In the past few articles, we discussed how mapping ATT&CK techniques to CVEs can help vulnerability management teams disrupt the sequences of techniques attackers use. Today, we take a step back to look at how such sequences can be generated in the first place.
At CYR3CON, we conducted a pilot in which we analyzed over 700 security reports, each describing one or more adversarial techniques, and associated each report with the corresponding techniques. Then, using information about the techniques, such as the MITRE ATT&CK tactics they belong to, the computing platform, and the required privileges, we built a directed graph in which two ATT&CK techniques are linked by an arrow when the use of one was reported to precede the other. A subset of the resulting graph is shown in the figure below.
Visual depiction of some of the MITRE ATT&CK techniques mined from over 700 reports. Directional relationships are drawn between two techniques described in the same report.
With this type of information, we can now do a few things:
- If ATT&CK techniques are observed by the SOC, or are available to an attacker because of an unmitigated vulnerability, the relationships in the visualization above can be instantiated for that situation, representing what attackers have previously had available to them.
- Once instantiated for a specific situation, the representation can easily be “unrolled” to produce a list of possible sequences an attacker could use. These, in turn, can be analyzed by automated means for disruption.
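As an added illustration (not CYR3CON's code or data), the following Python sketch models the pipeline described above: consecutive technique mentions in a report become directed edges (with a count of how many reports support each edge), the graph is instantiated to the set of techniques the SOC has observed or that an unmitigated vulnerability leaves available, and the instantiated subgraph is unrolled into candidate sequences. The report contents, the tactic labels and the "available" set are all constructed for the example; the technique IDs are real ATT&CK identifiers, but the order in which they appear here is illustrative only.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample "reports" (not mined from real reports): each entry lists
# the ATT&CK technique IDs in the order the report described their use.
REPORTS: List[List[str]] = [
    ["T1566", "T1204", "T1059", "T1003", "T1021"],
    ["T1566", "T1204", "T1059", "T1068", "T1003"],
    ["T1190", "T1059", "T1105", "T1021"],
    ["T1190", "T1068", "T1003", "T1021"],
    ["T1078", "T1021", "T1059"],
]

# Simplified per-technique metadata (assumed for this example): the tactic each
# technique is filed under. Real ATT&CK entries carry platform, privilege and
# other fields that would be attached here in the same way.
TACTIC: Dict[str, str] = {
    "T1566": "initial-access",
    "T1190": "initial-access",
    "T1078": "initial-access",
    "T1204": "execution",
    "T1059": "execution",
    "T1068": "privilege-escalation",
    "T1105": "command-and-control",
    "T1003": "credential-access",
    "T1021": "lateral-movement",
}

Edge = Tuple[str, str]


def build_graph(reports: Iterable[List[str]]) -> Dict[Edge, int]:
    """Directed edge a->b whenever a report described technique a being used
    immediately before technique b. The value is the number of reports that
    support the edge, a crude measure of how often the pairing is seen."""
    edges: Dict[Edge, int] = defaultdict(int)
    for seq in reports:
        for a, b in zip(seq, seq[1:]):
            if a != b:
                edges[(a, b)] += 1
    return dict(edges)


def instantiate(edges: Dict[Edge, int], available: Set[str]) -> Dict[str, List[str]]:
    """Restrict the graph to techniques that are available in the situation at
    hand (observed by the SOC, or reachable via an unmitigated vulnerability).
    Returns an adjacency list; successors are sorted for deterministic output."""
    succ: Dict[str, List[str]] = defaultdict(list)
    for (a, b), _count in sorted(edges.items()):
        if a in available and b in available:
            succ[a].append(b)
    return dict(succ)


def unroll(succ: Dict[str, List[str]], starts: Set[str], max_len: int = 6) -> List[List[str]]:
    """Enumerate simple paths (no technique repeated) from each start technique,
    stopping at a dead end or at max_len techniques. The seen-set guards against
    cycles such as lateral movement leading back to execution."""
    paths: List[List[str]] = []

    def dfs(path: List[str], seen: Set[str]) -> None:
        nxt = [b for b in succ.get(path[-1], []) if b not in seen]
        if not nxt or len(path) >= max_len:
            paths.append(list(path))
            return
        for b in nxt:
            dfs(path + [b], seen | {b})

    for s in sorted(starts):
        dfs([s], {s})
    return paths


def tactic_chain(path: List[str]) -> List[str]:
    """Label a technique sequence with its tactics for a human-readable view."""
    return [TACTIC.get(t, "unknown") for t in path]


if __name__ == "__main__":
    graph = build_graph(REPORTS)
    # Constructed situation: the SOC saw phishing and user execution, and an
    # unmitigated vulnerability leaves privilege escalation (and what follows
    # it in the reports) available. Techniques outside this set are excluded.
    available = {"T1566", "T1204", "T1059", "T1068", "T1003", "T1021"}
    sub = instantiate(graph, available)
    for p in unroll(sub, {"T1566"}):
        print(" -> ".join(p))
        print("   ", " -> ".join(tactic_chain(p)))
```

Each unrolled path is a candidate sequence to hand to the disruption step; the per-edge counts in `build_graph` are kept so that a later stage can prioritise sequences by how often the transitions have actually been reported.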
In our next post, we will look at how such sequences of events can be disrupted.