Knowledge-based Decision Making for Simulating Cyber Attack Behaviors

Transcription

1 Knowledge-based Decision Making for Simulating Cyber Attack Behaviors Stephen Moskal Dr. Michael Kuhl, Dr. Shanchieh Jay Yang Rochester Institute of Technology Department of Computer Engineering Networking and Information Processing Lab (NetIP) 2/16/2017

2 The Significance of Cyber Security Problems Cybercrime and cyber-espionage cost the world over $400 billion in 2015 & projected to reach $2.1 trillion by Forbes.com In 2015, the average cost per company in the US due to cyber crime was $15M (19% increase from 2014). - Ponemon Institute In 2015, there were 54 reported zero day attacks, record setting 9 mega-breaches, and 3/4 of web sites have vulnerabilities. - Symantec Small Business Technology Survey Symantec Internet Security Threat Report

3 The Challenges Cyber attacks are diverse, fast-evolving, and can come from anywhere & anyone. Observables are large-volume, diverse, noisy, incomplete, and deceptive. Not enough scenarios for the community to build knowledge & solutions. 3

4 Cyber Attacks a dependent act of network & attacker 4 Cyber Attacker Learn information about the target network and found a attack vector Exploit this attack vector Use this access to learn about a larger security hole Exfiltrate information, affect operations, etc. Challenges: Dependent Network Configuration External facing services User account setup Internal services and policies Defense technologies and personnel (investment) Legacy systems, subcontracts, etc. Network needs to be modeled with sufficient detail to allow the modeling of attacker gaining knowledge for next actions. We are not likely to know all hackers decision processes. What fundamental factors can help simulate a variety of hacker behaviors?

5 Cyber attack simulation works in early days Cohen s Works - [Cohen1998] [Cohen1999] Pioneering work based on cause-effect model, with 37 threat profiles (behaviors), 94 attacks (physical and cyber), and 140 defense mechanisms. Simulation outputs include attack durations and outcomes. Some data can be found via SECUSIM - Hangkong University, Korea [Park2001] Goal of the simulator was to be able to specify attack mechanisms, verify defense mechanisms, and analyze the consequences. Mentions the use of an attacker model that can be chosen for the simulation. Multiple modes (Basic, Intermediate, Advanced, etc.) allowing users of different expertise to operate. Attack Simulator - St.-Petersburg Institute for Informatics and Automation, Russia [Kotenko2003] Multi-Agent-Based Simulator which generates results from an attackers perspective. Uses State Machine Diagrams to guide the simulation and generalized 5 high level attack steps.

6 Cyber simulators in more recent years CORE Insight TM - by CORE Security TM Network scanning to develop a network map of all devices. Runs a simulation to generate attack paths to a goal machine. The simulated attack paths are generated from a list of device vulnerabilities. Provides outputs describing each attack path, and 6 vulnerable assets within the network. NeSSi 2 - by DAI-Laboratory, Germany Open source packet level simulation (agent-based modeling) programmed in Java. Purpose is to provide a testbed for detection algorithms. Capable of simulating applications as well as static and dynamic routing protocols. Able to simulate DDoS attacks and worm propagation. Simulation outputs the times at which a packet was sent and received for every device.

7 Related Works (Attack Graphs) Attack Graphs - [Jajodia2010] CAPEC-Based Generator of Attack Scenarios - [Kotenko2015] 7

8 Related Works (Behavior Models) Game Theory - [Wang2010] & [Chung2016] Knowledge-based AI with CycSecure [Shepard2015] 8

9 CASCADES Cyber Attack Scenario and Network Defense Simulator 9

10 Cyber Attack Scenario and Network Defense Simulator (CASCADES) Efficiently generate variations of cyber attack sequences by modeling attacker s intent, opportunity, capability, and preference, as well as network system and defense configurations. 10

11 CASCADES an architectural view 11

12 CASCADES Methodology Overview 12

13 Attacker Behavioral Model Making of a Cyber Attacker Capabilities, Opportunity, Intent, Preferences Developing the attacker s knowledge Using the Knowledge (Opportunity) Fuzzy logic to decide attack stage leading to final goal/intent Attacker s Skill Set (Capabilities) Attacker s Preferences Choosing an Action 13

14 Developing The Knowledge-Base Define the base set of variables that most attackers use to perform an attack Case 1: Nmap (Network Map) Discovers hosts, performs operating system fingerprinting, port scans, and service scans Case 2: Metasploit Requires at a minimum: target IP(s), the target port, and a service to exploit with the correct OS installed The correct vulnerability must also be known Minimum knowledge needed for an attack: Source IP, Target IP, Port, and Service (with correct OS) 14

