基于 ATT&CK 和量化理论的侧向移动预测和可视化 3 型

IF 0.7 Q4 COMPUTER SCIENCE, INFORMATION SYSTEMS

Journal of Cases on Information Technology Pub Date : 2024-03-20 DOI:10.4018/jcit.340722

Satoshi Okada, Yosuke Katano, Yukihiro Kozai, Takuho Mitsunaga

{"title":"基于 ATT&CK 和量化理论的侧向移动预测和可视化 3 型","authors":"Satoshi Okada, Yosuke Katano, Yukihiro Kozai, Takuho Mitsunaga","doi":"10.4018/jcit.340722","DOIUrl":null,"url":null,"abstract":"When a cyber incident occurs, organizations need to identify the attack's impacts. They have to investigate potentially infected devices as well as certainly infected devices. However, as an organization's network expands, it is difficult to investigate all devices. In addition, the cybersecurity workforce shortage has risen, so organizations need to respond to incidents efficiently with limited human resources. To solve this problem, this paper proposes a tool to assist an incident response team. It can visualize ATT&CK techniques attacker used and, furthermore, detect lateral movements efficiently. The tool consists of two parts: a web application that extracts ATT&CK techniques from logs and a lateral movement detection system. The web application was implemented and could map the collected logs obtained from an actual Windows device to the ATT&CK matrix. Furthermore, actual lateral movements were performed in an experimental environment that imitated an organizational network, and the proposed detection system could detect them.","PeriodicalId":43384,"journal":{"name":"Journal of Cases on Information Technology","volume":null,"pages":null},"PeriodicalIF":0.7000,"publicationDate":"2024-03-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Predicting and Visualizing Lateral Movements Based on ATT&CK and Quantification Theory Type 3\",\"authors\":\"Satoshi Okada, Yosuke Katano, Yukihiro Kozai, Takuho Mitsunaga\",\"doi\":\"10.4018/jcit.340722\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"When a cyber incident occurs, organizations need to identify the attack's impacts. They have to investigate potentially infected devices as well as certainly infected devices. However, as an organization's network expands, it is difficult to investigate all devices. In addition, the cybersecurity workforce shortage has risen, so organizations need to respond to incidents efficiently with limited human resources. To solve this problem, this paper proposes a tool to assist an incident response team. It can visualize ATT&CK techniques attacker used and, furthermore, detect lateral movements efficiently. The tool consists of two parts: a web application that extracts ATT&CK techniques from logs and a lateral movement detection system. The web application was implemented and could map the collected logs obtained from an actual Windows device to the ATT&CK matrix. Furthermore, actual lateral movements were performed in an experimental environment that imitated an organizational network, and the proposed detection system could detect them.\",\"PeriodicalId\":43384,\"journal\":{\"name\":\"Journal of Cases on Information Technology\",\"volume\":null,\"pages\":null},\"PeriodicalIF\":0.7000,\"publicationDate\":\"2024-03-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"Journal of Cases on Information Technology\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.4018/jcit.340722\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q4\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Cases on Information Technology","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.4018/jcit.340722","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

摘要

发生网络事件时，企业需要确定攻击的影响。他们必须调查可能受感染的设备和肯定受感染的设备。然而，随着企业网络的扩展，很难对所有设备进行调查。此外，网络安全人才短缺的问题日益突出，因此企业需要利用有限的人力资源高效地应对突发事件。为解决这一问题，本文提出了一种协助事件响应团队的工具。它可以直观地显示攻击者使用的 ATT&CK 技术，并能有效地检测横向移动。该工具由两部分组成：从日志中提取 ATT&CK 技术的网络应用程序和横向移动检测系统。网络应用程序已经完成，可以将从实际 Windows 设备中收集到的日志映射到 ATT&CK 矩阵。此外，还在模仿组织网络的实验环境中进行了实际的横向移动，所提议的检测系统可以检测到这些横向移动。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

查看原文本刊更多论文

Predicting and Visualizing Lateral Movements Based on ATT&CK and Quantification Theory Type 3

When a cyber incident occurs, organizations need to identify the attack's impacts. They have to investigate potentially infected devices as well as certainly infected devices. However, as an organization's network expands, it is difficult to investigate all devices. In addition, the cybersecurity workforce shortage has risen, so organizations need to respond to incidents efficiently with limited human resources. To solve this problem, this paper proposes a tool to assist an incident response team. It can visualize ATT&CK techniques attacker used and, furthermore, detect lateral movements efficiently. The tool consists of two parts: a web application that extracts ATT&CK techniques from logs and a lateral movement detection system. The web application was implemented and could map the collected logs obtained from an actual Windows device to the ATT&CK matrix. Furthermore, actual lateral movements were performed in an experimental environment that imitated an organizational network, and the proposed detection system could detect them.

求助全文

通过发布文献求助，成功后即可免费获取论文全文。去求助

来源期刊

Journal of Cases on Information Technology COMPUTER SCIENCE, INFORMATION SYSTEMS-

CiteScore

2.60

自引率

0.00%

发文量

期刊介绍： JCIT documents comprehensive, real-life cases based on individual, organizational and societal experiences related to the utilization and management of information technology. Cases published in JCIT deal with a wide variety of organizations such as businesses, government organizations, educational institutions, libraries, non-profit organizations. Additionally, cases published in JCIT report not only successful utilization of IT applications, but also failures and mismanagement of IT resources and applications.