TY - GEN
T1 - Farsighted Risk Mitigation of Lateral Movement Using Dynamic Cognitive Honeypots
AU - Huang, Linan
AU - Zhu, Quanyan
N1 - Funding Information:
Q. Zhu—This research is partially supported by awards ECCS-1847056, CNS-1544782, CNS-2027884, and SES-1541164 from the National Science Foundation (NSF), and grant W911NF-19-1-0041 from the Army Research Office (ARO).
Publisher Copyright:
© 2020, Springer Nature Switzerland AG.
PY - 2020
Y1 - 2020
N2 - Lateral movement of advanced persistent threats has posed a severe security challenge. Due to the stealthy and persistent nature of the lateral movement, defenders need to consider time and spatial locations holistically to discover latent attack paths across a large time-scale and achieve long-term security for the target assets. In this work, we propose a time-expanded random network to model the stochastic service links in the user-host enterprise network and the adversarial lateral movement. We design cognitive honeypots at idle production nodes and disguise honey links as service links to detect and deter the adversarial lateral movement. The location of the honeypot changes randomly at different times and increases the honeypots’ stealthiness. Since the defender does not know whether, when, and where the initial intrusion and the lateral movement occur, the honeypot policy aims to reduce the target assets’ Long-Term Vulnerability (LTV) for proactive and persistent protection. We further characterize three tradeoffs, i.e., the probability of interference, the stealthiness level, and the roaming cost. To counter the curse of multiple attack paths, we propose an iterative algorithm and approximate the LTV with the union bound for computationally efficient deployment of cognitive honeypots. The results of the vulnerability analysis illustrate the bounds, trends, and a residue of LTV when the adversarial lateral movement has infinite duration. Besides honeypot policies, we obtain a critical threshold of compromisability to guide the design and modification of the current system parameters for a higher level of long-term security. We show that the target node can achieve zero vulnerability under infinite stages of lateral movement if the probability of movement deterrence is not less than the threshold.
AB - Lateral movement of advanced persistent threats has posed a severe security challenge. Due to the stealthy and persistent nature of the lateral movement, defenders need to consider time and spatial locations holistically to discover latent attack paths across a large time-scale and achieve long-term security for the target assets. In this work, we propose a time-expanded random network to model the stochastic service links in the user-host enterprise network and the adversarial lateral movement. We design cognitive honeypots at idle production nodes and disguise honey links as service links to detect and deter the adversarial lateral movement. The location of the honeypot changes randomly at different times and increases the honeypots’ stealthiness. Since the defender does not know whether, when, and where the initial intrusion and the lateral movement occur, the honeypot policy aims to reduce the target assets’ Long-Term Vulnerability (LTV) for proactive and persistent protection. We further characterize three tradeoffs, i.e., the probability of interference, the stealthiness level, and the roaming cost. To counter the curse of multiple attack paths, we propose an iterative algorithm and approximate the LTV with the union bound for computationally efficient deployment of cognitive honeypots. The results of the vulnerability analysis illustrate the bounds, trends, and a residue of LTV when the adversarial lateral movement has infinite duration. Besides honeypot policies, we obtain a critical threshold of compromisability to guide the design and modification of the current system parameters for a higher level of long-term security. We show that the target node can achieve zero vulnerability under infinite stages of lateral movement if the probability of movement deterrence is not less than the threshold.
KW - Advanced persistent threats
KW - Attack graph
KW - Cognitive security
KW - Lateral movement
KW - Long-term security
KW - Risk analysis
KW - Time-expanded network
UR - http://www.scopus.com/inward/record.url?scp=85098273874&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85098273874&partnerID=8YFLogxK
U2 - 10.1007/978-3-030-64793-3_7
DO - 10.1007/978-3-030-64793-3_7
M3 - Conference contribution
AN - SCOPUS:85098273874
SN - 9783030647926
T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP - 125
EP - 146
BT - Decision and Game Theory for Security - 11th International Conference, GameSec 2020, Proceedings
A2 - Zhu, Quanyan
A2 - Baras, John S.
A2 - Poovendran, Radha
A2 - Chen, Juntao
PB - Springer Science and Business Media Deutschland GmbH
T2 - 11th Conference on Decision and Game Theory for Security, GameSec 2020
Y2 - 28 October 2020 through 30 October 2020
ER -