Automated Attacker Behaviour Classification Using Threat Intelligence Insights


Research area: Safety



Conference: International Symposium on Foundations and Practice of Security


Abstract

As the sophistication and occurrence of cyberattacks continue to rise, it is increasingly crucial for organizations to invest in threat intelligence. In this research, we propose a way to automate part of the threat intelligence process by leveraging the MITRE ATT&CK knowledge base of attackers to correlate and attribute attackers to a specific threat group. We propose a proof of work algorithm that does not aim to completely replace network administrators, but rather helps them by giving guidance to expedite the attribution process. We show how this algorithm can be used to give insights on attackers by applying it to real-world data gathered over a two-month period from a honeypot made publicly available on the Internet. We demonstrate how we are first able to discover the different techniques used by the attackers. Then, we identify the various modi operandi of different threat groups collected from the MITRE ATT&CK framework and leverage that information to expose the behaviour of attackers targeting our honeypot. By correlating the attackers with one another, we manage to reconstruct more complex attack vectors and are finally able to find higher similarities between the observed attackers and the knowledge base.


Authors

Pierre Crochelet, Polytechnique Montreal, Montreal, Canada
Christopher Neal, Polytechnique Montreal, Montreal, Canada
Nora Boulahia Cuppens, IRT SystemX, Palaiseau, France

Paper information

Publication year: 2024
Citations: 0
Countries of publication: France, Canada
Site: Springer
