Lateral Movement in Windows Systems and Detecting the Undetected ShadowMove

Lateral Movement is a pervasive threat that exists because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research completed into preventing lateral movement in enterprise systems. However, attackers are using more sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review is conducted, outlining new techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by Advanced Persistent Threats, and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel method for moving laterally is introduced and studied, and an original method for detecting this method of lateral movement is proposed

Towards a secure web server

Securing a web server on an insecure operating system can often prove to be unsuccessful. This leads us to consider structuring an operating system architecture specially configured for a secure web server. The first half of the paper presents an analysis of some common attacks against a web server. In the second half, the paper focuses on ways to secure a web server. An essential phase in securing a web server consists of securing the operating system on which the server is run. This is important because compromising a flaw in the operating system might lead to an attack on the web server. Denial of Service (DOS) attack is one of the most common attacks that are aimed at the web server. It can be addressed to a large extent by using a proper resource control mechanism. We propose a security architecture design that integrates resource control and accountability into Mandatory Access Control (MAC) architecture. The implementation incorporates resource control into SELinux, which has MAC built into it. This is then integrated with Multi Agent Intrusion Detection System (MAIDS), which is a framework for an intrusion detection system that is modularly compatible with other detection systems. Integration with MAIDS is done to alert the system administrator whenever a DOS attack occurs. The MAIDS software will monitor the resource control mechanism to check whether a DOS attack has taken place or not. Finally, we present the design and implementation of a security tool that checks for configurations of the web server and the operating system on which it is run

A Novel Method for Moving Laterally and Discovering Malicious Lateral Movements in Windows Operating Systems: A Case Study

Lateral movement is a pervasive threat because modern networked systems that provide access to multiple users are far more efficient than their non-networked counterparts. It is a well-known attack methodology with extensive research conducted investigating the prevention of lateral movement in enterprise systems. However, attackers use increasingly sophisticated methods to move laterally that bypass typical detection systems. This research comprehensively reviews the problems in lateral movement detection and outlines common defenses to protect modern systems from lateral movement attacks. A literature review outlines techniques for automatic detection of malicious lateral movement, explaining common attack methods utilized by advanced persistent threats and components built into the Windows operating system that can assist with discovering malicious lateral movement. Finally, a novel approach for moving laterally designed by other security researchers is reviewed and studied, an original process for detecting this method of lateral movement is proposed, and the application of the detection methodology is also expanded

SoK: Security of Programmable Logic Controllers

Billions of people rely on essential utility and manufacturing infrastructures such as water treatment plants, energy management, and food production. Our dependence on reliable infrastructures makes them valuable targets for cyberattacks. One of the prime targets for adversaries attacking physical infrastructures are Programmable Logic Controllers (PLCs) because they connect the cyber and physical worlds. In this study, we conduct the first comprehensive systematization of knowledge that explores the security of PLCs: We present an in-depth analysis of PLC attacks and defenses and discover trends in the security of PLCs from the last 17 years of research. We introduce a novel threat taxonomy for PLCs and Industrial Control Systems (ICS). Finally, we identify and point out research gaps that, if left ignored, could lead to new catastrophic attacks against critical infrastructures.Comment: 25 pages, 13 figures, Extended version February 2024, A shortened version is to be published in the 33rd USENIX Security Symposium, for more information, see https://efrenlopez.org

Information Security and Privacy in the Cloud of Healthcare Sector, and The Use of Miter Att&ck Framework to Keep the Healthcare Secure

With healthcare moving to the cloud, it is necessary to be concerned about the rising cyber-threats. The healthcare industry is one of the most targeted industries by cyber-criminals. This can be attributed to the weak security measures employed and the vast amounts of valuable data that the healthcare industry holds. To ensure that the healthcare industry is secure, this paper proposes the use of the MITRE ATT&CK framework. The MITRE ATT&CK framework presents the best possible way of staying ahead of the threat landscape by helping cyber-security experts understand adversaries\u27 thought processes. By understanding how attackers think and the techniques that they use to gain unauthorized access to IT systems, the healthcare industry can use this information to improve its security architecture. To collect data needed for the study, the qualitative research design will be utilized. Data will be gathered from multiple sources, and the information synthesized to understand how the healthcare industry can improve its security through the application of the MITRE ATT&CK framework

