Abstract
Advanced persistent threats (APTs) differ from other computer-based attacks in their target selection, attack techniques, and malicious motive. Unlike script-kiddie attacks, they target critical systems to inflict maximum damage, for example by stalling critical industrial processes. The standard defense against APT attacks is to deploy security mechanisms reminiscent of enterprise defense systems, such as firewalls and intrusion detection systems. However, given the nature and attack potential of APTs, one cannot rely on these mechanisms alone: they are susceptible to failure and false alarms, and they interfere with usability. Yet another problem is deciding which mechanisms to deploy, and at which points, to offer maximum coverage against attacks. We believe that, given the unique characteristics of APT attacks, one needs a robust and layered defense that protects against APTs through timely detection, prevention, mitigation, and emergency planning. One objective way to determine the efficacy of countermeasures is to model and simulate attack behaviour.
In this paper, we propose a two-layer framework to analyze APT attacks. The top layer is the domain model of the Enhanced cyber kill chain, which we use to capture attack phases, techniques, and processes. The bottom layer is the analytic layer: stochastic timed automata derived from the domain model. Key metrics are obtained using state-of-the-art statistical model-checking techniques. We argue that such a timed analysis can be used to improve the security posture by placing countermeasures at appropriate positions.
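As an added illustration, not code from the paper or its authors, the snippet below approximates the analytic layer described above with a plain Monte Carlo estimate over a stochastic timed kill chain: each phase takes an exponentially distributed time, a detection control placed at a phase stops the attacker with some probability, and the estimator reports the probability that the attack completes within a deadline together with the attacker's mean dwell time before detection. The seven phase names follow the classic intrusion kill chain rather than the paper's enhanced variant, and all durations, detection probabilities, and the deadline are constructed values.

```python
import math
import random
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Phase:
    name: str
    mean_time: float    # mean phase duration in hours (exponentially distributed), constructed value
    detect_prob: float  # chance that a control placed at this phase stops the attacker

# Constructed seven-phase chain with no controls; names follow the classic intrusion kill chain.
BASE_CHAIN = (
    Phase("reconnaissance", 48.0, 0.0), Phase("weaponization", 24.0, 0.0),
    Phase("delivery", 8.0, 0.0), Phase("exploitation", 2.0, 0.0),
    Phase("installation", 4.0, 0.0), Phase("command_and_control", 12.0, 0.0),
    Phase("actions_on_objectives", 72.0, 0.0),
)

def place_countermeasure(chain, phase_name, detect_prob):
    """Return a copy of the chain with one detection control inserted at the named phase."""
    return tuple(replace(p, detect_prob=detect_prob) if p.name == phase_name else p for p in chain)

def simulate_run(chain, rng):
    """One timed run: returns (attack_completed, elapsed_hours). A detection ends the run."""
    elapsed = 0.0
    for phase in chain:
        elapsed += rng.expovariate(1.0 / phase.mean_time)
        if rng.random() < phase.detect_prob:
            return False, elapsed
    return True, elapsed

def estimate(chain, deadline_hours, runs=20000, seed=7):
    """Estimate P(attack completes within the deadline) with a 95% confidence half-width,
    plus the mean time the attacker spends inside the chain before being detected."""
    rng = random.Random(seed)
    hits, detected, dwell = 0, 0, 0.0
    for _ in range(runs):
        completed, elapsed = simulate_run(chain, rng)
        if not completed:
            detected += 1
            dwell += elapsed
        elif elapsed <= deadline_hours:
            hits += 1
    p = hits / runs
    half_width = 1.96 * math.sqrt(p * (1 - p) / runs)
    return p, half_width, (dwell / detected if detected else float("nan"))

if __name__ == "__main__":  # same control, two placements: success probability vs. attacker dwell time
    for name, chain in (("none", BASE_CHAIN), ("delivery", place_countermeasure(BASE_CHAIN, "delivery", 0.6)),
                        ("command_and_control", place_countermeasure(BASE_CHAIN, "command_and_control", 0.6))):
        print(name, estimate(chain, deadline_hours=240.0))
```

An equally effective control lowers the completion probability by the same amount wherever it sits, so the timed metric (dwell before detection) is what distinguishes an early placement from a late one; a tool such as Uppaal SMC would compute the same kind of quantities from the timed automata directly instead of by hand-written simulation.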
© 2021 Springer Nature Switzerland AG
Kumar, R., Singh, S., Kela, R. (2021). A Quantitative Security Risk Analysis Framework for Modelling and Analyzing Advanced Persistent Threats. In: Nicolescu, G., Tria, A., Fernandez, J.M., Marion, JY., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2020. Lecture Notes in Computer Science(), vol 12637. Springer, Cham. https://doi.org/10.1007/978-3-030-70881-8_3
DOI: https://doi.org/10.1007/978-3-030-70881-8_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-70880-1
Online ISBN: 978-3-030-70881-8
eBook Packages: Computer Science; Computer Science (R0)