2022 Research Review / DAY 2
Chain Games: Powering Autonomous Threat Hunting
Assuring information system security requires not just preventing system compromises but finding adversaries already present in the network before they can take action on their objectives. Defensive computer operations (DCO) personnel find the technique of cyber threat hunting the most effective approach for identifying such threats. While the Department of Defense (DoD) does conduct human-driven threat hunting, it often does so only when resources are not devoted to other demands. The time, expense, and expert resources required for cyber threat hunting typically preclude comprehensive investigation. However, an autonomous threat- hunting tool could run more pervasively, achieve standards of coverage currently considered impractical, and significantly reduce competition for limited analyst resources.
In this project, we take on this challenge by developing algorithms to enable fully autonomous threat hunting by modeling threat hunting as a Cyber Camouflage Game (CCG), a type of mathematical game played between a “probing” player (analogous to a threat hunter) and a potentially deceptive “target” (analogous to an attacker). We will test these algorithms in a simulation environment, and evaluate success using metrics derived from CCG analysis and the threat-hunting domain. Cloud telemetry data will be used to develop and verify the hunt algorithms, assessing the sufficiency of this data for threat hunting, and identifying potential gaps that can be fed back into vendor requirements and open standards to make threat hunting more effective in cloud-native environments.
Our initial investigation is bounded to
- Microsoft Azure cloud hosting and services (and evaluation of Azure cloud telemetry data)
- a containerized, infrastructure-as-a-service (IaaS) application architecture intended to be representative of DoD enterprise applications migrated to the cloud
- an attacker already resident in the environment and seeking to stage application data for later exfiltration
If our work is successful, threat-hunt operators will confirm that algorithms developed from game-theoretic analysis successfully identify attacker-controlled infrastructure as well as or better than the traditional state of the practice within the investigatory constraints.
This FY2022–23 project
- aligns with the SEI technical objective to bring capabilities that make new missions possible or improve the likelihood of success of existing ones
- aligns with the DoD software strategy to attain autonomous cyber operations and resilience in DoD missions