Collecting Cyber Traces: Adding Forensic Evidence In Threat Models

University essay from KTH/Skolan för elektroteknik och datavetenskap (EECS)

Abstract: There is rising concern about cyber security as both industry and individuals depend increasingly on the Internet. Threat modeling and attack simulation are the main approaches a security analyst uses to examine the overall reliability of Information Technology infrastructures. Many researchers have focused on efficient ways of simulating a cyber-attack so that users can obtain comprehensive information about the security and vulnerabilities of a system. The Meta Attack Language is a research project for creating threat models for a specific domain. Following the syntax of the Meta Attack Language, a domain-specific language describes the attack steps an attacker is likely to take to reach the assets of Information Technology infrastructures. However, the Meta Attack Language cannot currently model forensic evidence. While the attack steps are performed, the attackers leave traces. These traces are forensic evidence that is helpful to security engineers. The forensic evidence related to a specific asset reveals the consequences of a cyber-attack. It also helps security engineers understand how the cyber-attack was performed and can be used to efficiently detect a similar intrusion in the future. This project investigated various approaches to including traces in probabilistic attack graphs and implemented forensic evidence in the Meta Attack Language. Several different mechanisms for extending the Meta Attack Language are proposed. Examples of using the enhanced Meta Attack Language demonstrate the capabilities of collecting traces and presenting the forensic evidence to security engineers while simulating an attack.
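As an added illustration of the idea (not code from the thesis or from the MAL project), the Python model below attaches traces to attack steps with MAL-style OR/AND dependencies, so that a simulation reports not only which steps the attacker can reach but also the evidence a responder should expect to find. The `AttackStep`, `simulate` and `example_graph` names, and all step names and trace descriptions, are constructed for this example.

```python
from dataclasses import dataclass, field

@dataclass
class AttackStep:
    """One node of the attack graph. `kind` mirrors MAL's step types:
    'or' is reachable once any parent is reached, 'and' needs all parents."""
    name: str
    kind: str = "or"
    parents: list = field(default_factory=list)
    traces: list = field(default_factory=list)  # forensic evidence the step leaves behind

def simulate(graph, entry_points):
    """Propagate compromise from the entry points and collect the traces
    attached to every attack step the attacker can reach."""
    reached = set(entry_points)
    changed = True
    while changed:  # fixed-point iteration over the graph
        changed = False
        for step in graph.values():
            if step.name in reached:
                continue
            if step.kind == "and":
                ok = bool(step.parents) and all(p in reached for p in step.parents)
            else:
                ok = any(p in reached for p in step.parents)
            if ok:
                reached.add(step.name)
                changed = True
    # Evidence report: only steps that actually leave a trace are listed.
    evidence = {n: graph[n].traces for n in reached if graph[n].traces}
    return reached, evidence

def example_graph():
    """Constructed (hypothetical) graph: network access and a phished user
    are both needed before the attacker can authenticate to the host."""
    steps = [
        AttackStep("network.access"),
        AttackStep("user.phished"),
        AttackStep("host.connect", "or", ["network.access"],
                   ["firewall accept entry for the host's service port"]),
        AttackStep("credentials.compromised", "or", ["user.phished"],
                   ["phishing message in the mail gateway log"]),
        AttackStep("host.authenticate", "and", ["host.connect", "credentials.compromised"],
                   ["successful interactive logon event for the user"]),
        AttackStep("host.fullAccess", "or", ["host.authenticate"],
                   ["process creation events under the user's session"]),
    ]
    return {s.name: s for s in steps}

if __name__ == "__main__":
    reached, evidence = simulate(example_graph(), {"network.access", "user.phished"})
    for name in sorted(reached):
        print(name, "->", "; ".join(evidence.get(name, [])) or "(no trace)")
```

With only network access as the entry point the AND step `host.authenticate` stays unreachable, and the evidence report shrinks accordingly.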
