MITRE - ATT&CKcon, profile picture
Uploaded byMITRE - ATT&CKcon
PDF, PPTX2,799 views

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

The document discusses the use of graphs for analyzing and visualizing cyber threats and attack data within the MITRE ATT&CK framework. It highlights various representation methods, such as event-centric and actor-centric graphs, to identify patterns and trends among threat actors and techniques. Key questions include the granularity of data, the completeness of received information, and potential additional data sources to enhance threat intelligence analysis.

Embed presentation

Download as PDF, PPTX
Building Graphs for Threat Intelligence ATT&CKers Think in Graphs Valentine Mairet & Samantha Gottlieb
McAfee ATR At McAfee Advanced Threat Research (McAfee ATR), our goal is to identify and illuminate a broad spectrum of threats in today's complex landscape. Valentine McAfee ATR since May 2020 Red Team and Blue Team WICCA Interests: Writing, cats, D&D Twitter: @vm00z Who
A tale of MISP triage Cyber threats and attack data are analyzed and dissected into: ▪ MITRE ATT&CK techniques ▪ Target country information ▪ Threat Actor ▪ Sector ▪ Tools used ▪ etc Threat Intelligence
Research Goal • How can we connect all this information? • Can we quickly visualize connections between events? • Can we identify patterns between threats and attacks? • Can we identify trends in the data? • What are we missing? Questions and challenges
Graphs
Based on our data… Frequency • Which techniques are observed most often? • Which actors are the most active? Popularity • Which techniques are the most common across actors? Patterns • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
Initial Representation • Dense, highly connected graph • Sparse sector and country data, offers little differentiation Event-centric Representation • Useful for questions of about frequency Actor-centric Representation • Useful for questions about actor behavioral patterns Different Graphs for Different Questions
Event-centric Graph
Actor-centric Graph
Which techniques are observed most often? Event-centric graph + Degree analysis
Which techniques the most common across actors? Actor-centric graph + Centrality algorithms
Important to try various algorithms Actor-centric graph + Community detection algorithms Can we identify groups of actors using the same techniques?
Based on our data… Frequency • Which techniques are observed most often? • Which actors are the most active? Popularity • Which techniques are the most common across actors? Patterns • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
Add in Kill Chain Information
Are actors using techniques in the same way?
Data Representation • MISP's granularity level might not be good enough if we're only using MITRE metadata to differentiate threat actors • MISP allow us to associate MITRE techniques with an event, but not to specify which kill chain step the technique was used for in the context of the event • Overall, recorded threat actors seem to be using the same techniques • Desired mapping (actor) - [uses] -> (technique:step) Remaining Issues
Conclusion • Helps us visualize data instantly • Helps us make sense of the data we see • Helps us connect cyber threats and attacks • Can do much more… Building graphs the right* way…
Conclusion • How can we add more granularity? • Is the data we receive complete enough? • Are there additional data sources to incorporate? A few questions that remain:
Thank you. Any questions?

More Related Content

PDF
Cyber threat intelligence ppt
byKumar Gaurav
 
PDF
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
PDF
Cyber Threat Intelligence
byZaiffiEhsan
 
PDF
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
PDF
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
PPTX
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
PDF
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CK Framework
byn|u - The Open Security Community
 
Cyber threat intelligence ppt
byKumar Gaurav
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
byMITRE - ATT&CKcon
 
Cyber Threat Intelligence
byZaiffiEhsan
 
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
byMITRE - ATT&CKcon
 
Proactive Threat Hunting: Game-Changing Endpoint Protection Beyond Alerting
byCrowdStrike
 
Cyber Threat Hunting Workshop
byDigit Oktavianto
 
Measure What Matters: How to Use MITRE ATTACK to do the Right Things in the R...
byMITRE - ATT&CKcon
 
MITRE ATT&CK Framework
byn|u - The Open Security Community
 

What's hot

PDF
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
PDF
Threat Hunting
bySplunk
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PDF
DTS Solution - Building a SOC (Security Operations Center)
byShah Sheikh
 
PDF
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
PDF
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
PPTX
Soc
byMukesh Chaudhari
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PDF
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
PDF
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
PDF
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
PDF
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
PDF
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
PDF
State of the ATTACK
byMITRE - ATT&CKcon
 
PDF
Threat Intelligence 101 - Steve Lodin - Submitted
bySteve Lodin
 
PDF
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
PDF
It's just a jump to the left (of boom): Prioritizing detection implementation...
byMITRE ATT&CK
 
PDF
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
PDF
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 
Would you Rather Have Telemetry into 2 Attacks or 20? An Insight Into Highly ...
byMITRE ATT&CK
 
