Enhancements to Threat, Vulnerability, and Mitigation Knowledge for Cyber Analytics, Hunting, and Simulations

If a hunter’s hypothesis starts from a potential target, e.g., “Our Web Servers are under attack and this will lead to Persistence,” then they will start with CVE search, looking for instances of web server vulnerabilities. Information from within CVE entries that list web server vulnerabilities potentially allows the hunter to take some actions, perhaps checking what versions are on their system. Then, the knowledge within CWE entries that are linked from these same CVE entries informs them of how to leverage tools and logging to give visibility into activities that reveal privilege escalation. As a final step, links from the CWE entry to Attack Pattern (CAPEC) and Technique informs them, e.g., to look at activity involving files that would be dangerous in the wrong hands (access control).

Let us presume that a cyber hunter acknowledges that the network perimeter has been compromised. They want to identify whether a hosted product is targeted by a specific APT tactic, such as persistence, and is vulnerable because of a particular weakness. Moreover, they want to find which Attack Patterns use any of the tactic’s techniques, weaknesses, and different vulnerabilities. They also want to know if any tools can be used to enable the tactic.

To support performing these tasks, the knowledge sources provide paths (easily traceable using BRON) that connect a Tactic to a tool for a known exploit. One finds multiple paths that link Persistence (a Tactic) to CVEs with exploits targeting Apache Struts 2 that are enabled by a Metasploit module.

One such path is (with abbreviated text):

This path in one direction is: Given an attacker’s objective is Persistence, an attack subverting environment variable values, by means of exploiting dynamic linker hijacking technique, could be used to hijack execution flow and run a malicious binary due to improper input validation weaknesses in Apache Struts 2.5.0-2.5.16 with a Metasploit module.

An interpretation of this path in the other direction is: If any of a given network’s computers are running Apache Struts 2 versions 2.5.0-2.5.16, then the administrators need to be alert for the invocation of a Metasploit module that will hijack it to execute a malicious payload that can achieve persistence by exploiting improper input validation weaknesses that allow the attack to subvert environment variable values by hijacking environment variables used by a dynamic linker to load shared libraries.

A Nash equilibrium occurs when two players are playing their best response to the strategies of their opponent(s), and no player can deviate to achieve a higher payoff. Let \((S, r)\) be a game of n players, where \(S = (S_1 \dots S_n)\) contains the strategy set \(S_i\) for each player and \(r : x \rightarrow \mathbb {R}\) is the reward function. Each player selects a strategy \(x_i \in S_i\) from their strategy set. We denote \(x_{-i}\) as the selected strategies of all other players except player i. A set of chosen strategies \(x^*\) is a Nash equilibrium if \(\forall i, x_i \in S_i, r(x_i, x_{-i}) \le r(x_i^*, x_{-i}^*)\). In other words, no player can deviate from their equilibrium strategy \(x_i^*\) and receive a higher payoff.

To find a player’s best response strategy exactly, one could draw a game tree, enumerate all possible branches, and find the optimal action via backwards induction. The problem then becomes a brute force search over the entire state space. Here, this amounts to search over all combinations of attack patterns and software patches. Heuristics such as alpha-beta pruning improve the search time by pruning branches, but solving still requires search and full knowledge of the opponent’s actions [19]. Thus, this approach becomes infeasible when the number of possible states or actions becomes too large.

Reinforcement learning (RL) consists of one or more agents acting as players who interact with an environment consisting of a set of states \(\mathcal {S}\), actions \(\mathcal {A}\), and a reward function \(r : \mathcal {S} x \mathcal {A} \rightarrow \mathbb {R}\). The goal of the agent is to maximize its reward. RL environments typically rely on the Markov assumption that the environment is essentially memoryless and that the present state and reward only depends on the previous state and action. RL agents are often evaluated based on their regret R, which is defined as \(R = \sum _{t=1}^T r_t^{\pi _t} - \sum _{t=1}^T r_t^{\pi ^*}\), where the agent acts in \(t=1 \dots T\) rounds, \(r_t^{\pi _t}\) is the average reward achieved in round t from following policy \(\pi _t\), and \(r_t^{\pi ^*}\) is the average reward achieved in round t from following the optimal policy \(\pi ^*\). Intuitively, regret is the difference in expected rewards between following the learned policy and some optimal policy \(\pi ^*\). Our works uses multi-agent RL to find best response policies of a two-player game. Our two-player game models a preventative defense in competition with a threat (attack). We call the policies or strategies of the competitions in this game “adversarial postures.”

