Log In Sign Up

Framework to Describe Intentions of a Cyber Attack Action

by   Stephen Moskal, et al.
Rochester Institute of Technology

The techniques and tactics used by cyber adversaries are becoming more sophisticated, ironically, as defense getting stronger and the cost of a breach continuing to rise. Understanding the thought processes and behaviors of adversaries is extremely challenging as high profile or even amateur attackers have no incentive to share the trades associated with their illegal activities. One opportunity to observe the actions the adversaries perform is through the use of Intrusion Detection Systems (IDS) which generate alerts in the event that suspicious behavior was detected. The alerts raised by these systems typically describe the suspicious actions via the form of attack 'signature', which do not necessarily reveal the true intent of the attacker performing the action. Meanwhile, several high level frameworks exist to describe the sequence or chain of action types an adversary might perform. These frameworks, however, do not connect the action types to observables of standard intrusion detection systems, nor describing the plausible intents of the adversarial actions. To address these gaps, this work proposes the Action-Intent Framework (AIF) to complement existing Cyber Attack Kill Chains and Attack Taxonomies. The AIF defines a set of Action-Intent States (AIS) at two levels of description: the Macro-AIS describes 'what' the attacker is trying to achieve and the Micro-AIS describes "how" the intended goal is achieved. A full description of both the Macro is provided along with a set of guiding principals of how the AIS is derived and added to the framework.


Cyberattack Action-Intent-Framework for Mapping Intrusion Observables

The techniques and tactics used by cyber adversaries are becoming more s...

Intrusion Detection for Industrial Control Systems: Evaluation Analysis and Adversarial Attacks

Neural networks are increasingly used in security applications for intru...

Active Deception using Factored Interactive POMDPs to Recognize Cyber Attacker's Intent

This paper presents an intelligent and adaptive agent that employs decep...

Augmenting Zero Trust Architecture to Endpoints Using Blockchain: A Systematic Review

With the purpose of defending against lateral movement in todays borderl...

Probabilistic Modeling and Inference for Obfuscated Cyber Attack Sequences

A key element in defending computer networks is to recognize the types o...

ProblemChild: Discovering Anomalous Patterns based on Parent-Child Process Relationships

It is becoming more common that adversary attacks consist of more than a...

Investigating co-occurrences of MITRE ATT&CK Techniques

Cyberattacks use adversarial techniques to bypass system defenses, persi...

I Introduction

A necessary component to next generation cyber attack detection or prediction algorithms is understanding the tactics and the techniques that adversaries use to learn about the network, compromise assets, and eventually achieve their end-objective (stealing information, disrupting services, etc.). Behaviors of cyber attackers are extremely diverse due to differences in skill level and/or situational behaviors given the target’s network configuration. It is unlikely that two attackers will share the exact same attack processes. Efficient extraction and comprehension of attack actions and the corresponding behaviors can enable rapid response or even application to similar network assets for proactive cyber defense. A common framework that describes a process of attacker actions is the Cyber Attack Kill Chain which describes the attack process as a chain of action types. Cyber defense may detect intrusion in the earlier stage of the kill chain and ‘cut the chain’ to stop the attacker from performing the later, more critical kill chain stages. Since the introduction of the Cyber Attack Kill Chain by Lockheed Martin in 2011 [KC_Lockheed], organizations have adapted the concept of a Kill Chain for specific attack types such as Advanced Persistent Threats (APT), insider threats, etc [KC_Dell]

. Typical kill chains summarize the entire attack sequence typically in less than 10 stages creating a concise and easy to understand attacker description for both security professionals and the average person. However, when it comes to generally classifying attack actions, most kill chain descriptions are not well suited to differentiate the different tactics and techniques that an adversary may use as they are intended to represent milestones in the attack sequence but not the individual actions. Moskal

[moskal2016knowledge] gave a comparative study of the different kill chains and summarized the various attack stages into reconnaissance, exploitation, and exfiltration categories. Table I shows the number of classes for some of the most popular kill chains.

Year Type # of Classes
MTIRE CAPEC [barnum2008common] 2007 Attack Patterns 517
Lockheed Martin [KC_Lockheed] 2011 Kill Chain 7
STIX [KC_Stix] 2012 Attack Descriptor 9
MITRE Kill Chain 2013 Kill Chain 7
MTIRE Att&ck [mitreattk] 2013 Attack Techniques 295
Varonis [KC_Varonis] 2018 Kill Chain 8
MITRE Unified Kill Chain [strom2018mitre] 2018 Kill Chain 20
TABLE I: Attack stage classifications by various organizations.

