A Multi-criteria Approach to Improve the Cyber Security Visibility Through Breach Attack Simulations

Abstract


Cyber threats are increasingly present in our daily lives and represent a great risk for companies. Organisations therefore run breach attack simulations to generate an action plan and recommendations to be followed. However, these action plans are the result of the tacit knowledge of specialists. To address this issue, this research proposes a formal and automatic method to generate prioritized action plans to improve the visibility of the environment. The proposed method is demonstrated through an experiment, whose results were consistent and useful for the scenario in which it was tested.

Keywords: multi-criteria, breach attack simulations, kill chain, MITRE attack

Published
12/09/2022
How to Cite

HORTA, Antonio; HOLANDA, Raimir; MARINHO, Renato. A Multi-criteria Approach to Improve the Cyber Security Visibility Through Breach Attack Simulations. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 22., 2022, Santa Maria. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2022. p. 330-343. DOI: https://doi.org/10.5753/sbseg.2022.224454.