An Overview of Cybersecurity Knowledge Graphs Mapped to the MITRE ATT&CK Framework Domains

A large volume of cybersecurity-related data sets are generated daily from systems following disparate protocols and standards. It is humanly impossible for cybersecurity experts to manually sieve through these large data sets, with different schema and metadata, to determine potential attacks or issues. A myriad of applications and tool sets are offered to automate the analysis of large cyber data sets. Semantic Web's community has been studying the field of cybersecurity for over a decade and produced numerous knowledge graphs and frameworks. The Unified Cybersecurity Ontology (UCO) connected many of the leading knowledge representation frameworks, providing a holistic mapping of cyber data, beginning in 2016. MITRE ATT&CK is used by a wide variety of practitioners to understand how their current data and tooling prepare them to defend against both Advanced Persistent Threats (APTs) and less formal threat actors. The UCO and MITRE ATT&CK have provided researchers and practitioners, respectively, with tools to standardize data collection, correlation, and analysis. However, it is not apparent how current knowledge graphs and their applications in the cybersecurity domain utilize ATT&CK. In this paper, we present the results of our study on whether current cybersecurity knowledge graphs have mapped the main MITRE ATT&CK matrices.