Discovering Cognitive Biases in Cyber Attackers’ Network Exploitation Activities: A Case Study

Open Access
Article
Conference Proceedings
Authors: Palvi Aggarwal, Sridhar Venkatesan, Jason Youzwak, Ritu Chadha, Cleotilde Gonzalez

Abstract: Understanding a cyber attacker's behavior can help improve cyber defenses. However, significant research is needed to learn about attackers' decision-making processes. For example, some progress has been made in understanding attackers' decision biases and the potential that measuring such biases would have for cyber defenses. However, there are currently no publicly available datasets that could be used to learn about attackers' cognitive biases. New research is needed to provide clear metrics of attacker cognitive biases in professional red teamers, using testbeds that represent realistic cybersecurity scenarios. New studies should go beyond exploratory observations and rely on formal metrics of cognitive biases that use the actions taken by the adversaries (i.e., rely on what adversaries "do" more than on what they "say") and demonstrate how defense strategies can be informed by such attacker biases. In this paper, we start to build upon existing work to demonstrate that we can detect and measure professional red teamers' cognitive biases based on the actions they take in a realistic Advanced Persistent Threat (APT) scenario. We designed a cybersecurity scenario in which an attacker executes an APT-style attack campaign. The goal for the attacker was to obtain sensitive documents from the target network. To achieve this goal, human attackers were asked to perform network reconnaissance, move laterally to hosts and gain access to the relevant systems, and finally perform data exfiltration as a post-exploitation task. We used the CyberVAN testbed for our experimentation. CyberVAN is a flexible cyber range that offers a high-fidelity representation of heterogeneous network environments. CyberVAN supports a Human-in-the-loop (HITL) capability that allows participants to remotely log into a VM in a network scenario and interact with other VMs in that scenario.
For our experimentation, we designed a network in CyberVAN to enable a multi-step attack campaign in which participants were required to make decisions at each step in order to progress toward the goal. The network was divided into three levels to represent the different stages of the attack campaign. Participants were provided the tools necessary to scan the network, crack passwords, and exploit vulnerabilities. Attackers start their activities from the attacker host, a designated host external to the target network. At level 1, their goal is to gain unauthorized access to one of five hosts by cracking the passwords of valid users on the system. Once attackers successfully log in to a host at level 1, they pivot to a host at level 2 by remotely exploiting security vulnerabilities present in that host. This host was configured with real services containing known vulnerabilities that are remotely exploitable. At level 2, the attacker's goal is to gain access to the target host at level 3 and exfiltrate as many files as possible from the target machine. From level 2, attackers are given two options for executing the attack: (i) an open-source tool that is reliable but requires additional effort to set up and execute, and (ii) a prepared shell script that is unreliable (small probability of success) but easy to execute. Upon compromising the target host, the final action is to exfiltrate as many files as possible from the host to an external drop site. For exfiltration, attackers choose between standard file transfer applications such as SCP and FTP. Attackers were periodically informed that network defenders might be monitoring the network and that they might be detected at any stage of the task. If detected, attackers were returned to the previous step and had to perform the task again by choosing a different host, credential, or exploit. The results provided evidence of default effect bias, availability bias, and recency bias.
Participants chose the first or the last IP address from the network scan result, an indication of default effect bias. We also observed that participants preferred simple, easy-to-execute options over complex but reliable ones, indicative of complexity aversion. Similarly, we observed that recently discovered vulnerabilities were exploited 67% of the time although they made up only 50% of the available vulnerabilities, indicative of recency bias. This paper provides initial evidence for identifying the cognitive biases and behaviors of cyber attackers.
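As an added example (not code or data from the paper), the following Python computes the kind of action-based bias metrics the abstract describes from a constructed log of attacker decisions on a range: the share of decisions that picked the first or last entry of the scan output against the uniform-choice baseline (default effect), the share of pivots that used a recently disclosed vulnerability against its availability (recency), and the share of easy-option choices against an even split (complexity aversion). The record schema, host addresses, vulnerability identifiers, and all sample values are assumptions; the sample is built so the recency rate reproduces the 67% versus 50% figures quoted above.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Decision:
    """One attacker decision point reconstructed from range logs (hypothetical schema)."""
    scan_order: List[str]             # level-1 hosts in the order the scan tool listed them
    chosen_ip: str                    # host whose credentials the attacker tried first
    vulns_available: Dict[str, bool]  # vuln id -> True if it was recently disclosed
    vuln_exploited: str               # vuln id actually used to pivot to level 2
    tool_choice: str                  # "tool" (reliable, more setup) or "script" (easy, unreliable)


# Constructed sample, not data from the study: six participants, five level-1
# hosts, and a pivot host exposing one older and one recent vulnerability.
HOSTS = ["10.0.1.11", "10.0.1.12", "10.0.1.13", "10.0.1.14", "10.0.1.15"]
VULNS = {"OLD-SVC-1": False, "NEW-SVC-2": True}

SAMPLE: List[Decision] = [
    Decision(HOSTS, "10.0.1.11", VULNS, "NEW-SVC-2", "script"),
    Decision(HOSTS, "10.0.1.15", VULNS, "NEW-SVC-2", "script"),
    Decision(HOSTS, "10.0.1.13", VULNS, "OLD-SVC-1", "tool"),
    Decision(HOSTS, "10.0.1.11", VULNS, "NEW-SVC-2", "script"),
    Decision(HOSTS, "10.0.1.12", VULNS, "OLD-SVC-1", "tool"),
    Decision(HOSTS, "10.0.1.15", VULNS, "NEW-SVC-2", "script"),
]


def default_effect_rate(decisions: List[Decision]) -> float:
    """Share of decisions that took the first or last entry of the scan output."""
    hits = sum(1 for d in decisions
               if d.chosen_ip in (d.scan_order[0], d.scan_order[-1]))
    return hits / len(decisions)


def default_effect_baseline(decisions: List[Decision]) -> float:
    """Share expected if a listed host were chosen uniformly at random (2 of n)."""
    return sum(2 / len(d.scan_order) for d in decisions) / len(decisions)


def recency_exploit_rate(decisions: List[Decision]) -> float:
    """Share of pivots that used a recently disclosed vulnerability."""
    hits = sum(1 for d in decisions if d.vulns_available[d.vuln_exploited])
    return hits / len(decisions)


def recency_baseline(decisions: List[Decision]) -> float:
    """Share of available vulnerabilities that are recent, averaged over decisions."""
    return sum(sum(d.vulns_available.values()) / len(d.vulns_available)
               for d in decisions) / len(decisions)


def easy_option_rate(decisions: List[Decision]) -> float:
    """Share of level-2 attacks launched with the easy-but-unreliable script."""
    return sum(1 for d in decisions if d.tool_choice == "script") / len(decisions)


def bias_report(decisions: List[Decision]) -> Dict[str, Dict[str, float]]:
    """Observed rate next to its chance baseline; a positive lift suggests the bias."""
    pairs = {
        "default_effect": (default_effect_rate(decisions), default_effect_baseline(decisions)),
        "recency": (recency_exploit_rate(decisions), recency_baseline(decisions)),
        # two options and no preference would give 0.5
        "complexity_aversion": (easy_option_rate(decisions), 0.5),
    }
    return {name: {"observed": round(obs, 3), "baseline": round(base, 3),
                   "lift": round(obs - base, 3)}
            for name, (obs, base) in pairs.items()}


if __name__ == "__main__":
    for name, stats in bias_report(SAMPLE).items():
        print(f"{name:20s} observed={stats['observed']:.2f} "
              f"baseline={stats['baseline']:.2f} lift={stats['lift']:+.2f}")
```

The baselines are what matters for a defender reading such a report: an observed rate only hints at a bias when it exceeds what indifferent choice would produce, which is why each metric is reported as a lift over its chance level rather than as a raw percentage.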

Keywords: Cyber operations, Behavioral cybersecurity, Cognitive biases, Oppositional Human Factors, Human behavior

DOI: 10.54941/ahfe1004771
