Written by James Ross.

Describing adversarial behaviors in the form of tactics, techniques, and procedures (TTPs) using MITRE ATT&CK® revolutionized detection and response. Focusing on TTPs creates an opportunity for high-fidelity detection of adversaries. If we can detect a behavior, the adversary will need to change behaviors — increasing cost and risk for the adversary.

Detecting adversary behaviors is challenging. There are often many approaches to implementing a single behavior and adversaries commonly use native capabilities (living off the land), making it difficult to differentiate adversary activity from normal user activity.

Adversary TTPs occur in sequences. Understanding these sequences creates an opportunity to improve detection. If we know that Phishing is followed by Process Injection and then Hijack Execution Flow, we can begin looking for this pattern of TTPs. This sounds good in theory, but how does a defender know which behaviors are likely to have occurred together?
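To make the "pattern of TTPs" idea concrete, here is an added example (not code from the original post or from the TIE project) that looks for the Phishing, Process Injection, Hijack Execution Flow chain in a stream of technique-tagged alerts, per host and in order, with a maximum gap between steps. The alert records, host names and the one-hour window are constructed for illustration.

```python
"""Ordered TTP-chain detection over per-host alert streams (added illustration)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts: (timestamp, host, ATT&CK technique ID). Not real telemetry.
ALERTS = [
    ("2024-05-01T09:00:00", "ws-17", "T1566"),  # Phishing
    ("2024-05-01T09:04:00", "ws-17", "T1055"),  # Process Injection
    ("2024-05-01T09:20:00", "ws-17", "T1574"),  # Hijack Execution Flow
    ("2024-05-01T10:00:00", "ws-22", "T1055"),  # injection with no preceding phish
    ("2024-05-01T10:30:00", "ws-22", "T1574"),
    ("2024-05-02T08:00:00", "ws-31", "T1566"),
    ("2024-05-03T08:00:00", "ws-31", "T1055"),  # a day later: outside the window
    ("2024-05-03T08:05:00", "ws-31", "T1574"),
]

CHAIN = ["T1566", "T1055", "T1574"]  # the example sequence from the text


def find_chains(alerts, chain, window=timedelta(hours=1)):
    """Return [(host, [timestamps])] for every host on which the techniques in
    `chain` occur in order, each step within `window` of the previous one.
    Unrelated alerts may be interleaved; only order and spacing matter."""
    by_host = defaultdict(list)
    for ts, host, tid in alerts:
        by_host[host].append((datetime.fromisoformat(ts), tid))

    hits = []
    for host, events in by_host.items():
        events.sort()
        step, last_ts, path = 0, None, []
        for ts, tid in events:
            if tid != chain[step]:
                continue
            if last_ts is not None and ts - last_ts > window:
                # Gap too large: the partial match is stale. Restart, and only
                # keep this event if it is itself the first step of the chain.
                step, last_ts, path = 0, None, []
                if tid != chain[0]:
                    continue
            path.append(ts)
            last_ts = ts
            step += 1
            if step == len(chain):
                hits.append((host, path))
                break
    return hits


if __name__ == "__main__":
    for host, path in find_chains(ALERTS, CHAIN):
        print(host, [t.isoformat() for t in path])
```

With the one-hour window only ws-17 matches; ws-22 never shows the initial phish, and ws-31's injection lands a day after the phish. Widening the window is a tuning decision, not a correctness fix: a longer window catches slower intrusions and admits more coincidental matches.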

The Technique Inference Engine (TIE) uses a machine learning model trained on cyber threat intelligence to recommend likely TTPs based on a known input TTP. TIE will help analysts quickly understand what is likely to have happened next based on a broad corpus of threat intelligence. In collaboration with experts from Citigroup, Cyber Threat Alliance, Fortinet, Google Cloud, HCA Healthcare, IBM Security, Lloyds Banking Group, Tenable, and Verizon Business, we have built TIE to be a practical resource with immediate benefit for all security teams and designed it to easily enable further research and innovation.

Technique Inference Engine Landing Page

The right dataset is critical for prediction

Having the right dataset is critical to the predictive nature of the model. We identified four key attributes of our dataset to assure our model delivers relevant results.

1. The data is based on real-world observations of adversary activity.
2. The data represents sets of techniques that have occurred as part of the same activity.
3. The data contains multiple implementations of each technique, and the model has sufficiently many TTP examples to discover trends in activity and avoid bias towards predicting the most common or popular techniques.
4. We exclude contrived or speculative data. For our purposes, we did not augment the data set with artificial data, to avoid introducing non-existent associations between techniques.

Cyber threat intelligence (CTI) reports meet all the above criteria as they are crafted through expert analysis of cyber intrusions and observed adversary activity. By combining data used in previous Center research projects, CTI repositories, and contributions from our research partners we generated over 6,200 reports, covering 96% of the techniques in ATT&CK.

A common challenge among machine learning and threat-informed defense research is obtaining sufficient data to develop effective models. To support future research, we published our training data, which includes attributes such as campaigns, CTI references, and technique frequency to encourage researchers to build new models and discover novel associations.

The Model

Our recommender model uses a simple and powerful method to characterize each technique in the training data. This approach delivers technique predictions in a fraction of a second and is written in a way that is easily interpreted by security teams and machine learning experts alike. Advanced users can launch our code in a Jupyter notebook to adjust model parameters, retrain the model with a custom data set, and more.
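The post does not spell out the method, so the following is an added toy illustration of the recommender idea, not TIE's model or code: an item-based recommender over a report-by-technique incidence table. The six "reports" are constructed, and the similarity measure (cosine, i.e. co-occurrence normalised by each technique's frequency) is my choice, picked because it directly addresses the popularity-bias concern raised in the dataset section; a raw-count baseline is included for comparison.

```python
"""Toy technique recommender over CTI reports (added illustration, not TIE's model)."""
from collections import Counter
from itertools import combinations
import math

# Constructed corpus: each entry is the set of ATT&CK technique IDs one CTI report
# attributes to a single intrusion. Real training data is far larger; these are made up.
REPORTS = [
    {"T1566", "T1204", "T1055", "T1574"},
    {"T1566", "T1204", "T1055", "T1059"},
    {"T1566", "T1204", "T1059", "T1071"},
    {"T1190", "T1059", "T1071", "T1105"},
    {"T1190", "T1505", "T1059"},
    {"T1078", "T1021", "T1059"},
]


def train(reports):
    """Count how often each technique appears and how often each pair co-occurs."""
    single, pair = Counter(), Counter()
    for techs in reports:
        single.update(techs)
        pair.update(frozenset(p) for p in combinations(sorted(techs), 2))
    return single, pair


def recommend(model, seed, top_k=3):
    """Rank techniques by cosine similarity to `seed`:
    co-occurrences / sqrt(count(seed) * count(candidate)).
    Dividing by the candidate's own frequency keeps ubiquitous techniques
    (T1059 in this corpus) from topping every list simply because they are common."""
    single, pair = model
    scored = []
    for cand in single:
        if cand == seed:
            continue
        joint = pair[frozenset((seed, cand))]
        if joint == 0:
            continue
        score = joint / math.sqrt(single[seed] * single[cand])
        scored.append((cand, round(score, 3)))
    scored.sort(key=lambda x: (-x[1], x[0]))
    return scored[:top_k]


def recommend_by_count(model, seed, top_k=3):
    """Baseline for comparison: raw co-occurrence counts, which favour popular techniques."""
    single, pair = model
    scored = [(c, pair[frozenset((seed, c))]) for c in single
              if c != seed and pair[frozenset((seed, c))]]
    scored.sort(key=lambda x: (-x[1], x[0]))
    return scored[:top_k]


if __name__ == "__main__":
    m = train(REPORTS)
    print("cosine:", recommend(m, "T1566"))
    print("counts:", recommend_by_count(m, "T1566"))
```

Seeded with T1566 (Phishing), the normalised ranking returns T1204, T1055 and T1574; the count baseline instead pulls in T1059, which appears in five of the six reports and would be recommended for almost any seed. That is the failure mode the dataset criteria above are meant to avoid.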

Technique Inference Engine

Context is crucial in information fusion. Security teams require more than just a list of techniques to respond to incidents, emulate the adversary, or derive actionable threat intelligence. To make our predictions accessible to the broadest possible audience, we integrated TIE directly into your browser.

Technique Inference Engine Web Interface

The web tool is the most accessible way to get a complete picture of the adversary. TIE uses on-device machine learning to predict related techniques — no information is sent over the network or stored. The predicted techniques can be sorted by technique name, rank, or tactic, and filtered by inference score, threat actor, campaign, or platform. Export the results to ATT&CK Navigator to emphasize them as a heatmap or compare them with other reports in a common format.

TIE Supports ATT&CK Navigator Export

We’re delighted to provide the community with a tool that gives defenders a way to identify what they don’t yet detect. Our documentation walks through each step of our research and has examples of how TIE augments new lead generation for SOC teams, improves post-mortem incident analysis by filling in potential reporting gaps, and can create more comprehensive adversary emulation plans.

Community involvement makes us better!

Building solutions that improve threat-informed defense is a community effort. Here are a few ways to stay involved:

- Use our inference engine and share your feedback. GitHub issues are the best way to send questions, bug reports, and feature requests.
- Retrain the model for better results. When you share new training data with us, our automation retrains the model and publishes an updated version of the site.
- If you create a model that bests our Technique Inference Engine — we’d love to hear about it!

Email us at [email protected] for more general inquiries.

About the Center for Threat-Informed Defense

The Center is a non-profit, privately funded research and development organization operated by MITRE Engenuity. The Center’s mission is to advance the state of the art and the state of the practice in threat-informed defense globally. Comprised of participant organizations from around the globe with highly sophisticated security teams, the Center builds on MITRE ATT&CK®, an important foundation for threat-informed defense used by security teams and vendors in their enterprise security operations. Because the Center operates for the public good, outputs of its research and development are available publicly and for the benefit of all.

© 2024 MITRE Engenuity. Approved for Public Release. Document number CT0124.

Know your Adversary’s next move with TIE was originally published in MITRE-Engenuity on Medium, where people are continuing the conversation by highlighting and responding to this story.

Article Link: Predict adversary activity with machine learning | MITRE-Engenuity

