Automated Kill-Chain Extraction for Enhanced Cyber Defense
PROBLEM STATEMENT
In cybersecurity, understanding the tactics, techniques, and procedures (TTPs) of attackers is crucial for effective defense. Attackers typically work through a series of steps, known as the kill chain, exploiting vulnerabilities along the way to infiltrate and compromise systems. Analyzing PCAP (packet capture) traffic files provides valuable insight into these attacks. However, manually extracting the sequence of actions an attacker took from these files is time-consuming and error-prone. There is therefore a need for automated methods that accurately identify and extract the kill chain from PCAP traffic files.
Task
The task is to develop an automated approach for extracting an attacker's series of actions, encompassing all stages of the kill chain, from a PCAP traffic file. This involves identifying and analyzing network traffic patterns indicative of attacker behavior, such as reconnaissance, weaponization, delivery, exploitation, installation, command and control, and exfiltration. The automated solution should be able to differentiate between normal and malicious activities and accurately reconstruct the chronological order of events within the kill chain.
WORK
The PCAP file is given. It is described in the following article:
Container Orchestration Honeypot: Observing Attacks in the Wild (acm.org)
Steps:
- Literature Review: Review existing techniques for extracting information from PCAP files and reconstructing the steps attackers take during cyberattacks; the field offers a diverse landscape of methodologies and tools used by cybersecurity researchers and practitioners.
- Data Preparation: Organize and preprocess the captured PCAP traffic files to ensure consistency and compatibility across the dataset. This involves cleaning the data, extracting relevant information, and structuring it in a format suitable for analysis.
- Feature Identification: Identify key features within the PCAP traffic data that can help distinguish between normal network activities and potentially malicious behavior. This may include analyzing packet headers, payload content, timing information, and traffic patterns.
- Sequence Reconstruction: Implement algorithms to reconstruct the chronological sequence of attacker actions based on the identified features and detected patterns within the PCAP traffic. This involves linking related network events and assembling them into coherent attack chains.
- Tool Development: Develop a user-friendly tool or script that automates the extraction of attacker kill chains from PCAP traffic files. The tool should make it easy to supply PCAP files as input, run the analysis algorithms, and output the extracted kill-chain information in a human-readable format.
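The following script is an added example, not code from this project or from the honeypot paper cited above, that walks the steps listed above end to end on a small scale: it parses a PCAP file with the standard library only (data preparation), derives per-flow features such as TCP flags, distinct-port counts, inter-arrival regularity and byte volume (feature identification), maps those features onto four of the seven kill-chain stages and orders them in time (sequence reconstruction), and prints the result as a readable timeline (tool output). The IP addresses, the traffic it analyses and every threshold (10 probed ports within 5 s for a scan, 4 beacons with 10 % jitter for C2, 50 KB outbound for exfiltration) are constructed, illustrative assumptions; the capture is built in memory so the script runs offline, and `parse_pcap` accepts any microsecond-resolution Ethernet/IPv4/TCP PCAP in its place.

```python
"""Reconstruct kill-chain stages from a PCAP file (standard library only)."""
from __future__ import annotations
import struct
from collections import defaultdict
from typing import NamedTuple

SYN, ACK = 0x02, 0x10

class Event(NamedTuple):          # one TCP segment reduced to the features we score
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload_len: int

# ---- Data preparation: PCAP (link type 1 = Ethernet) -> time-ordered events ----
def parse_pcap(data: bytes) -> list[Event]:
    magic, = struct.unpack("<I", data[:4])
    e = "<" if magic == 0xA1B2C3D4 else ">"   # microsecond-resolution pcap, either byte order
    events, pos = [], 24                       # 24-byte global header
    while pos + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack(e + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # skip non-IPv4 frames
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:                                        # skip non-TCP
            continue
        tcp = ip[ihl:total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff, flags = (tcp[12] >> 4) * 4, tcp[13]
        events.append(Event(sec + usec / 1e6, ".".join(map(str, ip[12:16])),
                            ".".join(map(str, ip[16:20])), sport, dport, flags, len(tcp) - doff))
    return sorted(events, key=lambda ev: ev.ts)

# ---- Feature identification + sequence reconstruction ----
def reconstruct_kill_chain(events, scan_ports=10, scan_window=5.0,
                           beacon_min=4, beacon_jitter=0.1, exfil_bytes=50_000):
    """Return (timestamp, stage, detail) tuples in chronological order. Thresholds are assumptions."""
    stages = []
    syns = defaultdict(list)                   # bare SYNs grouped by (source, target)
    for ev in events:
        if ev.flags & SYN and not ev.flags & ACK:
            syns[(ev.src, ev.dst)].append(ev)
    scans = {}                                 # reconnaissance: many distinct ports, short window
    for (src, dst), lst in syns.items():
        ports = {ev.dport for ev in lst}
        if len(ports) >= scan_ports and lst[-1].ts - lst[0].ts <= scan_window:
            scans[(src, dst)] = ports
            stages.append((lst[0].ts, "reconnaissance", f"{src} probed {len(ports)} ports on {dst}"))
    for (src, dst), ports in scans.items():    # exploitation: scanner later sends data to a probed port
        hit = next((ev for ev in events if (ev.src, ev.dst) == (src, dst)
                    and ev.dport in ports and ev.payload_len > 0), None)
        if hit:
            stages.append((hit.ts, "exploitation", f"{src} sent {hit.payload_len} bytes to {dst}:{hit.dport}"))
    victims = {dst for _, dst in scans}        # outbound flows from scanned hosts only
    flows = defaultdict(list)
    for ev in events:
        if ev.src in victims and ev.payload_len > 0:
            flows[(ev.src, ev.dst, ev.dport)].append(ev)
    for (src, dst, dport), lst in flows.items():
        total = sum(ev.payload_len for ev in lst)
        if len(lst) >= beacon_min:             # C2: sparse, evenly spaced outbound messages
            gaps = [b.ts - a.ts for a, b in zip(lst, lst[1:])]
            mean = sum(gaps) / len(gaps)
            if mean >= 1.0 and all(abs(g - mean) <= beacon_jitter * mean for g in gaps):
                stages.append((lst[0].ts, "command_and_control", f"{src} beacons to {dst}:{dport} every {mean:.0f}s"))
        if total >= exfil_bytes:               # exfiltration: bulk outbound volume
            stages.append((lst[0].ts, "exfiltration", f"{src} pushed {total} bytes to {dst}:{dport}"))
    return sorted(stages)

# ---- Constructed sample capture (hypothetical addresses, built in memory) ----
ATTACKER, VICTIM, EXFIL_HOST = "10.0.0.5", "10.0.0.10", "10.0.0.99"

def _frame(src, dst, sport, dport, payload=b"", flags=0x18):
    """Ethernet/IPv4/TCP frame; checksums stay zero because the parser never verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def build_pcap(packets_with_ts) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in packets_with_ts:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def sample_capture() -> bytes:
    """A port sweep, one request to a probed port, periodic beacons, then a bulk upload."""
    t, pk = 1_700_000_000.0, []
    for i, port in enumerate(range(8070, 8090)):
        pk.append((t + i * 0.01, _frame(ATTACKER, VICTIM, 40000 + i, port, flags=SYN)))
    pk.append((t + 5, _frame(ATTACKER, VICTIM, 41000, 8080, b"POST /exec HTTP/1.1\r\n\r\n")))
    for i in range(6):
        pk.append((t + 60 + 30 * i, _frame(VICTIM, ATTACKER, 50000, 443, b"ping" * 8)))
    for i in range(60):
        pk.append((t + 300 + i * 0.001, _frame(VICTIM, EXFIL_HOST, 50001, 443, b"\x00" * 1400)))
    return build_pcap(pk)

if __name__ == "__main__":
    for ts, stage, detail in reconstruct_kill_chain(parse_pcap(sample_capture())):
        print(f"{ts:.3f}  {stage:<20} {detail}")
```

Each stage is attached to the earliest packet that justifies it, so sorting the stage tuples by timestamp yields the chain in the order the attacker acted. Gating the C2 and exfiltration rules on hosts that were previously scanned is what keeps ordinary periodic traffic (monitoring checks, backups) from being labelled as an attack on its own; the thresholds would be tuned against the real capture rather than taken from this example.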
Contact:
Stefano Simonetto (s.simonetto@utwente.nl)