Applicability of Neural Networks to Software Security

Software design flaws account for 50% software security vulnerability today. As attacks on vulnerable software continue to increase, the demand for secure software is also increasing thereby putting software developers under more pressure. This is especially true for those developers whose primary aim is to produce their software quickly under tight deadlines in order to release it into the market early. While there are many tools focusing on implementation problems during software development lifecycle (SDLC), this does not provide a complete solution in resolving software security problems. Therefore designing software with security in mind will go a long way in developing secure software. However, most of the current approaches used for evaluating software designs require the involvement of security experts because many software developers often lack the required expertise in making their software secure. In this research the current approaches used in integrating security at the design level is discussed and a new method of evaluating software design using neural network as evaluation tool is presented. With the aid of the proposed neural network tool, this research found out that software design scenarios can be matched to attack patterns that identify the security flaws in the design scenarios. Also, with the proposed neural network tool this research found out that the identified attack patterns can be matched to security patterns that can provide mitigation to the threat in the attack pattern

Evaluating the Gasday Security Policy Through Penetration Testing and Application of the Nist Cybersecurity Framework

This thesis explores cybersecurity from the perspective of the Marquette University GasDay lab. We analyze three different areas of cybersecurity in three independent chapters. Our goal is to improve the cybersecurity capabilities of GasDay, Marquette University, and the natural gas industry. We present network penetration testing as a process of attempting to gain access to resources of GasDay without prior knowledge of any valid credentials. We discuss our method of identifying potential targets using industry standard reconnaissance methods. We outline the process of attempting to gain access to these targets using automated tools and manual exploit creation. We propose several solutions to those targets successfully exploited and recommendations for others. Next, we discuss GasDay Web and techniques to validate the security of a web-based GasDay software product. We use a form of penetration testing specifically targeted for a website. We demonstrate several vulnerabilities that are able to cripple the availability of the website and recommendations to mitigate these vulnerabilities. We then present the results of performing an inspection of GasDay Web code to uncover vulnerabilities undetectable by automated tools and make suggestions on their fixes. We discuss recommendations on how vulnerabilities can be mitigated or detected in the future. Finally, we apply the NIST Cybersecurity Framework to GasDay. We present the Department of Energy recommendations for the natural gas industry. Using these recommendations and the NIST Framework, we evaluate the overall cybersecurity maturity of the GasDay lab. We present several recommendations where GasDay could improve the maturity levels that are cost-effective and easy to implement. We identify several items missing from a cybersecurity plan and propose methods to implement them. The results of this thesis show that cybersecurity at a research lab is difficult. We demonstrate that even as a member of Marquette University, GasDay cannot rely on Marquette for cybersecurity. We show that the primary obstacle is lack of information - about cybersecurity and the assets GasDay controls. We make recommendations on how these items can be effectively created and managed

Security Frameworks for Machine-to-Machine Devices and Networks

Attacks against mobile systems have escalated over the past decade. There have been increases of fraud, platform attacks, and malware. The Internet of Things (IoT) offers a new attack vector for Cybercriminals. M2M contributes to the growing number of devices that use wireless systems for Internet connection. As new applications and platforms are created, old vulnerabilities are transferred to next-generation systems. There is a research gap that exists between the current approaches for security framework development and the understanding of how these new technologies are different and how they are similar. This gap exists because system designers, security architects, and users are not fully aware of security risks and how next-generation devices can jeopardize safety and personal privacy. Current techniques, for developing security requirements, do not adequately consider the use of new technologies, and this weakens countermeasure implementations. These techniques rely on security frameworks for requirements development. These frameworks lack a method for identifying next generation security concerns and processes for comparing, contrasting and evaluating non-human device security protections. This research presents a solution for this problem by offering a novel security framework that is focused on the study of the “functions and capabilities” of M2M devices and improves the systems development life cycle for the overall IoT ecosystem