Predictive Analytics for Adversary Techniques in the MITRE ATT&CK Framework using Rule Mining
2024-10-25 , Europe - Main Room

In this presentation, Tristan Madani will delve into "Predictive Analytics for Adversary Techniques in the MITRE ATT&CK Framework using Rule Mining." This talk introduces a novel approach to predicting potential adversary techniques by leveraging historical attack data and applying association rule mining. Attendees will gain insights into how the MITRE ATT&CK framework can be utilized to enhance threat hunting and incident response capabilities. Key takeaways include understanding the methodology behind rule mining, the practical application of the Apriori and FP-Growth algorithms, and the implications of the findings for proactive cybersecurity measures. This presentation is essential for cybersecurity professionals looking to stay ahead of evolving threats by anticipating adversary actions.


Detailed Outline

  1. Introduction (3 minutes)
    - Greeting and Introduction
    - Brief introduction of Tristan Madani and his credentials.
    - Overview of the presentation’s objectives.

  2. Overview of MITRE ATT&CK Framework (5 minutes)
    - Introduction to MITRE ATT&CK
    - Explanation of the framework's purpose and structure.
    - Importance in the cybersecurity community.
    - Challenges Addressed
    - Discuss the vast number of TTPs and their evolution.
    - Need for prioritizing and predicting critical techniques.

  3. Methodology (7 minutes)
    - Data and Tools Used
    - Description of the dataset (version 13.1, May 2023) and STIX 2.1 format.
    - Tools used for data manipulation (Python).
    - Rule Mining Techniques
    - Explanation of Apriori and FP-Growth algorithms.
    - Definition of key parameters: min_support (0.2) and min_threshold (0.7).
    - Process
    - Conversion of TTP data into transactional data.
    - Generation of frequent itemsets and association rules using the Mlxtend library.
    - Filtering and sorting rules based on support, confidence, lift, and Zhang's metric.

  4. Key Findings (10 minutes)
    - Top Association Rules
    - Presentation of the top 5 rules using different metrics (confidence, lift, conviction, Zhang's metric).
    - Significant Associations
    - Brief discussion of notable associations:

    • T1204.001 (Malicious Link) with T1566.002 (Spearphishing Link).
    • T1059.005 (Visual Basic) with T1204.002 (Malicious File) and T1566.001 (Spearphishing Attachment).
    • T1203 (Exploitation for Client Execution) with T1566.001 and T1204.002.
    • Insights on Tactics
    • Key findings related to specific tactics like Initial Access, Execution, Command and Control.
    • Importance of associations involving PowerShell, Windows Command Shell, etc.
  5. Visual Representations (3 minutes)
    - Heat Maps and Parallel Coordinates
    - Explanation of these visual tools.
    - Brief examples to illustrate strong relationships and patterns.

  6. Conclusion (2 minutes)
    - Implications for Cybersecurity
    - Practical benefits of the predictive approach for threat hunting and proactive defense.
    - How organizations can prioritize security resources based on predictions.
    - Future Enhancements
    - Potential for enhancing the dataset with more comprehensive data.
    - Importance of ongoing research to keep up with evolving threats.

  7. Q&A (5 minutes)
    - Open the Floor for Questions
    - Encourage audience questions and discussion.

Total Time: 30 minutes

Tristan is a dedicated and motivated professional committed to delivering positive results and fostering continuous improvement in his work. Over the years, he has accumulated extensive experience in both Offensive (Red Teaming, Penetration Testing, Vulnerability Research) and Defensive Security (Threat Hunting, Incident Response, Digital Forensics, Malware Reverse Engineering), as well as systems and networks. Additionally, Tristan finds fulfillment in sharing his knowledge through Cyber Security Training, recognizing the value of collaboration and ongoing learning in this dynamic field.

This speaker also appears in: