integrating defenders attackers into cyber security risk
play

Integrating Defenders & Attackers into Cyber Security Risk - PowerPoint PPT Presentation

Jul 19, 2023 •209 likes •537 views

Integrating Defenders & Attackers into Cyber Security Risk Models Varun Agarwal Diane Henshel, Alexander Alexeev, Mariana Cains SRA Annual Meeting, Arlington VA, 10-14 December 2017 Outline Motivation & Research Goals Technical

  1. Integrating Defenders & Attackers into Cyber Security Risk Models Varun Agarwal Diane Henshel, Alexander Alexeev, Mariana Cains SRA Annual Meeting, Arlington VA, 10-14 December 2017

  2. Outline • Motivation & Research Goals • Technical Approach & Conceptual Framework • Statistical Application • Preliminary Results • Conclusions & Future Work

  3. Motivation & Research Goals • Current cyber security risk modeling frameworks include only hardware and software • Importance of human factors is under-represented in major risk assessment frameworks So, we propose a model The goal is to: • Incorporate human factors (attackers & defenders) in cyber risk models • Model risk dynamically • Identify minimum number of necessary and sufficient variables that capture the dynamic system risk • Finally, evaluate cause of high-risk situations

  4. Technical Approach To achieve our goal • We use hybrid Bayesian network to build our risk model – Reason - Bayesian networks allow for causal inference – Graphical models are more suitable for assessing risk in complex systems • Presented model is built around modeling risk to a database server

  5. Conceptual Risk Framework Framework outputs risk associated with an Incoming Connection Request

  6. Step 1 - Incoming connection request detected

  7. Step 2 - Set evidence for inferences from connection request

  8. Attacker Skill – Distribution informed by prior experience

  9. Port – port through which connection request comes in (e.g. Port 80 for HTTP, Port 22 for SSH)

  10. Internal/External – Is origin of connection Request internal to server’s network?

  11. Malicious IP Database – Is IP listed in online malicious IP databases?

  12. Defender Skill – Can be measured through internal assessments of cyber security experts/defenders (Low skill, Medium skill, High skill)

  13. User Permission – Access level that the user possesses (Low, medium, high)

  14. Required Permission – Access Level required to communicate with server

  15. Country – Geographical origin of the connection request, as identified by IP

  16. Step 3 – Include country-specific lookups

  17. No. of attacks from country – Total logged attacks from a country in a year Malicious Saturation of Traffic - % of traffic which is malicious

  18. Hierarchical Organization of Attacker – Individual, Independent group, State Tolerated, State Funded attackers

  19. Type of Attack – Captures risk associated with type of attack (Botnets – low risk, Phishing – Medium Risk, APT – High Risk)

  20. Country Threat Index – Aggregates and measures risk due to country- specific metrics

  21. Connection Risk Prior to Defense – Aggregates risk from the connection metrics, before defender skill metric is accounted for

  22. Connection Risk After Defense – Aggregates risk after accounting for defender skill metric

  23. Potential Access – What is the potential that the query is successful?

  24. Final Step – Aggregate risk due to all the accounted metrics in final risk node

  25. Sources of Uncertainty • Skilled attackers can spoof IP address and appear to be on the internal network • First true origin of the connection request might be untraceable • Spoofing user permissions presents risk to the database • Specification bias in the model

  26. Statistical Application • Implemented conceptual framework as Bayesian Network • Directed edges represent dependencies • Figure shows marginal distribution for each node

  27. Statistical Application • Priors for Sensor inputs inducted from cyber reports • Conditional probability tables hypothesized by collaborating with experts in risk and cybersecurity

  28. Statistical Application • Risk to database calculated by conditional probability P(R|S) • S is the input state of the model – observed by setting evidence for sensor inputs and human skill indicators

  29. Results Variable State S 1 State S 2 Port (P) p80 (Medium risk) p22 (Very high risk) Attacker Skill Medium Skill (Medium to high Medium Skill (Medium to high • Evidence set for (AS) risk) risk) hypothetical Connection (C0) Internal, (Low risk) External, (High risk) Malicious IP Not listed, (Low risk) Malicious Listed IP, (High risk) scenarios Database (IP) • S 1 (Low – Medium P(L| Country = USA) = 0.203 P(L| Country = China) = 0.061 Country Threat P(M| Country = USA) = 0.457 P(M| Country = China) = 0.308 Risk) Index (CTI) P(H| Country = USA) = 0.289 P(H| Country = China) = 0.445 P(VH| Country = USA) = 0.051 P(VH| Country = China) = 0.185 • S 2 (High Risk) Defense (D) High Skill (Medium to low risk) High Skill (Medium to low risk) User Permission Low, (Low risk) High, (High risk) (UP) Required Access Low, (Low risk) High, (High risk) Level (RAL) P(L|S 1 ) = 0.383 P(L|S 2 ) = 0.098 Risk of P(M|S 1 ) = 0.376 P(M|S 2 ) = 0.215 Database P(H|S 1 ) = 0.161 P(H|S 2 ) = 0.508 Compromise (R) P(VH|S 1 ) = 0.08 P(VH|S 2 ) = 0.179

  30. Variable State S 1 State S 2 Port (P) p80 (Medium risk) p22 (Very high risk) Attacker Skill (AS) Medium Skill (Medium to high risk) Medium Skill (Medium to high risk) Connection (C0) Internal, (Low risk) External, (High risk) Malicious IP Database Not listed, (Low risk) Malicious Listed IP, (High risk) (IP) P(L| Country = USA) = 0.203 P(L| Country = China) = 0.061 P(M| Country = USA) = 0.457 P(M| Country = China) = 0.308 Country Threat Index (CTI) P(H| Country = USA) = 0.289 P(H| Country = China) = 0.445 P(VH| Country = USA) = 0.051 P(VH| Country = China) = 0.185 Defense (D) High Skill (Medium to low risk) High Skill (Medium to low risk) User Permission (UP) Low, (Low risk) High, (High risk) Required Access Level Low, (Low risk) High, (High risk) (RAL) P(Low Risk|S 1 ) = 0.383 P(Low Risk|S 2 ) = 0.098 P(Medium Risk|S 1 ) = 0.376 P(Medium Risk|S 2 ) = 0.215 Risk of Database Compromise (R) P(High Risk|S 1 ) = 0.161 P(High Risk|S 2 ) = 0.508 P(Very High|S 1 ) = 0.08 P(Very High Risk|S 2 ) = 0.179

  31. Conclusions and Future Tasks • Quantitatively integrated humans as risk factors in network risk calculations • Developed a metric to indicate relative risk by a country • Model provides a reasonable estimation of risk for different conditions of the network

  32. Future Tasks • Validation of analysis – Validate against DETER testbed with modelled attackers and defenders – Assess model performance dynamically Thank you! varagarw@indiana.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework

Cyber Security Risk Using the Cyber Security Measurement Framework Cyber Security Framework Reporting Objectives Executive Summary Information Assess Current Cyber Security Posture Measure Progress Toward Improvement Assess

634 views • 5 slides
Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze

Program Analysis Attackers: need to analyze our program to modify it! Defenders: need to analyze our program to protect it! Two kinds of analyses: 1 static analysis tools collect information about a program by studying its code; 2 dynamic

1.21k views • 41 slides
CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview

CYBER SECURITY Nick Kervin Partner, IT Advisory August 2017 Page 1 CYBER SECURITY Overview 1. What is at risk? 2. Global industry trends 3. BDO/AusCERT survey 4. Recent cyber case studies 5. Cyber risk mitigation strategies Page

481 views • 35 slides
Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan

Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan

Institute for Cyber Security Towards Provenance and Risk-Awareness in Social Computing Yuan Cheng, Dang Nguyen, Khalid Bijon, Ram Krishnan, Jaehong Park and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio September

256 views • 12 slides
Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael

Ground Truth Competency Assessment for Smart Grid Cyber Security TCIPG May 4, 2012 Michael Assante President, NBISE David H. Tobey, Ph.D. Director of Research The Need for Cyber Defenders "Everywhere I go, across the country, CEOs and

595 views • 27 slides
Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The

Demystifying Cyber Insurance European Legal Security Forum 2016 12 th July 2016 Agenda The Evolution of Cyber Insurance Is Cyber Risk Already Insured? Cyber And Data Protection Is Not Just An IT Issue Case Study Cyber Risk Stakeholders The

1.03k views • 8 slides
Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk

Data Driven Assessment of Cyber Risk: Challenges in Assessing and Mitigating Cyber Risk Challenges in Assessing and Mitigating Cyber Risk Mustaque Ahamad, Saby Mitra and Paul Royal Georgia Tech Information Security Center Georgia Tech

763 views • 16 slides
Communication in Power Grid Cyber Infrastructure to Mislead Cyber Attackers Hui Lin, Zbigniew

Communication in Power Grid Cyber Infrastructure to Mislead Cyber Attackers Hui Lin, Zbigniew

RAINCOAT: Randomize Network Communication in Power Grid Cyber Infrastructure to Mislead Cyber Attackers Hui Lin, Zbigniew Kalbarczyk , Ravishankar Iyer University of Illinois at Urbana-Champaign UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN |

309 views • 20 slides
Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial

ABB MINING USER CONFERENCE, MAY 02-05, 2017 Cyber Security in Mining Automation Ragnar Schierholz, Head of Cyber Security, Industrial Automation Division Agenda Why worry about cyber security? ABBs approach to cyber security Cyber security

1.07k views • 39 slides
Planes, Trains and Automobiles (and Ships & Spacecraft) Mobility Cyber Security Andy Davis,

Planes, Trains and Automobiles (and Ships & Spacecraft) Mobility Cyber Security Andy Davis,

Planes, Trains and Automobiles (and Ships & Spacecraft) Mobility Cyber Security Andy Davis, Transport Assurance Practice Director Global experts in cyber security & risk mitigation Agenda Size of the challenge Levels of cyber

824 views • 14 slides
Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers

Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers

CS 166: Information Security Malware Prof. Tom Austin San Jos State University Malware: The Cat & Mouse Game Attackers and Defenders Play 1971 "I'M THE CREEPER : "I'M THE CREEPER : CATCH ME IF YOU CAN." CATCH ME IF YOU

1.11k views • 82 slides
Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI) is a trademark of the U.S. Department of Homeland Security (DHS). The HSSEDI

149 views • 13 slides
Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks

AUGUST 25, 2015 Cyber Insurance: Protect Your Wine Business Against Data Security Breaches and Other Cyber Risks Tyler Gerking, Partner David B. Smith, CPCU, ARM, Insurance & Risk Management Consultant What is Cyber Insurance?