Threat Hunting
bySplunk
 
Cyber Threat Intelligence
bymohamed nasri
 
Threat Intelligence
byDeepak Kumar (D3)
 
DTS Solution - Building a SOC (Security Operations Center)
byShah Sheikh
 
ATT&CKing the Red/Blue Divide
byMITRE ATT&CK
 
Mapping ATT&CK Techniques to ENGAGE Activities
byMITRE ATT&CK
 
Soc
byMukesh Chaudhari
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
How MITRE ATT&CK helps security operations
bySergey Soldatov
 
What is ATT&CK coverage, anyway? Breadth and depth analysis with Atomic Red Team
byMITRE ATT&CK
 
Using ATTACK to Create Cyber DBTS for Nuclear Power Plants
byMITRE - ATT&CKcon
 
FIRST CTI Symposium: Turning intelligence into action with MITRE ATT&CK™
byKatie Nickels
 
MITRE ATT&CKcon 2018: Helping Your Non-Security Executives Understand ATT&CK ...
byMITRE - ATT&CKcon
 
State of the ATTACK
byMITRE - ATT&CKcon
 
Threat Intelligence 101 - Steve Lodin - Submitted
bySteve Lodin
 
BSidesLV 2018 - Katie Nickels and John Wunder - ATT&CKing the Status Quo
byKatie Nickels
 
It's just a jump to the left (of boom): Prioritizing detection implementation...
byMITRE ATT&CK
 
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
ATT&CK Updates- ATT&CK's Open Source
byMITRE ATT&CK
 

Similar to ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

PDF
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
PDF
distinguishing-threat-actors-vectors-and-intelligence-sources-slides.pdf
byDoctorGarcia1
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
Graph Gurus Episode 22: Cybersecurity
byTigerGraph
 
PDF
Graph Gurus Episode 22: Guarding Against Cyber Security Threats with a Graph ...
byAmanda Morris
 
PDF
Caccia alle Minacce: Intelligence e Hunting nel cyberspace
bySpeck&Tech
 
PDF
Top 6 Sources for Identifying Threat Actor TTPs
byRecorded Future
 
PDF
Visualization in the Age of Big Data
byRaffael Marty
 
PDF
A Picture is Worth 1,000 Rows
byNeo4j
 
PDF
Cyber security and attack analysis : how Cisco uses graph analytics
byLinkurious
 
PDF
(SACON) Wayne Tufek - chapter five - attacks
byPriyanka Aash
 
PDF
Burning Down the Haystack to Find the Needle: Security Analytics in Action
byJosh Sokol
 
PDF
AI4Cyber-SAGE-slides.pdf
byAhmed Mohamed
 
PDF
M43057580
byIJERA Editor
 
PDF
RED-TEAM_Conclave
byNSConclave
 
PDF
ScotSecure West Summit 2024 - Glasgow 11th Sept
byRay Bugg
 
PDF
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
PDF
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
byDevOps.com
 
PPTX
The Four Types of Threat Detection and Use Cases in Industrial Security
byDragos, Inc.
 
PDF
Creating Your Own Threat Intel Through Hunting & Visualization
byRaffael Marty
 
MITRE ATTACKcon Power Hour - January
byMITRE - ATT&CKcon
 
distinguishing-threat-actors-vectors-and-intelligence-sources-slides.pdf
byDoctorGarcia1
 
Detection Rules Coverage
bySunny Neo
 
Graph Gurus Episode 22: Cybersecurity
byTigerGraph
 
Graph Gurus Episode 22: Guarding Against Cyber Security Threats with a Graph ...
byAmanda Morris
 
Caccia alle Minacce: Intelligence e Hunting nel cyberspace
bySpeck&Tech
 
Top 6 Sources for Identifying Threat Actor TTPs
byRecorded Future
 
Visualization in the Age of Big Data
byRaffael Marty
 
A Picture is Worth 1,000 Rows
byNeo4j
 
Cyber security and attack analysis : how Cisco uses graph analytics
byLinkurious
 
(SACON) Wayne Tufek - chapter five - attacks
byPriyanka Aash
 
Burning Down the Haystack to Find the Needle: Security Analytics in Action
byJosh Sokol
 
AI4Cyber-SAGE-slides.pdf
byAhmed Mohamed
 
M43057580
byIJERA Editor
 
RED-TEAM_Conclave
byNSConclave
 
ScotSecure West Summit 2024 - Glasgow 11th Sept
byRay Bugg
 
MITRE ATTACKCon Power Hour - December
byMITRE - ATT&CKcon
 
Protect Yourself from Cyber Attacks Through Proper Third-Party Risk Management
byDevOps.com
 
The Four Types of Threat Detection and Use Cases in Industrial Security
byDragos, Inc.
 
