Cyber Kill Chain based Threat Taxonomy and its Application on Cyber Common Operational Picture
Sungyoung Cho, Insung Han, Hyunsook Jeong, Jinsoo Kim, Sungmo Koo, Haengrok Oh and Moosung Park
Agency for Defense Development, Republic of Korea
International Conference on Cyber Situational Awareness, Data Analytics, and Assessment (Cyber SA 2018)
11-12 June 2018 / Glasgow, Scotland, United Kingdom
Outline
▪ Introduction
▪ Related Work
▪ Current Cyber Kill Chain Models
▪ Current Cyber Taxonomies
▪ Proposed Attack Chain Model and Taxonomy
▪ Visualization of Cyber Situations on CyCOP
▪ CyCOP Architecture
▪ Visualization of Cyber Threat with Kill Chain Model
▪ Conclusion and Future Work
6/22/2018 Cyber Kill Chain based Threat Taxonomy and its Application on Cyber Common Operational Picture 2
Introduction
▪ Various attacks in Republic of Korea (S. Korea)
▪ DDoS Attack (2009.7.7, 2011.3.4, 2013.6.25, …)
▪ APT (Advanced Persistent Threat) ((2011.4.12, Finance), (2014.12.9, Power Supply), …)
▪ Regarded as Cyber Warfare
▪ Especially against N. Korea
▪ Importance of Cyber Situation Awareness
▪ Our paper proposes…
▪ Cyber Kill Chain Model, and corresponding cyber attack (threat) taxonomy
▪ Application to Cyber Common Operational Picture (CyCOP)
▪ As fundamentals for supporting decision-making in cyber warfare
If you know your enemy and yourself,
you can win every battle.
Related Work
Current Cyber Kill Chain Models
▪ Various Cyber Kill Chain Models
▪ Lockheed Martin’s Cyber Kill Chain®
▪ Describe the attackers’ behavior across multiple attack phases
▪ Limitation
▪ Most are only conceptually described
▪ Each model describes the phases differently from the others
▪ Post-exploitation phases
▪ Information asymmetry between attackers and CERT team
Current Cyber Threat Taxonomies
▪ Existing Attack Taxonomies
▪ MITRE CAPEC
▪ Categorized by attack mechanism
▪ MITRE ATT&CK
▪ Categorized by attack tactics
▪ Limitation
▪ These are not mutually exclusive; they are interrelated
▪ Categorized by different criteria
▪ Cannot understand the flow/context of attacks
Proposed Attack Chain Model and Taxonomy
▪ Idea
▪ Propose a cyber kill chain model
▪ Map each attack phase to attack techniques listed in CAPEC and ATT&CK
The proposed cyber kill chain model and corresponding taxonomy
will give unified and consistent cyber threat information to military organizations.
Lockheed Martin’s Cyber Kill Chain (seven phases): Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objective
Proposed model (five phases): Reconnaissance, Delivery, Exploitation (Exploitation + Installation), Command and Control, Actions on Objective
Proposed Attack Chain Model and Taxonomy: Kill Chain Model and Tactics
Tactics mapped to each phase of the proposed kill chain:
▪ Reconnaissance: Technical information gathering
▪ Delivery: Launch (Code Injection), Launch (Login Attempt), Launch (Malicious Code Delivery), Launch (Pharming)
▪ Exploitation: Exploitation of vulnerabilities, Persistence, Privilege Escalation, Defense Evasion
▪ Command and Control: Credential Access, Lateral Movement, Discovery, Collection, Command and Control
▪ Actions on Objective: Exfiltration, Denial of Service
Visualization of Cyber Situations on CyCOP: Overview
▪ Cyber Common Operational Picture
▪ A tool for situational awareness in cyberspace
▪ Common Operational Picture
▪ A tool for situation awareness in kinetic warfare
▪ C4I (Command, Control, Communication, Computer & Intelligence System) in military field
▪ Endsley’s Situation Awareness Model
Endsley’s three levels applied to cyberspace:
▪ Perception: Recognize the current state of assets and the cyber threat situation
▪ Comprehension: Comprehend the details of the cyber threat; assess the damage to the related assets and the impact on the mission that depends on those assets
▪ Projection: Predict the threat based on the analysis of the threat scenario and attack graph
CyCOP System Architecture (figure):
▪ Assets Identification/Management
▪ Friendly network → Assets DB, populated by asset information gathering: Active Remote Asset Detection, Passive Remote Asset Detection, SNMP-based Asset Information Gathering, Local agent-based Asset Information Gathering
▪ Asset information visualization
▪ SIEM (Security Information & Event Management)
▪ Cyber attack sensing from System Event Logs, Web Logs, Anti-Malware Events and Security Solutions Events
▪ Correlation rule-set framework, whose rules are mapped to the Cyber Threat Taxonomy → Alert DB
▪ CyCOP visualization
▪ Cyber attack visualization framework: correlated alert visualization
Visualization of Cyber Threats on CyCOP: Common Screen Structure
▪ General use case
▪ Can identify high-level alerts generated by the SIEM, which correlates the low-level event data
▪ Can identify the attack scenario analysis result in the “Attack Scenario List”
▪ Can identify the threatened assets or the corresponding organization (unit) in the main area
▪ Can verify detailed alert information when the threatened assets or unit are selected
Common screen structure (figure): the main area offers three views (Geographic perspective view, Organization perspective view, Network topology view). Each threat symbol shows the severity of the identified attack (severity levels designated by the National Intelligence Service (NIS) and Cyber Command (ROK CC)); the inner symbol marks the attack phase and the outer round marks the response status; the symbol is labelled with the attack name and the corresponding unit.
Visualization of Cyber Threats on CyCOP: Cyber Kill Chain view
▪ Use case
▪ Can understand the flow/context of attack (attack scenario)
▪ Can discover the uncertainty between attacks
▪ Can direct the analysts to investigate undetected attacks
▪ Can predict the next attack phase
▪ In terms of attack phase and characteristics
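The four use cases above (reconstructing the attack flow, spotting the gap between detected attacks, directing analysts to the undetected phase, and predicting the next phase) can be implemented as a small ordering step over SIEM hyper-alerts. The following is an added example, not code from the slides or from the CyCOP system; it takes the phase-to-tactic grouping from the taxonomy table on the earlier slide and uses constructed hyper-alerts whose correlation rules are already labelled with a tactic. The `HyperAlert` fields and `build_scenario` name are assumptions.

```python
from dataclasses import dataclass

# Five-phase kill chain from the slides, with the tactics the slides' taxonomy
# table places under each phase (the taxonomy is the slides'; this code is not).
PHASE_TACTICS = {
    "Reconnaissance": ["Technical information gathering"],
    "Delivery": ["Launch (Code Injection)", "Launch (Login Attempt)",
                 "Launch (Malicious Code Delivery)", "Launch (Pharming)"],
    "Exploitation": ["Exploitation of vulnerabilities", "Persistence",
                     "Privilege Escalation", "Defense Evasion"],
    "Command and Control": ["Credential Access", "Lateral Movement", "Discovery",
                            "Collection", "Command and Control"],
    "Actions on Objective": ["Exfiltration", "Denial of Service"],
}
PHASES = list(PHASE_TACTICS)                      # preserves kill-chain order
TACTIC_TO_PHASE = {t: p for p, ts in PHASE_TACTICS.items() for t in ts}


@dataclass
class HyperAlert:
    """A SIEM hyper-alert whose correlation rule is labelled with a tactic (assumed shape)."""
    ts: int          # event time in seconds (constructed values below)
    src: str
    dst: str
    tactic: str


def build_scenario(alerts):
    """Order alerts in time, map each to its kill-chain phase, list the earlier
    phases that were never detected, and name the phase to expect next."""
    ordered = sorted(alerts, key=lambda a: a.ts)
    chain = []
    for a in ordered:
        if a.tactic not in TACTIC_TO_PHASE:
            raise ValueError(f"tactic not in taxonomy: {a.tactic}")
        chain.append((a.ts, a.src, a.dst, TACTIC_TO_PHASE[a.tactic]))
    if not chain:                                 # nothing seen yet: expect the first phase
        return {"chain": [], "undetected": [], "next_phase": PHASES[0]}
    seen = {PHASES.index(p) for *_, p in chain}
    furthest = max(seen)
    undetected = [PHASES[i] for i in range(furthest) if i not in seen]
    next_phase = PHASES[furthest + 1] if furthest + 1 < len(PHASES) else None
    return {"chain": chain, "undetected": undetected, "next_phase": next_phase}


# Constructed sample: three hyper-alerts, deliberately given out of time order.
SAMPLE_ALERTS = [
    HyperAlert(100, "203.0.113.5", "10.0.0.7", "Technical information gathering"),
    HyperAlert(250, "10.0.0.7", "10.0.0.20", "Lateral Movement"),
    HyperAlert(180, "203.0.113.5", "10.0.0.7", "Launch (Malicious Code Delivery)"),
]
```

On the sample the chain reads Reconnaissance, Delivery, Command and Control, so Exploitation is reported as the undetected phase for analysts to investigate and Actions on Objective as the phase to expect next.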
Cyber Kill Chain view (figure): the attack scenario list (from automatic and manual analysis) and the attack scenario analysis result, laid out across the five attack phases; for each scenario, the related nodes (IP) and a description are shown. Each entry is a hyper-alert generated by the SIEM; each correlation rule is mapped to an attack listed in the attack taxonomy.
Visualization of Cyber Threats on CyCOP: Geographic Perspective view (Main view)
▪ The main view for the commander
▪ Use case
▪ Can identify cyber threats (attacks)
▪ by attack itself (high level alert) or
▪ by threatened asset and corresponding organization or unit on the map
▪ Can verify detailed information
▪ Alert information when the threatened unit is selected
▪ Threatened asset(s) and their information when the threatened unit is selected
Geographic perspective view (figure): location of organizations and their networked connections on the map, alongside the alert list, the attack scenario list, and a notification area for newly identified alerts or threat information.
※ For security reasons, the location and connections are modified, and described as “Major Cities” and “Highways”
Visualization of Cyber Threats on CyCOP: Organization Perspective view / Network Topology view
Organization Perspective view (figure): network topology hierarchically positioned within a specific organization, with the alert list and the attack scenario list.
Network Topology view (figure): network topology hierarchically positioned for a specified network, with a legend of networks and a legend of nodes. Node types: Router/Network Device, Network Security Device, Switch, Server / Endpoint; each node is drawn at its layer.
Conclusion
▪ Cyber kill chain model and corresponding cyber attack taxonomy
▪ Analyze existing cyber kill chain models
▪ Reconstruct the attackers’ behavior as the cyber kill chain model
▪ Classify attack TTPs for each attack phase by using CAPEC, ATT&CK (Pre-ATT&CK)
▪ Application to Cyber Common Operational Picture (CyCOP)
▪ CyCOP system architecture, and the role of the attack taxonomy model in it
▪ Use case of several views related to cyber kill chain model
Thank you!
Q&A