ABSTRACT
Cyberattacks aimed at critical infrastructures are a tangible threat. Malicious actors can execute sequences of adversarial tactics, aiming to steal sensitive medical data or cause significant damage. Detecting such actions requires a thorough analysis of adversary behaviour and constant validation of security controls and mechanisms. These can be achieved through realistic adversary emulations in safe testbed environments. This research paper proposes A-DEMO, a framework aimed at researchers and security analysts that provides a structured methodology for the proper analysis, documentation and emulation of real-world cyberattacks, along with mitigation actions. As a case study for the validation of A-DEMO, a rootkit attack emulation against a replicated healthcare infrastructure is implemented and documented.
Index Terms
- A-DEMO: ATT&CK Documentation, Emulation and Mitigation Operations: Deploying and Documenting Realistic Cyberattack Scenarios - A Rootkit Case Study