By Stephen Moskal1, Shanchieh Jay Yang1, and Michael E Kuhl2
Existing research on cyber threat assessment focuses on analyzing the network vulnerabilities and producing possible attack graphs. Cyber attacks in real-world enterprise networks, however, vary significantly due to not only network and system configurations, but also the attacker’s strategies. This work proposes a cyber-based attacker behavior model (ABM) in conjunction with the Cyber Attack Scenario and Network Defense Simulator to model the interaction between the network and the attackers. The ABM leverages a knowledge-based design and factors in the capability, opportunity, intent, preference, and Cyber Attack Kill Chain integration to model various types of attackers. By varying the types of attackers and the network configurations, and simulating their interactions, we present a method to measure the overall network security against cyber attackers under different scenarios. Simulation results based on four attacker types on two network configurations are shown to demonstrate how different attacker behaviors may lead to different ways to penetrate a network, and how a single misconfiguration may impact network security.
As the impact and prevalence of cyber attacks have grown, businesses have taken action toward network security by employing staff, tools, and services to better protect their business, data, and customers. Despite the billions of dollars spent on the prevention of cyber attacks, high-profile data breaches are becoming more common, affecting not only the businesses but also the millions of innocent customers of these businesses. Cyber defense strategies, such as intrusion detection systems (IDSs), strict firewall policies, and access controls, are common defense approaches. However, the implementation of these methods requires expertise and extensive configuration of complex rules.1 Ginter2 indicates that firewall configurations contain on average 793 rules for a typical enterprise network and this rule set is often modified multiple times a month. The misconfiguration of the firewall rules of a router was identified as a key cause of the 2015 United Airlines outage that resulted in the grounding of all flights for almost 2 hours and a tremendous amount of negative publicity.3
The dependence on the stability and security of computer networks is driving the demand for pre-emptive cyber analytics to aid in the discovery of potential cyber threats or vulnerabilities rather than relying solely on threat detection (or, in some cases, cyber forensic analysis). Cyber analytics, such as firewall policy analysis,4,5 penetration tests, and physical cyber attack simulations (white-hat hackers actually attack the network to discover vulnerabilities),6 may be conducted to increase the defense’s preparedness for cyber attacks. Currently there is no established method for measuring the effectiveness or risk of defense strategies.7 Although penetration tests and live simulations may be effective at providing insight into network vulnerabilities, they are impractical to conduct every time there is a defense policy change. Penetration tests typically measure the risk or severity of policies by the ease of exploiting vulnerabilities and potential breaches,8 but only represent the capability of the tester and what he/she is able to identify, which may not be complete.9 With the diverse set of attacker types and skill levels that have been identified,10 as well as attackers and attacker behaviors that are yet to be identified (now or in the future), a methodology is needed that can take into consideration a full range of hacker behaviors when assessing the network’s security and risks.
Live simulations and penetration tests typically provide a limited but detailed set of cyber attack scenario data for one network and specific behaviors. Synthesizing this data over alternative network configurations and attacker types/behaviors could provide more accurate and robust security assessments, since it allows one to understand how the vulnerabilities could be realized. However, accurately modeling and representing a full range of cyber attacks and cyber attack behaviors is a complex and daunting task due to the sheer number of network possibilities and choices an attacker has to make. This work reduces the complexity of describing cyber attackers by employing a set of cyber-based contextual models representing the stages of cyber attacks, vulnerability modeling, and a portrayal of the attacker’s knowledge of the target network to generate representative cyber attack scenario data in a realistic and efficient manner. We propose a framework to represent cyber attacker behaviors and apply the methodology to an existing cyber attack simulator to measure the effects network configurations and cyber attacker behaviors might have on the overall network security. The contributions of this work are as follows:
- define an attacker behavior model (ABM) using a capability, opportunity, intent (COI) model with additional preferences to differentiate among attacker types;
- incorporate the notion of a developing knowledge base for the attacker to determine the next attack action; and
- investigate the effects network configuration has on attacker behavior by simulating multiple networks and attacker behaviors.
The remainder of this paper is structured as follows: Section 2 contains related work to cyber attack behavior modeling and simulations. Section 3 gives a brief overview of the context models needed to simulate cyber attacks. Section 4 gives a detailed description of the ABM and its process flow. Section 5 describes the simulation setup and experiments that are conducted, where the results of the experiments are shown in Section 6. Lastly, conclusions and future work are discussed in Section 7.
2 Related Work
The cyber analytics research field currently has two primary focus areas: attack detection and attack prevention. Attack detection methods range from common tools, such as virus scanners or IDSs,11 to more experimental research, including network behavior profiling and analytics.12 Attack detection techniques are generally used as a defense method to mitigate damages, which requires observing malicious behaviors indicating potential attacks. Due to the importance of, and reliance on, computer services and certain assets (e.g., customer data), prevention of cyber attacks is equally as critical as detection. This work focuses on pre-emptive analysis strategies. Our goal is to emulate the processes and data a real attack would produce for the purpose of analyzing a network’s security from cyber attacks.
Intrusion prevention systems involve detecting vulnerabilities and exploits before an attack has occurred to inhibit or deter future cyber attackers. Core techniques, such as firewalls, access control, and vulnerability scanners,13 are common methods for preventing basic cyber attacks. For enterprise networks with complex access control schemes and critical assets, more rigorous and comprehensive analysis techniques, such as penetration tests and white-hat live attack simulations, are used. These two practices have the common goal of synthesizing data and offer the following benefits: penetration tests provide detailed insight of the overall resistance to attacks8 and live simulations demonstrate the behavior of attackers in a controlled environment that can be observed and analyzed.6
Overall security is demonstrated in attack graph research, where single attack paths are generated using the relationship between the network configuration and the vulnerabilities on the network. Attack graphs allow for various degrees of detail, where considering more attack features in the attack graph generally yields more realistic attack paths at the cost of computational complexity. Attack graph modeling ranges from considering only network connectivity and vulnerabilities, such as Jha et al.14 and Sheyner et al.,15 to dynamic risk assessments using asset and mitigation strategy models by Poolsappasit et al.16 In 2015, Kotenko and Doynikova17,18 extended this work by adding the CAPEC database to the attack graph structure to reflect realistic attack paths and scenarios and further increase the quality of the assessment.
To observe how and why an attacker performed certain actions (the main benefit of live simulations), two methods are used: game theory and, less commonly, simulation. Game theory is a useful technique for modeling the interaction between the red and blue teams. Wang et al.19 develop a method that seeks an optimal defense strategy using game theory. In addition, Chung et al.20 use Q-Learning to learn past behaviors and defense strategies to play the most effective defensive game. Game theory is a particularly strong application for cyber analytics because it describes detailed behaviors of both the red and blue teams, which enables analysis of the interactions between them.
Similar to game theory, the impacts of attacks and attackers can be realized through the use of configurable cyber attack simulation platforms. NeSSi2, an agent-based simulation platform by Grunewald et al.,21 models a packet-level description of a network with the primary focus on simulating the effects of distributed denial of service (DDoS) attacks. NeSSi2 models the effects of various worm behaviors and how worms propagate through a network. This technique proves to be useful in other contexts, such as smart grid networks.22 The predecessor to this work by Moskal et al.23 introduced a cyber-context model-driven simulator called the Multistage Attack Scenario Simulator (MASS). The MASS develops a Virtual Terrain (VT) and an ABM to simulate the interactions between the network and attackers. Leveraging data from MITRE24 and the National Vulnerability Database (NVD)25 to describe the network landscape and the attacker’s behavior in terms of configurable parameters, the MASS is able to simulate various cyber attack scenarios. The MASS also models dynamic defense strategies and IDSs to allow the capability of correlating the simulated ground truth data and other data that is typically observed as a result of real network attacks (e.g., IDS logs).
The attack graph literature provides a comprehensive analysis of the potential vulnerabilities and is expandable to account for many different scenarios at the cost of computational complexity as the model becomes more complex (see, for example, Poolsappasit et al.16). The game theoretic approaches provide detailed models of the interactions between the red and blue teams, resulting in realistic models of specific cyber attacks. The challenge is to comprehensively analyze the network’s security while realistically representing a diverse set of cyber attack scenarios with a reasonable computational complexity. We propose models that capture the essence of what is needed to simulate the interaction between the red and blue teams by leveraging industry accepted models and building on existing research while maintaining an acceptable run time and realistic results.
3 Simulating red team versus blue team
Simulating the interactions between the red team (attackers) versus the blue team (targeted network and network defense) requires the modeling of human versus network interactions (exploitation) and network versus human interactions (defense).20 The representation of a cyber attacker or a human requires modeling at many levels of detail. High-level cyber attack scenario descriptions can be used to describe an attacker,18 or specific behaviors can be modeled.19 Networks can also be modeled in various levels of detail: from complex packet-level descriptions21 to less detailed network terrain descriptions.23 To simplify these abstract models of humans and networks, an ensemble of cyber-based context models is used to narrow down the potential search space to cyber-specific details. This work uses the concept of previous research23,26,27 to describe base context models that encompass the requirements of cyber attacks in general, where each context model contains specific components to capture detailed functionality.
Illustrated in Figure 1 are the three basic building blocks to simulate network threats and attacks and how the models interact with one another. The two primary context models are the network and the attacker. The network model that represents the blue team is based on the VT of Moskal et al.23 and Wheeler,27 which describes network machines, services, vulnerabilities, and defense mechanisms at a high level. The VT avoids explicitly modeling some ancillary network features, such as packet routing and packet flow, while maintaining important cyber security-related features, including firewall configurations and system permissions. In the system architecture, the VT defines the network landscape and features the red team can target and exploit. Figure 1 depicts the dependence the red and blue teams have on one another, although teams are defined separately and function independently. We use the notion of information exchange between the component models to develop the basis of our methodology for representing the behaviors of the red team.
Figure 1. The three cyber-based context models and the knowledge flow between them. IDS: intrusion detection system.
The primary focus of this work is modeling the behaviors and actions of the red team. The red team consists of two parts: the attacker(s) and the intent of the attack. The objective of the attacker model is to represent the processes by which cyber attackers use information when selecting cyber attack actions (see Moskal28 for a comprehensive analysis of tools and information used by cyber attackers). Intent defines the underlying purpose of the attack, including the attack mission objective, attack strategies, and targeted services. This aspect is important, as the intent of the attack on the network29 influences the attacker’s decision process.26 Moskal28 describes the methodology behind the network knowledge, modus operandi, and the definition of the intent, as described in Figure 1. The following section describes the methodology and process of selecting an attack using the cyber attacker context models given a network description and an intent.
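To make the knowledge flow of Figure 1 concrete, the following added example (constructed for this article; it is not the MASS, the Cyber Attack Scenario and Network Defense Simulator, or any code from the paper's authors) implements a miniature version of the three building blocks: a Virtual Terrain for the blue team (hosts, services, and an explicit firewall allow-list), an attacker knowledge base that only grows through what the firewall lets the attacker observe from a current foothold, and an intent that names the targeted service and drives action selection. The two terrains, host and service names, and the single extra firewall rule in the misconfigured variant are all assumed values chosen to illustrate the paper's point that one misconfiguration can change the attack path that reaches the objective.

```python
"""Toy red-team-versus-blue-team simulation.

Constructed illustration of the VT / attacker-knowledge / intent split
described in the paper; not the simulator the paper uses.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Host:
    name: str
    # service name -> True if the service carries an exploitable weakness (constructed)
    services: dict[str, bool]


@dataclass
class VirtualTerrain:
    """Blue-team model at the level of detail the VT keeps: no packets, only
    which host offers which service and what the firewall policy permits."""
    hosts: dict[str, Host]
    # allow-list of (source, destination, service); anything not listed is dropped
    firewall: set[tuple[str, str, str]]

    def allowed(self, src: str, dst: str, service: str) -> bool:
        return (src, dst, service) in self.firewall


@dataclass
class Intent:
    target_service: str  # mission objective: gain a foothold on a host running this


@dataclass
class AttackerKnowledge:
    """What the red team has learned so far; starts knowing only 'internet'."""
    footholds: set[str] = field(default_factory=lambda: {"internet"})
    observed: dict[str, set[str]] = field(default_factory=dict)  # host -> services seen
    log: list[str] = field(default_factory=list)


def scan(vt: VirtualTerrain, kb: AttackerKnowledge, src: str) -> None:
    """Knowledge flows network -> attacker: only services the firewall exposes
    to the current foothold enter the knowledge base."""
    for dst, host in vt.hosts.items():
        for svc in host.services:
            if vt.allowed(src, dst, svc):
                kb.observed.setdefault(dst, set()).add(svc)


def simulate(vt: VirtualTerrain, intent: Intent, max_steps: int = 10) -> AttackerKnowledge:
    """Knowledge flows attacker -> network: each step picks one action from the
    knowledge base, preferring hosts that run the intended target service."""
    kb = AttackerKnowledge()
    for _ in range(max_steps):
        for src in list(kb.footholds):
            scan(vt, kb, src)
        candidates = [
            (dst, svc)
            for dst, svcs in kb.observed.items() if dst not in kb.footholds
            for svc in svcs if vt.hosts[dst].services[svc]
        ]
        if not candidates:
            kb.log.append("stuck: nothing exploitable is reachable")
            return kb
        # preference: target service first, then a stable tie-break by host name
        candidates.sort(key=lambda c: (c[1] != intent.target_service, c[0]))
        dst, svc = candidates[0]
        kb.footholds.add(dst)
        kb.log.append(f"exploit {svc} on {dst}")
        if intent.target_service in vt.hosts[dst].services:
            kb.log.append("objective reached")
            return kb
    kb.log.append("step budget exhausted")
    return kb


def count_exploits(kb: AttackerKnowledge) -> int:
    """Number of exploit actions needed, a crude exposure measure for a terrain."""
    return sum(1 for entry in kb.log if entry.startswith("exploit"))


# Constructed three-tier network: web -> app -> db, every service weak for illustration.
HOSTS = {
    "web": Host("web", {"http": True}),
    "app": Host("app", {"rpc": True}),
    "db": Host("db", {"mysql": True}),
}
TIERED_POLICY = {("internet", "web", "http"), ("web", "app", "rpc"), ("app", "db", "mysql")}
HARDENED = VirtualTerrain(HOSTS, set(TIERED_POLICY))
# One extra rule (assumed misconfiguration) exposes the database tier to the outside.
MISCONFIGURED = VirtualTerrain(HOSTS, TIERED_POLICY | {("internet", "db", "mysql")})
INTENT = Intent(target_service="mysql")

if __name__ == "__main__":
    for label, terrain in (("hardened", HARDENED), ("misconfigured", MISCONFIGURED)):
        result = simulate(terrain, INTENT)
        print(f"{label}: {count_exploits(result)} exploit step(s)")
        for entry in result.log:
            print("  " + entry)
```

Against the hardened policy the attacker's knowledge base grows one tier per step and three exploit actions precede the objective; with the single added firewall rule the database is visible from the first scan and the intent-driven preference selects it immediately. Swapping the preference in `simulate` (for example, breadth of footholds rather than the target service) is the toy analogue of the paper's different attacker types, and the exploit count is the kind of per-configuration measure the simulation produces for comparison.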