An ATT&CK-KG for Linking Cybersecurity Attacks to Adversary Tactics and Techniques (ISWC P&D 2021)
Poster Paper @ISWC 2021 (29.08.2021)
Funding year 2017 / Science Call #1 / Project ID: / Project: SEPSES

We are happy to announce that our poster paper titled “An ATT&CK-KG for Linking Cybersecurity Attacks to Adversary Tactics and Techniques” has been accepted at the ISWC conference 2021.

The paper discusses an extension of our prior work, the Cybersecurity Knowledge Graph (CSKG), with adversary tactics and techniques to support analysts in connecting log events to higher-level attack steps.

For this purpose, we developed a vocabulary to represent rich threat intelligence instance data from MITRE ATT&CK in a knowledge graph as visualized in the following excerpt:

ATT&CK Ontology

To demonstrate this approach, we also introduced a method to translate community-based threat detection rules from sources such as Sigma into SPARQL queries and to link the alerts they produce to the adversarial tactics and techniques defined in ATT&CK.

The following figure visualizes an example of threat detection based on translated Sigma rules over RDF log graphs. Once a rule matches, the respective alerts are automatically linked to the ATT&CK knowledge graph. For example, the node (“/tmp/vUgefal”) is detected as an alert and automatically linked to the attack technique T1204.002.

Sigma - Rule Based Threat detection with ATT&CK
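As an added example (not code from the paper or the SEPSES project), the translation step described above for a minimal Sigma rule: the selection fields become triple patterns and FILTERs of a SPARQL CONSTRUCT query, and the rule's `attack.t…` tags become links from the generated alert to the ATT&CK technique, here modelled on the /tmp/vUgefal alert linked to T1204.002. The `ex:`/`attack:` namespaces, the log property names and the rule itself are assumptions, not the project's vocabulary.

```python
# Added example: Sigma rule -> SPARQL CONSTRUCT; the ex:/attack: vocabulary is assumed.
from typing import Dict, List

PREFIXES = (
    "PREFIX ex: <http://example.org/log#>\n"         # hypothetical log/alert vocabulary
    "PREFIX attack: <http://example.org/attack#>\n"  # hypothetical ATT&CK KG namespace
)

# Sigma value modifiers mapped to SPARQL filter expressions (subset of the Sigma spec)
MODIFIERS = {
    "": 'STR(?{v}) = "{val}"',
    "contains": 'CONTAINS(STR(?{v}), "{val}")',
    "startswith": 'STRSTARTS(STR(?{v}), "{val}")',
    "endswith": 'STRENDS(STR(?{v}), "{val}")',
}

def techniques_from_tags(tags: List[str]) -> List[str]:
    """'attack.t1204.002' -> 'T1204.002'; tactic tags such as 'attack.execution' are skipped."""
    return [t[len("attack."):].upper() for t in tags
            if t.startswith("attack.t") and t[len("attack.t"):][:1].isdigit()]

def _lit(value: object) -> str:  # escape a Sigma value for a double-quoted SPARQL literal
    return str(value).replace("\\", "\\\\").replace('"', '\\"')

def sigma_to_sparql(rule: Dict) -> str:
    patterns, filters = [], []
    for key, values in rule["detection"]["selection"].items():
        field, _, mod = key.partition("|")        # e.g. "Image|endswith"
        var = field.lower()
        pattern = f"  ?event ex:{var} ?{var} ."
        if pattern not in patterns:               # one triple pattern per log field
            patterns.append(pattern)
        vals = values if isinstance(values, list) else [values]
        # a list of values for one field is an OR in Sigma; separate keys are ANDed
        filters.append("  FILTER(" + " || ".join(
            MODIFIERS[mod].format(v=var, val=_lit(v)) for v in vals) + ")")
    links = "".join(f"  ?alert ex:indicates attack:{t} .\n"
                    for t in techniques_from_tags(rule.get("tags", [])))
    return (PREFIXES + "CONSTRUCT {\n"
            + f'  ?alert a ex:Alert ; ex:rule "{rule["id"]}" ; ex:triggeredBy ?event .\n'
            + links + "}\nWHERE {\n" + "\n".join(patterns + filters) + "\n"
            + f'  BIND(IRI(CONCAT(STR(?event), "/alert/{rule["id"]}")) AS ?alert)\n}}\n')

RULE = {  # constructed rule in Sigma layout, modelled on the /tmp/vUgefal alert above
    "id": "tmp-exec-001",
    "tags": ["attack.execution", "attack.t1204.002"],
    "detection": {"selection": {"Image|startswith": "/tmp/",
                                "ParentImage|endswith": ["/bash", "/sh"]}},
}
```

Running `sigma_to_sparql(RULE)` yields a CONSTRUCT query whose results (alert, event and `ex:indicates attack:T1204.002` triples) can be loaded next to the ATT&CK graph so the alert is traversable to its tactic, mitigations and CAPEC patterns.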

The constructed ATT&CK knowledge graph makes it possible to explore and integrate additional information from the cybersecurity knowledge graph (e.g. via SPARQL query federation), such as attack tactics, mitigations, adversary groups, and attack patterns (CAPEC).

Tags:

MITRE ATT&CK Sigma Rule semantics Attack Construction