
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

From MITRE ATT&CKcon Power Hour January 2021

By Valentine Mairet, Security Researcher, McAfee

The MITRE ATT&CK framework is the industry standard for dissecting cyberattacks into the techniques used. At McAfee, all attack information is broken down into different categories, including ATT&CK techniques. What results from this exercise is an extensive repository of techniques used in cyberattacks that goes back many years. Much can be learned from looking at historical attack data, but how can we piece all this information together to identify new relationships between threats and attacks? In her recent efforts, Valentine has embraced analyzing ATT&CK data in graph representations. One lesson learned is that the value lies not merely in mapping attacks and the techniques they use into graphs, but in applying different algorithms to answer specific questions. In this presentation, Valentine will showcase the results and techniques obtained from her research journey using graphs and graph algorithms.


  1. Building Graphs for Threat Intelligence: ATT&CKers Think in Graphs. Valentine Mairet & Samantha Gottlieb
  2. Who: McAfee ATR. At McAfee Advanced Threat Research (McAfee ATR), our goal is to identify and illuminate a broad spectrum of threats in today's complex landscape. Valentine: McAfee ATR since May 2020; Red Team and Blue Team; WICCA; interests: writing, cats, D&D; Twitter: @vm00z
  3. Threat Intelligence: a tale of MISP triage. Cyber threats and attack data are analyzed and dissected into: ▪ MITRE ATT&CK techniques ▪ Target country information ▪ Threat actor ▪ Sector ▪ Tools used ▪ etc.
  4. Research Goal: questions and challenges • How can we connect all this information? • Can we quickly visualize connections between events? • Can we identify patterns between threats and attacks? • Can we identify trends in the data? • What are we missing?
  5. Graphs
  6. Based on our data… Frequency • Which techniques are observed most often? • Which actors are the most active? Popularity • Which techniques are the most common across actors? Patterns • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
  7. Different Graphs for Different Questions. Initial Representation • Dense, highly connected graph • Sparse sector and country data, offers little differentiation. Event-centric Representation • Useful for questions about frequency. Actor-centric Representation • Useful for questions about actor behavioral patterns
  8. Event-centric Graph
  9. Actor-centric Graph
  10. Which techniques are observed most often? Event-centric graph + degree analysis
  11. Which techniques are the most common across actors? Actor-centric graph + centrality algorithms
  12. Can we identify groups of actors using the same techniques? Actor-centric graph + community detection algorithms. Important to try various algorithms
  13. Based on our data… Frequency • Which techniques are observed most often? • Which actors are the most active? Popularity • Which techniques are the most common across actors? Patterns • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
  14. Add in Kill Chain Information
  15. Are actors using techniques in the same way?
  16. Remaining Issues: data representation • MISP's granularity level might not be good enough if we're only using MITRE metadata to differentiate threat actors • MISP allows us to associate MITRE techniques with an event, but not to specify which kill chain step the technique was used for in the context of the event • Overall, recorded threat actors seem to be using the same techniques • Desired mapping: (actor) - [uses] -> (technique:step)
  17. Conclusion: building graphs the right* way… • Helps us visualize data instantly • Helps us make sense of the data we see • Helps us connect cyber threats and attacks • Can do much more…
  18. Conclusion: a few questions that remain • How can we add more granularity? • Is the data we receive complete enough? • Are there additional data sources to incorporate?
  19. Thank you. Any questions?
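As an added example (not code from the talk, McAfee, or MISP), the three graph questions above worked on a constructed set of MISP-style triage records with hypothetical actor names: technique degree on the event-centric graph answers "observed most often", the same degree on the actor-centric graph answers "most common across actors", and a Jaccard-threshold grouping of actors stands in for the community detection algorithms the slides mention without naming.

```python
from collections import defaultdict
from itertools import combinations

# Constructed MISP-style triage records (hypothetical actors, events and techniques).
EVENTS = [
    {"event": "E1", "actor": "ActorA", "techniques": ["T1566", "T1059", "T1071"]},
    {"event": "E2", "actor": "ActorA", "techniques": ["T1566", "T1059"]},
    {"event": "E3", "actor": "ActorB", "techniques": ["T1566", "T1059", "T1071"]},
    {"event": "E4", "actor": "ActorC", "techniques": ["T1190", "T1505"]},
    {"event": "E5", "actor": "ActorC", "techniques": ["T1190", "T1059"]},
    {"event": "E6", "actor": "ActorD", "techniques": ["T1190", "T1505"]},
]

def build_graph(events, node_key):
    """(node)-[uses]->(technique); node_key "event" or "actor" picks the representation."""
    adj = defaultdict(set)
    for e in events:
        adj[e[node_key]].update(e["techniques"])
    return dict(adj)

def technique_degree(graph):
    """Technique degree: events it appears in (event-centric) or actors using it (actor-centric)."""
    degree = defaultdict(int)
    for techs in graph.values():
        for t in techs:
            degree[t] += 1
    return dict(degree)

def actor_communities(actor_graph, threshold=0.5):
    """Community detection: link actors whose technique sets have Jaccard >= threshold."""
    actors = sorted(actor_graph)
    links = defaultdict(set)
    for a, b in combinations(actors, 2):
        sa, sb = actor_graph[a], actor_graph[b]
        if len(sa & sb) / len(sa | sb) >= threshold:
            links[a].add(b)
            links[b].add(a)
    seen, communities = set(), []
    for a in actors:  # depth-first walk over the actor projection
        if a in seen:
            continue
        stack, comp = [a], set()
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(links[n])
        seen |= comp
        communities.append(frozenset(comp))
    return communities
```

On this constructed data T1059 tops both graphs, while ActorA/ActorB and ActorC/ActorD fall into two communities that no single-event view would reveal.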
