Adversarial Technique Validation & Defense Selection Using Attack Graph & ATT&CK Matrix

Md. Ariful Haque, Sachin Shetty, C. Kamhoua, Kimberly Gold
Published in: 2023 International Conference on Computing, Networking and Communications (ICNC), 2023-02-20
DOI: 10.1109/ICNC57223.2023.10074241
Citations: 1

Abstract

Today cyber adversaries utilize advanced techniques to victimize target assets. To tackle them, it is of utmost importance to understand the potential techniques they may use to exploit network vulnerabilities. The attack graph has long been a crucial tool for network vulnerability analysis; however, current state-of-the-art attack graphs cannot predict adversarial techniques. To close this gap, we utilize the MITRE ATT&CK matrix in this work and map its techniques to the attack graph node descriptions. We first formulate a comprehensive dataset from ATT&CK consisting of all the adversarial strategies, sub-techniques, associated tactics, and mitigations for the enterprise network. We then capture the attack graph node descriptions and apply the term frequency-inverse document frequency (TF-IDF) algorithm to map the attack techniques to the available node descriptions. Next, we compute the cosine similarity to determine an adversary's top methods for attacking the network. We then map those techniques to the associated tactics and mitigation strategies as enumerated in the ATT&CK matrix. Finally, we illustrate the analysis using a networked system's attack graph. The proposed method would help identify and validate adversarial techniques and guide the selection of mitigation mechanisms for security enhancement.
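As an added illustration (not the paper's code), the TF-IDF plus cosine-similarity mapping described above, implemented in plain Python over a constructed four-technique slice of ATT&CK. The technique and mitigation IDs are public ATT&CK identifiers; the one-line technique descriptions and the attack-graph node text are constructed for this example, so the scores only show the mechanics, not the paper's results.

```python
import math
import re
from collections import Counter
# Constructed miniature of the paper's ATT&CK dataset: technique, tactic and mitigation.
# The IDs are public ATT&CK identifiers; the one-line descriptions are paraphrased here.
TECHNIQUES = [
    {"id": "T1190", "name": "Exploit Public-Facing Application", "tactic": "Initial Access",
     "mitigation": "M1051 Update Software",
     "text": "adversary exploits a vulnerability in an internet facing web server application"},
    {"id": "T1078", "name": "Valid Accounts", "tactic": "Persistence",
     "mitigation": "M1032 Multi-factor Authentication",
     "text": "adversary uses stolen credentials of a valid user account to log in"},
    {"id": "T1021", "name": "Remote Services", "tactic": "Lateral Movement",
     "mitigation": "M1030 Network Segmentation",
     "text": "adversary logs in to remote services such as ssh or rdp to move laterally between hosts"},
    {"id": "T1110", "name": "Brute Force", "tactic": "Credential Access",
     "mitigation": "M1027 Password Policies",
     "text": "adversary repeatedly guesses passwords to obtain credentials for an account"},
]

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def build_idf(docs):
    # Smoothed inverse document frequency over the technique descriptions.
    n = len(docs)
    df = Counter(term for doc in docs for term in set(tokenize(doc)))
    return {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}

def tfidf_vector(text, idf):
    counts = Counter(tokenize(text))
    total = sum(counts.values())
    # Terms absent from the corpus get no weight: they cannot match any technique.
    return {t: (c / total) * idf[t] for t, c in counts.items() if t in idf}

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    na, nb = math.sqrt(sum(v * v for v in a.values())), math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

IDF = build_idf([t["text"] for t in TECHNIQUES])

def rank_techniques(node_description, top_k=2):
    # Score every technique against one attack-graph node description and keep the top-k,
    # each paired with its ATT&CK tactic and a mitigation, as the paper's pipeline does.
    node_vec = tfidf_vector(node_description, IDF)
    scored = [(cosine(node_vec, tfidf_vector(t["text"], IDF)), t["id"], t["tactic"], t["mitigation"])
              for t in TECHNIQUES]
    scored.sort(key=lambda r: r[0], reverse=True)
    return [(round(s, 3), tid, tac, mit) for s, tid, tac, mit in scored[:top_k]]
```

Calling `rank_techniques("stolen credentials of a valid user account used to log in to the web server")` returns T1078 (Persistence, M1032) first and T1190 second, which is the technique-to-tactic-to-mitigation chain the abstract describes.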