Defender Policy Evaluation and Resource Allocation Using MITRE ATT&CK Evaluations Data
Alexander V. Outkin, Patricia V. Schulz, Timothy Schulz, Thomas D. Tarman, and Ali Pinar

TL;DR
This paper introduces a game-theoretic methodology for analyzing and optimizing defender resource allocation against multi-step cyber attacks using MITRE ATT&CK data, modeling interactions as Markov processes.
Contribution
It presents a novel approach to evaluate and improve defender policies and resource allocation strategies through probabilistic modeling of attack-defense interactions.
Findings
Effective defender strategies can be identified through Markov process modeling.
Resource allocation impacts attack success probabilities significantly.
The methodology enables comparison of different defense strategies under uncertainty.
Abstract
Protecting against multi-step attacks of uncertain duration and timing forces defenders into an indefinite, always ongoing, resource-intensive response. To effectively allocate resources, a defender must be able to analyze multi-step attacks under the assumption of constantly allocating resources against an uncertain stream of potentially undetected attacks. To achieve this goal, we present a novel methodology that applies a game-theoretic approach to the attack, attacker, and defender data derived from MITRE's ATT&CK Framework. Time to complete attack steps is drawn from a probability distribution determined by attacker and defender strategies and capabilities. This constrains attack success parameters and enables comparing different defender resource allocation strategies. By approximating attacker-defender games as Markov processes, we represent the attacker-defender interaction,…
Taxonomy
Topics: Infrastructure Resilience and Vulnerability Analysis · Probabilistic and Robust Engineering Design
