Closing the Cyber Attack Gap with AI

The standard method for representing a semantic graph is the Resource Description Framework (RDF), a directed graph described as triples. A triple in an RDF graph has three components: a node for the subject, a node for the object, and an arc carrying the predicate that links the subject to the object. Figure 1 provides an example of a semantic graph describing the IT concepts relevant to attackers and defenders. This simple and flexible data model has a lot of expressive power: it can represent complex situations and relationships while remaining abstract, and RDF is considered one of the fundamental technologies of the Semantic Web.

Reasoning systems excel at explaining the “thought” process that led to a conclusion (explainability), an ability that most machine learning systems lack. Semantic graph technologies also make it possible to combine different types, formats, and sources of information into a common language, so that semantic and logical operations can be applied to the integrated information.

This has great value in the cyber world. A semantic graph of cyber threats can be produced from the information and concepts found in standard sources such as MITRE ATT&CK and the NVD’s CVE database. Attack techniques can be analyzed to define the “requirements” an attacker must satisfy to use them. By combining the threat graph with a graph describing the features of an organization’s IT systems, the reasoning system can deduce which of those requirements the organization satisfies and build a “virtual attacker” that explains how, in principle, the organization could be attacked. This tells the organization how and where it is open to attack, without the need for other, often manual, means of uncovering cyber exposures, such as penetration testing.

Once there is an accurate description of an organization’s IT systems, of the connectivity between those systems, and of their identity and access information, the reasoning system can build specific attack scenarios for that organization, just as a real attacker would. If semantic information about defenses (mitigations), as defined by MITRE D3FEND, is then added to the system, it can suggest ways to reduce the risk from those attacks.
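The two paragraphs above describe a threat graph combined with an organization graph and a reasoner that plays the virtual attacker and then points back to mitigations. The following is an added example, not code from the article or from any product it describes: RDF-style triples are plain Python tuples, every host, service, credential and technique name is constructed, the CVE identifier is a labelled placeholder, and the three rules are hand-written stand-ins for technique “requirements” rather than anything derived from ATT&CK or D3FEND.

```python
# Added example, not the article's code: a toy triple store plus a forward-chaining
# reasoner that acts as the "virtual attacker" and records why each step holds.
# All names are constructed; CVE-0000-PLACEHOLDER is a labelled placeholder.
THREAT = [  # threat graph: technique -> defence that breaks it
    ("RemoteExploit", "mitigatedBy", "PatchManagement"),
    ("CredentialReuse", "mitigatedBy", "CredentialHardening"),
]
ORG = [  # organization graph: connectivity, services, identities, data
    ("internet", "reaches", "web01"),
    ("web01", "runs", "httpd"),
    ("httpd", "hasVuln", "CVE-0000-PLACEHOLDER"),
    ("web01", "storesCred", "svc_account"),   # service credential on disk
    ("svc_account", "grantsAccessTo", "db01"),
    ("db01", "holds", "CustomerData"),
]

def objs(triples, s, p):
    return [o for (x, q, o) in triples if x == s and q == p]

def reason(org):
    """Forward-chain until no rule fires; each rule encodes one technique's requirements."""
    triples = set(org) | {("attacker", "controls", "internet")}
    why = {}  # inferred triple -> (technique, supporting triples): the explanation
    def add(t, technique, support):
        if t not in triples: triples.add(t); why[t] = (technique, support)
    while True:
        n = len(triples)
        for src in list(objs(triples, "attacker", "controls")):
            for h in objs(triples, src, "reaches"):        # RemoteExploit
                for s in objs(triples, h, "runs"):
                    for v in objs(triples, s, "hasVuln"):
                        add(("attacker", "controls", h), "RemoteExploit",
                            [(src, "reaches", h), (h, "runs", s), (s, "hasVuln", v)])
            for c in objs(triples, src, "storesCred"):     # CredentialReuse
                for h in objs(triples, c, "grantsAccessTo"):
                    add(("attacker", "controls", h), "CredentialReuse",
                        [(src, "storesCred", c), (c, "grantsAccessTo", h)])
            for d in objs(triples, src, "holds"):          # impact: data reachable
                add(("attacker", "canRead", d), "DataAccess", [(src, "holds", d)])
        if len(triples) == n:
            return why

def explain(why, t):
    """Ordered (technique, support) steps from the initial foothold to triple t."""
    if t not in why: return []
    technique, support = why[t]
    return explain(why, ("attacker", "controls", support[0][0])) + [(technique, support)]

def mitigations(why, t, threat=THREAT):
    used = {technique for technique, _ in explain(why, t)}
    return sorted(m for (x, p, m) in threat if p == "mitigatedBy" and x in used)
```

Removing the `hasVuln` triple (the patch-management mitigation) from `ORG` and re-running `reason` leaves no derivation for `("attacker", "canRead", "CustomerData")`, which is the kind of what-if a defender can check without touching the live systems.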


Figure 1: A simple semantic graph describing basic IT concepts relevant to attackers and defenders

For these reasons, machine reasoning is particularly well suited to assessing an attacker’s ability to succeed against the organization without actually conducting the attack. It also enables an assessment of the organization’s resilience, that is, its ability to prevent cyber attacks or minimize the loss they cause.
