5 research outputs found

    Attacker-Parametrised Attack Graphs

    Computer network attackers chain system exploits together to achieve their goals, which range from stealing data to corrupting systems. Attack graphs represent these paths through the network, and provide the basis for calculating many security metrics. In this paper, we seek to extend graph-based analysis from the consideration of single graphs to the consideration of multiple. By performing analysis on many graphs at once, we consider the range of threats faced and avoid the downsides of several current techniques, which focus purely on known and expected attackers. In particular, we propose a novel method of generating a set of attack graphs, parametrised by attacker profiles. Our technique would enable security analysts to consider the security of their network from the perspective of many attackers simultaneously. This contrasts with existing techniques, which typically analyse attacker-independent graphs or graphs constructed around predefined attacker profiles. We analyse the resulting set of graphs first through deterministic methods and then using a probability measure

    Deception in network defences using unpredictability

    In this article, we propose a novel method that aims to improve upon existing moving-target defences by making them unpredictably reactive using probabilistic decision-making. We postulate that unpredictability can improve network defences in two key capacities: (1) by re-configuring the network in direct response to detected threats, tailored to the current threat and a security posture, and (2) by deceiving adversaries using pseudo-random decision-making (selected from a set of acceptable responses), potentially leading to adversary delay and failure. Decisions are performed automatically, based on reported events (e.g., Intrusion Detection System (IDS) alerts), security posture, mission processes, and states of assets. Using this codified form of situational awareness, our system can respond differently to threats each time attacker activity is observed, acting as a barrier to further attacker activities. We demonstrate feasibility with both anomaly- and misuse-based detection alerts, for a historical dataset (playback), and a real-time network simulation where asset-to-mission mappings are known. Our findings suggest that unpredictability yields promise as a new approach to deception in laboratory settings. Further research will be necessary to explore unpredictability in production environments

    Practitioners' Views on Cybersecurity Control Adoption and Effectiveness

    Cybersecurity practitioners working in organisations implement risk controls aiming to improve the security of their systems. Determining prioritisation of the deployment of controls and understanding their likely impact on overall cybersecurity posture is challenging, yet without this understanding there is a risk of implementing inefficient or even harmful security practices. There is a critical need to comprehend the value of controls in reducing cyberrisk exposure in various organisational contexts, and the factors affecting their usage. Such information is important for research into cybersecurity risk and defences, for supporting cybersecurity decisions within organisations, and for external parties guiding cybersecurity practice such as standards bodies and cyber-insurance companies. Cybersecurity practitioners possess a wealth of field knowledge in this area, yet there has been little academic work collecting and synthesising their views. In an attempt to highlight trends and a range of wider organisational factors that impact a control's effectiveness and deployment, we conduct a set of interviews exploring practitioners' perceptions. We compare alignment with the recommendations of security standards and requirements of cyberinsurance policies to validate findings. Although still exploratory, we believe this methodology would help in identifying points of improvement in cybersecurity investment, describing specific potential benefits

    Stereoscopic cyber security visualisations

    Text-based tools are the primary tools of cyber-analysts, despite the potential visual tools have in this field [1]. Currently, analysts rely on command line tools, which are favoured for their interoperability and flexibility. While many visualisations for cyber security data exist, they suffer from lack of adoption, due to not fitting in with the workflow of their users [2]. Some of the key challenges for security analysis are well-suited to visual solutions. Security analysts are commonly presented with large quantities of data to process, from many distinct data sources [3]. Using this data, analysts must obtain situational awareness of their networks in order to spot anomalous patterns as they occur. With this in mind, the aim of this project was to explore new techniques that could have applications in cyber security visualisations. Specifically, the project aimed to explore the use of stereoscopic displays in cyber visualisation. It was hoped that visualisations based on stereoscopic technology would solve many problems for analysts, enabling a greater variety of techniques and putting them in a position where data can be easily presented to them. First, an examination of existing work on stereoscopic visualisation was undertaken. Second, a collection of techniques was identified that could be utilised in a cyber visualisation. Third, a cyber dashboard proof-of-concept was built, consisting of a number of visualisations that explored the use of the identified techniques. Finally, a short pilot study was conducted to explore what potential the techniques could have in the future. Despite problems with current hardware and with the designed visualisations, pilot study participants were broadly positive about their experience with the developed system and all felt that the techniques have potential.

    Generation and analysis of attack graphs on computer networks

    The complexity of computer network attacks requires a sophisticated understanding of network security. Attackers combine seemingly inconsequential vulnerabilities into damaging attacks. Attack graphs compactly represent the possible ways exploits can be combined in the network by attackers. Armed with an accurate, up-to-date and sufficiently-detailed attack graph model, network defenders could straightforwardly select the most critical vulnerabilities and weaknesses in their network, allowing them to perform the necessary actions to optimally mitigate the threat. But attack graphs suffer from a number of problems that stand in the way. They rely heavily on data sources that were not intended to be used for this purpose, and have not been demonstrated to be reliable enough. Graphical models frequently suffer from complexity problems, and attack graphs are no exception. Once an attack graph is constructed, it requires analysis methods that are hard to verify, making any conclusions hard to justify. In this thesis, I address each of these problems through a variety of theoretical methods. I begin by establishing a clear definition of attack graph, based on template-matching methods. This is used to provide a set of comparisons by which attack graph analysis techniques can be verified theoretically, demonstrating that some common analysis methods perform unreasonable assessments. From this basis, I examine the assumptions that underlie attack graph models, and propose two novel assumptions, the single-precondition assumption and the partitioned-preconditioned assumption. I also provide a motivating smart home example, together with a dataset of vulnerabilities. I provide two independent contributions towards the generation and analysis of attack graphs; the first is a method to construct attack graphs without vulnerability data, making them easier to construct and allowing them to model zero-day vulnerabilities. The second is a method to parametrise attack graphs, enabling analysis to incorporate characteristics of the attacker and decisions of the defender, so that analysis can be performed across the full spectrum of possible attackers and defender decisions. Finally, these techniques are combined and presented with a collection of possible analysis methods, and applied to the smart home use case through a software implementation