Cyberattacks today have become so sophisticated that some degree of compromise in any large system is nearly impossible to prevent. Defenders of critical systems consequently aim not at complete control of their computing resources, but at maximal control. FlipIt is a simple game that models cybersecurity in its contemporary form as an ongoing territorial battle between an attacker and a defender. The game provides a structure for detailed analysis and optimization of defensive strategies, and a mathematically rigorous contribution to the fledgling science of cybersecurity.
- Download: FLIPIT: The Game of "Stealthy Takeover"
- Download: Prof. Ron Rivest's CRYPTO '11 invited talk on FlipIt
- Download: Defending Against the Unknown Enemy: Applying FLIPIT to System Security
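The following simulation is an added illustration of the territorial-battle idea described above; it is not code from the FlipIt paper or from RSA Labs. It assumes the published FlipIt rules: two players, a defender D and an attacker A, may each "flip" a shared resource at any time, paying a fixed cost per flip; whoever moved last holds control; a player's benefit is the fraction of time it held control minus its flip cost per unit time. The periodic strategies, the horizon, the costs and the tie-break rule (simultaneous moves resolve in the defender's favour) are assumptions chosen for the example, and the defender's "optimize the refresh period" search is the kind of analysis the game is meant to support (for instance, choosing a key-rotation or password-reset interval).

```python
"""FlipIt-style control simulation (added example, not the paper's code).

Assumed rules: defender D starts in control; each move hands control to the mover;
benefit = fraction of time in control - (cost per flip * number of flips) / horizon.
"""


def periodic_moves(period, phase, horizon):
    """Flip times of a periodic player: phase, phase + period, ... below the horizon."""
    t, moves = phase, []
    while t < horizon:
        moves.append(t)
        t += period
    return moves


def control_fractions(defender_moves, attacker_moves, horizon):
    """Fraction of [0, horizon) held by D and by A given each side's flip times.

    Simultaneous flips sort as ("A" before "D"), so the defender is processed
    last and keeps control: an assumed tie-break rule for this example.
    """
    events = sorted([(t, "D") for t in defender_moves if 0 <= t < horizon]
                    + [(t, "A") for t in attacker_moves if 0 <= t < horizon])
    owner, last_t = "D", 0.0
    held = {"D": 0.0, "A": 0.0}
    for t, mover in events:
        held[owner] += t - last_t          # credit the current holder up to this flip
        owner, last_t = mover, t           # the mover now holds the resource
    held[owner] += horizon - last_t        # credit the final holder to the horizon
    return held["D"] / horizon, held["A"] / horizon


def evaluate(d_period, d_phase, a_period, a_phase, horizon, d_cost, a_cost):
    """Net benefit of each side when both play periodic strategies."""
    d_moves = periodic_moves(d_period, d_phase, horizon)
    a_moves = periodic_moves(a_period, a_phase, horizon)
    d_frac, a_frac = control_fractions(d_moves, a_moves, horizon)
    return {
        "defender_control": d_frac,
        "attacker_control": a_frac,
        "defender_benefit": d_frac - d_cost * len(d_moves) / horizon,
        "attacker_benefit": a_frac - a_cost * len(a_moves) / horizon,
    }


def best_defender_period(candidates, d_phase, a_period, a_phase, horizon, d_cost, a_cost):
    """Pick the defender refresh period with the highest net benefit against a fixed
    periodic attacker: flipping too often wastes cost, too rarely cedes control."""
    scored = [(evaluate(p, d_phase, a_period, a_phase, horizon, d_cost, a_cost)
               ["defender_benefit"], p) for p in candidates]
    best_benefit, best_period = max(scored)
    return best_period, best_benefit


if __name__ == "__main__":
    # Constructed scenario: attacker flips every 2 time units starting at t = 0.75.
    for period in (0.5, 1, 2):
        print(period, evaluate(period, 0.0, 2, 0.75, 10, 0.1, 0.1))
    print("best defender period:", best_defender_period([0.5, 1, 2], 0.0, 2, 0.75, 10, 0.1, 0.1))
```

Running the block prints the control split and net benefit for three defender refresh periods against the same attacker, then the period that maximizes the defender's benefit; changing the costs or the attacker's period shows how the optimal defensive cadence shifts.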
Advanced Persistent Threat
An Advanced Persistent Threat (APT), in industry terminology, is a sophisticated, targeted attacker or attack against a computing system containing a high-value asset or controlling a physical system. Detecting APTs is a non-trivial task, since the attacker can constantly modify and adapt its tactics to exploit a particular organization or entity. At RSA Labs, researchers are developing new anomaly detection frameworks applicable to previously unknown attacks.
A characteristic of an APT is that it is not a vector of attack or playbook of tactics, but rather a campaign. Attackers are by no means bound by a formula or technology. To caution against overly narrow characterization of APTs, we illustrate potential strategies of deception and evasion available in this setting by appealing to the stories of Sherlock Holmes by Sir Arthur Conan Doyle.
- Sherlock Holmes and the case of the advanced persistent threat, Ari Juels and Ting-Fang Yen, in 5th USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET), April 2012.
We apply an analytical approach to study peer-to-peer botnets using graph models from network theory. Each node in the graph represents an infected host, and edges reflect communications between the hosts. Measuring a botnet's "usefulness" by various graph properties, we evaluate the effectiveness of recommended botnet takedown strategies. Our results show that certain network structures allow the botnet to be resilient to takedown attempts, and to recover quickly after a fraction of nodes are removed.
- Revisiting Botnet Models and Their Implications for Takedown Strategies, Ting-Fang Yen, Michael K. Reiter, in First Conference on Principles of Security and Trust (POST), March 2012.
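The following is an added example of the graph-model evaluation described above; it is not code from the POST paper. Hosts are graph nodes and communication links are edges, the "usefulness" metric is the share of the original bots still in the largest connected component after a takedown, and two constructed topologies (a centralised hub-and-spoke botnet and a decentralised ring-lattice peer-to-peer botnet) are compared under two takedown strategies (remove the highest-degree hosts, or remove hosts at random). The topologies, the metric and the strategies are assumptions chosen for illustration.

```python
"""Botnet takedown evaluation on graph models (added example, not the paper's code)."""
from collections import deque
import random


def star_botnet(n_leaves):
    """Centralised botnet: one command node (0) talks to every other host."""
    adj = {0: set(range(1, n_leaves + 1))}
    for leaf in range(1, n_leaves + 1):
        adj[leaf] = {0}
    return adj


def ring_lattice_botnet(n, k=2):
    """Decentralised P2P botnet: each host peers with its k nearest hosts on each side."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k + 1):
            adj[i].add((i + d) % n)
            adj[i].add((i - d) % n)
    return adj


def largest_component_size(adj):
    """Size of the largest connected component, found by breadth-first search."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            u = queue.popleft()
            size += 1
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
        best = max(best, size)
    return best


def largest_component_fraction(adj):
    """Share of current hosts that sit in the largest component (0 for an empty graph)."""
    return largest_component_size(adj) / len(adj) if adj else 0.0


def remove_nodes(adj, victims):
    """Graph left after the given hosts are cleaned or sinkholed."""
    victims = set(victims)
    return {u: {v for v in nbrs if v not in victims}
            for u, nbrs in adj.items() if u not in victims}


def degree_targeted(adj, count):
    """Takedown strategy: remove the most-connected hosts first (ties by node id)."""
    ranked = sorted(adj, key=lambda u: (-len(adj[u]), u))
    return ranked[:count]


def random_takedown(adj, count, seed=0):
    """Takedown strategy: remove hosts chosen uniformly at random (seeded for repeatability)."""
    return random.Random(seed).sample(sorted(adj), count)


def takedown_resilience(adj, count, strategy):
    """Share of the ORIGINAL bots still in the largest component after removing
    `count` hosts chosen by `strategy`; higher means the botnet kept its usefulness."""
    survivors = remove_nodes(adj, strategy(adj, count))
    return largest_component_size(survivors) / len(adj)


if __name__ == "__main__":
    # Constructed sample botnets of 50 hosts each.
    botnets = {"star (centralised)": star_botnet(49), "ring lattice (P2P)": ring_lattice_botnet(50)}
    for name, graph in botnets.items():
        for count in (1, 5):
            print(f"{name:20s} remove {count:2d} by degree: "
                  f"{takedown_resilience(graph, count, degree_targeted):.2f}   "
                  f"random: {takedown_resilience(graph, count, random_takedown):.2f}")
```

The centralised botnet collapses as soon as its hub is removed, while the peer-to-peer lattice keeps most of its hosts in one component even after the five best-connected hosts are gone, which is the kind of structural resilience the research above measures when judging takedown strategies.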