Abstract
As the sophistication and frequency of cyberattacks continue to rise, it is increasingly crucial for organizations to invest in threat intelligence. In this research, we propose a way to automate part of the threat intelligence process by leveraging the MITRE ATT&CK knowledge base of adversary behaviour to correlate attackers and attribute them to a specific threat group. We propose a proof-of-work algorithm that does not aim to completely replace network administrators, but rather helps them by giving guidance that expedites the attribution process. We show how this algorithm can be used to gain insights into attackers by applying it to real-world data gathered over a two-month period from a honeypot made publicly available on the Internet. We first demonstrate how we discover the different techniques used by the attackers. Then, we identify the various modi operandi of different threat groups collected from the MITRE ATT&CK framework and leverage that information to expose the behaviour of the attackers targeting our honeypot. By correlating the attackers with one another, we manage to reconstruct more complex attack vectors and are finally able to find higher similarities between the observed attackers and the knowledge base.
This research was supported by Thales Research and Technology (TRT) Canada.
© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Crochelet, P., Neal, C., Boulahia Cuppens, N., Cuppens, F., Proulx, A. (2024). Automated Attacker Behaviour Classification Using Threat Intelligence Insights. In: Mosbah, M., Sèdes, F., Tawbi, N., Ahmed, T., Boulahia-Cuppens, N., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2023. Lecture Notes in Computer Science, vol 14551. Springer, Cham. https://doi.org/10.1007/978-3-031-57537-2_18
DOI: https://doi.org/10.1007/978-3-031-57537-2_18
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-57536-5
Online ISBN: 978-3-031-57537-2
eBook Packages: Computer Science, Computer Science (R0)