Abstract
Lateral movement of advanced persistent threats has posed a severe security challenge. Due to the stealthy and persistent nature of the lateral movement, defenders need to consider time and spatial locations holistically to discover latent attack paths across a large time-scale and achieve long-term security for the target assets. In this work, we propose a time-expanded random network to model the stochastic service links in the user-host enterprise network and the adversarial lateral movement. We design cognitive honeypots at idle production nodes and disguise honey links as service links to detect and deter the adversarial lateral movement. The location of the honeypot changes randomly at different times and increases the honeypots’ stealthiness. Since the defender does not know whether, when, and where the initial intrusion and the lateral movement occur, the honeypot policy aims to reduce the target assets’ Long-Term Vulnerability (LTV) for proactive and persistent protection. We further characterize three tradeoffs, i.e., the probability of interference, the stealthiness level, and the roaming cost. To counter the curse of multiple attack paths, we propose an iterative algorithm and approximate the LTV with the union bound for computationally efficient deployment of cognitive honeypots. The results of the vulnerability analysis illustrate the bounds, trends, and a residue of LTV when the adversarial lateral movement has infinite duration. Besides honeypot policies, we obtain a critical threshold of compromisability to guide the design and modification of the current system parameters for a higher level of long-term security. We show that the target node can achieve zero vulnerability under infinite stages of lateral movement if the probability of movement deterrence is not less than the threshold.
Q. Zhu—This research is partially supported by awards ECCS-1847056, CNS-1544782, CNS-2027884, and SES-1541164 from National Science of Foundation (NSF), and grant W911NF-19-1-0041 from Army Research Office (ARO).
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
For example, we can use the user-computer authentication dataset from the Los Alamos National Laboratory enterprise network [29] to estimate the probability of user-host service links over a long period. The dataset is available at https://csr.lanl.gov/data/auth/.
- 2.
The defender would avoid configuring honey links from the target node to the honeypot. If the attacker has not compromised the target node H3 as shown in stage \(k_0+1\), the honeypot cannot capture the attacker. If the attacker has compromised the target node as shown in stage \(k_0+3\), then the late detection cannot reduce the loss that has already been made.
- 3.
Since we can compute \(g_{j_0}(\{n_i\} \cup v,\gamma ,\varDelta k-1)\) explicitly when v is empty, we can obtain a tighter upper bound by using the inequality \( g_{j_0}(\{n_i\}\cup v,\gamma , \varDelta k)\le 1, \forall v\in \mathscr {V}_{i,j_0}\setminus \emptyset \).
References
Corporation, T.M.: Enterprise matrix (2020). https://attack.mitre.org/matrices/enterprise/
Zhu, Q., Rass, S.: On multi-phase and multi-stage game-theoretic modeling of advanced persistent threats. IEEE Access 6, 13:958–13:971 (2018)
Legezo, D.: LuckyMouse hits national data center to organize country-level waterholing campaign, June 13, 2018. https://securelist.com/luckymouse-hits-national-data-center/86083/
Spitzner, L.: Honeypots: Tracking Hackers. Addison-Wesley Reading, Boston (2003)
Krawetz, N.: Anti-honeypot technology. IEEE Secur. Priv. 2(1), 76–79 (2004)
Mitola, J., Maguire, G.Q.: Cognitive radio: making software radios more personal. IEEE Pers. Commun. 6(4), 13–18 (1999)
Khattab, S.M., Sangpachatanaruk, C., Mossé, D., Melhem, R., Znati, T.: Roaming honeypots for mitigating service-level denial-of-service attacks. In: Proceedings of the 24th International Conference on Distributed Computing Systems 2004, pp. 328–337. IEEE (2004)
Casteigts, A., Flocchini, P., Quattrociocchi, W., Santoro, N.: Time-varying graphs and dynamic networks. Int. J. Parallel Emergent Distrib. Syst. 27(5), 387–408 (2012)
Liu, Q., Stokes, J.W., Mead, R., Burrell, T., Hellen, I., Lambert, J., Marochko, A., Cui, W.: Latte: Large-scale lateral movement detection. In: MILCOM 2018–2018 IEEE Military Communications Conference (MILCOM), pp. 1–6. IEEE (2018)
Tian, Z., Shi, W., Wang, Y., Zhu, C., Du, X., Su, S., Sun, Y., Guizani, N.: Real-time lateral movement detection based on evidence reasoning network for edge computing environment. IEEE Trans. Indust. Inform. 15(7), 4285–4294 (2019)