For comparison, we use a CCA that evolves two populations using selection and variation (crossover and mutation) techniques. One population comprises attacks and the other defenses. In each generation, competitions are held by pairing an attack and a defense. CCA differs from RL models, including no need for gradient updates and value function estimation [57]. In addition, CCAs are flexible and pose few restrictions on the types of environments that may be used. We will compare CCAs to RL in terms of their abilities to find NE and the quality of their adversarial strategies (postures) at equilibrium.

We begin by detailing the modeling assumptions of the environment. We then describe each algorithm in turn and the modifications to the environment necessary for its function.

Environment. We define our simulation environment as follows:

Scenario. The scenario is that an attacker may not know the network structure before launching an attack, and the defender certainly cannot know which attack patterns will be selected. Time. The simulation proceeds in rounds. In a single round, both an attack and a defense are made simultaneously, independently, and without knowledge of the other player’s actions. At the end of the round, both players see their own reward but do not learn the other player’s actions. Attack decision. An attack is the selection of three attack patterns from the CAPEC repository [37]. There may be 0, 1, or more than 1 software configuration affected by each attack pattern. There were 546 CAPECs resulting in 162,771,336 potential combinations. Defense decision. A defense is the selection of three software configurations, as identified by CPE, to patch on the network [43]. A patch increments every instance of the particular software to the next available version, similar to how a network administrator would roll out a systemwide update. Note that there is no guarantee the upgrade will fix any security risks to particular attack patterns and may introduce new ones. We used a network with 20 unique software configurations for a total of 8,000 patch combinations. Network environment. We model an enterprise network. It contains a map between each software configuration and the number of occurrences on the network. We experimented with a single network. Reward. The reward is the sum of the CVSS scores for every software configuration on the network affected by the selected attack patterns as identified in BRON. The CVSS score is retrieved from BRON by tracing a path from a CAPEC to a CWE, and then from CWE to a CVE. The CVSS score is returned for the CPEs of the CVE that match the network. Note that this is a minimax game, so the attacker receives a positive reward with increased risk, while the defender receives the negation of that reward. The defender’s max reward is 0, while the attacker’s max reward depends on the network. Nash equilibrium strategy. A distribution over attack patterns for attacker and patches for defender that results in the average reward that is highest for attacker and lowest for defender, given the opponent’s strategy.

Competitive Coevolutionary Algorithm (CCA). Figure 2(a) shows an overview of a CCA. Each attacker–defender pair in the competition is assigned a CVSS score. Fitness is then calculated as the mean expected utility of competition scores (the average of all competitions). The populations are evolved in alternating steps: First, the attack population is selected, varied, updated, and evaluated against the defenses, and then, the same for the defense population.

We treat each population as an agent, i.e., a player or adversary of one type or the other (either attacker or defender) and its members as strategies in a mixed strategy NE [61]. This formulation has two advantages. First, the evolutionary dynamics allocate members of the population to maximize individual fitness, which in turn maximizes the collective fitness. Thus, the dynamics are present to select members of the population that approximate the optimal mixed strategy NE. Second, the mean population reward obtained from the CCA is equal to the expected reward from playing a round with a single randomly selected strategy from the population. This means we have an exact performance measure and a fair way to compare a CCA population to a single RL agent operating under its own learned distribution over actions.

Reinforcement Learning. We developed two separate OpenAI gym environments—one for each agent—and updated each with changes to the opponent’s strategy [7, 61].

