Industry-standard frameworks are now widespread for labeling the high-level stages and granular actions of attacker and defender behavior in cyberspace. While these labels are applied to atomic actions, and to some extent to sequences of actions, there remains a need for labeled data from realistic full-scale attacks. Such data is valuable for better understanding human actors' decisions, behaviors, and individual attributes, and its analysis could lead to more effective attribution and disruption of attackers. We present a methodological approach and an exploratory case study for systematically analyzing human behavior during a cyber offense/defense capture-the-flag (CTF) game. We describe the data collection and analysis used to derive a metric called keystroke accuracy. After collecting players' commands, we label them according to the MITRE ATT&CK framework using a new tool called Pathfinder. We present results from a preliminary analysis of participants' keystroke accuracy and its relation to score outcome in CTF games. We describe the frequency of action classifications within the MITRE ATT&CK framework and discuss some of the mathematical trends suggested by our observations. We conclude with a discussion of extensions to the methodology, including performance evaluation during games and the potential use of this methodology for training artificial intelligence.