Abstract
The Cyber Threat Intelligence (CTI) field has evolved rapidly and most of its reporting is now fairly standardized. Where the Cyber Kill Chain was its sole reference framework five years ago, today ATT&CK is the de facto standard for reporting adversary tactics, techniques and procedures (TTPs). CTI frameworks are effectively abstraction layers over malicious behavior, so effective CTI dissemination hinges on their ability to represent that behavior accurately. We argue that this is an area with significant room for improvement. The aforementioned models are attacker- and intrusion-centric, while much of today's CTI reporting is artifact- and malware-centric. In other words, most analysis is performed on artifacts of adversary tools, while in-the-wild evidence of adversary techniques and procedures is limited or lacking. Applying an intrusion model to artifact-based analysis leads to information loss, which affects and can mislead CTI-based decision-making. Intelligence analysis naturally builds on imperfect information, and CTI frameworks should be oriented more towards this key premise. In this conceptual work we compare the intrusion-centric ATT&CK with the Malware Behavior Catalog (MBC), which is malware-centric, and examine how applying each affects the reporting of analysis outcomes. To do so we reverse engineer a piece of APT malware, replicating how many CTI reports are produced. We find that, compared to ATT&CK, the abstraction offered by MBC increases the information density of our reporting. While most industry malware reports currently apply ATT&CK, our analysis shows that in such cases using MBC, potentially in tandem with ATT&CK, improves reporting. With the daily volume of new malware samples only increasing, accurate behavior labeling is key to the success of CTI sharing and dissemination.
| Field | Value |
|---|---|
| Original language | English |
| Title of host publication | 2021 IEEE International Conference on Big Data (Big Data) |
| Subtitle of host publication | Proceedings |
| Place of publication | Piscataway |
| Publisher | IEEE |
| Pages | 2136-2143 |
| Number of pages | 8 |
| ISBN (Electronic) | 978-1-6654-3902-2 |
| ISBN (Print) | 978-1-6654-4599-3 |
| Publication status | Published - 2021 |
| Event | 2021 IEEE International Conference on Big Data (Big Data), Virtual at Orlando, United States, 15 Dec 2021 → 18 Dec 2021 |
Conference
| Field | Value |
|---|---|
| Conference | 2021 IEEE International Conference on Big Data (Big Data) |
| Country/Territory | United States |
| City | Virtual at Orlando |
| Period | 15/12/21 → 18/12/21 |
Bibliographical note
Accepted author manuscript
Keywords
- malware analysis
- cyber threat intelligence
- Malware Behavior Catalog (MBC)
- ATT&CK
- reverse engineering