Please use this identifier to cite or link to this item: http://dspace.bits-pilani.ac.in:8080/jspui/xmlui/handle/123456789/8391
Title: A Quantitative Security Risk Analysis Framework for Modelling and Analyzing Advanced Persistent Threats
Authors: Kumar, Rajesh
Keywords: Computer Science; Attack trees; Security analysis; Parallel and sequential execution
Issue Date: Feb-2021
Publisher: Springer
Abstract: Advanced persistent threats (APTs) are different from other computer-based attacks in their target selection, attack technique, and malicious motive. Distinct from script kiddie attacks, these attacks target critical systems to inflict maximum damage, such as to stall critical industrial processes. The standard defense against APT attacks is to deploy security mechanisms that are typically reminiscent of enterprise defense systems such as firewalls, intrusion detection systems, etc. However, given the nature and attack potential of APT attacks, one cannot rely on these security mechanisms alone as they are susceptible to failure and false alarms, and interfere with usability. Yet another problem is to decide on which mechanisms to deploy and at which points to offer maximum coverage against attacks. We believe, given the unique characteristics of APT attacks, one needs a robust and layered defense to protect against APT by timely detection, prevention, mitigation, and emergency plan. One such objective way to determine the countermeasures’ efficacy is by modeling and simulating attack behaviour. In this paper, we propose a two-layer framework to analyze the APT attacks. At the top is the domain model of the Enhanced cyber kill chain. We use it to capture the attack phases, techniques, and processes. The bottom layer is the analytic layer of stochastic timed automata derived from the domain model. Key metrics are obtained using state-of-the-art statistical model-checking techniques. We argue that such a timed analysis can be used to improve the security posture by putting countermeasures at appropriate positions.
URI: https://link.springer.com/chapter/10.1007/978-3-030-70881-8_3
http://dspace.bits-pilani.ac.in:8080/xmlui/handle/123456789/8391
Appears in Collections: Department of Computer Science and Information Systems

Files in This Item:
There are no files associated with this item.


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.