1 Introduction
- presenting an easily expandable, time-enabled attacker/defender meta model for depicting and assessing advanced persistent threats;
- developing a set of dynamic, non-cooperative roleplaying game (RPG) rules representing APT campaigns with all their assets, actors, and actions;
- providing a link between various standards and formats, such as STIX-defined data observables, CAPEC attack patterns, as well as operational risk assessment and mitigation planning within a gamified setting;
- introducing a mapping mechanism for correlating attacker behavior to opposing security and privacy controls listed in the NIST SP 800-53 standard;
- presenting and evaluating a physical game prototype ready for deployment in higher education and awareness training;
- paving the way towards automated attacker and defender strategy inference as well as threat simulation.
2 Related work
2.1 Threat modeling
2.2 Game theory and serious games
3 Attacker/defender model
3.1 Base model
3.1.1 Service layer
3.1.2 Information layer
3.1.3 Event layer
E(sequence, operation, argument) = (1, create-file, dropped.exe), followed by the event (2, start-process, dropped.exe), which results in an IDS anomaly A with a specific value denoting its deviation from a set baseline: (A(deviation, threshold) = (22.4, 10)). This occurrence would affect the confidentiality of knowledge that is associated to the modeled service of e.g. browser.exe, thereby changing the confidentiality status of the service to ‘compromised’.
E = (1, change-configuration, htaccess) caused by the purposeful alteration of a web server’s security settings would affect the configuration on an integrity level, changing the service’s integrity status to ‘compromised’ and altering the information controlling the service in the process.
3.2 Game model
3.2.1 Actions
3.2.2 Actors
ThreatActorType vocabulary schema of the STIX threat information language [1]. Each actor is described as a unique class with their own motivation, primary attributes that represent an actor’s skill, motivation, and financial resources, as well as operational resources such as time and knowledge about the opponent.
Motivation vocabulary and encompass various ideological goals. The actor creation routine of PenQuest provides percentages defining likely actor/goal combinations (see Sect. 4).
3.2.3 Equipment
3.2.4 Meta information
3.3 Rule model
3.3.1 Game principles
- Non-cooperative nonzero-sum game: Opposition between players is an integral part of the design: Player 1 (attacker) always combats Player 2 (defender) and tries to achieve adverse goals by stealing information, manipulating the integrity of data or systems, or by shutting them down entirely. Even though actions are not typically assigned points that are symmetrically gained/lost (making it nonzero-sum), it can be argued that the mechanism of asset compromise is in fact a zero-sum game, where the defender loses points describing integrity and status, while the attacker gains a corresponding advantage. In other situations, win/loss is represented by an increase or decrease of attributes or action success and detection chance. These bonuses are one-sided, yet always shift the balance between the players away from equilibrium.
- Asymmetric strategy: The strategy sets of the two players are not identical – the attacker draws from a different pool of actions than the defender. This stems from the difference in goal and purpose: Attackers will attempt to penetrate a system using malware or by exploiting vulnerabilities, while a defender tries to counter these actions by implementing technical and organizational controls.
- Dynamic/extensive game with static elements [46]: While the game uses sequential moves characteristic for dynamic games, the second player typically remains unaware of the first player’s actions, making the model bear some resemblance to a strategic setting where players act simultaneously and in secret. At its core, PenQuest remains dynamic – emphasized by its multi-stage nature.
- Imperfect, incomplete information: As stated above, Player 1 does not necessarily know the moves previously made by the attacker, and vice versa. It is in fact vital to players’ success that performed actions remain secret, thereby potentially causing the other party to make imperfect decisions. At the same time, the general set of strategies is known to both sides. The exact payoff in a certain situation, however, is not, due to the lack of information about past activity and their impact on success and detection chances (incomplete information).
- Bayesian formulation of static elements: In PenQuest, players have incomplete information on the other players, especially when it comes to actions and strategies, which are derived from the attacker’s type and ultimate objective. There is, however, a fixed probability that players, being one of n available classes, need to conduct/defend against one of three kinds of attacks on a finite set of assets in order to win the game.
- Finite & discrete: While some action combinations are continuous in nature, the general action/reaction game follows a discontinuous sequence. The number of game turns is limited by an exhaustible resource – Initiative (i.e. time efficiency).
- A is a set of strategies of Player 1 (attacker),
- D is a set of Player 2 (defender) strategies, and
- L is, for select game principles (see below), a real-valued function on \(A \times D\). Therefore, L(a, d) is a real number for every \(a \in A\) and \(d \in D\).
3.3.2 Core mechanics
4 Game rules
4.1 Actor creation
4.1.1 Class and motivation
ThreatActorType vocabulary schema of STIX [1]. Third party eCrime actors such as money laundering services and malware developers are not modeled, since we want to focus on active factions that are likely to directly target the assets of a victim. The available classes (STIX name) are:
Motivation | TH | EX | RO | RA | CR | OP | IN | PR |
---|---|---|---|---|---|---|---|---|
Ideological | 0–10 | 0–25 | 0–16 | 0–10 | 0–40 | 0–10 | 0–15 | 0–30 |
Ego | 11–29 | 24–45 | 17–32 | 11–20 | 41–50 | 11–15 | 16–35 | 31–50 |
Financial | 30–65 | 46–55 | 33–49 | 21–50 | 51–55 | 16–40 | 36–55 | 51–70 |
Military | 66–70 | 56–60 | 50–66 | 51–65 | 56–60 | 41–65 | 56–60 | 71–75 |
Opportunistic | 71–90 | 61–80 | 67–83 | 66–80 | 61–70 | 66–75 | 61–90 | 76–90 |
Political | 91–100 | 81–100 | 84–100 | 81–100 | 71–100 | 76–100 | 91–100 | 91–100 |
Motivation vocabulary that is part of STIX as well as the Motivation class of our attacker/defender model. Possible motivations \(\langle AttackActor \langle Motivation \rangle \rangle \) are:
- Ideological (id): The actor acts out of their ideological belief in a cause, such as anti-corruption, anti-establishment, environmental, ethnic/nationalist, information freedom, religious, security awareness, or human rights.
- Ego (eg): The attacker wants to prove a point to others or herself.
- Financial or Economic (fi): The attack is motivated by financial goals.
- Military (mi): The actor wants to achieve a military victory or gain a strategic/tactical advantage.
- Opportunistic (op): The attacker seizes an unexpected opportunity to strike against a target.
- Political (po): The adversary acts out of political motivation.
Victim Targeting by Sector, which leverages the external CIQ (Customer Information Quality) standard published by OASIS. However, there is no exhaustive Industry Type list provided by STIX. We therefore compiled our own list of target actor types:
4.1.2 Attributes
TH | EX | RO | RA | CR | OP | IN | PR | CP | CM | CS | IF | MI | SA | ED | PI | |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
SO | \(+\)1 | \(+\)1 | −1 | \(+\)1 | \(+\)1 | \(+\)1 | ||||||||||
DE | \(+\)1 | \(+\)2 | \(+\)1 | \(+\)1 | −1 | \(+\)1 | \(+\)1 | |||||||||
WE | \(+\)1 | −1 | −2 | \(+\)1 | −1 | \(+\)1 | \(+\)1 | \(+\)2 | \(+\)1 | −1 | −2 | |||||
INI | −1 | \(+\)1 | \(+\)1 | −1 | \(+\)1 | −1 | −1 | \(+\)1 | \(+\)2 | |||||||
INS | \(+\)1 | \(+\)1 | \(+\)2 | −1 | −1 | \(+\)2 |
ThreatActorSophistication. We have opted to use the following levels of Sophistication: Aspirants (1) show little to no technical capabilities and are usually accidental perpetrators (attacker) or common users (defender). Novices (2) have basic computer skills. Practitioners (3) are versed in using automated tools. Defending practitioners have a workable knowledge of the best practices and utilize pre-configured security solutions. Experts (4) have in-depth knowledge about system internals and operational security. Innovators (5) are masters of their field and create their own tailored tools and solutions.
4.1.3 Resource pools
4.2 Equipment
4.2.1 Disablers
- Prevention solutions (Pre) – increase the difficulty of successfully attacking an asset by assigning a penalty to the action’s success chance (decSC). See Sect. 4.5 for more information on action success.
- Detection measures (Det) – boost the defender’s ability to identify hostile actions by directly increasing the defender’s detection chance (incDC).
- Delay solutions (Del) – increase the amount of time and effort required by the attacker to perform the hostile action. In game terms, delay systems increase the Initiative cost of the respective attack (incINI).
- Recovery solutions (Rec) – decrease the impact of hostile attacks after the fact. Specifically, recovery solutions can reduce the level of compromise of C, I, or A attacks (decIMP.*).
- Countermeasures (Cnt) – describe generic technical solutions that improve the defender’s ability to counter hostile attacks. Countermeasures provide a flat boost to the defending actor’s Sophistication attribute in specific scenarios (incSO.*).
\(\langle Type \rangle \) | \(\langle Name \rangle \) | \(\langle Effect \rangle \) | \(\langle EV \rangle \) | \(\langle ET \rangle \) | Cost |
---|---|---|---|---|---|
Pre | Host-based IPS I | decSC | 5 | H (all) | 1 |
Pre | Network-based IPS II | decSC | 10 | N (all) | 2 |
Pre | Content-based IPS I | decSC(D.D) | 15 | H (all) | 0.5 |
Pre | Rate-based IPS II | decSC(A.A) | 30 | N (all) | 1 |
Pre | Web application firewall I | decSC(R.S,D.I) | 15 | Web | 0.5 |
Det | Host-based IDS II | incDC | 10 | H (all) | 2 |
Det | Network behavior analysis system I | incINS | 1 | N | 0.5 |
Det | Log analysis system II | incDC | 10 | H | 1 |
Del | Sandbox I | incINI | 1 | H | 0.5 |
Rec | Failover network II | decIMP(A) | 2 | N | 2 |
Cnt | Stateful firewall I | incSO | 1 | all | 2 |
\(\langle Type \rangle \) | \(\langle Name \rangle \) | \(\langle Effect \rangle \) | \(\langle EV \rangle \) | \(\langle ET \rangle \) | SO | Cost |
---|---|---|---|---|---|---|
MPT | Host exploit kit I | incSC | 5 | H (all) | 1 | 1 |
MPT | Pentesting software II | incSO | 2 | all | 2 | 4 |
Sca | Mobile OS scanner I | decDC | 5 | M (all) | - | 0.5 |
Sca | ICS analysis tool II | decDC | 10 | I (all) | - | 1 |
VSc | Cloud vuln. scanner I | reduces VUL.cpx | low | T (all) | - | 1 |
NSc | Network mapper | incINS | 1 | N (all) | - | 1 |
Pwd | Password cracker II | incSC(D.I) | 10 | H,N,I,M,T | - | 1 |
Mal | Rootkit I | decDC | 5 | H,N,I,M,T | 1 | 0.5 |
Mal | Ransomware II | incCR | 4 | H | 2 | 1 |
Mal | Spambot I | decINI(D.D) | 1 | H | 1 | 0.5 |
- Access control (AC-1): Combines access control systems, policies, and session control mechanisms.
- Awareness & training (AT-1): Increases defender Sophistication by implementing organization-wide awareness and training measures.
- Audit & accountability (AU-1): Relates to audit-based non-repudiation measures.
- Security assessment & authorization (CA-1): Evaluation of controls and their adherence to e.g. external standards.
- Configuration management (CM-1): Encompasses establishing and maintaining performance and functionality of systems throughout their life cycle.
- Contingency planning (CP-1): Describes contingency plans such as fail-overs to alternate storage or processing sites.
- Identification & authentication (IA-1): Manages session control and (cryptographic) identification and authentication measures.
- Incident response (IR-1): Encompasses procedures, handling, monitoring, and reporting of incidents as well as their follow-up response.
- Maintenance (MA-1): General maintenance of systems, such as update policies and downtime schedules, are part of this policy.
- Media protection (MP-1): Subsumes access, designation, storage, transportation, sanitization, use, and downgrading of physical media containing relevant data.
- Physical & environmental protection (PE-1): Physical access control and environmental protection enforcement.
- Planning (PL-1): Meta-policy for the design of information security architecture, secure operation, and central management.
- Personnel security (PS-1): Manages personnel screening, transfer, tracking, and termination.
- Risk assessment (RA-1): Policy for the risk assessment and vulnerability scanning process.
- System & services acquisition (SA-1): Revolves around the system development life cycle, the allocation of resources, as well as the procurement of (third-party) systems and services.
- System & communications protection (SC-1): Manages defense measures related to DDoS protection, shared network resources, crypto policies, VoIP, wireless link protection, I/O device access and usage restrictions as well as numerous other factors contributing to secure (inter-)system communication.
- System & information integrity (SI-1): Includes countermeasures to malware, system monitoring, alerts, function validations, error handling, and other, primarily remediation-centered information protection activities.
4.2.2 Enablers
- Multi purpose tool (MPT): These hacking tool-sets allow the attacker to automatically probe and exploit known vulnerabilities without purchasing a specific attack. If the attacking actor operates such a tool, they can decide to use the tool’s Sophistication attribute for related actions instead of their own. The specific capabilities (actions that can be automated) differ from tool to tool and range from an increase in success chance (incSC) to an increase in Insight (incINS) or Sophistication (incSO).
- System scanner (Sca): Specific to each class of equipment (see Table 4), these tools increase the knowledge about a system (incINS) or aid via a reduction of the detection chance (decDC), thereby enabling more complex attacks. There are scanners for every type of asset that need to be coded or procured individually for each \(\langle EffectTarget \rangle \) category.
- Vulnerability scanner (VSc): Vulnerability scanners determine the existence of weaknesses in host-based systems. In game terms, they reduce the complexity requirements of vulnerability-based attacks performed by the attacker. See Sect. 4.2.3 for more information on vulnerabilities and exploits.
- Network scanners (NSc): Tools in this category (packet sniffers, port scanners) intercept network traffic and thereby grant insight into the network environment and its connected systems (incINS). They additionally expose security solutions installed within the network context.
- Password cracker (Pwd): Primarily used to bypass account security, password crackers either brute-force passwords or attempt to login using a prepared list of likely secrets. Using them increases the success chance (incSC.D.I) of Intrusion type (D.I) attacks. See Sect. 4.5.1 for more information about attack phases.
- Malware (Mal): Malware summarizes all software that mirrors the harmful intent of an attacker in an automated fashion. In PenQuest, malware is ‘attached’ to a successful Delivery action (D.*). We differentiate Rootkits (decrease detection chance of a subsequent attack, decDC), Backdoors (increase chance of success and decrease detection risk (incSC, decDC)), Ransomware (generate credits (incCR)), Trojans (similar to multi purpose tools and some scanners), as well as Botnet Zombies (reduce Initiative costs for certain kill chain phases (decINI.req)). Like some multi purpose tools, malware has its own Sophistication level for determining its success. With the exception of backdoors, all malware can only be used once and expires after it has been triggered.
4.2.3 Exploits and fixes
Attack Complexity cpx (high or low) determines the actor Sophistication requirements, Privileges Required prv (true or false) additionally decides the need for pre-existing user privileges, User Interaction usr (none or required) defines whether the vulnerability can exist stand-alone without an accompanying action, and CIA Impact \(imp.*\) represents bonuses (high (+2), low (+1), or none (+0) for each triad factor) that determine the modifier to the accompanying attack’s effect. Each vulnerability is additionally rated in accordance with its Exploit Code Maturity mat, which determines a one-time Sophistication SO bonus and monetary cost of the exploit. Vulnerabilities without user interaction are assigned an SO value of their own, as hinted at by the Temporal Metric Group of CVSS. This directly affects the success chance of exploiting the respective vulnerability. In short, vulnerabilities also come with a Sophistication attribute or modifier that is derived from their CVSS score, which is linked in turn to the CAPEC attack pattern via their entry in the Common Weakness Enumeration (CWE) database [34]. See Sect. 5 for more information about model mappings.
Remediation metric of CVSS: Official Fix, Temporary Fix, and Workaround. Official fixes (high SO, restore integrity from ‘compromised’ to ‘nominal’ (3 increments, incINT)) and workarounds (low SO, restore from ‘compromised’ to ‘affected’ or ‘highly affected’ to ‘nominal’ (1 increment)) are effective indefinitely but are not able to counter zero-day exploits. Temporary fixes (medium SO, restore by 2 increments) are only effective for one game turn and might come with side effects. Workarounds generally come with a lower chance of success, conditional on their Sophistication. See Sect. 4.3.1 for more information about compromise levels.
4.3 Assets and topology
CP | CM | CS | IF | MI | SA | ED | PI | |
---|---|---|---|---|---|---|---|---|
Application server (App*) | \(\checkmark \) | o | \(\checkmark \) | o | o | \(\checkmark \) | \(\checkmark \) | ❈ |
Database server (DB*) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | |
Network segment (Net) | o | o | o | o | o | o | o | o |
Web server (Web) | ❈ | \(\checkmark \) | o | \(\checkmark \) | o | \(\checkmark \) | ||
Communication system (Com) | o | o | o | o | o | o | o | o |
Communication system (Com*) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | ||
Industrial control system (ICS*) | \(\checkmark \) | \(\checkmark \) | \(\checkmark \) | ❈ | ||||
Industrial safety system (ISS*) | ❈ | ❈ | \(\checkmark \) | ❈ | ||||
Mobile system (Mob) | \(\checkmark \) | ❈ | \(\checkmark \) | \(\checkmark \) | ❈ | o | ||
Third party service (3Pa) | \(\checkmark \) | ❈ | \(\checkmark \) | \(\checkmark \) | ||||
Workstation (WS*) | o | o | o | o | o | o | o | o |
SystemType vocabulary of STIX’ VictimTargetingType TTP schema to model individual assets (denoted in brackets):
- Application server (App, internal, H) (Enterprise Systems–Application Layer): Generic server running an organization-relevant application.
- Database server (DB, internal, H) (Enterprise Systems–Database Layer): Generic data and/or configuration store.
- Network (Net, internal and exposed, N) (Enterprise Systems–Network Systems, Enterprise Systems–Networking Devices): Underlying network connecting all other assets. We differentiate an exposed demilitarized zone (DMZ), a local area network (LAN), and an industrial network (subsumed under the term ‘SCADA’). A dedicated internal network is optional for the PI defender class.
- Web server (Web, exposed, H) (Enterprise Systems–Web Layer): Server hosting the public web presence of an organization or individual.
- Communication system (Com, internal and exposed, H) (Enterprise Systems–VoIP, Enterprise Systems–Web Layer): Communications infrastructure including, but not limited to, telephony, e-mail, and instant messaging.
- Industrial control system (ICS, internal, I) (Equipment Under Control, Operations Management, Supervisory Control): System controlling industrial equipment such as manufacturing plants.
- Industrial safety system (ISS, internal, I) (Industrial Control Systems–Safety, Protection and Local Control): Safety systems for prevention and mitigation of disadvantageous scenarios affecting human health.
- Mobile system (Mob, exposed, M) (Mobile Operating Systems, Near Field Communications, Mobile Devices): Mobile devices and (individual) short-range communications tools.
- Third-Party service (3Pa, exposed, T) (Application Stores, Cloud Services, Security Vendors, Social Media, Software Update): Services such as cloud storage, outsourced web services, and supplier systems.
- User workstation (WS, exposed for actor PI, otherwise internal, H) (Application And Software, Workstation, Removable Media): Physical or virtual machine operated by the end-user.
4.3.1 Asset compromise
- Confidentiality attacks with a rating of ‘high’ (3) increase the attacker’s Insight pool (incINS), but have no further effect on system integrity or status. The effect is cumulative over time: Three successful ‘low’-rated (1) attacks or one ‘medium’ (2) plus one ‘low’-rated attack accumulate to the same effect. A successful ‘high’ (3) level confidentiality attack is necessary to win a game with a data theft (confidentiality) scenario.
- Integrity attacks of ‘low’ (1) and ‘medium’ (2) rating set the targeted service’s integrity (decINT) to ‘affected’ or ‘highly affected’, respectively. An attack rated ‘high’ (3) will change integrity to ‘compromised’, which is required to progress along the attack vector and to win sabotage scenarios. The effect is again cumulative.
- Availability attacks target the victim’s status (\(\langle Victim \langle Status \rangle \rangle \)): One or several successful attacks (again dependent on the rating) set the target’s status to ‘stopped’ (\(\langle Enabler \langle Effect \rangle \rangle \) = decSTA), representing a system that is no longer operational.
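The cumulative compromise rules above, together with the fix types from Sect. 4.2.3, written out as a small state tracker. This is an added example, not code from the PenQuest authors; the class and method names, the ‘operational’ status label, the shared threshold of 3 for availability, and the lapse of a temporary fix at the end of the turn are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass

# Rating values and integrity levels as named in Sect. 4.3.1.
RATING = {"low": 1, "medium": 2, "high": 3}
INTEGRITY = ["nominal", "affected", "highly affected", "compromised"]
# Integrity increments restored per fix type (Sect. 4.2.3).
FIX_INCREMENTS = {"official": 3, "temporary": 2, "workaround": 1}
MAX_LEVEL = 3


@dataclass
class Asset:
    name: str
    conf: int = 0           # accumulated confidentiality compromise, 0..3
    integ: int = 0          # index into INTEGRITY
    avail: int = 0          # accumulated availability compromise, 0..3
    temp_restored: int = 0  # increments currently masked by a temporary fix

    @property
    def integrity(self) -> str:
        return INTEGRITY[self.integ]

    @property
    def status(self) -> str:
        # Assumption: 'stopped' is reached at the same cumulative level (3).
        return "stopped" if self.avail >= MAX_LEVEL else "operational"

    def attack(self, impact: str, rating: str) -> list[str]:
        """Apply one successful C, I or A attack and return triggered effects."""
        points = RATING[rating]
        effects = []
        if impact == "C":
            before = self.conf
            self.conf = min(MAX_LEVEL, self.conf + points)
            # Insight is granted once the accumulated rating reaches 'high'.
            if before < MAX_LEVEL and self.conf == MAX_LEVEL:
                effects.append("incINS")
        elif impact == "I":
            if self.integ < MAX_LEVEL:
                self.integ = min(MAX_LEVEL, self.integ + points)
                effects.append("decINT")
        elif impact == "A":
            before = self.avail
            self.avail = min(MAX_LEVEL, self.avail + points)
            if before < MAX_LEVEL and self.avail == MAX_LEVEL:
                effects.append("decSTA")
        else:
            raise ValueError(f"unknown impact {impact!r}")
        return effects

    def apply_fix(self, kind: str, zero_day: bool = False) -> int:
        """Restore integrity; return the number of increments restored."""
        if zero_day and kind in ("official", "workaround"):
            return 0  # these two fix types cannot counter zero-day exploits
        restored = min(self.integ, FIX_INCREMENTS[kind])
        self.integ -= restored
        if kind == "temporary":
            self.temp_restored += restored
        return restored

    def end_turn(self) -> None:
        """Assumption: a temporary fix lapses and the masked damage returns."""
        self.integ = min(MAX_LEVEL, self.integ + self.temp_restored)
        self.temp_restored = 0


if __name__ == "__main__":
    web = Asset("Web")
    web.attack("I", "low")
    web.attack("I", "medium")
    print(web.integrity)              # cumulative low + medium
    web.apply_fix("temporary")
    print(web.integrity)              # masked for the current turn
    web.end_turn()
    print(web.integrity)              # temporary fix has lapsed
```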
4.3.2 Attack vector
4.3.3 Asset dependency
4.3.4 Victim selection
4.4 Game phases
4.5 Actions
4.5.1 Action categories
- Reconnaissance (R.*): Research into the target and scanning of related assets for information. Subcategories include Research (R.R) using public search engines, Identification (R.I) of systems through e.g. fingerprinting, and Scan (R.S), where a victim system is actively scanned for weaknesses and topological properties. Successful reconnaissance enables the procurement of vulnerabilities.
- Weaponization (W.*): Preparing exploits and weaponizing code. Weaponization mostly takes place at the attacker’s premises and is therefore nigh impossible to detect. Its subcategories are Preparation (W.P), which includes exploit searches and targeted research, the Coding (W.C) of exploits and tools, as well as Embedding (W.E) the prepared or purchased malware in websites, mail messages, or other, ostensibly harmless media.
- Delivery (D.*): Delivery actions describe the process of gaining access to or smuggling payload into the victim’s perimeter. Specifically, we differentiate Deception (D.D) attacks that use logical or physical social engineering to fool the victim, and straightforward Intrusion (D.I): Here, the attacker actively tries to penetrate the target’s system using technical means.
- Exploitation (E.*): In this stage, a payload or attack code is actively executed on the system. During Initialization (E.I), malware or an exploit is prepared for launch by abusing a system weakness. Launch (E.L) describes worker processes, threads, services, or modules that are being started, marking the point in time where malicious code commences operation. The Evasion (E.E) subcategory encompasses techniques that hinder or prevent the analysis of an ongoing attack.
- Installation (I.*): This stage covers Propagation (I.Pr), which is all about spreading malware infections and the vertical traversal towards the target. Persistence (I.Pe) attacks, on the other hand, attempt to establish a permanent foothold in a system.
- Command and Control (C.*): The C2 channel of an APT is responsible for communication between the victim and the malicious controller. This stage consists of the Download (C.Do) category, which includes patching and update mechanisms that alter or expand the original function of malware or exploits, the Directive (C.Di) category, which subsumes commands sent via the C2 channel that potentially alter an attack’s original purpose, and the Exfiltration (C.E) aspect, which includes smuggling out of e.g. previously stolen information.
- Actions on Objective (A.*): These actions encompass the actual victim attack task performed after going through some or all of the above kill chain stages. They again correspond to the CIA triangle of information security, which is also referred to as C, I, and A impact. Every attack action with a suitable CIA impact other than ‘none’ can be used as \(A.*\) action.
4.5.2 Attack actions
Mechanisms of Attack described in the CAPEC classification. These mechanisms encompass several levels of hierarchy and a description of possible countermeasures – subsequently translated to the defender’s arsenal via the NIST Security and Privacy controls (SP 800-53) standard ([17], see Sect. 4.5.3 below). In our game model, this mapping links the APT stages with their base detection and success chances to an existing database of usable attacks as well as numerous possible countermeasures. All actions, with their classification into confidentiality, integrity, and availability attacks, are linked directly to the individual mechanisms of attack through the CIA Impact Rating provided by the CAPEC standard. Similarly, the mapping between TAON’s APT kill chain subcategories and our primary classes of attack is done partly via CAPEC’s Purpose information: Attack patterns are separated into reconnaissance, penetration, and exploitation categories, which directly map to the kill chain’s Reconnaissance, Delivery–Intrusion, and Exploitation stages. The remainder of links (also see Fig. 8) is assigned manually.
- Information Gathering (IG) [Reconnaissance–Identification, Scan] (Analysis): These attacks include interception, finger- and footprinting and various reverse engineering and buffer manipulation tasks aiming at generating a better understanding of a target system.
- Injection (IN) [Exploitation–Initialization, Launch]: Injections control or disrupt the behavior of a target or enable the installation and execution of malicious code.
- Social Engineering (SE) [Delivery–Deception]: These actions increase the trust in the malicious entity by spoofing legit content or identities through social engineering.
- State Attack (SA) [Exploitation–Initialization, Launch] (Time and State): State attacks try to illegally change the state or timing of an application to gain access to otherwise protected resources.
- Function Abuse (FA) [Exploitation–Initialization] (API Abuse): The abuse of existing API and protocol functionality typically aims at information exposure, vandalism, degrading or denial of service, or the execution of arbitrary code on the target.
- Brute Force (BF) [Delivery–Intrusion, Installation–Propagation, Persistence]: These techniques explore and overcome security measures of the target by e.g. brute-forcing passwords.
- Illegal Access (IA) [Delivery–Intrusion, Installation–Propagation] (Subvert Access Control, Spoofing): In this large class of attacks the adversary attempts to bypass access control mechanisms to gain control over a system or data store.
- Data Manipulation (DM) [Delivery–Intrusion, Exploitation–All] (Modification of Resources, Protocol Manipulation): Attack actions of this category exploit the characteristics of data structures to gain illegal access or to interfere with the secure operation of a system. They may also alter the system’s integrity by manipulating software, files, or otherwise interfere with the operation of an infrastructure.
- Preparation (PR) [Weaponization–All]: These attacks describe actions performed on the premises of the attacker to prepare attack tools, research information about the chosen target, and other preparatory tasks invisible to the defender. In the game, weaponization is typically used to generate Insight or reduce the costs of equipment by spending time on e.g. malware coding.
- Communication (CO) [Command and Control–All]: C2 traffic is generated whenever a piece of resident malware receives new commands from its malicious operator. PenQuest uses C2 actions to e.g. allow the attacker to change a previously triggered attack action with a reduced risk of detection. See APT kill chain above for more details.
Attacker Knowledge Required information as identified in CAPEC. The attacker can reduce this prerequisite by employing exploits (see Sect. 4.2.3).
4.5.3 Defense actions
- Organization level: Controls that target the organization level apply to all assets and security solutions currently in play. The NIST standard [17] contains 167 organization-level controls, including policies. To losslessly reduce this amount to a more manageable number, we categorize them into primary controls and defense actions, both of which can be found below. Organization level controls are designed to cost an increased amount of Initiative (time) to implement.
- Information system level: If a control specifically relates to an information system, it can only be applied to one system of the defender’s choice once an attack on that system has been spotted (successful detection). There are 57 information system controls in NIST SP 800-53. In the game’s context, we support three modes for information system controls derived from the NIST standard:
  1. Abstracted controls: With a focus on accessibility, this mode of PenQuest implements an information system version of each of the below primary (organization level) controls. For example, the Account Management (ACM) primary control can simply be used as organization-wide or information system variant.
  2. Related controls: For increased modeling accuracy, we can utilize NIST’s Related Controls associated to below primary categories as system-level equivalent. See the Account management (ACM) primary control for an exemplary list.
  3. Control enhancements: Players can also opt to use NIST Control Enhancements for each of the primary controls as information system-level defense measure, provided the primary control is not already an information system control (marked by an asterisk). This mode can be adapted to have control enhancements serve as sole defender action set, omitting organization level controls (except policies) entirely. PenQuest was implemented and tested using this mode.
- Information Leakage Protection (IL) (counters IG): This primary control prevents information leakage through diligent configuration and data protection. It is associated with NIST’s Configuration Settings (COS), Boundary Protection (BOP), and Cryptographic Protection (CRP) defense actions (see below).
- Context Protection (CP) (counters IN): As control against injection attacks, this category protects from undesired functionality that lets the attacker break out of the current system, communications channel, or application. Associations: Security Engineering Principles (SEP), Malicious Code Protection (MCP), and Information System Monitoring (ISM).
- Awareness (AW) (counters SE): This group of controls helps the defending organization to raise awareness for social engineering attacks of any kind, including spear phishing and physical intrusion attempts. Association: Role-based Security Training RST.
- State Protection (SP) (counters SA): Protecting the state of an information system is a vital task spanning several groups of actions, ranging from backup systems to integrity protection measures and status monitoring. It is associated with Configuration Change Control CCC, Configuration Settings COS, Contingency Plan COP, Incident Handling INH, Nonlocal Maintenance NOM, and Information System Monitoring ISM actions.
- Function Integrity (FI) (counters FA): Similarly, function integrity controls make sure that the available functionality (API, commands) of an application is not in any way abused. NIST associations include: Configuration Change Control CCC, Security Engineering Principles SEP, Malicious Code Protection MCP, and Information System Monitoring ISM.
- Authentication Protection (AP) (counters BF): This control group is primarily concerned with managing authenticators such as passwords and tokens. Associated controls: Remote Access REA, Authenticator Management AUM.
- Access Control (AC) (counters IA): As a main countermeasure to a wide range of intrusion attacks, the access control family subsumes account management, enforcement strategies, and various access-related policies. Associated controls are: Account Management ACM, Access Enforcement ACE, Continuous Monitoring COM, Least Privilege LEP, and Remote Access REA.
- Data Integrity (DI) (counters DM): Maintaining the integrity of data is one of the main tasks of information security. In our gamified model, this primary control includes: Contingency Plan COP, Incident Handling INH, Cryptographic Protection CRP, Malicious Code Protection MCP, and Information System Monitoring ISM.
- Security Intelligence (SI) (counters PR): Preparation for an attack works both ways: Potential victims use intelligence techniques to stay up-to-date with threats and prepare their systems for any eventuality.
- Communications Security (CS) (counters CO): The flow of information between internal and external systems is a likely target for attack. In this group, we combine the following controls: Information Flow Enforcement IFE, Boundary Protection BOP, Continuous Monitoring COM, Cryptographic Protection CRP, and Information System Monitoring ISM.
Related Controls property. The (official NIST control ID) and information system controls (*) are separately identified. Multiple mappings specify that several countermeasure classes and their related controls are effective in the respective scenario. The defense action listed below exemplarily includes related information system controls and control enhancements, which are finer-grained countermeasures within its context. Please refer to Appendix C for a full list of control-to-action mappings.
5 Data mapping
5.1 Actions to events
\(\langle ID \rangle \)* | Name* | Methods* | \(\langle PatternClass \rangle \) | \(\langle Stage \rangle \) | Kn.* | Purp.* | C* | I* | A* |
---|---|---|---|---|---|---|---|---|---|
100 | Overflow Buffers | Analysis; Injection | IG; IN | R.I; R.S; E.I; E.L | 1–3 | Pen.; Expl. | 3 | 3 | 3 |
103 | Clickjacking | Spoofing; Social Eng. | IA; SE | D.I; I.P | 3 | Expl. | 3 | 3 | 1 |
104 | Cross Zone Scripting | Analysis; Injection | IG; IN | R.I; R.S; E.I; E.L | 2 | Expl. | 3 | 3 | 3 |
105 | HTTP Request Splitting | Proto. Man.; Analysis; Injection | DM; IG; IN | D.I, E.*; R.I; R.S | 2 | Expl. | 2 | 2 | 1 |
ID* | Name* | \(\langle Cat. \rangle \)* | \(\langle ControlClass \rangle \) | \(\langle ActionClass \rangle \) | Related controls* | Control enh.* |
---|---|---|---|---|---|---|
AC-2 | Account management | Org. | AC | ACM | AC-10, AU-9, IA-2, IA-8 | AC-2 (1)..(13) |
AC-3 | Access enforcement | Sys. | AC | ACE | AU-9 | AC-3 (1)..(10) |
AC-3 (3) | Mandatory access control | Sys. | AC | ACE | AC-25, SC-11 | n/a |
SI-3 | Malicious code protection | Org. | CP,SP, FI,DI | MCP | SC-26 | SI-3 (1)..(10) |
Start node (U) | End node (V) | Edge (E) |
---|---|---|
process-shell.exe | process-drop.exe | start (3) |
process-drop.exe | image-library.dll | load (1.5) |
process-drop.exe | registry-HKLM/Software/.../WindowsFirewall | open (0.25) |
process-drop.exe | registry-DWORD(EnableFirewall=0) | add (0.75) |
Purpose information of CAPEC is then used to establish the link to our abstracted primary attacks, which is discussed below.
5.2 Kill chain to attack patterns
Purpose classes and assigned attack patterns to kill chain categories. Figure 8 depicts the mapping.
5.3 Attack patterns to vulnerabilities
Related Weaknesses information provided by CAPEC to map each pattern to specific weaknesses represented by the Common Weakness Enumeration (CWE) list. CWE “provides a common language for describing security weaknesses in architecture, design, or code”.10 For example, CAPEC ID 1 (“Accessing Functionality Not Properly Constrained by ACLs”) is related to CWE ID 276, 285, 434, etc.
5.4 Primary controls to defense actions
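The chain from attack pattern to countering primary control to defense action can be walked with the rows shown in the list and tables above. This is an added example, not code from the paper or from PenQuest; the function names are assumptions, and the data is limited to what this page prints. The last function reports control table rows that pair an action with a control class the list does not name for it.

```python
import re

# Primary control -> (attack class it counters, associated NIST action classes),
# transcribed from the list above; SI names no associated actions on the page.
PRIMARY = {
    "IL": ("IG", "COS BOP CRP"), "CP": ("IN", "SEP MCP ISM"),
    "AW": ("SE", "RST"), "SP": ("SA", "CCC COS COP INH NOM ISM"),
    "FI": ("FA", "CCC SEP MCP ISM"), "AP": ("BF", "REA AUM"),
    "AC": ("IA", "ACM ACE COM LEP REA"), "DI": ("DM", "COP INH CRP MCP ISM"),
    "SI": ("PR", ""), "CS": ("CO", "IFE BOP COM CRP ISM"),
}
# CAPEC ID -> <PatternClass> cell, as printed in the attack pattern table.
PATTERNS = {100: "IG; IN", 103: "IA; SE", 104: "IG; IN", 105: "DM; IG; IN"}
# NIST control ID -> (<ControlClass> cell, <ActionClass>), from the control table.
NIST = {"AC-2": ("AC", "ACM"), "AC-3": ("AC", "ACE"),
        "AC-3 (3)": ("AC", "ACE"), "SI-3": ("CP,SP, FI,DI", "MCP")}


def cell(text):
    """Split a multi-valued table cell on ';', ',' or whitespace; drop blanks."""
    return [v for v in re.split(r"[;,\s]+", text) if v]


def defenses_for(capec_id):
    """Return (primary controls, action classes, NIST IDs) countering a pattern."""
    classes = cell(PATTERNS[capec_id])
    controls = [c for c, (atk, _) in PRIMARY.items() if atk in classes]
    actions = []
    for c in controls:
        actions += [a for a in cell(PRIMARY[c][1]) if a not in actions]
    nist = [n for n, (cc, act) in NIST.items()
            if act in actions and set(cell(cc)) & set(controls)]
    return controls, actions, nist


def unlisted_links():
    """Table rows tying an action to a control class the list does not name."""
    return [(n, c, act) for n, (cc, act) in NIST.items()
            for c in cell(cc) if act not in cell(PRIMARY[c][1])]


if __name__ == "__main__":
    for cid in PATTERNS:
        print(cid, defenses_for(cid))
    print("unlisted:", unlisted_links())
```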
6 Preliminary evaluation
6.1 Experimental setup
6.1.1 Prototype
6.1.2 Questionnaire
6.1.3 Expert interviews
6.1.4 IDS data
Qn | Int1 B | Int1 A | Int1 + | Int2 B | Int2 A | Int2 + | Pro1 B | Pro1 A | Pro1 + | Pro2 B | Pro2 A | Pro2 + | Pro3 B | Pro3 A | Pro3 + | Exp1 B | Exp1 A | Exp1 + | Exp2 B | Exp2 A | Exp2 + | Exp3 B | Exp3 A | Exp3 + | Exp4 B | Exp4 A | Exp4 + | Mean |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Q1 | 1 | 2 | 1 | 1 | 2 | 1 | 2 | 2 | 0 | 2 | 2 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 2 | 3 | 1 | 2 | 2 | 0 | 2 | 2 | 0 | 0.33 |
Q2 | 0 | 2 | 2 | 0 | 1 | 1 | 2 | 3 | 1 | 1 | 2 | 1 | 1 | 2 | 1 | 2 | 2 | 0 | 2 | 3 | 1 | 3 | 3 | 0 | 1 | 2 | 1 | 0.89 |
Q3 | 0 | 0 | 0 | 0 | 1 | 1 | 2 | 2 | 0 | 0 | 1 | 1 | 1 | 2 | 1 | 1 | 1 | 0 | 1 | 0 | -1 | 2 | 2 | 0 | 3 | 3 | 0 | 0.22 |
Q4 | 0 | 1 | 1 | 0 | 1 | 1 | 2 | 2 | 0 | 3 | 3 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 3 | 3 | 0 | 2 | 3 | 1 | 3 | 3 | 0 | 0.33 |
Q4 | 0 | 2 | 2 | 0 | 1 | 1 | 1 | 2 | 1 | 1 | 1 | 0 | 1 | 2 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 2 | 3 | 1 | 2 | 2 | 0 | 0.67 |
Q5 | 0 | 1 | 1 | 0 | 1 | 1 | 2 | 2 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 1 | 1 | 0 | 0 | 0 | 0 | 3 | 3 | 0 | 1 | 2 | 1 | 0.33 |
Q6 | 1 | 2 | 1 | 1 | 2 | 1 | 2 | 2 | 0 | 3 | 3 | 0 | 3 | 3 | 0 | 3 | 3 | 0 | 2 | 3 | 1 | 3 | 3 | 0 | 2 | 2 | 0 | 0.33 |
Q7 | 0 | 2 | 2 | 0 | 1 | 1 | 2 | 2 | 0 | 3 | 3 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 2 | 3 | 1 | 2 | 2 | 0 | 3 | 3 | 0 | 0.44 |
Q8 | 2 | 3 | 1 | 1 | 2 | 1 | 2 | 2 | 0 | 2 | 2 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 2 | 3 | 1 | 3 | 3 | 0 | 3 | 3 | 0 | 0.33 |
Q9 | 0 | 1 | 1 | 0 | 1 | 1 | 2 | 2 | 0 | 1 | 1 | 0 | 1 | 2 | 1 | 3 | 3 | 0 | 2 | 3 | 1 | 2 | 2 | 0 | 3 | 3 | 0 | 0.44 |
Q10 | 1 | 1 | 0 | 0 | 1 | 1 | 2 | 2 | 0 | 2 | 2 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 2 | 2 | 0 | 3 | 3 | 0 | 3 | 3 | 0 | 0.11 |
Sum | | | 12 | | | 11 | | | 2 | | | 2 | | | 4 | | | 0 | | | 5 | | | 2 | | | 2 | 4.44 |
6.2 Quantitative results
6.2.1 Test games
6.2.2 Strategy set distribution
6.3 Qualitative results
6.3.1 Game
6.3.2 Model
6.3.3 Data mapping
7 Discussion
7.1 Features
VictimTargetingType TTP schema – remains flexible as well. As long as attack vectors and dependencies are maintained, game masters/designers can add or remove assets as they see fit. In simulation scenarios it is actually encouraged to model the topology after the real-world system chosen for assessment instead of using PenQuest’s default structure. While the process of creating a custom topology is not currently formalized in the rule system, it will be added in the near future to minimize human error.
7.2 Limitations
Summary and Example Instances columns) can be parsed and assigned one of the equipment type categories used for assets (\(\langle EffectTarget \rangle \)).