
Chain Games: Powering Autonomous Threat Hunting

November 2022 Presentation
Phil Groce

This project develops algorithms from game-theoretic analysis to identify attacker-controlled infrastructure at least as well as the traditional state of the practice, within the constraints of an investigation.

Publisher:

Software Engineering Institute

Abstract

In this project, we take on the challenge of finding adversaries already present in the network. We develop algorithms that enable fully autonomous threat hunting by modeling threat hunting as a Cyber Camouflage Game (CCG): a mathematical game played between a “probing” player (analogous to a threat hunter) and a potentially deceptive “target” (analogous to an attacker).

We will test these algorithms in a simulation environment and evaluate success using metrics derived from CCG analysis and the threat-hunting domain. We will use cloud telemetry data to develop and verify the hunt algorithms, assess whether that data is sufficient for threat hunting, and identify gaps that can be fed back into vendor requirements and open standards to make threat hunting more effective in cloud-native environments.