The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs. Kill chain and attack graphs are threat modeling concepts that enable determining weak security defense points. We propose a novel kill chain attack graph that merges kill chain and attack graphs together. This approach determines possible chains of attacker's actions and their materialization within the protected network. The graph generation uses a categorization of threats according to violated security properties. The graph allows determining the kill chain phase the administrator should focus on and applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. Publicly available implementation contains a proof-of-concept kill chain attack graph generator.
翻译:网络袭击者安全行政人员不断演化的能力迫使网络袭击者将注意力集中在早期识别新出现的威胁上。定向网络袭击通常由几个阶段组成,从初步侦察网络环境到最终对目标产生影响。本文件调查使用杀人链和攻击图查明多步网络威胁情景。杀人链和攻击图是有助于确定薄弱的安全防御点的威胁模型概念。我们提出了一个新的杀人链袭击图,将杀人链和攻击图结合起来。这一方法确定了攻击者行动及其在受保护网络中的实际作用的可能链。图表的生成根据被侵犯的安全特性对威胁进行分类。图表允许确定杀人链阶段,管理员应侧重于和适用对策,以减轻可能的网络威胁。我们实施了预先确定的网络威胁范围的拟议方法,特别是脆弱性剥削和网络威胁。该方法在现实世界使用案例中得到验证。公众可用的实施方法包含一个验证概念的致命链袭击图表生成器。