Background
Recognizing the attacker’s advantage gained with unlimited reconnaissance time, the cyber security research community has responded with the development of MTDs to mitigate this advantage. MTDs provide security by shifting the target system’s attack surface over time. With the target system’s attack surface changing over time, the adversary cannot rely on information gained from previous reconnaissance efforts.
A foundational survey of MTDs by Lincoln Laboratories categorizes these defenses by the system resources they manipulate [1]. Table 1 shows each MTD category and its associated security benefits and resource impact. This information influences the development of defense configurations.
Table 1. Description of the five MTD categories in regard to the modification defense type, what type of attack they were designed to defend against and the associated overhead for the general case [1].
MTDs create new C2 challenges for mission assurance. Mission execution depends on deterministic system behavior, while MTDs create a non-deterministic attack surface. A CSA responsible for the security of a mission system currently does not have quantitative information about the effects of a defensive posture, mission resource requirements, or system vulnerabilities. Therefore, a CSA depends on intuition to develop a defensive posture COA to provide mission assurance. MTDs have the potential for providing enhanced cyber security. However, ad hoc defense deployments are as likely to create an internal denial of service as they are to prevent an external one. This inherent risk requires that various cyber defenses are quantified and characterized prior to deployment.
Metrics
There are many factors to consider when generating a cyber defense configuration. One of the most important factors is a measure of security or resistance to attack. Researchers have tried to develop a generalized method for measuring the security of an information system; Manadhata and Wing developed one of the most comprehensive approaches and codified it in terms of a measurement of the attack surface of the system [2] [3]. In their approach, an attack surface metric for an information system is based on an enumeration of all possible entry and exit points into the system, with each point weighted according to the ease of penetration and the consequences (to the defender) of penetration. This paper leverages this definition of an attack surface.
This attack surface measurement is generated by reasoning over models of a system. Models of the network, available defenses, and information flows that are part of the cyber mission are composed to represent the defender’s area of responsibility. Models of the adversary capabilities and available attack vectors in the system represent threats to system security. The attack vector model represents all possible adversary actions, which are combined to generate an attack graph that describes the system’s vulnerabilities. Different cyber defenses, including MTDs, disrupt different attack steps in the attack graph, reducing the number of attack paths available to the adversary to reach his goal. This attack surface measurement capability is used to reason over these models to characterize different defense configurations.
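The reasoning described above can be sketched in code. The following is an added example, not the paper's model or tooling: the hosts, attack steps, weights, defense names, and the consequence-to-effort weighting are all constructed assumptions. It builds a small attack graph, removes the steps each defense disrupts, and reports the remaining attack paths and a weighted surface measure per defense configuration.

```python
from collections import defaultdict

# Constructed attack steps: (name, from, to, attacker effort, defender consequence).
STEPS = [
    ("phish_user",   "internet",    "workstation", 2.0, 3.0),
    ("exploit_web",  "internet",    "web_server",  4.0, 5.0),
    ("reuse_creds",  "workstation", "file_server", 1.0, 6.0),
    ("pivot_dmz",    "web_server",  "file_server", 3.0, 6.0),
    ("scan_and_smb", "workstation", "db_server",   5.0, 9.0),
    ("dump_db",      "file_server", "db_server",   2.0, 9.0),
]

# Hypothetical defenses and the attack steps each one disrupts.
DEFENSES = {
    "net_shuffle":   {"scan_and_smb", "pivot_dmz"},
    "mem_randomize": {"exploit_web"},
}

def attack_paths(steps, entry, goal):
    """Enumerate every simple path (tuple of step names) from entry to goal."""
    out = defaultdict(list)
    for name, src, dst, _, _ in steps:
        out[src].append((name, dst))
    paths = []
    def walk(node, seen, trail):
        if node == goal:
            paths.append(tuple(trail))
            return
        for name, nxt in out[node]:
            if nxt not in seen:
                walk(nxt, seen | {nxt}, trail + [name])
    walk(entry, {entry}, [])
    return paths

def surface(steps, entry, goal, active=()):
    """Return (attack path count, weighted measure) for a defense configuration."""
    blocked = set().union(*(DEFENSES[d] for d in active))
    live = [s for s in steps if s[0] not in blocked]
    paths = attack_paths(live, entry, goal)
    usable = {n for p in paths for n in p}  # steps that still lie on some path
    # Assumed weighting: consequence divided by effort, summed over usable steps.
    weight = sum(c / e for n, _, _, e, c in live if n in usable)
    return len(paths), round(weight, 2)

if __name__ == "__main__":
    for cfg in [(), ("net_shuffle",), ("mem_randomize",), ("net_shuffle", "mem_randomize")]:
        print(cfg, surface(STEPS, "internet", "db_server", cfg))
```

In this constructed graph, enabling both defenses gives the same result as `net_shuffle` alone, because the step disrupted by `mem_randomize` no longer leads to the goal once `net_shuffle` is active.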
One of the limitations of building an attack surface metric as described above is the challenge of enumerating all possible attack steps available to an attacker. Attack step models must be based on known software vulnerabilities; however, vulnerabilities discovered in the future will result in new attack steps or change the attacker cost or defender consequences of an existing attack step. Any new attack step changes the attack surface measurement. Therefore, the attack step model must also account for zero-day attacks enabled by previously undiscovered vulnerabilities.
This research also addresses forecasting the number, type, and severity of zero-day vulnerabilities. This work leverages previous research on Software Vulnerability Discovery Models [4] [5] to generate zero-day forecasts; Last details the current state of this research [6].
In order to ensure the validity of the attack surface measurements, the defense models must accurately describe the performance and behavior of defenses in an active system. Characterization profiles of these defenses include an analysis of the security they provide, measurement of their impact on system resources, and their potential interoperability issues with other defenses. This process generates characterization profiles for all defenses available to a CSA. These characterization profiles, along with mission information, aid in the generation of defense configurations.