MITRE open CTI contribution to cyber situational awareness
A cyber-attack is executed through a series of steps to compromise the security of a target's cyber assets. Due to the ever-increasing reliance on computer and network systems to implement critical government and commercial operations, cyber-attacks have become significant threats with potentially severe consequences. Within existing research there is a constant and still outstanding problem: the lack of openly available data with which to test attack detection algorithms. This is particularly true of data describing real attacks in terms of the sequencing (the series of steps) of the Tactics and Techniques employed. Such sequences give analysts specific information about attacker behaviour over and above a plain list of the techniques used. MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a knowledge base that includes descriptions of over 100 significant APTs and the Tactics, Techniques, Tools, and Procedures (TTPs) that they use. It does not, however, include any knowledge about the sequencing of specific attacks. This thesis proposes a way to address this lack of attack sequence intelligence and so increase the contribution it can make to cyber situational awareness. It presents a model that can be used to record data representing a sequence of MITRE ATT&CK TTPs (an ordered set of Tactics and Techniques) observed during attacks. The model also allows the analyst to record the relative timings of the steps taken and to associate each step with a kill chain model view of a cyber-attack. Population of this model is exercised using a representative set of open-source attack reports, and several example applications are presented.
Keywords: MITRE, ATT&CK, Cyber Situational Awareness, Kill Chain, TTP, Cyber Attack Model
University of Southampton
Maidens, Christopher John
b4261f09-e070-4d6d-9573-dc783345d334
2024
Sassone, Vladi
df7d3c83-2aa0-4571-be94-9473b07b03e7
Aniello, Leonardo
9846e2e4-1303-4b8b-9092-5d8e9bb514c3
Maidens, Christopher John
(2024)
MITRE open CTI contribution to cyber situational awareness.
University of Southampton, Doctoral Thesis, 374pp.
Record type: Thesis (Doctoral)
Text: 20305966_Thesis_UPD_v1_0_RESP_10_RESP_1_FINAL - Version of Record
Text: Final-thesis-submission-Examination-Mr-Christopher-Maidens - Restricted to Repository staff only
More information
Published date: 2024
Identifiers
Local EPrints ID: 493512
URI: http://eprints.soton.ac.uk/id/eprint/493512
PURE UUID: a3c52b24-9e1b-4c80-98de-95c416fbb946
Catalogue record
Date deposited: 04 Sep 2024 16:52
Last modified: 13 Nov 2024 02:54
Contributors
Author: Christopher John Maidens
Thesis advisor: Vladi Sassone
Thesis advisor: Leonardo Aniello