A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK

IF 4.8 2区计算机科学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Computers & Security Pub Date : 2024-10-10 DOI:10.1016/j.cose.2024.104144

Marco Zambianco , Claudio Facchinetti , Domenico Siracusa

{"title":"A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK","authors":"Marco Zambianco , Claudio Facchinetti , Domenico Siracusa","doi":"10.1016/j.cose.2024.104144","DOIUrl":null,"url":null,"abstract":"<div><div>Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language using MITRE ATT&CK© framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":null,"pages":null},"PeriodicalIF":4.8000,"publicationDate":"2024-10-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404824004498","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language using MITRE ATT&CK© framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.

查看原文本刊更多论文

使用 MITRE ATT&CK 的网络欺骗主动诱饵选择方案

网络欺骗可以弥补防御者对攻击者不断变化的战术、技术和程序（TTPs）的反应迟缓。这种主动防御策略采用与合法系统组件相似的诱饵，在防御者环境中引诱隐蔽的攻击者，减缓和/或阻止他们实现目标。在这方面，选择能暴露恶意用户所使用技术的诱饵对激励他们参与起着核心作用。然而，这在实践中是很难实现的，因为这需要对攻击者的能力及其可能的目标进行准确而现实的建模。在这项工作中，我们应对了这一挑战，并设计了一种诱饵选择方案，该方案由基于现实世界攻击者经验观察的对抗建模提供支持。我们利用 MITRE ATT&CK© 框架的特定领域威胁建模语言作为攻击者针对企业系统的 TTPs 的来源。具体来说，我们提取了每种技术的执行前提条件及其对环境可能产生的影响等信息，生成了模拟对手能力的攻击图。在此基础上，我们提出了一个图分割问题，该问题可最大限度地减少在针对特定目标的各种攻击路径中检测到相应数量技术的诱饵数量。我们将基于优化的诱饵选择方法与几种忽略不同攻击步骤之间先决条件的基准方案进行了比较。结果表明，所提出的方案使用最低数量的诱饵提供了最高的攻击路径拦截率。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Computers & Security 工程技术-计算机：信息系统

CiteScore

12.40

自引率

7.10%

发文量

365

审稿时长

10.7 months

期刊介绍： Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world. Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.