Active Cyber Defense Planning and Orchestration
Recent data breaches, in which hundreds of terabytes of highly sensitive national, financial, and personal information were stolen from a wide range of organizations, show the asymmetric disadvantage that defenders face against cyber attackers. Modern attackers are well organized, highly stealthy, and remain persistent in a network for years, which is why they are known as advanced persistent threats (APTs). Existing detection- and prevention-based cyber defense techniques typically look for specific, known attack signatures, descriptions, and behaviors. APT attackers can evade such techniques through reconnaissance, fingerprinting, and social engineering. It is often very challenging, and sometimes infeasible, for defenders to prevent the adversary's information gathering and to patch every vulnerability in the system. A proactive defense approach is therefore needed to break this asymmetry, and Active Cyber Defense (ACD) is a promising paradigm for doing so. ACD can proactively mislead adversaries and creates a unique opportunity to engage with them and learn new attack tactics and techniques; it thereby enhances real-time detection, analysis, and mitigation of APT attacks. ACD can be achieved through cyber agility and cyber deception. Cyber agility, such as moving target defense (MTD), enables cyber systems to defend proactively against sophisticated attacks by dynamically changing system configuration parameters (called mutable parameters) in order to deter adversaries from reaching their goals.
Cyber deception, on the other hand, is an intentional misrepresentation of the system's ground truth in order to manipulate the adversary's actions. Although cyber deception and MTD have been around for more than a decade, static configurations and a lack of automation have made many existing techniques easy for attackers to discover and too expensive to manage, which diminishes the value of these technologies. Sophisticated APTs are highly dynamic and therefore require a highly adaptive, embedded defense that can dynamically create honey resources and orchestrate the ACD environment according to the adversary's behavior in real time.

To overcome these challenges, this dissertation introduces an autonomous, resilient ACD framework with the following aspects: (1) multistrategy ACD policies that leverage an optimal dynamic composition of various MTD and deception techniques to maximize defense utility; (2) a policy specification language and an extensible, rich API, integrated with a synthesis engine, for developing different MTD techniques without having to deal with low-level network and system configuration management; and (3) a theoretical framework and implementation of an autonomous, goal-oriented cyber deception planner that optimizes deception decision-making.
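The interplay between agility and deception described above can be seen in a small simulation. This is an added example, not code from the dissertation or its framework: a scheduler moves each real host to a fresh address every round (address mutation as one kind of mutable parameter, with a reuse window so a burned address is not handed back out immediately), and the defender places honey listeners on the addresses the hosts just vacated, so that probes driven by a stale reconnaissance snapshot land on decoys instead of real hosts. The host names, address pool, reuse window and decoy budget are constructed for illustration.

```python
"""Toy Active Cyber Defense loop: address mutation (MTD) coupled with decoy
placement (deception). Constructed example; not the dissertation's code."""
import random
from collections import deque


class MutationScheduler:
    """Assigns each real host an address from `pool` and re-randomises the
    assignment on every mutate() call. An address a host leaves stays
    'burned' for `reuse_window` rounds, so a reconnaissance snapshot taken
    before a mutation cannot simply be replayed against the same address."""

    def __init__(self, hosts, pool, reuse_window=2, seed=0):
        # Worst case, reuse_window rounds of vacated addresses are blocked,
        # and we still need len(hosts) free ones.
        if len(pool) < len(hosts) * (reuse_window + 1):
            raise ValueError("address pool too small to honour reuse_window")
        self.hosts = list(hosts)
        self.pool = list(pool)
        self.reuse_window = reuse_window
        self.rng = random.Random(seed)      # seeded for reproducibility
        self.burned = deque()               # sets of vacated addresses, oldest first
        self.assignment = {}                # host -> current address
        self.mutate()

    def mutate(self):
        """Move every host to an address that is neither live nor burned.
        Returns the set of addresses that were just vacated."""
        vacated = set(self.assignment.values())
        self.burned.append(vacated)
        while len(self.burned) > self.reuse_window:
            self.burned.popleft()
        blocked = set().union(*self.burned)
        candidates = [a for a in self.pool if a not in blocked]
        chosen = self.rng.sample(candidates, len(self.hosts))
        self.assignment = dict(zip(self.hosts, chosen))
        return vacated


def place_decoys(vacated, budget):
    """Deception step: put honey listeners on the addresses real hosts just
    left (up to `budget` of them), i.e. exactly where stale intel points."""
    return set(sorted(vacated)[:budget])


def reconnaissance(scheduler):
    """Attacker's snapshot of the live address map (what a scan reveals)."""
    return dict(scheduler.assignment)


def classify_probes(snapshot, scheduler, decoys):
    """Outcome of probing each address from the snapshot after the defender
    has mutated: 'hit' (a real host answers), 'decoy', or 'miss' (nothing)."""
    live = set(scheduler.assignment.values())
    outcome = {}
    for host, addr in snapshot.items():
        if addr in live:
            outcome[host] = "hit"
        elif addr in decoys:
            outcome[host] = "decoy"
        else:
            outcome[host] = "miss"
    return outcome


def simulate(rounds=5, hosts=("web", "db", "auth"), pool_size=16,
             decoy_budget=3, seed=7):
    """Run `rounds` scan/mutate/attack cycles and tally the probe outcomes.
    Constructed hosts and a 16-address pool stand in for a real network."""
    sched = MutationScheduler(hosts, range(pool_size), reuse_window=2, seed=seed)
    tally = {"hit": 0, "decoy": 0, "miss": 0}
    for _ in range(rounds):
        snapshot = reconnaissance(sched)      # attacker scans ...
        vacated = sched.mutate()              # ... defender mutates first ...
        decoys = place_decoys(vacated, decoy_budget)
        for result in classify_probes(snapshot, sched, decoys).values():
            tally[result] += 1                # ... then the attack lands
    return tally


if __name__ == "__main__":
    print("decoys cover every vacated address:", simulate())
    print("no decoys, mutation only:          ", simulate(decoy_budget=0))
```

With enough decoys every stale probe is answered by a honey listener, which is where the engagement and intelligence-gathering value of ACD comes from; with mutation alone the probes simply miss, which denies the attacker but tells the defender nothing. The reuse window is the caveat worth keeping in mind when sizing the mutable parameter space: the pool must hold at least hosts × (window + 1) values or mutation cannot honour it.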