1
Pattern Discovery in Intrusion Chains and Adversarial Movement
IEEE Cyber Science 2019 Conference
Nima Asadi (1), Aunshul Rege (2), Zoran Obradovic (1)
(1) Department of Computer and Information Sciences
(2) Department of Criminal Justice
2
Paradigm shift in cybersecurity
• Average cost of cybercrime (Accenture Security 2019)
• US: $27.4 million
• Current state of affairs (IBM & Ponemon Institute, 2018)
• Mean time to identify (MTTI): 197 days
• Mean time to contain (MTTC): 69 days
• Detection & recovery activities for organization: $4.43 million
• Reactive → Proactive
• Anticipatory/Predictive
EAGER Award # 1742747
3
Objectives
1. Provide a quantitative framework for temporal analysis of the cyberattack processes
• Employ data science methods on the proposed framework to analyze the cyberattack process
2. Propose a social network framework to capture the movement during cybercrime
(Dell, 2012)
4
Research setting, methods & analytical framework
• Two Collegiate Penetration Testing Competitions (CPTC)
• Regional (October 2017) & National (November 2017)
• Team 1 from the regional CPTC, 7 members
• Team 2 from the national CPTC, 6 members
• Six-hour competition each; a simulated environment
• Observed and interviewed before, during, and after the exercise
5
From observations to preliminary temporal analysis
6
From observations to preliminary temporal analysis
7
Objective 1: Time series generation
8
Objective 1 (ctd): Temporal assessment of adversarial movements
9
Objective 1 (ctd): Conclusions
• Similarities between the duration of focus of the two teams
• Intrusion stages 3 (build and acquire tools) and 4 (research target infrastructure/employees), as well as intrusion stages 10 (strengthen foothold) and 11 (exfiltrate data)
• Difference between the time allocation of two teams:
• Higher similarity among intrusion stage 9 with stages 10 and 11 for team 1, which is not observed in team 2
10
Objective 1 (ctd): Comparison of the two teams
11
Objective 2: Social network framework
• Maximum path length
• The maximum number of edges between two nodes in the graph
• Captures the linearity level of movement (existence of loops, etc.)
• Edge to node ratio
• Captures the frequency of shifts between various intrusion stages by the team member
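The two graph metrics above, applied to the kind of per-member stage time series that Objective 1 produces. This is an added illustration, not code from the paper or the CPTC study; the observation log is constructed, and "maximum path length" is taken here to mean the graph diameter (the longest shortest path between any two reachable nodes), which is one reading of the slide's definition.

```python
from collections import deque, defaultdict

# Constructed observation log: (minute into the exercise, team member, intrusion stage).
# Stage numbers follow the deck's chain, e.g. 3 = build tools, 4 = research target,
# 9 = pre-foothold stage, 10 = strengthen foothold, 11 = exfiltrate data.
OBSERVATIONS = [
    (5, "A", 3), (20, "A", 4), (35, "A", 3), (50, "A", 9),
    (70, "A", 10), (90, "A", 11), (110, "A", 9),          # A loops back twice
    (5, "B", 3), (25, "B", 4), (45, "B", 5), (60, "B", 6), (80, "B", 7),  # B is linear
]

def stage_sequence(observations, member):
    """Objective 1 step: the ordered time series of stages one member worked on."""
    return [stage for _, who, stage in sorted(observations) if who == member]

def movement_metrics(seq):
    """Objective 2 metrics for one member's movement graph.

    Nodes are the stages visited; every observed shift between two different
    stages is an edge (repeated shifts count again, so the edge-to-node ratio
    reflects how often the member moved, not just which moves exist).
    """
    shifts = [(a, b) for a, b in zip(seq, seq[1:]) if a != b]
    nodes = set(seq)
    succ = defaultdict(set)
    for a, b in shifts:
        succ[a].add(b)

    # Diameter: BFS from every node, take the largest hop count reached.
    diameter = 0
    for src in nodes:
        dist = {src: 0}
        queue = deque([src])
        while queue:
            u = queue.popleft()
            for v in succ[u]:
                if v not in dist:
                    dist[v] = dist[u] + 1
                    queue.append(v)
        diameter = max(diameter, max(dist.values()))

    return {
        "nodes": len(nodes),
        "edges": len(shifts),
        "edge_to_node_ratio": len(shifts) / len(nodes),
        "max_path_length": diameter,
    }

if __name__ == "__main__":
    for member in ("A", "B"):
        print(member, movement_metrics(stage_sequence(OBSERVATIONS, member)))
```

A ratio above 1 means a member made more shifts than there are distinct stages, i.e. revisited earlier stages, which is the non-linear movement the deck reports; B's ratio below 1 with a diameter of nodes minus one is the purely sequential case.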
12
Objective 2 (ctd): Social network analysis
13
Objective 2 (ctd): Conclusions
• Adversarial movements are not linear
• Team members shifted their focus back to intrusion chain stages they had performed previously, so the movement was not sequential (possible reasons: lack of progress, differing objectives among team members, or subjects being involved in multiple stages at once)
• Adversarial movements are not homogeneous
• Overall decision making of the adversarial team throughout the exercise was individual rather than based on a unified process
14
Methodological innovation
• Time-series analysis
• Social network analysis
• Methodology
• Convert qualitative observational data to quantitative time series and graph data
• Multidisciplinary methodologies
• Newer insights into adversarial movement & behavior?
15
Other multidisciplinary efforts
• Group dynamics / Social network analysis
Asadi, N., Rege, A. & Obradovic, Z. (2018). "An Assessment of Group Dynamics During Cyber Crime Through Temporal Network Topology". Proceedings of the 10th International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS).
• Prediction / Machine learning
Rege, A., Obradovic, Z., Asadi, N., Parker, E., Pandit, R., Masceri, N., Singer, B. (2018). "Predicting Adversarial Cyber Intrusion Stages Using Autoregressive Neural Networks". IEEE Intelligent Systems PP(99):1-1.
• Refine temporal metric & measurement
• Add more case studies
16
Pattern Discovery in Intrusion Chains and Adversarial Movement
Thank you. Comments/Questions?