Attack Hypothesis Generation

2019 European Intelligence and Security Informatics Conference (EISIC)(2019)

Cited by 9 | Views 28

Abstract
In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat-and-mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlation, machine learning, and advanced visualizations to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG), which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and on the preliminary analysis provided by a security analyst, AHG produces an attack hypothesis comprising as-yet-unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that, when implemented with the MITRE ATT&CK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.
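The abstract describes recommending unobserved techniques and tools from a threat-intelligence knowledge graph seeded with an analyst's preliminary findings. The following is an added illustration of that idea, not code from the paper and not one of its five algorithms: it uses a single, simple neighbourhood-based recommender (Jaccard similarity between the observed technique set and each group's known technique set, then weighted voting from the most similar groups). The group-to-technique and group-to-tool links are constructed for the example; the technique IDs and tool names follow ATT&CK naming but the graph is not ATT&CK data.

```python
"""Toy knowledge-graph recommender for attack hypothesis generation.

Given the techniques an analyst has already observed, rank techniques and
tools that have NOT been observed yet, by looking at threat groups in a
small ATT&CK-like graph whose known behaviour overlaps with the observation.
This is an illustration written for this page, not the paper's algorithms.
"""
from collections import defaultdict

# Constructed sample graph (assumption: made-up links, not real ATT&CK data).
# Edges: group -> set of technique IDs, group -> set of tool names.
GROUP_TECHNIQUES = {
    "GroupA": {"T1566", "T1059", "T1003", "T1021"},
    "GroupB": {"T1566", "T1059", "T1047", "T1041"},
    "GroupC": {"T1190", "T1505", "T1136"},
    "GroupD": {"T1566", "T1003", "T1021", "T1041"},
}
GROUP_TOOLS = {
    "GroupA": {"Mimikatz", "PsExec"},
    "GroupB": {"Cobalt Strike"},
    "GroupC": {"China Chopper"},
    "GroupD": {"Mimikatz", "Cobalt Strike"},
}


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def recommend(observed, group_techniques=GROUP_TECHNIQUES,
              group_tools=GROUP_TOOLS, top_groups=3):
    """Rank unobserved techniques and tools for the analyst to look for.

    Returns (techniques, tools, neighbours): the first two are lists of
    (item, score) sorted by descending score then name; neighbours lists the
    (similarity, group) pairs that contributed. Groups with zero overlap are
    ignored, so an observation matching nothing yields empty recommendations
    rather than a noisy guess.
    """
    observed = set(observed)
    scored = sorted(((jaccard(observed, techs), g)
                     for g, techs in group_techniques.items()), reverse=True)
    neighbours = [(s, g) for s, g in scored if s > 0][:top_groups]

    tech_scores = defaultdict(float)
    tool_scores = defaultdict(float)
    for sim, g in neighbours:
        # Each similar group votes, weighted by its similarity, for the
        # techniques it is known to use that the analyst has not seen yet...
        for t in group_techniques[g] - observed:
            tech_scores[t] += sim
        # ...and for the tools it is known to use.
        for tool in group_tools.get(g, ()):
            tool_scores[tool] += sim

    def rank(d):
        return sorted(d.items(), key=lambda kv: (-kv[1], kv[0]))

    return rank(tech_scores), rank(tool_scores), neighbours


if __name__ == "__main__":
    # Analyst's preliminary analysis: phishing plus credential dumping seen.
    techs, tools, nbrs = recommend({"T1566", "T1003"})
    print("similar groups:", nbrs)
    print("look for techniques:", techs)
    print("look for tools:", tools)
```

With the two observed techniques, GroupA and GroupD tie as the closest neighbours and GroupB contributes weakly, so the top hypothesis is lateral movement via T1021 (shared by both close groups) and Mimikatz as the most likely unobserved tool. A real deployment would replace the toy graph with one built from CTI reports and would weight edges by report recency and confidence, which this illustration does not do.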
Keywords
Threat intelligence, attack hypothesis, knowledge graphs