This dissertation presents a formalism for exploring two fundamental, yet underrepresented, cyberattack dynamics. Namely, how adversary actions drive the emergence of cyberattacks and how adversaries manipulate dynamic system structures, such as by creating and destroying objects. The formalism in question is encapsulated in the Dynamic Meta Attack Language (DynaMAL), a meta-level formalism for modeling and simulating cyberattacks with dynamic graphs. DynaMAL has been designed and developed in accordance with the design science research framework across four studies. The first study introduces an attack graph construction language for assessing cloud architectures and identifies the central problem of representing attacks in which adversaries manipulate dynamic system structures. The second study is a systematic literature review of cyberattack simulations that identifies key simulation concepts used in later stages of the design process. Building on the two initial studies, the third study establishes the cyberattack modeling foundations of DynaMAL, comprising a dynamic graph system, a multi-layered graph model, a lazy graph generation strategy, and the DynaMAL grammar. Finally, the fourth study develops the corresponding discrete-event simulation process for DynaMAL. The resulting capabilities are evaluated through a first simulation experiment that uses three cloud penetration testing scenarios that rely on dynamically creating and destroying resources. The scenarios are then solved automatically with near-optimal results by combining two search and optimization algorithms.

I den här avhandlingen presenteras en formalism för att utforska två fundamentala men underrepresenterade cyberattackdynamiker. Dessa är hur antagonisters handlingar driver fram cyberattacker och hur antagonister manipulerar dynamiska systemstrukturer, till exempel genom att skapa och förstöra resurser. Formalismen i fråga är inkapslad i ett Dynamic Meta Attack Language (DynaMAL), en formalism på metanivå för att modellera och simulera cyberattacker med dynamiska grafer. DynaMAL:s design och utveckling fortlöper genom fyra studier utförda i enlighet med designforskningsramverket. Den första studien bidrar med ett attackgrafkonstruktionsspråk för att utvärdera molnarkitekturer, vilket utvecklar problematiken med att representera när antagonister manipulerar dynamiska systemstrukturer. Den andra studien är en systematisk litteraturstudie som granskar cyberattacksimuleringsforskning och uppdagar flertalet nyckelkoncept som understödjer de senare designaktiviterna. I den påföljande tredje studien etableras ett fundament för cyberattackmodellering innefattandes ett dynamiskt grafsystem, en lagerbaserad grafmodell, en lat grafgenereringsstrategi och DynaMAL-grammatiken. Den fjärde studien färdigställer DynaMAL-formalismen genom att implementera en motsvarande diskret händelsestyrd simuleringsprocess. De resulterande förmågorna utvärderas via ett första simuleringsexperiment, varvid tre molnpenetrationstestningsscenarion som krävde att resurser dynamiskt skapades eller förstördes används. Scenariona löses sedan automatiskt med nära inpå optimala resultat genom att kombinera två sök- och optimeringsalgoritmer.

Two types of dynamics are important when modeling cyberattacks: how adversaries chain together techniques across systems and how they change the target systems. Attack graphs are prominent within research communities for automatically mapping and chaining together actions. Modeling adversary-driven system changes is comparatively unexplored, however. One reason could be that modeling adversarial change dynamics poses a blend of problems where the typical attack graph approaches could produce state-space explosions and infinite graphs. Therefore, this work presents the core modeling aspects of the Dynamic Meta Attack Language (DynaMAL), a project to lazily generate attack graphs by combining attack graph construction and simulation methods. DynaMAL lets users declare domain-specific modeling and attack graph generation languages. Then, the attack graphs are generated one step at a time based on the actions of an adversary agent. By only generating what is explicitly requested, DynaMAL can demonstrably change the system model as the attack graph grows while sidestepping typical state-space explosions and graph re-calculation problems. Shifting to a lazy generation process poses new challenges, however. Nevertheless, there is likely a point where lazy approaches will prevail when analyzing large and complex systems.

