Introduction
The number of cyberattacks continues to increase in the United States. The Internet Crime Complaint Center (IC3), managed by the FBI, serves as a central hub for reporting cybercrime and accepts reports from anyone who believes they have been a victim of internet crime, including individuals, businesses, and other organizations. It reported that members of the American public filed 847,376 complaints about cyberattacks in 2021, across all organizational affiliations and all types of cyberattack. The number of complaints has increased approximately 2.8 times compared to five years ago (Internet Crime Complaint Center, 2022). In addition, cyberattack techniques are becoming more sophisticated, so preventing every cyberattack has become unrealistic. Given this trend, it is very important to detect cyberattacks quickly and take countermeasures to minimize the damage. (Prompt detection and countermeasures are termed "incident response".)
When it is clear that a cyber-incident has happened in an organization, the incident response team has to conduct an initial analysis to confirm the extent of the incident. This includes determining which networks, systems, or applications are affected, what the source of the incident is, and how the incident is being carried out (e.g., the attack techniques and tools being used and the vulnerabilities being exploited; Scarfone et al., 2008). However, it is inefficient, and often impossible, for the team to analyze every device, system, and service in the organization, because organizations' internal networks are growing larger and more complex. Furthermore, the cybersecurity industry is widely reported to face a critical shortage of skilled workers. This means that incident response teams are forced to conduct efficient incident responses with limited human resources.
Our Contribution
In order to solve the above problems, this paper proposes an automation tool to help organizations' incident response teams conduct more efficient incident responses. The proposed tool consists of two parts. The first is a web application that extracts ATT&CK techniques from Sysmon log data. It can also visualize the ATT&CK techniques the attacker used by mapping the techniques onto the ATT&CK matrix. The second part is an automatic lateral movement detection system based on similarity scores between the initially compromised devices and other devices. The scores are calculated by applying quantification theory type 3 to the extracted techniques.
We implemented a web application to realize our proposed method. We also prepared an experimental environment simulating an organizational network, simulated actual attacks, and confirmed that mapping Sysmon logs obtained from Windows terminals to ATT&CK enabled us to visualize attackers' movements. In addition, we confirmed the usefulness of a method for finding undetected infected terminals by quantifying the similarity of these ATT&CK techniques. The main contributions of this paper are summarized as follows:
- Proposal of a method to automatically extract ATT&CK techniques from collected Sysmon logs.
- Proposal of a method to efficiently find which devices have been infected by lateral movement, based on their similarity to initially infected devices, using quantification theory type 3.
- Development of a web application to realize the proposed methods and confirm their effectiveness.
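As an added illustration of the two-part pipeline described above (this is example code written for this page, not the authors' tool): constructed Sysmon process-creation events are mapped to ATT&CK techniques through a small rule table, each host's techniques are grouped by tactic to give the cells to highlight in the ATT&CK matrix, and the host-by-technique incidence matrix is scored with quantification theory type III, computed by reciprocal averaging, so that hosts can be ranked by closeness to the initially compromised one. The host names WS-A to WS-F, the event records and the three image-name mapping rules are assumptions made for the example; the technique IDs are real ATT&CK identifiers.

```python
import math
import re
from collections import defaultdict

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the mapping rules need. Host names and images are made up for the example.
SYSMON_EVENTS = [
    {"host": "WS-A", "event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"host": "WS-A", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-B", "event_id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe"},
    {"host": "WS-B", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-C", "event_id": 1, "image": r"C:\Windows\System32\systeminfo.exe"},
    {"host": "WS-D", "event_id": 1, "image": r"C:\Windows\System32\systeminfo.exe"},
    {"host": "WS-E", "event_id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"host": "WS-E", "event_id": 1, "image": r"C:\Windows\System32\systeminfo.exe"},
    {"host": "WS-F", "event_id": 1, "image": r"C:\Windows\explorer.exe"},  # matches no rule
]

# Assumed mapping rules: (Sysmon event id, regex on Image, ATT&CK technique, tactic).
# A real rule set is much larger and also keys on CommandLine, Event ID 3
# (network connection) and Event ID 10 (process access) fields.
RULES = [
    (1, re.compile(r"\\powershell\.exe$", re.I), "T1059.001", "Execution"),
    (1, re.compile(r"\\wmic\.exe$", re.I), "T1047", "Execution"),
    (1, re.compile(r"\\systeminfo\.exe$", re.I), "T1082", "Discovery"),
]
TACTIC = {technique: tactic for _, _, technique, tactic in RULES}


def extract_techniques(events):
    """Map each Sysmon event through RULES; return {host: set(technique ids)}.
    Hosts whose events match no rule do not appear in the result."""
    found = defaultdict(set)
    for ev in events:
        for event_id, pattern, technique, _ in RULES:
            if ev["event_id"] == event_id and pattern.search(ev["image"]):
                found[ev["host"]].add(technique)
    return dict(found)


def matrix_cells(techniques):
    """Group one host's techniques by tactic: the cells to highlight in the ATT&CK matrix."""
    cells = defaultdict(set)
    for t in techniques:
        cells[TACTIC[t]].add(t)
    return dict(cells)


def qt3_scores(incidence, iterations=1000, tol=1e-12):
    """First non-trivial axis of quantification theory type III on the host x
    technique incidence matrix, computed by reciprocal averaging (the
    power-iteration form of the method). Returns ({host: score}, eigenvalue),
    where the eigenvalue is the squared correlation ratio of the axis."""
    hosts = sorted(h for h, techs in incidence.items() if techs)   # drop hosts with no row
    techs = sorted(set().union(*incidence.values()))
    row = {h: len(incidence[h]) for h in hosts}                       # row marginals
    col = {t: sum(t in incidence[h] for h in hosts) for t in techs}   # column marginals
    total = sum(row.values())

    def normalize(x):
        # Centre with row-marginal weights (removes the trivial all-equal
        # solution) and scale to unit weighted variance.
        mean = sum(row[h] * x[h] for h in hosts) / total
        x = {h: x[h] - mean for h in hosts}
        scale = math.sqrt(sum(row[h] * x[h] ** 2 for h in hosts) / total)
        if scale == 0:
            raise ValueError("all hosts have identical technique profiles")
        return {h: x[h] / scale for h in hosts}, scale

    x, _ = normalize({h: float(i) for i, h in enumerate(hosts)})   # deterministic start
    lam = 0.0
    for _ in range(iterations):
        # Technique scores are weighted means of host scores and vice versa.
        y = {t: sum(x[h] for h in hosts if t in incidence[h]) / col[t] for t in techs}
        new = {h: sum(y[t] for t in incidence[h]) / row[h] for h in hosts}
        new, lam = normalize(new)     # at convergence, new == lam * x before rescaling
        done = max(abs(new[h] - x[h]) for h in hosts) < tol
        x = new
        if done:
            break
    if x[hosts[0]] < 0:               # the sign of an axis is arbitrary; fix it
        x = {h: -v for h, v in x.items()}
    return x, lam


def rank_by_similarity(scores, seed):
    """Hosts ordered by closeness of their QT3 score to the initially compromised host."""
    return sorted((h for h in scores if h != seed),
                  key=lambda h: round(abs(scores[h] - scores[seed]), 9))


if __name__ == "__main__":
    incidence = extract_techniques(SYSMON_EVENTS)
    for host, techs in sorted(incidence.items()):
        print(host, matrix_cells(techs))
    scores, lam = qt3_scores(incidence)
    print("axis eigenvalue:", round(lam, 4))
    print("candidates for lateral movement from WS-A:", rank_by_similarity(scores, "WS-A"))
```

On this constructed data the first axis separates the hosts that executed WMIC and PowerShell from those that only ran systeminfo, with WS-E, which shares one technique with each group, in between; WS-B therefore ranks first as a lateral-movement candidate from WS-A, WS-E second. Two design points worth noting: a host whose events match no rule (WS-F) has an all-zero row and is excluded before scoring, because the row marginal would otherwise be zero, and only the first axis is used here, so with a larger technique set one would retain several axes and rank by Euclidean distance in that space.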