RSA Laboratories
Cyberattacks have become so sophisticated that some degree of compromise in any large system is nearly impossible to prevent. Defenders of critical systems consequently aim not at complete control of their computing resources, but at maximal control. FlipIt is a simple game that models cybersecurity in its contemporary form as an ongoing territorial battle. The game provides a structure for detailed analysis and optimization of defensive strategies, and a mathematically rigorous contribution to the fledgling science of cybersecurity.
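As an added illustration of the "territorial battle" view (example code written for this page, not code from RSA Laboratories or the FlipIt paper), the following simulator scores one round of a FlipIt-style game. It assumes the standard FlipIt conventions: a single resource, two players who each pay a fixed cost per move ("flip"), control passing to whoever moved last, the defender holding the resource at time zero, and a player's payoff being its fraction of time in control minus its total move cost per unit time. The periodic schedules, move costs and horizon below are constructed sample values.

```python
"""Score a FlipIt-style game from the two players' move schedules.

Added example, not from the original page. Conventions assumed:
- the defender 'D' controls the resource at t = 0;
- a move at time t hands control to the mover from t onward;
- payoff = fraction of time in control - (move_cost * moves) / horizon.
"""


def periodic_schedule(period, phase, horizon):
    """Move times of a player who flips every `period` units starting at `phase`."""
    times = []
    t = phase
    while t < horizon:
        times.append(t)
        t += period
    return times


def control_fractions(defender_moves, attacker_moves, horizon):
    """Fraction of [0, horizon) each side controls, given both move schedules.

    Moves are merged into one timeline; ties at the same instant go to the
    defender because 'A' sorts after 'D' and the later event overwrites.
    """
    events = sorted([(t, "A") for t in attacker_moves] + [(t, "D") for t in defender_moves])
    owner, last = "D", 0.0          # defender owns the resource at the start
    held = {"D": 0.0, "A": 0.0}
    for t, who in events:
        if t >= horizon:
            break
        held[owner] += t - last      # credit the interval to whoever held it
        owner, last = who, t
    held[owner] += horizon - last    # credit the final interval
    return held["D"] / horizon, held["A"] / horizon


def payoff(control_fraction, moves, move_cost, horizon):
    """Net benefit per unit time: time in control minus amortised move cost."""
    return control_fraction - move_cost * len(moves) / horizon


def simulate(defender_period, attacker_period, attacker_phase,
             defender_cost, attacker_cost, horizon):
    """Return (defender_payoff, attacker_payoff) for two periodic players."""
    d_moves = periodic_schedule(defender_period, 0.0, horizon)
    a_moves = periodic_schedule(attacker_period, attacker_phase, horizon)
    d_frac, a_frac = control_fractions(d_moves, a_moves, horizon)
    return (payoff(d_frac, d_moves, defender_cost, horizon),
            payoff(a_frac, a_moves, attacker_cost, horizon))


if __name__ == "__main__":
    # Constructed sample: defender re-images every 2 time units, attacker
    # re-compromises every 4 starting at t = 1; both pay 0.5 per move.
    print(simulate(2.0, 4.0, 1.0, 0.5, 0.5, 10.0))
```

With the sample parameters the defender holds the resource 70% of the time but pays for five moves, so a cheaper or slower defensive cadence can be compared directly by changing `defender_period` and `defender_cost`; a defender that never moves keeps control only until the attacker's first flip.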

Advanced Persistent Threat

An Advanced Persistent Threat (APT), in industry terminology, is a sophisticated, targeted attacker or attack against a computing system that contains a high-value asset or controls a physical system. Detecting APTs is a non-trivial task, since the attacker can constantly modify and adapt its tactics to exploit a particular organization or entity. At RSA Labs, researchers are developing new anomaly detection frameworks applicable to previously unknown attacks.

A characteristic of an APT is that it is not a vector of attack or playbook of tactics, but rather a campaign. Attackers are by no means bound by a formula or technology. To caution against overly narrow characterization of APTs, we illustrate potential strategies of deception and evasion available in this setting by appealing to the stories of Sherlock Holmes by Sir Arthur Conan Doyle.

Botnet Models

We apply an analytical approach to study peer-to-peer botnets using graph models from network theory. Each node in the graph represents an infected host, and edges reflect communications between the hosts. Measuring a botnet's "usefulness" by various graph properties, we evaluate the effectiveness of recommended botnet takedown strategies. Our results show that certain network structures allow the botnet to be resilient to takedown attempts, and to recover quickly after a fraction of nodes are removed.
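To make the graph-based evaluation concrete, here is an added example (written for this page; not RSA Laboratories' code or data) that builds two small constructed botnet topologies, a centralised hub-and-spoke network and a peer-to-peer ring lattice, removes a fraction of nodes under two takedown strategies, and measures the surviving "usefulness" as the largest connected component relative to the original size. Node counts, topologies and the removal fraction are constructed values; the degree-first strategy and the random strategy are the two takedown policies compared.

```python
"""Compare botnet takedown strategies on constructed graph topologies.

Added example, not from the original page. Usefulness is measured as the
size of the largest connected component after takedown, as a fraction of
the original node count.
"""
from collections import deque
import random


def build_star(n):
    """Centralised botnet: node 0 is the command hub, every other host talks only to it."""
    adj = {i: set() for i in range(n)}
    for i in range(1, n):
        adj[0].add(i)
        adj[i].add(0)
    return adj


def build_ring_lattice(n, k=2):
    """Peer-to-peer botnet: host i peers with its k nearest neighbours on each side."""
    adj = {i: set() for i in range(n)}
    for i in range(n):
        for d in range(1, k + 1):
            j = (i + d) % n
            adj[i].add(j)
            adj[j].add(i)
    return adj


def largest_component(adj):
    """Size of the largest connected component (breadth-first search)."""
    seen, best = set(), 0
    for start in adj:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            u = queue.popleft()
            size += 1
            for v in adj[u]:
                if v not in seen:
                    seen.add(v)
                    queue.append(v)
        best = max(best, size)
    return best


def remove_nodes(adj, victims):
    """Return a copy of the graph with the victim hosts and their edges removed."""
    victims = set(victims)
    return {u: {v for v in nb if v not in victims}
            for u, nb in adj.items() if u not in victims}


def degree_takedown(adj, count, rng):
    """Take down the highest-degree hosts first (ties broken by lowest id)."""
    return sorted(adj, key=lambda u: (-len(adj[u]), u))[:count]


def random_takedown(adj, count, rng):
    """Take down uniformly random hosts (a seeded rng keeps runs reproducible)."""
    return rng.sample(sorted(adj), count)


def residual_usefulness(adj, strategy, fraction, seed=0):
    """Largest component after removing `fraction` of hosts, relative to the original size."""
    n = len(adj)
    count = max(1, round(fraction * n))
    victims = strategy(adj, count, random.Random(seed))
    return largest_component(remove_nodes(adj, victims)) / n


if __name__ == "__main__":
    for name, graph in (("star", build_star(10)), ("ring lattice", build_ring_lattice(10))):
        for strat in (degree_takedown, random_takedown):
            print(f"{name:13s} {strat.__name__:16s} "
                  f"{residual_usefulness(graph, strat, 0.2):.2f}")
```

Removing 20% of hosts by degree collapses the star to isolated bots once the hub is gone, while the ring lattice keeps 80% of its hosts in one component under either strategy: with two peers on each side, two removals can never cut the ring. Real peer-to-peer botnets that re-peer after node loss would recover even more of this connectivity, which is the resilience the paragraph above describes.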