Creating Your Own Threat Intel Through Hunting & Visualization
byRaffael Marty
 

More from MITRE - ATT&CKcon

PDF
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
PDF
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
PDF
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
PDF
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
PDF
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
PDF
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
PDF
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
PDF
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
PDF
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
PDF
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
PDF
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
PDF
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
PDF
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
PDF
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
PDF
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 
ATTACK-Onomics: Attacking the Economics Behind Techniques Used by Adversaries
byMITRE - ATT&CKcon
 
Sharpening your Threat-Hunting Program with ATTACK Framework
byMITRE - ATT&CKcon
 
Helping Small Companies Leverage CTI with an Open Source Threat Mapping
byMITRE - ATT&CKcon
 
What's New with ATTACK for ICS?
byMITRE - ATT&CKcon
 
From Theory to Practice: How My ATTACK Perspectives Have Changed
byMITRE - ATT&CKcon
 
Putting the PRE into ATTACK
byMITRE - ATT&CKcon
 
What's a MITRE with your Security?
byMITRE - ATT&CKcon
 
ATTACKing the Cloud: Hopping Between the Matrices
byMITRE - ATT&CKcon
 
Mapping the EventBot Mobile Banking Trojan with MITRE ATTACK for Mobile
byMITRE - ATT&CKcon
 
Transforming Adversary Emulation Into a Data Analysis Question
byMITRE - ATT&CKcon
 
TA505: A Study of High End Big Game Hunting in 2020
byMITRE - ATT&CKcon
 
Using MITRE PRE-ATTACK and ATTACK in Cybercrime Education and Research
byMITRE - ATT&CKcon
 
What's New with ATTACK for Cloud?
byMITRE - ATT&CKcon
 
Starting Over with Sub-Techniques
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon Power Hour - November
byMITRE - ATT&CKcon
 
MITRE ATTACKcon Power Hour - October
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Flashback with ATT&CK: Exploring Malware History with AT...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Lessons in Purple Team Testing with MITRE ATT&CK; Daniel...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Prioritizing ATT&CK Informed Defenses the CIS Way; Phili...
byMITRE - ATT&CKcon
 
MITRE ATT&CKcon 2.0: Keynote Address - The Friends We Made Along the Way; Ton...
byMITRE - ATT&CKcon
 

Recently uploaded

PDF
PPT Item # 12 - 2025 Racial Profiling Report
byahcitycouncil
 
PDF
EFOW Letter to the People of the World: Between Hope and Fear
byEnergy for One World
 
PDF
EFOW Letter- to Planet Earth_Version UPDATED
byEnergy for One World
 
PDF
Rapport du Congrès de novembre 2025 sur l'enrichissement personnel de Trump
bySociété Tripalio
 
PDF
Why I Named My Nonprofit ‘Maximum Difference Foundation’
byMichael Amin
 
PDF
PPT Item # 10 - May General Election Order & Designation
byahcitycouncil
 
PDF
Item # 6 - 518 Austin Hwy (ARB #1011F - Final Review)
byahcitycouncil
 
PDF
MSC 2026 : Under Destruction Munich Security Report 2026
byEnergy for One World
 
PDF
IEA Publication : Electricity Year 2026 Full Report
byEnergy for One World
 
PDF
PPT Item # 5 -- PPT 4820 Broadway Street
byahcitycouncil
 
PDF
The Budget and Economic Outlook for 2026 to 2036: Press Briefing Slides
byCongressional Budget Office
 
PPTX
International Longevity Centre UK's impact in 2025
byILCUK
 
PDF
Item # 9 - Legal Services Contract/Renewal
byahcitycouncil
 
PPTX
Devolution-of-functions-Internatiobest-practices-March-2024-Tinashe-Chigwata....
byandrewcmwale10
 
PDF
Item # 7 - Water & Wastewater Rate Study
byahcitycouncil
 
PDF
Item # 2a - January 12, 2026 CCM Minutes
byahcitycouncil
 
PDF
PPT Item # 3 -- Announcements Powerpoint
byahcitycouncil
 
PDF
PPT Item # 6 - PPT 518 Austin Highway final review
byahcitycouncil
 
PDF
Item # 5 - 4820 Broadway St (ARB #1004F - Final Review)
byahcitycouncil
 
PDF
EFOW Brief: Some Stories of Two- Choices we are invited to make
byEnergy for One World
 
PPT Item # 12 - 2025 Racial Profiling Report
byahcitycouncil
 
EFOW Letter to the People of the World: Between Hope and Fear
byEnergy for One World
 
