Federated Agentless Detection of Endpoints Using Behavioral and Characteristic Modeling

During the past two decades computer networks and security have evolved that, even though we use the same TCP/IP stack, network traffic behaviors and security needs have significantly changed. To secure modern computer networks, complete and accurate data must be gathered in a structured manner pertaining to the network and endpoint behavior. Security operations teams struggle to keep up with the ever-increasing number of devices and network attacks daily. Often the security aspect of networks gets managed reactively instead of providing proactive protection. Data collected at the backbone are becoming inadequate during security incidents. Incident response teams require data that is reliably attributed to each individual endpoint over time. With the current state of dissociated data collected from networks using different tools it is challenging to correlate the necessary data to find origin and propagation of attacks within the network. Critical indicators of compromise may go undetected due to the drawbacks of current data collection systems leaving endpoints vulnerable to attacks. Proliferation of distributed organizations demand distributed federated security solutions. Without robust data collection systems that are capable of transcending architectural and computational challenges, it is becoming increasingly difficult to provide endpoint protection at scale. This research focuses on reliable agentless endpoint detection and traffic attribution in federated networks using behavioral and characteristic modeling for incident response

Prevention Of Session Hijacking And IP spoofing With Sensor Nodes And Cryptographic Approach

Many web applications available today make use of some way of session to be able to communicate between the server and client. Unfortunately, it is possible for an attacker to exploit session in order to impersonate another user at a web application. The session hijacking is the most common type of attack in the infrastructure type of network. The confidentially is not providing under this attack to user information. Session hijacking attack is launched by making fake access point. If we detect the fake access point then we can stop session hijacking, and various techniques had been proposed. In this paper, we are giving a new mechanism to detect the fake access point with the use of sensor nodes in the network. In this mechanism we are also giving the protection against IP Spoofing by the use of public private key cryptography key exchange algorithm. We also discuss the results through simulations in Network Simulator 2

Detection and control of small civilian UAVs

With the increasing proliferation of small civilian Unmanned Aerial Vehicles (UAVs), the threat to critical infrastructure (CI) security and privacy is now widely recognised and must be addressed. These devices are easily available at a low cost, with their usage largely unrestricted allowing users to have no accountability. Further, current implementations of UAVs have little to no security measures applied to their control interfaces. To combat the threat raised by small UAVs, being aware of their presence is required, a task that can be challenging and often requires customised hardware. This thesis aimed to address the threats posed by the Parrot AR Drone v2, by presenting a data link signature detection method which provides the characteristics needed to implement a mitigation method, capable of stopping a UAVs movement and video stream. These methods were developed using an experimental procedure and are packaged as a group of Python scripts. A suitable detection method was developed, capable of detecting and identifying a Parrot AR Drone v2 within WiFi operational range. A successful method of disabling the controls and video of a Parrot AR Drone in the air was implemented, with collection of video and control commands also achieved, for after-the-event reconstruction of the video stream. Real-time video monitoring is achievable, however it is deemed detrimental to the flight stability of the Parrot, reducing the effectiveness of monitoring the behaviour of an unidentified Parrot AR Drone v2. Additionally, implementing a range of mitigations for continued monitoring of Parrot AR Drones proved ineffectual, given that the mitigations applied were found to be non-persistent, with the mitigations reverting after control is returned to the controller. While the ability to actively monitor and manipulate Parrot AR Drones was successful, it was not to the degree believed possible during initial research

Network-based APT profiler

Constant innovation in attack methods presents a significant problem for the security community which struggles to remain current in attack prevention, detection and response. The practice of threat hunting provides a proactive approach to identify and mitigate attacks in real-time before the attackers complete their objective. In this research, I present a matrix of adversary techniques inspired by MITRE’s ATT&CK matrix. This study allows threat hunters to classify the actions of advanced persistent threats (APTs) according to network-based behaviors

