Attack Chain Estimator (ACE)
AI-Powered Threat Intelligence Analysis for ICS/OT Environments
The Attack Chain Estimator (ACE) is a powerful application designed to assist analysts in dissecting the sequence of cyber attacks. By systematically ordering MITRE ATT&CK for ICS Tactics and Techniques, ACE constructs a detailed representation of attacks as they occur in operational environments. ACE excels at estimating what TTPs (Tactics, Techniques, and Procedures) are being described in threat reports and then predicting what TTPs are likely to occur next based on historical attack patterns.
Developed by Battelle Energy Alliance, LLC under contract with the United States Department of Energy, ACE leverages advanced machine learning techniques including natural language processing and Markov chain analysis to provide security analysts with powerful capabilities for understanding and anticipating adversary behavior in critical infrastructure environments.
ACE analyzes threat report text, classifies it according to the MITRE ATT&CK for ICS framework, and predicts the next likely tactics and techniques based on 14,000+ observables from real-world ICS attacks.
Benefits
The insights generated by ACE support multiple security operations and planning activities:
- Red Team Engineering: Design realistic attack scenarios based on historically observed attack progressions
- Threat Modeling: Understand potential attack paths and identify critical vulnerabilities in OT environments
- Threat Hunting: Proactively search for indicators of compromise based on predicted attack sequences
- OT SOC Operation Planning: Prepare defensive strategies and detection rules for likely attack progressions
- Modeling and Simulation: Accurately emulate adversary behavior for enhanced cyber defense preparedness
Features
Text Classifier
- Base Model: Microsoft DeBERTa-v3-base
- Training Data: CyOTE PAR observable dataset
- Function: Analyzes threat report text and identifies MITRE ATT&CK for ICS tactics/techniques
- Automatically extracts and classifies observable events from threat reports
Markov Chain Predictor
- Training Data: 27 CyOTE Precursor Analysis Reports
- Coverage: 14,000+ observables mapped to MITRE ATT&CK
- Function: Predicts next likely TTP based on historical attack transitions
- Provides probability scores for each potential next step
Interactive Attack Chain Builder
- Construct attack chains from the ground up
- Compare manual vs. AI-predicted chains
- Real-time classification and prediction
- Visual representation of attack progressions
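As an added illustration of the Markov chain predictor and the manual-vs-predicted chain comparison described above (example code written for this page, not ACE's own implementation): a first-order transition model over ATT&CK for ICS technique IDs, fitted here on a handful of constructed sample chains rather than the CyOTE PAR observables, that ranks likely next techniques, extends a chain greedily, and scores a manually built chain so unsupported steps stand out for review.

```python
from collections import Counter, defaultdict

# Constructed example sequences of ATT&CK for ICS technique IDs (not the CyOTE
# PAR dataset); each list is one observed attack progression, earliest first.
SAMPLE_CHAINS = [
    ["T0883", "T0886", "T0859", "T0846", "T0855", "T0831"],
    ["T0883", "T0886", "T0859", "T0888", "T0855", "T0831"],
    ["T0819", "T0859", "T0846", "T0855", "T0831"],
    ["T0883", "T0859", "T0846", "T0855"],
]


class MarkovTTPPredictor:
    def __init__(self):
        self.counts = defaultdict(Counter)  # counts[current][next] = occurrences

    def fit(self, chains):
        for chain in chains:
            for cur, nxt in zip(chain, chain[1:]):
                self.counts[cur][nxt] += 1
        return self

    def next_probs(self, technique):
        """Candidate next techniques with probabilities, most likely first.
        An unseen or terminal technique yields {} rather than a guess."""
        successors = self.counts.get(technique)
        if not successors:
            return {}
        total = sum(successors.values())
        ranked = sorted(successors.items(), key=lambda kv: (-kv[1], kv[0]))
        return {t: n / total for t, n in ranked}

    def predict_chain(self, start, steps):
        """Greedily extend a chain by its most likely next step, stopping early
        once the model has no observed transition out of the current technique."""
        chain = [start]
        for _ in range(steps):
            probs = self.next_probs(chain[-1])
            if not probs:
                break
            chain.append(next(iter(probs)))
        return chain

    def chain_probability(self, chain):
        """Likelihood of a manually built chain; any transition never seen in
        training drives the score to 0.0, flagging a step the data does not support."""
        p = 1.0
        for cur, nxt in zip(chain, chain[1:]):
            p *= self.next_probs(cur).get(nxt, 0.0)
        return p
```

The per-step probabilities are what an OT SOC would use to prioritise detection rules for the most likely next technique, and a chain score of 0.0 is the analyst's cue to examine that step rather than trust the model.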
Export Capabilities
- STIX JSON: Industry-standard threat intelligence format
- CSV: Tabular data for analysis
- Integration-ready outputs
- Support for downstream analysis tools
Resources
Upcoming Presentations
S4x26 Conference - Miami, Florida
- ACE will be showcased as part of presentations on operational technology security operations and active defense strategies.
Upcoming Publications
Active Defense with Intelligence: Securing Operational Technology Environments
Written by: Idaho National Laboratory (INL), Palo Alto Networks, and Siemens
- This collaborative report will feature ACE as a key tool for threat intelligence and active defense in OT environments.
Available Training
ACE is being used in real-world training and operational contexts to enhance OT security capabilities. For more information on how ACE supports OT Threat Hunting in hands-on training scenarios, see INL ICS Cybersecurity Training – 311.
Training Data
ACE models are trained on the CyOTE PAR (Precursor Analysis Reports) observable dataset, which includes:
- 27 comprehensive Precursor Analysis Reports from real-world ICS incidents
- 14,000+ observable events mapped to MITRE ATT&CK for ICS framework
- Attack sequences spanning all stages of ICS-targeted campaigns
- Coverage of tactics from Initial Access through Impact