MITRE ATT&CK [strom2018mitre] uses 12 tactics to classify 295 attack technique classes and is an industry-leading and comprehensive attack-type description. However, it only considers the ‘right’ side of the kill chain: exploitation and exfiltration and the 295 techniques can be too detailed to explicitly map to intrusion observables (e.g., IDS alerts, access logs, attack traces, etc.). This limitation inhibits the modeling and discovery of adversary behaviors and processes. Some attack techniques in ATT&CK are specific to the target network, where the adversary chose the technique because it was easily accessible in that network. In a different network, the same attacker may exercise the same thought process, come to a similar attack action with the same intended outcome, yet it leads to a different ATT&CK technique.

Observing the attacker’s actions is extremely challenging as it is unlikely that the attacker will cooperate to resolve their intentions and thought processes. Instead, we turn to the most common and abundant sources of attacker’s actions, Intrusion Detection System (IDS) logs, where network traffic passing though a sensor is analyzed against known signatures of specific behaviors raising alerts to the administrators when suspicious actions are performed on the network. IDS’s are not yet able to resolve the observed actions to the ATT&CK techniques due to the complexity of IDS rules. Instead, we propose the Action-Intent Framework (AIF) containing a set of Action-Intent States (AIS) that is designed to resolve the essence of ‘what’ the attacker was trying to achieve and ‘how’ they achieved it in reference to open-source IDS (

e.g., Suricata and Snort) signatures. To capture ‘what’ the attacker has achieved, we define the concept of Macro-AIS as a high level description of the outcome of the action such as privilege escalation or data destruction. The Macro-AIS’s are similar to the higher-level tactics described in ATT&CK but also includes reconnaissance stages and zero-day attack stages. For each Macro-AIS, we define a set of Micro-AIS’s that describe ‘how’ the adversary achieves the Macro-AIS. The Micro-AIS’s are similar to the techniques defined by ATT&CK but with a focus on action-types that are observable by an IDS and not specific to any service, operating system, or network configuration.

Ii Action-Intent State Selection Methodology

Kill Chains as a part of their description imply an order of the stages to progress towards a goal and typically are specific to a type of attack/attacker. Figure 1 shows the relevant stages for an attacker depends on the type of attacker or skill level and the cyclical visualization implies that the adversary needs to go through multiple iterations to achieve their end goal. Our end objective is to use our defined attack stages to discover how the attack stages are used and relate to previous attack stages and upcoming attack stages and because of this we do not define a specific order of stages. It is this order is what we want to discover and analyze the reasoning the attacker chose these stages and why the particular order is chosen.

Fig. 1: Dell Secureworks Advanced Persistent Threat kill chain stage description

Taking inspiration from MITRE Att&ck where the “techniques” are classified under a high-level description called a “tactic”, we employ a similar two-tier structure with a more restrictive and specialized criteria to better capture the intent of the action performed. Our Macro AIS definitions contains commonalities to the Att&ck Tactics but the Macro AIS focuses on resolving action-intents from the defense’s perspective where tactics such as “persistence” or “defense evasion” describes intentions that may not be possible to definitively determine with just IDS logs. The Micro AIS definition also has similarities to the Att&ck Techniques however a key difference is that the Micro AIS does not include techniques that are specific to any one system such as Kerberoasting or very specialized techniques such as exfiltration though “Audio Capture”. With these restrictions, we propose a framework to define a set of AIS so that a sequence of AIS derived from IDS observables describes the type of actions specific attacker takes that is general to a network configuration.

To develop the AIF we define a set of guiding principals that dictate when an action or action type is added to the AIF with a corresponding macro or micro AIS. We intend that the AIF will evolve over time (as with MITRE Att&ck) and changes to the criteria or additional states may be defined in the future.

Ii-a Macro Action-Intent States

Table II contains the currently defined Macro AIS and their descriptions. Each of these Macro AIS describes a high level description of “what” the attacker has performed but does not describe a specific method of to achieve the state. Our guiding principals for defining an Macro AIS is as follows:

  1. The stage describes the impact or end goal of the action,

  2. the stage does not describe a specific means of achieving a goal, and

    • For example, there are multiple methods to achieve “privilege escalation” which has a specific impact.

