Nothing Special   »   [go: up one dir, main page]

Skip to content
Licensed Unlicensed Requires Authentication Published by De Gruyter Oldenbourg February 18, 2022

Extracting network based attack narratives through use of the cyber kill chain: A replication study

  • Aaron Weathersby

    Aaron Weathersby is a doctoral student at Marymount University and D. Sc. Cybersecurity candidate. He previously obtained a master’s in Industrial Tech from California State University Los Angeles and a bachelor’s in Computer Science from the University of Southern California. He currently works as the Chief Information Officer for Charles R. Drew University. He has obtained numerous cyber security certifications including Offensive Security Certified Professional (OSCP), Certified Security System Professional (CISSP), Certified Cisco Network Professional (CCNP), Security +, Security Linux Assembly Expert 32 Bit (SLAE – 32) and has identified several CVEs. Aaron’s dissertation topic is on Discerning the Relative Threat of Network Based Cyber-attacks, A Study of Motivation, Attribution and Anonymity of Hackers. His research interests include network security, attribution, and cyber threat intelligence.

    ORCID logo EMAIL logo
    and Mark Washington

    Mark Washington is a doctoral student at Marymount University and D. Sc. Cybersecurity candidate. As an adjunct instructor for Johns Hopkins University Krieger School of Arts & Sciences, Advanced Academic Programs for the Master of Science in Geographic Information Systems (GIS) Program, he teaches GIS for Infrastructure Management. Mark has a B. B. A. from the University of Pennsylvania, Wharton School of Business, and an M. S. from Rutgers University, School of Communication and Information. He previously instructed students as an adjunct faculty member at Mercer County Community College in New Jersey, teaching core courses in the Information Technology Department for more than 6 years.Mark is currently the Senior Manager of Information Systems for Johns Hopkins University Facilities and Real Estate Organization and is the architect of the Johns Hopkins Geographic Information System for infrastructure and utility management, supporting all university constituents. He is responsible for the management and maintenance of enterprise software applications and information technology systems, while leading staff to gather, store and render all geographic and related data for major stakeholders at Johns Hopkins University & Medicine. Ove the past two decades, Mark has led enterprise information technology initiatives at the University of Pennsylvania, Rutgers University and Princeton University.

    ORCID logo

Abstract

The defense of a computer network requires defenders to both understand when an attack is taking place and understand the larger strategic goals of their attackers. In this paper we explore this topic through the replication of a prior study “Extracting Attack Narratives from Traffic Datasets” by Mireles et al. [Athanasiades, N., et al., Intrusion detection testing and benchmarking methodologies, in First IEEE International Workshop on Information Assurance. 2003, IEEE: Darmstadt, Germany]. In their original research Mireles et al. proposed a framework linking a particular cyber-attack model (the Mandiant Life Cycle Model) and identification of individual attack signatures into a process as to provide a higher-level insight of an attacker in what they termed as attack narratives. In our study we both replicate the original authors work while also moving the research forward by integrating many of the suggestions Mireles et al. provided that would have improved their study. Through our analysis, we confirm the concept that attack narratives can provide additional insight beyond the review of individual cyber-attacks. We also built upon one of their suggested areas by exploring their framework through the lens of Lockheed Martin Cyber Kill Chain. While we found the concept to be novel and potentially useful, we found challenges replicating the clarity Mireles et al. described. In our research we identify the need for additional research into describing additional components of an attack narrative including the nonlinear nature of cyber-attacks and issues of identity and attribution.

ACM CCS:

Funding statement: Support for the Center for Infrastructure Assurance and Security NCCDC_logs-20150424 is provided by the U. S. Department of Homeland Security, Science and Technology Directorate, IMPACT program.

About the authors

Aaron Weathersby

Aaron Weathersby is a doctoral student at Marymount University and D. Sc. Cybersecurity candidate. He previously obtained a master’s in Industrial Tech from California State University Los Angeles and a bachelor’s in Computer Science from the University of Southern California. He currently works as the Chief Information Officer for Charles R. Drew University. He has obtained numerous cyber security certifications including Offensive Security Certified Professional (OSCP), Certified Security System Professional (CISSP), Certified Cisco Network Professional (CCNP), Security +, Security Linux Assembly Expert 32 Bit (SLAE – 32) and has identified several CVEs. Aaron’s dissertation topic is on Discerning the Relative Threat of Network Based Cyber-attacks, A Study of Motivation, Attribution and Anonymity of Hackers. His research interests include network security, attribution, and cyber threat intelligence.

