Towards Reconstructing Multi-Step Cyber Attacks in Modern Cloud Environments with Tripwires

TL;DR

This paper proposes a framework that integrates cyber deception, automatic tripwire deployment, and attack graphs to improve the reconstruction of multi-step cyber attacks in complex cloud environments.

Contribution

It introduces a novel framework combining cyber deception and attack graphs to enhance attack detection and reconstruction accuracy in cloud settings.

Findings

Framework enables more accurate attack reconstruction

Cyber deception reduces false positives

Automated tripwire deployment enhances detection capabilities

Abstract

Rapidly-changing cloud environments that consist of heavily interconnected components are difficult to secure. Existing solutions often try to correlate many weak indicators to identify and reconstruct multi-step cyber attacks. The lack of a true, causal link between most of these indicators still leaves administrators with a lot of false-positives to browse through. We argue that cyber deception can improve the precision of attack detection systems, if used in a structured, and automatic way, i.e., in the form of so-called tripwires that ultimately span an attack graph, which assists attack reconstruction algorithms. This paper proposes an idea for a framework that combines cyber deception, automatic tripwire injection and attack graphs, which eventually enables us to reconstruct multi-step cyber attacks in modern cloud environments.