Breaking the Cyber Kill Chain by Modelling Resource Costs

Haga, Kristian

Haga, Kristian

Master thesis

View/Open

no.ntnu:inspera:57320302:24098513.pdf (21.18Mb)

URI

https://hdl.handle.net/11250/2777681

Date

2020

Metadata

Show full item record

Collections

Institutt for datateknologi og informatikk [7453]

Abstract

Denne oppgaven presenterer Resource Cost Model (RCM) - Ressurs Kost Model - en modelleringsteknikk for å estimere kostnadene av å gjennomføre et cyberangrep. Kostnaden estimeres fra de nødvendige ressursene til angrepet. RCM kombinerer den stegvise Cyber Kill Chain og angrepstrær for å assosiere hver ressurs til en fase av cyberangrepet. Nøkkelkonseptet til RCM er at for å utføre et angrep må angriperen anskaffe alle ressursene til hvert steg i kill chain'en. Hvis den forsvarende part klarer å utilgjengeliggjøre én enkelt ressurs, brytes kill chain'en og angrepet kan ikke gjennomføres. Videre, ut i fra egenskaper ved de identifiserte nødvendige ressursene og den estimerte kostnaden, foreslår RCM et sett av mulige angrepsprofiler basert på en ressursbasert profileringsmetodologi.

Kristian Haga har utført forskningen veiledet av professor Guttorm Sindre og seniorforsker Per Håkon Meland.

En short paper basert på arbeid i denne oppgaven har blitt fagfellevurdert og akseptert til ”The Seventh International Workshop on Graphical Models for Security (June 22, 2020)” og vil bli publisert i Lecture Notes i Computer Science serien av Springer. Et pre-print av short paper'en kan leses i Appendix A.

The thesis presents the Resource Cost Model (RCM), a modelling approach to estimate the costs to an attacker to launch a cyberattack. The cost is estimated from the required resources of the attack. RCM combines the stagewise Cyber Kill Chain and attack trees to associate each resource with a phase in the cyberattack. The key concept of RCM is that to launch an attack the adversary must acquire all resources at each stage in the kill chain. If the defending party is able to deny the attacker access to a single resource, the kill chain is broken and the entire attack is mitigated. Further, from the properties of the identified required resources and the derived estimated cost, RCM suggests a set of probable attacker profiles through its resource based cybercriminal profiling methodology.

Kristian Haga has conducted the research supervised by Professor Guttorm Sindre and Senior Researcher Per Håkon Meland. Lead supervisor Sindre has monitored the research process, while co-supervisor Meland has provided feedback and advice.

A short paper based on work from this thesis was peer-reviewed and accepted for ”The Seventh International Workshop on Graphical Models for Security (June 22, 2020)” and it will be published in Lecture Notes in Computer Science series by Springer. A pre-print of the short paper can be viewed in Appendix A.

Publisher

NTNU