for ICS Datasets

Choi, Seungoh; Yun, Jeong-Han; Min, Byung-Gil

doi:10.1145/3474718.3474722

Cited by 22 publications

(18 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…It allows distinguishing the attack procedures according to the attack pattern, the underlying architecture, and the attacker's intention. This understanding has already allowed Choi et al in [22] to propose an automatic generation method for various attack sequences. We think that it is necessary to go even further in the formalization.…”

Section: Apt-like Actors Observation On Dedicated Platformmentioning

confidence: 94%

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Berady

Jaume²,

Tông

et al. 2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Identifying patterns in the modus operandi of attackers is an essential requirement in the study of Advanced Persistent Threats. Previous studies have been hampered by the lack of accurate, relevant, and representative datasets of current threats. System logs and network traffic captured during attacks on real companies' information systems are the best data sources to build such datasets. Unfortunately, for apparent reasons of companies' reputation, privacy, and security, such data is seldom available. This article proposes an alternative approach to such issues involved with collecting data. It first presents a formal model of an attacker's tactical progression during their network propagation phase. Such a progression is expressed according to the attacker's state, called muSE, which specifies their propagation area, collected secrets, and knowledge of the environment. The new model wields the operational semantics of attack techniques proposed in this article. The semantics formally define a transition relation between attackers' states. Hence, it can be used to describe an entire attack scenario. This formalization allows the ability to describe the PWNJUTSU experiment unequivocally. In this experiment, 22 Red Teamers attacked the vulnerable infrastructure to compromise machines and steal secret flags. Each Red Teamer operated on a dedicated instance. Sensors captured system logs and network traffic on each of these instances. This article's second contribution is the public release of the PWNJUTSU dataset.

show abstract

Section: Apt-like Actors Observation On Dedicated Platformmentioning

confidence: 94%

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Berady

Jaume²,

Tông

et al. 2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…Another challenge is to defend against the APT-based threats that is usually performed over a longer period; a collection of indicators of compromise and real-time monitoring can be an effective way to counter such threats (see, e.g., [69]). Therefore, to motivate the understanding, researchers need to generate novel attacks in their papers, analyze the impact of such attacks on the control and physical systems, and identify the indicators of compromise (see, e.g., [18,75,91,113]).…”

Section: Lessons Learned: Summary and Insightsmentioning

confidence: 99%

“…More specifically, there are no publicly available datasets for complex cyber-physical attacks such as APT attacks, coordinated attacks, and cascading attacks; therefore, it is difficult to study the performance of detection systems against such attacks using ML and DL techniques. Therefore, one of lesson is to develop an environment to generate artificial attack sequences, based on frameworks like MITRE ATT&CK, to perform integrated monitoring, detection, and analysis study, as well as generate datasets based on different scenarios (see, e.g., [18,75,91,113]). Some related works [59,116] used MTD to detect stealthy attacks in the SG.…”

Section: Lessons Learned: Summary and Insightsmentioning

confidence: 99%

“…Future Directions: Recently, an initiative "MITRE'S ATT&CK framework," has dedicated its work towards collecting and categorizing techniques that are employed by the adversaries against the ICS. Therefore, one of future work is to generate sequences of complex cyber-attacks based on the data provided by this framework and as well as data from other threat intelligence systems such as Malware Information Sharing Platform (MISP) using a simulation tool in order to understand the nature and impact of such attacks on the cyber and physical operations of the SG (see, e.g., [18,75,113]). The experiments should also include identifying the Indicators of Compromise (IoC) in communication and power systems for all types of attacks.…”

Section: Understanding the Impact Of Complex Cyber-attacksmentioning

confidence: 99%

See 1 more Smart Citation

Smart Grid Cyber-Physical Situational Awareness of Complex Operational Technology Attacks: A Review

et al. 2023

View full text Add to dashboard Cite

The smart grid, regarded as the complex cyber-physical ecosystem of infrastructures, orchestrates advanced communication, computation, and control technologies to interact with the physical environment. Due to the high rewards that threats to the grid can realize, adversaries can mount complex cyber-attacks such as advanced persistent threats-based and coordinated attacks to cause operational malfunctions and power outages in the worst scenarios: The latter of which was reflected in the Ukrainian power grid attack. Despite widespread research on smart grid security, the impact of targeted attacks on control and power systems is anecdotal. This paper reviews the smart grid security from collaborative factors, emphasizing the situational awareness. Specifically, we propose a threat modeling framework and review the nature of cyber-physical attacks to understand their characteristics and impacts on the smart grid’s control and physical systems. We examine the existing threats detection and defense capabilities, such as intrusion detection systems, moving target defense, and co-simulation techniques, along with discussing the impact of attacks through situational awareness and power system metrics. We discuss the human factor aspects for power system operators in analyzing the impacts of cyber-attacks. Finally, we investigate the research challenges with key research gaps to shed light on future research directions.

show abstract

“….Manocha et al propose a security assessment rating framework using ATTA&CK(Manocha et al, 2021). Pell et al study a dynamic threat modeling for 5G networks using ATTA&CK(Pell et al, 2021).Choi et al show how ATT&CK can be used to generate random attack sequences against ICS datasets(Choi, Yun and Min, 2021). Georgiadou et al evaluate organizational/individual security culture and security vulnerabilities together and map them to adversaries using ATT&CK to develop a cybersecurity culture framework(Georgiadou, Mouzakitis and Askounis, 2021).Xiong et al propose a new threat modeling language for enterprise security based on the ATT&CK enterprise matrix…”

mentioning

confidence: 99%

Zero Trust and Advanced Persistent Threats: Who Will Win the War?

Karabacak¹,

Whittaker²

2022

iccws

View full text Add to dashboard Cite

Advanced Persistent Threats (APTs) are state-sponsored actors who break into computer networks for political or industrial espionage. Because of the nature of cyberspace and ever-changing sophisticated attack techniques, it is challenging to prevent and detect APT attacks. 2020 United States Federal Government data breach once again showed how difficult to protect networks from targeted attacks. Among many other solutions and techniques, zero trust is a promising security architecture that might effectively prevent the intrusion attempts of APT actors. In the zero trust model, no process insider or outside the network is trusted by default. Zero trust is also called perimeterless security to indicate that it changes the focus from network devices to assets. All processes are required to verify themselves to access the resources. In this paper, we focused on APT prevention. We sought an answer to the question: "could the 2020 United States Federal Government data breach have been prevented if the attacked networks used zero trust architecture?" To answer this question, we used MITRE's ATT&CK® framework to extract how the APT29 threat group techniques could be mitigated to prevent initial access to federal networks. Secondly, we listed basic constructs of the zero trust model using NIST Special Publication 800-207 and several other academic and industry resources. Finally, we analyzed how zero trust can prevent malicious APT activities. We found that zero trust has a strong potential of preventing APT attacks or mitigating them significantly. We also suggested that vulnerability scanning, application developer guidance, and training should not be neglected in zero trust implementations as they are not explicitly or strongly mentioned in NIST SP 800-207 and are among the mostly referred controls in academic and industry publications.

show abstract

Probabilistic Attack Sequence Generation and Execution Based on MITRE ATT&CK for ICS Datasets

Cited by 22 publications

References 5 publications

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

PWNJUTSU: A Dataset and a Semantics-Driven Approach to Retrace Attack Campaigns

Smart Grid Cyber-Physical Situational Awareness of Complex Operational Technology Attacks: A Review

Zero Trust and Advanced Persistent Threats: Who Will Win the War?

Contact Info

Product

Resources

About