Prediction of Attack Kill Chain Sequences in Use Case Management leveraging AI

Introduction

In today's rapidly evolving digital landscape, the sophistication and frequency of cyber threats have escalated, posing significant challenges to organizations worldwide. Traditional reactive cybersecurity measures are no longer sufficient; there is a pressing need for proactive strategies that anticipate and mitigate potential attacks before they materialize. This article delves into the integration of probabilistic modeling and frameworks like MITRE ATT&CK to predict cyber attack sequences, enhancing an organization's ability to stay ahead of adversaries.

The subsequent sections will explore methodologies for measuring attack sequence probabilities, the application of Hidden Markov Models (HMMs) in cybersecurity, and the utilization of the MITRE ATT&CK framework to map and predict adversary tactics and techniques. Through this approach, cybersecurity practitioners can enhance their predictive capabilities, transforming reactive defense mechanisms into proactive security postures.

As a result of my 13 yrs of experience and the combination nowadays of AI, I created my own GPT and assistant on a variety of tasks under this domain, one of those which I will explain here.

First thing first, allow me to describe the GPT in question:

ZentinelGPT: Advanced Cybersecurity Use Case Management AI

ZentinelGPT is a specialized AI model designed to assist cybersecurity professionals in defining, analyzing, and refining cybersecurity use cases. Its core capabilities focus on aligning security operations with MITRE ATT&CK, the Cyber Kill Chain, the Diamond Model, and the MAGMA Use Case Framework, ensuring organizations can proactively manage threats and optimize security monitoring.

Development

ZentinelGPT has been trained on a comprehensive set of cybersecurity frameworks, intelligence reports, and security analytics methodologies. Its development follows an intelligence-driven cybersecurity approach, incorporating structured data sources, adversary tactics, and advanced detection strategies.

Learning & Refinement Process

ZentinelGPT continuously evolves through:

• Supervised Learning from SOC Playbooks: Training on detection rules, threat intelligence reports, and SOC incident response strategies.
• Behavioral Analytics & Adversary Emulation: Mapping known attack techniques and predicting attack sequences based on probabilistic models.
• Human-in-the-Loop Feedback: Incorporating expert feedback from cyber analysts, security researchers, and CTI professionals to enhance detection logic.
• Cross-Framework Mapping: Establishing connections between MITRE ATT&CK, Cyber Kill Chain, and the Diamond Model for better adversary tracking.

Summary

ZentinelGPT is an AI-driven cybersecurity assistant designed to enhance predictive threat intelligence, optimize security operations, and improve use case management in SOC environments. By leveraging structured adversary models, probabilistic forecasting, and real-world attack intelligence, ZentinelGPT helps organizations shift from reactive security to proactive cyber defense.

DEMO:

Through an easy instruction the model is able to resolve the request focused on a cybersecurity trusted environment, lets see an example using Brute Force and the 3 possible attack sequences an adversary is more probable to follow for enterprise type of organizations:

Attack Chain Sequence 1: Credential Access to Lateral Movement & Exfiltration

Goal: The adversary aims to expand their foothold in the network and extract sensitive data.

Steps in the Sequence

1. Brute Force (T1110) – Credential Access: The attacker successfully gains credentials via dictionary attacks, password spraying, or credential stuffing.
2. Valid Accounts (T1078) – Initial Access / Privilege Escalation: Using compromised credentials, they authenticate and bypass security controls.
3. System Discovery (T1082) – Discovery: The attacker runs reconnaissance on active directory structures, user privileges, and network shares.
4. Pass the Hash (T1550.002) or Kerberoasting (T1558.003) – Privilege Escalation: The adversary leverages NTLM hash authentication or extracts Kerberos tickets to escalate privileges.
5. Remote Desktop Protocol (T1021.001) or SMB (T1021.002) – Lateral Movement: They pivot to additional systems using compromised administrator credentials.
6. File Collection (T1560) – Collection: The attacker gathers files containing sensitive data, credentials, or intellectual property.
7. Exfiltration Over Web Services (T1567.002) – Exfiltration: Data is encrypted and exfiltrated via cloud services like Dropbox, OneDrive, or Google Drive.

Attack Chain Sequence 2: Credential Access to Ransomware Deployment

Goal: The attacker seeks to maintain persistence and deploy ransomware.

