Visible to the public A Quantitative Framework to Model Reconnaissance by Stealthy Attackers and Support Deception-Based Defenses

TitleA Quantitative Framework to Model Reconnaissance by Stealthy Attackers and Support Deception-Based Defenses
Publication TypeConference Paper
Year of Publication2020
AuthorsPham, L. H., Albanese, M., Chadha, R., Chiang, C.-Y. J., Venkatesan, S., Kamhoua, C., Leslie, N.
Date PublishedJune 2020
ISBN Number978-1-7281-4760-4
Keywordsadvanced adversaries, Adversary Models, Computer crime, computer network security, Computer worms, critical capability, cyber deception, deception-based defenses, defensive capabilities, Electronic mail, foothold, Human Behavior, Knowledge engineering, Metrics, military computing, model reconnaissance, Network reconnaissance, network reconnaissance capabilities, Organizations, passive reconnaissance techniques, persistent cyber adversaries, pubcrawl, quantitative framework, Reconnaissance, resilience, Resiliency, Scalability, stealthy attackers, Tools

In recent years, persistent cyber adversaries have developed increasingly sophisticated techniques to evade detection. Once adversaries have established a foothold within the target network, using seemingly-limited passive reconnaissance techniques, they can develop significant network reconnaissance capabilities. Cyber deception has been recognized as a critical capability to defend against such adversaries, but, without an accurate model of the adversary's reconnaissance behavior, current approaches are ineffective against advanced adversaries. To address this gap, we propose a novel model to capture how advanced, stealthy adversaries acquire knowledge about the target network and establish and expand their foothold within the system. This model quantifies the cost and reward, from the adversary's perspective, of compromising and maintaining control over target nodes. We evaluate our model through simulations in the CyberVAN testbed, and indicate how it can guide the development and deployment of future defensive capabilities, including high-interaction honeypots, so as to influence the behavior of adversaries and steer them away from critical resources.

Citation Keypham_quantitative_2020