Defending Against Chained Cyber-Attacks by Adversarial Agents

Abstract

Cyber adversaries employ a variety of malware and exploit to attack computer systems. Despite the prevalence of markets for malware and exploit kits, existing paradigms that model such cyber-adversarial behaviour do not account for sequential application or ``chaining'' of attacks, that take advantage of the complex and interdependent nature of exploits and vulnerabilities. As a result, it is challenging for security professionals to develop defensive-strategies against threats of this nature. This chapter takes the first steps toward addressing this need, based on a framework that allows for the modelling of sequential cyber-attacks on computer systems, taking into account complex interdependencies between vulnerabilities and exploits. The framework identifies the overall set of capabilities gained by an attacker through the convergence of a simple fixed-point operator. We then turn our attention to the problem of determining the optimal/most effective strategy (with respect to this model) that the defender can use to block the attacker from gaining certain capabilities and find it to be an NP-complete problem. To address this complexity, we utilize an A*-based approach and develop an admissible heuristic. We provide an implementation and show through a suite of experiments using actual vulnerability data that this method performs well in practice for identifying defensive courses of action in this domain.