Assessment of Group Dynamics During Cyber Crime Through Temporal Network Topology

Nima Asadi¹ (✉), Aunshul Rege², and Zoran Obradovic¹

¹ Computer and Information Sciences Department, Temple University, Philadelphia, USA
nima.asadi@temple.edu
² Department of Criminal Justice, Temple University, Philadelphia, USA

Abstract. Understanding group dynamics can provide valuable insight into how the adversaries progress through cyberattacks and adapt to any disruptions they encounter. However, capturing the characteristics of such dynamics is a difficult task due to complexities in the formation and focus of the adversarial team throughout the attack. In this study, we propose an approach based on concepts and measures of social network theory. The results of experiments performed on observations at the US Industrial Control Systems Computer Emergency Response Team's (ICS-CERT) Red Team-Blue Team cybersecurity training exercise held at Idaho National Laboratory (INL) show that the team dynamics can be captured and characterized using the proposed approach. Moreover, we provide an analysis of the shifts in such dynamics due to the adversarial team's adaptation to disruptions caused by the defenders.

Keywords: Network theory · Group dynamics · Machine learning

1 Introduction

Governments and organizations worldwide are experiencing a continuously evolving threat landscape, where cyberadversaries are highly organized, sophisticated, and persistent. Defenders can only be effective if they understand how adversaries organize, make decisions, carry out attacks, and adapt to disruptions. Earlier research has examined adversarial attack paths also known as intrusion chains, time spent on the various stages of cyberattacks, and which stages adversaries focus on more when they are disrupted by defenders [1–4]. However, little is known in the open literature about adversarial group dynamics. It is imperative to study how adversaries interact, structure themselves, change over the duration of the attack, manage disruptions by defenders, recover from their mistakes, and make decisions as they progress through cyberattacks in real-time.

© Springer International Publishing AG, part of Springer Nature 2018
R. Thomson et al. (Eds.): SBP-BRiMS 2018, LNCS 10899, pp. 401–407, 2018.
https://doi.org/10.1007/978-3-319-93372-6_44