Research and Application of Ontology for ATT&CK in Cyber Security

The topic "Research and Application of Ontology for ATT&CK in Cyber Security" was formed with the main purpose of creating a comprehensive understanding of threats and attack tactics in Cyber Security. The key point of this project is the development of Ontology, a conceptual system, to model ATT&CK and create a common and organized information structure about attack models. We have referenced the idea from the paper "The Design of an Ontology for ATT&CK and its Application to Cybersecurity" [1].

This topic is the capstone project that has been taken by IAP491_G6 team in the semester Fall 2023 at FPT Hanoi University. The team members include Do Xuan Thien (HE160083, team leader), Bui Van An (HE150476), Nguyen Duc Viet (HE151351), Pham Huy Nhat (HE150227) and Hoang Huy Thuan (HE150665) under the supervision of Hoang Manh Duc (duchm29@fe.edu.vn).

The Milestone Plan Chart and Gantt Chart of The Capstone Project

 Why ATT&CK?

Attack Attribution

After the extent of the cyberattack has been assessed and evidence collected and preserved, incident response can move to identifying the source of the attack. As we know, a wide range of threat actors exist, ranging from disgruntled individuals, hackers, cybercriminals and criminal gangs, or nation states. Some criminals act from inside the network, while others can be on the other side of world. Sophistication of cybercrime varies as well. Nation states may employ large groups of highly-trained individuals to carry out an attack and hide their tracks, while other threat actors may openly brag about their criminal activities.

Threat attribution refers to the act of determining the individual, organization, or nation responsible for a successful intrusion or attack incident.

Identifying responsible threat actors should occur through the principled and systematic investigation of the evidence. While it may be useful to also speculate as to the identity of threat actors by identifying potential motivations for an incident, it is important not to let this bias the investigation. For example, attributing an attack to a commercial competitor may lead the investigation away from the possibility that a criminal gang or nation state was responsible.

In an evidence-based investigation, the incident response team correlates Tactics, Techniques, and Procedures (TTP) that were used in the incident with other known exploits. Cybercriminals, much like other criminals, have specific traits that are common to most of their crimes. Threat intelligence sources can help to map the TTP identified by an investigation to known sources of similar attacks. However, this highlights a problem with threat attribution. Evidence of cybercrime is seldom direct evidence. Identifying commonalities between TTPs for known and unknown threat actors is circumstantial evidence.

Some aspects of a threat that can aid in attribution are the location of originating hosts or domains, features of the code used in malware, the tools used, and other techniques. Sometimes, at the national security level, threats cannot be openly attributed because doing so would expose methods and capabilities that need to be protected.

For internal threats, asset management plays a major role. Uncovering the devices from which an attack was launched can lead directly to the threat actor. IP addresses, MAC addresses, and DHCP logs can help track the addresses used in the attack back to a specific device. AAA logs are very useful in this regard, as they track who accessed what network resources at what time [2].

The MITRE ATT&CK Framework

One way to attribute an attack is to model threat actor behavior. The MITRE Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) Framework enables the ability to detect attacker tactics, techniques, and procedures (TTP) as part of threat defense and attack attribution. This is done by mapping the steps in an attack to a matrix of generalized tactics and describing the techniques that are used in each tactic. Tactics consist of the technical goals that an attacker must accomplish in order to execute an attack and techniques are the means by which the tactics are accomplished. Finally, procedures are the specific actions taken by threat actors in the techniques that have been identified. Procedures are the documented real-world use of techniques by threat actors.

MITRE ATT&CK® is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. The ATT&CK knowledge base is used as a foundation for the development of specific threat models and methodologies in the private sector, in government, and in the cybersecurity product and service community.

With the creation of ATT&CK, MITRE is fulfilling its mission to solve problems for a safer world — by bringing communities together to develop more effective cybersecurity. ATT&CK is open and available to any person or organization for use at no charge [3].

D3FEND

D3FEND establishes a fine-grained semantic model of countermeasures, their properties, relationships, and history of development. Provide a Cyber Security framework, focusing on bolstering Detection, Denial, and Disruption strategies for Network Defense. Its primary objective is to address vulnerabilities within an organization’s security infrastructure, ranging from fundamental system enhancements to advanced detection methodologies. Developed by the MITRE Corporation, the D3FEND Matrix provides a systematic approach to understanding and implementing defensive measures against cyber threats. This framework complements the well-established MITRE ATT&CK framework, which outlines adversarial TTPs. Together, these frameworks offer a comprehensive and cohesive strategy for organizations to fortify their Cyber Security defenses and respond effectively to a diverse range of cyber threats [4].

