nach oben

Erschienen in:

2019 | OriginalPaper | Buchkapitel

Closing the Gap with APTs Through Semantic Clusters and Automated Cybergames

verfasst von : Steven Gianvecchio, Christopher Burkhalter, Hongying Lan, Andrew Sillers, Ken Smith

Erschienen in: Security and Privacy in Communication Networks

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

Defenders spend significant time interpreting low-level events while attackers, especially Advanced Persistent Threats (APTs), think and plan their activities at a higher strategic level. In this paper, we close this semantic gap by making the attackers’ strategy an explicit machine-readable component of intrusion detection. We introduce the concept of semantic clusters, which combine high-level technique and tactic annotations with a set of events providing evidence for those annotations. We then use a fully automated cybergaming environment, in which a red team is programmed to emulate APT behavior, to assess and improve defensive posture. Semantic clusters both provide the basis of scoring these cybergames and highlight promising defensive improvements. In a set of experiments, we demonstrate effective defensive adjustments which can be made using this higher-level information about adversarial strategy.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Obfusifier: Obfuscation-Resistant Android Malware Detection System

Nächstes Kapitel Stochastic ADMM Based Distributed Machine Learning with Differential Privacy

https://attack.mitre.org/wiki/Main_Page.

Ancillary techniques are used due to some semantic overlap in ATT&CK. For example, using a powershell command to dump credentials (T1003) could also be correctly labeled as an instance of execution via powershell (T1086).

Note that blue can report on the same red activity more than once if multiple sensors detect different aspects of the same red action. In this case, we only count one true positive.

We can apply the blue bot repeatedly to the same red activity because the blue bot does not alter the gameboard.

ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge. https://attack.mitre.org. Accessed 24 Apr 2019

CAPEC: Common Attack Enumeration and Classification. https://capec.mitre.org. Accessed 24 Apr 2019

CASCADE. https://github.com/mitre/cascade-server. Accessed 30 Apr 2019

Cyber Analytics Repository. https://car.mitre.org/data_model/. Accessed 24 Apr 2019

Endgame RTA: Red Team Automation. https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation. Accessed 24 Apr 2019

First Round of MITRE ATT&CK Product Evaluations Released. https://medium.com/mitre-attack/first-round-of-mitre-att-ck-evaluations-released-15db64ea970d. Accessed 24 Apr 2019

MANDIANT: Exposing One of China’s Cyber Espionage Units. https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf. Accessed 24 Apr 2019

NSA/CSS Technical Cyber Threat Framework v2. https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf. Accessed 24 Apr 2019

Red Canary ATT&CKs (Part 1): Why We’re Using ATT&CK Across Red Canary. https://redcanary.com/blog/red-canary-and-mitre-attack/. Accessed 24 Apr 2019

10.

Swift On Security - Sysmon Config. https://github.com/SwiftOnSecurity/sysmon-config. Accessed 24 Apr 2019

11.

Sysmon 9.0. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon. Accessed 24 Apr 2019

12.

The Elasticsearch Common Schema. https://github.com/elastic/ecs/tree/master/schemas. Accessed 24 Apr 2019

13.

The Pyramid of Pain. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html. Accessed 24 Apr 2019

14.

The SOC Gets a Makeover. https://www.darkreading.com/risk/the-soc-gets-a-makeover/d/d-id/1332744/. Accessed 24 Apr 2019

15.

Applebaum, A., Miller, D., Strom, B., Foster, H., Thomas, C.: Analysis of automated adversary emulation techniques. In: Summer Simulation Multi-Conference, p. 16 (2017)

16.

Applebaum, A., Miller, D., Strom, B., Korban, C., Wolf, R.: Intelligent, automated red team emulation. In: 32nd Annual Conference on Computer Security Applications, pp. 363–373. ACM (2016)

17.

Bodeau, D., McCollum, C., Fox, D.: Cyber threat modeling: survey, assessment, and representative framework. Tech. Rep. 16-J-00184-01, The MITRE Corporation: Homeland Security Systems Engineering and Development Institute (April 2018)

18.

Ferguson, B., Tall, A., Olsen, D.: National cyber range overview. In: Military Communications Conference (MILCOM), 2014 IEEE, pp. 123–128. IEEE (2014)

19.