Lah, A.A.A., Dziyauddin, R.A., Azmi, M.H.: Proposed framework for network lateral movement detection based on user risk scoring in siem. In: 2018 2nd International Conference on Telematics and Future Generation Networks (TAFGEN), pp. 149–154. IEEE (2018)
Noureddine, M.A., Fawaz, A., Sanders, W.H., Başar, T.: A game-theoretic approach to respond to attacker lateral movement. In: Zhu, Q., Alpcan, T., Panaousis, E., Tambe, M., Casey, W. (eds.) GameSec 2016. LNCS, vol. 9996, pp. 294–313. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-47413-7_17
Purvine, E., Johnson, J.R., Lo, C.: A graph-based impact metric for mitigating lateral movement cyber attacks. In: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense, pp. 45–52 (2016)
Huang, L., Zhu, Q.: A dynamic games approach to proactive defense strategies against advanced persistent threats in cyber-physical systems. Comput. Secur. 89, 101660 (2020)
Huang, L., Zhu, Q.: Adaptive strategic cyber defense for advanced persistent threats in critical infrastructure networks. ACM SIGMETRICS Perform. Eval. Rev. (2018)
Alsaleh, M.N., Al-Shaer, E., Duan, Q.: Verifying the enforcement and effectiveness of network lateral movement resistance techniques (2018)
Shi, Y., Chang, X., RodrĂguez, R.J., Zhang, Z., Trivedi, K.S.: Quantitative security analysis of a dynamic network system under lateral movement-based attacks. Reliab. Eng. Syst. Safety 183, 213–225 (2019)
Pawlick, J., Nguyen, T.T.H., Colbert, E., Zhu, Q.: Optimal timing in dynamic and robust attacker engagement during advanced persistent threats. In: 2019 International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOPT), pp. 1-8. IEEE (2019)
Huang, L., Zhu, Q.: Adaptive honeypot engagement through reinforcement learning of semi-Markov decision processes. In: Alpcan, T., Vorobeychik, Y., Baras, J.S., Dán, G. (eds.) GameSec 2019. LNCS, vol. 11836, pp. 196–216. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-32430-8_13
Huang, L., Zhu, Q.: Analysis and computation of adaptive defense strategies against advanced persistent threats for cyber-physical systems. In: Bushnell, L., Poovendran, R., Başar, T. (eds.) GameSec 2018. LNCS, vol. 11199, pp. 205–226. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-01554-1_12
Huang, L., Zhu, Q.: Game of duplicity: a proactive automated defense mechanism by deception design (2020). arXiv preprint arXiv:2006.07942
Goldberg, I., Kozloski, J.R., Pickover, C.A., Sondhi, N., Vukovic, M.: Cognitive honeypot. 31 Jan 2017, uS Patent 9,560,075
Horák, K., Bošanskỳ, B., Tomášek, P., Kiekintveld, C., Kamhoua, C.: Optimizing honeypot strategies against dynamic lateral movement using partially observable stochastic games. Comput. Secur. 87, 101579 (2019)
Wang, S., Lin, W., Yang, Y., Xiao, X., Zhou, S.: Efficient route planning on public transportation networks: a labelling approach. In: Proceedings of the 2015 ACM SIGMOD International Conference on Management of Data, pp. 967–982 (2015)
Jiang, C., Zhu, X.: Reinforcement learning based capacity management in multi-layer satellite networks. IEEE Trans. Wirel. Commun. (2020)
Xu, S.: Cybersecurity dynamics: a foundation for the science of cybersecurity. In: Wang, C., Lu, Z. (eds.) Proactive and Dynamic Network Defense. Advances in Information Security, vol. 74, pp. 1–31. Springer, Cham (2019)
Kaynar, K.: A taxonomy for attack graph generation and usage in network security. J. Inform. Secur. Appl. 29, 27–56 (2016)
Chen, P.-Y., Choudhury, S., Rodriguez, L., Hero, A., Ray, I.: Enterprise cyber resiliency against lateral movement: a graph theoretic approach (2019). arXiv preprint arXiv:1905.01002
Hagberg, A., Kent, A., Lemons, N., Neil, J.: Credential hopping in authentication graphs. In: 2014 International Conference on Signal-Image Technology Internet-Based Systems (SITIS). IEEE Computer Society (2014)
Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Priv. 4(6), 85–89 (2006)
Nawrocki, M., Wählisch, M., Schmidt, T.C., Keil, C., Schönfelder, J.: A survey on honeypot software and data analysis (2016). arXiv preprint arXiv:1608.06249
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Huang, L., Zhu, Q. (2020). Farsighted Risk Mitigation of Lateral Movement Using Dynamic Cognitive Honeypots. In: Zhu, Q., Baras, J.S., Poovendran, R., Chen, J. (eds) Decision and Game Theory for Security. GameSec 2020. Lecture Notes in Computer Science(), vol 12513. Springer, Cham. https://doi.org/10.1007/978-3-030-64793-3_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-64793-3_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64792-6
Online ISBN: 978-3-030-64793-3
eBook Packages: Computer ScienceComputer Science (R0)