Enriching Attack Models with Cyber Threat Intelligence

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Author: Andreas Gylling; [2020]


Abstract: As cyber threats continue to grow and expert resources are limited, organisations need to find ways to evaluate their resilience efficiently and take proactive measures against an attack from a specific adversary before it occurs. Threat modelling is an excellent method of assessing the resilience of ICT systems, forming Attack (Defense) Graphs (ADGs) that illustrate an adversary's attack vectors and allow analysts to identify weaknesses in the systems. Cyber Threat Intelligence (CTI) is information that helps us understand the current cyber threats we are facing, but it has little integration with ADGs. This thesis attempts to resolve that by evaluating how CTI feeds on known Threat Actors can be used to enrich Attack (Defense) Graphs in the threat modelling tool securiCAD. The purpose is to allow security administrators to take proactive measures and strengthen their ICT systems against the current methods used by any Threat Actor that is believed to pose a threat to them. The work is also part of the larger EU project SOCCRATES.

This resulted in a tool that generates an Attacker Profile based on a Threat Actor's capabilities and techniques, where techniques are methods for accomplishing specific attack steps. The Attacker Profile is then integrated with securiCAD to tweak the underlying parameters of securiCAD's attack steps, so that the security of a model can be assessed with respect to the specified adversary. In securiCAD, simulations run against a model of the infrastructure with a sequence of attack steps, determined by probability, to form the attacker's possible attack vectors. We saw evidence that the generated Attacker Profile accurately represented the Threat Actor's commonly used Tactics, Techniques and Procedures (TTPs) and adjusted the attack vectors accordingly when running the simulation.

A proof of concept of integrating CTI feeds with threat modelling was thereby established, helping security analysts assess weaknesses in their systems if they were to be attacked by a specific Threat Actor.
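The abstract describes the core idea, an Attacker Profile derived from a Threat Actor's known techniques that re-weights the probabilities of individual attack steps, but not how such a profile is computed. The following is an added illustration written for this page, not the thesis tool's code and not securiCAD's API. It assumes a CTI feed that lists ATT&CK-style technique IDs per actor (the feed contents and the actor name are constructed sample data), a hypothetical mapping from attack steps to the techniques that accomplish them, and a simple weighting scheme: a step's base probability is kept when the actor is known to use every technique behind it, scaled down towards a floor when none of them is attributed to the actor. The floor is deliberate: a step with no attributed technique is absence of evidence, not evidence that the adversary cannot perform it, so it must never be zeroed out.

```python
from typing import Dict, Set

# Constructed sample CTI feed: technique IDs attributed to each Threat Actor.
# "ACTOR-1" is a placeholder name, not a real intrusion set.
CTI_FEED: Dict[str, Set[str]] = {
    "ACTOR-1": {"T1566", "T1078", "T1021"},
}

# Hypothetical mapping from attack steps in the model to the techniques that
# accomplish them. Step names are illustrative, not securiCAD identifiers.
ATTACK_STEP_TECHNIQUES: Dict[str, Set[str]] = {
    "InitialAccess.phish": {"T1566"},              # Phishing
    "InitialAccess.exploitPublicApp": {"T1190"},   # Exploit Public-Facing Application
    "Credentials.useValidAccounts": {"T1078"},     # Valid Accounts
    "LateralMovement.remoteServices": {"T1021", "T1570"},  # Remote Services, Lateral Tool Transfer
}

# Assumed scheme: fraction of a step's techniques the actor is known to use.
# A step with no attributed technique keeps FLOOR of its base probability
# rather than dropping to zero (absence of evidence is not evidence of absence).
FLOOR = 0.2


def build_attacker_profile(actor: str, feed: Dict[str, Set[str]] = CTI_FEED,
                           step_map: Dict[str, Set[str]] = ATTACK_STEP_TECHNIQUES
                           ) -> Dict[str, float]:
    """Return a capability score in [0, 1] for every attack step.

    Raises KeyError for an actor the feed does not know, so a typo in the
    actor name cannot silently produce an all-floor profile.
    """
    if actor not in feed:
        raise KeyError(f"unknown threat actor: {actor}")
    actor_techniques = feed[actor]
    profile = {}
    for step, techniques in step_map.items():
        covered = len(techniques & actor_techniques)
        profile[step] = covered / len(techniques) if techniques else 0.0
    return profile


def adjust_step_probabilities(base: Dict[str, float],
                              profile: Dict[str, float]) -> Dict[str, float]:
    """Scale each step's base probability by its capability score.

    adjusted = base * (FLOOR + (1 - FLOOR) * score), rounded to avoid
    float noise. Steps absent from the profile are left untouched.
    """
    adjusted = {}
    for step, p in base.items():
        score = profile.get(step)
        if score is None:
            adjusted[step] = p
            continue
        adjusted[step] = round(p * (FLOOR + (1.0 - FLOOR) * score), 4)
    return adjusted


def ranked_steps(adjusted: Dict[str, float]) -> list:
    """Attack steps ordered from most to least likely for this adversary."""
    return sorted(adjusted, key=lambda s: adjusted[s], reverse=True)


if __name__ == "__main__":
    # Uniform base probabilities stand in for the model's own parameters.
    base = {step: 0.5 for step in ATTACK_STEP_TECHNIQUES}
    prof = build_attacker_profile("ACTOR-1")
    adj = adjust_step_probabilities(base, prof)
    for step in ranked_steps(adj):
        print(f"{step:35s} score={prof[step]:.2f} p={adj[step]:.4f}")
```

Against the sample feed, the phishing and valid-accounts steps keep their base probability, the public-facing exploit step falls to the floor, and the lateral-movement step sits in between because only one of its two techniques is attributed to the actor. Feeding the adjusted values into a simulation is what shifts the resulting attack vectors towards the paths this particular adversary is known to take.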