CVE, CWE and CAPEC

CVE stands for Common Vulnerabilities and Exposures, which is a list of publicly disclosed weaknesses. Each of them is assigned an unique ID. CVE is managed and updated by MITRE corporation and sponsored by the Cybersecurity and Infrastructure Security Agency (CISA). Each CVE contains information such as its ID, vulnerability description and miscellaneous metadata. To prevent mass exploitation and security instability, its status is withheld from the general public until a fix is found or a security update is published [5].

Common Weakness Enumeration, often referred as CWE, is a openly contributed list of popular weaknesses concerning the security aspect of technology. A “weakness”, as described in the CWE site is “a condition in a software, firmware, hardware or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities” [6].

Common Attack Pattern Enumeration and Classification, abbreviated as CAPEC, is a public catalog of hardware or software adjacent exploit patterns that helps users understand how weaknesses are targeted and attacked. An attack pattern includes frequent, recurring details and approaches utilized by threat actors to exploit vulnerabilities. These attributes help categorizing and systemizing on how to solve the adversaries they might face. Attack patterns are created by applying tried-and-true software design patterns for a negative intention opposed to its original constructive purpose [7].

Develop An Ontology for ATT&CK

Protégé 

Protégé version 5.6.3, a free and open-source ontology editor and framework, plays a pivotal role in the research and deployment of ontologies related to ATT&CK, a key framework in the field of Cyber security. Designed as a user-friendly and flexible environment, Protégé facilitates the development of coherent and structured ontologies, offering invaluable support to researchers and developers. In this project, Protégé serves as a robust tool for crafting a comprehensive ontology of ATT&CK, enabling a nuanced understanding of the intricate relationships between various elements such as techniques, attack strategies, and other Cyber Security components. The versatility of Protégé is evident in its support for popular Ontology languages, including OWL, RDF, and XML. This flexibility empowers the project to harness the expressive power of these languages for describing and organizing knowledge pertaining to ATT&CK and its associated concepts [8].

Constructing Ontology 

In constructing the ontology, our team will follow the 7-step process outlined by the research team at Stanford University [9].

• Step 1: Define the Scope and Purpose of the Ontology.

• Step 2: Review and Reuse Existing Ontologies.

• Step 3: List Key Terms in the Ontology.

• Step 4: Identify Classes and Class Hierarchies.

• Step 5: Determine Class Attributes.

• Step 6: Define Attribute Constraints.

• Step 7: Create Instances/Entities.

Offensive techniques from ATT&CK by CVE IDs search page 

In the current landscape of modern information security, where network threats are becoming increasingly sophisticated and diverse, the essential need for comprehension of attack techniques and the ability to exploit security vulnerabilities has arisen. Therefore, we introduce to you a website that utilizes ontology for its search functionality, serving not only as an information source but also as a crucial tool for delving into the intricacies of how attack techniques can exploit specific CVE vulnerabilities. 

The main goal of this web application is to focus on researching and analyzing attack techniques identified in the ATT&CK framework, as well as incorporate the use of ontology into real-life scenarios to contrive a complete view and deep understanding. 

 References

[1] Khandakar Ashrafi Akbar, Sadaf Md Halim, Anoop Singhal, Basel Abdeen, Latifur Khan, Bhavani Thuraisingham. The Design of an Ontology for ATT&CK and its Application to Cybersecurity, 24 April 2023. https://doi.org/10.1145/3577923.3585051

[2] Cisco Academy, CyberOps Associate Curriculum, https://netacad.com

[3] MITRE ATT&CK, https://attack.mitre.org/

[4] MITRE (2023), D3FEND Matrix, https://d3fend.mitre.org

[5] Red Hat (2021, November 25), What is a CVE?, https://www.redhat.com/en/topics/security/what-is-cve

[6] MITRE (2023, June 6), About CWE - Common Weakness Enumeration, https://cwe.mitre.org/about/

[7] MITRE (2019, April 4), About CAPEC™, https://capec.mitre.org/about/index.html

[8] Musen, M. A (2015, June),The Protégé project: A look back and a look forward, https://doi.org/110.1145/2557001.25757003

[9] Noy, N. F., & McGuinness, D. L. (2001). Ontology development 101: A guide to creating your first ontology. https://Protege.stanford.edu/publications/ontology_development/ontology101.pdf