Abstract
Advanced persistent threats (APTs) have emerged as multi-stage attacks that have targeted nation-states and their associated entities, including private and corporate sectors. Cyber deception has emerged as a defense approach to secure our cyber infrastructure from APTs. Practical deployment of cyber deception relies on defenders' ability to place decoy nodes optimally along the APT path. This paper presents a cyber deception approach focused on predicting the most likely sequence of attack paths and deploying decoy nodes along the predicted path. Our proposed approach combines reactive (graph analysis) and proactive (cyber deception technology) defense to thwart the adversaries' lateral movement. The proposed approach is realized through two phases. The first phase predicts the most likely attack path based on Intrusion Detection System (IDS) alerts and network traces, and the second phase determines the optimal deployment of decoy nodes along the predicted path. We employ transition probabilities in a Hidden Markov Model to predict the path. In the second phase, we utilize the predicted attack path to deploy decoy nodes. However, it is likely that the attacker will not follow the predicted path when moving laterally. To address this challenge, we employ a Partially Observable Monte-Carlo Planning (POMCP) framework. POMCP helps the defender assess several defense actions to block the attacker when it deviates from the predicted path. The evaluation results show that our approach can predict the most likely attack paths and thwart the adversarial lateral movement.
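To make the two phases concrete, the following is an added example and not code from the paper: a small Hidden Markov Model whose hidden states are hosts an attacker may occupy and whose observations are coarse IDS alert categories. Viterbi decoding recovers the most likely host sequence (phase one), and the transition row of the inferred current host ranks candidate decoy placements (a simplified stand-in for phase two, without the POMCP re-planning the paper uses). The host names, alert categories, and every probability are constructed for illustration and are not the paper's evaluation data.

```python
"""Added example: Viterbi decoding over a constructed HMM of hosts and IDS
alert categories, followed by a simple next-hop ranking for decoy placement."""
import math

# Hidden states: hosts the attacker may occupy (constructed topology).
HOSTS = ["web", "app", "db", "admin"]
# Observations: coarse IDS alert categories (constructed).
ALERTS = ["scan", "exploit", "auth_fail", "quiet"]

# Initial distribution: the compromise is assumed to begin at the web tier.
START = {"web": 0.7, "app": 0.2, "db": 0.05, "admin": 0.05}

# Transition probabilities between hosts (each row sums to 1), constructed to
# reflect a lateral-movement pattern web -> app -> db/admin.
TRANS = {
    "web":   {"web": 0.4,  "app": 0.5,  "db": 0.06, "admin": 0.04},
    "app":   {"web": 0.1,  "app": 0.4,  "db": 0.3,  "admin": 0.2},
    "db":    {"web": 0.05, "app": 0.15, "db": 0.6,  "admin": 0.2},
    "admin": {"web": 0.05, "app": 0.1,  "db": 0.15, "admin": 0.7},
}

# Emission probabilities: which alert category each host tends to produce.
EMIT = {
    "web":   {"scan": 0.5, "exploit": 0.3, "auth_fail": 0.1,  "quiet": 0.1},
    "app":   {"scan": 0.2, "exploit": 0.4, "auth_fail": 0.25, "quiet": 0.15},
    "db":    {"scan": 0.1, "exploit": 0.3, "auth_fail": 0.4,  "quiet": 0.2},
    "admin": {"scan": 0.1, "exploit": 0.2, "auth_fail": 0.5,  "quiet": 0.2},
}


def viterbi(observations, states=HOSTS, start=START, trans=TRANS, emit=EMIT):
    """Return (log_prob, path): the most likely hidden host sequence for the
    observed alert sequence. Works in log space to avoid underflow."""
    if not observations:
        return float("-inf"), []
    # score[t][s] = best log-probability of any path ending in state s at step t
    score = [{s: math.log(start[s]) + math.log(emit[s][observations[0]])
              for s in states}]
    back = [{}]  # back[t][s] = predecessor of s on the best path to (t, s)
    for t in range(1, len(observations)):
        score.append({})
        back.append({})
        for s in states:
            best_prev, best_val = max(
                ((p, score[t - 1][p] + math.log(trans[p][s])) for p in states),
                key=lambda x: x[1],
            )
            score[t][s] = best_val + math.log(emit[s][observations[t]])
            back[t][s] = best_prev
    # Backtrack from the best final state.
    last = max(states, key=lambda s: score[-1][s])
    path = [last]
    for t in range(len(observations) - 1, 0, -1):
        path.append(back[t][path[-1]])
    path.reverse()
    return score[-1][last], path


def predict_next_hops(current, trans=TRANS, k=2):
    """Rank the k most probable next hosts from `current` by transition
    probability, excluding staying put; these are the decoy candidates."""
    ranked = sorted(
        ((h, p) for h, p in trans[current].items() if h != current),
        key=lambda x: x[1], reverse=True)
    return [h for h, _ in ranked[:k]]


def plan_decoys(observations, k=2):
    """Decode the path observed so far, then place decoys on the k most
    probable next hops of the inferred current host."""
    _, path = viterbi(observations)
    return path, predict_next_hops(path[-1], k=k)


if __name__ == "__main__":
    # Constructed alert sequence, in the order an IDS might emit it.
    obs = ["scan", "exploit", "auth_fail", "auth_fail"]
    path, decoys = plan_decoys(obs)
    print("inferred path:   ", " -> ".join(path))
    print("decoy candidates:", decoys)
```

With the constructed numbers, the decoded path is web, app, admin, admin and the decoys would go on db and app. The ranking by a single transition row is the simplification: it assumes the attacker keeps following the model, which is exactly the assumption the paper relaxes with POMCP when the attacker deviates from the predicted path.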
Highlights
Given the growing spate of cyber attacks, it is imperative to design resilient cyber infrastructure
Adversaries have lately resorted to using Advanced Persistent Threats (APT) to conduct cybercrime
This paper proposes a method to predict the most likely attack path for adversarial lateral movement and deter the adversarial lateral movement using a cyber deception approach
Summary
Given the growing spate of cyber attacks, it is imperative to design resilient cyber infrastructure. In this paper, we use a Hidden Markov Model (HMM) to identify the most likely attack path an attacker could take to reach the goal state. We present an approach to predict the most likely attack path for adversarial lateral movement by leveraging the HMM. This approach helps the defender understand the attacker's strategies and aims, and it plays a vital role in enabling the security team to take the necessary actions (deploying decoys) before the attacker progresses along the predicted path and reaches the goal state. Ussath et al. [31] have discussed a 3-stage APT attack life cycle model focusing only on initial compromise, lateral movement, and command-and-control activity. For the illustrative example in the evaluation section, we assume that the attacker will move first and attempt an exploit