Mark Washington

Mark Washington is a doctoral student at Marymount University and D. Sc. Cybersecurity candidate. As an adjunct instructor for Johns Hopkins University Krieger School of Arts & Sciences, Advanced Academic Programs for the Master of Science in Geographic Information Systems (GIS) Program, he teaches GIS for Infrastructure Management. Mark has a B. B. A. from the University of Pennsylvania, Wharton School of Business, and an M. S. from Rutgers University, School of Communication and Information. He previously instructed students as an adjunct faculty member at Mercer County Community College in New Jersey, teaching core courses in the Information Technology Department for more than 6 years.Mark is currently the Senior Manager of Information Systems for Johns Hopkins University Facilities and Real Estate Organization and is the architect of the Johns Hopkins Geographic Information System for infrastructure and utility management, supporting all university constituents. He is responsible for the management and maintenance of enterprise software applications and information technology systems, while leading staff to gather, store and render all geographic and related data for major stakeholders at Johns Hopkins University & Medicine. Ove the past two decades, Mark has led enterprise information technology initiatives at the University of Pennsylvania, Rutgers University and Princeton University.

Acknowledgment

We would like to thank the Cyber Impact project and the Center for Infrastructure Assurance and Security for providing access to this dataset. We would also like to formally thank the original authors Mireles et al. for conducting their novel study which ultimately provided us the opportunity to confirm, critique and build on their work.

References

1. Athanasiades, N., et al., Intrusion detection testing and benchmarking methodologies, in First IEEE International Workshop on Information Assurance. 2003, IEEE: Darmstadt, Germany.10.1109/IWIAS.2003.1192459Search in Google Scholar

2. Kaloroumakis, P.E. and M.J. Smith, Toward a Knowledge Graph of Cybersecurity Countermeasures, M. Corporation, Editor. 2021.Search in Google Scholar

3. Alexander, O., M. Belisle, and J. Steele, MITRE ATT&CK® for industrial control systems: Design and philosophy. The MITRE Corporation: Bedford, MA, USA, 2020.Search in Google Scholar

4. Hutchins, E.M., M.J. Cloppert, and R.M. Amin. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. in Proceedings of the 6th International Conference on Information Warfare and Security. 2011.Search in Google Scholar

5. Mireles, J.D., J.-H. Cho, and S. Xu. Extracting attack narratives from traffic datasets. in 2016 International Conference on Cyber Conflict (CyCon US). 2016. IEEE.10.1109/CYCONUS.2016.7836624Search in Google Scholar

6. Moayedi, B.Z. and M.A. Azgomi, A Game Theoretic Approach for Quantitative Evaluation of Security by Considering Hackers with Diverse Behaviors, in 2009 Eighth IEEE International Conference on Dependable, Autonomic and Secure Computing. 2009, IEEE: Chengdu, China.10.1109/DASC.2009.157Search in Google Scholar

7. Moayedi, B.Z. and M.A. Azgomi, A Game Theoretic Approach for Quantitative Evaluation of Strategic Interactions between Hacker’s Motivations, in 2009 Third UKSim European Symposium on Computer Modeling and Simulation. 2009, IEEE: Athens, Greece.10.1109/EMS.2009.101Search in Google Scholar

8. Ju, A., Y. Guo, and T. Li, MCKC: a modified cyber kill chain model for cognitive APTs analysis within Enterprise multimedia network. Multimedia Tools and Applications, 2020. 79(39): p. 29923–29949.10.1007/s11042-020-09444-xSearch in Google Scholar

9. Chakrabarti, S., M. Chakraborty, and I. Mukhopadhyay, Study of snort-based IDS, in Proceedings of the International Conference and Workshop on Emerging Trends in Technology. 2010, Association for Computing Machinery: Mumbai, Maharashtra, India. p. 43–47.10.1145/1741906.1741914Search in Google Scholar

10. Raiyn, J., A survey of Cyber Attack Detection Strategies. International Journal of Security and Its Applications, 2014. 8(1): p. 247–256.10.14257/ijsia.2014.8.1.23Search in Google Scholar

