Transcript of: Pattern Discovery in Intrusion Chains and Adversarial Movement
Page 1
Pattern Discovery in Intrusion Chains and Adversarial Movement
IEEE Cyber Science 2019 Conference
Nima Asadi (1), Aunshul Rege (2), Zoran Obradovic (1)
(1) Department of Computer and Information Sciences
(2) Department of Criminal Justice
Page 2
Paradigm shift in cybersecurity
• Average cost of cybercrime (Accenture Security 2019)
  • US: $27.4 million
• Current state of affairs (IBM & Ponemon Institute, 2018)
  • Mean time to identify (MTTI): 197 days
  • Mean time to contain (MTTC): 69 days
  • Detection & recovery activities for an organization: $4.43 million
• Reactive → Proactive
• Anticipatory/Predictive
EAGER Award # 1742747
Page 3
Objectives
1. Provide a quantitative framework for temporal analysis of the cyberattack process
  • Employ data science methods on the proposed framework to analyze the cyberattack process
2. Propose a social network framework to capture the movement during cybercrime
(Dell, 2012)
Page 4
Research setting, methods & analytical framework
• Two Collegiate Penetration Testing Competitions (CPTC)
  • Regional (October 2017) & National (November 2017)
  • Team 1 from the regional CPTC, 7 members
  • Team 2 from the national CPTC, 6 members
• Six-hour competition each, in a simulated environment
• Teams observed and interviewed before, during, and after the exercise
Page 5
From observations to preliminary temporal analysis
Page 6
From observations to preliminary temporal analysis
Page 7
Objective 1: Time series generation
Page 8
Objective 1 (ctd): Temporal assessment of adversarial movements
Page 9
Objective 1 (ctd): Conclusions
• Similarities in the duration of focus of the two teams
  • Intrusion stages 3 (build and acquire tools) and 4 (research target infrastructure/employees), as well as stages 10 (strengthen foothold) and 11 (exfiltrate data)
• Difference in the time allocation of the two teams:
  • Higher similarity of intrusion stage 9 to stages 10 and 11 for team 1, which is not observed in team 2
Page 10
Objective 1 (ctd): Comparison of the two teams
Page 11
Objective 2: Social network framework
• Maximum path length
  • The maximum number of edges between two nodes in the graph
  • Captures the linearity of movement (existence of loops, etc.)
• Edge-to-node ratio
  • Captures the frequency of shifts between intrusion stages by a team member
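As an added example, not code from the slides or from the authors, the Python below turns a constructed observation log into the per-member stage time series of Objective 1 and the stage-transition graph of Objective 2, then computes the two graph metrics above. Interpreting "maximum path length" as the longest simple path in the transition graph, and dropping self-transitions, are my assumptions; the stage numbers follow the 12-stage intrusion chain the slides refer to.

```python
from collections import defaultdict

# Constructed observation log (not the paper's data): (minute, member, intrusion stage).
# Stage numbers as on the slides: 3 = build and acquire tools, 4 = research target,
# 10 = strengthen foothold, 11 = exfiltrate data.
OBSERVATIONS = [
    (0, "m1", 3), (15, "m1", 4), (30, "m1", 3), (45, "m1", 4),  # m1 loops 3 -> 4 -> 3 -> 4
    (60, "m1", 10), (75, "m1", 11),
    (0, "m2", 4), (20, "m2", 10), (40, "m2", 11),                # m2 moves linearly
]

def time_series(observations, member):
    """Objective 1: the time-ordered sequence of stages one member focused on."""
    return [stage for _, m, stage in sorted(observations) if m == member]

def transition_graph(series):
    """Objective 2: directed graph whose nodes are stages and whose edges are
    shifts of focus from one stage to a different one (self-transitions dropped)."""
    edges = {(a, b) for a, b in zip(series, series[1:]) if a != b}
    return set(series), edges

def edge_to_node_ratio(nodes, edges):
    """Frequency of shifts between stages relative to the stages visited."""
    return len(edges) / len(nodes)

def max_path_length(nodes, edges):
    """Longest simple path, counted in edges (assumed reading of the slides' metric).
    Exhaustive DFS is fine here because a member visits at most 12 stages."""
    succ = defaultdict(list)
    for a, b in edges:
        succ[a].append(b)

    def dfs(node, visited):
        return max((1 + dfs(n, visited | {n}) for n in succ[node] if n not in visited),
                   default=0)

    return max(dfs(n, {n}) for n in nodes)

def member_metrics(observations, member):
    """Both Objective 2 metrics for one member; a ratio >= 1 signals revisited stages."""
    nodes, edges = transition_graph(time_series(observations, member))
    return {"nodes": len(nodes), "edges": len(edges),
            "edge_to_node_ratio": edge_to_node_ratio(nodes, edges),
            "max_path_length": max_path_length(nodes, edges)}

if __name__ == "__main__":
    for m in ("m1", "m2"):
        print(m, time_series(OBSERVATIONS, m), member_metrics(OBSERVATIONS, m))
```

The looping member ends up with an edge-to-node ratio of 1.0 while the linear one stays below 1, which is the non-sequential movement the next slides describe.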
Page 12
Objective 2 (ctd): Social network analysis
Page 13
Objective 2 (ctd): Conclusions
• Adversarial movements are not linear
  • Team members shifted their focus back to intrusion chain stages they had already performed, so their movement was not sequential (possible reasons: failure to make progress, differing objectives among team members, or subjects being involved in multiple stages at once)
• Adversarial movements are not homogeneous
  • Overall, decision making within the adversarial team throughout the exercise was individual rather than based on a unified process
Page 14
Methodological innovation
• Time-series analysis
• Social network analysis
• Methodology
  • Convert qualitative observational data to quantitative time series and graph data
  • Multidisciplinary methodologies
• Newer insights into adversarial movement & behavior?
Page 15
Other multidisciplinary efforts
• Group dynamics / Social network analysis
  Asadi, N., Rege, A. & Obradovic, Z. (2018). "An Assessment of Group Dynamics During Cyber Crime Through Temporal Network Topology". Proceedings of the 10th International Conference on Social Computing, Behavioral-Cultural Modeling & Prediction and Behavior Representation in Modeling and Simulation (SBP-BRiMS).
• Prediction / Machine learning
  Rege, A., Obradovic, Z., Asadi, N., Parker, E., Pandit, R., Masceri, N. & Singer, B. (2018). "Predicting Adversarial Cyber Intrusion Stages Using Autoregressive Neural Networks". IEEE Intelligent Systems PP(99):1-1.
• Refine temporal metric & measurement
• Add more case studies
Page 16
Pattern Discovery in Intrusion Chains and Adversarial Movement
Thank you. Comments/Questions?
Nima Asadi (1), Aunshul Rege (2), Zoran Obradovic (1)
(1) Department of Computer and Information Sciences
(2) Department of Criminal Justice