Crown Jewels Analysis using Reinforcement Learning with Attack Graphs
Rohit Gangupantulu, Tyler Cody, Abdul Rahman, Christopher Redino, Ryan Clark, Paul Park

TL;DR
This paper introduces CJA-RL, a reinforcement learning-based method for crown jewel analysis in cybersecurity, focusing on identifying critical network points for targeted attacks to improve defense strategies.
Contribution
The paper presents a novel reinforcement learning approach for crown jewel analysis that emphasizes network-driven insights and can enhance cybersecurity operations.
Findings
CJA-RL successfully identified key attack points in complex networks.
Reinforcement learning can automate and improve penetration testing processes.
The method offers interpretable results aligned with threat-models.
Abstract
Cyber attacks pose existential threats to nations and enterprises. Current practice favors piece-wise analysis using threat-models in the stead of rigorous cyber terrain analysis and intelligence preparation of the battlefield. Automated penetration testing using reinforcement learning offers a new and promising approach for developing methodologies that are driven by network structure and cyber terrain, that can be later interpreted in terms of threat-models, but that are principally network-driven analyses. This paper presents a novel method for crown jewel analysis termed CJA-RL that uses reinforcement learning to identify key terrain and avenues of approach for exploiting crown jewels. In our experiment, CJA-RL identified ideal entry points, choke points, and pivots for exploiting a network with multiple crown jewels, exemplifying how CJA-RL and reinforcement learning for…
Taxonomy
Topics: Advanced Malware Detection Techniques · Information and Cyber Security · Network Security and Intrusion Detection
