PenQuest: a gamified attacker/defender meta model for cyber security assessment and education

Attacks on IT systems are a rising threat to the confidentiality, integrity, and availability of critical information and infrastructures. At the same time, the complex interplay of attack techniques and possible countermeasures makes it difficult to appropriately plan, implement, and evaluate an organization's defense. More often than not, the worlds of technical threats and organizational controls remain disconnected. In this article, we introduce PenQuest, a meta model designed to present a complete view of information system attacks and their mitigation while providing a tool for both semantic data enrichment and security education. PenQuest simulates time-enabled attacker/defender behavior as part of a dynamic, imperfect-information multi-player game that derives significant parts of its ruleset from established information security sources such as STIX, CAPEC, CVE/CWE, and NIST SP 800-53. Attack patterns, vulnerabilities, and mitigating controls are mapped to counterpart strategies and concrete actions through practical, data-centric mechanisms. The gamified model considers and defines a wide range of actors, assets, and actions, thereby enabling the assessment of cyber risks while giving technical experts the opportunity to explore specific attack scenarios in the context of an abstracted IT infrastructure. We implemented PenQuest as a physical serious game prototype and successfully tested it in a higher education environment. Additional expert interviews helped evaluate the model's applicability to information security scenarios.
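To make the "data-centric mapping" concrete, the following is an added illustration (not PenQuest's own code or ruleset) of how an attack pattern can be tied to the weaknesses it exploits and on to the controls that cover them, and how such a mapping resolves an attacker/defender turn in which the attacker never sees the defender's control set. The CAPEC, CWE and NIST SP 800-53 identifiers are real, but the excerpts are hand-picked and minimal, the CWE-to-control table is hand-curated, and the success rule (an attack succeeds if any exploited weakness has none of its mapped controls deployed) is an assumption chosen for the example, not the paper's mechanism.

```python
"""CAPEC -> CWE -> NIST SP 800-53 mapping with a minimal imperfect-information
attack/defence turn.  Added example; not PenQuest code.  Identifiers are real,
the catalogue excerpts and the control mapping are hand-curated, and the
turn-resolution rule is an assumption made for illustration."""
from dataclasses import dataclass, field

# Constructed excerpt of the CAPEC catalogue: pattern -> weaknesses it exploits.
CAPEC = {
    "CAPEC-66": {"name": "SQL Injection", "cwes": ["CWE-89"]},
    "CAPEC-63": {"name": "Cross-Site Scripting (XSS)", "cwes": ["CWE-79"]},
    "CAPEC-49": {"name": "Password Brute Forcing", "cwes": ["CWE-521", "CWE-307"]},
}

# Hand-curated (assumed) link from a weakness to SP 800-53 controls that cover it.
CWE_TO_CONTROL = {
    "CWE-89": {"SI-10"},    # Information Input Validation
    "CWE-79": {"SI-10"},
    "CWE-521": {"IA-5"},    # Authenticator Management
    "CWE-307": {"AC-7"},    # Unsuccessful Logon Attempts
}


def controls_for(capec_id):
    """Map one attack pattern to the controls covering each weakness it exploits.

    Raises KeyError for an unknown pattern: a pattern missing from the catalogue
    is a data gap to fix, not something to silently treat as harmless.  A weakness
    with no entry in CWE_TO_CONTROL maps to an empty set, i.e. nothing covers it.
    """
    pattern = CAPEC[capec_id]
    return {cwe: set(CWE_TO_CONTROL.get(cwe, ())) for cwe in pattern["cwes"]}


def resolve_attack(capec_id, deployed):
    """Assumed rule: the attack succeeds if any exploited weakness has none of
    its mapped controls deployed.  Returns (success, list_of_uncovered_cwes)."""
    uncovered = [
        cwe for cwe, ctrls in controls_for(capec_id).items() if not (ctrls & deployed)
    ]
    return bool(uncovered), uncovered


@dataclass
class Campaign:
    """Turn-based exchange.  The defender's control set is private state; the
    attacker only ever learns the outcome of its own actions."""
    deployed: set
    turn: int = 0
    log: list = field(default_factory=list)

    def attacker_turn(self, capec_id):
        self.turn += 1
        success, _gaps = resolve_attack(capec_id, self.deployed)
        # Only the outcome is revealed, never which controls were in place.
        self.log.append((self.turn, "attack", capec_id, success))
        return success

    def defender_turn(self, control_id):
        self.turn += 1
        self.deployed.add(control_id)
        self.log.append((self.turn, "defend", control_id, True))
        return control_id


if __name__ == "__main__":
    game = Campaign(deployed={"SI-10"})
    game.attacker_turn("CAPEC-66")   # input validation in place: fails
    game.attacker_turn("CAPEC-49")   # no password policy / lockout: succeeds
    game.defender_turn("AC-7")
    game.defender_turn("IA-5")
    game.attacker_turn("CAPEC-49")   # both weaknesses now covered: fails
    for entry in game.log:
        print(entry)
```

The conservative choices matter more than the toy rule: an unmapped weakness counts as uncovered rather than covered, and an unknown pattern raises instead of resolving to "no risk", so gaps in the enrichment data surface as errors rather than as a falsely reassuring game state.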
