Cognitive Honeypots against Lateral Movement for Mitigation of Long-Term Vulnerability
Lateral movement by advanced persistent threats (APTs) poses a severe security challenge. Static segregation, applied at fixed times and fixed network locations, is not sufficient to protect valuable assets from stealthy and persistent attackers. Defenders need to consider time and attack stages holistically, so that the latent attack path can be discovered across a long time horizon and the target assets secured in the long term. In this work, we propose a random time-expanded network that models both the stochastic service requests in an enterprise network and the attacker's persistent lateral movement across stages. We design cognitive honeypots at idle production nodes to detect and deter adversarial lateral movement and to protect the target node proactively and persistently. To keep the honeypots stealthy, their locations change randomly across times and stages. Based on the probabilities of service links and the likelihood of a successful compromise at each hop, the defender can design an optimal honeypot policy that minimizes the long-term cyber risk to the target assets together with the probability of interfering with production services and the cost of roaming the honeypot. We propose an iterative algorithm and approximate the vulnerability with the union bound so that honeypots can be deployed in a computationally efficient way. The vulnerability analysis under the optimal and heuristic honeypot policies shows that the proposed cognitive honeypot effectively protects the target node from lateral movement attacks.
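A toy instance of the model sketched in the abstract, written here as an added illustration; it is not the paper's code and its numbers are constructed. It assumes: a four-node enterprise network with entry node A, target D and idle production nodes B and C; per-stage directed service-link probabilities that shift over time (a hypothetical random time-expanded network); a fixed per-hop compromise probability Q_COMPROMISE; a honeypot that intercepts any attacker moving into its node during the stage it occupies it; and a constant cost ROAM_COST per honeypot relocation. The vulnerability of D is approximated by the union bound over stage-indexed attack paths, and, because the instance is tiny, the optimal roaming policy is found by exhaustive search rather than by the paper's iterative algorithm.

```python
"""Toy time-expanded lateral-movement model with a roaming honeypot (constructed)."""
import itertools

ENTRY, TARGET = "A", "D"
IDLE_NODES = ["B", "C"]    # idle production nodes where a honeypot may sit
STAGES = 3                 # time-expanded horizon: stages 0, 1, 2
Q_COMPROMISE = 0.5         # assumed P(compromise | service link is present)
ROAM_COST = 0.05           # assumed cost of relocating the honeypot between stages
# Constructed per-stage service-link probabilities (directed u -> v); a missing
# link has probability 0. Requests shift over time: A talks mostly to B early
# and mostly to C later, which is what makes a roaming honeypot pay off.
P_LINK = {
    0: {("A", "B"): 0.8, ("A", "C"): 0.2},
    1: {("A", "B"): 0.2, ("A", "C"): 0.8, ("B", "D"): 0.5, ("C", "D"): 0.5},
    2: {("B", "D"): 0.5, ("C", "D"): 0.5},
}


def attack_paths():
    """Enumerate stage-indexed attack paths ENTRY -> TARGET.

    A path is a tuple of hops (stage, u, v). In each stage the attacker either
    stays on its current foothold or traverses one service link out of it;
    nodes are never revisited. A path's probability is the product over its
    hops of link probability times compromise probability.
    """
    paths = []

    def extend(stage, cur, hops, visited):
        if cur == TARGET:
            prob = 1.0
            for t, u, v in hops:
                prob *= P_LINK[t][(u, v)] * Q_COMPROMISE
            paths.append((tuple(hops), prob))
            return
        if stage == STAGES:
            return
        extend(stage + 1, cur, hops, visited)                      # stay put
        for (u, v) in P_LINK[stage]:
            if u == cur and v not in visited:
                extend(stage + 1, v, hops + [(stage, u, v)], visited | {v})

    extend(0, ENTRY, [], {ENTRY})
    return paths


def union_bound_vulnerability(policy, paths=None):
    """Union-bound (upper bound) on P(TARGET compromised within the horizon)
    under a honeypot policy, a tuple with one node or None per stage: the sum
    of the probabilities of all paths the honeypot does not intercept, capped
    at 1. A hop (t, u, v) is intercepted when the honeypot sits at v in stage t."""
    paths = attack_paths() if paths is None else paths
    total = 0.0
    for hops, prob in paths:
        if not any(policy[t] == v for t, _, v in hops):
            total += prob
    return min(1.0, total)


def roaming_cost(policy):
    """Cost of relocating the honeypot between consecutive stages."""
    return ROAM_COST * sum(1 for t in range(1, STAGES) if policy[t] != policy[t - 1])


def objective(policy, paths=None):
    """Long-term risk to the target plus the cost of moving the honeypot."""
    return union_bound_vulnerability(policy, paths) + roaming_cost(policy)


def optimal_policy():
    """Exhaustive search over per-stage honeypot locations (feasible here only
    because the instance is tiny; the paper uses an iterative algorithm)."""
    paths = attack_paths()
    best = min(itertools.product([None] + IDLE_NODES, repeat=STAGES),
               key=lambda pol: objective(pol, paths))
    return best, objective(best, paths)


def static_heuristic():
    """Heuristic baseline: the single best fixed honeypot location."""
    paths = attack_paths()
    best = min(((n,) * STAGES for n in IDLE_NODES),
               key=lambda pol: objective(pol, paths))
    return best, objective(best, paths)


if __name__ == "__main__":
    print("no honeypot :", round(union_bound_vulnerability((None,) * STAGES), 4))
    print("static best :", static_heuristic())
    print("roaming best:", optimal_policy())
```

On this instance the best static honeypot (B in every stage) leaves a union-bound vulnerability of 0.15, while the roaming policy (B, C, C) follows the shift in service requests and brings it to 0.075 at one relocation, for an objective of 0.125. The union bound overstates the true compromise probability whenever attack paths overlap, so treat it as a conservative, cheap-to-compute risk estimate rather than an exact figure.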