11. Ben-Asher, N. and C. Gonzalez, Effects of cyber security knowledge on attack detection. Computers in Human Behavior, 2015. 48: p. 51–61.10.1016/j.chb.2015.01.039Search in Google Scholar

12. Kim, K., F.A. Alfouzan, and H. Kim, Cyber-Attack Scoring Model Based on the Offensive Cybersecurity Framework. Applied Sciences, 2021. 11(16): p. 7738.10.3390/app11167738Search in Google Scholar

13. Giura, P. and W. Wei. A Context-Based Detection Framework for Advanced Persistent Threats. IEEE.Search in Google Scholar

14. Bou-Harb, E., M. Debbabi, and C. Assi, Cyber Scanning: A Comprehensive Survey. IEEE Communications surveys and tutorials, 2014. 16(3): p. 1496–1519.10.1109/SURV.2013.102913.00020Search in Google Scholar

15. Strom, B.E., et al., Mitre att&ck: Design and philosophy. Mitre Product Mp, 2018: p. 18–0944.Search in Google Scholar

16. Mandiant, Mandiant APT1 Report: Exposing One of China’s Cyber Espionage Units. 2020. 89–95.Search in Google Scholar

17. Corporation, M., ATT&CK Matrix for Enterprise.Search in Google Scholar

18. Corporation, M., D3FEND Matrix for Enterprise.Search in Google Scholar

19. Mironeanu, C., et al., Experimental Cyber Attack Detection Framework. Electronics, 2021. 10(14): p. 1682.10.3390/electronics10141682Search in Google Scholar

20. Binde, B.E., R. McRee, and T.J. O Connor, Assessing Outbound Traffic to Uncover Advanced Persistent Threat. 2011, Unpublished.Search in Google Scholar

21. Yılmaz, E.N. and S. Gönen, Attack detection/prevention system against cyber attack in industrial control systems. Computers & Security, 2018. 77: p. 94–105.10.1016/j.cose.2018.04.004Search in Google Scholar

22. Gove, R. Automatic Narrative Summarization for Visualizing Cyber Security Logs and Incident Reports. in 2021 IEEE Symposium on Visualization for Cyber Security (VizSec). 2021.10.1109/VizSec53666.2021.00005Search in Google Scholar

23. Segel, E. and J. Heer, Narrative Visualization: Telling Stories with Data. IEEE Transactions on Visualization and Computer Graphics, 2010. 16(6): p. 1139–1148.10.1109/TVCG.2010.179Search in Google Scholar

24. NCCDC_logs-20150424, in 2015 NC Cyber Defense Competition, C.f.I.A.a. Security, Editor. 2015: www.impactcybertrust.org.Search in Google Scholar

25. Cisco, SNORT Users Manual. 2020, Cisco Systems.Search in Google Scholar

26. Henderson, S. Websnort Documentation. 2015 [cited 2021]; Available from: https://websnort.readthedocs.io/en/latest/index.html.Search in Google Scholar

27. Cisco. Snort FAQ. What are Community Rules? 2021 [cited 2021]; Available from: https://www.snort.org/faq/what-are-community-rules.Search in Google Scholar

28. Tarnowski, I., How to use cyber kill chain model to build cybersecurity? European Journal of Higher Education IT, 2017.Search in Google Scholar

29. Lockheed Martin, Seven Ways to Apply the Cyber Kill Chain with a Threat Intelligence Platform. Lockheed Martin Corporation (2015). 2019, Lockheed Martin.Search in Google Scholar

30. Czosseck, C., G. Klein, and F. Leder, On the arms race around botnets – Setting up and taking down botnets, in 2011 3rd International Conference on Cyber Conflict. 2011, IEEE: Tallinn, Estonia.10.1016/S1353-4858(11)70051-4Search in Google Scholar

Received: 2021-11-14
Revised: 2022-01-25
Accepted: 2022-02-01
Published Online: 2022-02-18
Published in Print: 2022-04-26

© 2022 Walter de Gruyter GmbH, Berlin/Boston

Downloaded on 13.12.2024 from https://www.degruyter.com/document/doi/10.1515/itit-2021-0059/html
Scroll to top button