Temporal attack modeling methods
Hi all! Daniil Neiman from the department for developing community initiatives in information security at Positive Technologies is in touch again. In the previous article I talked about one of the main problems that a specialist faces when analyzing cyber attacks, namely the complexity of analysis without the use of standardized attack modeling methods to break down and visually represent the different stages of a cyber attack.
We have already reviewed attack modeling methods based on use cases; now let's turn to temporal modeling methods, which emphasize the chronological order and sequence of events in a cyber attack.
A distinctive feature of these methods is the presentation of a cyber attack from a temporal perspective. They allow you to model and analyze the development of an attack over time, taking into account the dynamics of changes in the state of a system or network, as well as time dependencies between the actions of the attacker.
Riskit
Let's start with the Riskit method, proposed in 1997 for risk management in software development. It was created because, at that time, there were no specific definitions of risks and no formal models for describing them.
Within the method, risk is the possibility of loss, the loss itself, or any characteristic, object or action that is associated with this possibility.
To analyze specific risks, this approach defines a risk analysis graph, which uses the elements below to describe all aspects of the risks in a diagram.
Let's take the example discussed in the previous article, a phishing attack followed by account dumping, and add a step that creates a reverse shell.
In this method, risk factors and risk events are modeled together with their causes, consequences and time-dependent probability. They serve as conditions for the attacker's possible subsequent actions, to which a countermeasure can be applied, and the diagram describes the effects and losses that follow if the risk event occurs.
In addition, the method provides a formal model for identifying and analyzing risks, called the risk management cycle.
Here, information flows (arrows) interconnect formal processes (circles). The squares represent external processes associated with the cycle.
Advantages of the method:
A rich set of elements that lets you show not only the actions carried out by the attacker, but also their impact on the attacked infrastructure, with a description of the resulting consequences.
Disadvantages of the method:
Representing results and prerequisites as separate events increases the complexity of the diagram.
The connection logic is too simple, due to which the diagram can be interpreted in different ways.
Cyber kill chain
This method was introduced in 2011 by Lockheed Martin researchers as an adaptation of the military concept of a kill chain, which defines the structure of a possible attack along the following “links” of the chain:
goal definition,
directing forces towards the goal,
starting an attack on the target,
destruction of the target.
“Breaking” such an enemy chain will be a method of defense or a preemptive action.
The authors of the paper chose this approach for adaptation because the response methods used at that time did not assume, or did not formally describe, the possibility of responding at different stages of an attack. This made them ineffective against advanced persistent threats (APT): targeted covert cyber attacks on a computer network in which attackers gain unauthorized access to the target and remain undetected for a long time.
The resulting model consists of the following phases:
Reconnaissance – research, identification and selection of targets.
Weaponization – selection or creation of the malicious tools (malware) that will be used to attack the selected target.
Delivery – the penetration methods an attacker can use to send the malicious payload to the victim (for example, via email or other means).
Exploitation – launching the malicious code using system functions or through the victim's own actions.
Installation – installing malware to gain a foothold in the infrastructure (installing a Trojan or creating a backdoor).
Command and Control – creation by the attacker of a control channel for remotely controlling their resources inside the victim's network.
Actions on Objectives – steps taken by the attacker to achieve their real goals inside the victim's network. This is a difficult stage of an active attack, preparation for which can last several months.
Let's simulate the previously discussed example of a phishing attack.
In this case, using the previously discussed phases, we create a chain of actions for an attacker who uses phishing to send a malicious attachment that will give him access to the victim’s workstation through a reverse shell, followed by downloading mimikatz to dump authentication data or dump LSA secrets.
The model also provides possible countermeasures, adapted from the doctrine on information operations:
detect,
deny,
disrupt,
degrade,
deceive,
destroy.
They are presented in the form of an action plan matrix.
Let's look at the action plan matrix based on a simulated example.
Thus, using the matrix, it is possible to highlight the already implemented and described response actions and preventive measures, as well as highlight potentially vulnerable areas that require additional attention.
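The gap analysis described above, as an added example that is not part of the original article: it fills an action plan matrix for the phishing scenario and reports which phases are unobserved, which are only detected, and where the chain can first be broken. The phase and countermeasure names are those of the Lockheed Martin paper; the controls are constructed sample data.

```python
PHASES = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
          "Installation", "Command and Control", "Actions on Objectives"]
RESPONSES = ["detect", "deny", "disrupt", "degrade", "deceive", "destroy"]

# Constructed controls for the phishing scenario: (phase, response, control).
CONTROLS = [
    ("Delivery", "detect", "mail gateway attachment sandbox alert"),
    ("Delivery", "deny", "block macro-enabled attachments"),
    ("Exploitation", "detect", "EDR rule: Office process spawns a shell"),
    ("Command and Control", "detect", "NIDS alert on outbound shell traffic"),
    ("Command and Control", "deny", "default-deny egress firewall"),
    ("Actions on Objectives", "detect", "audit of LSASS process access"),
]

def build_matrix(controls):
    """Phase x response matrix; each cell lists the controls that implement it."""
    matrix = {p: {r: [] for r in RESPONSES} for p in PHASES}
    for phase, response, control in controls:
        matrix[phase][response].append(control)  # KeyError exposes a typo
    return matrix

def uncovered_phases(matrix):
    """Phases with no control at all: the attacker passes them unobserved."""
    return [p for p in PHASES if not any(matrix[p].values())]

def detect_only_phases(matrix):
    """Phases that are seen but not stopped."""
    blocking = ("deny", "disrupt", "degrade", "destroy")
    return [p for p in PHASES
            if matrix[p]["detect"] and not any(matrix[p][r] for r in blocking)]

def earliest_break(matrix):
    """First phase at which the chain can actually be broken, or None."""
    for p in PHASES:
        if matrix[p]["deny"] or matrix[p]["disrupt"]:
            return p
    return None

if __name__ == "__main__":
    m = build_matrix(CONTROLS)
    print("no coverage:", uncovered_phases(m))
    print("detect only:", detect_only_phases(m))
    print("earliest break:", earliest_break(m))
```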
Pros of the model:
Dividing the attack into successive phases allows us to better describe the actions of attackers.
Building a chain allows you to understand what proactive defense methods need to be implemented to prevent an attack in the early phases.
Disadvantages of the model:
It was originally developed for military purposes and does not cover all aspects of modern cyber attacks (for example, it does not take into account threats emanating from within the organization).
One chain describes only one variation of an attack.
Attack flow
Attack flow is both a method and a tool for visual modeling and analysis of cyber attacks. It is developed by the MITRE Corporation and is directly integrated with the MITRE ATT&CK matrix (a knowledge base describing the tactics and techniques of attackers during cyber attacks).
Attack flow also uses the STIX (Structured Threat Information Expression) format, which is used to serialize the various objects involved in the attack and their relationships with each other. Let's look at a small example object:
{
    "type": "malware",
    "spec_version": "2.1",
    "id": "malware--fdd60b30-b67c-41e3-b0b9-f01faf20d111",
    "created": "2014-02-20T09:16:08.989Z",
    "modified": "2014-02-20T09:16:08.989Z",
    "name": "Poison Ivy",
    "malware_types": [
        "remote-access-trojan"
    ],
    "is_family": false
}
STIX uses JSON schemas to describe objects and the relationships between them. In our case, STIX is used to describe the Poison Ivy virus, which is assigned the remote-access-trojan type and the "is_family": false flag, indicating that this is not a virus family.
Different types of objects have their own lists of possible keys. You can get acquainted with them in the official STIX documentation.
Next, let's look at the main elements of Attack flow:
Action — a specific action performed by an attacker, such as exploiting a vulnerability, moving on a network, or installing malware. Each action is accompanied by the following details:
tactics and techniques from MITRE ATT&CK (fields Tactic ID and Technique ID);
start and end times of the action (fields Execution Start and End);
information about the level of confidence of the action (field Confidence) – how confident the author is that the action is described correctly.
AND and OR operators to model logical connections between attack actions.
Asset – a certain result or impact on the world. Actions can indicate assets as the objects that were affected, as well as which objects are used in subsequent methods.
Condition – some condition that determines the further course of the attack depending on its fulfillment.
STIX objects in the form of two lists of entities:
STIX Domain Objects is a more general term that covers a wide range of structured data about cyber threats (for example, groups, malware, tools).
STIX Cyber-observable Objects – represents specific observable events or objects in the context of a cyber threat (e.g., account, file, IP address).
Let's look at an example based on the previously presented scenario.
Attack flow is temporal because it represents how an attack can develop over time. To do this, the attack is divided into individual actions and sequences of actions that the attacker performs to achieve their goals. For example, the chart displays the start and end times of specific actions.
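A check of this temporal property, as an added example that is not part of the original article or of the Attack flow tooling: it takes the phishing scenario as a set of actions with start and end times, flags timing that contradicts the arrows between actions, and prints the chronological order. The dictionary layout, the "next" key and the timestamps are assumptions made for the illustration; the technique IDs are from MITRE ATT&CK.

```python
from datetime import datetime

# Constructed flow: phishing attachment -> reverse shell -> credential dumping.
# "next" is a hypothetical key standing for the arrows of the diagram.
ACTIONS = {
    "phish": {"technique_id": "T1566.001", "start": "2024-03-01T09:00:00",
              "end": "2024-03-01T09:05:00", "next": ["shell"]},
    "shell": {"technique_id": "T1059", "start": "2024-03-01T09:06:00",
              "end": "2024-03-01T11:00:00", "next": ["lsass", "lsa"]},
    "lsass": {"technique_id": "T1003.001", "start": "2024-03-01T09:30:00",
              "end": "2024-03-01T09:32:00", "next": []},
    # Deliberately inconsistent: starts before the shell that enables it.
    "lsa":   {"technique_id": "T1003.004", "start": "2024-03-01T09:02:00",
              "end": "2024-03-01T09:40:00", "next": []},
}

def _t(value):
    return datetime.fromisoformat(value)

def temporal_violations(actions):
    """Return (kind, action_id, detail) tuples for timing that contradicts the arrows."""
    problems = []
    for aid, act in actions.items():
        if _t(act["end"]) < _t(act["start"]):
            problems.append(("ends-before-start", aid, act["end"]))
        for nxt in act["next"]:
            if nxt not in actions:
                problems.append(("dangling-arrow", aid, nxt))
            elif _t(actions[nxt]["start"]) < _t(act["start"]):
                # An effect may overlap its cause (the shell stays open while
                # credentials are dumped) but cannot begin before it.
                problems.append(("starts-before-cause", nxt, aid))
    return problems

def timeline(actions):
    """Action ids in chronological order of Execution Start."""
    return sorted(actions, key=lambda aid: _t(actions[aid]["start"]))

if __name__ == "__main__":
    for kind, aid, detail in temporal_violations(ACTIONS):
        print(f"{kind}: {aid} ({detail})")
    print(" -> ".join(f"{a}[{ACTIONS[a]['technique_id']}]" for a in timeline(ACTIONS)))
```

A violation usually means either a wrong timestamp in the source evidence or a missing action that actually enabled the later step.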
The editor can also save diagrams in the following form:
{"version":"2.2.7","id":"b400fb0e-d365-4e0f-8230-1031e55fa45e","objects":[{"id":"b400fb0e-d365-4e0f-8230-1031e55fa45e","x":-140,"y":1091,"attrs":0,"template":"flow","children":["4abecec8-0e6b-4899-8ba5-fb9501600ced" ...
The dictionary view makes it easy to integrate the model with a variety of tools to detect and respond to cyberattacks.
Pros of the model:
Integration with MITRE ATT&CK and STIX standardizes the description of various attack elements and their relationships to attack tactics and techniques, simplifying the eventual implementation of this method in tools.
Attack flow visually displays the possible sequence of an attacker's actions using its main elements, implementing decision-making logic both through Condition and through the logical operators AND and OR.
Disadvantages of the model:
For optimal use of Attack flow, a deep understanding of both the method itself and MITRE ATT&CK and STIX is required.
When modeling multipart attacks, diagrams can quickly become cluttered and difficult to interpret.
Diamond model
This model was proposed in 2013 to analyze intrusions by breaking them down into basic atomic elements, events, which in turn consist of four main components. These are:
Adversary – an entity or organization that uses a capability to attack a victim.
Infrastructure – physical or logical structures used by the adversary to deliver capabilities and obtain results (for example, IP addresses, email addresses, an infected USB drive).
Capability – the adversary's tools and techniques used during the event.
Victim – the adversary's target, against which vulnerabilities and related capabilities are exploited.
Together, these components describe how an adversary uses a capability over some infrastructure against a victim. The connections between the components form a diamond, which is what gave the method its name.
In addition to the main components, the model also contains additional ones:
Timestamp – the time when the event occurred.
Attack phase – division into phases helps to analyze and group events (phases are taken from the Cyber kill chain model).
Result – the results obtained by the attacker, which he can use in subsequent events.
Direction – The direction of the event is important when considering prevention options and identifying means to detect attacks (e.g., victim to infrastructure, infrastructure to victim).
Methodology – describes a general class of event (e.g., phishing attack, port scan).
Resources – contains a list of resources that are required for the successful implementation of the event.
These components are mainly used to determine the relationships between different events, which will help build the overall attack scenario that will be described later.
In addition, the model defines an extended event.
Where:
Technology – the infrastructure–capability pair: the technology that connects the infrastructure and the capability and enables their operation and communication (for example, if malware uses the HTTP protocol, then the following technologies are used: Internet Protocol (IP), Hypertext Transport Protocol (HTTP), Domain Name System (DNS)).
Socio-political properties – the adversary–victim pair, which is supported by the socio-political needs and aspirations of the adversary (for example, striving to generate income, gain recognition in the hacker community, or increase business profits).
Formally, an event is represented as a tuple E, which stores the properties described above plus one additional property: the level of trust. Its definition depends on the needs and specifications of the infrastructure.
The event is analyzed by transitions along the diamond bonds. Usually the analysis begins with the victim.
This approach is used to build connections and identify new entities in an event through its consistent analysis and addition. Moreover, depending on the needs, the analysis can begin with any component of the diamond, and not just with the victim.
After analysis, related events can be combined into an action flow to build a possible attack scenario. The scenario phases are taken from the previously discussed Cyber kill chain model.
Using kill chain phases also allows you to derive possible countermeasures to an attack using the action plan matrix described in the Cyber kill chain method.
The various action flows can in turn be connected into an attack activity graph.
It highlights both actual and hypothetical attack scenarios that an attacker could implement.
In addition, the method formally defines the function of grouping various events and action flows by matching properties (for example, by IP address, application MD5, action pattern matching) into activity groups.
In contrast to the action flow:
Activity groups contain both events and action flows.
Events and action flows in an activity group are related not by execution sequence, but by common characteristics.
The process of creating activity groups is divided into six steps:
Step 1. A specific analytical problem is identified that must be solved using grouping. For example:
What events and flows are most likely to be carried out by the same adversary?
What are the attacker's intentions?
Step 2. The event and relationship properties used to form the basis of classification and clustering are selected:
Various basic and additional properties are selected by which grouping occurs (for example, IP address, MD5).
Similar sequences of events are selected (in the example above A → B → C).
Step 3. Based on the selected properties and sequence of events, activity groups are created.
Step 4. As new events arrive, they are classified into activity groups.
Step 5. A group of activities is analyzed to solve the analytical problems identified in the first step.
Step 6. The activity group is refined and changed if necessary.
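Steps 2 to 4 as an added example, not part of the original article and not the formal grouping function of the Diamond model paper: events that share a value of any selected property are merged into one activity group with a union-find, and a new event is then matched against the existing groups. The events are constructed; the IP addresses come from documentation ranges and the hash values are placeholders.

```python
from collections import defaultdict

# Constructed events. "ip" is an infrastructure property, "md5" a capability one.
EVENTS = [
    {"id": "e1", "ip": "192.0.2.10",   "md5": "HASH_A", "victim": "hr-ws-01"},
    {"id": "e2", "ip": "192.0.2.10",   "md5": "HASH_B", "victim": "hr-ws-01"},
    {"id": "e3", "ip": "198.51.100.7", "md5": "HASH_B", "victim": "dc-01"},
    {"id": "e4", "ip": "203.0.113.5",  "md5": "HASH_C", "victim": "fin-ws-02"},
]

def group_events(events, features):
    """Step 3: cluster events that share a value of any selected feature."""
    parent = {e["id"]: e["id"] for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    seen = {}  # (feature, value) -> id of the first event that carried it
    for e in events:
        for f in features:
            key = (f, e[f])
            if key in seen:
                parent[find(e["id"])] = find(seen[key])
            else:
                seen[key] = e["id"]
    groups = defaultdict(list)
    for e in events:
        groups[find(e["id"])].append(e["id"])
    return sorted(groups.values())

def classify(new_event, events, features):
    """Step 4: return every existing group the new event matches."""
    by_id = {e["id"]: e for e in events}
    return [g for g in group_events(events, features)
            if any(new_event[f] == by_id[i][f] for i in g for f in features)]

if __name__ == "__main__":
    print(group_events(EVENTS, ("ip", "md5")))  # step 2 picked ip and md5
    print(group_events(EVENTS, ("ip",)))        # a narrower choice splits e3 off
    new = {"id": "e5", "ip": "198.51.100.7", "md5": "HASH_D", "victim": "dc-02"}
    print(classify(new, EVENTS, ("ip", "md5")))
```

A new event that matches more than one group is a signal for step 6: the groups share a property and may need to be merged.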
Advantages of the method:
A formal description of activity graphs, action flows and individual events within them, which allows you to build detailed connections.
Description of the event, taking into account all parties and possible connections between them.
A formally described function for grouping similar events and activity flows.
Disadvantages of the method:
To fully compile a model, a large amount of data is required about each component of the event, which requires time-consuming processing and filling.
Effective analysis of individual events requires detailed knowledge of the method and extensive experience on the part of the analyst.
Thus, we have considered all temporal attack modeling methods. The main difference between these methods and those previously discussed based on use cases is the lack of dependence on the Unified Modeling Language (UML), as well as the ability to build sequential connections between specific events in order to see the chronology of their execution.
In the next article, we will look at the broadest and most popular category of attack modeling methods, namely graph-based methods.