search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

quotes
2022 Research Review / DAY 2

Chain Games: Powering Autonomous Threat Hunting

Assuring information system security requires not just preventing system compromises but finding adversaries already present in the network before they can take action on their objectives. Defensive computer operations (DCO) personnel find the technique of cyber threat hunting the most effective approach for identifying such threats. While the Department of Defense (DoD) does conduct human-driven threat hunting, it often does so only when resources are not devoted to other demands. The time, expense, and expert resources required for cyber threat hunting typically preclude comprehensive investigation. However, an autonomous threat-hunting tool could run more pervasively, achieve standards of coverage currently considered impractical, and significantly reduce competition for limited analyst resources.

The time, expense, and expert resources required for cyber threat hunting typically preclude comprehensive investigation.

 Phil Groce
Senior Network Defense Analyst Photo of Phil Groce

In this project, we take on this challenge by developing algorithms to enable fully autonomous threat hunting by modeling threat hunting as a Cyber Camouflage Game (CCG), a type of mathematical game played between a “probing” player (analogous to a threat hunter) and a potentially deceptive “target” (analogous to an attacker). We will test these algorithms in a simulation environment, and evaluate success using metrics derived from CCG analysis and the threat-hunting domain. Cloud telemetry data will be used to develop and verify the hunt algorithms, assessing the sufficiency of this data for threat hunting, and identifying potential gaps that can be fed back into vendor requirements and open standards to make threat hunting more effective in cloud-native environments.

Threat hunting takes time and skill. Inexpensive, faster hunting could investigate more data sources, coordinate for coverage, and help triage human threat hunts. The key to faster, less expensive threat hunting is autonomy. Threat hunting takes time and skill. Inexpensive, faster hunting could investigate more data sources, coordinate for coverage, and help triage human threat hunts. The key to faster, less expensive threat hunting is autonomy.

Our initial investigation is bounded to

  • Microsoft Azure cloud hosting and services (and evaluation of Azure cloud telemetry data)
  • a containerized, infrastructure-as-a-service (IaaS) application architecture intended to be representative of DoD enterprise applications migrated to the cloud
  • an attacker already resident in the environment and seeking to stage application data for later exfiltration

If our work is successful, threat-hunt operators will confirm that algorithms developed from game-theoretic analysis successfully identify attacker-controlled infrastructure as well as or better than the traditional state of the practice within the investigatory constraints.

In Context

This FY2022–23 project

  • aligns with the SEI technical objective to bring capabilities that make new missions possible or improve the likelihood of success of existing ones
  • aligns with the DoD software strategy to attain autonomous cyber operations and resilience in DoD missions
Principal Investigator

Phil Groce
Senior Network Defense Analyst

SEI Collaborators

Matt Sisk
Member of the Technical Staff

Dr. Joshua Fallon
Senior Network Defense Analyst

External Collaborator

Dr. Christopher Kiekintveld
Associate Professor, Computer Science
University of Texas at El Paso (UTEP)

More from Day 2 of Research Review 2022

Maturing Assurance Contracts in Model-Based Engineering

Principal Investigator Dr. Dionisio de Niz

Safety Analysis and Fault Detection Isolation and Recovery Synthesis for Time-Sensitive Cyber-Physical Systems

Principal Investigator Dr. Jerome Hugues