15 Intent Modeling Describes the goal(s) of the attacker Steal customer data, DoS 5 machines, etc. The intent is comprised of set of sub-goals within, which also may have sub-goals Modeled by a set of actions that if performed the intent is satisfied 15

16 Typical Cyber Attack Stages The Cyber Attack Kill Chain developed by Lockheed Martin describes the various steps an attacker must take to successfully complete an attack scenario. These 3 stages are defined as the Minimum Viable Kill Chain (MVKC) 16

17 Choosing a Kill Chain Stage (Opportunities) Each Kill Chain Stage has a particular set of attack actions that describes the sub-objective of the stage Recon Only actions that uncover/reveal information about the target Breach Compromising actions not pertaining to intent Exfiltration Actions that satisfy the intent Selection of a kill chain stage is based on the attacker s rules/intuition/experience and knowledge Develop statistics based off the knowledge for the attacker to make decisions on Machines known or scanned, time at which actions performed, machines with intent, uncompromised machines, etc. However the selection of stage is not always obvious to the attacker 17

18 Choosing A Kill Chain Stage (Con t) Each attacker has different criteria for when they select a recon action, breach action, or exfiltration action Some attackers may be unclear at the exact point of when to choose a stage Rule Based if then cases, does not allow for uncertainty Probablisitc Difficult to define, realism relies on how well developed the probablistic model is Fuzzy Determines membership by evaulating how well a set of variables satisfies a rule Fuzzy logic inherently deals with the uncertainty that attackers may have when deciding their next action 18

19 Examples: Fuzzy Logic to Determine Kill-Chain Stage Attacker with no knowledge: RECON Attacker has not scanned enough known machines: RECON Attacker recently service scanned machines : BREACH Attacker discovered target corresponding with intent: EXFILTRATION 19

20 Attacker s Capabilities Describes the types of skills the attacker employs tools, methods, vulnerabilities, etc. Describes the possible actions that an attacker can perform Finite set, does not develop over the course of a scenario An attacker can only perform an attack they are aware of It is assumed that if an action is defined in this model, the attacker is capable of performing it Reduces complexity and is clearer to understand the impact (as opposed to a skill level parameter for example) 20

21 Choosing An Attack Action Attackers choose a source, target, and action based off the normalized probabilities determined in the preferences. 21

22 CASCADES Simulation Setup & Results 22

23 CASCADES Sample Simulation Results Experiment Setup: Four different types of attackers will be examined: Amateur Limited capabilities with minimal intuition of direction Expert High skill with methodical direction and tailored preferences Comprehensive Exhaustively attack the network Random Randomly try actions Two different networks: baseline, and a misconfigured network Intent static for all simulations Compromise the backup server of the network 23

24 Attacker Description and Configuration Attacker Behavior Parameters: Attacker Preferences: 24

25 Network Topology Baseline Intent Machine Machines with access to intent Entry Point 25

26 Metrics and Setup For each experiment, 1000 independent simulations were conduced for each attacker To examine the behaviors, four metrics will be examined: Total number of actions the attacker took to achieve their goal Failure Rate Attack type frequency Exploited services frequency 26

27 Base Line Network Attack Steps Amature Expert Comprehensive Random Average Steps Minimum Maximum Failure Rate

28 Baseline Network Kill Chain Stages 28

29 Intent 29

30 Network Topology Misconfiguration 30

31 Misconfigured Network Attack Steps Amateur Expert Comprehensive Random Average Steps Minimum Maximum Failure Rate % change

32 Misconfigured Network Kill Chain Stages 32

33 % change on RedHat Amature Expert 384 Comprehensive 33.7 Random

34 CASCADES Conclusions and Future Work 34

35 Conclusions Defined a baseline of the basic knowledge needed for attackers to make decisions upon Decisions backed by information used by actual attackers The combination of a rule based kill chain logic and probabilistic attack selection enforces realistic attack scenarios while still giving variation between simulations Measures the effects of a wide variety of types of attackers along with being able to show the differences between configurations of networks 35

36 Future Work Knowledge Modeling What other more detailed information may an attacker use? Subnet awareness of the attacker Asset modeling data, important server, etc. Live Attack Prediction using Simulation Predict attacker s next steps with observables CASCADES Upgrades More attack types DoS, privilege escalation, local attacks, etc. Collaborative attackers Moving Target Defense 36

37 Thank you! 37