
    Twin Based Continuous Patching To Minimize Cyber Risk

    Digital twins are virtual replicas that simulate the behavior of physical devices before they are built and support their maintenance. We extend this technology to cybersecurity and integrate it with adversary emulation to define a remediation policy that selects and schedules patches for the vulnerabilities of an information and communication infrastructure before threat actors can exploit them. Distinct twins model, respectively, the infrastructure and the threat actors. The former twin describes the infrastructure modules, their vulnerabilities, and the elementary attacks actors can implement. The attributes of the twin of a threat actor describe its attack surface, its goals, how it selects attacks, and how it handles attack failures. The Haruspex software platform builds the twins of the infrastructure and those of the threat actors, and it automates the emulation of an actor. In this way, it can discover the attack paths the actor implements without disturbing the infrastructure. In each path, the actor composes elementary attacks to reach its goal. Multiple emulations can discover all the paths of an actor by covering stochastic factors such as attack success or failure. The knowledge of these paths enables the remediation policy to minimize the patches to deploy. Since new vulnerabilities continuously become public, new countermeasures are needed. A twin-based approach supports a continuous remediation process to handle changes in the infrastructure, new vulnerabilities, and new threat actors, because the platform can update the twins and rerun the adversary emulations. If new attack paths exist, the platform applies the remediation policy again. Experimental data confirm the effectiveness of this approach.

    Selecting Countermeasures for ICT systems Before They are Attacked

    A countermeasure is any change to a system that reduces the probability it is successfully attacked. We propose a model-based approach that selects countermeasures through multiple simulations of the behaviors of an ICT system and of intelligent attackers that implement sequences of attacks. The simulations return information on the attacker sequences and the goals they reach, which we use to compute the statistics that drive the selection. Since attackers change their sequences as countermeasures are deployed, we have defined an iterative strategy where each iteration selects some countermeasures, updates the system models, and runs the simulations to discover any new attacker sequence. The discovery of new sequences starts a new iteration. The Haruspex suite automates the proposed approach. Some of its tools acquire information on the target system and on the attackers and build the corresponding models. Another tool simulates the attacks through the models of the system and of the attackers. The tool that selects countermeasures invokes the other ones to discover how countermeasures influence the attackers. We apply the whole suite to three systems and discuss how the connection topology influences the countermeasures to adopt.

    Deploying Dynamic Countermeasures through S-Rules

    We present a security information and event management system that fires the deployment of dynamic countermeasures against privilege escalations. The system is rule based, and each rule is a pair consisting of a set of n-grams and a countermeasure. An n-gram describes n consecutive attacks in an escalation. A rule fires the deployment of its countermeasure as soon as the sequence of alerts from a sensor network matches all of its n-grams. We discuss a procedure to compute a set of rules that makes the best use of the information on the escalations to stop and on the ones to neglect because they cannot reach a goal. We also evaluate how the false positive and false negative rates of the sensor network affect the effectiveness of the security management, and how to improve it using evidence of the attacks. We apply the tools in the Haruspex suite to forecast the attacker escalations and to select those to stop at run time. Lastly, we outline an experimental evaluation of the system's effectiveness using data from an industrial control system.

    Assessing and Managing Risk using Synthetic Data


    Cyber Security Challenges to Arctic Critical Infrastructures

    The Arctic regions of the world have in recent years experienced an increase in human activity not seen before in modern times. Receding polar ice and climate change have contributed to the opening of new sea routes, creating opportunities in intercontinental shipping and tourism. Increased accessibility has enabled the extraction of natural gas and oil, metals, and other resources. The cold climate provides natural cooling for data centers and other computational facilities. Economic activities are coupled with the expansion of military and civilian infrastructure, including telecommunications, scientific installations, ports, and other intermodal transportation facilities. Information technology promotes efficiency, and technologies such as fiber optic cables, satellite communications, and radio enable access to these infrastructures from locations outside the Arctic. However, the reliance on information and communication technology and the connectedness of most critical infrastructures (electricity, communications, information, financial and government services, etc.) result in new vulnerabilities that are exposed by natural disasters or environmental accidents and that adversarial agents can exploit. Cyber security and resilience play a central role in ensuring the safety and security of communities in this age of interconnectedness and big data. Due to their often remote and extreme conditions, Arctic regions face unique cyber security and resilience challenges for their critical infrastructure. This chapter summarizes discussions and lessons learned from a working group at a NATO Advanced Research Workshop on Governance for Cyber Security and Resilience in the Arctic as it pertains to critical infrastructure, held in Rovaniemi, Finland on 27-30 January, 2019. It aims to provide perspectives on cyber security in the context of Arctic infrastructure from multiple disciplines, including engineering and computer science, international relations, social sciences, law, and governance. Each perspective identifies challenges and opportunities in cyber security and resilience, in particular those characteristic of Arctic regions. This includes documenting available theory and methods, including analogous methods from other fields, and describing data availability and needs. Lessons are derived from past and ongoing scenarios and incidents, and methods for forecasting emerging and future scenarios are reviewed. Recommendations for research and practice to increase the cyber security and resilience of infrastructure are provided.

    Using S-Rules to Fire Dynamic Countermeasure

    We present a rule-based system to dynamically deploy countermeasures against privilege escalations, where a rule includes some n-grams and a countermeasure. An n-gram consists of n consecutive attacks. A rule deploys its countermeasure as soon as all the attacks in its n-grams are detected. After discussing the discovery of escalations, we show how to compute the rules starting from the escalations to stop and those we may neglect because they cannot reach a goal. We also evaluate how the false positive and false negative rates of attack detection affect the proposed approach. Lastly, we describe a preliminary evaluation using data from an industrial control system.