A Graph-Based Impact Metric for Mitigating Lateral Movement Cyber Attacks
Most cyber network attacks begin with an adversary gaining a foothold within the network and proceed with lateral movement until a desired goal is achieved. The mechanism by which lateral movement occurs varies, but the basic signature of hopping between hosts by exploiting vulnerabilities is the same. Because of the nature of the vulnerabilities typically exploited, lateral movement is very difficult to detect and defend against. In this paper we define a dynamic reachability graph model of the network to discover possible paths that an adversary could take using different vulnerabilities, and how those paths evolve over time. We use this reachability graph to develop dynamic machine-level and network-level impact scores. Lateral movement mitigation strategies which make use of our impact scores are also discussed, and we detail an example using a freely available data set.
- Research Organization: Pacific Northwest National Lab. (PNNL), Richland, WA (United States)
- Sponsoring Organization: USDOE
- DOE Contract Number: AC05-76RL01830
- OSTI ID: 1334883
- Report Number(s): PNNL-SA-120090; 453040300
- Resource Relation: Conference: Proceedings of the 2016 ACM Workshop on Automated Decision Making for Active Cyber Defense: (SafeConfig 2015), October 24-28, 2016, Vienna, Austria, 45-52
- Country of Publication: United States
- Language: English