5 research outputs found
Ransomware Simulator for In-Depth Analysis and Detection: Leveraging Centralized Logging and Sysmon for Improved Cybersecurity
Abstract
Ransomware attacks have become increasingly prevalent and sophisticated, posing significant threats to organizations and individuals worldwide. To effectively combat these threats,
security professionals must continuously develop and adapt their detection and mitigation
strategies. This master thesis presents the design and implementation of a ransomware simulator to facilitate an in-depth analysis of ransomware Tactics, Techniques, and Procedures
(TTPs) and to evaluate the effectiveness of centralized logging and Sysmon, including the
latest event types, in detecting and responding to such attacks.
The study explores the advanced capabilities of Sysmon as a logging tool and data source,
focusing on its ability to capture multiple event types, such as file creation, process execution,
and network traffic, as well as the newly added event types. The aim is to demonstrate the
effectiveness of Sysmon in detecting and analyzing malicious activities, with an emphasis on
the latest features. By focusing on the comprehensive aspects of a cyber-attack, the study
showcases the versatility and utility of Sysmon in detecting and addressing various attack
vectors.
The ransomware simulator is developed using a PowerShell script that emulates various
ransomware TTPs and attack scenarios, providing a comprehensive and realistic simulation
of a ransomware attack. Sysmon, a powerful system monitoring tool, is utilized to monitor
and log the activities associated with the simulated attack, including the events generated by
the new Sysmon features. Centralized logging is achieved through the integration of Splunk
Enterprise, a widely used platform for log analysis and management. The collected logs are
then analyzed to identify patterns, indicators of compromise (IoCs), and potential detection
and mitigation strategies.
Through the development of the ransomware simulator and the subsequent analysis of
Sysmon logs, this research contributes to strengthening the security posture of organizations
and improving cybersecurity measures against ransomware threats, with a focus on the latest
Sysmon capabilities. The results demonstrate the importance of monitoring and analyzing
system events to effectively detect and respond to ransomware attacks. This research can serve
as a basis for further exploration of ransomware detection and response strategies, contributing
to the advancement of cybersecurity practices and the development of more robust security
measures against ransomware threats
Cyber Threat Intelligence Exchange
The processing and exchange of Cyber Threat Intelligence (CTI) has become an increas- ingly important topic in recent years. This trend can be attributed to various factors. On the one hand, the exchange of information offers great potential to strengthen the knowledge base of companies and thus improve their protection against cyber threats. On the other hand, legislators in various countries have recognized this potential and translated it into legal reporting requirements. However, CTI is still a very young research area with only a small body of literature. Hence, there are hardly any guidelines, uniform standards, or speciļ¬cations that deļ¬ne or support such an exchange. This dissertation addresses the problem by reviewing the methodological foundations for the exchange of threat intelligence in three focal areas. First, the underlying data formats and data structures are analyzed, and the basic methods and models are developed. In the further course of the work, possibilities for integrating humans into the analysis process of security incidents and into the generation of CTI are investigated. The ļ¬nal part of the work examines possible obstacles in the exchange of CTI. Both the legal environment and mechanisms to create incentives for an exchange are studied. This work thus creates a solid basis and a structured framework for the cooperative use of CTI