
Evolution of Network Enumeration Strategies in Emulated Computer Networks

Successful attacks on computer networks today rarely owe their success to directly overcoming strong security measures set up by the defender. Rather, most attacks succeed because the number of possible vulnerabilities is too large for humans to protect fully without making a mistake. Regardless of the security elsewhere, a skilled attacker can exploit a single vulnerability in a defensive system and negate the benefits of those security measures. This paper presents an evolutionary framework for evolving attacker agents in a real, emulated network environment using genetic programming, as a foundation for coevolutionary systems that can automatically discover and mitigate network security flaws. We examine network enumeration, an initial network reconnaissance step, through our framework and present results demonstrating its success, indicating a broader applicability to further cyber-security tasks.

Federated Agentless Detection of Endpoints Using Behavioral and Characteristic Modeling

During the past two decades computer networks and security have evolved to the point that, even though we use the same TCP/IP stack, network traffic behaviors and security needs have changed significantly. To secure modern computer networks, complete and accurate data about network and endpoint behavior must be gathered in a structured manner. Security operations teams struggle to keep up with the ever-increasing number of devices and the network attacks they face daily. Often the security aspect of networks is managed reactively instead of providing proactive protection. Data collected at the backbone is becoming inadequate during security incidents: incident response teams require data that is reliably attributed to each individual endpoint over time. With the current state of dissociated data collected from networks using different tools, it is challenging to correlate the necessary data to find the origin and propagation of attacks within the network. Critical indicators of compromise may go undetected due to the drawbacks of current data collection systems, leaving endpoints vulnerable to attacks. The proliferation of distributed organizations demands distributed, federated security solutions. Without robust data collection systems that are capable of transcending architectural and computational challenges, it is becoming increasingly difficult to provide endpoint protection at scale. This research focuses on reliable agentless endpoint detection and traffic attribution in federated networks using behavioral and characteristic modeling for incident response.

Gestor de Risco aplicado à área de cibersegurança (Risk Manager Applied to the Field of Cybersecurity)

In the modern landscape of cybersecurity risk management, an uncomfortable truth is clear: managing cyber risk in a company, so as to keep architectures and systems secure and compliant, is harder than ever. This management involves a continuous process of identifying, analysing, evaluating and treating cybersecurity threats. When it comes to risk managers, a four-step process is usually followed, beginning with risk identification. Next, the risk is evaluated based on the likelihood of threats exploiting those vulnerabilities and on the potential impact. In the third step, risks are prioritised and categorised depending on the existing mitigation strategy. Finally, the fourth step, monitoring, is structured for responding to risk in a constantly changing environment. This thesis aims to develop an application for managing the vulnerability risk of the assets found in a network topology. This web application is based on the Flask framework and uses the open-source tool Nmap to detect the assets and all the services they expose. For vulnerability detection, the application relies on connections through two APIs, one to the NVD repository and another to the VulDB repository, in order to identify the existing vulnerabilities of each service found. All the information gathered is stored in an SQLite-based database. Note that the use of Nmap is prohibited by law (Law 109/2009), but it may be used if authorised, with documented permission from the parties involved. The tests carried out use VirtualBox to virtually simulate the network of a virtual hospital created in another project. The results are finally detailed in a report through the web application.

This project successfully developed a functional risk manager as a web application capable of mapping a network and finding the assets with vulnerabilities. Equally successful was the implementation of vulnerability detection through external repositories. Finally, this thesis successfully implemented a comparison between scans to discover which vulnerabilities were fixed or which new vulnerabilities may exist on given assets. However, it was not possible to successfully integrate this application into an existing project using React. Likewise, an automated way of running scans was not implemented. Lastly, owing to the available resources, the virtual hospital network was considerably reduced.

In the modern scenario of cybersecurity, one uncomfortable truth is clear: the risk management of a company and/or institution, in order to keep all its systems and information secure, is harder than ever. This management goes through a continuous cycle of identification, analysis, evaluation, and treatment of the daily threats. Usually risk management follows four steps, starting with the identification of the risk, then its evaluation in terms of the probability of actors exploiting any existing vulnerability and the consequent impact. Given this analysis, the risks are prioritized and categorized depending on the mitigation strategy in place, and finally the last step is monitoring, in other words, the structure that responds to the risk in an ever-changing environment. This thesis has as its objective the development of a risk management web application that scans all the assets of a given network. This web application uses the Flask framework for its development and the open-source tool Nmap for the asset scanning and for all the services running on each live host.

For the detection of vulnerabilities, the application has a connection to the NVD repository through an API, and to the VulDB repository through another API, in order to identify all the existing vulnerabilities associated with the services found during the scan. All this information is stored in an SQLite database. According to Portuguese law (109/2009), the use of the tool Nmap is strictly forbidden but can be authorized for use given the proper permission from the involved parties. The experiments use the virtualization software VirtualBox to simulate the network of a virtual hospital that was already created in another project. All the results are in the end available as a report through the web application. This project was able to develop a functional risk management web application, capable of scanning a network in order to find the vulnerable assets. Equally successful was the implementation of the vulnerability detection through the use of external vulnerability databases. Finally, this thesis successfully implemented a comparison between scans to discover which vulnerabilities have been corrected and which ones appear as new in specific assets. However, it was not possible to successfully integrate this application into an already existing project using React. Equally not accomplished was an automated way to schedule periodic scans. Finally, given the available resources, the virtual hospital network was largely reduced.

VTAC: Virtual terrain assisted impact assessment for cyber attacks

Recently, there has been substantial research in the area of network security. Correlation of intrusion detection sensor alerts, vulnerability analysis, and threat projection are all being studied in the hope of relieving the workload that analysts have in monitoring their networks. Having an automated algorithm that can estimate the impact of cyber attacks on a network is another facet network analysts could use in defending their networks and gaining better overall situational awareness. Impact assessment involves determining the effect of a cyber attack on a network. Impact algorithms may consider items such as machine importance, connectivity, user accounts, known attacker capability, and similar machine configurations. Due to the increasing number of attacks, constantly changing vulnerabilities, and unknown attacker behavior, automating impact assessment is a non-trivial task. This work develops a virtual terrain that contains network and machine characteristics relevant to impact assessment. Once populated, this virtual terrain is used to perform impact assessment algorithms. The goal of this work is to investigate and propose an impact assessment system to assist network analysts in prioritizing attacks and analyzing overall network status. VTAC is tested with several scenarios over a network with a variety of configurations. Insights into the results of the scenarios, including how the network topologies and network asset configurations affect the impact analysis, are discussed.