We designed the action spaces of our environment to ensure compatibility with the RL algorithms, as RL algorithms can perform poorly in large discrete action spaces [12]. To handle the large number of attack pattern combinations, we converted the action space for the selection of attack pattern triplets into a continuous action space represented by a cube of edge length 2 centered at the origin. The agent’s action was represented by the selection of a coordinate within this cube. To convert this point into three attack patterns, we partitioned each axis into equal-sized intervals, with each interval representing a single attack pattern. Thus, we could determine the attack pattern \(c(x_i)\) for coordinate \(x_i\) of dimension i by taking \(c(x_i) = \mathbf {\alpha } [ \lfloor \frac{\scriptstyle x_i + 1}{\scriptstyle 2} |\mathbf {\alpha }| \rfloor ]\), where \(\mathbf {\alpha }\) is some zero-indexed list of CAPECs, \(|\mathbf {\alpha }|\) denotes the cardinality of the list, and \(\mathbf {\alpha }[i]\) denotes the ith element of list \(\mathbf {\alpha }\). Note that this is equivalent to partitioning the size-2 cube into \(|\mathbf {\alpha }|^3\) smaller cubes of side length \(2/|\mathbf {\alpha }|\), where each represents a unique combination of 3 CAPECs.

Our MARL training algorithm is shown in Figure 2(b). We trained both the attack and defense agents in an alternating schedule using a single environmental sample (batch size of 1) for each agent per episode. Each agent would learn using an environmental sample, update its internal model, make a prediction, and update their opponent’s reward function based on their adversarially chosen action. Our training algorithm is presented in Algorithm 1.

The experimental details are in Appendix A.4. The MARL and CCA attack agents achieved markedly similar equilibria (see Figure 3) when searching for attack patterns and defensive postures in the form of patches. Our results suggest that not only with MARL, but also with the CCA, the exploration-exploitation tradeoff seems to be a key factor for determining an agent’s convergence towards a possible equilibria. This suggests that, for each algorithm, there is an optimal ratio of exploration versus exploitation; this ratio is based on the quality of the samples drawn through random chance. Each algorithm has its own method for approaching this tradeoff, but the hyperparameter tuning can have a significant impact on the final outcome. For example, we investigate the breadth of threat behavior, in the form of attack patterns (CAPECs), the defensive postures have been evaluated against with the different ML methods. We observed that the CCA’s attacker used 108 unique CAPECs while the MARL attacker used 248.

This demonstration and comparison of ML for NE identification and modeling simulation for finding and evaluating defensive postures used the BRON property graph to find paths from attack patterns (CAPECs) to vulnerabilities (CVEs).

Next, we will show how supervised ML can be used to infer novel cybersecurity knowledge in the form of relationships between data sources.

We create a workflow for each relationship (see Figure 5). Each workflow is the same, except it integrates different, optimally selected, Language Embedding Models and classifiers from a preliminary training and testing stage. In this stage, we take three steps to obtain the machine learning components of a workflow and note what neighboring and indirect text entries will be used. A summary of this supervised training stage (details in Section 4.1.2) is:

After training, using F1 measures obtained from test data, we select the best set of four classifiers and Language Embedding Models, noting the record format of each dataset used in training the selected models. These are inserted at the beginning of the workflow for working with unlabeled data.

The workflow progresses with inputs assembled like the records of the noted training dataset. We exhaustively sample pairs of entries that are not linked and trace their other cross-source links to match the dataset’s. These pairs are encoded and passed to the classifiers, one per Language Embedding Model. Each classifier outputs the probability of the pair being linked by the relationship. The curator tunes the classifier parameters to obtain some quantity of candidate linked pairs from each classifier (4. in Figure 5). The candidates from all classifiers are then combined according to how a curator decides how to rank them (here, it is ordered by the sum of probabilities). The curator then sets a threshold and passes ranked candidates above it to experts.

The experts label (5. in Figure 5) the candidates using their text descriptions as a starting point for their assessment. Their labels are: Unlinked, no relationship between the two entries. Interesting, the relationship is not certain, yet interesting. Linked, there is a relationship between the two entries.

Finally, the curator derives a final label from consensus rules using the experts’ labels (6.). Here, we use the curation rules: Implausible (IM): All expert labels are Unlinked. Interesting (IN): All expert labels are either Interesting or Linked, and not all are Linked. Plausible (P): All expert labels are Linked. Undecided (U): All candidates not one of IM, IN, P.

