Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

Slide 1: 18th Annual Space & Missile Defense Symposium, IAMD Evolution and Integration / Key Topic: Predictive Cyber Threat Analysis. Analytic and Predictive Modeling of Cyber Threat Entities. J. Wesley Regian, Ph.D. Development work supported under contract with USASMDC/ARSTRAT Technical Center. Distribution A: Unlimited.

As is true of any threat to national security, entities that present a cyber threat to military capabilities or critical infrastructure can and should be analyzed in terms of their capability, opportunity, and intent.

Slide 2: Volitional Entity Modeling

A volitional entity is one that can decide on, commit to, and prosecute a particular course of action. Volitional entities can purposefully strive for intended outcomes. Examples are persons, organizations, and intelligent software agents. A formal model is one that is fully specified, such that entities, relationships and reasoning logic can be combined to enable machine inferences and generate logical hypotheses that users can evaluate for their truth value. Our approach rests on formal modeling of the motivations, intentions, methods and capabilities of volitional entities. This is particularly important for maintaining the capability to monitor, understand and predict the activities of Advanced Persistent Threat entities, because the time periods over which these entities remain active virtually ensure analyst turnover. Knowledge loss due to analyst turnover can be significantly ameliorated by ongoing formal modeling of threat entities.

Slide 3: Cyber Threat Entity Analytics

Monitoring, analysis and ongoing defense against advanced persistent cyber threat entities are subject to the same opportunities, complexities and pitfalls as intelligence analysis of any sophisticated and persistent threat group. Intelligence analysis is largely a problem of figuring out what the agendas and goals of nefarious human groups are, by what tactics, techniques and procedures they pursue their agenda, what attack surfaces they tend to approach, and what the roles and capabilities of group members are. For advanced persistent threat groups, intelligence analysis software tools are useful for organizing and sharing critical information such as domain names, IP addresses, X.509 encryption certificates and MD5 hashes of the malware in their arsenal of digital weapons. Knowledge maintenance over time and knowledge sharing among analysts can be powerfully enabled by appropriate analytic software tools. It is almost always networks of people that seek to carry out operations serious enough to warrant national attention. Cyber threat entity analysis techniques enable long-term monitoring of advanced persistent threats.

Slide 4: Modeling Cyber Threat Actors and Groups

Entity diagram (each box is labelled AK in the original):

- APT Group Entity: Group ID, Name, Type *, AoO, Agenda, Goal, Method, Member, Ally, Rival
- Group Agenda: Agenda ID, Name, Goal, Method
- Group Goal: Goal ID, Name, Method
- Group Member: Member ID, Name, Role **, AoO, Skill, Goal, Method, Ally, Rival, Other Networks ***
- Group Task: Task ID, Name, Task

* Group Type could be state actor, transnational criminal, hacktivist, or other (analyst defined).
** Member roles can range from setting the agenda, establishing goals or methods, and planning tasks, to performing tasks.
*** Individuals inevitably belong to multiple, overlapping and separate, networks such as political, social, tribal, familial, business, and religious.

Slide 5: Modeling Advanced Persistent Threats

ABSTRACT (APT Concept: State Actor)
- Agenda: overarching objectives (e.g., maintain anonymity, cyber espionage, prepare cyber attacks)
- Strategic Goals: strategies to achieve the agenda (e.g., infiltrate targeted networks, maintain backdoor access)
- Tactical Methods: methods to achieve strategic goals (e.g., spear phishing, DoS, DDoS, logic bomb, viruses, worms)

CONCRETE (APT Instance: XXXXXXXX)
- Strategic Goals: strategies to achieve the agenda (e.g., infiltrate targeted networks, maintain backdoor access)
- Tactical Methods: methods to achieve strategic goals (e.g., spear phishing, DoS, DDoS, logic bomb, viruses, worms)
- Tactical Ops: plans, or parts of plans, for tactical event sequences
  - Planned: event sequences that are or may be planned in the future
  - Progressing: event sequences that are or may be unfolding in the present
  - Past: e.g., established 937 C2 servers on 849 IP addresses in 2012
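As an added illustration, not code from the presentation or from USASMDC, the slide-4 entity scheme (Group, Agenda, Goal, Method, Member, Task) expressed in Python with one inference rule of the kind slide 2 describes: a group's modelled capability is derived by following Agenda -> Goal -> Method and Member -> Skill, and observed tactical methods are turned into ranked hypotheses about which modelled group fits, plus a list of methods no group explains. Every group name, ID, method and area of operation below is constructed for the example.

```python
# Added example, not the presentation's code; all names and data are constructed.
from collections import namedtuple
from dataclasses import dataclass

Goal = namedtuple("Goal", "goal_id name methods")            # methods: frozenset
Agenda = namedtuple("Agenda", "agenda_id name goals")        # goals: tuple of Goal
Member = namedtuple("Member", "member_id name role skills")  # skills: frozenset

@dataclass(frozen=True)
class Group:
    group_id: str
    name: str
    group_type: str   # state actor, transnational criminal, hacktivist, other
    aoo: frozenset    # areas of operation
    agendas: tuple = ()
    members: tuple = ()

    def methods(self):
        """Every method reachable via agenda -> goal -> method, plus member skills."""
        found = set()
        for agenda in self.agendas:
            for goal in agenda.goals:
                found |= goal.methods
        for member in self.members:
            found |= member.skills
        return found

def rank_hypotheses(groups, observed, target_aoo):
    """(group name, score) pairs, best first: one point per observed method the
    group is modelled as capable of, plus one if the target is in its AoO."""
    scored = []
    for g in groups:
        hits = len(observed & g.methods())
        if hits:
            scored.append((g.name, hits + int(target_aoo in g.aoo)))
    return sorted(scored, key=lambda t: (-t[1], t[0]))

def unexplained(groups, observed):
    """Observed methods no modelled group covers: a knowledge gap to record."""
    return sorted(observed - set().union(*(g.methods() for g in groups)))

# Constructed sample knowledge base (hypothetical groups, not real actors).
_spy = Goal("G1", "Infiltrate targeted networks", frozenset({"spear phishing", "backdoor"}))
GROUPS = (
    Group("A1", "Alpha", "state actor", frozenset({"region-1"}),
          agendas=(Agenda("AG1", "Cyber espionage", (_spy,)),),
          members=(Member("M1", "Planner One", "planner", frozenset({"logic bomb"})),)),
    Group("A2", "Beta", "hacktivist", frozenset({"region-2"}),
          agendas=(Agenda("AG2", "Protest", (Goal("G2", "Disrupt", frozenset({"DDoS"})),)),)),
)
```

Calling `rank_hypotheses(GROUPS, frozenset({"spear phishing", "DDoS", "worm"}), "region-1")` yields Alpha ahead of Beta, and `unexplained` flags "worm" as a method the knowledge base does not yet attribute to anyone.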

Slide 6: Modeling Cyber Threat Actors

Slide 7: Deep Modeling of Cyber Threat Actors

Slide 8: Structured Threat Information Expression (STIX) language

Cyber Threat Actor Properties:
- Threat Actor Type: e.g., State Actor, Hacker, Hacktivist, Insider
- Motivation: e.g., Ideological, Economic, Ego, Political
- Intended Effect: e.g., Military Advantage, Extortion, Theft
- Sophistication: Aspirant, Novice, Practitioner, Expert, Innovator
- Observed TTPs: e.g., Exploit, Resources, Phases, Victims
- Associated Campaigns: e.g., Industry Sector, Knowledge Category
- Associated Actors: other threat actors that appear associated, possibly including organized groups

Slide 9: Structured Threat Information Expression (STIX) language; Trusted Automated Exchange of Indicator Information (TAXII) language

Slide 10: Counter Cyber Threat Technology, Necessary but not Sufficient

The technology approach to cyber defense described in this presentation is only one part of a systemic package that must also include education and policy. Cyber threat entity modeling is an efficient way to simultaneously maintain technology, education, and policy barriers to cyber attack. Initial intrusions into secure networks are almost always accomplished via social engineering.

Insider Threats:
- Naïveté/ignorance
- Compromised/blackmailed
- Greedy/needy
- Ideologically hostile

Slide 11: End