Severity-Based Triage of Possible Incidents Using Kill Chain Attack Graphs: Supplementary Materials

This repository contains proof-of-concept implementation of an approach from paper Severity-Based Triage of Possible Incidents Using Kill Chain Attack Graphs.

If you use or further modify this implementation, please use the following reference to cite the original work:

SADLEK, Lukáš; YAMIN, Muhammad Mudassar; ČELEDA, Pavel; KATT, Basel. Severity-Based Triage of Possible Incidents Using Kill Chain Attack Graphs. 2023.

The installation guide was inspired by our previous work.

Structure of repository

The repository is structured into several folders.

Folder inputs contains input CSV files from the SIEM server.
- File wazuh-alerts.csv contains content of the wazuh-alerts index used for the evaluation.
- File wazuh-archives.csv contains content of the wazuh-archives index used for the evaluation.
Folder outputs contains important files present in the MulVAL working directory after execution of this implementation.
- File input_file.P contains input for the MulVAL generator.
- File output_dictionary.json contains compressed evidence paths for IP addresses.
- Files AttackGraph.pdf contains visualized attack graph.
- Files AttackGraph.txt and AttackGraph.xml provide two forms of attack graph representation for parsing.
- Files VERTICES.CSV and ARCS.CSV contain vertices and edges from the attack graph.
Folder rules contains the ruleset created using the KCAG methodology described in the paper.

Implementation of the method

The proof-of-concept implementation contains several files:

custom_detection.py contains custom detection of T1486 - Data Encrypted for Impact technique.
evidence_path.py contains functionality that processes data from the SIEM server and identifies sequences of attack techniques.
final_report.py determines the final evaluation of the severity levels for IP addresses and sequences of attack techniques.
generator.py contains procedure for generating the attack graph.
input_convertor.py converts input CSV files into input files for MulVAL.
output_postprocessing.py processes the attack graph generated by MulVAL. It adds kill chain phases and labels for vertices. It also determines strategic phases, techniques, and countermeasures.
run_mulval.py contains utility that runs MulVAL from command line.
utils.py contains utilities that return set of phases and mapping function of techniques. They also check kill chain phases.

How to use

First, it is necessary to create input files for MulVAL. If your system contains created directory /tmp/mulval_dir, you can execute the following commands. Otherwise, create the folder with name /tmp/mulval_dir before executing the following commands.

from input_convertor import convert_input
convert_input('/tmp/mulval_dir/input_file.P')

The next step is to generate the KCAG. The following commands will output its attack paths, strategic techniques, and strategic countermeasures.

from generator import generate_kcag
generate_kcag()

As the last step, it is necessary to process data from the SIEM server and determine the severity levels. This functionality is provided by the following commands.

from evidence_path import process_restricted_files
process_restricted_files()

Installation

The implementation uses MulVAL. The installation guide was tested with:

openjdk-8-jdk (works with the dom4j dependency),
Ubuntu 20.04 (Ubuntu 22.04 may use a too new version of the c++ compiler).

It is necessary to install MulVAL:

$ wget -P /opt https://people.cs.ksu.edu/~xou/argus/software/mulval/mulval_1_1.tar.gz
$ cd /opt
$ tar -xzf mulval_1_1.tar.gz
$ rm mulval_1_1.tar.gz

MulVAL also requires XSB as installation prerequisite:

$ wget -P /opt http://xsb.sourceforge.net/downloads/XSB.tar.gz
$ tar -xzf XSB.tar.gz
$ rm XSB.tar.gz

Then you need to set environment variables for MulVAL and XSB. PATH must contain paths to MulVAL and XSB.

$ export MULVALROOT=/opt/mulval
$ export XSBROOT=/opt/XSB
$ export PATH=$PATH:$MULVALROOT/bin:$MULVALROOT/utils:$XSBROOT/bin:$XSBROOT/build

It is necessary to compile XSB and MULVAL. Install C++ compiler, Java, and bison and flex in you system. For C++ compiler, bison and flex:

$ apt-get install build-essential
$ apt-get install bison flex

You may also have to install make and g++ if you don't have them already. (apt-get).

Now, you need to make XSB using these commands:

$ cd XSB/build
$ ./configure
$ ./makexsb

After that you can test your XSB installation using

$ /opt/XSB/bin/xsb

and type halt. to exit XSB (with dot at the end).

Now, you need to compile MULVAL:

$ cd /opt/mulval
$ make

If output of make command contains javac: Command not found it means that you don't have Java installed in your system or Java is not in your PATH. Note: you need JDK and in it javac command. Add to PATH the directory which contains javac command.

Open JDK may also require dom4j JAR package. Switch to folder for external java packages, which has usually form of /usr/lib/jvm/<name of java>/jre/lib/ext and then download the required JAR using:

wget -P . https://github.com/dom4j/dom4j/releases/download/dom4j_1_6_1/dom4j-1.6.1.jar

After successful make of MULVAL you can run testing command (in MULVALROOT directory)

$ cd testcases/3host/
$ graph_gen.sh input.P -l -p

Configuration file

You need to set variables in conf.ini before running the generator.

Set mulval_root/xsb_root variables to the same path you used when installing MULVAL / XSB.
Variable mulval_dir should contain location of directory in which the files necessary for AG generation will be created.
Variable interaction_rules_file points to rules/ruleset.P file. Change its value only in a case you want to rename this file and rename the file appropriately.

Requirements

Necessary requirements are listed in file requirements.txt. Functionality was tested with Python 3.9. Install with pip3 install -r requiremets.txt. (requires pip3 to be installed)