Extracting network based attack narratives through use of the cyber kill chain: A replication study

Journal: IT-Information Technology (Impact Factor 1, Q4, Computer Science, Information Systems)
Publication date: 2022-02-18
DOI: 10.1515/itit-2021-0059
Authors: Aaron Weathersby, M. Washington
Citation count: 1

Abstract

The defense of a computer network requires defenders both to understand when an attack is taking place and to understand the larger strategic goals of their attackers. In this paper we explore this topic through the replication of a prior study, “Extracting Attack Narratives from Traffic Datasets” by Mireles et al. [Athanasiades, N., et al., Intrusion detection testing and benchmarking methodologies, in First IEEE International Workshop on Information Assurance. 2003, IEEE: Darmstadt, Germany]. In their original research, Mireles et al. proposed a framework linking a particular cyber-attack model (the Mandiant Life Cycle Model) and the identification of individual attack signatures into a process that provides higher-level insight into an attacker, in what they termed attack narratives. In our study we both replicate the original authors' work and move the research forward by integrating many of the suggestions Mireles et al. provided that would have improved their study. Through our analysis, we confirm the concept that attack narratives can provide additional insight beyond the review of individual cyber-attacks. We also built upon one of their suggested areas by exploring their framework through the lens of the Lockheed Martin Cyber Kill Chain. While we found the concept to be novel and potentially useful, we found challenges replicating the clarity Mireles et al. described. In our research we identify the need for additional research into describing further components of an attack narrative, including the nonlinear nature of cyber-attacks and issues of identity and attribution.
Source journal: IT-Information Technology (Computer Science, Information Systems)
CiteScore: 3.80
Self-citation rate: 0.00%
Articles published: 29