A process mining-based method for attacker profiling using the MITRE ATT&CK taxonomy

Cybersecurity intelligence involves gathering and analyzing data to understand cyber adversaries’ capabilities, intentions, and behaviors to establish adequate security measures. The MITRE ATT&CK framework is valuable for gaining insight into cyber threats since it details attacker tactics,...

Full description

Bibliographic Details
Authors: Rodríguez, Marcelo, Betarte, Gustavo, Calegari, Daniel
Format: article
Status:Published version
Publication Date:2024
Country:Brasil
Institution:Sociedade Brasileira de Computação (SBC)
Repository:Journal of internet services and applications (Internet)
Language:English
OAI Identifier:oai:journals-sol.sbc.org.br:article/3902
Online Access:https://journals-sol.sbc.org.br/index.php/jisa/article/view/3902
Access Level:Open access
Keyword:Cybersecurity, process mining, attacker behavior, threat intelligence, MITRE ATT&CK Framework
Description
Summary:Cybersecurity intelligence involves gathering and analyzing data to understand cyber adversaries’ capabilities, intentions, and behaviors to establish adequate security measures. The MITRE ATT&CK framework is valuable for gaining insight into cyber threats since it details attacker tactics, techniques, and procedures. However, to fully understand an attacker’s behavior, it is necessary to connect individual tactics. In this context, Process Mining (PM) can be used to analyze runtime events from information systems, thereby discovering causal relations between those events. This article presents a novel approach combining Process Mining with the MITRE ATT&CK framework to discover process models of different attack strategies. Our approach involves mapping low-level system events to corresponding event labels from the MITRE ATT&CK taxonomy, increasing the abstraction level for attacker profiling. We demonstrate the effectiveness of our approach using real datasets of human and automated (malware) behavior. This exploration helps to develop more efficient and adaptable security strategies to combat current cyber threats and provides valuable guidelines for future research.