
Method of normalization of fields of external sources of the MITRE CTI cyberattack data repository

Abstract

Borisov V.I., Fedorchenko E.V.

Incoming article date: 18.04.2023

The growing complexity of industrial systems significantly enlarges the surface of possible cyber attacks and therefore calls for reliable methods of assessing infrastructure security. Modern security assessment methods rely on large volumes of data whose representation is often not standardized. One such source is the MITRE ATT&CK knowledge base, which describes attack techniques in a format that can be processed programmatically. This work addresses the problem of normalizing the fields of the external sources that describe an attack technique, in order to make work with the repository above more efficient. The proposed method relies on the provision in the STIX language specification, which is used to describe the data presented in MITRE ATT&CK, for extending the data model and using open vocabularies. The method was developed on the attack technique data of the Enterprise matrix, the most complete of all ATT&CK domains; however, the method itself is domain-independent.
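As an added illustration (not the authors' method or code), the following normalizes the `external_references` of an ATT&CK-style STIX attack-pattern onto one schema using an assumed, constructed open vocabulary for source names; the sample object, its IDs and URLs are constructed placeholders, and unknown sources fall back to the URL host so the field stays comparable.

```python
from urllib.parse import urlparse

# Assumed open vocabulary (constructed): raw source_name -> canonical label.
SOURCE_VOCAB = {
    "mitre-attack": "mitre-attack",
    "mitre-mobile-attack": "mitre-attack",
    "capec": "capec",
}

def normalize_reference(ref: dict) -> dict:
    """Map one STIX external_reference onto the assumed normalised schema."""
    raw_name = (ref.get("source_name") or "").strip()
    source = SOURCE_VOCAB.get(raw_name.lower())
    url = (ref.get("url") or "").strip()
    if source is None:
        # Unknown source: fall back to the URL host so the field stays
        # comparable across techniques; 'unknown' when there is no URL.
        source = (urlparse(url).netloc.lower() if url else "") or "unknown"
    return {
        "source": source,
        "external_id": ref.get("external_id"),  # None when absent
        "url": url or None,
        "description": ref.get("description"),
    }

def normalize_attack_pattern(obj: dict) -> list:
    """Return the normalised, deduplicated references of one attack-pattern."""
    if obj.get("type") != "attack-pattern":
        raise ValueError("expected a STIX attack-pattern object")
    seen, out = set(), []
    for ref in obj.get("external_references", []):
        norm = normalize_reference(ref)
        key = (norm["source"], norm["external_id"], norm["url"])
        if key not in seen:
            seen.add(key)
            out.append(norm)
    return out

# Constructed sample (placeholder IDs, not a real ATT&CK technique).
SAMPLE = {
    "type": "attack-pattern",
    "id": "attack-pattern--00000000-0000-4000-8000-000000000000",
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "T9999",
         "url": "https://attack.mitre.org/techniques/T9999"},
        {"source_name": "CAPEC", "external_id": "CAPEC-0"},
        {"source_name": "Some Vendor Blog", "url": "https://blog.example.com/post"},
        {"source_name": "capec", "external_id": "CAPEC-0"},
    ],
}
```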

Keywords: threat analysis, knowledge base, information security, MITRE ATT&CK, standardization