Modeling Cyberspace Operations
SoarTech, Inc.
December 2017
16 May 2018
Robert Bixler
Fernando Maymi
Motivation

• Sophisticated threats
• Train humans to counteract them
• Build better automated defenses
• Soar is being used to create cyber cognitive (cycog) agents

We model cyberspace operations using tactics, techniques, and procedures.
Tactics, Techniques, and Procedures

Tactic – employment and ordered arrangement of forces in relation to each other

Technique – non-prescriptive way to perform missions, functions, or tasks

Procedure – standard, detailed steps that prescribe how to perform specific tasks
Cyber Kill Chain

(diagram)

Operation Model

(diagram)
Operations

Operation: a directed graph of tactics and objectives

Tactics

Tactic: a directed graph of techniques and resources

Techniques

Technique: a directed graph of procedures, some of them optional
Procedures

ID: p9
Name: Drop netids.dll
Predecessors: p5, p6, p7
Preconditions:
  • A process running with elevated privileges on a Windows host
  • Network connectivity to the tool server
Parameters:
  • server_name – IP address or FQDN of tool server
  • server_port – port number on tool server
  • rem_file_name – name of file on tool server
  • loc_directory – directory for local file
Steps:
  1. Establish HTTPS connection to server_name on server_port
  2. Download rem_file_name and save it as netids.dll in loc_directory
  3. Execute netids.dll
Postconditions:
  • netids.dll is executing with elevated privileges

Procedure: an algorithmic way to accomplish a task
Primitive Action

Primitive Action: atomic unit of process

ip source      ip dest         time
192.168.5.122  224.0.0.251     11:01:06.037
192.168.1.101  67.212.184.66   11:01:06.082
192.168.5.123  64.12.90.98     11:01:06.831
64.12.90.98    192.168.5.122   11:01:07.239
64.12.90.66    192.168.5.122   11:01:07.567
192.168.5.122  64.12.90.66     11:01:07.870
192.168.5.122  205.188.59.19   11:01:08.145
Soar Implementation

(diagram; labels: Techniques, Procedures, Tools, Forensic Artifacts)

Soar Implementation

(diagram; labels: Tactics, Human Analyst, Techniques, Procedures, ML Classifier, Forensic Artifacts)

Training Use Case

(diagram)

Prediction Use Case

(diagram)
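The procedure level of the model above and the prediction use case, as an added example that is not from the SoarTech slides or their Soar agents: a minimal Python model of one technique's procedure graph, with the p9 record transcribed from the Procedures slide and p5, p6, p7 as constructed stand-ins (the slide lists only their ids, so their names and effects are assumptions), plus a predecessor-order check and a next-step predictor that works from the facts established by procedures already attributed from forensic artifacts.

```python
from dataclasses import dataclass
from graphlib import TopologicalSorter

@dataclass(frozen=True)
class Procedure:
    """One procedure record, with the fields shown on the p9 slide."""
    id: str
    name: str
    predecessors: frozenset   # procedure ids that must have run first
    preconditions: frozenset  # facts that must hold before it runs
    postconditions: frozenset # facts that hold once it has run
    parameters: tuple = ()
    steps: tuple = ()

ELEVATED = "process running with elevated privileges on a Windows host"
TOOL_NET = "network connectivity to the tool server"
# p9 is transcribed from the slide. p5, p6 and p7 are constructed stand-ins:
# the slide lists only their ids, so their names and effects are assumptions.
PROCEDURES = {
    "p5": Procedure("p5", "constructed stand-in", frozenset(), frozenset(),
                    frozenset({ELEVATED})),
    "p6": Procedure("p6", "constructed stand-in", frozenset(), frozenset(),
                    frozenset({TOOL_NET})),
    "p7": Procedure("p7", "constructed stand-in", frozenset({"p5"}),
                    frozenset({ELEVATED}), frozenset({"constructed fact from p7"})),
    "p9": Procedure("p9", "Drop netids.dll", frozenset({"p5", "p6", "p7"}),
                    frozenset({ELEVATED, TOOL_NET}),
                    frozenset({"netids.dll is executing with elevated privileges"}),
                    ("server_name", "server_port", "rem_file_name", "loc_directory"),
                    ("Establish HTTPS connection to server_name on server_port",
                     "Download rem_file_name and save it as netids.dll in loc_directory",
                     "Execute netids.dll")),
}

def procedure_order(procs):
    """An execution order honouring every predecessor edge. A cycle means the
    technique graph is mis-specified; graphlib raises CycleError (a ValueError)."""
    return list(TopologicalSorter({pid: set(p.predecessors) for pid, p in procs.items()}).static_order())

def established_facts(procs, observed):
    """World state implied by the procedures already attributed from forensic artifacts."""
    return set().union(*(procs[pid].postconditions for pid in observed))

def enabled_procedures(procs, observed):
    """Prediction use case: unobserved procedures whose predecessors have all been
    seen and whose preconditions are all established, i.e. plausible next steps."""
    facts = established_facts(procs, observed)
    return {pid for pid, p in procs.items()
            if pid not in observed and p.predecessors <= observed and p.preconditions <= facts}
```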
Nuggets/Coal

• Nuggets
  • Human explainable
  • Flexible
  • Fewer changes to Soar code as new attacks are learned
  • Can generate new attack patterns
  • Levels can be developed independently
  • Reason with incomplete information

• Coal
  • Large number of procedures and tactics
  • Anomaly detection is a difficult problem
  • Still can't detect all novel attack patterns