Cyber Situational Awareness

Toward Intelligent, Context-Aware Cyber Defense Architectures

LINKS OF THE WEEK

My Best Finds

☁️🔐 More Cybersecurity Links

DEEP DIVE

Toward Intelligent, Context-Aware Cyber Defense Architectures

The rising complexity of cyber threats, driven by zero-day exploits, polymorphic malware and increasingly capable adversaries, has left perimeter security and rule-based detection insufficient on their own. In this landscape, cyber situational awareness (CSA) is both a technological capability and a strategic requirement. Carmen Sánchez Zas's doctoral thesis, "Propuesta de un modelo de caracterización de ciberataques para entornos de conciencia cibersituacional" (UPM, 2024), proposes a framework that combines unsupervised machine-learning models for detection, real-time characterization of attacks against MITRE ATT&CK, and ontology-based risk governance, moving CSA from a theoretical ideal toward a practical design.

Expanding the Detection Horizon: Multisource, Behavior-Centric Intrusion Detection

The first component of the proposed model is a cyber-physical Intrusion Detection System (IDS) built on unsupervised machine learning. Rather than matching signatures, as a classic network IDS does, it ingests heterogeneous data sources and learns behavioral baselines across both the physical and the logical layer.

The data sources include:

  • Communication channels (Wi-Fi, Bluetooth, radio frequency, mobile networks)

  • Infrastructure logs (firewalls, SIEM systems)

  • Behavioral telemetry (UEBA metrics from activity monitors, network flows, document usage, process execution)

Clustering algorithms such as K-Means and dimensionality reduction methods (PCA, UMAP, t-SNE) learn the normal operating pattern of each source and flag observations that fall outside it. Of these, t-SNE has no transform for unseen points, so it serves to inspect a baseline rather than to score live observations; PCA, and UMAP through its transform, can be applied online. Each anomaly is timestamped and tagged with the source that produced it, so that events from different sensor types can be correlated. The result is a detection surface broader than network visibility alone, in the same spirit as Zero Trust architectures, which continuously verify every connection, identity and behavior.
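As an added worked example (not code from the thesis), the following Python script implements the kind of behavioral baseline described above using numpy only: each data source gets its own model that standardizes its features, reduces them with PCA (via SVD), clusters the baseline with a deterministic K-Means, and scores new observations by how far they fall from the nearest cluster, both inside the retained subspace and in the residual PCA discarded. Anomalies are timestamped and tagged with their sensor, then chained across sensors within a time window. The sensor names, feature choices, baseline distributions and the event stream are all constructed for the illustration.

```python
"""Multisource behavioral baseline: standardize -> PCA (SVD) -> deterministic K-Means -> z-scored distance.
Added illustration, not code from the thesis. Requires numpy; all data below are constructed."""
import numpy as np


class BaselineModel:
    """One baseline per data source, learned only from observations assumed to be normal."""

    def __init__(self, n_components=2, k=2):
        self.n_components, self.k = n_components, k

    def _project(self, X):
        Z = (np.asarray(X, float) - self.mu) / self.sd
        P = Z @ self.components.T                                # coordinates in the PCA subspace
        resid = np.linalg.norm(Z - P @ self.components, axis=1)  # what the PCA subspace cannot represent
        return P, resid

    def fit(self, X):
        X = np.asarray(X, float)
        self.mu, self.sd = X.mean(0), X.std(0) + 1e-9
        # PCA via SVD: rows of vt are the principal axes, ordered by explained variance
        _, _, vt = np.linalg.svd((X - self.mu) / self.sd, full_matrices=False)
        self.components = vt[: self.n_components]
        P, resid = self._project(X)
        # farthest-point seeding keeps K-Means deterministic (no random restarts)
        C = [P[0]]
        for _ in range(1, self.k):
            d = np.min([np.linalg.norm(P - c, axis=1) for c in C], axis=0)
            C.append(P[d.argmax()])
        C = np.array(C)
        for _ in range(100):
            labels = np.linalg.norm(P[:, None] - C[None], axis=2).argmin(1)
            newC = np.array([P[labels == j].mean(0) if (labels == j).any() else C[j]
                             for j in range(self.k)])
            if np.allclose(newC, C):
                break
            C = newC
        self.centroids = C
        d = np.linalg.norm(P - C[labels], axis=1)
        self.d_stats = (d.mean(), d.std() + 1e-9)          # baseline distance-to-centroid distribution
        self.r_stats = (resid.mean(), resid.std() + 1e-9)  # baseline reconstruction-residual distribution
        return self

    def score(self, X):
        """Per row: (anomaly z-score, nearest cluster). The score takes the worse of the two views,
        so a deviation that lies entirely outside the PCA subspace is still caught."""
        P, resid = self._project(X)
        dist = np.linalg.norm(P[:, None] - self.centroids[None], axis=2)
        z_d = (dist.min(1) - self.d_stats[0]) / self.d_stats[1]
        z_r = (resid - self.r_stats[0]) / self.r_stats[1]
        return np.maximum(z_d, z_r), dist.argmin(1)


def detect(models, events, z_threshold=4.0):
    """events: (epoch_seconds, sensor, feature_vector). Returns timestamped, source-tagged anomalies."""
    out = []
    for ts, sensor, x in events:
        z, cluster = models[sensor].score([x])
        if z[0] > z_threshold:
            out.append({"ts": ts, "sensor": sensor, "z": round(float(z[0]), 1), "cluster": int(cluster[0])})
    return out


def correlate(anomalies, window=120):
    """Chain anomalies from any sensor that occur within `window` seconds of the previous one."""
    groups, current = [], []
    for a in sorted(anomalies, key=lambda a: a["ts"]):
        if current and a["ts"] - current[-1]["ts"] > window:
            groups.append(current)
            current = []
        current.append(a)
    return groups + [current] if current else groups


# Constructed baselines (not real telemetry); in practice a curated quiet period would be used.
rng = np.random.default_rng(0)
netflow_baseline = np.column_stack([rng.normal(40, 8, 200),      # connections per minute
                                    rng.normal(5, 1.5, 200),     # distinct destination ports
                                    rng.normal(2e6, 4e5, 200)])  # bytes out
ueba_baseline = np.column_stack([rng.normal(12, 3, 200),         # processes spawned
                                 rng.normal(20, 6, 200),         # documents opened
                                 rng.normal(10, 1.5, 200)])      # hour of activity
MODELS = {"netflow": BaselineModel().fit(netflow_baseline), "ueba": BaselineModel().fit(ueba_baseline)}

# Constructed event stream: normal activity, then a port sweep followed 40 s later by mass document access.
EVENTS = [(900, "netflow", [42, 6, 1.9e6]), (930, "ueba", [11, 22, 10]),
          (1000, "netflow", [900, 450, 3e5]),   # hundreds of ports, little data: a scan
          (1040, "ueba", [60, 300, 3]),         # 3 a.m., 300 documents, many new processes
          (1300, "netflow", [38, 4, 2.2e6])]


def run():
    return correlate(detect(MODELS, EVENTS))


if __name__ == "__main__":
    for incident in run():
        print([(a["ts"], a["sensor"], a["z"]) for a in incident])
```

Scoring on the residual as well as the projected distance guards against a known pitfall of PCA-based detection: a deviation that lies mostly along discarded components is invisible inside the subspace. The baselines here stand in for a quiet training window; in production that window must be curated so it does not already contain the attacker's activity.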

MITRE ATT&CK-Centric Characterization of Adversarial Behavior

Beyond anomaly detection, Zas’s thesis introduces a system for automated cyberattack characterization using supervised learning models—namely Decision Trees, Random Forest, and XGBoost—to classify events within the MITRE ATT&CK framework.

Key capabilities include:

  • Identification of tactics, techniques, and procedures (TTPs) from network traffic and system logs

  • Mapping of observed events to MITRE ATT&CK IDs and CAPEC patterns

  • Recommendation of mitigations based on ATT&CK countermeasures

By correlating observed anomalies with ATT&CK techniques (e.g., T1046: Network Service Discovery, formerly named Network Service Scanning; T1210: Exploitation of Remote Services), the model infers adversary objectives and the stage an intrusion has reached. It goes beyond static classification by closing a loop between detection, analysis and mitigation, much as threat intelligence-driven MDR platforms such as CrowdStrike Falcon and Microsoft Defender for Endpoint do.

Training relies on standard preprocessing (feature extraction, normalization, label encoding), and the thesis evaluates the models with confusion matrices, ROC curves and execution-time measurements. Using the UWF-ZeekDataFall22 dataset, Zeek network logs labelled against MITRE ATT&CK, grounds the evaluation in realistic traffic, and SMOTE oversampling compensates for the heavy class imbalance typical of such data. One detail practitioners should check in any such pipeline: oversampling must be applied only to the training split, after the train/test split, or synthetic neighbours of test records leak into training and inflate every reported metric.
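As an added example (not the thesis's code or data), the script below runs a miniature version of this pipeline in Python with numpy: constructed per-host traffic aggregates of the kind derived from Zeek conn.log records, a stratified train/test split, SMOTE-style oversampling applied to the training split only, a small CART-style decision tree standing in for the tree ensembles the thesis uses, a confusion matrix on the held-out split, and a lookup from the predicted technique to the ATT&CK mitigations listed for it. The feature definitions, class distributions and the two-class scheme (benign vs. T1046) are assumptions made for the illustration.

```python
"""Supervised characterization of traffic windows into ATT&CK techniques. Added illustration, not the
thesis's code; the data are constructed. Requires numpy."""
import numpy as np

rng = np.random.default_rng(1)

# Class id -> technique. M1030/M1031 are ATT&CK mitigations listed for T1046.
LABELS = {0: "benign", 1: "T1046"}
MITIGATIONS = {"T1046": ["M1030 Network Segmentation", "M1031 Network Intrusion Prevention"]}


def sample_windows(n_benign=200, n_scan=12):
    """Constructed per-host, per-minute aggregates of Zeek conn.log records:
    [connections, distinct resp ports, distinct resp hosts, share of S0/REJ states, mean resp_bytes]."""
    benign = np.column_stack([rng.normal(30, 8, n_benign), rng.normal(4, 1.5, n_benign),
                              rng.normal(6, 2, n_benign), rng.uniform(0.0, 0.1, n_benign),
                              rng.normal(5e4, 1.5e4, n_benign)])
    scan = np.column_stack([rng.normal(400, 80, n_scan), rng.normal(300, 60, n_scan),
                            rng.normal(3, 1, n_scan), rng.uniform(0.7, 1.0, n_scan),
                            rng.normal(200, 80, n_scan)])
    return np.vstack([benign, scan]), np.array([0] * n_benign + [1] * n_scan)


def stratified_split(X, y, test_frac=0.3):
    tr, te = [], []
    for c in np.unique(y):
        idx = rng.permutation(np.flatnonzero(y == c))
        cut = max(1, int(len(idx) * test_frac))
        te.extend(idx[:cut])
        tr.extend(idx[cut:])
    return X[tr], y[tr], X[te], y[te]


def smote(X, y, minority, n_new, k=3):
    """SMOTE-style oversampling: each synthetic row lies between a minority seed and one of its k nearest minority rows."""
    Xm = X[y == minority]
    new = []
    for _ in range(n_new):
        i = rng.integers(len(Xm))
        nn = np.argsort(np.linalg.norm(Xm - Xm[i], axis=1))[1:k + 1]
        new.append(Xm[i] + rng.random() * (Xm[rng.choice(nn)] - Xm[i]))
    return np.vstack([X, new]), np.concatenate([y, np.full(n_new, minority)])


def gini(y):
    p = np.unique(y, return_counts=True)[1] / len(y)
    return 1.0 - (p ** 2).sum()


def build_tree(X, y, depth=0, max_depth=4, min_leaf=2):
    """Greedy CART split on Gini impurity. Leaves are class ids; nodes are (feature, threshold, left, right)."""
    classes, counts = np.unique(y, return_counts=True)
    majority = int(classes[counts.argmax()])
    if depth == max_depth or len(classes) == 1:
        return majority
    best = None
    for f in range(X.shape[1]):
        vals = np.unique(X[:, f])
        for t in (vals[:-1] + vals[1:]) / 2:          # midpoints generalize better than observed values
            left = X[:, f] <= t
            nl, nr = left.sum(), (~left).sum()
            if nl < min_leaf or nr < min_leaf:
                continue
            g = (nl * gini(y[left]) + nr * gini(y[~left])) / len(y)
            if best is None or g < best[0]:
                best = (g, f, t)
    if best is None or best[0] >= gini(y):
        return majority
    _, f, t = best
    left = X[:, f] <= t
    return (f, t, build_tree(X[left], y[left], depth + 1, max_depth, min_leaf),
            build_tree(X[~left], y[~left], depth + 1, max_depth, min_leaf))


def predict(tree, x):
    while isinstance(tree, tuple):
        f, t, left, right = tree
        tree = left if x[f] <= t else right
    return tree


def confusion(y_true, y_pred, n_classes=2):
    M = np.zeros((n_classes, n_classes), int)
    for t, p in zip(y_true, y_pred):
        M[t, p] += 1
    return M


def characterize(tree, window):
    """Map one window to a technique and to the ATT&CK mitigations listed for it."""
    technique = LABELS[predict(tree, np.asarray(window, float))]
    return {"technique": technique, "mitigations": MITIGATIONS.get(technique, [])}


def run():
    X, y = sample_windows()
    Xtr, ytr, Xte, yte = stratified_split(X, y)
    # Oversample AFTER the split: SMOTE before it would place synthetic neighbours of test
    # windows in the training set and inflate every metric measured on the test set.
    Xtr, ytr = smote(Xtr, ytr, minority=1, n_new=int((ytr == 0).sum() - (ytr == 1).sum()))
    tree = build_tree(Xtr, ytr)
    return tree, confusion(yte, [predict(tree, x) for x in Xte])


if __name__ == "__main__":
    tree, M = run()
    print(M)
    print(characterize(tree, [450, 320, 2, 0.9, 150]))
```

The learner here is a single CART-style tree; Random Forest and XGBoost differ in how many trees they fit and how they combine them, not in the preprocessing discipline the example is about. The order of the split and the oversampling is the part to copy.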

Ontology-Driven Risk Governance and Interoperability

The third pillar of the framework is a semantic ontology for dynamic risk management. It acts as a unifying layer for integrating detection outputs, contextual threat intelligence, and mitigation strategies into a coherent risk posture. The ontology is designed to be interoperable with various risk management frameworks, including ITSRM, MAGERIT, MONARC, and EBIOS.

Core features include:

  • A formalized knowledge model incorporating assets, threats, vulnerabilities, and mitigations

  • Inter-framework translation and comparison (e.g., MAGERIT’s asset taxonomy vs. MONARC’s scenario modeling)

  • Real-time risk calculation and visualization using heat maps and scenario-based simulations

  • Decision support based on historical attack-response mappings

The ontology is expressed in OWL (Web Ontology Language), with SWRL rules and a semantic reasoner deriving new facts from the asserted ones, which yields a knowledge graph that supports semantic reasoning. It also accepts input from external threat-intelligence sources and legacy risk assessments, preserving continuity across governance layers.

The ontology supports use cases such as:

  • Scenario 1: Translating MONARC risk metrics to ITSRM standards

  • Scenario 2: Dynamically assessing residual risk after applying ATT&CK-recommended mitigations

  • Scenario 3: Visualizing the impact of polymorphic malware detection on organizational assets

This layer plays a critical role in supporting strategic decisions, enabling alignment between operational detections and executive-level risk insights.
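The following Python example, added here and not taken from the thesis's ontology, shows the mechanics behind scenario 2 and the mitigation recommendations mentioned earlier: a minimal triple store with two forward-chained Horn rules (the role SWRL rules and a reasoner play over an OWL model), followed by an inherent-versus-residual risk calculation once ATT&CK mitigations are applied to an asset. The asset and vulnerability identifiers, the 0-10 impact scale, the likelihood values and the mitigation effectiveness figures are all assumptions; only the ATT&CK technique and mitigation IDs are real.

```python
"""Ontology-style risk reasoning: triples + forward-chained Horn rules (the job OWL/SWRL and a reasoner
do in the thesis), then residual-risk aggregation once ATT&CK mitigations are applied.
Added illustration, not the thesis's ontology; identifiers, scales and effectiveness values are assumed."""


class KnowledgeGraph:
    def __init__(self):
        self.triples = set()

    def add(self, *triples):
        self.triples.update(triples)

    def objects(self, s, p):
        return {o for s2, p2, o in self.triples if s2 == s and p2 == p}

    def subjects(self, p, o):
        return {s for s, p2, o2 in self.triples if p2 == p and o2 == o}

    def pairs(self, p):
        return {(s, o) for s, p2, o in self.triples if p2 == p}

    def value(self, s, p):
        return float(next(iter(self.objects(s, p))))

    def saturate(self, rules):
        """Naive forward chaining: apply every rule until no new triple appears (monotone, so it terminates)."""
        while True:
            derived = {t for rule in rules for t in rule(self)} - self.triples
            if not derived:
                return self
            self.triples |= derived


# R1  hasVulnerability(a, v) ^ exploits(t, v) -> threatenedBy(a, t)
def r_threatened(g):
    return {(a, "threatenedBy", t) for a, v in g.pairs("hasVulnerability") for t in g.subjects("exploits", v)}


# R2  threatenedBy(a, t) ^ mitigates(m, t) -> recommends(a, m)   (ATT&CK countermeasure recommendation)
def r_recommend(g):
    return {(a, "recommends", m) for a, t in g.pairs("threatenedBy") for m in g.subjects("mitigates", t)}


RULES = [r_threatened, r_recommend]


def risk_report(g, asset):
    """inherent = impact x likelihood; residual = inherent x prod(1 - effectiveness) over the applied
    mitigations that cover the technique. Rules cannot derive 'no mitigation applies' (open-world
    assumption), so this aggregation lives in code rather than in a rule."""
    impact = g.value(asset, "impact")
    report = {}
    for t in sorted(g.objects(asset, "threatenedBy")):
        inherent = round(impact * g.value(t, "likelihood"), 2)
        controls = sorted(g.subjects("appliedTo", asset) & g.subjects("mitigates", t))
        residual = inherent
        for m in controls:
            residual *= 1 - g.value(m, "effectiveness")
        report[t] = {"inherent": inherent, "residual": round(residual, 2), "controls": controls}
    return report


def build_scenario():
    """Constructed instance: one database server, two weaknesses, two ATT&CK techniques, two mitigations.
    Impact on a 0-10 scale and likelihood/effectiveness in [0, 1] are assumed scales, not MAGERIT's own."""
    g = KnowledgeGraph()
    g.add(("ex:erp-db-01", "rdf:type", "Asset"), ("ex:erp-db-01", "impact", "8"),
          ("ex:erp-db-01", "hasVulnerability", "ex:smb-unpatched"),
          ("ex:erp-db-01", "hasVulnerability", "ex:flat-network"),
          ("attack:T1210", "exploits", "ex:smb-unpatched"), ("attack:T1210", "likelihood", "0.6"),
          ("attack:T1046", "exploits", "ex:flat-network"), ("attack:T1046", "likelihood", "0.9"),
          ("attack:M1030", "mitigates", "attack:T1046"), ("attack:M1030", "mitigates", "attack:T1210"),
          ("attack:M1030", "effectiveness", "0.5"),   # M1030 Network Segmentation (effectiveness assumed)
          ("attack:M1051", "mitigates", "attack:T1210"),
          ("attack:M1051", "effectiveness", "0.8"))   # M1051 Update Software (effectiveness assumed)
    return g.saturate(RULES)


def apply_mitigation(g, mitigation, asset):
    g.add((mitigation, "appliedTo", asset))
    return g.saturate(RULES)   # re-run the rules so derived facts reflect the new state


def run():
    g = build_scenario()
    before = risk_report(g, "ex:erp-db-01")
    recommended = sorted(g.objects("ex:erp-db-01", "recommends"))
    for m in recommended:
        apply_mitigation(g, m, "ex:erp-db-01")
    return before, recommended, risk_report(g, "ex:erp-db-01")


if __name__ == "__main__":
    before, recommended, after = run()
    print("recommended:", recommended)
    for t in before:
        print(t, "inherent", before[t]["inherent"], "-> residual", after[t]["residual"], after[t]["controls"])
```

Two details carry over to a real OWL/SWRL deployment. Rule evaluation is monotone, so saturation terminates, but it also cannot derive a negative such as "no applied mitigation covers T1210": OWL reasoners work under the open-world assumption, which is why the numeric residual-risk aggregation sits in application code rather than in a rule. Translating the numeric scales back into MAGERIT or MONARC vocabularies is exactly the inter-framework mapping the ontology layer exists to provide.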

Implications for Zero Trust, MDR, and Cloud-Scale Defense

The model proposed by Sánchez Zas reflects a practical evolution of the Zero Trust paradigm. Rather than assuming known infrastructure or static user roles, it emphasizes:

  • Least privilege enforcement through behavioral modeling

  • Continuous authentication and verification across layers

  • Granular segmentation of data and access pathways based on risk scoring

The integration of MITRE ATT&CK characterization and ontology-based reasoning also marks a shift in how MDR services can be operationalized. By automating detection-to-response pipelines, and grounding decisions in formal risk ontologies, security teams can move from reactive investigation to proactive, adaptive defense.

This has direct implications for AI-powered MDR platforms, such as those developed by Expel (in partnership with Wiz for cloud security telemetry), TCS's Cyber Defense Suite, and Google Cloud’s Chronicle. These platforms are increasingly leveraging contextual models to reduce alert fatigue and enhance the precision of incident response.

Strategic Takeaways

  • AI + CSA = Contextualized Defense: AI models must be integrated with situational context to yield actionable insights. Zas’s model demonstrates how unsupervised and supervised learning can be fused to detect and classify attacks beyond signature limitations.

  • TTPs over IOCs: Focusing on adversary behaviors—rather than static indicators—enhances resilience against novel or polymorphic threats.

  • Ontological Risk Models Enable Governance: Ontologies can unify detection, classification, and risk mitigation into an interpretable, standards-based framework.

  • Zero Trust Ready: Behavioral analytics, sensor fusion, and continuous verification align seamlessly with Zero Trust principles, offering a path forward for cloud-native organizations.

Final Thought

Carmen Sánchez Zas’s thesis offers a forward-looking blueprint for a cybersecurity architecture that is not only reactive but anticipatory. By weaving together detection, threat characterization, and risk-informed response under a unified, interoperable model, it reflects a mature vision of cyber situational awareness fit for modern enterprise defense.

In a time when security teams are expected to operate across increasingly complex hybrid and cloud environments, such integrated, AI-enabled frameworks will be critical in sustaining resilience and ensuring that security is not just maintained, but understood.

📘 Read the full research: Sánchez Zas, C. (2024). Propuesta de un modelo de caracterización de ciberataques para entornos de conciencia cibersituacional. [Doctoral Thesis, Universidad Politécnica de Madrid].

That’s all for this week’s edition of CloudSec Weekly—stay vigilant and stay secure!
