Modelling Indicators of Behaviour for Cyber Threat Hunting via Sysmon

Hunting for threats is of capital importance for security teams. Establishing multifaceted contexts around the evolving behaviours of threat actors is paramount for enabling threat hunting teams to tell the malicious from the benign. The MITRE ATT&CK framework is the state-of-art knowledge base for referencing how threat actors conduct their tactics, techniques and procedures. Despite the abstract concepts of techniques being well defined, it is challenging to hunt from an abstract technique concept to security event data. In this work, we develop a data driven knowledge base of threat actor behaviours called Indicators of Behaviour, that use semantic reasoning to infer threat actor behaviours. Unlike generalised techniques in MITRE ATT&CK, these behaviours can be queried from a low level indicator and the behaviour itself. We use MITRE's Caldera platform to emulate threat actor behaviours and Sysmon for capturing security events and defining the knowledge base's semantics. By utilising this approach, the semantic reasoner aids threat hunting teams by inferring threat actor behaviour chains from individual interconnected events.