  3. if an action type has technical or behavioral properties in-which other macro stages do not accurately describe the action’s outcome due to different means of observability

    • “Active reconnaissance” actions (e.g. network scanning) typically can be observed using an IDS where “passive reconnaissance” like social engineering cannot be observed by traditional technical methods and are used in different situations.

States such as passive and active reconnaissance describe actions where the primary goal is to gather information about the target whether its through publically accessible means (passive) or technical approaches using scanning tools for example (active). Privilege Escalation, Targeted Exploits, Ensure Access, and Zero-Day describe some sort of exploitation of the target to allow the attacker to gain access or ensure access to the target. Although Zero-days are by nature difficult to detect, these types of actions are included as the usage of zero days is a critical differentiator of attacker behaviors and certain types of sensors like anomaly detectors do have the capability to observe zero-days. States such as Disrupt, Distort, Destroy, Disclosure, and Delivery describes a specific end impact that an attacker may perform as either a sub-goal or end-goal of the overall attack. For example attackers may choose to disrupt specific machines as they are traversing the network to draw attention away from the action where crucial information such as customer data is disclosed to the attacker. Under each Macro AIS will be a set of Micro AIS which will describe “how” the attacker chose to achieve the behavior described in as Micro AIS in the following section.

Macro AIS Description
Passive Recon
An attempt to gain information about targeted computers
and networks without actively engaging with the systems
Active Recon
An intruder engages with the targeted system to gather information
about vulnerabilities
Privilege Escalation.
Act of exploiting a bug, design flaw or configuration oversight in an
operating system or software application to gain elevated access
Targeted Exploits
Exploits targeting a specific service, application, organizational entity,
or person
Ensure Access
Actions which expand preexisting access or circumvent active defense
Zero Day
Actions performed employing undocumented vulnerabilities or strategies
with unknown consequences where no patch exists at the time of the attack
Disrupt Disruption in services, usually from a Denial of Service.
Destruction of information, usually when an attack has caused a deletion of
files or removal of access.
Distort Distortion in information, usually when an attack has caused a modification of a file.
Disclosure of information, usually providing an attacker with a view of information
they would normally not have access to
Actions where the intent is to place/install/deliver data that could be in the form of
malware, backdoor, application, etc.
TABLE II: The Macro Action-Intent States currently defined in the framework.

Ii-B Micro Action-Intent States

The Micro AIS is similar to the MITRE Att&ck techniques but with the key difference is that we do not include techniques that are specific to any one service, operating system, or network. In the case of privilege escalation, MITRE Att&ck defines techniques like “Sudo” and “Bypass User Account Control” which are legitimate techniques to gain root access to Linux and Windows machines respectively however the choice of choosing these one of these techniques is situational depending on the network. The true intention of these techniques was to gain administrative access to the machine regardless of the network, thus our methodology is to combine these two techniques based on the intent creating the Micro Action-Intent state of “Root Privilege Escalation” and also “User Privilege Escalation”. These are two states with specific impacts to the target, used in different situations, and describes the intentions of the adversary without requiring information about the target network. Our currently defined Micro AIS is defined in Table III and our guiding principals for selecting new states for the Micro AIS is defined below:

  1. The state describes a specific and unique means of achieving an macro attack stage type,

    • Network sniffing credential access and brute force credential access can achieve privilege escalation however are used in different situations and are observed differently

  2. the state is service and platform agnostic,

  3. the state has a well defined impact on a type of target or yields different response from the target, and

    • For example, “End-point DoS” is used to target services where “Network DoS” targets a whole network which has significantly different impact

    • Attackers may use different types of reconnaissance actions to reveal different characteristics of the network, services, or vulnerabilities of a network

  4. if the state has observable characteristics that differentiates itself from other stages within the same macro attack stage.

    • The micro states for “End-Point DoS” and “Service Stop” both are disrupting the function of a single machine however end-point DoS implies disruption by exhausting system resources for example and service stop involves directly terminating the process.