The supervised training is the steps 1.,2.,3. in Figure 5.

(1) – Dataset construction. A dataset “Neighbors,” denoted by N, is drawn from the two sources (collections) with directly linked entries. It is an aggregation of positively labeled, directly linked entries and negatively labeled pairs of entries (one from each source) that have no link between them. Because we do not know how much direct and indirect textual information best informs link inference, we designate sources (collections) in BRON as offensive (O), defensive detection (D), and mitigations (M). This allows us to create four additional datasets by following directly linked “neighbor” (N) entries’ external links to collect additional text entries that may help with inferring the relationship. Details are in Table 5.

(2) – Encode Text Entries in Records. For each of a dataset’s exemplars, we extract the text as one (concatenated) segment and tokenize it. Tokenization includes word stemming, removal of common or connecting words [24]. Because the meaning of the text is critical to inferring a relational link, we use four different Language Embedding Model s to explore feature representations. For choosing the Language Embedding Model, we consider whether the embeddings capture context in text, word meaning (semantics), dimensionality, and training requirement (see Table 6). The Language Embedding Models are Bag-of-Words (BoW), GloVE, BERT, and a BERT fine-tuned on BRON’s domain-specific text, F-BERT. In Section 4.2, we provide additional details on how we used these Language Embedding Models. Each Language Embedding Model yields an updated dataset replacing the text with numerical features as input to a classifier.

(3) – Train One Classifier per Encoding. For each dataset and each Language Embedding Model, we train a RandomForestClassifier from Scikit-learn [49] to infer link probability. The random forest is a meta estimator that fits a number of decision trees on sub-samples of the dataset and uses averaging to improve the predictive accuracy and reduce over-fitting.

Table 7 shows the results of training the classifiers for each relationship, Language Embedding Model, and dataset. At this stage, we had, for each relationship, a set of 4 Language Embedding Models used to express 5 different sets of text knowledge, 20 in total. Each of these 20 experiments culminated in the training of its own RandomForestClassifier and was repeated 100 times. Since we are interested in picking a high-performing trained classifier for our workflow, we select (and report) the best results from testing in Table 7. We see that there is a difference for both Language Embedding Model and dataset for each relation. The best technique uses attack-pattern model is the lowest performing among all five relationship models. The best countermeasure alleviates technique model is superior among all five relationships models. In close second is the best weakness allows vulnerability model. The Language Embedding Model that supports the most best-models is GloVE (from spaCy).

The datasets used in training for these best-models varied depending on the relationship. Over all relationships, NOM is used 6 times (out of 20), NOM and NOMD 5 times, and N (just the text of the pairs of entries) only once. Recall that O represents links to offensive entries. Every relationship had at least one Language Embedding Model that used cross-source entries linked to Offensive entries, however, different combinations of datasets were used in different relationships. This points to the importance of considering multiple options for features and Language Embedding Models.

We next use the workflow of each relationship, acting as the curator. For each relationship, we tune a threshold, C, in the RandomForestClassifier s provide \(\approx 10\) candidates from each workflow classifier. We combine the candidates of the four models and sort them by their probabilities. Then, we down select to the top 10. Finally, we pass these 10 candidates to four experts: \(E_1,E_2,E_3,E_4\). The experts have varying academic and industrial cyber security, hunting, and Security Operation Center experience. They were presented with the text of the candidates’ entries and links to the URLs of the entries. They could also do their own research regarding the proposed entries and the relationship.

Again, acting as the curator, we set up the consensus rules for the final label of the relationship. Our rules are the strict ones stated at the end of Section 4.1.1. Table 8 provides a count of candidates by each final consensus label for each relationship. For three relationships, there was at least one candidate that was Plausible. weakness enables attack-pattern and engagement counters technique yielded the highest number of Plausible candidates. weakness enables attack-pattern and technique uses attack-pattern relationships had the highest number of Interesting candidates. weakness allows vulnerability and technique uses attack-pattern each had a few Implausible candidates. There were no plausible or interesting candidates for the countermeasure alleviates technique relationship. This is reasonable, because D3FEND entries are known to be directly mapped to Techniques [30].

