Cyber threat intelligence enabled automated attack incident response

F. Kaiser, Leon J. Andris, Tim F. Tennig, Jonas M. Iser, M. Wiens, F. Schultmann
DOI: 10.1109/NextComp55567.2022.9932254 (https://doi.org/10.1109/NextComp55567.2022.9932254)
Published in: 2022 3rd International Conference on Next Generation Computing Applications (NextComp)
Publication date: 2022-10-06
Citation count: 2

Abstract

Cyber attacks keep states, companies and individuals at bay, draining precious resources including time, money, and reputation. Attackers thereby seem to have a first-mover advantage, leading to a dynamic defender-attacker game. Automated approaches that take advantage of Cyber Threat Intelligence on past attacks have the potential to empower security professionals and hence increase cyber security. Consistently, there has been a lot of research on automated approaches in cyber risk management, including work on predictive attack algorithms and threat hunting. Combining data on countermeasures from the "MITRE Detection, Denial, and Disruption Framework Empowering Network Defense" (D3FEND) and adversarial data from "MITRE Adversarial Tactics, Techniques and Common Knowledge" (ATT&CK), this work aims at developing methods that enable highly precise and efficient automatic incident response. We introduce Attack Incident Responder, a methodology that uses simple heuristics to find the most efficient sets of countermeasures for hypothesized attacks. By doing so, the work contributes to narrowing the attackers' first-mover advantage. Experimental results show promising high average precision in predicting effective defenses when using the methodology. In addition, we compare the proposed defense measures against a static set of defensive techniques offering robust security against observed attacks. Furthermore, we combine the approach to automated incident response with an approach to threat hunting, enabling full automation of security operation centers. By this means, we define a threshold in the precision of attack hypothesis generation that must be met for predictive defense algorithms to outperform the baseline. The calculated threshold can be used to evaluate attack hypothesis generation algorithms. The presented methodology for automated incident response may be a valuable support for information security professionals. Last, the work elaborates on the combination of static base defense with adaptive incident response for generating a bio-inspired artificial immune system for computer networks.