Inside the Matrix: CTI Frameworks as Partial Abstractions of Complex Threats

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review



The Cyber Threat Intelligence (CTI) field has evolved rapidly and most of its reporting is now fairly standardized. Where the Cyber Kill Chain was its sole reference framework 5 years ago, today ATT&CK is the de facto standard for reporting adversary tactics, techniques and procedures (TTPs). CTI frameworks are effectively abstraction layers of malicious behavior and thus effective CTI dissemination hinges on their ability to accurately represent this behavior. We argue that this is an area with significant opportunity for improvement. The aforementioned models are attacker- and intrusion-centric, while much of the CTI reporting currently is artifact- and malware-centric. In other words, most analysis is performed using artifacts of adversary tools, while in-the-wild evidence of adversary techniques and procedures is limited or lacking. Applying an intrusion model to artifact-based analysis leads to information loss, affecting and potentially misleading CTI-based decision-making. Intelligence analysis naturally builds on imperfect information, but CTI frameworks should be oriented more towards this key premise. In this conceptual work we compare the intrusion-centric ATT&CK with Malware Behavior Catalog (MBC), which is malware-centric. We compare how their application affects reporting of analysis outcomes. For this we reverse a piece of APT malware, replicating how many CTI reports are produced. We find that compared to ATT&CK, the abstraction offered by MBC enhances the information density of our reporting. While currently in most industry malware reports ATT&CK is applied, our analysis shows that on these occasions using MBC, potentially in tandem with ATT&CK, improves reporting. With the daily amount of new malware samples only increasing, accurate behavior labeling is key to the success of CTI sharing and dissemination.
Original language: English
Title of host publication: 2021 IEEE International Conference on Big Data (Big Data)
Subtitle of host publication: Proceedings
Place of Publication: Piscataway
Number of pages: 8
ISBN (Electronic): 978-1-6654-3902-2
ISBN (Print): 978-1-6654-4599-3
Publication status: Published - 2021
Event: 2021 IEEE International Conference on Big Data (Big Data) - Virtual at Orlando, United States
Duration: 15 Dec 2021 to 18 Dec 2021


Conference: 2021 IEEE International Conference on Big Data (Big Data)
Country: United States
City: Virtual at Orlando

Bibliographical note

Accepted author manuscript


  • malware analysis
  • cyber threat intelligence
  • Malware Behavior Catalog (MBC)
  • ATT&CK
  • reverse engineering

