INTEGRATION OF INTELLIGENCE TECHNIQUES ON THE EXECUTION OF PENETRATION TESTS (iPENTEST)

Penetration Tests (Pentests) identify potential vulnerabilities in the security of computer systems via security assessment. However, it should also benefit from widely recognized methodologies and recommendations within this field, as the Penetration Testing Execution Standard (PTES). The objective of this research is to explore PTES, particularly the three initial phases: 1. Pre-Engagement Interactions; 2. Intelligence Gathering; 3. Threat Modeling; and ultimately to apply Intelligence techniques to the Threat Modeling phase. To achieve this, we will use open-source and/or commercial tools to structure a process to clarify how the results were reached using the research inductive methodology. The following steps were implemented: i) critical review of the “Penetration Testing Execution Standard (PTES)”; ii) critical review of Intelligence Production Process; iii) specification and classification of contexts in which Intelligence could be applied; iv) definition of a methodology to apply Intelligence Techniques to the specified contexts; v) application and evaluation of the proposed methodology to real case study as proof of concept. This research has the ambition to develop a model grounded on Intelligence techniques to be applied on PTES Threat Modeling phase

Fundamental Concepts of Cyber Resilience: Introduction and Overview

Given the rapid evolution of threats to cyber systems, new management approaches are needed that address risk across all interdependent domains (i.e., physical, information, cognitive, and social) of cyber systems. Further, the traditional approach of hardening of cyber systems against identified threats has proven to be impossible. Therefore, in the same way that biological systems develop immunity as a way to respond to infections and other attacks, so too must cyber systems adapt to ever-changing threats that continue to attack vital system functions, and to bounce back from the effects of the attacks. Here, we explain the basic concepts of resilience in the context of systems, discuss related properties, and make business case of cyber resilience. We also offer a brief summary of ways to assess cyber resilience of a system, and approaches to improving cyber resilience.Comment: This is a preprint version of a chapter that appears in the book "Cyber Resilience of Systems and Networks," Springer 201

Threat awareness for critical infrastructures resilience

Utility networks are part of every nation’s critical infrastructure, and their protection is now seen as a high priority objective. In this paper, we propose a threat awareness architecture for critical infrastructures, which we believe will raise security awareness and increase resilience in utility networks. We first describe an investigation of trends and threats that may impose security risks in utility networks. This was performed on the basis of a viewpoint approach that is capable of identifying technical and non-technical issues (e.g., behaviour of humans). The result of our analysis indicated that utility networks are affected strongly by technological trends, but that humans comprise an important threat to them. This provided evidence and confirmed that the protection of utility networks is a multi-variable problem, and thus, requires the examination of information stemming from various viewpoints of a network. In order to accomplish our objective, we propose a systematic threat awareness architecture in the context of a resilience strategy, which ultimately aims at providing and maintaining an acceptable level of security and safety in critical infrastructures. As a proof of concept, we demonstrate partially via a case study the application of the proposed threat awareness architecture, where we examine the potential impact of attacks in the context of social engineering in a European utility company

DEFINING, MEASURING, AND ANALYZING DEFENSIBILITY IN THE DEFENSIVE CYBER OPERATIONS CONTEXT

When talking about cyber systems, both researchers and decision makers have used the term "defensibility" widely, but there is no universal definition for it and no method to observe and measure it. This study examines how defensibility can be defined in a defensive cyber operations context, what critical factors constitute it, and how those factors could be measured. This is done by first examining doctrine and research to create a framework of meaning for defensibility. Second, the study proposes seven fundamental capabilities that a defender needs to be able to perform in defensive cyber operations and a set of system attributes that affect those capabilities. Finally, a set of measures for those attributes is proposed to allow defensibility to be observed and measured. The results of this study are a definition of defensibility for the defensive cyber operations context, a list of system attributes that constitute its defensibility, and a set of associated measurements for these attributes. Using these, it is possible to analyze the defensibility of a system to indicate what restrictions a defender might have when conducting operations in the system and the areas where the system needs to improve. This work is the first step in building defensibility into a useful tool that highlights the needs of a defensive actor who conducts dynamic defensive operations in a system, versus the needs of an actor who implements static measures to increase cyber security.Löjtnant, Swedish NavyApproved for public release. Distribution is unlimited

