SOC Critical Path: A defensive Kill Chain model
[EN] Different kill chain models have been defined and analyzed to provide a common sequence of actions followed in offensive cyber operations. These models allow analysts to identify these operations and to understand how they are executed. However, there is a lack of an equivalent model from a defensive point of view: that is, there is no common sequence of actions for the detection of threats and their accurate response. This lack causes not only problems such as unstructured approaches and conceptual errors but, most importantly, inefficiency in the detection of and response to threats, as defensive tactics are not well identified. For this reason, in this work we present a defensive kill chain approach in which the tactics for teams in charge of cyber defense activities are structured and arranged. We introduce the concept of SOC Critical Path (SCP), a novel kill chain model to detect and neutralize threats. SCP is a technology-independent model that provides an arrangement of mandatory steps, in the form of tactics, to be executed by Computer Network Defense teams to detect hostile cyber operations. By adopting this novel model, these teams increase the performance and the effectiveness of their capabilities through a common framework that formalizes the steps to follow for the detection and neutralization of threats. In this way, our work can be used not only to identify detection and response gaps, but also to implement a continuous improvement cycle over time.
Villalón-Huerta, A.; Marco-Gisbert, H.; Ripoll-Ripoll, I. (2022). SOC Critical Path: A defensive Kill Chain model. IEEE Access. 10:13570-13581. https://doi.org/10.1109/ACCESS.2022.3145029
Markov Model of Cyber Attack Life Cycle Triggered by Software Vulnerability
Software vulnerability life cycles describe how the detection of software vulnerabilities changes over the time a computer system is in use. Unfortunately, the detection can be made by cyber-adversaries, and a discovered software vulnerability may consequently be exploited for their own purposes. The vulnerability may be exploited by cyber-criminals at any time while it remains unpatched. Cyber-attacks on organizations that exploit vulnerabilities are usually conducted as processes divided into many stages. In the literature these cyber-attack processes are called cyber-attack life cycles or cyber kill chains. Both types of cycle have been studied in the literature, but so far they have been considered and modeled separately. This work addresses this deficiency by proposing a Markov model which combines a cyber-attack life cycle with the idea of software vulnerability life cycles. The modeling applies homogeneous continuous-time Markov chain theory.
The Internet of Hackable Things
The Internet of Things makes it possible to connect every everyday object to the Internet, making computing pervasive like never before. From a security and privacy perspective, this tsunami of connectivity represents a disaster, which makes each object remotely hackable. We claim that, in order to tackle this issue, we need to address a new challenge in security: education.
Efficacy of Incident Response Certification in the Workforce
Numerous cybersecurity certifications are available both commercially and via institutes of higher learning. Hiring managers, recruiters, and personnel accountable for new hires need to make informed decisions when selecting personnel to fill positions. An incident responder or security analyst's role requires near real-time decision-making, pervasive knowledge of the environments they are protecting, and functional situational awareness. This concurrent mixed methods paper studies whether current commercial certifications offered in the cybersecurity realm, particularly incident response, provide useful indicators for a viable hiring candidate.
Managers and non-managers alike prefer hiring candidates with an incident response certification. Both groups affirmatively believe that commercially certified cybersecurity job candidates holding that same certification can update, modify, and improve the incident response process. The reasoning for this belief is focused more on tie-breaking and common parlance within the information security analyst domain and less on the ability to perform the job. A practical component within the certification process is valuable, and networking expertise is the primary interest of those seeking qualified incident responders. The qualitative component highlighted soft skills, such as communication, enthusiasm, critical thinking, and awareness, as sought-after abilities lacking in the certification offerings covered within this study.
Towards Scientific Incident Response
A scientific incident analysis is one with a methodical, justifiable approach to the human decision-making process. Incident analysis is a good target for additional rigor because it is the most human-intensive part of incident response. Our goal is to provide the tools necessary for specifying precisely the reasoning process in incident analysis. Such tools are lacking, and are a necessary (though not sufficient) component of a more scientific analysis process. To reach this goal, we adapt tools from program verification that can capture and test abductive reasoning. As Charles Peirce coined the term in 1900, "Abduction is the process of forming an explanatory hypothesis. It is the only logical operation which introduces any new idea." We reference canonical examples as paradigms of decision-making during analysis. With these examples in mind, we design a logic capable of expressing decision-making during incident analysis. The result is that we can express, in machine-readable and precise language, the abductive hypotheses that an analyst makes, and the results of evaluating them. This result is beneficial because it opens up the opportunity of genuinely comparing analyst processes without revealing sensitive system details, as well as opening an opportunity towards improved decision support via limited automation.
Review of human decision-making during computer security incident analysis
We review practical advice on decision-making during computer security incident response. The scope includes standards from the IETF, ISO, FIRST, and the US intelligence community. To focus on human decision-making, the scope is the evidence collection, analysis, and reporting phases of response. The results indicate both strengths and gaps. A strength is the available advice on how to accomplish many specific tasks. However, there is little guidance on how to prioritize tasks in limited time or how to interpret, generalize, and convincingly report results. Future work should focus on these gaps in the explication and specification of decision-making during incident analysis.
Considerations for Cross Domain / Mission Resource Allocation and Replanning
NPS NRP Technical Report
Naval platforms are inherently multi-mission: they execute a variety of missions simultaneously. Ships, submarines, and aircraft support multiple missions across domains, such as integrated air and missile defense, ballistic missile defense, anti-submarine warfare, strike operations, naval fires in support of ground operations, and intelligence, surveillance, and reconnaissance. Scheduling and positioning these multi-mission platforms is problematic, since one warfare area commander desires one position and schedule while another may have a completely different approach. Commanders struggle to decide and adjudicate these conflicts because there is considerable uncertainty about the enemy and the environment. This project will explore emerging innovative data analytic technologies to optimize naval resource allocation and replanning across mission domains. NPS proposes a study that will evaluate the following three solution concepts for this application: (1) game theory, (2) machine learning, and (3) wargaming. The study will first identify a set of operational scenarios that involve distributed and diverse naval platforms and resources and a threat situation that requires multiple concurrent missions in multiple domains. The NPS team will use these scenarios to evaluate the three solution concepts and their applicability to supporting resource allocation and replanning. This project will provide valuable insights into innovative data analytic solution concepts to tackle the Navy's challenge of conducting multiple missions with cross-domain resources.
N2/N6 - Information Warfare
This research is supported by funding from the Naval Postgraduate School, Naval Research Program (PE 0605853N/2098). https://nps.edu/nrp
Chief of Naval Operations (CNO)
Approved for public release. Distribution is unlimited.
General cyber-attack life cycle and its Markov model
The article proposes a general cyber-attack life cycle which is distinguished from those published in the literature principally by two additional phases: identifying attackers' needs and ending a cyber-attack. On the basis of the defined attack life cycle, a stochastic model describing its functioning is presented. The model is based on stationary Continuous-Time Markov Chains.