Migrating enterprises and business capabilities to cloud platforms like Amazon Web Services (AWS) has become increasingly common. However, securing cloud operations, especially at large scales, can quickly become intractable. Customer-side issues such as service misconfigurations, data breaches, and insecure changes are prevalent. Furthermore, cloud-specific tactics and techniques paired with application vulnerabilities create a large and complex search space. Various solutions and modeling languages for cloud security assessments exist. However, no single one appeared sufficiently cloud-centered and holistic. Many also did not account for tactical security dimensions. This article, therefore, presents a domain-specific modeling language for AWS environments. When used to model AWS environments, manually or automatically, the language automatically constructs and traverses attack graphs to assess security. Assessments, therefore, require minimal security expertise from the user. The modeling language was primarily tested on four third-party AWS environments through securiCAD Vanguard, a commercial tool built around the AWS modeling language. The language was validated further by measuring performance on models provided by anonymous end users and a comparison with a similar open source assessment tool. As of March 2020, the modeling language could represent essential AWS structures, cloud tactics, and threats. However, the tests highlighted certain shortcomings. Data collection steps, such as planted credentials, and some missing tactics were obvious. Nevertheless, the issues covered by the DSL were already reminiscent of common issues with real-world precedents. Future additions to attacker tactics and addressing data collection should yield considerable improvements.

Cyberattack simulations appear across multiple computer security domains and are interpreted in many different but equally viable ways. However, this makes the topic appear fragmented and inconsistent, making it challenging to identify and communicate relevant research. Therefore, this article contributes to a unified baseline by presenting the results of a systematic literature review. The review targeted attack simulations published between 1999 and 2019, specifically those exploring which specific steps result in successful attacks. The search initially produced 647 articles, later reduced to 11 key contributions. Despite being scattered across application domains, their general aims, contributions, and problem statements were remarkably similar. This was despite them generally not citing each other or a common body of work. However, the attack simulations differed in implementation details, such as modeling techniques, attacker decision-making, and how time is incorporated. How to construct a fully unified view of the entire topic is still somewhat unclear, particularly from the 11 articles. However, the results presented here should help orient practitioners and researchers interested in attack simulations regarding both present and future work. Particularly since, despite the seemingly implausible sample, the cumulative evidence suggests that attack simulations have yet to be pursued as a distinct research topic.

Securing web servers and proxies is critical for enterprise networks. Such Internet-facing systems make up a significant portion of the remote attack surface and, thus, serve as prime targets. HTTP Request Smuggling (HRS) is a vulnerability that arises when web servers and proxies interpret the length of a single HTTP request differently. In this study, empirical testing was used to find parsing behaviors that could lead to HRS in six popular proxies and six servers. A literature study was conducted to compile a corpus containing requests adopting all known HRS techniques and different variations. A test harness was built to enable the automatic sending of requests and recording of responses. The responses were then manually analyzed to identify behaviors vulnerable to HRS. In total, 19 vulnerable behaviors were found, and by combining the proxies with the servers, two almost full and four full attacks could be performed. At least one behavior that went against the HTTP specification was found in every system tested. However, not all of these behaviors enabled HRS. In conclusion, most proxies had strict parsing and did not accept requests that could lead to HRS. The servers, however, were not so strict.

This work relies on two observations about cyberattacks: they are driven by adversary actions and they frequently change system structures. However, it is difficult to analyze both aspects simultaneously because it involves analyzing complex networks of interactions between adversary actions and target systems. The existing literature has explored attack graph models and cyberattack simulation techniques for analyzing adversary actions and interactions, but not the structural changes that result from these actions. Conversely, dynamic graph methods have emerged for modeling cyberattacks, but not in response to adversary actions. Therefore, this work complements the Dynamic Meta Attack Language (DynaMAL) with a cyberattack simulation process. DynaMAL is a metalanguage for lazily generating attack graphs in response to adversary actions. The simulation process is a discrete-event simulation in which adversary agents perform actions that can yield successor actions or dynamically change the system. The simulation process was validated by simulating three third-party cloud penetration testing exercises that relied on dynamically adding, removing, and re-configuring resources. Then, the resulting models were solved with ant colony optimization and simulated annealing, which achieved optimal or near-optimal results. These results suggested that DynaMAL is a promising step towards modeling and simulating realistic cyberattack dynamics.