The motivation of attackers in attack tree analysis

The number of cyberattacks has been growing over time and is expected to keep growing. In order to prevent such attacks, countermeasures have to be put in place by IT security experts. These IT security experts are however often tied to budgets and do not have a good overview of the threats that are present. It is thus necessary to provide them tools that can help them to decide on how to allocate their resources. One of these tools is the attack tree methodology, which is used to analyse complex attacks that consist of multiple steps. Properties of the overall security of the system are derived by properties of the smaller steps. These properties of the attack are represented in the form of parameters that are allocated to the nodes in the attack tree. Some of these parameters used are however dependent on the type of attacker. In order to be able to reuse the attack tree for analysing it for various types of attackers, the parameters in the attack tree have to be made independent of the attacker. In order to do so, attacker properties are considered separately, which are summarized in attacker profiles. So far, methods have been formed to include the attacker’s resources and the attacker’s skill in the attack tree methodology. The result of the current research is a framework that includes the motivation of the attacker in the attack tree methodology. The framework can be used by IT security experts to analyse the attack tree for variously motivated attackers, without having to update the parameter values. A design science approach is used to design the framework, which starts with the identification of the knowledge gap. The knowledge gap lies in how to include the motivation of the attacker in the attack tree methodology. This motivation is assumed to have an influence on the pay-off an attacker receives from performing an attack. The value that including the motivation in the analysis can bring can be summarized as the following: ? The gains parameter is made independent of the type of attacker ? Various pay-offs are possible for variously motivated attackers ? The gains parameter is made more realistic The framework is ensured to reach this potential added value, by adhering to a list of requirements. This list of requirements is build up from constraints to which the framework must conform and dilemmas for which a design choice has to be made. The resulting framework is mainly based on the method presented by Lenin et al. (2014). Changes to the current method are mainly made to the gains parameter. The gains is no longer a global parameter that is only received by the attacker when reaching the root node. Instead it is possible to include intermediate pay-offs, which means that gains can also be allocated to intermediate nodes. In this way, different gains are possible for different attack paths in the attack tree. The gains can thus be represented in a more fine grained way. Also an opt-out possibility is included to allow attackers to perform attacks to only reach an intermediate node and not the root node of the attack tree. In the current method the pay-off for an attacker was considered to be equal to the gains, which was the same for every type of attacker. This gains was also a single value. In the designed framework the gains has been slit up in five types of gains to deal with the five forms of motivation that an attacker may have, which are financial benefits, causing damage, knowledge gaining, pleasure seeking and gaining notoriety within a community. With the use of weight values, the importance of the various types of gains for an attacker can be represented. By multiplying the gains with the weight values, a pay-off can be calculated for a certain type of attacker. This way various pay-offs are possible for variously motivated attackers. A case study has been described to show the working of the framework on a real world case, which also served as a validation of the framework. In addition an expert opinion has been asked to validate the framework. The main improvement that can be made to the framework by future research is focussed on allocating values to the different types of gains and allocating the weight values for the different types of gains. Also attention could be paid to several dependencies between attack and attacker properties that have not yet been taken into account.

[1]  Jan Willemson,et al.  Attacker Profiling in Quantitative Security Assessment Based on Attack Trees , 2014, NordSec.

[2]  Jan Willemson,et al.  Computing Exact Outcomes of Multi-parameter Attack Trees , 2008, OTM Conferences.

[3]  Barbara Kordy,et al.  Foundations of Attack-Defense Trees , 2010, Formal Aspects in Security and Trust.

[4]  Margus Niitsoo Optimal Adversary Behavior for the Serial Model of Financial Attack Trees , 2010, IWSEC.

[5]  Samir Chatterjee,et al.  A Design Science Research Methodology for Information Systems Research , 2008 .

[6]  Marcus K. Rogers,et al.  A two-dimensional circumplex approach to the development of a hacker taxonomy , 2006, Digit. Investig..

[7]  Timothy Casey,et al.  Threat Agent Library Helps Identify Information Security Risks , 2007 .

[8]  Sjouke Mauw,et al.  Foundations of Attack Trees , 2005, ICISC.

[9]  Richard Barber Hackers Profiled — Who Are They and What Are Their Motivations? , 2001 .

[10]  Lars Grunske,et al.  Quantitative risk-based security prediction for component-based systems with explicitly modeled attack profiles , 2008, J. Syst. Softw..

[11]  Nir Kshetri,et al.  The simple economics of cybercrimes , 2006, IEEE Security & Privacy Magazine.

[12]  R.F. Mills,et al.  Using Attack and Protection Trees to Analyze Threats and Defenses to Homeland Security , 2006, MILCOM 2006 - 2006 IEEE Military Communications conference.

[13]  Robert J. Ellison,et al.  Attack Trees , 2009, Encyclopedia of Biometrics.

[14]  Barbara Kordy,et al.  DAG-based attack and defense modeling: Don't miss the forest for the attack trees , 2013, Comput. Sci. Rev..

[15]  Wolter Pieters,et al.  Calculating Adversarial Risk from Attack Trees: Control Strength and Probabilistic Attackers , 2015, DPM/SETOP/QASA.

[16]  Alan D. Smith,et al.  Issues in cybersecurity; understanding the potential risks associated with hackers/crackers , 2002, Inf. Manag. Comput. Secur..

[17]  Jan Willemson,et al.  Serial Model for Attack Tree Computations , 2009, ICISC.

[18]  Jan Willemson,et al.  On Fast and Approximate Attack Tree Computations , 2010, ISPEC.

[19]  Orly Turgeman-Goldschmidt Hackers' Accounts , 2005 .

[20]  Jan Willemson,et al.  Processing Multi-parameter Attacktrees with Estimated Parameter Values , 2007, IWSEC.

[21]  Jan Willemson,et al.  Rational Choice of Security Measures Via Multi-parameter Attack Trees , 2006, CRITIS.