Severity-Based Triage of Cybersecurity Incidents Using Kill Chain Attack Graphs

Authors

SADLEK Lukáš; YAMIN Muhammad Mudassar; ČELEDA Pavel; KATT Basel

Year of publication 2025
Type Article in Periodical
Magazine / Source Journal of Information Security and Applications
MU Faculty or unit

Faculty of Informatics

Citation
web https://www.sciencedirect.com/science/article/pii/S2214212624002588
DOI http://dx.doi.org/10.1016/j.jisa.2024.103956
Keywords kill chain; attack graph; incident severity; incident triage; MITRE ATT&CK; cyber crisis
Description Security teams process a vast number of security events, and their analysts spend considerable time triaging cybersecurity alerts. Many alerts reveal incidents that must be handled first and escalated to more experienced staff so that the response matches their severity. This calls for an automated approach that considers the contextual relationships among security events, in particular the detected attack tactics and techniques. In this paper, we propose a new graph-based approach to incident triage. First, it generates a kill chain attack graph from host and network data. Second, it creates sequences of detected alerts that could represent ongoing multi-step cyber attacks and matches them against the attack graph. Last, it assigns severity levels to the created sequences of alerts according to the most advanced kill chain phase used and the criticality of the assets involved. We implemented the approach using the MulVAL attack graph generator and generation rules for MITRE ATT&CK techniques. The evaluation was carried out in a testbed where multi-step attack scenarios were executed. Classification of alert sequences based on the computed match scores achieved an area under the receiver operating characteristic curve of 0.95 in feasible time. Moreover, a threshold exists at which 80% of positive sequences are classified correctly while only a small percentage of negative sequences are misclassified. Therefore, the approach selects malicious sequences of alerts and significantly improves incident triage.
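The three steps summarised above (build an attack graph, chain alerts into candidate multi-step sequences and match them against the graph, then rank the matching sequences by the most advanced kill chain phase reached and by asset criticality) can be illustrated with a small, self-contained model. The code below is an added example written for this page; it is not the authors' implementation and it does not use MulVAL or their ATT&CK generation rules. The attack graph, the asset criticality values, the time-window chaining of alerts, the match score (fraction of consecutive alert pairs that follow a graph edge), the severity formula (phase index multiplied by criticality) and the severity thresholds are all assumptions made for the illustration, and the alert stream is constructed, not real data.

```python
"""Illustrative kill chain attack graph triage (example code, not the paper's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Set

# Assumed kill chain phase ordering, from least to most advanced.
PHASES = ["reconnaissance", "initial-access", "execution", "persistence",
          "privilege-escalation", "lateral-movement", "exfiltration"]
PHASE_INDEX = {p: i for i, p in enumerate(PHASES)}


@dataclass(frozen=True)
class Node:
    """Attack graph node: an ATT&CK technique executed on a host in a kill chain phase."""
    host: str
    technique: str
    phase: str


@dataclass(frozen=True)
class Alert:
    """A detected technique on a host at time ts (seconds)."""
    ts: int
    host: str
    technique: str
    phase: str

    def node(self) -> Node:
        return Node(self.host, self.technique, self.phase)


def toy_attack_graph() -> Dict[Node, Set[Node]]:
    """Constructed successor relation standing in for a generated attack graph (assumption)."""
    n_exploit = Node("web01", "T1190", "initial-access")
    n_exec = Node("web01", "T1059", "execution")
    n_privesc = Node("web01", "T1068", "privilege-escalation")
    n_lateral = Node("db01", "T1021", "lateral-movement")
    n_exfil = Node("db01", "T1041", "exfiltration")
    return {n_exploit: {n_exec}, n_exec: {n_privesc, n_lateral},
            n_privesc: {n_lateral}, n_lateral: {n_exfil}, n_exfil: set()}


# Assumed asset criticality: 1 = low, 5 = most critical.
ASSET_CRITICALITY = {"web01": 2, "db01": 5, "ws17": 1}


def build_sequences(alerts: List[Alert], window: int) -> List[List[Alert]]:
    """Chain alerts chronologically; a gap larger than `window` seconds starts a new sequence."""
    seqs: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if seqs and a.ts - seqs[-1][-1].ts <= window:
            seqs[-1].append(a)
        else:
            seqs.append([a])
    return seqs


def match_score(seq: List[Alert], graph: Dict[Node, Set[Node]]) -> float:
    """Assumed metric: fraction of consecutive alert pairs that follow an attack graph edge."""
    if len(seq) == 1:
        return 1.0 if seq[0].node() in graph else 0.0
    hits = sum(1 for a, b in zip(seq, seq[1:]) if b.node() in graph.get(a.node(), set()))
    return hits / (len(seq) - 1)


def severity(seq: List[Alert]) -> int:
    """Assumed formula: most advanced phase index times criticality of the most valuable host."""
    phase = max(PHASE_INDEX[a.phase] for a in seq)
    crit = max(ASSET_CRITICALITY.get(a.host, 1) for a in seq)
    return phase * crit


def severity_level(sev: int) -> str:
    """Assumed severity bands used for escalation."""
    if sev >= 20:
        return "critical"
    if sev >= 10:
        return "high"
    if sev >= 4:
        return "medium"
    return "low"


def triage(alerts: List[Alert], graph: Dict[Node, Set[Node]],
           window: int = 300, threshold: float = 0.8) -> List[dict]:
    """Keep sequences whose match score reaches the threshold; most severe first."""
    results = []
    for seq in build_sequences(alerts, window):
        score = match_score(seq, graph)
        if score >= threshold:
            sev = severity(seq)
            results.append({"hosts": sorted({a.host for a in seq}),
                            "techniques": [a.technique for a in seq],
                            "score": score, "severity": sev, "level": severity_level(sev)})
    results.sort(key=lambda r: r["severity"], reverse=True)
    return results


# Constructed sample alert stream (not real data): one intrusion chain plus two unrelated alerts.
SAMPLE_ALERTS = [
    Alert(0, "web01", "T1190", "initial-access"),
    Alert(30, "web01", "T1059", "execution"),
    Alert(70, "db01", "T1021", "lateral-movement"),
    Alert(100, "db01", "T1041", "exfiltration"),
    Alert(5000, "ws17", "T1566", "initial-access"),
    Alert(5010, "ws17", "T1204", "execution"),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, toy_attack_graph()):
        print(r)
```

With the sample stream, the four alerts on web01 and db01 form one sequence whose every transition follows a graph edge (score 1.0) and which reaches the exfiltration phase on the most critical host, so it is ranked critical; the two ws17 alerts form a second sequence with no graph support (score 0.0) and fall below the threshold, so they are left for normal processing. The threshold is the practitioner's knob: lowering it admits more sequences at the cost of more false positives, which is the trade-off the abstract's ROC figure describes.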