RISK ASSESSMENT OF MALICIOUS ATTACKS AGAINST POWER SYSTEMS

The new scenarios of malicious attack prompt for their deeper consideration and mainly when critical systems are at stake. In this framework, infrastructural systems, including power systems, represent a possible target due to the huge impact they can have on society. Malicious attacks are different in their nature from other more traditional cause of threats to power system, since they embed a strategic interaction between the attacker and the defender (characteristics that cannot be found in natural events or systemic failures). This difference has not been systematically analyzed by the existent literature. In this respect, new approaches and tools are needed. This paper presents a mixed-strategy game-theory model able to capture the strategic interactions between malicious agents that may be willing to attack power systems and the system operators, with its related bodies, that are in charge of defending them. At the game equilibrium, the different strategies of the two players, in terms of attacking/protecting the critical elements of the systems, can be obtained. The information about the attack probability to various elements can be used to assess the risk associated with each of them, and the efficiency of defense resource allocation is evidenced in terms of the corresponding risk. Reference defense plans related to the online defense action and the defense action with a time delay can be obtained according to their respective various time constraints. Moreover, risk sensitivity to the defense/attack-resource variation is also analyzed. The model is applied to a standard IEEE RTS-96 test system for illustrative purpose and, on the basis of that system, some peculiar aspects of the malicious attacks are pointed ou

Simulation for Cybersecurity: State of the Art and Future Directions

In this article, we provide an introduction to simulation for cybersecurity and focus on three themes: (1) an overview of the cybersecurity domain; (2) a summary of notable simulation research efforts for cybersecurity; and (3) a proposed way forward on how simulations could broaden cybersecurity efforts. The overview of cybersecurity provides readers with a foundational perspective of cybersecurity in the light of targets, threats, and preventive measures. The simulation research section details the current role that simulation plays in cybersecurity, which mainly falls on representative environment building; test, evaluate, and explore; training and exercises; risk analysis and assessment; and humans in cybersecurity research. The proposed way forward section posits that the advancement of collecting and accessing sociotechnological data to inform models, the creation of new theoretical constructs, and the integration and improvement of behavioral models are needed to advance cybersecurity efforts

Refining the PoinTER “human firewall” pentesting framework

PurposePenetration tests have become a valuable tool in the cyber security defence strategy, in terms of detecting vulnerabilities. Although penetration testing has traditionally focused on technical aspects, the field has started to realise the importance of the human in the organisation, and the need to ensure that humans are resistant to cyber-attacks. To achieve this, some organisations “pentest” their employees, testing their resilience and ability to detect and repel human-targeted attacks. In a previous paper we reported on PoinTER (Prepare TEst Remediate), a human pentesting framework, tailored to the needs of SMEs. In this paper, we propose improvements to refine our framework. The improvements are based on a derived set of ethical principles that have been subjected to ethical scrutiny.MethodologyWe conducted a systematic literature review of academic research, a review of actual hacker techniques, industry recommendations and official body advice related to social engineering techniques. To meet our requirements to have an ethical human pentesting framework, we compiled a list of ethical principles from the research literature which we used to filter out techniques deemed unethical.FindingsDrawing on social engineering techniques from academic research, reported by the hacker community, industry recommendations and official body advice and subjecting each technique to ethical inspection, using a comprehensive list of ethical principles, we propose the refined GDPR compliant and privacy respecting PoinTER Framework. The list of ethical principles, we suggest, could also inform ethical technical pentests.OriginalityPrevious work has considered penetration testing humans, but few have produced a comprehensive framework such as PoinTER. PoinTER has been rigorously derived from multiple sources and ethically scrutinised through inspection, using a comprehensive list of ethical principles derived from the research literature

Cognitive Machine Individualism in a Symbiotic Cybersecurity Policy Framework for the Preservation of Internet of Things Integrity: A Quantitative Study

This quantitative study examined the complex nature of modern cyber threats to propose the establishment of cyber as an interdisciplinary field of public policy initiated through the creation of a symbiotic cybersecurity policy framework. For the public good (and maintaining ideological balance), there must be recognition that public policies are at a transition point where the digital public square is a tangible reality that is more than a collection of technological widgets. The academic contribution of this research project is the fusion of humanistic principles with Internet of Things (IoT) technologies that alters our perception of the machine from an instrument of human engineering into a thinking peer to elevate cyber from technical esoterism into an interdisciplinary field of public policy. The contribution to the US national cybersecurity policy body of knowledge is a unified policy framework (manifested in the symbiotic cybersecurity policy triad) that could transform cybersecurity policies from network-based to entity-based. A correlation archival data design was used with the frequency of malicious software attacks as the dependent variable and diversity of intrusion techniques as the independent variable for RQ1. For RQ2, the frequency of detection events was the dependent variable and diversity of intrusion techniques was the independent variable. Self-determination Theory is the theoretical framework as the cognitive machine can recognize, self-endorse, and maintain its own identity based on a sense of self-motivation that is progressively shaped by the machine’s ability to learn. The transformation of cyber policies from technical esoterism into an interdisciplinary field of public policy starts with the recognition that the cognitive machine is an independent consumer of, advisor into, and influenced by public policy theories, philosophical constructs, and societal initiatives