368 views • 10 slides
Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman

Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman

Institute for Cyber Security A Framework for Risk-Aware Role Based Access Control Khalid Zaman Bijon, Ram Krishnan and Ravi Sandhu Institute for Cyber Security University of Texas at San Antonio October 16, 2013 SafeConfig 2013: IEEE 6th

227 views • 18 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
CYBER SECURITY - DE-RISKING THE USE OF CLOUD SERVICES Maritz Cloete, CISSP, M.CIIS 16 September

CYBER SECURITY - DE-RISKING THE USE OF CLOUD SERVICES Maritz Cloete, CISSP, M.CIIS 16 September

CYBER SECURITY - DE-RISKING THE USE OF CLOUD SERVICES Maritz Cloete, CISSP, M.CIIS 16 September 2020 INTRODUCTIONS Maritz Cloete Information/Cyber Security Consultant Background Cyber security risk management Implementing

549 views • 29 slides
Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential

Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential

Triaging Suspicious Artifacts Securit y Risk Advisors, Inc. Proprietary and Client Confidential About Us Jonas, GREM Security Risk Advisors (sra.io) Service lines: DFIR, CTA, A&E Clay (ttheveii0x), GREM Security Risk Advisors (sra.io)

723 views • 25 slides
Challenges in multi-modal transport planning Jochen Mundinger, Founder & Chairman, routeRANK

Challenges in multi-modal transport planning Jochen Mundinger, Founder & Chairman, routeRANK

Challenges in multi-modal transport planning Jochen Mundinger, Founder & Chairman, routeRANK routeRANK Ltd / Parc Scientifique EPFL / CH-1015 Lausanne Public Web: www.routerank.com / Email: info@routerank.com Introduction and context

914 views • 13 slides
SMT-based model checking techniques for formal software verification of synchronous dataflow

SMT-based model checking techniques for formal software verification of synchronous dataflow

An insight into SMT-based model checking techniques for formal software verification of synchronous dataflow programs Jonathan Laurent Ecole Normale Sup erieure, National Institute of Aerospace, NASA Langley Research Center August 11 th ,

1.01k views • 67 slides
x HE xdt5 L tz x Cti t t l I titsititz titts t's Ez t.tt more generally simply laced x Lt

x HE xdt5 L tz x Cti t t l I titsititz titts t's Ez t.tt more generally simply laced x Lt

Fibers of Meps to Non negative Totally Spaces Patricia Hersh North Carolina State University 1903.01420 joint work arXiv See with James Davis Ezra Miller A Key Calculation tittz titz Lt X xzLtz Coo f x 3 t z Il tits x HE xdt5 L tz x

444 views • 17 slides
Typing for a Minimal Aspect Language Peter Hui, James Riely DePaul CTI {phui,j riely}@

Typing for a Minimal Aspect Language Peter Hui, James Riely DePaul CTI {phui,j riely}@

Typing for a Minimal Aspect Language Peter Hui, James Riely DePaul CTI {phui,j riely}@ cs.depaul.edu ABC Minimal Aspect Calculus - First presented: Bruns, Jagadeesan, et. al (CONCUR 04) - First version of ABC - source/ target/

786 views • 43 slides
Research questions for Tor Part one: research questions, current and soon. Part two:

Research questions for Tor Part one: research questions, current and soon. Part two:

Research questions for Tor Part one: research questions, current and soon. Part two: research questions we need help on. Decentralizing the directory Server descriptors are self-signed, so get them anywhere. Each dirserver

529 views • 20 slides
INVARIANT Priese/Wimmel 2008 ANALYSIS Lautenbachs miracle - EXAMPLES

INVARIANT Priese/Wimmel 2008 ANALYSIS Lautenbachs miracle - EXAMPLES

dependability engineering & Petri nets November 2013 dependability engineering & Petri nets November 2013 I NDEX Starke 90, p.121 exponential number of invariants Starke 90, p. 111 CPI & CTI, but not live INVARIANT

605 views • 14 slides
Dynamics of Parallel Fibers and Purkinje Cells Computational Models of Neural Systems Lecture 2.5

Dynamics of Parallel Fibers and Purkinje Cells Computational Models of Neural Systems Lecture 2.5

Dynamics of Parallel Fibers and Purkinje Cells Computational Models of Neural Systems Lecture 2.5 David S. Touretzky September, 2015 The Beam Hypothesis (Eccles) Activation of granule cells should lead to activation of a beam of Purkinje

684 views • 35 slides

More recommend