Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK

Marco Zambianco, Claudio Facchinetti, Domenico Siracusa

TL;DR

This work designs a optimization-based decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers and takes advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems.

Abstract

Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.

A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK

TL;DR

This work designs a optimization-based decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers and takes advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems.

Abstract

Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.
Paper Structure (17 sections, 8 equations, 10 figures, 4 tables)

This paper contains 17 sections, 8 equations, 10 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Related work
  3. Background
  4. MITRE ATT&CK framework overview
  5. EnterpriseLang overview
  6. System Model
  7. Threat Model
  8. Defender Model
  9. Problem formulation
  10. Optimal decoy selection
  11. Decoy selection solution overview
  12. Performance evaluation
  13. Simulation Setup
  14. Decoy selection performance analysis
  15. Optimal Solution Analysis
  16. ...and 2 more sections

Figures (10)

  • Figure 1: Visual representation of the proposed threat model. The attacker capabilities are expressed as a subset of ATT&CK techniques (red squares) of the MITRE ATT&CK Enterprise matrix, where techniques within the same column belong to the same tactic. The considered techniques are combined according to their execution preconditions using Connection and Type information encoded within enterpriseLang. Similarly, the attack path representation is further augmented with the technique outcomes and possible defense mitigations using Attack Step and Defense mitigations information, respectively.
  • Figure 2: Example of attack path when AND nodes are included. Purple arrows represent OR preconditions. Orange arrows represent AND preconditions. Red dashed arrows indicate the attack path from node $v_s$ to node $v_t$.
  • Figure 3: Example of decoy selection solutions when AND nodes and OR nodes are both considered (AND+OR solution, yellow nodes) and when OR nodes only are considered (OR solution, purple nodes).
  • Figure 4: Ratio of attack paths intercepted by the decoys.
  • Figure 5: Number of selected decoys.
  • ...and 5 more figures