Modeling and Analyzing Cyber Adaptations and Attack Narratives
Anyone who has ever spent time trying to implement a security solution to mitigate or prevent cyber attacks knows that defending a network is hard, overwhelming, and difficult for humans to do well. As such, we depend on tools and automation to implement, manage, and monitor defenses on our behalf. But this automation is not without cost. Defenders are inundated with large volumes of logs and alerts from the very systems they set up to implement their defenses. This leaves defenders asking whether their solutions are actually working, to what extent, and how to make sense of all the noise those solutions produce in order to resolve the underlying problems. This thesis makes two contributions.
The first contribution is a security metrics framework that measures the degree of dynamic adaptation by attackers and defenders in cyberspace. The framework is generic in the sense that it is applicable to any quantitative security metric, including existing measurements of the quality of detection mechanisms (e.g., false positives or false negatives) as well as measurements of the degree of adaptation, which existing metrics have not captured. To validate the usefulness of the proposed framework, we conducted a case study measuring the degree of adaptation made by attackers and defenders using real datasets from a system equipped with the Snort intrusion detection mechanism.
The second contribution is a framework for extracting attack narratives to help understand attacker behaviors. Within this framework, we propose re-examining packet grepping for attack signatures in network traffic as a viable, fast, and effective means of extracting attack narratives from large volumes of traffic. By combining attack-signature packet grepping with Mandiant's Attack Lifecycle Model, we increase the effectiveness of packet grepping and create a simple yet powerful methodology for constructing attack narratives. To show the effectiveness of the framework, we conduct a case study using the 2015 National Collegiate Cyber Defense Competition (NCCDC) network traffic. Our preliminary results show that the framework is promising.
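The signature-grepping step combined with the lifecycle model, as an added example that is not part of the thesis: it matches packet payloads against a signature table, tags each hit with its Mandiant Attack Lifecycle phase, and groups the hits per source host into a time-ordered narrative. The signature table, its phase mapping and the sample traffic are constructed assumptions for illustration, not the thesis's rules or the NCCDC data.

```python
import re
from collections import defaultdict

# Mandiant Attack Lifecycle phases, in the order the model presents them.
PHASES = ["Initial Reconnaissance", "Initial Compromise", "Establish Foothold",
          "Escalate Privileges", "Internal Reconnaissance", "Move Laterally",
          "Maintain Presence", "Complete Mission"]

# Constructed signature table (regex over the payload -> lifecycle phase).
# A real deployment would load Snort-style content rules; these are illustrative.
SIGNATURES = [
    (re.compile(r"GET /robots\.txt", re.I), "Initial Reconnaissance"),
    (re.compile(r"union\s+select", re.I), "Initial Compromise"),
    (re.compile(r"POST /uploads/cmd\.php", re.I), "Establish Foothold"),
    (re.compile(r"schtasks /create", re.I), "Maintain Presence"),
]

def grep_packets(packets, signatures=SIGNATURES):
    """Match every packet payload against every signature; keep each hit with its phase."""
    hits = []
    for pkt in packets:
        for rx, phase in signatures:
            if rx.search(pkt["payload"]):
                hits.append({"ts": pkt["ts"], "src": pkt["src"], "dst": pkt["dst"], "phase": phase})
    return hits

def build_narratives(hits):
    """Group hits by source host and order them in time: one narrative per attacking host."""
    by_src = defaultdict(list)
    for h in sorted(hits, key=lambda h: h["ts"]):
        by_src[h["src"]].append((h["ts"], h["phase"], h["dst"]))
    return dict(by_src)

def phases_reached(narrative):
    """Distinct lifecycle phases seen in a narrative, in model order, as a progress summary."""
    seen = {phase for _, phase, _ in narrative}
    return [p for p in PHASES if p in seen]

# Constructed sample traffic (ts, src, dst, payload); not real competition data.
SAMPLE = [
    {"ts": 100, "src": "10.0.0.5", "dst": "10.1.0.10", "payload": "GET /robots.txt HTTP/1.1"},
    {"ts": 130, "src": "10.0.0.5", "dst": "10.1.0.10", "payload": "GET /item?id=1 UNION SELECT 1,2 HTTP/1.1"},
    {"ts": 160, "src": "10.0.0.9", "dst": "10.1.0.10", "payload": "GET /index.html HTTP/1.1"},
    {"ts": 200, "src": "10.0.0.5", "dst": "10.1.0.10", "payload": "POST /uploads/cmd.php HTTP/1.1"},
    {"ts": 300, "src": "10.0.0.5", "dst": "10.1.0.11", "payload": "schtasks /create /tn upd /tr c:\\x.exe"},
]

if __name__ == "__main__":
    for src, story in build_narratives(grep_packets(SAMPLE)).items():
        print(src, "->", " > ".join(phases_reached(story)))
```

The benign request from 10.0.0.9 matches no signature and so produces no narrative, which is the noise reduction the grepping step is meant to give.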