PenQuest: a gamified attacker/defender meta model for cyber security assessment and education

Abstract: Attacks on IT systems are a rising threat against the confidentiality, integrity, and availability of critical information and infrastructures. At the same time, the complex interplay of attack techniques and possible countermeasures makes it difficult to appropriately plan, implement, and evaluate an organization's defense. More often than not, the worlds of technical threats and organizational controls remain disjunct. In this article, we introduce PenQuest, a meta model designed to present a complete view o… Show more

“…For attack modeling and the subsequent interpretation of classified system 375 behavior, we utilize PenQuest [43,44], our versatile attacker-defender meta model that takes the definition of threat stages and provides concrete actions based on accepted security languages and standards. See Figure 2 for an overview of the model.…”

“…Specifically, PenQuest allows for simulating time-enabled attacker/defender 380 behavior as part of a dynamic, imperfect information multi-player game that derives significant parts of its ruleset from established information security sources such as STIX [4], CAPEC 1 , CVE 2 /CWE 3 , and the NIST SP800-53 security & privacy controls standard [27]. Attack patterns, vulnerabilities, and mitigating controls are mapped to counterpart strategies and concrete actions through [43,44]. The lower left side depicts the AIDIS data provider (agent) monitoring for anomalies or pattern occurrence, while the right sight shows PenQuest's class structure for a generalized Action X (see definition below).…”

“…The modeling of unique events closes the gap to the data layer and allows us to lower the level of abstraction to the actual systemic representation. For more 460 information about PenQuest and the model-to-data mapping, see [43] and [44].…”

“…Decision trees are computed in R using the randomForest function 10 , while our SVM implementation utilizes 935 svm Linear and svm Linear Grid. The mapping of resulting anomaly reports and scores to the PenQuest [43,44] model is currently done manually.…”

“…Both static and dynamic (behavioral) models are used [56]. AIDIS proposes the use of 'PenQuest' [43,44], an advanced dynamic approach realized as a fullfledged strategy game. In the following, we discuss existing work similar to our modeling approach.…”

AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes

“…For attack modeling and the subsequent interpretation of classified system 375 behavior, we utilize PenQuest [43,44], our versatile attacker-defender meta model that takes the definition of threat stages and provides concrete actions based on accepted security languages and standards. See Figure 2 for an overview of the model.…”

“…Specifically, PenQuest allows for simulating time-enabled attacker/defender 380 behavior as part of a dynamic, imperfect information multi-player game that derives significant parts of its ruleset from established information security sources such as STIX [4], CAPEC 1 , CVE 2 /CWE 3 , and the NIST SP800-53 security & privacy controls standard [27]. Attack patterns, vulnerabilities, and mitigating controls are mapped to counterpart strategies and concrete actions through [43,44]. The lower left side depicts the AIDIS data provider (agent) monitoring for anomalies or pattern occurrence, while the right sight shows PenQuest's class structure for a generalized Action X (see definition below).…”

“…The modeling of unique events closes the gap to the data layer and allows us to lower the level of abstraction to the actual systemic representation. For more 460 information about PenQuest and the model-to-data mapping, see [43] and [44].…”

“…Decision trees are computed in R using the randomForest function 10 , while our SVM implementation utilizes 935 svm Linear and svm Linear Grid. The mapping of resulting anomaly reports and scores to the PenQuest [43,44] model is currently done manually.…”

“…Both static and dynamic (behavioral) models are used [56]. AIDIS proposes the use of 'PenQuest' [43,44], an advanced dynamic approach realized as a fullfledged strategy game. In the following, we discuss existing work similar to our modeling approach.…”

AIDIS: Detecting and classifying anomalous behavior in ubiquitous kernel processes

Cybersecurity Awareness Through Serious Games: A Systematic Literature Review

Gamification in Software Development: Systematic Literature Review