Hardening Critical Infrastructure Networks Against Attacker Reconnaissance

Abstract

The knowledge an attacker gathers about the critical infrastructure network they infiltrate allows them to customize the payload and remain undetected while causing maximum impact. This knowledge is a consequence of internal reconnaissance in the cyber network by lateral movement and is enabled by exploiting discovered vulnerabilities. This stage of the attack is also the longest, thereby giving a defender the biggest opportunity to detect and react to the attacker.

This paper helps a defender minimize the information an attacker might gain once in the network. This can be done by curbing lateral movement, misdirecting the attacker or inhibiting reachability to a critical device. We use a linear threshold models of attack propagation to analyze potential attack loss and use this to find actions that a defender might invest in while staying within their budgetary constraints. We show that while finding the best solution subject to these constraints is computationally intractable, the objective function is supermodular, allowing for a tractable technique with a known approximation bound.

A Proof of Theorem 1

Given an attack graph \(\mathcal {A} = (V,E,p)\) we need to show that for any set \(\pi \subseteq E\) and an edge \(e=(u,v) \in E \setminus \pi \)

$$\begin{aligned} \mathcal {R}(\mathcal {A}\setminus \pi ) - \mathcal {R}(\mathcal {A}\setminus (\pi \cup \{e\})) \ge 0 \end{aligned}$$

This proof is very similar to the proof in [11] and only differs in our function of interest (attack loss function).

The space of attack scenarios \(\varOmega _{\mathcal {A} \setminus \pi }\), can be divided into three disjoint partitions based on the edge selected for node v. \(\varOmega _{\mathcal {A} \setminus \pi }^e\) (edge \(e = (u,v)\) is chosen), \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}\) (a different edge \(\overline{e} = (u^{'},v)\) is chosen) and \(\varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) (no incoming edge is selected).

Now for, the space \(\varOmega _{\mathcal {A} \setminus (\pi \cup \{e\})}\) we note that the space is a subset of \(\varOmega _{\mathcal {A} \setminus \pi }\) since any scenario graph in the former can be generated in the latter. Also, the only scenarios not present in the former are ones where the edge e is involved. Thus, \(\varOmega _{\mathcal {A} \setminus (\pi \cup \{e\})}\) can be defined based on two partitions as: \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}} \cup \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\).

Using these disjoint partitions, we can write the difference as:

$$\begin{aligned} \mathcal {R}(\mathcal {A}&\setminus \pi ) - \mathcal {R}(\mathcal {A}\setminus (\pi \cup \{e\})) \\&= \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^e} Pr[A|\mathcal {A}\setminus \pi ] L(A) \\&+ \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}} (Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)]) L(A) \\&+ \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }} (Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)]) L(A) \end{aligned}$$

For the space \(\varOmega _{\mathcal {A} \setminus \pi }^{\overline{e}}\) we have \(Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)] = 0\) since from Eq. 6 we have, \(p(v,A,\mathcal {A}\setminus \pi ) = p(v,A,\mathcal {A}\setminus (\pi \cup \{e\})) = p(\overline{e})\). This is due to the fact that in this space, under both cases, edge \(\overline{e}\) is chosen for node v.

For the space \(\varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) we have:

$$\begin{aligned} Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)] = -p_e \prod _{v' \ne v} p(v',A,\mathcal {A}\setminus \pi ) \end{aligned}$$

This stems from the fact that we can rewrite the above difference in terms of the node v and all other nodes \(v'\ne v\) as \(Pr[A|\mathcal {A}\setminus \pi ] - Pr[A|\mathcal {A}\setminus (\pi \cup e)] = \prod _{v' \ne v} p(v',A,\mathcal {A} \setminus \pi ) \times [p(v,A,\mathcal {A}\setminus \pi ) - p(v,A,\mathcal {A}\setminus (\pi \cup \{e\}))]\).

As for the difference in probabilities when node v has no incoming edge we see that it goes to \(-p_e\) due to the fact that \(p(v,A,\mathcal {A}\setminus \pi ) = 1 - \sum _{x \in E \setminus \pi } p_x = 1 - \sum _{x \in E \setminus (\pi \cup \{e\})} p_x - p_e = p(v,A,\mathcal {A}\setminus (\pi \cup \{e\})) -p_e\).

Now consider the following two facts:

• Every graph \(A' \in \varOmega _{\mathcal {A} \setminus \pi }^e\) has a corresponding graph \(A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }\) and vice versa where \(A' = A \cup \{e\}\) i.e. they differ only in the edge e.

• A graph \(A' \in \varOmega _{\mathcal {A} \setminus \pi }^e\) has probability \(Pr[A'|\mathcal {A}\setminus \pi ] = p_e \prod _{v' \ne v}p(v',A',\mathcal {A}\setminus \pi )\). Note that this is essentially Eq. 7 rewritten in terms of e.

Hence:

$$\begin{aligned} \mathcal {R}(\mathcal {A}\setminus \pi ) - \mathcal {R}(\mathcal {A}\setminus (\pi \cup \{e\})) = \sum _{A \in \varOmega _{\mathcal {A} \setminus \pi }^{\emptyset }} Pr[A'|\mathcal {A}\setminus \pi ] [L(A') - L(A)] \end{aligned}$$

Since this is a non-negative sum and by Lemma 2 we know that \(L(A') - L(A) \ge 0\) we can see that the risk function is monotone decreasing in the policy \(\pi \)

   \(\blacksquare \)