What is it about?

Your cybersecurity team (yes, your company has one) wades through daily reports of hacker attacks, or even campaigns -- ever heard of WannaCry and Wocao? These involve multi-step tactics that use a rich catalogue of hacking techniques, making for complex reports published in MITRE ATT&CK and similar knowledge bases. Something is missing, though: a good answer to a simple question. Which attacks are truly more likely to happen, and how should we decide where to put our limited defenses first?

To answer that question, the paper turns qualitative attack knowledge into something measurable, with numbers instead of gut feelings. While frameworks like MITRE ATT&CK are crucial to know what hackers do, they cannot tell which of two attacks is more likely. Your cybersecurity team can see that a recent campaign involves a dozen attack techniques, but they still do not know: Is this campaign common? Hard? Easy? The paper answers these questions via a multi-step, data-driven approach:

1. Turn historical data into likelihoods. The MITRE ATT&CK knowledge base records how often certain techniques were used in observed attacks to achieve a specific tactical goal, e.g. exfiltrating classified data. The authors extract this information to assign a probability-like value that represents how often each attack method shows up in real-world campaigns. That gives each technique a "likelihood score" based on known evidence.

2. Build structured models of campaigns. The research uses attack trees as a mathematical model of complex attacks -- something like family trees, but for cyber attacks. At the top sits the main attack goal, e.g. stealing confidential data, and the branches below represent combinations of techniques that the attackers might use to achieve that goal. Building such hierarchical models lets experts see exactly what steps make up a campaign and how they relate to one another (and sometimes how to stop them). These models are enriched with the probabilities obtained in step 1.

3. Introduce a logic for reasoning about likelihoods. The paper does not just label parts of an attack with numbers -- it also provides a logic called cATM that can operate on those numbers. With cATM, you can ask questions like "Which campaign has a higher overall likelihood of success?" or "How does changing the likelihood of one technique affect the whole picture?" This logic turns the attack trees and data into actionable comparisons.

4. Automate the process. Finally, the authors package the proposed method into a tool that can automatically turn any campaign in MITRE ATT&CK into one of these quantified models. This automation means that analysts will not have to build every tree manually, saving time and avoiding errors.

In practical terms, this research brings the cybersecurity community a framework to quantify and compare threats. Instead of simply listing potential attacks, defenders now have a way to:
- assign numerical likelihoods to cyberattack techniques and campaigns,
- model the structure of attack campaigns in a transparent way,
- perform data-informed comparisons of different threats,
- and make defensible decisions about where to allocate effort and resources.
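To make steps 1 to 3 concrete, here is an added example (not code from the paper or its tool) that encodes two constructed campaigns as AND/OR attack trees over made-up technique scores and answers the two cATM-style questions quoted above. The propagation rule it uses is an assumption (standard attack-tree probability semantics with independent steps), not the paper's cATM logic, and the technique names and scores are constructed, not extracted from MITRE ATT&CK.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, illustrative "likelihood scores" (step 1). These are NOT values
# extracted from MITRE ATT&CK; they only stand in for per-technique frequencies.
TECHNIQUE_FREQ: Dict[str, float] = {"phishing": 0.6, "valid-accounts": 0.3,
    "exploit-public-app": 0.2, "exfil-over-c2": 0.5, "exfil-over-web": 0.4}

@dataclass
class Leaf:
    technique: str  # a single attack step carrying its own score

@dataclass
class Node:
    op: str         # "AND": every child is needed; "OR": any one child suffices
    children: list  # Leaf or Node instances

def likelihood(tree, freq: Dict[str, float]) -> float:
    """Propagate leaf scores up to the root goal (steps 2 and 3).
    Assumed semantics (textbook attack-tree probability rules, not the paper's
    cATM logic): children independent, AND multiplies, OR = 1 - prod(1 - p)."""
    if isinstance(tree, Leaf):
        return freq[tree.technique]
    ps = [likelihood(c, freq) for c in tree.children]
    if tree.op == "AND":
        out = 1.0
        for p in ps:
            out *= p
        return out
    if tree.op == "OR":
        none_succeed = 1.0
        for p in ps:
            none_succeed *= 1.0 - p
        return 1.0 - none_succeed
    raise ValueError(f"unknown operator {tree.op!r}")

def rank_campaigns(campaigns: dict, freq: Dict[str, float]) -> List[Tuple[str, float]]:
    """'Which campaign has the higher overall likelihood?' -- most likely first."""
    scored = [(name, likelihood(t, freq)) for name, t in campaigns.items()]
    return sorted(scored, key=lambda s: s[1], reverse=True)

def what_if(tree, freq: Dict[str, float], technique: str, new_score: float) -> Tuple[float, float]:
    """'How does changing one technique's score affect the whole picture?'"""
    return likelihood(tree, freq), likelihood(tree, {**freq, technique: new_score})

# Constructed campaigns: gain access (one of several ways) AND then exfiltrate.
CAMPAIGNS = {
    "A": Node("AND", [Node("OR", [Leaf("phishing"), Leaf("valid-accounts")]), Leaf("exfil-over-c2")]),
    "B": Node("AND", [Leaf("exploit-public-app"), Node("OR", [Leaf("exfil-over-c2"), Leaf("exfil-over-web")])]),
}
```

With these scores campaign A comes out at 0.36 and B at 0.14, and raising the phishing score from 0.6 to 0.9 lifts A to 0.465, which is the kind of white-box comparison the defender can then justify.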

Why is it important?

With these tools, if, say, three hacker campaigns are on your radar but only one of them is the most probable, your time-constrained cybersecurity team can now choose which one to focus on first, with white-box numerical justifications based on state-of-the-art cyber-intelligence data.

Read the Original

This page is a summary of: How Hard Can It Be? Quantifying MITRE Attack Campaigns with Attack Trees and cATM Logic, ACM Transactions on Software Engineering and Methodology, January 2026, ACM (Association for Computing Machinery), DOI: 10.1145/3789665.