Abstract

The unprecedented increase in the number and sophistication of cyber-attacks (e.g., advanced persistent threats, or APTs for short) has called for effective and efficient threat-hunting techniques and robust security defenses. Various events (host level or network level) can be readily captured today, and analyzing such events can offer great insight into both ongoing attacks and the security posture of the system under protection. This dissertation presents a distributed hierarchical event monitoring agent architecture to facilitate two important aspects of cyber defense: efficient threat hunting and the enforcement assessment of critical security controls (CSCs).

Efficient and Scalable Threat Hunting. Although end hosts and networking devices can record all benign and adversarial actions and use them for threat hunting, it is infeasible to monitor everything. The existing centralized threat-hunting approach continuously collects monitored logs and transfers them to a central server, which incurs high memory usage and communication overhead and thus creates scalability issues on the monitored network. Besides, matching single events on end-host devices to detect attacks generates false alerts, causing the alert fatigue problem. To overcome the limitations of existing tools and research works (i.e., monitoring everything, memory requirements, communication overhead, and many false alerts), this dissertation presents a distributed hierarchical monitoring agent architecture. This architecture detects attack techniques at the agent level, classifies events as composite or primitive, and disseminates detected attack techniques or subscribed event information to upper-level agents or managers. This solution advances current threat-hunting methodologies through hierarchical event-filtering-based monitoring, significantly enhancing the scalability of monitoring tasks and reducing memory usage and communication overhead without compromising the accuracy of state-of-the-art centralized threat-hunting approaches. Our evaluation on both simulated attack use cases and the DARPA OpTC attack dataset shows that the proposed approach reduces communication overhead by 43% to 64% and memory usage by 45% to 60% compared with centralized threat-hunting approaches, while enabling local decision-making and maintaining the same threat-hunting accuracy as state-of-the-art centralized approaches.

CSC Enforcement Assessment. Organizations like NIST (National Institute of Standards and Technology) and CIS (Center for Internet Security) provide cyber security frameworks (CSFs) and critical security controls (CSCs) as best-practice guidelines to enforce cybersecurity and defend against attacks. These guidelines use well-defined measures and metrics to validate the enforcement of the CSCs. However, analyzing the implementations of security products to validate CSC enforcement is non-trivial. First, the guidelines are not fixed, so that they can adapt to the evolution of attack techniques. Second, manually developing measures and metrics to monitor, and implementing those monitoring mechanisms, are resource-intensive tasks that depend heavily on the security analyst's expertise and knowledge. To tackle those problems, we use large language models (LLMs) as a knowledge base and reasoner to extract measures, metrics, and detailed steps of the monitoring mechanism implementation from CSC descriptions, reducing the dependency on human expertise. Our approach uses few-shot learning with chain-of-thought prompting to generate measures and metrics, and then generated-knowledge prompting for metric implementation on top of our distributed hierarchical monitoring agent architecture. Our evaluation shows that using LLMs to extract measures, metrics, and monitoring implementation mechanisms can reduce dependency on humans and semi-automate the extraction process. We also demonstrate metric implementation steps using generated-knowledge prompting with ChatGPT.
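As an added illustration of the hierarchical event-filtering idea the abstract describes (this is not code from the dissertation, which this record only abstracts), the following Python simulation runs the same constructed event stream through a centralized design, where every host forwards every raw event to the manager, and through a hierarchical design, where each host agent matches primitive events into composite "technique" events locally and forwards only those detections plus events the manager has subscribed to. The event stream, the rule named script-then-egress, the window size and the subscription set are all constructed for this example; the message and memory counts it reports apply to this toy stream only and are not the dissertation's measured figures.

```python
"""Toy comparison of centralized vs. hierarchical event-filtering threat hunting.

Added illustration, not code from the dissertation. Event stream, rule,
window and subscription set are constructed for this example; the technique
name "script-then-egress" is hypothetical.
"""
from collections import defaultdict, deque

# Constructed host-level events: (seq, host, event_type, detail).
EVENTS = [
    (1, "h1", "process_create", "powershell.exe"),
    (2, "h1", "file_write", "C:\\Temp\\payload.tmp"),
    (3, "h2", "process_create", "explorer.exe"),
    (4, "h1", "net_connect", "203.0.113.7:443"),
    (5, "h2", "auth_failure", "bob"),
    (6, "h2", "process_create", "powershell.exe"),
    (7, "h3", "file_write", "/var/log/syslog"),
    (8, "h2", "net_connect", "198.51.100.9:8080"),
    (9, "h3", "process_create", "bash"),
    (10, "h3", "net_connect", "192.0.2.4:22"),
]

# A composite event (attack technique) is an ordered sequence of primitive
# event keys seen on the same host within a sliding window of WINDOW events.
# Hypothetical rule: a scripting host is launched, then an outbound connection follows.
RULES = {
    "script-then-egress": ("process_create:powershell.exe", "net_connect"),
}
WINDOW = 5

# Primitive event types the manager subscribes to even when no technique matches.
SUBSCRIPTIONS = {"auth_failure"}


def keys(event):
    """Both keys a rule step may name for one primitive event: 'type' and 'type:detail'."""
    _, _, etype, detail = event
    return (etype, f"{etype}:{detail}")


def match_rules(buffer, rules):
    """Return names of techniques whose steps all appear, in order, in buffer (oldest first)."""
    hits = []
    for name, steps in rules.items():
        idx = 0
        for ev in buffer:
            if steps[idx] in keys(ev):
                idx += 1
                if idx == len(steps):
                    hits.append(name)
                    break
    return hits


def centralized(events, rules, window=WINDOW):
    """Every host ships every raw event; only the manager buffers and matches.

    Returns (detections, messages_sent_to_manager, peak_manager_buffer_size).
    """
    buffers = defaultdict(lambda: deque(maxlen=window))  # per-host windows, held at the manager
    detections, messages, peak_memory = [], 0, 0
    for ev in events:
        messages += 1  # one transfer per raw event
        host = ev[1]
        buffers[host].append(ev)
        peak_memory = max(peak_memory, sum(len(b) for b in buffers.values()))
        for name in match_rules(buffers[host], rules):
            detections.append((host, ev[0], name))
            buffers[host].clear()  # consume the matched window to avoid duplicate alerts
    return detections, messages, peak_memory


def hierarchical(events, rules, subscriptions=SUBSCRIPTIONS, window=WINDOW):
    """Each host agent buffers and matches locally; only detections and subscribed events go up.

    Returns (detections, messages_sent_to_manager, peak_manager_store_size).
    """
    buffers = defaultdict(lambda: deque(maxlen=window))  # per-host windows, held on each host
    detections, messages, peak_memory = [], 0, 0
    manager_store = []
    for ev in events:
        host = ev[1]
        buffers[host].append(ev)  # raw event stays in host-local memory
        if ev[2] in subscriptions:
            messages += 1
            manager_store.append(ev)
        for name in match_rules(buffers[host], rules):
            messages += 1  # one composite report instead of N raw events
            detections.append((host, ev[0], name))
            manager_store.append((host, ev[0], name))
            buffers[host].clear()
        peak_memory = max(peak_memory, len(manager_store))
    return detections, messages, peak_memory


if __name__ == "__main__":
    for label, fn in (("centralized", centralized), ("hierarchical", hierarchical)):
        det, msgs, mem = fn(EVENTS, RULES)
        print(f"{label:12s} detections={len(det)} messages={msgs} peak_manager_memory={mem}")
```

Both designs produce the same two detections on this stream, which is the property the abstract calls preserving accuracy; the hierarchical run sends three messages to the manager instead of ten and the manager holds at most three items instead of five. The caveat a practitioner would check before adopting such a design is the subscription set: any primitive event type the manager is not subscribed to and that no local rule consumes never leaves the host, so cross-host correlations must be expressed either as subscriptions or as rules pushed down to the agents.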
