Integrating Security Behavior into Attack Simulations

The increase in cyber-attacks over the last decade has raised security concerns for critical assets worldwide, leading to more effort being spent on improving cyber security in companies and countries. To enhance cyber security, the representation and testing of attacks is of prime importance for understanding system vulnerabilities. One of the available tools for simulating attacks on systems is the Meta Attack Language (MAL), which allows representing the effects of certain cyber-attacks. However, understanding component vulnerabilities alone is not enough to secure enterprise systems. Another important factor is the ‘human’, who constitutes the biggest ‘insider threat’. For this, Security Behavior Analysis (SBA) helps in understanding which system components might be directly affected by the ‘human’. As such, in this work, the authors present an approach for integrating user actions, so-called “security behavior”, by mapping SBA to a MAL-based language through MITRE ATT&CK techniques.