Fletcher, T.A., Sharp, C., Raghavan, A.: Optimized common information model, US Patent App. 14/800,678 (2016)

20.

Fox, D., McCollum, C., Arnoth, E., Mak, D.: Cyber wargaming: framework for enhancing cyber wargaming with realistic business context. Tech. Rep. 16-J-00184-04, The MITRE Corporation: Homeland Security Systems Engineering and Development Institute, November 2018

21.

Goldis, P.D.: Questions and answers about tiger teams. EDPACS 17(4), 1–10 (1989)CrossRef

22.

Hoffmann, J.: Simulated penetration testing: from dijkstra to turing test++. In: 25th International Conference on Automated Planning and Scheduling (2015)

23.

Huang, X., Alleva, F., Hon, H.W., Hwang, M.Y., Lee, K.F., Rosenfeld, R.: The sphinx-ii speech recognition system: an overview. Comput. Speech & Lang. 7(2), 137–148 (1993)CrossRef

24.

Kewley, D.L., Bouchard, J.F.: Darpa information assurance program dynamic defense experiment summary. IEEE Trans. Syst., Man, Cybern. - Part A: Syst. Hum. 31(4), 331–336 (2001)CrossRef

25.

Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: Holmes: real-time apt detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy, pp. 430–445. IEEE (2019)

26.

Niculae, S.: Reinforcement learning vs genetic algorithms in game-theoretic cyber-security, October 2018. thesiscommons.org/nxzep

27.

Oakley, J.: Improving cyber defensive stratagem through apt centric offensive security assessment. In: International Conference on Cyber Warfare and Security, pp. 552-XV. Academic Conferences International Limited (2018)

28.

Oltsik, J., Alexander, C., CISM, C.: The life and times of cybersecurity professionals. ESG and ISSA: Research Report (2017)

29.

Ošlejšek, R., Toth, D., Eichler, Z., Burská, K.: Towards a unified data storage and generic visualizations in cyber ranges. In: 16th European Conference on Cyber Warfare and Security. p. 298. Academic Conferences and publishing limited (2017)

30.

Passerini, Emanuele, Paleari, Roberto, Martignoni, Lorenzo: How good are malware detectors at remediating infected systems? In: Flegel, Ulrich, Bruschi, Danilo (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 21–37. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02918-9_2CrossRef

31.

Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)CrossRef

32.

Rossey, L.: Simspace cyber range. In: ACSAC 2015 Panel: Cyber Experimentation of the Future (CEF): Catalyzing a New Generation of Experimental Cyber-security Research (2015)

33.

Rossey, L.M., et al.: Lariat: lincoln adaptable real-time information assurance testbed. In: Aerospace Conference, vol. 6, pp. 6–6. IEEE (2002)

34.

Sarraute, C., Buffet, O., Hoffmann, J.: POMDPs make better hackers: accounting for uncertainty in penetration testing. In: 26th AAAI Conference on Artificial Intelligence (2012)

35.

Silver, D., et al.: Mastering the game of go with deep neural networks and tree search. Nature 529(7587), 484 (2016)CrossRef

36.

Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy, pp. 305–316. IEEE (2010)

37.

Trinius, P., Willems, C., Holz, T., Rieck, K.: A malware instruction set for behavior-based analysis (2009)

38.

Van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: Flipit: The game of “stealthy takeover". J. Cryptol. 26(4), 655–713 (2013)MathSciNetCrossRef

39.

Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: 9th ACM Conference on Computer and Communications Security, pp. 255–264. ACM (2002)

40.

Wood, B.J., Duggan, R.A.: Red teaming of advanced information assurance concepts. In: DARPA Information Survivability Conference and Exposition, pp. 112–118. IEEE (2000)

Titel: Closing the Gap with APTs Through Semantic Clusters and Automated Cybergames
verfasst von: Steven Gianvecchio
Christopher Burkhalter
Hongying Lan
Andrew Sillers
Ken Smith
Verlag: Springer International Publishing
Buch: Security and Privacy in Communication Networks
Print ISBN: 978-3-030-37227-9

Electronic ISBN: 978-3-030-37228-6

Copyright-Jahr: 2019
DOI: https://doi.org/10.1007/978-3-030-37228-6_12

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner