130 research outputs found
Modeling of Advanced Threat Actors: Characterization, Categorization and Detection
Information and its related technologies are a critical asset to protect for people, organizations and even whole countries. Our dependency on information technologies increases every day, so their security is a key issue for our well-being. The benefits that information technologies provide are unquestionable, but their usage also presents risks that, linked to our growing dependency on technologies, we must mitigate. Advanced threat actors are mainly categorized into criminal gangs, with an economic goal, and countries, whose goal is to gain superiority in strategic affairs such as commercial or military ones. These actors exploit technologies, particularly cyberspace, to achieve their goals.
This PhD thesis significantly contributes to advanced threat actors' categorization and to the detection of their hostile activities. The analysis of their features is a must not only to know these actors and their operations better, but also to ease the deployment of countermeasures that increase our security. The detection of these operations is a mandatory first step to neutralize them, and so to minimize their impact.
Regarding characterization, this work delves into the analysis of advanced threat actors' tactics and techniques. This analysis is always required for an accurate detection of hostile activities in cyberspace, but in the particular case of advanced threat actors, from criminal gangs to nation-states, it is mandatory: their activities are stealthy, as their success in most cases relies on not being detected by the target.
Regarding detection, this work identifies and justifies the key requirements to establish an accurate response capability to face advanced threat actors. In addition, this work defines the tactics to be deployed in Security Operations Centers to optimize their detection and response capabilities. It is important to highlight that these tactics, arranged as a kill chain, allow not only this optimization but also a homogeneous and structured approach, common to all defensive centers.
In my opinion, one of the main bases of my work must be the applicability of its results. For this reason, the analysis of threat actors' tactics and techniques is aligned with the main public framework for this analysis, MITRE ATT&CK. The results and proposals from this research can be directly included in this framework, improving the characterization of threat actors as well as of their cyberspace activities. In addition, the proposals to improve the detection of these activities are directly applicable both in current Security Operations Centers and in common industry technologies. In this way, I consider that this work significantly improves current analysis and detection capabilities, and at the same time it improves the neutralization of hostile operations. These capabilities increase global security for all kinds of organizations and, definitely, for our whole society.
Villalón Huerta, A. (2023). Modeling of Advanced Threat Actors: Characterization, Categorization and Detection [Doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/193855
Hardware-Assisted Processor Tracing for Automated Bug Finding and Exploit Prevention
The proliferation of binary-only program analysis techniques like fuzz testing and symbolic analysis has led to an acceleration in the number of publicly disclosed vulnerabilities. Unfortunately, while bug finding has benefited from recent advances in automation and a decreasing barrier to entry, bug remediation has received less attention. Consequently, analysts are publicly disclosing bugs faster than developers and system administrators can mitigate them. Hardware-supported processor tracing within commodity processors opens new doors to observing low-level behaviors with efficiency, transparency, and integrity that can close this automation gap. Unfortunately, several trade-offs in its design raise serious technical challenges that have limited widespread adoption. Specifically, modern processor traces only capture control-flow behavior, yield high volumes of data that incur overhead to sift through, and generally introduce a semantic gap between low-level behavior and security-relevant events.
To solve the above challenges, I propose control-oriented record and replay, which combines concrete traces with symbolic analysis to uncover vulnerabilities and exploits. To demonstrate the efficacy and versatility of my approach, I first present a system called ARCUS, which is capable of analyzing processor traces flagged by host-based monitors to detect, localize, and provide preliminary patches to developers for memory corruption vulnerabilities. ARCUS has detected 27 previously known vulnerabilities alongside 4 novel cases, leading to the issuance of several advisories and official developer patches. Next, I present MARSARA, a system that protects the integrity of execution unit partitioning in data provenance-based forensic analysis. MARSARA prevents several expertly crafted exploits from corrupting partitioned provenance graphs while incurring little overhead compared to prior work. Finally, I present Bunkerbuster, which extends the ideas from ARCUS and MARSARA into a system capable of proactively hunting for bugs across multiple end-hosts simultaneously, resulting in the discovery and patching of 4 more novel bugs.
2022 - The Third Annual Fall Symposium of Student Scholars
The full program book from the Fall 2022 Symposium of Student Scholars, held on November 17, 2022. It includes abstracts from the presentations and posters.
RoboCISO2: using RPA and AI technologies to give the CISO a daily situational analysis of the state of cybersecurity in their organization
Master's Project Report, Informatics, 2021, Universidade de Lisboa, Faculdade de Ciências
Altice Portugal's Chief Information Security Officer (CISO) has RoboCISO to assist in the governance of the company's cybersecurity. RoboCISO is a Robotic Process Automation (RPA) system that continuously alerts and informs the CISO of the status of a set of risk vectors chosen by the CISO.
The aim of this project was the development of a complementary version of RoboCISO, which we dubbed RoboCISO2, that introduced the concept of the Daily Security Brief (DSB). The DSB is a PDF document that, in a concise, synthetic and global way, presents the CISO with a daily situational analysis of the state of cybersecurity at Altice Portugal. This document is sent to the CISO by email once a day, every day. It contains an initial summary, and the body of the document is divided into the different risk vectors, presenting graphs, tables and short sentences for each one. The risk vectors under analysis are cybersecurity incidents, in particular Denial of Service (DoS)/Distributed Denial of Service (DDoS) attacks; Service Level Agreements (SLAs) that were exceeded in terms of incident resolution (Exceeded SLAs); verification of the operation of the company's critical platforms (Current Health (Uptime) of DCY Systems); assessment of the ratings assigned by Bitsight (External CyberHygiene); and assessment of topics such as the installation status of security patches (Internal CyberHygiene).
RoboCISO2 is a system that allows the automatic, robotized generation of the DSB, using RPA and Artificial Intelligence (AI) to choose the information that appears in the initial summary and to assign a classification to each risk vector according to its status.
RoboCISO keeps Altice Portugal's CISO permanently informed, that is, whenever a cybersecurity incident occurs, the CISO is alerted. RoboCISO2, meanwhile, consolidates all the crucial information into a single document, enabling the CISO to look at the information as a whole and acquire situational awareness of the state of cybersecurity in the organization. Having the relevant information synthesized in a single document increases the ability to understand and process it and eases decision-making.
Catching the flu: syndromic surveillance, algorithmic governmentality and global health security
This thesis offers a critical analysis of the rise of syndromic surveillance systems for the advanced detection of pandemic threats within contemporary global health security frameworks. The thesis traces the iterative evolution and ascendancy of three such novel syndromic surveillance systems for the strengthening of health security initiatives over the past two decades: 1) The Program for Monitoring Emerging Diseases (ProMED-mail); 2) The Global Public Health Intelligence Network (GPHIN); and 3) HealthMap. This thesis demonstrates how each newly introduced syndromic surveillance system has become increasingly oriented towards the integration of digital algorithms into core surveillance capacities to continually harness and forecast upon infinitely generating sets of digital, open-source data, potentially indicative of forthcoming pandemic threats.
This thesis argues that the increased centrality of the algorithm within these next-generation syndromic surveillance systems produces a new and distinct form of infectious disease surveillance for the governing of emergent pathogenic contingencies. Conceptually, the thesis also shows how the rise of this algorithmic mode of infectious disease surveillance produces divergences in the governmental rationalities of global health security, leading to the rise of an algorithmic governmentality within contemporary contexts of Big Data and these surveillance systems. Empirically, this thesis demonstrates how this new form of algorithmic infectious disease surveillance has been rapidly integrated into diplomatic, legal, and political frameworks to strengthen the practice of global health security – producing subtle, yet distinct shifts in the outbreak notification and reporting transparency of states, increasingly scrutinized by the algorithmic gaze of syndromic surveillance.
Safety and Reliability - Safe Societies in a Changing World
The contributions cover a wide range of methodologies and application areas for safety and reliability that contribute to safe societies in a changing world. These methodologies and applications include:
- foundations of risk and reliability assessment and management
- mathematical methods in reliability and safety
- risk assessment
- risk management
- system reliability
- uncertainty analysis
- digitalization and big data
- prognostics and system health management
- occupational safety
- accident and incident modeling
- maintenance modeling and applications
- simulation for safety and reliability analysis
- dynamic risk and barrier management
- organizational factors and safety culture
- human factors and human reliability
- resilience engineering
- structural reliability
- natural hazards
- security
- economic analysis in risk management
Using Twitter data to provide qualitative insights into pandemics and epidemics
Background: One area of public health research specialises in examining public views and opinions surrounding infectious disease outbreaks. Although interviews and surveys are valid sources of this information, the views and opinions they capture are necessarily generated by the context, rather than spontaneous. As such, social media has increasingly been viewed as a legitimate source of pragmatic, unfiltered public opinion.
Objectives: This research attempts to better understand how users converse about infectious disease outbreaks on the social media platform Twitter. The study was undertaken in order to address a gap in knowledge because previous empirical studies that have analysed infectious disease outbreaks on Twitter have focused on employing quantitative methods as the primary form of data analysis. After analysing individual cases on Ebola, Zika, and swine flu, the study performs an important comparison in the types of discussions taking place on Twitter and is the first empirical study to do so.
Methods: A number of pilot studies were initially designed and conducted in order to help inform the main study. The study then manually labels tweets on infectious disease outbreaks assisted by the qualitative analysis programme NVivo, and performs an analysis using the Health Belief Model, concepts around information theory, and a number of sociological principles. The data were purposively sampled according to when Google Trends Data showed a heightened interest in the respective outbreaks, and a case study approach was utilised.
Results: A substantial number of themes were uncovered which were not reported in previous literature, demonstrating the potential of qualitative methodologies for extracting greater insight into public health opinions from Twitter data. The study noted several limitations of Twitter data for use in qualitative research. However, the results demonstrated the potential of Twitter to identify discussions around infectious diseases that might not emerge in an interview and/or might not be included in a survey.