Table 9 shows pairs of candidate entries with plausible or interesting consensus labels, how the experts rated them, and the final label. Overall, the examples and counts indicate the framework can yield Plausible or Interesting candidates. Another way to put the results in context is to examine the impact of a new plausible link. We found that the new plausible link for engagement counters technique, between Artifact Diversity (EAC0022) and System Owner/User Discovery (T1033), offers up another possible mitigation to the BeagleBoyz APT.⁹

Acting as cyber hunters, we next explored using the workflow’s results. We consult the 2020 Common Weakness Enumeration (CWE)Top 25 Most Dangerous Software Weaknesses list [40] and see whether any plausible link that the workflow identified would be relevant to any weakness on the list. The list is compiled by MITRE and highlights “the most frequent and critical errors that can lead to serious vulnerabilities in software” [40]. For example, an attacker can exploit these weaknesses to take control of a system, obtain sensitive information, or cause a denial-of-service. BRON already provides the ability to trace ATT&CK techniques that are relationally linked to the top 25 CWEs and mitigations and detections, not only the ones in the CWE, CVE, and CAPEC data sources.

We started by checking how much relational knowledge was already linked to the CWEs in the Top 25 list. We found that all Top 25 CWEs of 2020 have CWE mitigation text, but mitigations along the path of indirectly linked entries are not available. Specifically:

(a) Only six CWE entries are connected to ATT&CK techniques, only four are connected externally to D3FEND entries, and only five to Engage. (b) Seven CWE entries have no CWE detection. (c) Only three CWE entries are not connected to attack patterns. (d) Only CWE-200 is connected to all the BRON sources. (e) One CWE, CWE-416, has just two mitigations in total.

That these critical weaknesses are supported only by a sparse set of relational knowledge increases the relevance of potential undetected links. We therefore tried relationship inference on the top 25 CWEs. For each CWE and the text in BRON, we obtained from the best RandomForestClassifier the probability of links between currently unlinked weaknesses and other entries. We then compared the links that were assessed with high probability to the ones labeled by our experts. We found that four overlap: two direct relationships with CAPECs, e.g., Improper Authentication enables Reusing Session IDs (a.k.a. Session Replay), and two indirect relationships, both Engagecounters Technique relationships. Table 9 highlights the rows of these relevant undetected relationships. Repeating our process, these findings were valid for the top 25 CWEs for 2021, which only differ in three CWE entries.¹⁰

We have investigated how cybersecurity information can help finding, comparing, and improving cybersecurity information.

Next, we present a discussion regarding the comparison of cybersecurity information, ML inference of novel relationships, and ML for finding defensive postures.

Formally, BRON is a graph \(G = (N, E)\), N are nodes, and E are edges. Both nodes and edges can have labels. Nodes, N, are denoted based on data source name l and category c, \(l^c\), e.g., \(\tau ^ o\) is the data source tactic (\(\tau\)) that is of the type offensive (O). The source category c can be: Offensive O, Mitigative \(M,\) or Detection D, \(c \in \lbrace O, M, D\rbrace\). The data source name l can be: Tactics \(\tau\), Techniques \(\epsilon\), Attack Patterns \(\alpha\), Weakness \(\omega\), Vulnerabilities \(\nu\), Exploits \(\chi\), Mitigations \(\delta\), Engagements \(\eta\), Analytics \(\kappa\), \(l \in \lbrace \tau , \epsilon , \alpha , \omega , \nu , \chi , \delta , \eta , \kappa \rbrace\) (see Table 12).

Edges are bidirectional between nodes; see Figure 6 for edges that exist in the data sources. The number of possible edges between nodes is \(|N_i| \times |N_j|\) when \(N_i \ne N_j\).

The information in the BRON property graph is as accurate as the links in the public data sources that it relies on.

Table 12 shows symbols, information sources and types, organization and description of the selected knowledge sources. It is visualized with an example in Figure 7.