Singapore Institute of Technology

Investigating Patterns of Adversarial Techniques for Cyberattack Forensics

conference contribution
posted on 2025-10-10, 07:47, authored by Liming Lu, Zhenlin Yu, Kok Keong Peter Loh, Isfaque Tuhin AL Kaderi
Sophisticated cyberattacks require the expertise of forensic investigators to examine massive volumes of log data and uncover the intricacies of interconnected adversarial techniques across different attack stages. Due to variations in adversarial techniques and fragmented information, investigators often struggle with limited visibility in reconstructing events along the cyber kill chain. We identify statistical correlations of adversarial techniques by modeling their co-occurrences in advanced persistent threats as weighted connections in a graph. Our automated solution includes weighted knowledge graph construction, extraction of adversarial patterns through graph traversal, and detection of adversarial techniques guided by these patterns. Through attack simulations in two case studies, we validate the effectiveness of this approach in detecting adversarial techniques, supporting the identification of attack vectors and the reconstruction of partial kill chains even when some techniques bypass forensic investigation. This research highlights the potential to systematically investigate adversarial patterns, suggesting that future work could improve knowledge graph construction and extraction methods using advanced machine learning techniques for even better results.

Journal/Conference/Book title

2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom)

Publication date

2024-12-17

Version

  • Post-print

Rights statement

© 2025 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.
