
    AN AUTOMATED POST-EXPLOITATION MODEL FOR OFFENSIVE CYBERSPACE OPERATIONS

    The Department of Defense (DOD) uses vulnerability assessment tools to identify necessary patches for its many cyber systems to mitigate cyberspace threats and exploitation. If an organization misses a patch, or a patch cannot be applied in a timely manner (for instance, to minimize network downtime), then measuring and identifying the impact of such unmitigated vulnerabilities is offloaded to red teaming or penetration testing services. Most of these services concentrate on initial exploitation, which stops short of realizing the larger security impact of post-exploitation actions, and they are a scarce resource that cannot be applied to all systems in the DOD. This gap in post-exploitation services results in an increased susceptibility to offensive cyberspace operations (OCO). This thesis expands upon the automated initial exploitation model of the Cyber Automated Red Team Tool (CARTT), initially developed at the Naval Postgraduate School, by developing and implementing automated post-exploitation for OCO. Implementing post-exploitation automation reduces the workload on red teams and penetration testers by providing necessary insight into the impact of exploited vulnerabilities. Patching these weaknesses will result in increased availability, confidentiality, and integrity of DOD cyberspace systems.
    Outstanding Thesis. Lieutenant, United States Navy. Approved for public release. Distribution is unlimited.

    A taxonomy of malicious traffic for intrusion detection systems

    With the increasing number of network threats, it is essential to have knowledge of existing and new network threats in order to design better intrusion detection systems. In this paper we propose a taxonomy for classifying network attacks in a consistent way, allowing security researchers to focus their efforts on creating accurate intrusion detection systems and targeted datasets.

    Security Code Smells in Android ICC

    Android Inter-Component Communication (ICC) is complex, largely unconstrained, and hard for developers to understand. As a consequence, ICC is a common source of security vulnerabilities in Android apps. To promote secure programming practices, we have reviewed related research and identified avoidable ICC vulnerabilities in Android-run devices and the security code smells that indicate their presence. We explain the vulnerabilities and their corresponding smells, and we discuss how they can be eliminated or mitigated during development. We present a lightweight static analysis tool on top of Android Lint that analyzes the code under development and provides just-in-time feedback within the IDE about the presence of such smells in the code. Moreover, with the help of this tool we study the prevalence of security code smells in more than 700 open-source apps, and manually inspect around 15% of the apps to assess the extent to which identifying such smells uncovers ICC security vulnerabilities.
    Comment: Accepted on 28 Nov 2018, Empirical Software Engineering Journal (EMSE), 201

    VTAC: Virtual terrain assisted impact assessment for cyber attacks

    Recently, there has been substantial research in the area of network security. Correlation of intrusion detection sensor alerts, vulnerability analysis, and threat projection are all being studied in the hope of relieving the workload analysts face in monitoring their networks. An automated algorithm that can estimate the impact of cyber attacks on a network is another facet network analysts could use in defending their networks and gaining better overall situational awareness. Impact assessment involves determining the effect of a cyber attack on a network. Impact algorithms may consider items such as machine importance, connectivity, user accounts, known attacker capability, and similar machine configurations. Due to the increasing number of attacks, constantly changing vulnerabilities, and unknown attacker behavior, automating impact assessment is a non-trivial task. This work develops a virtual terrain that contains the network and machine characteristics relevant to impact assessment. Once populated, this virtual terrain is used to run impact assessment algorithms. The goal of this work is to investigate and propose an impact assessment system to assist network analysts in prioritizing attacks and analyzing overall network status. VTAC is tested with several scenarios over a network with a variety of configurations. Insights into the results of the scenarios, including how the network topologies and network asset configurations affect the impact analysis, are discussed.

    Jailbreaking ChatGPT via Prompt Engineering: An Empirical Study

    Large Language Models (LLMs), like ChatGPT, have demonstrated vast potential but also introduce challenges related to content constraints and potential misuse. Our study investigates three key research questions: (1) the number of different prompt types that can jailbreak LLMs, (2) the effectiveness of jailbreak prompts in circumventing LLM constraints, and (3) the resilience of ChatGPT against these jailbreak prompts. Initially, we develop a classification model to analyze the distribution of existing prompts, identifying ten distinct patterns and three categories of jailbreak prompts. Subsequently, we assess the jailbreak capability of prompts with ChatGPT versions 3.5 and 4.0, utilizing a dataset of 3,120 jailbreak questions across eight prohibited scenarios. Finally, we evaluate the resistance of ChatGPT against jailbreak prompts, finding that the prompts can consistently evade the restrictions in 40 use-case scenarios. The study underscores the importance of prompt structures in jailbreaking LLMs and discusses the challenges of robust jailbreak prompt generation and prevention.

    Identification of Attack Paths Using Kill Chain and Attack Graphs

    The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to the final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chains and attack graphs. Kill chains and attack graphs are threat modeling concepts that help determine weak points in security defenses. We propose a novel kill chain attack graph that merges the two concepts. This approach determines possible chains of attacker’s actions and their materialization within the protected network. The graph generation uses a categorization of threats according to the security properties they violate. The graph allows determining the kill chain phase the administrator should focus on and the applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. A publicly available implementation contains a proof-of-concept kill chain attack graph generator.
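    The following is an added illustration, not code from the paper above or from the VTAC work, of what a kill chain attack graph generator computes: it enumerates chains of attacker actions across a network, tags each step with its kill chain phase and the security property it violates, ranks chains by a simple asset-importance score (the kind of "machine importance" input the VTAC abstract lists), and picks the kill chain phase whose mitigation removes the most chains. The network, hosts, threats, importance values and access levels are all constructed for the example; the phase names follow the common seven-step kill chain vocabulary.

```python
"""Toy kill chain attack graph (added example; not the paper's generator).

Everything below (hosts, reachability, threats, importance scores) is
constructed for illustration. A state is (host, access level); a threat
raises access on one host, and code execution on a host grants network
access to its neighbours (lateral movement).
"""
from dataclasses import dataclass

KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
ACCESS_RANK = {"network": 1, "user": 2, "root": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    phase: str      # kill chain phase this action realises
    violates: str   # security property violated: confidentiality/integrity/availability
    needs: str      # access level on the host required to use it
    grants: str     # access level on the host obtained afterwards


@dataclass(frozen=True)
class Host:
    name: str
    importance: int   # 1 (low) .. 10 (critical), constructed values
    threats: tuple


def build_network():
    """Constructed sample terrain: three hosts, attacker enters via 'web'."""
    hosts = {
        "web": Host("web", 3, (
            Threat("unpatched RCE in web app", "exploitation", "integrity", "network", "user"),
            Threat("setuid local privesc", "installation", "integrity", "user", "root"),
        )),
        "fileserver": Host("fileserver", 6, (
            Threat("SMB share writable by anyone", "exploitation", "integrity", "network", "user"),
            Threat("kernel privesc", "installation", "integrity", "user", "root"),
        )),
        "db": Host("db", 9, (
            Threat("weak DB credentials", "exploitation", "confidentiality", "network", "user"),
        )),
    }
    reach = {"attacker": ("web",), "web": ("db", "fileserver"),
             "fileserver": ("db",), "db": ()}
    return hosts, reach


def attack_paths(hosts, reach, target, goal="user", removed_phase=None):
    """Enumerate chains of (host, threat) steps ending with `goal` access on `target`.

    `removed_phase` simulates mitigating every threat of one kill chain phase.
    """
    paths = []

    def dfs(host, access, visited, chain):
        if host == target and ACCESS_RANK[access] >= ACCESS_RANK[goal]:
            paths.append(tuple(chain))
            return
        # Escalate on the current host; access must strictly increase, so this terminates.
        for t in hosts[host].threats:
            if t.phase == removed_phase:
                continue
            if ACCESS_RANK[t.needs] <= ACCESS_RANK[access] < ACCESS_RANK[t.grants]:
                dfs(host, t.grants, visited, chain + [(host, t)])
        # Lateral movement: code execution gives network access to unvisited neighbours.
        if ACCESS_RANK[access] >= ACCESS_RANK["user"]:
            for nxt in reach[host]:
                if nxt not in visited:
                    dfs(nxt, "network", visited | {nxt}, chain)

    for entry in reach["attacker"]:
        dfs(entry, "network", {entry}, [])
    return paths


def summarize(path, hosts):
    """Steps with their phases, violated properties, and a naive impact score
    (sum of importance over distinct compromised hosts)."""
    return {
        "steps": [f"{h}:{t.name} [{t.phase}]" for h, t in path],
        "violated": sorted({t.violates for _, t in path}),
        "impact": sum(hosts[h].importance for h in {h for h, _ in path}),
    }


def phase_to_focus(hosts, reach, target, goal="user"):
    """Kill chain phase whose mitigation leaves the fewest attack paths."""
    baseline = len(attack_paths(hosts, reach, target, goal))
    remaining = {p: len(attack_paths(hosts, reach, target, goal, removed_phase=p))
                 for p in KILL_CHAIN}
    return min(KILL_CHAIN, key=lambda p: remaining[p]), baseline, remaining


if __name__ == "__main__":
    hosts, reach = build_network()
    for p in sorted(attack_paths(hosts, reach, "db"), key=len):
        print(summarize(p, hosts))
    print(phase_to_focus(hosts, reach, "db"))
```

    On the constructed terrain, breaking every exploitation-phase threat removes all chains to the database, while hardening only the installation phase (local privilege escalation) still leaves the two chains that need no root access; that difference is what the "phase to focus on" recommendation in the abstract is meant to surface.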