Instrumenting OpenCTI with a Capability for Attack Attribution Support
Main Authors: | Sami Ruohonen, Alexey Kirichenko, Dmitriy Komashinskiy, Mariam Pogosova |
---|---|
Format: | Article |
Language: | English |
Published: | MDPI AG, 2024-01-01 |
Series: | Forensic Sciences |
Subjects: | cyberattack; technical cyberattack attribution; digital forensics; machine learning; cyber threat intelligence |
Online Access: | https://www.mdpi.com/2673-6756/4/1/2 |
Field | Value |
---|---|
author | Sami Ruohonen Alexey Kirichenko Dmitriy Komashinskiy Mariam Pogosova |
author_sort | Sami Ruohonen |
collection | DOAJ |
description | In addition to identifying and prosecuting cyber attackers, attack attribution activities can provide valuable information for guiding defenders’ security procedures and supporting incident response and remediation. However, the technical analysis involved in cyberattack attribution requires skills, experience, access to up-to-date Cyber Threat Intelligence, and significant investigator effort. Attribution results are not always reliable, and skillful attackers often work hard to hide or remove the traces of their operations and to mislead or confuse investigators. In this article, we translate the technical attack attribution problem to the supervised machine learning domain and present a tool designed to support technical attack attribution, implemented as a machine learning model extending the OpenCTI platform. We also discuss the tool’s performance in the investigation of recent cyberattacks, which shows its potential in increasing the effectiveness and efficiency of attribution operations. |
first_indexed | 2024-04-24T18:17:06Z |
format | Article |
id | doaj.art-8d7c1a1162834d35b36d05a327c6f59c |
institution | Directory Open Access Journal |
issn | 2673-6756 |
language | English |
last_indexed | 2024-04-24T18:17:06Z |
publishDate | 2024-01-01 |
publisher | MDPI AG |
record_format | Article |
series | Forensic Sciences |
doi | 10.3390/forensicsci4010002 |
author_affiliations | Sami Ruohonen: WithSecure Corporation, Tammasaarenkatu 7, 00180 Helsinki, Finland; Alexey Kirichenko: Faculty of Information Technology, University of Jyväskylä, Seminaarinkatu 15, 40014 Jyväskylä, Finland; Dmitriy Komashinskiy: WithSecure Corporation, Tammasaarenkatu 7, 00180 Helsinki, Finland; Mariam Pogosova: WithSecure Corporation, Tammasaarenkatu 7, 00180 Helsinki, Finland |
title | Instrumenting OpenCTI with a Capability for Attack Attribution Support |
topic | cyberattack technical cyberattack attribution digital forensics machine learning cyber threat intelligence |
url | https://www.mdpi.com/2673-6756/4/1/2 |