Predicting and Visualizing Lateral Movements Based on ATT&CK and Quantification Theory Type 3

Satoshi Okada, Yosuke Katano, Yukihiro Kozai, Takuho Mitsunaga
Copyright: © 2024 | Pages: 14
DOI: 10.4018/JCIT.340722

Abstract

When a cyber incident occurs, organizations need to identify the attack's impact. They have to investigate devices that are potentially infected as well as those that are certainly infected. However, as an organization's network expands, it becomes difficult to investigate every device. In addition, the cybersecurity workforce shortage has worsened, so organizations need to respond to incidents efficiently with limited human resources. To address this problem, this paper proposes a tool to assist an incident response team. It visualizes the ATT&CK techniques the attacker used and, furthermore, detects lateral movements efficiently. The tool consists of two parts: a web application that extracts ATT&CK techniques from logs and a lateral movement detection system. The web application was implemented and could map logs collected from an actual Windows device to the ATT&CK matrix. Furthermore, actual lateral movements were performed in an experimental environment that imitated an organizational network, and the proposed detection system could detect them.
Article Preview

Introduction

The number of cyberattacks continues to increase in the United States. The Internet Crime Complaint Center (IC3), managed by the FBI, serves as a central hub for reporting cybercrime and accepts reports from anyone who believes they have been a victim of internet crime, including individuals, businesses, and other organizations. It reported that members of the American public filed 847,376 complaints about cyberattacks in 2021, regardless of their organizational affiliation and the type of cyberattack, approximately 2.8 times the number filed five years earlier (Internet Crime Complaint Center, 2022). In addition, cyberattack techniques are becoming more sophisticated. Therefore, it has become challenging to prevent all cyberattacks completely. Given this trend, it is very important to detect cyberattacks quickly and take countermeasures to minimize the damage. (Prompt detection and countermeasures are termed "incident response".)

When it is clear that a cyber incident has occurred in an organization, the incident response team has to conduct an initial analysis to confirm the extent of the incident. This includes determining which networks, systems, or applications are affected, what the source of the incident is, and how the incident is being carried out (e.g., the attack techniques and tools being used and the vulnerabilities being exploited; Scarfone et al., 2008). However, it is inefficient and often impossible for the team to analyze all devices, systems, and services in the organization, because organizations' internal networks are becoming larger and more complex. Furthermore, it has also been pointed out that the cybersecurity industry now faces a critical shortage of skilled workers. This means that incident response teams are forced to conduct incident response efficiently with limited human resources.

Our Contribution

In order to solve the above problems, this paper proposes an automation tool to help organizations' incident response teams conduct incident response more efficiently. The proposed tool consists of two parts. The first is a web application that extracts ATT&CK techniques from Sysmon log data. It can also visualize the ATT&CK techniques the attacker used by mapping them onto the ATT&CK matrix. The second part is an automatic lateral movement detection system based on similarity scores between the initially compromised devices and other devices. The scores are calculated by applying quantification theory type 3 to the extracted techniques.

We implemented a web application to realize our proposed method. We also prepared an experimental environment simulating an organizational network, simulated actual attacks, and confirmed that mapping Sysmon logs obtained from Windows terminals to ATT&CK enabled us to visualize attackers' movements. In addition, we confirmed the usefulness of a method for finding undetected infected terminals by quantifying the similarity of their ATT&CK techniques. The main contributions of this paper are summarized as follows:

  • Proposal of a method to automatically extract ATT&CK Techniques from collected Sysmon logs.

  • Proposal of a method to efficiently find which devices have been infected by lateral movement, based on their similarity to the initially infected devices, using quantification theory type 3.

  • Development of a web application to realize the proposed methods and confirm their effectiveness.
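As an added illustration (not the paper's own code), the similarity step described above can be worked through on a constructed device-by-technique matrix: quantification theory type 3 scores the devices, and the Euclidean distance to the initially compromised device ranks the others by how similar their extracted technique sets are. The device names, the technique columns and the matrix are assumed sample values, and the paper's own score scaling may differ.

```python
import math

# Constructed sample data (not from the paper): 1 = technique extracted from that
# device's Sysmon logs. Columns: T1059.001, T1021.002, T1003.001, T1047, T1053.005, T1105.
DEVICES = ["PC-A", "PC-B", "PC-C", "PC-D", "PC-E"]
X = [
    [1, 1, 1, 1, 0, 0],  # PC-A: initially compromised device
    [1, 1, 1, 0, 0, 0],  # PC-B: shares most techniques with PC-A
    [0, 1, 0, 1, 0, 0],  # PC-C
    [0, 0, 0, 0, 1, 1],  # PC-D: only scheduled task and tool download
    [0, 0, 0, 0, 1, 1],  # PC-E
]


def qt3_scores(X, dims=2, iters=300):
    """Device scores of quantification theory type 3 (Hayashi's method III).

    Eigenvectors of A A^T, A = D_r^-1/2 X D_c^-1/2, via power iteration with
    deflation of the trivial solution and of components already found. Returns
    principal coordinates (scaled by singular value and row mass) and eigenvalues.
    Rows or columns whose total is zero must be dropped beforehand."""
    n, m = len(X), len(X[0])
    r = [sum(row) for row in X]
    c = [sum(X[i][j] for i in range(n)) for j in range(m)]
    N = sum(r)
    A = [[X[i][j] / math.sqrt(r[i] * c[j]) for j in range(m)] for i in range(n)]
    B = [[sum(A[i][k] * A[l][k] for k in range(m)) for l in range(n)] for i in range(n)]
    found = [[math.sqrt(r[i] / N) for i in range(n)]]  # trivial eigenvector, eigenvalue 1
    eigvals = []
    for _ in range(dims):
        v = [1.0 / (i + 1) for i in range(n)]  # fixed start vector, reproducible runs
        for _ in range(iters):
            for u in found:  # Gram-Schmidt: remove components already found
                d = sum(v[i] * u[i] for i in range(n))
                v = [v[i] - d * u[i] for i in range(n)]
            w = [sum(B[i][l] * v[l] for l in range(n)) for i in range(n)]
            lam = math.sqrt(sum(x * x for x in w))  # ||B v|| -> eigenvalue at convergence
            v = [x / lam for x in w] if lam > 0 else v
        eigvals.append(lam)
        found.append(v)
    scores = [[math.sqrt(eigvals[k] * N / r[i]) * found[k + 1][i] for k in range(dims)]
              for i in range(n)]
    return scores, eigvals


def rank_by_similarity(scores, initial):
    """Devices ordered by Euclidean distance to the initially compromised device."""
    base = scores[initial]
    return sorted(zip(DEVICES, (math.dist(base, s) for s in scores)), key=lambda t: t[1])
```

Calling `rank_by_similarity(*qt3_scores(X)[:1], DEVICES.index("PC-A"))` lists PC-B first after PC-A itself, while PC-D and PC-E, which share no technique with PC-A, come last; an analyst would triage the closest devices first.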