Iii Uses for the Action-Intent Framework

The AIF was designed with a few use cases in mind and may be adapted to a specific use case if needed. Given its focus on observable characteristics of an adversary, we believe the AIF can be used for adversarial sequence extraction from IDS alerts as shown by Moskal et al. [moskal2018isi]. Sequences of common alert type where developed and compared to other attackers to assess commonalities between attacker processes, however the alert signature type used was not reflective of the intentions of the adversary. We believe that this work can be used to enhance the contextual meaning of these sequences so that the intent of the adversarial actions are easily interpreted. This concept requires a method to classify alert signatures to the AIF which is not an easy task given the many different types of observables and the vast number of alert rules and architectures available; a future work will be presented on this topic at a later date. Once sequences of AIS are determined, we also believe that the extracted processes of attacker actions can be simulated where a cyber attack simulator can use the AIS as guidance to select an action that is both representative of the attacker action and what is possible on the target network [moskal2018cyber].

Macro AIS Micro AIS Description
Passive Recon Target Identification Determining the organizational/network target
Using legitimate methods (websites, public documents, etc) to obtain information
about the target
Social Engineering
Non-technical strategy cyber attackers use that relies heavily on human interaction
and often involves tricking people into breaking standard security practices
Active Recon Host Discovery Use of technical programs to uncover the location/IP of machines in the target network
Service Discovery Use of technical programs to uncover the services or applications employed on a machine
Vulnerability Discovery Techniques or programs to uncover vulnerabilities on machine with a specific application or OS
Information Discovery
Actions which reveal technical information such as system configurations, file system contents,
or information about the target/entity
Privledge Esc. User Privledge Esc. Action which results in the adversary gaining user privileges
Root Privledge Esc. Action which results in the adversary gaining root/admin privileges
Network Sniffing
Credential Access
Using the network interface on a system to monitor or capture information sent over a wired
or wireless connection
Brute Force
Credential Access
Brute force techniques to attempt access to accounts when passwords are unknown or when
password hashes are obtained
Account Manipulation
Modifying permissions, modifying credentials, adding or changing permission groups,
modifying account settings, or modifying how authentication is performed
Targeted Exploits Trusted Orginization Exploitation
Access through trusted third party relationship exploits an existing connection that may
not be protected or receives less scrutiny than standard mechanisms of gaining access to a network
Exploit Public Facing Application
Use of software, data, or commands to take advantage of a weakness in an Internet-facing computer
system or program in order to cause unintended or unanticipated behavior
Exploit Remote Services
Exploitation of remote services such as VPNs, Citrix, and other access mechanisms allow users to
connect to internal enterprise network resources from external locations
An email spoofing attack that targets a specific organization or individual, seeking unauthorized
access to sensitive information
Service-Specific Exploitation Use of a exploit/vulnerability specific to a system OS, application, and version
Arbitrary Code Execution control over an target by establishing a communication channel between adversary and target
Ensure Access Defense Evasion Techniques an adversary may use to evade detection or avoid other defenses
Command & Control Control over an target by establishing a communication channel between adversary and target
Lateral Movement
Techniques that enable an adversary to access and control remote systems on a network and could,
but does not necessarily, include execution of tools on remote systems
Zero Day Privledge Esc. Undocumented action that raises the privilege level of the adversary
Targeted Exploit Usage of a unpatched and possibly undocumented targeted exploit
Ensure Access Unknown method to evade detection or controlling method
Disrupt End Point DoS
Exhausting the system resources those services are hosted on or exploiting the system to cause
a persistent crash condition
Network DoS Exhaust the network bandwidth services rely on
Service Stop Stop or disable services on a system to render those services unavailable to legitimate users
Resource Hijacking
Leverage the resources of co-opted systems in order to solve resource intensive problems which
may impact system and/or hosted service availability
Destroy Data Destruction
Destroy data and files on specific systems or in large numbers on a network to interrupt
availability to systems, services, and network resources
Content Wipe
Erase the contents of storage devices on specific systems as well as large numbers of systems
in a network to interrupt availability to system and network resources
Distort Data Encryption
Encrypt data on target systems or on large numbers of systems in a network to interrupt
availability to system and network resources
Defacement Modify visual content available internally or externally to an enterprise network.
Data Manipulation Insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.
Disclosure Data Exfiltration
Techniques and attributes that result or aid in the adversary removing files and information from
a target network
Delivery Data Delivery Intent to place/install/deliver data that could be in the form of malware, backdoor, application, etc.
TABLE III: Descriptions of the Micro Action-Intent States in the current framework with corresponding Macro AIS.