High-risk asset discovery and network attack tracing method based on TTP

A network attack tracing method for discovering high-risk assets. It addresses the problem that an endpoint alarm on its own does not directly reveal the attacker's purpose or the attack technique being used.

Active Publication Date: 2020-05-19
HANGZHOU ANHENG INFORMATION TECH CO LTD

AI Technical Summary

Problems solved by technology

[0007] 1. Most current endpoint detection security alarms only report the abnormal behaviour itself; from the alarm one cannot directly see the attacker's purpose or attack technique. Mapping each alarm to a TTP number describes the attacker's purpose and attack technique.
[0008] 2. At present the endpoint only alarms on malicious features, but many attacks use official Windows tools to launch the attack, and some endpoint detection products are bypassed in that case.
[0009] 3. At present the alarms triggered by endpoint detection are independent of each other; there is no overall view that links the attacker's behaviour together. We draw the process tree from the processes of the compromised host and attach the relevant TTP information, which clearly describes the operating process of the malicious processes on the machine and the attack techniques used.




Embodiment 1

[0048] Embodiment 1: a TTP-based high-risk asset discovery and network attack source tracing method, as shown in Figures 1-5, comprising the following steps:

[0049] First, trace the process tree of any process that has triggered a TTP-related rule, and query whether other processes on that process tree have also had TTP threats detected (a pre-detection setting); then display all detected TTP information on the corresponding processes of the process tree.

[0050] The detection of attack techniques (Techniques, i.e. the TTP-related rules that a process has triggered) comes from the SIEM platform (security information and event management platform, commonly called the log analysis platform). Using the real-time detection capability of the SIEM platform, attack techniques are detected in the endpoint logs transmitted in real time. Operations in the raw endpoint data generally carry process information, which can be output together with the alarm.

[0051] Whe...



Abstract

The invention provides a high-risk asset discovery and network attack tracing method based on TTP. The method comprises the following steps. Process tree tracing is performed on processes that trigger TTP-related rules; it is queried whether other processes on the process tree have also had TTP threats detected, and all detected TTP information is then displayed on the corresponding processes of the process tree. Each attack technique (Technique) is detected by an alarm rule model; once a Technique is detected it corresponds to one Techniques number (the TTP number), and in addition to the Techniques number a Tactics number is also included. When an attack Technique is detected, the process tree of the attacking process is traced, and it is analysed whether multiple attack Techniques appear on that process tree. The reasoning is that when only one attack Technique is detected on a process tree, the detection rule may have produced a false alarm; if multiple attack Techniques are detected on one process tree, the probability that the device has been compromised and is controlled by an attacker is high, and multiple malicious attack behaviours have been carried out.
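The tree-tracing and multi-Technique decision described in the abstract and in Embodiment 1, as an added Python example that is not the patent's own code: the process events, the alarm rule model and the ATT&CK-style Technique and Tactic numbers are constructed for illustration, and the threshold of two distinct Techniques per tree is an assumption drawn from the abstract's "multiple attack technologies".

```python
from collections import defaultdict

# Constructed endpoint process events (pid, ppid, image, command line); not real telemetry.
EVENTS = [
    (100, 1, "explorer.exe", "explorer.exe"),
    (200, 100, "winword.exe", "winword.exe report.docx"),
    (300, 200, "cmd.exe", "cmd.exe /c schtasks ..."),
    (400, 300, "schtasks.exe", "schtasks.exe /create /tn Task1 /tr <constructed-path>"),
    (600, 1, "svchost.exe", "svchost.exe -k netsvcs"),
    (700, 600, "schtasks.exe", "schtasks.exe /create /tn Backup /tr <constructed-path>"),
]

# Constructed alarm rule model: predicate over (image, cmdline, parent image) -> (Technique, Tactic).
# ATT&CK-style numbers are an assumption; the patent only speaks of a "TTP number".
RULES = [
    (lambda img, cmd, par: img in ("cmd.exe", "powershell.exe") and par in ("winword.exe", "excel.exe"),
     ("T1059", "TA0002")),  # command shell spawned from an Office document
    (lambda img, cmd, par: img == "schtasks.exe" and "/create" in cmd.lower(),
     ("T1053", "TA0003")),  # scheduled task created with a built-in Windows tool
]

def build_index(events):
    """Index processes by pid so parent links can be followed."""
    return {pid: (ppid, img, cmd) for pid, ppid, img, cmd in events}

def detect(by_pid):
    """Run the rule model over every process; return {pid: {(technique, tactic), ...}}."""
    hits = defaultdict(set)
    for pid, (ppid, img, cmd) in by_pid.items():
        parent_img = by_pid[ppid][1] if ppid in by_pid else ""
        for pred, ttp in RULES:
            if pred(img, cmd, parent_img):
                hits[pid].add(ttp)
    return hits

def root_of(pid, by_pid):
    """Process-tree tracing: follow parent links until the parent is not in the log."""
    while by_pid[pid][0] in by_pid:
        pid = by_pid[pid][0]
    return pid

def trace(events, threshold=2):
    """Group hits per process tree; >= threshold distinct Techniques on one tree marks it high risk."""
    by_pid = build_index(events)
    trees = defaultdict(dict)
    for pid, ttps in detect(by_pid).items():
        trees[root_of(pid, by_pid)][pid] = sorted(ttps)
    report = {}
    for root, procs in trees.items():
        techniques = sorted({t for ttps in procs.values() for t, _ in ttps})
        report[root] = {"techniques": techniques, "high_risk": len(techniques) >= threshold, "processes": procs}
    return report
```

On the constructed events the explorer.exe tree (root pid 100) carries two Techniques and is flagged high risk, while the svchost.exe tree (root pid 600) carries a single Technique, the case the abstract treats as a possible rule misreport.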

Description

Technical field

[0001] The invention relates to a source tracing method, in particular to a TTP-based high-risk asset discovery and network attack source tracing method.

Background

[0002] In today's networks there are hackers of all kinds, with differing motives, who carry out network attacks on other individuals or enterprises on the Internet in order to gain benefit, build reputation, pursue political aims and so on. However, in past security incidents enterprises have had difficulty perceiving compromised hosts on their networks and were often unable to detect an attack in the network at the earliest stage. Hackers lurk inside the organisation for a long time, collecting information and stealing or even destroying sensitive data.

[0003] Before TTP was introduced into the field of network security, a problem found on a host could only be treated as an isolated threat point, and it was impossible to know the context of this threat point as c...


Application Information

Patent Type & Authority: Applications (China)
IPC: H04L29/06
CPC: H04L63/1416, H04L63/1425, H04L63/1441
Inventor: 罗家强, 范渊
Owner: HANGZHOU ANHENG INFORMATION TECH CO LTD