Abstract

When a cyber incident occurs, organizations need to identify the attack's impacts. They have to investigate potentially infected devices as well as the devices that are certainly infected. However, as an organization's network expands, it becomes difficult to investigate every device. In addition, the cybersecurity workforce shortage has grown, so organizations need to respond to incidents efficiently with limited human resources. To address this problem, this paper proposes a tool to assist an incident response team. It can visualize the ATT&CK techniques the attacker used and, furthermore, detect lateral movements efficiently. The tool consists of two parts: a web application that extracts ATT&CK techniques from logs, and a lateral movement detection system. The web application was implemented and could map logs collected from an actual Windows device onto the ATT&CK matrix. Furthermore, actual lateral movements were performed in an experimental environment that imitated an organizational network, and the proposed detection system could detect them.
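The following is an added illustration of the two components the abstract describes, written for this page and not taken from the paper or its tool. It tags constructed Windows Security event records with ATT&CK technique IDs and then looks for two-hop logon chains (host A logs on to B, then B logs on to C within a time window) as a minimal lateral movement detector. The event-to-technique mapping, the host inventory, the sample events and the chain heuristic are all assumptions made for the example; only the ATT&CK technique IDs and Windows event IDs are real identifiers.

```python
from datetime import datetime, timedelta

# Assumed, illustrative mapping from Windows Security event IDs to ATT&CK
# technique IDs. The technique IDs are real ATT&CK entries; which event is
# mapped to which technique is this example's assumption, not the paper's.
TECHNIQUE_MAP = {
    (4624, 3): ("T1021", "Remote Services: network logon"),
    (5140, None): ("T1021.002", "SMB/Windows Admin Shares: share accessed"),
    (7045, None): ("T1569.002", "Service Execution: new service installed"),
}

# Constructed host inventory (hypothetical hosts and addresses).
HOST_IPS = {"WS-A": "10.0.0.5", "WS-B": "10.0.0.6", "WS-C": "10.0.0.7"}
IP_HOSTS = {ip: host for host, ip in HOST_IPS.items()}

# Constructed sample events, flattened from Security.evtx-style fields.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "host": "WS-B", "event_id": 4624,
     "logon_type": 3, "src_ip": "10.0.0.5", "user": "alice"},
    {"time": "2024-01-10T09:02:00", "host": "WS-B", "event_id": 5140,
     "src_ip": "10.0.0.5", "user": "alice", "share": r"\\*\ADMIN$"},
    {"time": "2024-01-10T09:03:00", "host": "WS-B", "event_id": 7045,
     "user": "SYSTEM", "service": "svc-example"},
    {"time": "2024-01-10T09:20:00", "host": "WS-C", "event_id": 4624,
     "logon_type": 3, "src_ip": "10.0.0.6", "user": "alice"},
    {"time": "2024-01-10T09:21:00", "host": "WS-C", "event_id": 7045,
     "user": "SYSTEM", "service": "svc-example"},
    # Interactive (type 2) logon on WS-A: not in the mapping, so it is ignored.
    {"time": "2024-01-10T10:30:00", "host": "WS-A", "event_id": 4624,
     "logon_type": 2, "user": "alice"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def map_techniques(events):
    """Tag each event that matches TECHNIQUE_MAP with an ATT&CK technique ID.
    Only event 4624 is keyed by logon type; other events key on ID alone."""
    tagged = []
    for ev in events:
        logon_type = ev.get("logon_type") if ev["event_id"] == 4624 else None
        hit = TECHNIQUE_MAP.get((ev["event_id"], logon_type))
        if hit:
            tagged.append({"time": ev["time"], "host": ev["host"],
                           "technique": hit[0], "name": hit[1]})
    return tagged


def logon_edges(events):
    """Turn network logons (4624, logon type 3) into
    (source_host, destination_host, time) edges, resolving the source IP
    to a host name where the inventory knows it."""
    edges = []
    for ev in events:
        if ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            src = IP_HOSTS.get(ev.get("src_ip"), ev.get("src_ip"))
            edges.append((src, ev["host"], _parse(ev["time"])))
    return edges


def detect_lateral_chains(events, window_minutes=60):
    """Find two-hop chains A -> B -> C: a network logon onto B followed,
    within the window, by a network logon from B onto a third host C."""
    edges = logon_edges(events)
    window = timedelta(minutes=window_minutes)
    chains = []
    for a, b, t1 in edges:
        for b2, c, t2 in edges:
            if b2 == b and c not in (a, b) and t1 < t2 <= t1 + window:
                chains.append((a, b, c))
    return chains


if __name__ == "__main__":
    for t in map_techniques(SAMPLE_EVENTS):
        print(t["time"], t["host"], t["technique"], t["name"])
    print("lateral chains:", detect_lateral_chains(SAMPLE_EVENTS))
```

The tagging step is what a matrix visualization would consume (technique IDs per host and time), and the chain detector shows why a hop-by-hop view matters: each individual network logon looks ordinary, but a logon onto WS-C originating from a host that was itself just logged into remotely is the pattern an investigator wants surfaced. A real deployment would need the inventory and mapping to come from the environment rather than constants.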
