
Page 1

Pattern Discovery in Intrusion Chains and Adversarial Movement

IEEE Cyber Science 2019 Conference

Nima Asadi [1], Aunshul Rege [2], Zoran Obradovic [1]

[1] Department of Computer and Information Sciences

[2] Department of Criminal Justice

Page 2

Paradigm shift in cybersecurity

• Average cost of cybercrime (Accenture Security 2019)

  • US: $27.4 million

• Current state of affairs (IBM & Ponemon Institute, 2018)

  • Mean time to identify (MTTI): 197 days

  • Mean time to contain (MTTC): 69 days

  • Detection & recovery activities per organization: $4.43 million

• Reactive → Proactive

  • Anticipatory/Predictive

EAGER Award # 1742747

Page 3

Objectives

1. Provide a quantitative framework for temporal analysis of the cyberattack process

  • Employ data science methods on the proposed framework to analyze the cyberattack process

2. Propose a social network framework to capture the movement during cybercrime

(Dell, 2012)

Page 4

Research setting, methods & analytical framework

• Two Collegiate Penetration Testing Competitions (CPTC)

• Regional (October 2017) & National (November 2017)

• Team 1 from the regional CPTC, 7 members

• Team 2 from the national CPTC, 6 members

• Six-hour competition each; a simulated environment

• Observed and interviewed before, during, and after the exercise

Page 5

From observations to preliminary temporal analysis

Page 6

From observations to preliminary temporal analysis

Page 7

Objective 1: Time series generation

Page 8

Objective 1 (ctd): Temporal assessment of adversarial movements

Page 9

Objective 1 (ctd): Conclusions

• Similarities between the duration of focus of the two teams:

  • Intrusion stages 3 (build and acquire tools) and 4 (research target infrastructure/employees), as well as intrusion stages 10 (strengthen foothold) and 11 (exfiltrate data)

• Difference between the time allocation of the two teams:

  • Higher similarity between intrusion stage 9 and stages 10 and 11 for team 1, which is not observed in team 2

Page 10

Objective 1 (ctd): Comparison of the two teams

Page 11

Objective 2: Social network framework

• Maximum path length

  • The maximum number of edges between two nodes in the graph

  • Captures the linearity level of movement (existence of loops, etc.)

• Edge-to-node ratio

  • Captures the frequency of shifts between intrusion stages by a team member
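The two graph metrics above, computed over a constructed observation sequence (this is an added illustration, not the authors' code or data): nodes are the intrusion-chain stages a member was observed in, a directed edge is a distinct shift from one stage to the next, and "maximum path length" is taken here to mean the longest simple directed path in edges, which is my reading of the slide's definition. A purely sequential member scores a long path and a ratio below 1; a member who loops back to earlier stages scores a shorter path and a ratio above 1.

```python
from collections import defaultdict

# Constructed sample sequences (not observed data): the intrusion-chain stage a
# team member was working in at successive observation points. Stage numbers
# follow the deck (e.g. 3 = build/acquire tools, 4 = research target).
MEMBER_A = [3, 4, 5, 6, 7, 8]          # strictly sequential movement
MEMBER_B = [3, 4, 3, 5, 4, 6, 5, 6]    # revisits earlier stages (loops)


def movement_graph(stages):
    """Nodes = distinct stages; edges = distinct directed shifts between stages."""
    nodes = set(stages)
    edges = set()
    for cur, nxt in zip(stages, stages[1:]):
        if cur != nxt:                  # remaining in a stage is not a shift
            edges.add((cur, nxt))
    return nodes, edges


def edge_to_node_ratio(stages):
    """|E| / |V|: how many distinct shifts a member made per stage touched."""
    nodes, edges = movement_graph(stages)
    return len(edges) / len(nodes)


def max_path_length(stages):
    """Longest simple directed path, in edges (assumed reading of the metric).
    A plain DFS is fine here because the stage graph has at most ~12 nodes."""
    nodes, edges = movement_graph(stages)
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)

    def longest_from(node, visited):
        best = 0
        for dst in adj[node]:
            if dst not in visited:
                best = max(best, 1 + longest_from(dst, visited | {dst}))
        return best

    return max(longest_from(n, {n}) for n in nodes)


def linearity_report(stages):
    """Both metrics side by side, plus the ratio a fully linear chain over the
    same stages would have ((n-1)/n), so the loop-induced excess is visible."""
    nodes, _ = movement_graph(stages)
    return {"max_path_length": max_path_length(stages),
            "edge_to_node_ratio": edge_to_node_ratio(stages),
            "linear_baseline_ratio": (len(nodes) - 1) / len(nodes)}


if __name__ == "__main__":
    for name, seq in (("A", MEMBER_A), ("B", MEMBER_B)):
        print(name, linearity_report(seq))
```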

Page 12

Objective 2 (ctd): Social network analysis

Page 13

Objective 2 (ctd): Conclusions

• Adversarial movements are not linear

  • Team members shifted their focus back to intrusion-chain stages they had performed previously, producing movement that was not sequential (possible reasons: failure to progress, differing objectives among team members, or subjects being involved in multiple stages at once)

• Adversarial movements are not homogeneous

  • Overall decision making of the adversarial team throughout the exercise is individual rather than based on a unified process

Page 14

Methodological innovation

• Time-series analysis

• Social network analysis

• Methodology

  • Convert qualitative observational data to quantitative time series and graph data

  • Multidisciplinary methodologies

  • Newer insights into adversarial movement & behavior?

Page 15

Other multidisciplinary efforts

• Group dynamics / Social network analysis: Asadi, N., Rege, A. & Obradovic, Z. (2018). "An Assessment of Group Dynamics During Cyber Crime Through Temporal Network Topology". Proceedings of the 10th International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS).

• Prediction / Machine learning: Rege, A., Obradovic, Z., Asadi, N., Parker, E., Pandit, R., Masceri, N. & Singer, B. (2018). "Predicting Adversarial Cyber Intrusion Stages Using Autoregressive Neural Networks". IEEE Intelligent Systems PP(99):1-1.

• Refine temporal metric & measurement

• Add more case studies

Page 16

Pattern Discovery in Intrusion Chains and Adversarial Movement

Thank you. Comments/Questions?

Nima Asadi [1], Aunshul Rege [2], Zoran Obradovic [1]

[1] Department of Computer and Information Sciences

[2] Department of Criminal Justice