Steps in the Sequence

1. Brute Force (T1110) – Credential Access: Attackers gain unauthorized access to critical servers or endpoints.
2. Remote System Discovery (T1018) – Discovery: The adversary scans for accessible machines and domain controllers.
3. Scheduled Task/Job (T1053.005) – Persistence: They establish persistence by creating scheduled tasks to reinitiate payloads.
4. Windows Service Execution (T1543.003) – Execution: Malicious payloads are executed via compromised Windows services.
5. Ransomware Deployment via PowerShell (T1059.001) – Impact: The attacker executes PowerShell scripts to deploy ransomware across the network.
6. Data Encrypted for Impact (T1486) – Impact: Files and backups are encrypted using AES/RSA encryption.
7. System Shutdown/Reboot (T1529) – Impact: The attacker forces a reboot to apply ransomware encryption fully.
8. Demand for Ransom (T1650) – Impact: The victim organization receives ransom notes and payment instructions.

Attack Chain Sequence 3: Credential Access to Account Takeover & Data Destruction

Goal: The adversary aims to compromise multiple accounts and destroy critical data.

Steps in the Sequence

1. Brute Force (T1110) – Credential Access: Attackers compromise user accounts with weak passwords.
2. Domain Trust Discovery (T1482) – Discovery: They identify trusted domains and lateral movement opportunities.
3. Create or Modify System Process (T1543) – Persistence: The attacker modifies system services to maintain access.
4. Impair Defenses: Disable Security Software (T1562.001) – Defense Evasion: Security tools such as antivirus and EDR are disabled.
5. Wiper Malware Deployment (T1561.001) – Impact: The attacker deploys wiper malware to erase critical files and logs.
6. Network Infrastructure Destruction (T1565.003) – Impact: Routers, switches, and domain controllers are corrupted.
7. Denial of Service via Resource Hijacking (T1499.003) – Impact: The network is flooded with requests, causing service disruption.

HOW ZentinelGPT THINKS?

If you keep reading until here, after seeing the results you might ask yourself, how the model actually got to this conclusions, allow me to explain that part to you:

1. Probabilistic Attack Sequence Modeling (Hidden Markov Model - HMM)

• ZentinelGPT used Hidden Markov Models (HMMs) to calculate transition probabilities between MITRE ATT&CK techniques.
• MITRE ATT&CK Techniques (Tactics & Procedures) were used as states in the HMM.
• The probabilities were estimated based on real-world adversary behaviors observed in attack reports and historical cyber incidents.

2. Data Sources Used to Compute Probabilities

I used the following sources to extract frequency data and infer probabilities:

3. How Transition Probabilities Were Estimated

I calculated the probability of transitioning from one MITRE ATT&CK technique to another by:

1. Analyzing real-world attack reports (DFIR case studies, threat intelligence).
2. Extracting frequency counts of techniques used by different APTs in MITRE ATT&CK adversary groups.
3. Applying probabilistic transition modeling:If technique T1 is observed before technique T2 in 80% of historical attacks, the probability of T1 → T2 is 0.8.If technique T2 follows multiple techniques (T1, T3, T4) in past cases, their transition probabilities sum to 1.Used Markov Chain Transitions to model multi-step attack paths.

4. Example: Probability Distribution for Brute Force (T1110) Attack Paths

The following probabilities were derived from case studies and modeled using Markov Chains.

• A Markov chain is a stochastic model created by Andrey Markov that outlines the probability associated with a sequence of events occurring based on the state in the previous event. It’s a very common and easy-to-understand model that’s frequently used in industries that deal with sequential data such as finance. Even Google’s page rank algorithm, which determines what links to show first in its search engine, is a type of Markov chain. Through mathematics, this model uses our observations to predict future events.
• The main goal of the Markov process is to identify the probability of transitioning from one state to another. One of the primary appeals to Markov is that the future state of a stochastic variable is only dependent on its present state. An informal definition of a stochastic variable is described as a variable whose values depend on the outcomes of random occurrences.

5. How ZentinelGPT Validated These Probabilities

To ensure accuracy, ZentinelGPT:

• Compared results with real-world attack case studies from CISA, MITRE, and DFIR reports.
• Checked consistency with known APT groups (Lazarus Group, APT29, FIN7, etc.).
• Used Markov Chains to test multiple variations of attack sequences.

Conclusion

The probabilities of each attack sequence are not random but derived from historical attack patterns, threat intelligence, and mathematical probability modeling using Markov Chains and the documentation provided to the GPT which enables the proper correlation and final prediction.