Early Detection of Cybersecurity Threats Using Collaborative Cognition

Sandeep Narayanan, Ashwinkumar Ganesan, Karuna Joshi, Tim Oates, Anupam Joshi and Tim Finin
Department of Computer Science and Electrical Engineering
University of Maryland, Baltimore County, Baltimore, MD 21250, USA
{sand7, gashwin1, kjoshi1, oates, joshi, finin}@umbc.edu

Abstract—The early detection of cybersecurity events such as attacks is challenging given the constantly evolving threat landscape. Even with advanced monitoring, sophisticated attackers can spend more than 100 days in a system before being detected. This paper describes a novel, collaborative framework that assists a security analyst by exploiting the power of semantically rich knowledge representation and reasoning integrated with different machine learning techniques. Our Cognitive Cybersecurity System ingests information from various textual sources and stores it in a common knowledge graph using terms from an extended version of the Unified Cybersecurity Ontology. The system then reasons over the knowledge graph, which combines a variety of collaborative agents representing host- and network-based sensors, to derive improved actionable intelligence for security administrators, decreasing their cognitive load and increasing their confidence in the result. We describe a proof of concept framework for our approach and demonstrate its capabilities by testing it against a custom-built ransomware similar to WannaCry.

I. INTRODUCTION

A wide and varied range of security tools and systems are available to detect and mitigate cybersecurity attacks, including intrusion detection systems (IDS), intrusion detection and prevention systems (IDPS), firewalls, advanced security appliances (ASA), next-gen intrusion prevention systems (NGIPS), cloud security tools, and data center security tools. However, cybersecurity threats and the associated costs to defend against them are surging.
Sophisticated attackers can still spend more than 100 days [8] in a victim's system without being detected. 23,000 new malware samples are produced daily [33], and a company's average cost for a data breach is about 3.4 million according to a Microsoft study [20]. Several factors, ranging from information flooding to slow response time, render existing techniques ineffective and unable to reduce the damage caused by these cyber-attacks.

Modern security information and event management (SIEM) systems emerged when early security monitoring systems like IDSs and IDPSs began to flood security analysts with alerts. LogRhythm, Splunk, IBM QRadar, and AlienVault are a few of the commercially available SIEM systems [11]. A typical SIEM collects security-log events from a large array of machines in an enterprise, aggregates this data centrally, and analyzes it to provide security analysts with alerts. However, despite ingesting large volumes of host/network sensor data, their reports are hard to understand, noisy, and typically lack actionable details [39]. In a recent survey on SIEM efficiency, 81% of users reported being bothered by noise in existing systems [40]. What is missing in such systems is a collaborative effort: not just aggregating data from the host and network sensors, but also integrating them and reasoning over threat intelligence and sensed data gathered from collaborative sources.

In this paper, we describe a cognitive assistant for the early detection of cybersecurity attacks that is based on collaboration between disparate components. It ingests information about newly published vulnerabilities from multiple threat intelligence sources and represents it in a machine-inferable knowledge graph. The current state of the enterprise/network being monitored is also represented in the same knowledge graph by integrating data from the collaborating traditional sensors, like host IDSs, firewalls, and network IDSs.
Unlike many traditional systems that present this information to an analyst to correlate and detect, our system fuses threat intelligence with observed data to detect attacks early, ideally before the exploit has started. Such a cognitive analysis not only reduces the false positives but also reduces the cognitive load on the analyst.

Cyber threat intelligence comes from a variety of textual sources. A key challenge with sources like blogs and security bulletins is their inherent incompleteness. Often, they are written for specific audiences and do not explain or define what each term means. For example, an excerpt from the Microsoft security bulletin is "The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server." [22]. Since this text is intended for security experts, the rest of the article does not define or describe remote code execution or SMB server.

To fill this gap, we use the Unified Cybersecurity Ontology [36] (UCO)^1 to represent cybersecurity domain knowledge. It provides a common semantic schema for information from disparate sources, allowing their data to be integrated. Concepts and standards from different intelligence sources like STIX [1], CVE [21], CCE [24], CVSS [9], CAPEC [23], CYBOX [25], and STUCCO [12] can be represented directly using UCO.

We have developed a proof of concept system that ingests information from textual sources, combines it with the knowledge about a system's state as observed by collaborating host and network sensors, and reasons over them to detect known (and potentially unknown) attacks. We developed multiple agents, including a process monitoring agent, a file monitoring agent and a Snort agent, that run on the respective machines and provide data to the Cognitive CyberSecurity (CCS) module. This module reasons over the data and the stored knowledge graph to detect various cybersecurity events. The detected events are then reported to the security analyst using a dashboard interface described in Section V-D. We also developed a custom ransomware program, similar to WannaCry, to test the effectiveness of our prototype system. Its design and working are described in Section VI-A. We build upon our earlier work in this domain [26].

The rest of this paper is organized as follows. Section II identifies key challenges in cybersecurity attack detection, followed by a brief discussion of related work in Section III. Our cognitive approach to detecting cybersecurity events is described in Section IV. Implementation details of our prototype system and a concrete use case scenario to demonstrate our system's effectiveness are in Sections V and VI, before we discuss our future directions in Section VII.

^1 Ontology

II. BACKGROUND

Despite the existence of several tools in the security space, attack detection is still a challenging task. Often, attackers adapt themselves to newer security systems and find new ways past them. This section describes some challenges in detecting cybersecurity attacks.

A critical issue which affects the spread and associated costs of a cyber-attack is the time gap between an exploit becoming public and the systems being patched in response. This is evident with the infamous WannaCry ransomware. The core vulnerability used by WannaCry (Windows SMB Remote Code Execution Vulnerability) was first published by Microsoft Security Bulletin [22] and Cisco NGFW in March 2017.
Later in April 2017, Shadow Brokers (a hacker group) released a set of tools including EternalBlue^2 and DoublePulsar which used this vulnerability to gain access to victim machines. It was only by mid-May that the actual WannaCry ransomware started to spread^3 internally using these tools. The large-scale spread of WannaCry that affected over two hundred thousand machines could have been mitigated if it had been quickly identified and affected systems had been patched.

Variations of the same cyber-attack are another challenge faced by existing attack detection systems. Many enterprise tools still use signatures and policies specific to attacks for detection. However, smart attackers evade such systems by slightly modifying existing attacks. Sometimes, hackers even use combinations of tools from other attacks to evade them. An example is the Petya ransomware^4 attack, which was discovered in 2016 and spreads via email attachments and infected computers running Windows. It overwrites the Master Boot Record (MBR), installs a custom boot loader, and forces a system to reboot. The custom boot loader then encrypts the Master File Table (MFT) records and renders the complete file system unreadable. The attack did not result in large-scale infection of machines. However, another attack surfaced in 2017 that shares significant code with Petya. In the new attack, named NotPetya^5, attackers use EternalBlue to spread rather than using email attachments. Often, the malware itself is encrypted and similar code is hard to detect. By modifying how they spread, systems used to detect potential behavioral signatures can also be bypassed.

Yet another challenge in attack detection is a class of attacks called Advanced Persistent Threats (APTs).

^2 https://en.wikipedia.org/wiki/EternalBlue
^3 https://en.wikipedia.org/wiki/WannaCry_ransomware_attack
^4 the-petya-ransomware/
These tend to be sophisticated and persistent over a longer time period [18], [34]. The attackers gain illegal access to an organization's network and may go undetected for a significant time, with the complete scope of the attack remaining unknown. Unlike other common threats, such as viruses and trojans, APTs are implemented in multiple stages [34]. The stages broadly include a reconnaissance (or surveillance) of the target network or hosts, gaining illegal access, payload delivery, and execution of malicious programs [3]. Although these steps remain the same, the specific vulnerabilities used to perform them might change from one APT to another. Hence, new approaches for detecting threats (or APTs) should have the ability to adapt to the evolving threats and thereby help detect the attacks early on.

Our prototype system, detailed in Section IV, ingests knowledge from different threat intelligence sources and represents it in such a way that it can be directly used for attack detection. Such fast adaptation capabilities help our system cater to changing threat landscapes. It also helps to reduce the time gap problem described earlier. Moreover, the knowledge graph and the reasoning based on it help to identify variations in attacks.

III. RELATED WORK

A. Security & Event Management

As the complexity of threats and APTs grows, several companies have released commercial platforms for security information and event management (SIEM) that integrate information from different sources. A typical SIEM has a number of features such as managing logs from disparate sources, correlation analysis of various events, and mechanisms to alert system administrators [35]. IBM's QRadar, for example, can manage logs, detect anomalies, assess vulnerabilities, and perform forensic analysis of known incidents [15]. Its threat intelligence comes from IBM's X-Force [27]. Cisco's Talos [5] is another threat intelligence system.
Many SIEMs^6, such as LogRhythm, Splunk, AlienVault, Micro Focus, McAfee, LogPoint, Dell Technologies (RSA), Elastic, Rapid 7 and Comodo, exist in the market with capabilities including real-time monitoring, threat intelligence, behavior profiling, data and user monitoring, application monitoring, log management and analytics.

^5 need-to-know-now.html
^6 gpoint-vs-splunk

B. Ontology based Systems

Obrst et al. [29] detail a process to design an ontology for the cybersecurity domain. The study is based on the diamond model that defines malicious activity [16]. Ontologies are constructed in a three-tier architecture consisting of a domain-specific ontology at the lowest layer, a mid-level ontology that clusters and defines multiple domains together, and an upper-level ontology that is defined to be as universal as possible. Multiple ontologies designed later on have used the above-mentioned process.

Oltramari et al. [31] created CRATELO as a three-layered ontology to characterize different network security threats. The layers include an ontology for secure operations (OSCO) that combines different domain ontologies, a security-related middle ontology (SECCO) that extends security concepts, and the DOLCE ontology [19] at the higher level. In Oltramari et al. [30], a simplified version of the DOLCE ontology (DOLCE-SPRAY) is used to show how a SQL injection attack can be detected.

Ben-Asher et al. [2] designed a hybrid ontology-based model combining a network packet-centric ontology (representing network traffic) with an adaptive cognitive agent. It learns how humans make decisions while defending against malicious attacks. The agent is based on instance-based learning theory, using reinforcement learning to improve decision making through experience. Gregio et al. [13] discuss a comprehensive ontology to define malware behavior.

Each of these systems and ontologies looks at a narrow subset of information, such as network traffic or host system information, while SIEM products do not use the vast capabilities and benefits of an ontological approach and systems to reason using them.
In this regard, Cognitive CyberSecurity (CCS) takes a larger and more comprehensive view of security threats by integrating information from multiple existing ontologies as well as network and host-based sensors (including system information). It creates a single representative view of the data for system administrators and then provides a framework to reason across these various sources of data.

This paper significantly improves on our previous work [37], [38], [26] in this domain, where semantic rules were used to detect cybersecurity attacks. CCS uses the Unified Cybersecurity Ontology, a STIX-compliant schema, to represent, integrate and enhance knowledge about cyber threat intelligence. Current extensions to it help link standard cyber kill chain phases to various host and network behaviors that are detected by traditional sensors like Snort and monitoring agents. Unlike our previous work, these extensions allow our framework to assimilate incomplete text from sources so that cybersecurity events can be detected in a cognitive manner.

IV. COGNITIVE APPROACH TO CYBERSECURITY

This section describes our approach to detecting cybersecurity attacks. It is inspired by the cognitive process used by humans to assimilate diverse knowledge. The Oxford dictionary defines cognition [7] as "the mental action or process of acquiring knowledge and understanding through thought, experience, and the senses". Our cognitive strategy involves acquiring knowledge and data from various intelligence sources and combining them into an existing knowledge graph that is already populated with cyber threat intelligence data about attack patterns, previous attacks, tools used for attacks, indicators, etc.
This is then used to reason over the data from multiple traditional and non-traditional sensors to detect and predict cybersecurity events.

A novel feature of our framework is its ability to assimilate information from dynamic textual sources and combine it with malware behavioral information, detecting known and unknown attacks. The main challenge with the textual sources is that they are meant for human consumption and the information can be incomplete. Moreover, the text is tailored to a specific audience who already have some knowledge about the topic. For instance, if the target audience of an article is a security analyst, the line "Wannacry is a new ransomware." carries more semantic meaning than the text itself. Based on their background knowledge, a security analyst can expand the previous description and infer the following actions that WannaCry may perform:

- WannaCry tries to encrypt sensitive files;
- A downloaded program may have initiated the encryption;
- Either downloaded keys or randomly generated keys are used for encryption; and
- WannaCry modifies many sensitive files.

However, a machine cannot infer this knowledge from the text alone. Our cognitive approach addresses this issue by integrating the experiences or security threat concepts (attack patterns, the actions performed and associated information like source and target of attack) in a knowledge graph, and combining it with new and potentially incomplete textual knowledge using standard reasoning techniques.

To address the challenge of structurally storing and processing such knowledge about the cybersecurity domain, we use the intrusion kill chain, a general pattern observed in most cybersecurity attacks. Hutchins et al. [14] described an intrusion kill chain with the following seven steps.
- Reconnaissance: Gathering information about the target and various existing attacks (e.g., port scanning, collecting public information on hardware/software used, etc.).
- Weaponization: Combining a specific trojan (software to provide remote access to a victim machine) with an exploit (software to get first unauthorized access to the victim machine, often exploiting vulnerabilities). Trojans and exploits are chosen taking the knowledge from the reconnaissance stage into consideration.
- Delivery: Delivering the weaponized payload to the victim machine (e.g., email attachments, removable media, HTML pages, etc.).
- Exploitation: Execution of the weaponized payload on the victim machine.
- Installation: Once the exploitation is successful, the attacker gains easier access to the victim machine by installing the attached trojan.
- Command and Control (C2): The trojan installed on the victim machine can connect to a Command and Control machine and get ready to receive various commands to be executed on the victim machine. APTs often use such a strategy.
- Actions on Objectives: The final step is to carry out different malicious actions on the victim machine. For example, a ransomware starts searching for and encrypting sensitive files, while data exfiltration attacks send sensitive information to the attackers.

Many attacks conform to these seven steps. Hence, we represent the steps in a knowledge graph and link them to related information like potential tools and techniques used in each step, indicators from traditional sensors which detect them, and so on. For example, we associate the tool nmap with the reconnaissance step, and when its presence is detected by traditional network detectors like Snort, we infer a potential reconnaissance step.

A well-populated knowledge graph links many concepts, and standard deductive reasoning techniques can be used for inference. Such reasoning over the knowledge graph and network data can find other steps in the cyber kill chain, if they are present, similar to a human analyst. It should be pointed out that not all attacks apply all seven steps during their lifetime. For example, some attacks are self-contained such that there is no requirement of a command and control setup. Our system's confidence that an attack is happening increases as more indicators are inferred.

There are many other advantages of representing cybersecurity attack information around a cyber kill chain. First, it helps easily assimilate information from textual sources into the knowledge graph.
For example, the same exploit EternalBlue is detected in the Weaponization stage for major attacks like those of WannaCry, NotPetya and Retefe. Let us assume that the knowledge graph already has information about EternalBlue, perhaps because it was added as a part of a previous attack. Now, with the new information that NotPetya uses EternalBlue for exploitation, several things can be inferred, such as the indicators that give evidence for NotPetya's activities, even if they are not explicitly specified in the graph.

Another advantage is that it helps in detecting variations of existing attacks. To evade attacks, attac
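The two inference patterns described in Section IV (expanding "Wannacry is a new ransomware." into the actions a ransomware performs, and linking tools such as nmap and EternalBlue to kill-chain stages and sensor indicators so that NotPetya's indicators follow from "NotPetya uses EternalBlue") can be shown with a small forward-chaining reasoner over a triple store. The following Python is an added example and is not the paper's CCS implementation, nor UCO itself: the predicates (isA, subClassOf, hasAction, usesTool, usedInStage, hasIndicator, expectsIndicator), the entity names and the Snort/file-monitor event strings are all constructed stand-ins for ontology properties and sensor output.

```python
"""Forward-chaining reasoning over a small cyber kill-chain knowledge graph.

Added example, not the paper's Cognitive CyberSecurity (CCS) code. Every
predicate, entity, indicator name and sensor event below is constructed.
"""
from collections import defaultdict

# Hutchins et al.'s seven intrusion kill-chain stages, in order.
KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "CommandAndControl", "ActionsOnObjectives"]


class KnowledgeGraph:
    """A minimal triple store: a set of (subject, predicate, object) strings."""

    def __init__(self):
        self.triples = set()

    def add(self, s, p, o):
        self.triples.add((s, p, o))

    def has(self, s, p, o):
        return (s, p, o) in self.triples

    def objects(self, subj, pred):
        return {o for (s, p, o) in self.triples if s == subj and p == pred}

    def subjects(self, pred, obj):
        return {s for (s, p, o) in self.triples if p == pred and o == obj}


def build_background_graph():
    """Background knowledge an analyst already has (constructed, UCO-like terms)."""
    kg = KnowledgeGraph()
    # Class-level knowledge about malware families.
    kg.add("Ransomware", "subClassOf", "Malware")
    kg.add("Ransomware", "hasAction", "EncryptSensitiveFiles")
    kg.add("Ransomware", "hasAction", "ModifyManyFiles")
    # Tools/actions and the kill-chain stage each is associated with.
    kg.add("nmap", "usedInStage", "Reconnaissance")
    kg.add("EternalBlue", "usedInStage", "Exploitation")
    kg.add("DoublePulsar", "usedInStage", "Installation")
    kg.add("EncryptSensitiveFiles", "usedInStage", "ActionsOnObjectives")
    # Indicators traditional sensors report for each tool/action
    # (hypothetical Snort and file-monitor event names).
    kg.add("nmap", "hasIndicator", "snort:port_scan")
    kg.add("EternalBlue", "hasIndicator", "snort:smbv1_exploit_attempt")
    kg.add("DoublePulsar", "hasIndicator", "snort:smb_backdoor_ping")
    kg.add("EncryptSensitiveFiles", "hasIndicator", "filemon:mass_rename_unknown_ext")
    # An attack pattern ingested from an earlier incident.
    kg.add("WannaCry", "isA", "Ransomware")
    kg.add("WannaCry", "usesTool", "EternalBlue")
    kg.add("WannaCry", "usesTool", "DoublePulsar")
    return kg


def forward_chain(kg):
    """Derive implied triples until no rule produces anything new (deductive closure)."""
    while True:
        new = set()
        for (s, p, o) in kg.triples:
            if p in ("isA", "subClassOf"):
                # Instances and subclasses inherit the actions of the class.
                for action in kg.objects(o, "hasAction"):
                    new.add((s, "hasAction", action))
            if p == "isA":
                for sup in kg.objects(o, "subClassOf"):
                    new.add((s, "isA", sup))
            if p in ("usesTool", "hasAction"):
                # An attack is expected to show the indicators of its tools/actions.
                for ind in kg.objects(o, "hasIndicator"):
                    new.add((s, "expectsIndicator", ind))
        new -= kg.triples
        if not new:
            return kg
        kg.triples |= new


def detect(kg, observed):
    """Map sensor observations onto kill-chain stages and rank candidate attacks."""
    observed = set(observed)
    evidence = defaultdict(set)  # stage -> indicators supporting it
    for ind in observed:
        for tool in kg.subjects("hasIndicator", ind):
            for stage in kg.objects(tool, "usedInStage"):
                evidence[stage].add(ind)
    # Only instances (subjects of an isA triple) are candidate attacks, not classes.
    candidates = {}
    for attack in {s for (s, p, _) in kg.triples if p == "isA"}:
        expected = kg.objects(attack, "expectsIndicator")
        matched = expected & observed
        if matched:
            candidates[attack] = len(matched) / len(expected)
    stages = [s for s in KILL_CHAIN if s in evidence]
    return {"stages": stages,
            "evidence": {s: sorted(evidence[s]) for s in stages},
            "candidates": candidates,
            # Confidence grows with the number of distinct kill-chain stages evidenced.
            "confidence": len(stages) / len(KILL_CHAIN)}


def run_demo():
    kg = build_background_graph()
    # Two facts assimilated from a constructed bulletin sentence such as
    # "NotPetya is a ransomware that spreads using EternalBlue".
    kg.add("NotPetya", "isA", "Ransomware")
    kg.add("NotPetya", "usesTool", "EternalBlue")
    forward_chain(kg)
    # Constructed events from a Snort agent and a file-monitoring agent.
    observations = ["snort:port_scan", "snort:smbv1_exploit_attempt",
                    "filemon:mass_rename_unknown_ext"]
    return kg, detect(kg, observations)


if __name__ == "__main__":
    kg, result = run_demo()
    print("NotPetya expects:", sorted(kg.objects("NotPetya", "expectsIndicator")))
    print("stages:", result["stages"], "confidence: %.2f" % result["confidence"])
    print("candidates:", result["candidates"])
```

Running it shows the point of the section: the graph never states NotPetya's indicators, yet after forward chaining NotPetya expects both the SMBv1 exploit event (via usesTool EternalBlue) and the mass-rename event (via isA Ransomware and the class's hasAction). The three constructed observations are mapped to Reconnaissance, Exploitation and Actions on Objectives, and the confidence score is simply the fraction of the seven stages with evidence, a deliberately simple stand-in for the paper's statement that confidence increases as more indicators are inferred.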
