CN111209570B - Method for creating safe closed loop process based on MITER ATT & CK - Google Patents


Info

Publication number
CN111209570B
Authority
CN
China
Prior art keywords
attack
plan
simulation
simulated
att
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201911401807.5A
Other languages
Chinese (zh)
Other versions
CN111209570A (en)
Inventor
周楠
范渊
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
DBAPPSecurity Co Ltd
Original Assignee
DBAPPSecurity Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a method for creating a secure closed-loop process based on MITRE ATT&CK, which comprises the following steps: 1) obtaining data to obtain the MITRE ATT&CK framework; 2) obtaining an adversary attack plan; 3) simulating the attack according to the adversary attack plan to obtain the result determined by the simulated attack; 4) constructing an improvement plan according to the result determined by the simulated attack. MITRE ATT&CK provides a framework for studying and analyzing the structure of attacks. Its threat-modeling method and the matrix model suite for each stage of the adversary life cycle cover variants for several major operating systems such as Windows, macOS and Linux. It provides context for describing an attack and helps with identification. A chain of attacks with context is created in a realistic simulation environment between the available data sources, the MITRE ATT&CK matrix and the analyst's workflow, in order to understand the gaps in defensive capability.

Description

Method for creating safe closed loop process based on MITER ATT & CK
Technical Field
The invention relates to a method for creating a secure closed loop, and in particular to a method for creating a secure closed-loop process based on MITRE ATT&CK.
Background
Effective, iterative defense is carried out against adversaries on the basis of the defensive posture and the security operations of the industry; it makes the environment visible and reduces the security team's workload by filling the gaps on the defensive side. Valuable example inputs, adversary emulation plans, attack simulation, hunting and reports, and alert maintenance priorities are all solid foundations for building a defense system. Knowledge of the tactics, techniques and procedures an adversary is likely to use, simulation planning guidelines, and the associations between adversary groups together produce an integrated, productive security policy.
When the behavior of an attacker cannot be seen and no attack alert is generated, the defense and alerting environment can be shaped through a simulated-attack framework, so that any gap in the defense can be quickly analyzed and filled. This increases visibility into the environment and may reduce the load on the security team by filling defensive holes before an attacker reaches them.
The existing threat-intelligence model detects malicious network connections and malicious files through open-source IOCs (indicators of compromise) and YARA rules, but lacks a general detection method capable of detecting specific events from log events. People have to build their own search methods and rules for the log data they collect for analysis. There is no standardized format, so people cannot share their work with others. Analysis efficiency is low, and the accuracy of human judgment is also subject to error.
Therefore, improvements to the prior art are needed.
Disclosure of Invention
The invention aims to provide an efficient method for creating a secure closed-loop process based on MITRE ATT&CK.
To solve this technical problem, the invention provides a method for creating a secure closed-loop process based on MITRE ATT&CK, which comprises the following steps:
1) Obtaining data to obtain the MITRE ATT&CK framework;
2) Obtaining an adversary attack plan;
3) Simulating the attack according to the adversary attack plan to obtain the result determined by the simulated attack;
4) Constructing an improvement plan according to the result determined by the simulated attack.
As an improvement of the method for creating the secure closed-loop process based on MITRE ATT&CK of the invention:
in step 1, the data is obtained by big-data mining.
As a further improvement of the method for creating the secure closed-loop process based on MITRE ATT&CK of the invention:
in step 2, all adversary groups and their attack tactics are determined in the MITRE ATT&CK framework.
As a further improvement of the method for creating the secure closed-loop process based on MITRE ATT&CK of the invention:
in step 3, the attack is simulated based on all adversary groups and their attack tactics.
As a further improvement of the method for creating the secure closed-loop process based on MITRE ATT&CK of the invention:
in step 3, the attack simulation is constructed either as an internal or external attack simulation of the adversary groups following a simulated attack plan, or with an automated adversary simulation tool.
As a further improvement of the method for creating the secure closed-loop process based on MITRE ATT&CK of the invention:
the automated adversary simulation tool is CALDERA.
As a further improvement of the method for creating the secure closed-loop process based on MITRE ATT&CK of the invention:
in step 4, the TTPs of the result determined by the simulated attack are obtained; if the correct TTPs are obtained, an improvement plan is constructed manually; and if the correct TTPs are not obtained, malicious activity is detected and logs are collected to obtain the attacker's attack-technique knowledge.
The method for creating the secure closed-loop process based on MITRE ATT&CK of the invention has the following technical advantages:
MITRE ATT&CK provides a framework for studying and analyzing the structure of attacks. Its threat-modeling method and the matrix model suite for each stage of the adversary life cycle cover variants for several major operating systems such as Windows, macOS and Linux. It provides context for describing an attack and helps with identification. A chain of attacks with context is created in a realistic simulation environment between the available data sources, the MITRE ATT&CK matrix and the analyst's workflow, in order to understand the gaps in defensive capability.
Several security frameworks predate MITRE ATT&CK, but they all lack one key component: a complete account of the tactics of a simulated attack. This makes MITRE ATT&CK a strategic complement for teams facing unknown attacks: using AEPs (adversary emulation plans), MITRE ATT&CK allows real-world attack simulations fused with TTPs to be created. These can be run on the infrastructure in a red-team simulation to determine which attacks are identified, which alerts are sent, and which goals are achieved. This provides valuable visibility into the system for building a closed-loop improvement cycle for secure operations.
Drawings
The following describes embodiments of the present invention in further detail with reference to the accompanying drawings.
Fig. 1 is a schematic structural diagram of a method for creating a safe closed loop process based on MITRE ATT & CK according to the present invention.
Detailed Description
The invention will be further described with reference to specific examples, but the scope of the invention is not limited thereto.
Embodiment 1: a method for creating a secure closed-loop process based on MITRE ATT&CK, as shown in Fig. 1, includes the following steps:
1) First stage:
When creating an effective search, alert and response improvement cycle, the first requirement is input: the cycle must be routinely informed by data so that decisions about alerts and defenses are more effective. The inputs comprise data obtained by big-data mining, IOC indicators, threat intelligence, big-data mining and the like.
ATT&CK is a way of obtaining, from threat intelligence, a representation of the tactics of an attack targeted at a particular industry or a particular organization.
Threat intelligence:
External threat intelligence is useful for two key reasons: new attack TTPs, and attack verification and identification. Threat intelligence may be used to create a one-off attack simulation based on recent attacks, such as the campaign executed by APT39, or on even more deterministic attacks such as NotPetya or WannaCry. Alternatively, it can be used to verify information in the MITRE ATT&CK group list, or to pinpoint when a particular malicious group performs a previously known or new activity.
IOC:
Malicious organizations are identified from the data obtained by big-data mining according to IOC indicators. Indicators (IOCs) can identify intrusions by various groups and have a certain reference value: IOCs (indicators of compromise) such as domain names and file hashes can be added to AEPs as attack markers related to the group, such as command-and-control domains and the hash characteristics of files, and linked to the contextual attack tactics, in order to identify malicious organizations and strengthen security from the perspective of static signatures. For example, a unique hash associated with a particular team's tool can be tagged to add context to a static alert.
Data mining:
Data mining is a very useful tool for hunters and defenders in identifying new attack patterns. Within the limits of the infrastructure, this kind of deep data mining can be very successful using tools such as Splunk, Elasticsearch and Hadoop, and can play a significant role in hunting and threat-identification efforts.
2) Second stage: simulating an adversary attack plan.
All adversary groups identified in the MITRE ATT&CK framework, as shown in Table 1, are tested continuously by running attack drills against a plan formulated for a specific industry and organization, so that technique coverage keeps expanding and the gap relative to an attacker keeps narrowing.
There are many specific industries; Table 1 illustrates several of them. The plan is obtained from the ATT&CK knowledge base according to the attack tactics and techniques commonly used by APT organizations, and each organization has its own specific attack tactics in ATT&CK.
Table 1: Framework of MITRE ATT&CK (provided as images in the original; not reproduced here)
Plan description:
01. Documented: the TTP has been correctly recorded for the adversary group.
02. Coded: the TTP has been coded as a practical implementation for the red team.
03. Executed: the TTP executes successfully.
04. Success/failure: the TTP execution completes or fails to complete its objective.
05. Detected/not detected: the TTP execution succeeded and was either detected or not detected.
As the plan progresses, more context and information is added to this layout: a timeline, hierarchy, TTP type, comments and further details are added as needed.
3) Third stage: simulating an attack.
An internal or external attack simulation follows the simulated attack plan, or an automated adversary simulation tool such as MITRE's CALDERA is used to construct the attack simulation. This part of the test can be done automatically without human effort.
4) Fourth stage: hunting and reporting.
All resources used by the red team to simulate the attack (simulated attack, step 3) are recorded, and any successful detections (detected attack signatures) should be recorded for evaluation at the end of the attack simulation. In the hunting framework, the best use of AEPs and attack simulation is twofold: the simulated attack techniques should be combined with the actual path of the attack-and-trap process, and both should be combined into the best attack-chain tactics. First and foremost, hunting operations are informed so that real-world techniques can be found on a daily basis (techniques mined manually in this way are fed back as input to step 1 of the invention, big-data mining). Second, the AEP provides a roadmap for automatically identifying attacks with high fidelity. This is only possible if the correct TTPs can be detected.
If a TTP cannot be detected, this is an opportunity to investigate new tools or data-collection methods. TTPs are the attack-and-trap process: the detection of malicious activity by collecting logs and the attacker's attack-technique knowledge. If a TTP still cannot be detected after the alerting process is improved and the errors are remedied, the data-acquisition method is readjusted according to the technical characteristics.
Reporting:
Each simulation (a simulated attack on each organization type) is scored quantitatively, including the hunting results, as the number of TTPs detected out of the number of TTPs used (the number of attack techniques and procedures). All TTPs, detected or not, need to be classified according to the MITRE ATT&CK framework, and the general detection method best suited to the organization's internal architecture is chosen. Reports on red-team activity need to include the executed attack plan, the attack results, the remedial actions to be taken, and the like, in order to close any gaps. Each attack should be adequately recorded in the report with the specific techniques used, the activities recorded, detected and prevented, and any methods that should be used to improve detection.
The general detection method can use a rule-based detection method for APT attack behavior, which comprises the following steps: establishing APT attack-scenario rules and constructing an APT attack-scenario knowledge base; the analysis module calls a rule-parsing module to parse and load the APT attack-scenario rules; the acquisition module captures the full traffic of the application-layer protocols to obtain traffic data; data screening is carried out; important alerts are analyzed; behavior is identified; and handling of failed APT attack behavior is constructed. For attack behavior such as APT, when a simulated attack is carried out, the attack process and the techniques that can be trapped are recorded, the existing detection mode is improved, and the detection method is improved before an APT organization has been trapped for real. (The ability to improve the defense always has multiple attack exposure points across the whole attack process.)
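The rule-based detection pipeline just outlined (scenario rules loaded from a knowledge base, acquisition, data screening, behaviour identification), as an added example that is not part of the patent: the log format, the step rules, the scene rule and the log lines are all constructed for illustration, and the ATT&CK technique IDs serve only as tags that let a detection be classified against the framework.

```python
"""Scenario-rule detection over log events mapped to ATT&CK.
Added example, not the patent's code: a scene rule is an ordered chain of
technique steps that must occur on one host inside a time window. Raw events
are screened against single-step rules first, then the tagged events are
correlated per host. Log format, rules and log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Step rules (constructed): regex over the event body -> (technique ID, description)
STEP_RULES = [
    (re.compile(r"process=powershell\.exe .*-enc\b"), ("T1059", "encoded PowerShell")),
    (re.compile(r"process=schtasks\.exe .*/create\b"), ("T1053", "scheduled task created")),
    (re.compile(r"target=lsass\.exe access=read"), ("T1003", "LSASS memory read")),
]

# Scene rules (constructed): technique chain plus window that together form one APT scenario
SCENE_RULES = {
    "exec-persist-creds": (["T1059", "T1053", "T1003"], timedelta(minutes=30)),
}

LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) host=(?P<host>\S+) (?P<body>.*)$")

# Constructed endpoint log: ws01 runs the full chain, ws02 only two of its three steps
SAMPLE_LOG = [
    "2024-03-01 10:00:05 host=ws01 process=powershell.exe cmdline=powershell -enc Zm9v",
    "2024-03-01 10:02:10 host=ws01 process=schtasks.exe cmdline=schtasks /create /tn upd",
    "2024-03-01 10:05:44 host=ws01 process=rundll32.exe target=lsass.exe access=read",
    "2024-03-01 10:06:00 host=ws02 process=powershell.exe cmdline=powershell -enc Zm9v",
    "2024-03-01 11:30:00 host=ws02 process=taskmgr.exe target=lsass.exe access=read",
]


def parse_event(line: str) -> Optional[dict]:
    """Acquisition: split one log line into timestamp, host and body."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "host": m["host"], "body": m["body"]}


def screen(events: List[dict]) -> List[dict]:
    """Data screening: keep only events matching a step rule, tagged with its technique."""
    hits = []
    for ev in events:
        for rx, (tid, desc) in STEP_RULES:
            if rx.search(ev["body"]):
                hits.append({**ev, "technique": tid, "desc": desc})
    return hits


def correlate(hits: List[dict]) -> List[dict]:
    """Behaviour identification: greedily match each scene rule's technique chain,
    in order, against one host's tagged events; alarm if the chain fits the window."""
    by_host: Dict[str, List[dict]] = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_host[h["host"]].append(h)
    alarms = []
    for host, seq in by_host.items():
        for name, (steps, window) in SCENE_RULES.items():
            matched: List[dict] = []
            for h in seq:
                if len(matched) < len(steps) and h["technique"] == steps[len(matched)]:
                    matched.append(h)
            if len(matched) == len(steps) and matched[-1]["ts"] - matched[0]["ts"] <= window:
                alarms.append({"host": host, "scene": name, "techniques": list(steps),
                               "start": matched[0]["ts"], "end": matched[-1]["ts"]})
    return alarms


def detect(lines: List[str]) -> List[dict]:
    """Run acquisition, screening and correlation over raw log lines."""
    events = [e for e in (parse_event(ln) for ln in lines) if e]
    return correlate(screen(events))
```

A TTP from the emulation plan whose technique never appears in any alarm is exactly the "not detected" case that the reporting stage records.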
5) Fifth stage: alarm management.
According to the result determined by the red-team simulated attack and the TTPs, an improved alert-detection plan is made for the attack processes that the original detection did not cover and for the detections with false alarms; the improved plan comprises detection means and prevention methods. To track alarm management related to attack execution, a remediation tracking table (as shown in Table 3) is added to the report. It may include the system to be modified, the modification state and its owner.
The first stage may then be re-executed.
The process of creating the secure closed loop comprises:
1. Input: threat intelligence, IOC indicators and data mining;
2. Adversary attack plan: all groups identified in the MITRE ATT&CK framework are modeled by a plan made for a particular industry and organization;
3. Simulation: follow the simulated attack plan, or construct an attack simulation with an automated adversary simulation tool. All resources used by the red team to simulate the attack are recorded, any successful detection is recorded, and a red-team report is produced that must include the executed attack plan, the attack results and the remedial actions to be taken;
4. Alarm management: construct a process and technology improvement plan according to the result determined by the red-team simulated attack and the TTPs.
The specific implementation procedure, as shown in Fig. 1, is as follows: first, input the ATT&CK techniques, threat intelligence, IOC indicators and data mining; then make a simulated attack plan and carry out the simulated attack according to it; output the executed attack plan, the results and a report of the remedial measures to be taken; and finally carry out alarm-management process construction and plan improvement on the result determined by the attack.
Table 2: Adversary emulation plan example and its current status (provided as images in the original; not reproduced here)
Table 3: Remediation tracking table
Modified system | Modified state | Owner
Linux1 | Not yet patched | Owner 1
Centos1 | Upgraded component patch | Owner 2
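The plan statuses of the second stage, the detected-over-used score of the fourth stage and the remediation tracking table of the fifth stage, worked through once around the loop as an added example (not the patent's own code): the plan entries, system names and owners are constructed, and the mapping from technique to the system that must be modified is an assumed input.

```python
"""Closed-loop tracker for an adversary emulation plan (AEP) scored against ATT&CK.
Added example, not the patent's code: models the five plan statuses (documented,
coded, executed, success/failure, detected/not detected), scores a run as TTPs
detected over TTPs used, and derives the remediation tracking table (Table 3)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(str, Enum):
    SUCCESS = "success"   # status 04: the TTP completed its objective
    FAILURE = "failure"   # status 04: it ran but did not complete its objective

@dataclass
class TTP:
    technique_id: str                  # ATT&CK technique ID, e.g. T1059
    tactic: str                        # ATT&CK tactic the technique serves here
    group: str                         # adversary group the plan emulates
    documented: bool = False           # 01: TTP recorded for the group
    coded: bool = False                # 02: red-team implementation exists
    executed: bool = False             # 03: TTP ran in the simulation
    outcome: Optional[Outcome] = None  # 04: success / failure
    detected: Optional[bool] = None    # 05: detected / not detected

@dataclass
class Remediation:  # one row of the remediation tracking table
    technique_id: str
    system: str
    state: str
    owner: str

def plan_status(ttp: TTP) -> str:
    """Highest status the TTP has reached, numbered as in the plan description."""
    if not ttp.documented:
        return "00"
    if not ttp.coded:
        return "01"
    if not ttp.executed:
        return "02"
    if ttp.outcome is None:
        return "03"
    return "04" if ttp.detected is None else "05"

def record_execution(ttp: TTP, outcome: Outcome, detected: bool) -> TTP:
    """Stages 3-4: record what the simulated TTP did and whether it was seen."""
    ttp.executed, ttp.outcome, ttp.detected = True, outcome, detected
    return ttp

def score_plan(plan: List[TTP]) -> dict:
    """Stage 4 reporting: TTPs detected over TTPs used, overall and per tactic."""
    used = [t for t in plan if t.executed]
    per_tactic: Dict[str, Tuple[int, int]] = {}   # tactic -> (used, detected)
    for t in used:
        n_used, n_det = per_tactic.get(t.tactic, (0, 0))
        per_tactic[t.tactic] = (n_used + 1, n_det + int(bool(t.detected)))
    detected = sum(1 for t in used if t.detected)
    return {"used": len(used), "detected": detected,
            "ratio": detected / len(used) if used else 0.0,
            "per_tactic": per_tactic}

def detection_gaps(plan: List[TTP]) -> List[TTP]:
    """TTPs that ran (whether or not they succeeded) but raised no alert."""
    return [t for t in plan if t.executed and not t.detected]

def build_improvement_plan(plan: List[TTP], system_owners: Dict[str, Tuple[str, str]]) -> List[Remediation]:
    """Stage 5 alarm management: one remediation row per undetected TTP.
    system_owners maps technique ID -> (system to modify, owner); assumed input."""
    rows = []
    for t in detection_gaps(plan):
        system, owner = system_owners[t.technique_id]
        rows.append(Remediation(t.technique_id, system, "Detection rule to be added", owner))
    return rows

def sample_run() -> Tuple[dict, List[Remediation]]:
    """Constructed plan for one emulated group, taken once around the loop."""
    plan = [TTP("T1566", "Initial Access", "group-A", documented=True, coded=True),
            TTP("T1059", "Execution", "group-A", documented=True, coded=True),
            TTP("T1003", "Credential Access", "group-A", documented=True, coded=True),
            TTP("T1021", "Lateral Movement", "group-A", documented=True, coded=True)]
    record_execution(plan[0], Outcome.SUCCESS, detected=True)
    record_execution(plan[1], Outcome.SUCCESS, detected=False)
    record_execution(plan[2], Outcome.FAILURE, detected=False)
    # plan[3] stays at status 02: coded but not executed in this round
    owners = {"T1059": ("ws-fleet", "Owner 1"), "T1003": ("dc01", "Owner 2")}  # constructed
    return score_plan(plan), build_improvement_plan(plan, owners)
```

The remediation rows are the input to the next pass of the first stage: once a detection rule exists and the state is updated, the same plan is re-run and the ratio should rise.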
Finally, it is also noted that the above-mentioned lists merely illustrate a few specific embodiments of the invention. It is obvious that the invention is not limited to the above embodiments, but that many variations are possible. All modifications which can be derived or suggested by the person skilled in the art from the present disclosure are to be considered within the scope of the present invention.

Claims (3)

1. The method for creating the secure closed-loop process based on MITRE ATT&CK is characterized by comprising the following steps:
1) Obtaining data to obtain the MITRE ATT&CK framework:
when creating an effective search, alert and response improvement cycle, the first requirement is input; the cycle must be routinely informed by data so that decisions about alerts and defenses are more effective; the input comprises data obtained by big-data mining, and big-data mining according to IOC indicators and threat intelligence;
2) Obtaining an adversary attack plan:
determining all adversary groups and their attack tactics in the MITRE ATT&CK framework;
continuous attack drills are run against all adversary groups determined in the MITRE ATT&CK framework according to a plan formulated for specific industries and organizations, so that technique coverage keeps expanding and the gap relative to an attacker keeps narrowing;
3) Simulating the attack according to the adversary attack plan to obtain the result determined by the simulated attack:
simulating the attack according to all the adversary groups and their attack tactics;
an internal or external attack simulation follows the simulated attack plan, or an automated adversary simulation tool is used to construct the attack simulation; this part of the test can be done automatically without human effort;
4) Constructing an improvement plan according to the result determined by the simulated attack:
hunting and reporting:
recording all resources used during the simulated attack, and recording any successful detection so that it can be evaluated when the attack simulation is finished; in the hunting framework, the best use of AEPs and attack simulation is twofold: the simulated attack techniques are combined with the actual path of the attack-and-trap process, and both are combined into the best attack-chain tactics;
first and foremost, hunting operations are informed so that real-world techniques can be found on a daily basis;
second, the AEP provides a roadmap for automatically identifying attacks with high fidelity; this is only possible if the correct TTPs can be detected;
if a TTP cannot be detected, this is an opportunity to study new tools or data-collection methods; TTPs are the attack-and-trap process, the detection of malicious activity by collecting logs and the attacker's attack-technique knowledge; if a TTP still cannot be detected after the alerting process is improved and the errors are remedied, the data-acquisition method is readjusted according to the technical characteristics;
alarm management:
according to the result determined by the simulated attack and the TTPs, an improved alert-detection plan is made for the attack processes that the original detection did not cover and for the detections with false alarms; the improved plan comprises detection means and prevention methods; to track alarm management related to attack execution, a remediation tracking table is added to the report table; it may include the system to be modified, the modification state and its owner;
the first stage may then be re-executed;
the process of creating the secure closed loop comprises:
1. the creation of input, threat intelligence, IOC indicators and data mining;
2. simulating the adversary attack plan, wherein all groups determined in the MITRE ATT&CK framework are run through a plan formulated for a specific industry and organization;
3. following the simulated attack plan, or constructing an attack simulation with an automated adversary simulation tool;
recording all resources used during the attack simulation, recording any successful detection, and producing a report that must include the executed attack plans, the attack results and the remedial measures to be taken;
4. alarm management, namely constructing a process and technology improvement plan according to the result determined by the simulated attack and the TTPs.
2. The method for creating a secure closed-loop process based on MITRE ATT&CK according to claim 1, characterized in that:
the automated adversary simulation tool is CALDERA.
3. The method for creating a secure closed-loop process based on MITRE ATT&CK according to claim 2, characterized in that:
in step 4, the TTPs of the result determined by the simulated attack are obtained; if the correct TTPs are obtained, an improvement plan is constructed manually; and if the correct TTPs are not obtained, malicious activity is detected and logs are collected to obtain the attacker's attack-technique knowledge.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911401807.5A CN111209570B (en) 2019-12-31 2019-12-31 Method for creating safe closed loop process based on MITER ATT & CK

Publications (2)

Publication Number Publication Date
CN111209570A CN111209570A (en) 2020-05-29
CN111209570B true CN111209570B (en) 2022-10-21

Family

ID=70784172

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113726803B (en) * 2021-09-02 2023-02-07 重庆邮电大学 Internet of things terminal threat detection method based on ATT & CK matrix mapping
CN113824736B (en) * 2021-11-22 2022-02-25 杭州安恒信息技术股份有限公司 Asset risk handling method, device, equipment and storage medium
CN114510714A (en) * 2022-01-14 2022-05-17 麒麟软件有限公司 Kysec safety mechanism testing method and system
CN115037523A (en) * 2022-05-17 2022-09-09 浙江工业大学 APT detection method for heterogeneous terminal log fusion

Citations (3)

Publication number Priority date Publication date Assignee Title
WO2014066500A1 (en) * 2012-10-23 2014-05-01 Hassell Suzanne P Cyber analysis modeling evaluation for operations (cameo) simulation system
CN107659543A (en) * 2016-07-26 2018-02-02 北京计算机技术及应用研究所 The means of defence of facing cloud platform APT attacks
WO2019222662A1 (en) * 2018-05-18 2019-11-21 Nehemiah Security, Llc Methods and apparatuses to evaluate cyber security risk by establishing a probability of a cyber-attack being successful

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
CN110022288A (en) * 2018-01-10 2019-07-16 贵州电网有限责任公司遵义供电局 A kind of APT threat recognition methods
CN109361534B (en) * 2018-09-20 2021-10-01 中国航天系统科学与工程研究院 Network security simulation system
CN109842632B (en) * 2019-03-27 2021-11-19 深信服科技股份有限公司 Vulnerability determination method and system of network system and related components
CN110430190B (en) * 2019-08-05 2022-08-02 北京经纬信安科技有限公司 Deception defense system based on ATT & CK, construction method and full link defense realization method

Non-Patent Citations (4)

Title
Blake E. Strom et al., "MITRE ATT&CK: Design and Philosophy", MITRE Product, 2018-07-31, full text *
Threathunter, "Starting from ATT&CK: adversary emulation and red teaming" (从ATT&CK开始——对手仿真和红队), https://www.jianshu.com/p/6cd5ec7d769c, 2019-12-04, full text *
天御攻防实验室, "ATT&CK in practice" (实战化ATT&CK), https://www.anquanke.com/post/id/185492, 2019-09-02, full text *
李乘宇 et al., "Research on a scheme for improving the threat-intelligence capability of basic telecom operators" (基础电信运营商威胁情报能力提升方案研究), 电信工程技术与标准化 (Telecom Engineering Technics and Standardization), 2019-12-15, no. 12, full text *

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant