Computers & Security (Elsevier), Volume 61, August 2016, Pages 19-31

Cyber resilience recovery model to combat zero-day malware attacks

https://doi.org/10.1016/j.cose.2016.05.001

Abstract

This paper presents the implementation of an epidemiological model to combat a zero-day outbreak within a closed network. The proposed dynamic Cyber Resilience Recovery Model (CRRM) is used to combat the simulated outbreak and minimize disruptions to business operations. CRRM combines the National Institute of Standards and Technology Special Publication 800-61 incident response life cycle and Susceptible-Infected-Quarantined-Recovered epidemiological model. It provides insights into the strengths and weaknesses of current recovery processes and presents possible solutions for addressing changing cybersecurity threats. Evaluation results demonstrate that CRRM accurately simulates malware outbreaks on a network and has the potential to serve as a valuable tool for supporting decision-making and technological investments that improve cyber resilience.

Introduction

An increase in malware attacks in recent years has imposed serious threats to mission-critical systems and capabilities. Sophisticated zero-day malware is capable of penetrating a network and replicating itself repeatedly under new, as yet unrecognized signatures. In this manner, the malware quickly spreads through the network, interrupting business operations and degrading system capabilities.

Organizations implement various approaches to defending and protecting their digital intellectual property. Some organizations invest most of their resources in perimeter security systems, such as firewalls and intrusion detection systems (IDSs), while others use resources to mitigate incidents. To resist zero-day attacks, a perimeter security system alone is inadequate; resisting them requires advanced zero-day detection techniques and a well-defined incident response and recovery process that implements the proper software and hardware tools. Because zero-day malware has an unknown signature and is a serious threat to information security, there are many ongoing efforts to build defensive strategies to detect it and mitigate the harm it causes (Wierman and Marchette, 2004). The ultimate goal is to detect zero-day malware, contain and remove it, and prevent future recurrences (Mitropoulos et al., 2006).

In this paper, the case of a phishing attack containing zero-day malware and its outbreak within a closed computer network is presented. In addition, the dynamic Cyber Resilience Recovery Model (CRRM) is proposed to assess the impact of technology investments on incident handling. Several simulation scenarios that can reduce the incident rate and improve the recovery rate are conducted. The simulations compare three different approaches to security awareness training, intrusion detection, quarantining, and eradication and restoration. By implementing CRRM, the most effective option within each area under analysis is determined.

The remainder of this paper is organized as follows. In Section 2, previous work in the areas of cybersecurity, incident response and recovery frameworks, zero-day malware, and epidemiological models is described. In Section 3, the present methodology, CRRM modeling, and data collection and analyses are presented. In Section 4, the simulation results are provided. In Section 5, research conclusions are given and a direction for future research is highlighted.


Incident response and recovery frameworks

An effective incident response and recovery process can strengthen the resilience of a system or network. It must withstand malware attacks, adapt quickly to change, and evolve into an improved process. A viable incident response and recovery framework must have a business role within an organization. It must be efficient, cost-effective, and repeatable to mitigate risk and invoke continuous process improvement (Van Wyk and Forno, 2001). In recent years, organizations have established computer

Methodology

The goal of this study was to develop CRRM for reducing cyber risks and increasing resilience. The methodological steps for this research are outlined below.

  • The NIST SP-800-61 standard was selected as the baseline framework.

  • CRRM, a system dynamics (SD) model, was developed by combining the Susceptible-Infected-Quarantined-Recovered (SIQR) model (Sterman, 2000) with the NIST SP 800-61 framework.

  • The Analytic Hierarchy Process (AHP) was implemented to collect and analyze the responses from cybersecurity experts. Data analyses yielded

Simulations, results, and discussion

From a cyber operations perspective, organizations should strive to maintain their networks and computers in a malware-free state. The incident rate is used to measure the performance of different security awareness training frequencies, intrusion detection methods, and quarantine methods; the eradication and restoration rate is used to measure the effectiveness of eradication and restoration methods.
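The paper does not reproduce its SIQR equations or the parameter values elicited from the experts, so the following is an added example written for this page, not the authors' CRRM code: a minimal SIQR stock-and-flow model of the kind the Methodology section describes, integrated with a fixed-step Euler scheme as a system dynamics tool would do, and run under four hypothetical scenarios that stand in for the levers discussed here (awareness training lowers the contact rate beta, faster detection raises the quarantine rate delta, faster eradication and restoration raises epsilon). Network size, initial infections and all rate values are assumptions chosen for illustration.

```python
"""SIQR (Susceptible-Infected-Quarantined-Recovered) outbreak simulation.

Added example with hypothetical parameters; it is not the CRRM model from
the paper and the mapping of rates to NIST SP 800-61 phases is an assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SIQRParams:
    beta: float         # contact/infection rate per day (awareness training lowers it)
    delta: float        # detection-and-quarantine rate per day (detect/contain phase)
    epsilon: float      # eradication-and-restoration rate per day for quarantined hosts
    gamma: float = 0.0  # rate at which infected hosts are cleaned without quarantine


def basic_reproduction_number(p: SIQRParams) -> float:
    """Secondary infections per infected host in a fully susceptible network.
    The outbreak can only grow if this exceeds 1."""
    return p.beta / (p.delta + p.gamma)


def simulate_siqr(n_hosts: int, i0: int, p: SIQRParams,
                  days: float = 120.0, dt: float = 0.05) -> dict:
    """Euler-integrate the four stocks and return outbreak metrics."""
    s, i, q, r = float(n_hosts - i0), float(i0), 0.0, 0.0
    peak_infected, time_to_peak, peak_quarantined = i, 0.0, 0.0
    cumulative_incidents = 0.0
    for k in range(1, int(days / dt) + 1):
        # Flows over one step; dt is small enough that no flow exceeds its stock.
        new_infections = p.beta * s * i / n_hosts * dt
        new_quarantined = p.delta * i * dt
        cleaned_in_place = p.gamma * i * dt
        restored = p.epsilon * q * dt
        s -= new_infections
        i += new_infections - new_quarantined - cleaned_in_place
        q += new_quarantined - restored
        r += cleaned_in_place + restored
        cumulative_incidents += new_infections
        if i > peak_infected:
            peak_infected, time_to_peak = i, k * dt
        peak_quarantined = max(peak_quarantined, q)  # hosts out of service at once
    return {
        "peak_infected": peak_infected,
        "time_to_peak_days": time_to_peak,
        "peak_quarantined": peak_quarantined,
        "incident_rate_per_day": cumulative_incidents / days,
        "final": {"S": s, "I": i, "Q": q, "R": r},
    }


# Hypothetical scenarios: one lever changed at a time relative to the baseline.
SCENARIOS = {
    "baseline": SIQRParams(beta=0.8, delta=0.25, epsilon=0.2),
    "awareness_training": SIQRParams(beta=0.4, delta=0.25, epsilon=0.2),
    "faster_detection": SIQRParams(beta=0.8, delta=1.0, epsilon=0.2),
    "faster_restoration": SIQRParams(beta=0.8, delta=0.25, epsilon=0.6),
}


def compare_scenarios(n_hosts: int = 1000, i0: int = 5) -> dict:
    """Run every scenario on the same constructed network of n_hosts machines."""
    return {name: simulate_siqr(n_hosts, i0, p) for name, p in SCENARIOS.items()}


if __name__ == "__main__":
    for name, res in compare_scenarios().items():
        print(f"{name:20s} R0={basic_reproduction_number(SCENARIOS[name]):.2f} "
              f"peak_I={res['peak_infected']:7.1f} at day {res['time_to_peak_days']:5.1f} "
              f"peak_Q={res['peak_quarantined']:7.1f} "
              f"incidents/day={res['incident_rate_per_day']:.2f}")
```

Two properties of the model are worth noticing because they mirror the paper's choice of separate metrics: the contact rate and the quarantine rate set how large the outbreak gets (the incident rate), whereas the restoration rate has no effect on the infected trajectory at all and only governs how many hosts are out of service in quarantine at once. Under these assumed values, raising the quarantine rate to 1.0 per day pushes the basic reproduction number below 1, so the outbreak never grows beyond the initial infections.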

Conclusions and future research

Increasing connectivity in cyberspace has resulted in the need for a strong cyber defense system. It is often users themselves who inadvertently introduce harm to a network by executing malicious e-mail attachments. Traditional cyber defense strategies, such as firewalls and IDSs, are no longer adequate. Organizations must plan for a robust resilience framework that provides the ability to operate under persistent phishing attack conditions. The simulation results and data analyses presented in

Acknowledgements

This research is in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Systems Engineering at The George Washington University. The authors would like to sincerely thank the Department of Engineering Management and Systems Engineering for their support and the cybersecurity experts from both the public and private sectors who provided modeling suggestions and the data to make this research possible. The authors would also like to thank the anonymous reviewers from




Hiep Tran is a Lead Systems Engineer at the MITRE Corporation, McLean, Virginia where he supports various Department of Defense Cybersecurity enterprise architecture developments. He received his B.Sc. in Electrical and Computer Engineering and B.Sc. in Applied Mathematics from Old Dominion University, Virginia. He obtained his M.Sc. in Engineering Management from The George Washington University, Washington, D.C. Currently, he is a Ph.D. candidate in the Department of Engineering Management and Systems Engineering at The George Washington University. His research interests are focused in the areas of cybersecurity, intrusion detection, zero-day malware behavior, incident handling and response, modeling and simulation, and system dynamics.

Enrique Campos-Nanez is a Senior Software Engineer at The Epsilon Group, an Alere Inc. company, Charlottesville, Virginia, where he is in charge of development of modeling and simulation software for pharmacokinetics. He lectures on system dynamics, modeling, and optimization for The George Washington University, Washington, D.C. He holds a B.Sc. in Mathematics from the Universidad Nacional Autónoma de México (UNAM), Mexico, an M.Sc. in Operations Research from Stanford University, Stanford, California, and a Ph.D. in Systems and Information Engineering from the University of Virginia, Charlottesville. His research interests include healthcare analytics, mathematical modeling, and systems and software engineering.

Pavel Fomin is an Aerospace Engineer with the United States Air Force, where he is responsible for technology development, demonstration, and capability transition. Dr. Fomin holds a B.Sc. in Systems Engineering from the University of Virginia, Charlottesville, and an M.Sc. and Ph.D. in Systems Engineering from The George Washington University, Washington, D.C. His research interests include technology maturity and insertion, capability transition, and systems modeling.

James Wasek is a Senior Enterprise Architect and the Regional Director of Operations with eScience & Technology Solutions, Inc. in Stafford and Quantico, VA. He provides technical, systems engineering, and operational and systems architecture support for numerous U.S. Marine Corps Command and Control (C2) and Radar systems. Dr. Wasek has significant expertise in the areas of systems engineering, enterprise architecture, testing and evaluation, systems analysis, acquisitions, and program management. Since 2006, he has been an Adjunct Professor with The George Washington University, Washington, D.C., where he instructs graduate students in systems engineering, engineering management, and program management.
