Inside the Matrix: CTI Frameworks as Partial Abstractions of Complex Threats

Research output: Chapter in Book/Conference proceedings/Edited volume > Conference contribution > Scientific > peer-review

1 Citation (Scopus)
136 Downloads (Pure)

Abstract

The Cyber Threat Intelligence (CTI) field has evolved rapidly and most of its reporting is now fairly standardized. Where the Cyber Kill Chain was its sole reference framework 5 years ago, today ATT&CK is the de facto standard for reporting adversary tactics, techniques and procedures (TTPs). CTI frameworks are effectively abstraction layers of malicious behavior, and thus effective CTI dissemination hinges on their ability to accurately represent this behavior. We argue that this is an area with significant opportunity for improvement. The aforementioned models are attacker- and intrusion-centric, while much of the CTI reporting currently is artifact- and malware-centric. In other words, most analysis is performed using artifacts of adversary tools, while in-the-wild evidence of adversary techniques and procedures is limited or lacking. Applying an intrusion model to artifact-based analysis leads to information loss, affecting and potentially misleading CTI-based decision-making. Intelligence analysis naturally builds on imperfect information, but CTI frameworks should be oriented more towards this key premise. In this conceptual work we compare the intrusion-centric ATT&CK with the Malware Behavior Catalog (MBC), which is malware-centric. We compare how their application affects reporting of analysis outcomes. For this we reverse a piece of APT malware, replicating how many CTI reports are produced. We find that, compared to ATT&CK, the abstraction offered by MBC enhances the information density of our reporting. While currently in most industry malware reports ATT&CK is applied, our analysis shows that on these occasions using MBC, potentially in tandem with ATT&CK, improves reporting. With the daily amount of new malware samples only increasing, accurate behavior labeling is key to the success of CTI sharing and dissemination.
Original language: English
Title of host publication: 2021 IEEE International Conference on Big Data (Big Data)
Subtitle of host publication: Proceedings
Place of Publication: Piscataway
Publisher: IEEE
Pages: 2136-2143
Number of pages: 8
ISBN (Electronic): 978-1-6654-3902-2
ISBN (Print): 978-1-6654-4599-3
DOIs
Publication status: Published - 2021
Event: 2021 IEEE International Conference on Big Data (Big Data) - Virtual at Orlando, United States
Duration: 15 Dec 2021 to 18 Dec 2021

Conference

Conference: 2021 IEEE International Conference on Big Data (Big Data)
Country/Territory: United States
City: Virtual at Orlando
Period: 15/12/21 to 18/12/21

Bibliographical note

Accepted author manuscript

Keywords

  • malware analysis
  • cyber threat intelligence
  • Malware Behavior Catalog (MBC)
  • ATT&CK
  • reverse engineering
