DOI: 10.1145/3465481.3470475
Research article

Integrating Security Behavior into Attack Simulations

Published: 17 August 2021

Abstract

The increase of cyber-attacks raised security concerns for critical assets worldwide in the last decade, leading to more effort being spent on improving cyber security among companies and countries. For the sake of enhancing cyber security, the representation and testing of attacks is of prime importance in understanding system vulnerabilities. One of the available tools for simulating attacks on systems is the Meta Attack Language (MAL), which allows representing the effects of certain cyber-attacks. However, understanding the component vulnerabilities alone is not enough to secure enterprise systems. Another important factor is the ‘human’, which constitutes the biggest ‘insider threat’. For this, Security Behavior Analysis (SBA) helps to understand which system components might be directly affected by the ‘human’. As such, in this work, the authors present an approach for integrating user actions, so-called “security behavior”, by mapping SBA to a MAL-based language through MITRE ATT&CK techniques.




Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021, 1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Attack Simulations
  2. Integration
  3. Security Behavior

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2023) Cloud Security Requirement Based Threat Analysis. 2023 International Conference on Computing, Networking and Communications (ICNC), 506–510. https://doi.org/10.1109/ICNC57223.2023.10074275. Online publication date: 20 Feb 2023.
  • (2022) Distributed Attack Deployment Capability for Modern Automated Penetration Testing. Computers 11(3), 33. https://doi.org/10.3390/computers11030033. Online publication date: 23 Feb 2022.
  • (2022) Securing Communication and Identifying Threats in RTUs: A Vulnerability Analysis. Proceedings of the 17th International Conference on Availability, Reliability and Security, 1–7. https://doi.org/10.1145/3538969.3544483. Online publication date: 23 Aug 2022.
  • (2022) Multi-labeling of complex, multi-behavioral malware samples. Computers and Security 121:C. https://doi.org/10.1016/j.cose.2022.102845. Online publication date: 1 Oct 2022.
  • (2022) A Multi-level Cyber-Security Reference Model in Support of Vulnerability Analysis. Enterprise Design, Operations, and Computing, 19–35. https://doi.org/10.1007/978-3-031-17604-3_2. Online publication date: 3 Oct 2022.
  • (2022) Analyzing Enterprise Architecture Models by Means of the Meta Attack Language. Advanced Information Systems Engineering, 423–439. https://doi.org/10.1007/978-3-031-07472-1_25. Online publication date: 6 Jun 2022.
  • (2021) A-DEMO: ATT&CK Documentation, Emulation and Mitigation Operations. Proceedings of the 25th Pan-Hellenic Conference on Informatics, 328–333. https://doi.org/10.1145/3503823.3503884. Online publication date: 26 Nov 2021.
