The landscape of cyber threats grows more complex by the day. Advanced Persistent Threats carry out systematic attack campaigns against which cybersecurity practitioners must defend; examples of such organized attacks are Operation Dream Job, Operation Wocao, WannaCry and the SolarWinds Compromise. To evaluate which risks are most threatening, and which campaigns to prioritize when defending, cybersecurity experts must be equipped with the right toolbox. In particular, they must be able to (a) obtain likelihood values for each attack campaign recorded in the wild and (b) reliably and transparently operationalize these values to carry out quantitative comparisons among campaigns. This allows security experts to perform quantitatively informed decision making that is transparent and accountable. In this paper we construct such a framework by (1) quantifying the likelihood of attack campaigns via data-driven procedures on the MITRE knowledge base and (2) introducing a methodology for automatic modelling of MITRE intelligence data, which is complete in the sense that it captures any attack campaign via template attack tree models. (3) We further propose a computational framework to carry out these comparisons based on the cATM formal logic, and implement it in an open-source Python tool. Finally, we validate our approach by quantifying the likelihood of all MITRE campaigns, and by comparing the likelihood of the Wocao and Dream Job MITRE campaigns -- generated with our proposed approach -- against "ad hoc", traditionally built attack tree models, demonstrating that our methodology requires substantially less modelling effort while still capturing all the relevant quantitative data.
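As an added illustration of the two building blocks the abstract names (a data-driven likelihood per technique, and a template attack tree per campaign that those likelihoods are propagated through so campaigns can be ranked), the following Python is example code written for this page, not the paper's tool or its cATM semantics. Everything in it is an assumption for illustration: the tree template (root AND over tactic phases, each phase OR over the techniques observed in it), the independence arithmetic behind the AND/OR gates, the relative-frequency estimate of leaf likelihoods, and the constructed campaign data; the technique IDs are real ATT&CK identifiers but the campaigns are invented.

```python
"""Added example (not from the paper): rank constructed campaigns by
propagating per-technique likelihoods through a template attack tree."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union


@dataclass
class Leaf:
    """A single technique with an estimated likelihood in [0, 1]."""
    name: str
    p: float


@dataclass
class Gate:
    """AND: every child must succeed; OR: at least one child must succeed."""
    name: str
    kind: str                 # "AND" or "OR"
    children: List["Node"]


Node = Union[Leaf, Gate]
# campaign name -> tactic phase -> techniques observed in that phase
Campaigns = Dict[str, Dict[str, List[str]]]


def technique_likelihoods(campaigns: Campaigns) -> Dict[str, float]:
    """Assumed data-driven leaf estimate: the fraction of recorded campaigns
    that used each technique (a stand-in for the paper's procedure)."""
    used: Dict[str, Set[str]] = {}
    for cname, phases in campaigns.items():
        for techs in phases.values():
            for t in techs:
                used.setdefault(t, set()).add(cname)
    return {t: len(c) / len(campaigns) for t, c in used.items()}


def template_tree(name: str, phases: Dict[str, List[str]],
                  leaf_p: Dict[str, float]) -> Gate:
    """Assumed template: the campaign succeeds only if every phase succeeds,
    and a phase succeeds if any of its observed techniques succeeds."""
    return Gate(name, "AND", [
        Gate(phase, "OR", [Leaf(t, leaf_p[t]) for t in techs])
        for phase, techs in phases.items()
    ])


def likelihood(node: Node) -> float:
    """Propagate likelihoods bottom-up, treating children as independent."""
    if isinstance(node, Leaf):
        return node.p
    ps = [likelihood(c) for c in node.children]
    if node.kind == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if node.kind == "OR":
        none_succeed = 1.0
        for p in ps:
            none_succeed *= 1.0 - p
        return 1.0 - none_succeed
    raise ValueError(f"unknown gate kind {node.kind!r}")


def rank_campaigns(campaigns: Campaigns) -> List[Tuple[str, float]]:
    """Build one template tree per campaign and sort by likelihood, highest
    first (ties keep input order, so the result is deterministic)."""
    leaf_p = technique_likelihoods(campaigns)
    scored = [(name, likelihood(template_tree(name, phases, leaf_p)))
              for name, phases in campaigns.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)


# Constructed sample data for the example; not real MITRE campaign records.
CAMPAIGNS: Campaigns = {
    "campaign-A": {"initial-access": ["T1566", "T1190"], "execution": ["T1204"]},
    "campaign-B": {"initial-access": ["T1566"], "execution": ["T1059"]},
    "campaign-C": {"initial-access": ["T1190"], "execution": ["T1059", "T1204"]},
    "campaign-D": {"initial-access": ["T1566"], "execution": ["T1059"]},
}

if __name__ == "__main__":
    for name, p in rank_campaigns(CAMPAIGNS):
        print(f"{name}: {p:.4f}")
```

With the sample data, T1566 and T1059 each appear in three of the four campaigns (leaf likelihood 0.75) and T1190 and T1204 in two (0.5), so campaigns B and D score 0.75 × 0.75 = 0.5625 and outrank A and C, whose OR-phase of 0.875 is multiplied by a 0.5 phase. The point of the template is the one the abstract makes: once the leaf estimates come from the knowledge base, no per-campaign hand modelling is needed to obtain a comparable number.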