Farsighted Risk Mitigation of Lateral Movement Using Dynamic Cognitive Honeypots

Lateral movement of advanced persistent threats has posed a severe security challenge. Due to the stealthy and persistent nature of the lateral movement, defenders need to consider time and spatial locations holistically to discover latent attack paths across a large time-scale and achieve long-term security for the target assets. In this work, we propose a time-expanded random network to model the stochastic service links in the user-host enterprise network and the adversarial lateral movement. We design cognitive honeypots at idle production nodes and disguise honey links as service links to detect and deter the adversarial lateral movement. The location of the honeypot changes randomly at different times and increases the honeypots' stealthiness. Since the defender does not know whether, when, and where the initial intrusion and the lateral movement occur, the honeypot policy aims to reduce the target assets' Long-Term Vulnerability (LTV) for proactive and persistent protection. We further characterize three tradeoffs, i.e., the probability of interference, the stealthiness level, and the roaming cost. To counter the curse of multiple attack paths, we propose an iterative algorithm and approximate the LTV with the union bound for computationally efficient deployment of cognitive honeypots. The results of the vulnerability analysis illustrate the bounds, trends, and a residue of LTV when the adversarial lateral movement has infinite duration. Besides honeypot policies, we obtain a critical threshold of compromisability to guide the design and modification of the current system parameters for a higher level of long-term security. We show that the target node can achieve zero vulnerability under infinite stages of lateral movement if the probability of movement deterrence is not less than the threshold.

[1]  Rudzidatul Akmam Dziyauddin,et al.  Proposed Framework for Network Lateral Movement Detection Based On User Risk Scoring in SIEM , 2018, 2018 2nd International Conference on Telematics and Future Generation Networks (TAFGEN).

[2]  Quanyan Zhu,et al.  A Dynamic Games Approach to Proactive Defense Strategies against Advanced Persistent Threats in Cyber-Physical Systems , 2019, Comput. Secur..

[3]  Quanyan Zhu,et al.  Adaptive Honeypot Engagement through Reinforcement Learning of Semi-Markov Decision Processes , 2019, GameSec.

[4]  Joseph Mitola,et al.  Cognitive radio: making software radios more personal , 1999, IEEE Wirel. Commun..

[5]  Neal Krawetz,et al.  Anti-honeypot technology , 2004, IEEE Security & Privacy Magazine.

[6]  Quanyan Zhu,et al.  Optimal Timing in Dynamic and Robust Attacker Engagement During Advanced Persistent Threats , 2017, 2019 International Symposium on Modeling and Optimization in Mobile, Ad Hoc, and Wireless Networks (WiOPT).

[7]  William H. Sanders,et al.  A Game-Theoretic Approach to Respond to Attacker Lateral Movement , 2016, GameSec.

[8]  Quanyan Zhu,et al.  Analysis and Computation of Adaptive Defense Strategies Against Advanced Persistent Threats for Cyber-Physical Systems , 2018, GameSec.

[9]  Shen Su,et al.  Real-Time Lateral Movement Detection Based on Evidence Reasoning Network for Edge Computing Environment , 2019, IEEE Transactions on Industrial Informatics.

[10]  Kerem Kaynar,et al.  A taxonomy for attack graph generation and usage in network security , 2016, J. Inf. Secur. Appl..

[11]  Shouhuai Xu,et al.  Cybersecurity Dynamics: A Foundation for the Science of Cybersecurity , 2020, Proactive and Dynamic Network Defense.

[12]  Ehab Al-Shaer,et al.  Verifying the Enforcement and Effectiveness of Network Lateral Movement Resistance Techniques , 2018, ICETE.

[13]  Quanyan Zhu,et al.  Game of Duplicity: A Proactive Automated Defense Mechanism by Deception Design , 2020, ArXiv.

[14]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[15]  Quanyan Zhu,et al.  On Multi-Phase and Multi-Stage Game-Theoretic Modeling of Advanced Persistent Threats , 2018, IEEE Access.

[16]  Jack W. Stokes,et al.  Latte: Large-Scale Lateral Movement Detection , 2018, MILCOM 2018 - 2018 IEEE Military Communications Conference (MILCOM).

[17]  Chunxiao Jiang,et al.  Reinforcement Learning Based Capacity Management in Multi-Layer Satellite Networks , 2020, IEEE Transactions on Wireless Communications.

[18]  Rami G. Melhem,et al.  Roaming honeypots for mitigating service-level denial-of-service attacks , 2004, 24th International Conference on Distributed Computing Systems, 2004. Proceedings..

[19]  Karel Horák,et al.  Optimizing honeypot strategies against dynamic lateral movement using partially observable stochastic games , 2019, Comput. Secur..

[20]  Indrajit Ray,et al.  Enterprise Cyber Resiliency Against Lateral Movement: A Graph Theoretic Approach , 2019, ArXiv.

[21]  Yi Yang,et al.  Efficient Route Planning on Public Transportation Networks: A Labelling Approach , 2015, SIGMOD Conference.

[22]  Quanyan Zhu,et al.  Adaptive Strategic Cyber Defense for Advanced Persistent Threats in Critical Infrastructure Networks , 2018, PERV.

[23]  Ricardo J. Rodríguez,et al.  Quantitative security analysis of a dynamic network system under lateral movement-based attacks , 2019, Reliab. Eng. Syst. Saf..

[24]  Karen Scarfone,et al.  Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[25]  Nicola Santoro,et al.  Time-varying graphs and dynamic networks , 2010, Int. J. Parallel Emergent Distributed Syst..

[26]  Chaomei Lo,et al.  A Graph-Based Impact Metric for Mitigating Lateral Movement Cyber Attacks , 2016, SafeConfig@CCS.