Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs: Supplementary Materials

This repository contains proof-of-concept implementation of an approach from paper Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs.

If you use or further modify this implementation, please use the following reference to cite the original work:

• SADLEK, Lukáš; YAMIN, Muhammad Mudassar; ČELEDA, Pavel; KATT, Basel. Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs. 2024.

The installation guide was inspired by our previous work.

Structure of repository

The repository is structured into several folders.

• Folder alerts contains Wazuh data captured during six days. Files should be decompressed.
• Folder evaluation contains files related to the evaluation.
  • File analysis.py contains functionality for computing evaluation results presented in the paper.
  • File ground_truth.py contains ground truth and related constants.
  • File scenarios.md contains description of attack procedures used during attack scenarios.
• Folder outputs contains important files present in the MulVAL working directory after execution of this implementation.
  • File input_file.P contains input for the MulVAL generator.
  • Files VERTICES.CSV and ARCS.CSV contain vertices and edges from the attack graph.
  • File attack_paths.zip contains attack paths used during evaluation.
  • File KCAG.zip contains kill chain attack graph generated during evaluation.
  • Files results.txt and results_threshold05.txt are results for individual days of evaluation when no threshold and 0.5 threshold were used.
  • File roc_jisa_final.pdf contains ROC curve for the approach.
  • File sequences_sorted.json contains evidence paths generated during the evaluation.
  • Files with suffix with_ports are variants containing port numbers.
• Folder rules contains the ruleset created using the KCAG methodology described in the paper.

Implementation of the method

The proof-of-concept implementation contains several files:

• custom_detection.py contains custom detection of several attack techniques.
• evidence_path.py contains functionality that processes data from the SIEM server and identifies sequences of attack techniques.
• final_report.py determines the final evaluation of the severity levels for IP addresses and sequences of attack techniques.
• generator.py contains procedure for generating the attack graph.
• input_convertor.py converts input JSON files into input files for MulVAL.
• output_postprocessing.py processes the attack graph generated by MulVAL. It adds kill chain phases and labels for vertices. It also determines strategic phases, techniques, and countermeasures.
• run_mulval.py contains utility that runs MulVAL from command line.
• utils.py contains utilities that return set of phases and mapping function of techniques. They also check kill chain phases.

Mapping of Modules

Mapping of names from the CTS Analyzer architecture to filenames used in supplementary materials:

Name in the Paper	Python Module(s)
Input converter	input_convertor.py
MulVAL attack graph generator	generator.py, run_mulval.py
Attack graph post-processing	output_postprocessing.py
Custom detection	custom_detection.py
Evidence path constructor	evidence_path.py
Reporting tool	final_report.py
—	utils.py

Evaluation

Testing Subnet

Evaluation was accomplished in a testbed that contained two copies of identical /16 subnet. The first one with range 10.11.0.0/16 was used for testing purposes. The second one with range 10.12.0.0/16 was used for executing attack scenarios listed in the paper. Even though we aimed to limit the influence of testing subnet on the published data, some data from the subnet can appear in the published data mainly for DNS and active directory servers. However, they should not influence results from the evaluation.

Mapping of Hostnames, IP Addresses, and Operating Systems

Hostname	IP Address	Operating System
internal-m-1	10.12.1.10	Microsoft Windows Server 2022 Standard
internal-m-2	10.12.1.20	Microsoft Windows Server 2022 Standard
web-machine-1	10.12.2.10	Ubuntu 20.4 LTS
web-machine-2	10.12.2.20	Ubuntu 20.4 LTS
dmz-machine-1	10.12.3.10	Ubuntu 20.4 LTS
dmz-machine-2	10.12.3.20	Ubuntu 20.4 LTS
ad-server	10.77.77.77	Microsoft Windows Server 2022 Standard
dns-server	10.10.10.10	Ubuntu 20.4 LTS

How to use

First, it is necessary to create input files for MulVAL. If your system contains created directory /tmp/mulval_dir, you can execute the following commands. Otherwise, create the folder with name /tmp/mulval_dir before executing the following commands.

from input_convertor import convert_input
convert_input('/tmp/mulval_dir/input_file.P')

The next step is to generate the KCAG. The following commands will output its attack paths, strategic techniques, and strategic countermeasures.

from generator import generate_kcag
generate_kcag()

As the last step, it is necessary to process data from the SIEM server and determine the severity levels. This functionality is provided by the following commands.

from evidence_path import process_restricted_files
process_restricted_files()

Functionality from evaluation/analysis.py can be executed to obtain results from the evaluation.

Installation

The implementation uses MulVAL. The installation guide was tested with:

• openjdk-8-jdk (works with the dom4j dependency),
• Ubuntu 20.04 (Ubuntu 22.04 may use a too new version of the c++ compiler).

It is necessary to install MulVAL:

$ wget -P /opt https://people.cs.ksu.edu/~xou/argus/software/mulval/mulval_1_1.tar.gz
$ cd /opt
$ tar -xzf mulval_1_1.tar.gz
$ rm mulval_1_1.tar.gz

MulVAL also requires XSB as installation prerequisite:

$ wget -P /opt http://xsb.sourceforge.net/downloads/XSB.tar.gz
$ tar -xzf XSB.tar.gz
$ rm XSB.tar.gz

Then you need to set environment variables for MulVAL and XSB. PATH must contain paths to MulVAL and XSB.

$ export MULVALROOT=/opt/mulval
$ export XSBROOT=/opt/XSB
$ export PATH=$PATH:$MULVALROOT/bin:$MULVALROOT/utils:$XSBROOT/bin:$XSBROOT/build

It is necessary to compile XSB and MULVAL. Install C++ compiler, Java, and bison and flex in you system. For C++ compiler, bison and flex:

$ apt-get install build-essential
$ apt-get install bison flex

You may also have to install make and g++ if you don't have them already. (apt-get).

Now, you need to make XSB using these commands:

$ cd XSB/build
$ ./configure
$ ./makexsb

After that you can test your XSB installation using

$ /opt/XSB/bin/xsb

and type halt. to exit XSB (with dot at the end).

Now, you need to compile MULVAL:

$ cd /opt/mulval
$ make

If output of make command contains javac: Command not found it means that you don't have Java installed in your system or Java is not in your PATH. Note: you need JDK and in it javac command. Add to PATH the directory which contains javac command.

Open JDK may also require dom4j JAR package. Switch to folder for external java packages, which has usually form of /usr/lib/jvm/<name of java>/jre/lib/ext and then download the required JAR using:

wget -P . https://github.com/dom4j/dom4j/releases/download/dom4j_1_6_1/dom4j-1.6.1.jar

After successful make of MULVAL you can run testing command (in MULVALROOT directory)

$ cd testcases/3host/
$ graph_gen.sh input.P -l -p

Configuration file

You need to set variables in conf.ini before running the generator.

• Set mulval_root/xsb_root variables to the same path you used when installing MULVAL / XSB.
• Variable mulval_dir should contain location of directory in which the files necessary for AG generation will be created.
• Variable interaction_rules_file points to rules/ruleset.P file. Change its value only in a case you want to rename this file and rename the file appropriately.

Requirements

Necessary requirements are listed in file requirements.txt. Functionality was tested with Python 3.9 and 3.10. Install with pip3 install -r requiremets.txt. (requires pip3 to be installed)