Biblio

Cyber Threat Intelligence (CTI) is a rapidly developing field which has evolved in direct response to exponential growth in cyber related crimes and attacks. CTI supports Communication and Information System (CIS)Security in order to bolster defenses and aids in the development of threat models that inform an organization's decision making process. In a military organization like NATO, CTI additionally supports Cyberspace Operations by providing the Commander with essential intelligence about the adversary, their capabilities and objectives while operating in and through cyberspace. There have been many contributions to the CTI field; a noteworthy contribution is the ATT&CK® framework by the Mitre Corporation. ATT&CK® contains a comprehensive list of adversary tactics and techniques linked to custom or publicly known Advanced Persistent Threats (APT) which aids an analyst in the characterization of Indicators of Compromise (IOCs). The ATT&CK® framework also demonstrates possibility of supporting an organization with linking observed tactics and techniques to specific APT behavior, which may assist with adversary characterization and identification, necessary steps towards attribution. The NATO Allied Command Transformation (ACT) and the NATO Communication and Information Agency (NCI Agency) have been experimenting with the use of deception techniques (including decoys) to increase the collection of adversary related data. The collected data is mapped to the tactics and techniques described in the ATT&CK® framework, in order to derive evidence to support adversary characterization; this intelligence is pivotal for the Commander to support mission planning and determine the best possible multi-domain courses of action. This paper describes the approach, methodology, outcomes and next steps for the conducted experiments.

One of the main security concerns of enterprise-level organizations which provide network-based services is combating with complex cybersecurity attacks like advanced persistent threats (APTs). The main features of these attacks are being multilevel, multi-step, long-term and persistent. Also they use an intrusion kill chain (IKC) model to proceed the attack steps and reach their goals on targets. Traditional security solutions like firewalls and intrusion detection and prevention systems (IDPSs) are not able to prevent APT attack strategies and block them. Recently, deception techniques are proposed to defend network assets against malicious activities during IKC progression. One of the most promising approaches against APT attacks is Moving Target Defense (MTD). MTD techniques can be applied to attack steps of any abstraction levels in a networked infrastructure (application, host, and network) dynamically for disruption of successful execution of any on the fly IKCs. In this paper, after presentation and discussion on common introduced IKCs, one of them is selected and is used for further analysis. Also, after proposing a new and comprehensive taxonomy of MTD techniques in different levels, a mapping analysis is conducted between IKC models and existing MTD techniques. Finally, the effect of MTD is evaluated during a case study (specifically IP Randomization). The experimental results show that the MTD techniques provide better means to defend against IKC-based intrusion activities.