EFOW Letter- to Planet Earth_Version UPDATED
byEnergy for One World
 
Rapport du Congrès de novembre 2025 sur l'enrichissement personnel de Trump
bySociété Tripalio
 
Why I Named My Nonprofit ‘Maximum Difference Foundation’
byMichael Amin
 
PPT Item # 10 - May General Election Order & Designation
byahcitycouncil
 
Item # 6 - 518 Austin Hwy (ARB #1011F - Final Review)
byahcitycouncil
 
MSC 2026 : Under Destruction Munich Security Report 2026
byEnergy for One World
 
IEA Publication : Electricity Year 2026 Full Report
byEnergy for One World
 
PPT Item # 5 -- PPT 4820 Broadway Street
byahcitycouncil
 
The Budget and Economic Outlook for 2026 to 2036: Press Briefing Slides
byCongressional Budget Office
 
International Longevity Centre UK's impact in 2025
byILCUK
 
Item # 9 - Legal Services Contract/Renewal
byahcitycouncil
 
Devolution-of-functions-Internatiobest-practices-March-2024-Tinashe-Chigwata....
byandrewcmwale10
 
Item # 7 - Water & Wastewater Rate Study
byahcitycouncil
 
Item # 2a - January 12, 2026 CCM Minutes
byahcitycouncil
 
PPT Item # 3 -- Announcements Powerpoint
byahcitycouncil
 
PPT Item # 6 - PPT 518 Austin Highway final review
byahcitycouncil
 
Item # 5 - 4820 Broadway St (ARB #1004F - Final Review)
byahcitycouncil
 
EFOW Brief: Some Stories of Two- Choices we are invited to make
byEnergy for One World
 

ATTACKers Think in Graphs: Building Graphs for Threat Intelligence

  • 1.
    Building Graphs forThreat Intelligence ATT&CKers Think in Graphs Valentine Mairet & Samantha Gottlieb
  • 2.
    McAfee ATR At McAfeeAdvanced Threat Research (McAfee ATR), our goal is to identify and illuminate a broad spectrum of threats in today's complex landscape. Valentine McAfee ATR since May 2020 Red Team and Blue Team WICCA Interests: Writing, cats, D&D Twitter: @vm00z Who
  • 4.
    A tale ofMISP triage Cyber threats and attack data are analyzed and dissected into: ▪ MITRE ATT&CK techniques ▪ Target country information ▪ Threat Actor ▪ Sector ▪ Tools used ▪ etc Threat Intelligence
  • 5.
    Research Goal • Howcan we connect all this information? • Can we quickly visualize connections between events? • Can we identify patterns between threats and attacks? • Can we identify trends in the data? • What are we missing? Questions and challenges
  • 6.
  • 7.
    Based on ourdata… Frequency • Which techniques are observed most often? • Which actors are the most active? Popularity • Which techniques are the most common across actors? Patterns • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
  • 9.
    Initial Representation • Dense,highly connected graph • Sparse sector and country data, offers little differentiation Event-centric Representation • Useful for questions of about frequency Actor-centric Representation • Useful for questions about actor behavioral patterns Different Graphs for Different Questions
  • 10.
  • 11.
  • 12.
    Which techniques areobserved most often? Event-centric graph + Degree analysis
  • 13.
    Which techniques themost common across actors? Actor-centric graph + Centrality algorithms
  • 14.
    Important to tryvarious algorithms Actor-centric graph + Community detection algorithms Can we identify groups of actors using the same techniques?
  • 15.
    Based on ourdata… Frequency • Which techniques are observed most often? • Which actors are the most active? Popularity • Which techniques are the most common across actors? Patterns • Can we identify groups of actors using the same techniques? • Are actors using techniques in the same way?
  • 16.
    Add in KillChain Information
  • 17.
    Are actors usingtechniques in the same way?
  • 18.
    Data Representation • MISP'sgranularity level might not be good enough if we're only using MITRE metadata to differentiate threat actors • MISP allow us to associate MITRE techniques with an event, but not to specify which kill chain step the technique was used for in the context of the event • Overall, recorded threat actors seem to be using the same techniques • Desired mapping (actor) - [uses] -> (technique:step) Remaining Issues
  • 19.
    Conclusion • Helps usvisualize data instantly • Helps us make sense of the data we see • Helps us connect cyber threats and attacks • Can do much more… Building graphs the right* way…
  • 20.
    Conclusion • How canwe add more granularity? • Is the data we receive complete enough? • Are there additional data sources to incorporate? A few questions that remain:
  • 21.