advanced-cyber-analytics-for-attack-detection

This is a GitHub repository for collaboratively exploring and testing for our Cybersecurity Project of the Mathematics of Cybersecurity course at the University of Bristol.

https://github.com/gabejg/advanced-cyber-analytics-for-attack-detection


Repository

Basic Info
  • Host: GitHub
  • Owner: gabejg
  • License: gpl-3.0
  • Language: HTML
  • Default Branch: main
  • Size: 623 MB
Statistics
  • Stars: 6
  • Watchers: 1
  • Forks: 1
  • Open Issues: 0
  • Releases: 0
Created about 5 years ago · Last pushed almost 5 years ago
Metadata Files
  • Readme
  • License
  • Citation

README.md

Advanced-Cyber-Analytics-for-Attack-Detection

This is a GitHub repository for collaboratively exploring and testing for our Cybersecurity Project as part of the Mathematics of Cybersecurity course at the University of Bristol.

Project Collaborators

Our group consists of four members:
  • Alex Caian
  • Gabriel Grant
  • Luke Hawley
  • Matt Corrie

We have worked on this project collaboratively, but each of us also keeps a personal folder for whatever we are individually working on at the time. These folders are labelled with our names and can also be reached by clicking the names above.

Project Outline

The brief we were supplied with for our project is as follows:

Cyber-attacks are becoming increasingly sophisticated, ranging from ransomware to advanced persistent threats (APTs). Their growing rate of success and the damage inflicted on organisations increasingly show the limits of traditional cyber protection controls (e.g. based on firewalls, AV agents, IDS/IPS, etc.) and demand innovative and advanced ways to detect and predict them, as a viable complementary approach. Various initiatives have been created in the past few years to assess cyber-attack processes, including Lockheed Martin's Kill Chain and MITRE ATT&CK. The latter not only provides an analysis of attackers' Techniques, Tactics and Processes (TTPs) but also assesses, for each TTP, some relevant detective cyber analytics and data sets. Threat Intelligence (TI), inclusive of Open Source Intelligence (OSINT), is also increasingly utilised by commercial and government organisations to provide insights and information about attacks, Indicators of Compromise (IoCs) and attackers' TTPs, as well as potential detection signatures and rules. The objective is to increase the accuracy of detected cyber threats and support analytical predictions.

This project aims at investigating, building and applying (advanced) detection algorithms for threat detection, i.e. cyber analytics. This might include use of AI/ML techniques. Identify and use cyber data sets accessible online. Use MITRE ATT&CK information about TTPs, analytics and data types as guidance. Investigate use of public TI feeds to improve threat and attack detection accuracy and reduce false positives. Discuss outcomes. Specifically, the project proposal consists of two parts:

Part 1: Set the context. Identify potential cyber analytic algorithms for threat detection along with suitable public data sets:

  • Use MITRE ATT&CK as a reference to explore attackers' TTPs, detective analytics and required data sets.

  • Identify suitable public data sets to support cyber (detective) analytics of relevance.

  • Identify suitable OSINT data repositories and feeds.

  • Shortlist a set of TTPs and types of cyber attacks to focus on, based on available data sets.

  • Identify a suitable set of cyber detection algorithms and techniques (e.g. based on rules, behaviour analytics, advanced AI/ML, etc.) driven by available data and previous steps.

Outcome: Written Report documenting findings and decisions

Part 2: R&D practical lab work, consisting of building, experimenting with and refining a set of cyber analytics for threat detection, based on selected attackers' TTPs and identified data sets. This R&D work would include:

  • Build cyber threat analytics (models and detectors) by using available data sets and targeted attackers' TTPs. Potentially consider different analytical techniques for the same TTP (for comparative assessment), if supported by available data;
  • Experiment with the built cyber analytics and review outcomes i.e. detective accuracy, impact of using related OSINT to improve true positive detection, etc;
  • Iteratively refine and improve these cyber analytics and/or introduce new algorithms or variants, driven by available data and experimental outcomes. Summarise and present cyber detection results (e.g. with attack timelines, graphs showing attack dependencies, etc.).

Outcome: Cyber Analytics Prototypes and Written Report with findings
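As an added illustration of the kind of analytic Part 2 asks for (this is example code written for this page, not code from the repository or its authors), the Python below runs a rule-based detector for ATT&CK T1110 (Brute Force) over constructed sshd log lines, enriches the resulting alerts with a constructed IoC list standing in for a public OSINT feed, and scores both variants with precision and recall against constructed ground truth. Every log line, IP address, the IoC list, the threshold of five failures, the 60-second window and the assumed year are assumptions made for the illustration.

```python
"""Toy cyber analytic for ATT&CK T1110 (Brute Force) over constructed sshd
log lines, run with and without enrichment from a constructed IoC list that
stands in for a public OSINT feed.  Added illustration, not project code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (documentation-range and private IPs, not real
# hosts).  Scenario: 203.0.113.7 and 198.51.100.23 spray passwords;
# 192.0.2.44 is a user mistyping a password; 10.0.0.5 is a cron job with a
# stale credential that fails once every half hour.
SAMPLE_LOG = """\
Mar 10 08:00:01 bastion sshd[911]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 10 08:00:02 bastion sshd[911]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 10 08:00:02 bastion sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar 10 08:00:03 bastion sshd[911]: Failed password for invalid user admin from 203.0.113.7 port 40004 ssh2
Mar 10 08:00:04 bastion sshd[911]: Failed password for invalid user oracle from 203.0.113.7 port 40005 ssh2
Mar 10 08:10:00 bastion sshd[912]: Failed password for alice from 192.0.2.44 port 50100 ssh2
Mar 10 08:10:04 bastion sshd[912]: Failed password for alice from 192.0.2.44 port 50101 ssh2
Mar 10 08:10:09 bastion sshd[912]: Failed password for alice from 192.0.2.44 port 50102 ssh2
Mar 10 08:10:15 bastion sshd[912]: Failed password for alice from 192.0.2.44 port 50103 ssh2
Mar 10 08:10:20 bastion sshd[912]: Failed password for alice from 192.0.2.44 port 50104 ssh2
Mar 10 09:00:00 bastion sshd[913]: Failed password for backup from 10.0.0.5 port 33000 ssh2
Mar 10 09:30:00 bastion sshd[913]: Failed password for backup from 10.0.0.5 port 33001 ssh2
Mar 10 10:00:00 bastion sshd[913]: Failed password for backup from 10.0.0.5 port 33002 ssh2
Mar 10 11:00:01 bastion sshd[914]: Failed password for root from 198.51.100.23 port 44000 ssh2
Mar 10 11:00:02 bastion sshd[914]: Failed password for root from 198.51.100.23 port 44001 ssh2
Mar 10 11:00:04 bastion sshd[914]: Failed password for root from 198.51.100.23 port 44002 ssh2
Mar 10 11:00:06 bastion sshd[914]: Failed password for root from 198.51.100.23 port 44003 ssh2
Mar 10 11:00:09 bastion sshd[914]: Failed password for root from 198.51.100.23 port 44004 ssh2
"""

# Constructed stand-in for an OSINT blocklist.  Deliberately lists only one
# of the two attackers: feeds lag behind freshly provisioned infrastructure.
IOC_FEED = {"203.0.113.7", "192.0.2.200"}
# Ground truth for the constructed scenario, used only to score the analytic.
TRULY_MALICIOUS = {"203.0.113.7", "198.51.100.23"}

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_failures(log_text, year=2021):
    """Map source IP -> list of failure timestamps.  syslog lines carry no
    year, so one is supplied (2021 is assumed for the constructed data)."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, other daemons, noise
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["src"]].append(ts)
    return failures

def brute_force_sources(failures, threshold=5, window=timedelta(seconds=60)):
    """Rule-based T1110 detector: flag a source with >= threshold failed
    logins inside any sliding window of the given length."""
    hits = set()
    for src, times in failures.items():
        times = sorted(times)
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:  # drop events that fell out of the window
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return hits

def enrich(hits, ioc_feed):
    """TI enrichment: a feed match raises confidence; nothing else changes."""
    return {src: ("high" if src in ioc_feed else "low") for src in hits}

def precision_recall(alerted, truth):
    tp, fp, fn = len(alerted & truth), len(alerted - truth), len(truth - alerted)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return precision, recall

def run_demo(log_text=SAMPLE_LOG, ioc_feed=IOC_FEED, truth=TRULY_MALICIOUS):
    """Compare the bare rule with the same rule gated on a TI match."""
    hits = brute_force_sources(parse_failures(log_text))
    scored = enrich(hits, ioc_feed)
    gated = {src for src, conf in scored.items() if conf == "high"}
    return {
        "scored": scored,
        "rule_only": precision_recall(hits, truth),
        "rule_and_ioc_gate": precision_recall(gated, truth),
    }

if __name__ == "__main__":
    result = run_demo()
    print("alerts with confidence:", result["scored"])
    for name in ("rule_only", "rule_and_ioc_gate"):
        p, r = result[name]
        print(f"{name:18s} precision={p:.2f} recall={r:.2f}")
```

On this constructed data the bare rule fires on three sources (two attackers plus the mistyping user), giving precision 2/3 and recall 1. Gating on the IoC feed removes the false positive but also drops the attacker the feed does not know about, so precision rises to 1 while recall halves. That is the trade-off the brief's "impact of using related OSINT" question is really about: a feed match is strong evidence for raising severity, but using the absence of a match to suppress an alert silently costs recall, and the cron job shows why the window length (not only the threshold) has to be tuned to the data set in hand.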

Owner

  • Name: Gabriel
  • Login: gabejg
  • Kind: user
  • Location: United Kingdom

GitHub Events

Total
  • Watch event: 3
Last Year
  • Watch event: 3