I Introduction
A necessary component to next generation cyber attack detection or prediction algorithms is understanding the tactics and the techniques that adversaries use to learn about the network, compromise assets, and eventually achieve their end-objective (stealing information, disrupting services, etc.). Behaviors of cyber attackers are extremely diverse due to differences in skill level and/or situational behaviors given the target’s network configuration. It is unlikely that two attackers will share the exact same attack processes. Efficient extraction and comprehension of attack actions and the corresponding behaviors can enable rapid response, or even application to similar network assets for proactive cyber defense. A common framework that describes a process of attacker actions is the Cyber Attack Kill Chain, which describes the attack process as a chain of action types. Cyber defense may detect intrusion in the earlier stages of the kill chain and ‘cut the chain’ to stop the attacker from performing the later, more critical kill chain stages. Since the introduction of the Cyber Attack Kill Chain by Lockheed Martin in 2011 [KC_Lockheed], organizations have adapted the concept of a Kill Chain for specific attack types such as Advanced Persistent Threats (APT), insider threats, etc. [KC_Dell]. Typical kill chains summarize the entire attack sequence in fewer than 10 stages, creating a concise and easy to understand attacker description for both security professionals and the average person. However, when it comes to generally classifying attack actions, most kill chain descriptions are not well suited to differentiate the different tactics and techniques that an adversary may use, as they are intended to represent milestones in the attack sequence rather than the individual actions. Moskal [moskal2016knowledge] gave a comparative study of the different kill chains and summarized the various attack stages into reconnaissance, exploitation, and exfiltration categories. Table I shows the number of classes for some of the most popular kill chains.

Framework | Year | Type | # of Classes
---|---|---|---
MITRE CAPEC [barnum2008common] | 2007 | Attack Patterns | 517
Lockheed Martin [KC_Lockheed] | 2011 | Kill Chain | 7
STIX [KC_Stix] | 2012 | Attack Descriptor | 9
MITRE Kill Chain | 2013 | Kill Chain | 7
MITRE Att&ck [mitreattk] | 2013 | Attack Techniques | 295
Varonis [KC_Varonis] | 2018 | Kill Chain | 8
MITRE Unified Kill Chain [strom2018mitre] | 2018 | Kill Chain | 20
MITRE ATT&CK [strom2018mitre] uses 12 tactics to classify 295 attack technique classes and is an industry-leading and comprehensive attack-type description. However, it only considers the ‘right’ side of the kill chain (exploitation and exfiltration), and the 295 techniques can be too detailed to explicitly map to intrusion observables (e.g., IDS alerts, access logs, attack traces, etc.). This limitation inhibits the modeling and discovery of adversary behaviors and processes. Some attack techniques in ATT&CK are specific to the target network, where the adversary chose the technique because it was easily accessible in that network. In a different network, the same attacker may exercise the same thought process and come to a similar attack action with the same intended outcome, yet it leads to a different ATT&CK technique.
Observing the attacker’s actions is extremely challenging, as it is unlikely that the attacker will cooperate in resolving their intentions and thought processes. Instead, we turn to the most common and abundant source of attacker actions, Intrusion Detection System (IDS) logs, where network traffic passing through a sensor is analyzed against known signatures of specific behaviors, raising alerts to the administrators when suspicious actions are performed on the network. IDSs are not yet able to resolve the observed actions to the ATT&CK techniques due to the complexity of IDS rules. Instead, we propose the Action-Intent Framework (AIF), containing a set of Action-Intent States (AIS), that is designed to resolve the essence of ‘what’ the attacker was trying to achieve and ‘how’ they achieved it in reference to open-source IDS (e.g., Suricata and Snort) signatures. To capture ‘what’ the attacker has achieved, we define the concept of a Macro-AIS as a high level description of the outcome of the action, such as privilege escalation or data destruction. The Macro-AISs are similar to the higher-level tactics described in ATT&CK but also include reconnaissance stages and zero-day attack stages. For each Macro-AIS, we define a set of Micro-AISs that describe ‘how’ the adversary achieves the Macro-AIS. The Micro-AISs are similar to the techniques defined by ATT&CK but with a focus on action-types that are observable by an IDS and not specific to any service, operating system, or network configuration.

II Action-Intent State Selection Methodology
Kill chains, as a part of their description, imply an order of the stages to progress towards a goal and are typically specific to a type of attack/attacker. Figure 1 shows that the relevant stages for an attacker depend on the type of attacker or skill level, and the cyclical visualization implies that the adversary needs to go through multiple iterations to achieve their end goal. Our end objective is to use our defined attack stages to discover how the attack stages are used and how they relate to previous and upcoming attack stages; because of this we do not define a specific order of stages. It is this order that we want to discover, along with the reasoning behind why the attacker chose these stages and why the particular order was chosen.

Taking inspiration from MITRE Att&ck, where the “techniques” are classified under a high-level description called a “tactic”, we employ a similar two-tier structure with more restrictive and specialized criteria to better capture the intent of the action performed. Our Macro AIS definitions share commonalities with the Att&ck Tactics, but the Macro AIS focuses on resolving action-intents from the defense’s perspective, whereas tactics such as “persistence” or “defense evasion” describe intentions that may not be possible to definitively determine with just IDS logs. The Micro AIS definition also has similarities to the Att&ck Techniques; however, a key difference is that the Micro AIS does not include techniques that are specific to any one system, such as Kerberoasting, or very specialized techniques, such as exfiltration through “Audio Capture”. With these restrictions, we propose a framework to define a set of AIS so that a sequence of AIS derived from IDS observables describes the type of actions a specific attacker takes, independent of the network configuration.
To develop the AIF we define a set of guiding principles that dictate when an action or action type is added to the AIF with a corresponding Macro or Micro AIS. We intend that the AIF will evolve over time (as with MITRE Att&ck), and changes to the criteria or additional states may be defined in the future.
II-A Macro Action-Intent States
Table II contains the currently defined Macro AIS and their descriptions. Each Macro AIS gives a high level description of “what” the attacker has performed but does not describe a specific method to achieve the state. Our guiding principles for defining a Macro AIS are as follows:
- The stage describes the impact or end goal of the action,
- the stage does not describe a specific means of achieving a goal, and
  - For example, there are multiple methods to achieve “privilege escalation”, which has a specific impact.
- if an action type has technical or behavioral properties in which other macro stages do not accurately describe the action’s outcome due to different means of observability.
  - “Active reconnaissance” actions (e.g. network scanning) typically can be observed using an IDS, whereas “passive reconnaissance” like social engineering cannot be observed by traditional technical methods; the two are used in different situations.
States such as passive and active reconnaissance describe actions where the primary goal is to gather information about the target, whether it is through publicly accessible means (passive) or technical approaches such as scanning tools (active). Privilege Escalation, Targeted Exploits, Ensure Access, and Zero-Day describe some sort of exploitation of the target to allow the attacker to gain access or ensure access to the target. Although zero-days are by nature difficult to detect, these types of actions are included because the usage of zero-days is a critical differentiator of attacker behaviors, and certain types of sensors like anomaly detectors do have the capability to observe zero-days. States such as Disrupt, Distort, Destroy, Disclosure, and Delivery describe a specific end impact that an attacker may produce as either a sub-goal or end-goal of the overall attack. For example, attackers may choose to disrupt specific machines as they traverse the network to draw attention away from the action where crucial information such as customer data is disclosed to the attacker. Under each Macro AIS is a set of Micro AIS, which describe “how” the attacker chose to achieve the behavior; the Micro AIS are described in the following section.
Table II: Macro Action-Intent States

Macro AIS | Description
---|---
Passive Recon |
Active Recon |
Privilege Escalation |
Targeted Exploits |
Ensure Access |
Zero Day |
Disrupt | Disruption in services, usually from a Denial of Service.
Destroy |
Distort | Distortion in information, usually when an attack has caused a modification of a file.
Disclosure |
Delivery |
II-B Micro Action-Intent States
The Micro AIS is similar to the MITRE Att&ck techniques, with the key difference that we do not include techniques that are specific to any one service, operating system, or network. In the case of privilege escalation, MITRE Att&ck defines techniques like “Sudo” and “Bypass User Account Control”, which are legitimate techniques to gain root access to Linux and Windows machines respectively; however, the choice of one of these techniques is situational, depending on the network. The true intention of these techniques is to gain administrative access to the machine regardless of the network, thus our methodology is to combine these two techniques based on the intent, creating the Micro Action-Intent State of “Root Privilege Escalation” alongside “User Privilege Escalation”. These are two states with specific impacts to the target, used in different situations, that describe the intentions of the adversary without requiring information about the target network. Our currently defined Micro AIS are listed in Table III, and our guiding principles for selecting new states for the Micro AIS are defined below:
- The state describes a specific and unique means of achieving a macro attack stage type,
  - Network sniffing credential access and brute force credential access can both achieve privilege escalation; however, they are used in different situations and are observed differently.
- the state is service and platform agnostic,
- the state has a well defined impact on a type of target or yields a different response from the target, and
  - For example, “End-point DoS” is used to target services, whereas “Network DoS” targets a whole network, which has a significantly different impact.
  - Attackers may use different types of reconnaissance actions to reveal different characteristics of the network, its services, or its vulnerabilities.
- if the state has observable characteristics that differentiate it from other stages within the same macro attack stage.
  - The micro states “End-Point DoS” and “Service Stop” both disrupt the function of a single machine; however, end-point DoS implies disruption by, for example, exhausting system resources, whereas service stop involves directly terminating the process.
III Uses for the Action-Intent Framework
The AIF was designed with a few use cases in mind and may be adapted to a specific use case if needed. Given its focus on observable characteristics of an adversary, we believe the AIF can be used for adversarial sequence extraction from IDS alerts as shown by Moskal et al. [moskal2018isi]. Sequences of common alert types were developed and compared to other attackers to assess commonalities between attacker processes; however, the alert signature type used was not reflective of the intentions of the adversary. We believe that this work can be used to enhance the contextual meaning of these sequences so that the intent of the adversarial actions is easily interpreted. This concept requires a method to classify alert signatures to the AIF, which is not an easy task given the many different types of observables and the vast number of alert rules and architectures available; future work will be presented on this topic at a later date. Once sequences of AIS are determined, we also believe that the extracted processes of attacker actions can be simulated, where a cyber attack simulator can use the AIS as guidance to select an action that is both representative of the attacker action and possible on the target network [moskal2018cyber].
Table III: Micro Action-Intent States

Macro AIS | Micro AIS | Description
---|---|---
Passive Recon | Target Identification | Determining the organizational/network target
Passive Recon | Surfing |
Passive Recon | Social Engineering |
Active Recon | Host Discovery | Use of technical programs to uncover the location/IP of machines in the target network
Active Recon | Service Discovery | Use of technical programs to uncover the services or applications employed on a machine
Active Recon | Vulnerability Discovery | Techniques or programs to uncover vulnerabilities on a machine with a specific application or OS
Active Recon | Information Discovery |
Privilege Esc. | User Privilege Esc. | Action which results in the adversary gaining user privileges
Privilege Esc. | Root Privilege Esc. | Action which results in the adversary gaining root/admin privileges
Privilege Esc. | Account Manipulation |
Targeted Exploits | Trusted Organization Exploitation |
Targeted Exploits | Exploit Public Facing Application |
Targeted Exploits | Exploit Remote Services |
Targeted Exploits | Spearphishing |
Targeted Exploits | Service-Specific Exploitation | Use of an exploit/vulnerability specific to a system OS, application, and version
Targeted Exploits | Arbitrary Code Execution | Control over a target by establishing a communication channel between adversary and target
Ensure Access | Defense Evasion | Techniques an adversary may use to evade detection or avoid other defenses
Ensure Access | Command & Control | Control over a target by establishing a communication channel between adversary and target
Ensure Access | Lateral Movement |
Zero Day | Privilege Esc. | Undocumented action that raises the privilege level of the adversary
Zero Day | Targeted Exploit | Usage of an unpatched and possibly undocumented targeted exploit
Zero Day | Ensure Access | Unknown method to evade detection or controlling method
Disrupt | End Point DoS |
Disrupt | Network DoS | Exhaust the network bandwidth services rely on
Disrupt | Service Stop | Stop or disable services on a system to render those services unavailable to legitimate users
Disrupt | Resource Hijacking |
Destroy | Data Destruction |
Destroy | Content Wipe |
Distort | Data Encryption |
Distort | Defacement | Modify visual content available internally or externally to an enterprise network.
Distort | Data Manipulation | Insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.
Disclosure | Data Exfiltration |
Delivery | Data Delivery | Intent to place/install/deliver data that could be in the form of malware, backdoor, application, etc.
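As an added illustration of the sequence-extraction use in Section III (example code written here, not the paper's or any project's), the following Python encodes a small subset of Table III and derives a per-attacker AIS sequence from constructed Suricata fast.log lines; it shows how two platform-specific escalation signatures collapse into the single Micro AIS “Root Privilege Esc.” as Section II-B proposes. The signature ids, the signature-to-AIS mapping and the alert lines are all assumptions made up for this example.

```python
import re
from collections import defaultdict
# Constructed subset of Table III (Micro AIS -> Macro AIS); a hypothetical sample, not the full AIF.
MICRO_TO_MACRO = {
    "Host Discovery": "Active Recon", "Exploit Public Facing Application": "Targeted Exploits",
    "Root Privilege Esc.": "Privilege Esc.", "Command & Control": "Ensure Access",
    "Data Exfiltration": "Disclosure",
}
# Constructed signature-id -> Micro AIS table (sids are made up; the paper defers real rule
# classification to future work). Two platform-specific escalation signatures share one intent.
SID_TO_MICRO = {
    9000001: "Host Discovery", 9000003: "Exploit Public Facing Application",
    9000004: "Root Privilege Esc.",  # e.g. a Linux sudo-abuse style signature
    9000005: "Root Privilege Esc.",  # e.g. a Windows UAC-bypass style signature
    9000006: "Command & Control", 9000007: "Data Exfiltration",
}
# Suricata fast.log layout: "<ts>  [**] [gid:sid:rev] <msg> [**] ... {proto} src:port -> dst:port"
FAST_LOG = re.compile(r"\[\d+:(?P<sid>\d+):\d+\].*?(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")

def parse_alert(line):
    """Return (sid, src, dst) from one fast.log line, or None if it does not parse."""
    m = FAST_LOG.search(line)
    return (int(m["sid"]), m["src"], m["dst"]) if m else None

def ais_sequences(lines):
    """Per source IP, the ordered (Macro, Micro) AIS sequence with consecutive repeats collapsed,
    so a burst of scan alerts becomes one state. Unparseable lines and unmapped sids are skipped.
    Keying on src IP is a simplification; reply-direction alerts would need attacker attribution."""
    seqs = defaultdict(list)
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None or parsed[0] not in SID_TO_MICRO:
            continue
        micro = SID_TO_MICRO[parsed[0]]
        state = (MICRO_TO_MACRO[micro], micro)
        if not seqs[parsed[1]] or seqs[parsed[1]][-1] != state:
            seqs[parsed[1]].append(state)
    return dict(seqs)

# Constructed sample alert lines (not real captures); the 7th line is deliberately malformed.
SAMPLE = [
    "03/10/2019-10:00:01.000000  [**] [1:9000001:1] SCAN ping sweep [**] [Priority: 3] {ICMP} 10.0.0.5:0 -> 10.0.1.20:0",
    "03/10/2019-10:00:02.000000  [**] [1:9000001:1] SCAN ping sweep [**] [Priority: 3] {ICMP} 10.0.0.5:0 -> 10.0.1.21:0",
    "03/10/2019-10:05:00.000000  [**] [1:9000003:1] WEB exploit attempt [**] [Priority: 1] {TCP} 10.0.0.5:40001 -> 10.0.1.20:80",
    "03/10/2019-10:06:00.000000  [**] [1:9000004:1] ESC sudo abuse [**] [Priority: 1] {TCP} 10.0.0.5:40002 -> 10.0.1.20:22",
    "03/10/2019-10:06:30.000000  [**] [1:9000005:1] ESC UAC bypass [**] [Priority: 1] {TCP} 10.0.0.5:40003 -> 10.0.1.21:445",
    "03/10/2019-10:07:00.000000  [**] [1:9000006:1] C2 beacon [**] [Priority: 1] {TCP} 10.0.0.5:40004 -> 10.0.1.20:443",
    "this line is not a fast.log alert",
    "03/10/2019-10:09:00.000000  [**] [1:9000007:1] EXFIL large upload [**] [Priority: 1] {TCP} 10.0.0.5:40005 -> 10.0.1.20:443",
]
```

Running `ais_sequences(SAMPLE)` yields one attacker, 10.0.0.5, with the five-state path Host Discovery, Exploit Public Facing Application, Root Privilege Esc., Command & Control, Data Exfiltration: the two ping-sweep alerts and the two differently-signatured escalation alerts each fold into a single state.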