Modeling Attack Activity for Integrated Analysis of Threat Information

Abstract: Cyber attacks targeting specific victims use multiple intrusion routes and various attack methods. In order to combat such diversified cyber attacks, Threat Intelligence is attracting attention. Attack activities, vulnerability information and other threat information are gathered, analyzed and organized in threat intelligence and it enables organizations to understand their risks. Integrated analysis of the threat information is needed to compose the threat intelligence. Threat information can be found in inc… Show more

“…Three models which are widely used by threat hunters are the Diamond model of intrusion analysis, cyber kill chain and MITRE ATT&CK Matrix [3,5,6,7]. While there are a few papers published in threat hunting in ICS networks [44,45], they did not investigate how Diamond models and MITRE ATT&CK Matrix can be deployed in threat hunting in ICS networks.…”

“…A Diamond model also uses meta-features to be able to model further details of an intrusion event. In a Diamond model created for a single intrusion event, each core feature is given a corresponding confidence value showing that how confident the analyst is that the feature is correct [3,6,7,22,23].…”

“…Although existing solutions have been proposed to facilitate the threat hunting process, there are three models which are widely used in the industry. These models are the Diamond model of intrusion analysis, cyber kill chain and MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) which can model attack behaviour and predict future threat actions [3,5,6,7]. Diamond models and the cyber kill chain model were used by some papers for threat hunting in IT and ICS networks [22,3,39].…”

A Threat Hunting Framework for Industrial Control Systems

“…Three models which are widely used by threat hunters are the Diamond model of intrusion analysis, cyber kill chain and MITRE ATT&CK Matrix [3,5,6,7]. While there are a few papers published in threat hunting in ICS networks [44,45], they did not investigate how Diamond models and MITRE ATT&CK Matrix can be deployed in threat hunting in ICS networks.…”

“…A Diamond model also uses meta-features to be able to model further details of an intrusion event. In a Diamond model created for a single intrusion event, each core feature is given a corresponding confidence value showing that how confident the analyst is that the feature is correct [3,6,7,22,23].…”

“…Although existing solutions have been proposed to facilitate the threat hunting process, there are three models which are widely used in the industry. These models are the Diamond model of intrusion analysis, cyber kill chain and MITRE's Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) which can model attack behaviour and predict future threat actions [3,5,6,7]. Diamond models and the cyber kill chain model were used by some papers for threat hunting in IT and ICS networks [22,3,39].…”

A Threat Hunting Framework for Industrial Control Systems

Threat Intelligence Framework for Vulnerability Identification and Patch Management for Virtual Environment

Paragraph-based Estimation of Cyber Kill Chain Phase from Threat Intelligence Reports