Mapping the Security Events to the MITRE ATT&CK Attack Patterns to Forecast Attack Propagation (Extended Abstract)

Modern information systems generate a lot of events. Analysis of the events allows detecting malicious activity within the system. There are a lot of event correlation techniques intended for the detection of cyber security incidents and different types of cyber attacks, as well as there are a lot of techniques for multi-step attack modeling. At the same time, most modern security event management solutions do not allow mapping the detected security incidents to the specific stage of the targeted multi-step cyber attack, forecasting the next steps of the cyber attack, and selecting the proactive responses automatically. In this paper the technique to map the detected incidents to the stages of the targeted cyber attacks is proposed. The technique is based on the set of correlation rules "Emerging Threats" for events correlation to get cyber security incidents and on the set of "Targeted Attack Analyzer (Indicators Of Attack)" rules describing security incidents (signatures) using Sigma language and integrated with the MITRE ATT&CK database. The developed technique allows mapping the events detected in the system under analysis to the MITRE ATT&CK attack patterns and in prospect forecasting the targeted cyber attack development and automatically responding against the detected cyber security incidents. The technique is implemented using Python language and tested to demonstrate mapping of the detected incidents to the known attack patterns using the deployed test environment.