OSINT-based Email Analyzer for Phishing Detection

It is more and more common to receive emails asking for credentials. They usually say that there is some kind of issue that must be solved by accessing the involved service using the link inside the message text. These emails are often malicious, thought to steal users' or employees' credentials and gain access to personal or corporate areas. This scenario is commonly known as phishing, and nowadays it is the most common cause of corporate data breaches. The attacker tries to exploit human vulnerabilities like fear, concern or carelessness to obtain what would be difficult to achieve otherwise. Even if it is easy from an expert point of view to recognize such attempts, it is not so simple to automatize their detection, due to the fact that there are various techniques to elude systematic checks. Nevertheless, Würth Phoenix wants to improve their cyber defense against any possible threat, and hence they assigned me the task of working on phishing emails detection. This thesis presents a novel program that can analyze all emails delivered to a specifically set up email server without any filtering on incoming traffic, which is then called a "spam-trap-box." Additionally, it is configured with accounts registered for domains owned by failed companies that used to operate in the same industry of Würth Phoenix customers. This way it is more probable to analyze traffic similar to the one in a real case scenario. The innovative part of the analysis implemented is the use of Open Source Intelligence (OSINT) to compare the most relevant parts of an email with evidence of other phishing attempts indexed on the web, which are generally known as Indicators of Compromise (IoCs). After the inspection, if an email is categorized as malicious, new IoCs are created to feed the Würth Phoenix Security Operation Center (SOC), which is the service responsible for the protection against cyber threats offered to their customers. The new indicators include more information than the ones used during the analysis, and the findings are inherent to clients' businesses, thus the SOC has more details to use while analyzing their email traffic

A Framework for Cyber Vulnerability Assessments of InfiniBand Networks

InfiniBand is a popular Input/Output interconnect technology used in High Performance Computing clusters. It is employed in over a quarter of the world’s 500 fastest computer systems. Although it was created to provide extremely low network latency with a high Quality of Service, the cybersecurity aspects of InfiniBand have yet to be thoroughly investigated. The InfiniBand Architecture was designed as a data center technology, logically separated from the Internet, so defensive mechanisms such as packet encryption were not implemented. Cyber communities do not appear to have taken an interest in InfiniBand, but that is likely to change as attackers branch out from traditional computing devices. This thesis considers the security implications of InfiniBand features and constructs a framework for conducting Cyber Vulnerability Assessments. Several attack primitives are tested and analyzed. Finally, new cyber tools and security devices for InfiniBand are proposed, and changes to existing products are recommended

A security analysis of email communications

The objective of this report is to analyse the security and privacy risks of email communications and identify technical countermeasures capable of mitigating them effectively. In order to do so, the report analyses from a technical point of view the core set of communication protocols and standards that support email communications in order to identify and understand the existing security and privacy vulnerabilities. On the basis of this analysis, the report identifies and analyses technical countermeasures, in the form of newer standards, protocols and tools, aimed at ensuring a better protection of the security and privacy of email communications. The practical implementation of each countermeasure is evaluated in order to understand its limitations and identify potential technical and organisational constrains that could limit its effectiveness in practice. The outcome of the above mentioned analysis is a set of recommendations regarding technical and organisational measures that when combined properly have the potential of more effectively mitigating the privacy and security risks of today's email communications.JRC.G.6-Digital Citizen Securit

IPv6: a new security challenge

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011O Protocolo de Internet versão 6 (IPv6) foi desenvolvido com o intuito de resolver alguns dos problemas não endereçados pelo seu antecessor, o Protocolo de Internet versão 4 (IPv4), nomeadamente questões relacionadas com segurança e com o espaço de endereçamento disponível. São muitos os que na última década têm desenvolvido estudos sobre os investimentos necessários à sua adoção e sobre qual o momento certo para que o mesmo seja adotado por todos os players no mercado. Recentemente, o problema da extinção de endereçamentos públicos a ser disponibilizado pelas diversas Region Internet registry – RIRs - despertou o conjunto de entidades envolvidas para que se agilizasse o processo de migração do IPv4 para o IPv6. Ao contrário do IPv4, esta nova versão considera a segurança como um objetivo fundamental na sua implementação, nesse sentido é recomendado o uso do protocolo IPsec ao nível da camada de rede. No entanto, e devido à imaturidade do protocolo e à complexidade que este período de transição comporta, existem inúmeras implicações de segurança que devem ser consideradas neste período de migração. O objetivo principal deste trabalho é definir um conjunto de boas práticas no âmbito da segurança na implementação do IPv6 que possa ser utilizado pelos administradores de redes de dados e pelas equipas de segurança dos diversos players no mercado. Nesta fase de transição, é de todo útil e conveniente contribuir de forma eficiente na interpretação dos pontos fortes deste novo protocolo assim como nas vulnerabilidades a ele associadas.IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition for IPv6 seems inevitable this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks