A Proactive Decoy Selection Scheme for Cyber Deception using MITRE ATT&CK

TL;DR

This paper presents a proactive decoy selection scheme for cyber deception that leverages MITRE ATT&CK to model attacker TTPs, optimizing decoy placement to maximize attack interception with minimal resources.

Contribution

It introduces an adversarial modeling approach using attack graphs derived from MITRE ATT&CK, formulating a graph partition problem for effective decoy placement.

Findings

Highest attack path interception rate achieved

Uses fewer decoys compared to benchmarks

Effective modeling of attacker capabilities

Abstract

Cyber deception allows compensating the late response of defenders countermeasures to the ever evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys resembling legitimate system components to lure stealthy attackers within the defender environment, slowing and/or denying the accomplishment of their goals. In this regard, the selection of decoys that can expose the techniques used by malicious users plays a central role to incentivize their engagement. However, this is a difficult task to achieve in practice, since it requires an accurate and realistic modeling of the attacker capabilities and his possible targets. In this work, we tackle this challenge and we design a decoy selection scheme that is supported by an adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modelling language using MITRE ATT&CK framework as source of attacker TTPs targeting enterprise systems. In detail, we extract the information about the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs modeling the adversary capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed to specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest amount of decoys.