Conference:  Black Hat Asia 2023

Authors: Lorin Wu, Porot Mo, Jack Tang

2023-05-11

Nowadays, more and more security assessments will use BAS (Breach and Attack Simulation) solutions. However, two problems become important and difficult.1. How to grasp the TTPs (Tactics, Techniques, and Procedures) used by cyberattacks in the wild in a timely and highly automated manner.2. How to synthesize attack chains of TTPs which is adaptive to this enterprise's defense-in-depth system, in order to evaluate the target's defense capability.We proposed and created a novel TTP-Oriented knowledge-graph based method that can highly automate grasp TTP intelligence from threat intelligence information and reason adaptive attack chains for security evaluation. The solution contains 2 highlights:1. Construction of TTP-Oriented Knowledge Graph. In order to extract timely TTP entities for knowledge graph from unstructured intelligence sources, we use a distant supervised relation extraction model based on a deep residual convolutional neural network and attention mechanism. This method can be used for both English and Chinese information sources.2. We have constructed the reasoning ability of this knowledge graph so that it can synthesize adaptive attack chains of TTPs to evaluate the status of the enterprise's defense-in-depth system.