Cyber deception compensates for the delayed response of defensive countermeasures to the ever-evolving tactics, techniques, and procedures (TTPs) of attackers. This proactive defense strategy employs decoys that resemble legitimate system components to lure stealthy attackers within the defender's environment, slowing and/or denying the accomplishment of their goals. In this regard, selecting decoys that can expose the techniques used by malicious users is central to incentivizing their engagement. However, this is difficult to achieve in practice, since it requires an accurate and realistic model of the attacker's capabilities and possible targets. In this work, we tackle this challenge by designing a decoy selection scheme supported by adversarial modeling based on empirical observation of real-world attackers. We take advantage of a domain-specific threat modeling language that uses the MITRE ATT&CK framework as its source of attacker TTPs targeting enterprise systems. In detail, we extract the execution preconditions of each technique as well as its possible effects on the environment to generate attack graphs that model the adversary's capabilities. Based on this, we formulate a graph partition problem that minimizes the number of decoys detecting a corresponding number of techniques employed in various attack paths directed at specific targets. We compare our optimization-based decoy selection approach against several benchmark schemes that ignore the preconditions between the various attack steps. Results reveal that the proposed scheme provides the highest interception rate of attack paths using the lowest number of decoys.
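As an added illustration (not the paper's code, data or exact formulation), the following Python sketch encodes a small constructed precondition/effect catalog, enumerates the attack paths reachable from an assumed-breach initial state, selects the fewest decoyed techniques that intercept every path, and compares the result with a precondition-blind benchmark. The technique and fact names, the "enables most techniques" benchmark heuristic, and the use of a minimum hitting set in place of the paper's graph-partition formulation are all assumptions made here.

```python
from itertools import combinations
# Constructed, illustrative technique catalog (not the paper's data): technique
# name -> (execution preconditions, effects on the environment).
TECHNIQUES = {
    "phishing":          ({"external_access"}, {"user_foothold"}),
    "valid_accounts":    ({"leaked_creds"},    {"user_foothold"}),
    "supply_chain":      ({"vendor_access"},   {"server_foothold"}),
    "cred_dumping":      ({"user_foothold"},   {"domain_creds"}),
    "remote_services":   ({"domain_creds"},    {"server_foothold"}),
    "exploit_service":   ({"user_foothold"},   {"server_foothold"}),
    "exfil_from_user":   ({"user_foothold"},   {"data_stolen"}),
    "exfil_from_server": ({"server_foothold"}, {"data_stolen"}),
}
INITIAL = frozenset({"user_foothold"})  # assumed breach: a user foothold exists

def attack_paths(initial, target, techniques=TECHNIQUES, seen=frozenset()):
    """Backward-chain from the target fact: each path is the technique set producing it."""
    if target in initial:
        return [frozenset()]
    if target in seen:  # guard against cyclic precondition/effect chains
        return []
    paths = []
    for name, (pre, eff) in techniques.items():
        if target not in eff:
            continue
        sub = [frozenset()]
        for fact in pre:  # every precondition must itself be achievable
            sub = [p | q for p in sub
                   for q in attack_paths(initial, fact, techniques, seen | {target})]
        paths += [p | {name} for p in sub]  # unsatisfiable preconditions prune the path
    return paths

def interception_rate(decoys, paths):
    """Fraction of attack paths that use at least one decoyed technique."""
    return sum(1 for p in paths if p & decoys) / max(len(paths), 1)

def select_decoys(paths, techniques=TECHNIQUES):
    """Fewest decoyed techniques hitting every path (exhaustive minimum hitting set)."""
    names = sorted(techniques)
    for k in range(1, len(names) + 1):
        for combo in combinations(names, k):
            if interception_rate(frozenset(combo), paths) == 1.0:
                return frozenset(combo)

def naive_decoys(k, techniques=TECHNIQUES):
    """Precondition-blind benchmark: decoy the k techniques whose effects enable
    the most other techniques, ignoring whether those techniques are reachable."""
    def enables(n):
        return sum(1 for pre, _ in techniques.values() if pre & techniques[n][1])
    return frozenset(sorted(techniques, key=lambda n: (-enables(n), n))[:k])
```

In this scenario the precondition-aware selection places two decoys (on both exfiltration techniques) and intercepts all three reachable paths, while the benchmark spends its two decoys on initial-access techniques the adversary no longer needs and intercepts none.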