A human-centric cyber security training tool for prioritizing MSNAs

Depassier, V.; Torres, R.

Keywords: simulation, gamification, serious game, MSNA, human-centric cyber security

Abstract

Analysts in cyber security are responsible for monitoring and responding to security incidents in computer systems. They constantly need to acquire sophisticated skills to detect and mitigate sophisticated attacks such as multi-stage and multi-step network attacks (MSNAs) that can last hours, days and even months. Unfortunately, there is a lack of MSNA datasets with which cyber security analysts can train themselves on this matter. Moreover, the inherent complexity of MSNAs makes it very difficult for cyber security analysts to detect them just by reading logs. This work presents a human-centric approach to creating simulations for training cyber security analysts in detecting and prioritizing concurrent MSNAs. We hypothesize that, using this approach, cyber security analysts will do these tasks better and/or faster than when using the outputs of intrusion detection systems. To do this, we have designed and implemented NetWars to simulate concurrent MSNAs for training cyber security analysts. The MSNAs were obtained from the CTF22 of DEFCON, where highly skilled teams attack and defend themselves over three days. Results are encouraging. During the training, cyber security analysts receive multiple concurrent MSNAs from 19 different attackers, and the trainee must decide which attack to prioritize for mitigation given that she has limited resources. The tool's adoption also yielded a remarkable 95% success rate in generating accurate answers. The usability of the NetWars prototype was highlighted by the users.

More information

Title according to WOS: A human-centric cyber security training tool for prioritizing MSNAs
Title according to SCOPUS: A Human-Centric Cyber Security Training Tool for Prioritizing MSNAs
Journal title: Proceedings - 2023 38th IEEE/ACM International Conference on Automated Software Engineering Workshops, ASEW 2023
Publisher: Institute of Electrical and Electronics Engineers Inc.
Publication date: 2023
Start page: 54
End page: 61
Language: English
DOI: 10.1109/ASEW60602.2023.00012

Notes: ISI, SCOPUS