Nazia Sharmin

Shanto Roy, Nazia Sharmin, Jaime C. Acosta et al.

Adversaries are often able to penetrate networks and compromise systems by exploiting vulnerabilities in people and systems. The key to the success of these attacks is information that adversaries collect throughout the phases of the cyber kill chain. We summarize and analyze the methods, tactics, and tools that adversaries use to conduct reconnaissance activities throughout the attack process. First, we discuss what types of information adversaries seek, and how and when they can obtain this information. Then, we provide a taxonomy and detailed overview of adversarial reconnaissance techniques. The taxonomy introduces a categorization of reconnaissance techniques based on the source as third-party, human-, and system-based information gathering. This paper provides a comprehensive view of adversarial reconnaissance that can help in understanding and modeling this complex but vital aspect of cyber attacks as well as insights that can improve defensive strategies, such as cyber deception.

Iffat Anjum, Mohammad Sujan Miah, Mu Zhu et al.

Enterprises are increasingly concerned about adversaries that slowly and deliberately exploit resources over the course of months or even years. A key step in this kill chain is network reconnaissance, which has historically been active (e.g., network scans) and therefore detectable. However, new networking technology increases the possibility of passive network reconnaissance, which will be largely undetectable by defenders. In this paper, we propose Snaz, a technique that uses deceptively crafted honey traffic to confound the knowledge gained through passive network reconnaissance. We present a two-player non-zero-sum Stackelberg game model that characterizes how a defender should deploy honey traffic in the presence of an adversary who is aware of Snaz. In doing so, we demonstrate the existence of optimal defender strategies that will either dissuade an adversary from acting on the existence of real vulnerabilities observed within network traffic, or reveal the adversary's presence when it attempts to unknowingly attack an intrusion detection node.