21 research outputs found

    Assessment of cyber threats discovered by OSINT

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2022

    Despite the high maturity levels of CTI (Cyber Threat Intelligence) tools, techniques, procedures and frameworks, there are still gaps that must be considered and addressed. More than 50% of the world's population is now online and growing, as the COVID-19 pandemic is pushing the large-scale adoption of technology in the most diverse areas. This context, aligned with emerging technologies (e.g. cloud computing, IoT, 5G), is enabling, allowing, and amplifying more complex and faster cyber-attacks. "Security by design" is not yet the main principle, as products need to be quickly deployed into the market, delivering vulnerable targets into the Internet ecosystem. It is estimated that cybercrime inflicted damages of 6 billion USD in 2021, growing 15% per year, positioning it as the world's third-largest economy and reaching 10.5 billion USD in 2025 [1]. Cyberattacks on critical infrastructures were considered the fifth top risk in 2020, as structural industries and sectors are juicy targets. On the other hand, the likelihood of detection and prosecution is estimated to be 0.05% in the USA [2]. To fight this threat and reduce the risk, it is essential that CTI parties join forces to improve coordination and cooperation, to reduce the time between the generation of CTI and its dissemination, and to achieve a balance between in-time dissemination and high-quality CTI. The quality of CTI is a huge barrier: most platforms ingest data from paid feeds and OSINT sources, gathering, filtering, analyzing, and aggregating it, usually with little or no data-quality assessment. This increases the pressure on cyber-security analysts, who deal with plenty of generated alerts. IoCs (Indicators of Compromise) must go through an assessment process and be scored, so that CTI consumers can decide and adjust their measures accordingly.
    According to the ENISA 2020 CTI survey [3], only 4% of CTI users can implement processes to measure CTI efficiency. This dissertation presents an overview of the existing CTI methodologies and technologies, proposing one solution to be adopted and integrated into CTI tools to assess, qualify, score and advise cyber-security analysts.

    Assessing the evidential value of artefacts recovered from the cloud

    Cloud computing offers users low-cost access to computing resources that are scalable and flexible. However, it is not without its challenges, especially in relation to security. Cloud resources can be leveraged for criminal activities, and the architecture of the ecosystem makes digital investigation difficult in terms of evidence identification, acquisition and examination. However, these same resources can be leveraged for the purposes of digital forensics, providing facilities for evidence acquisition, analysis and storage. Alternatively, existing forensic capabilities can be used in the Cloud as a step towards achieving forensic readiness. Tools can be added to the Cloud which can recover artefacts of evidential value. This research investigates whether artefacts that have been recovered from the Xen Cloud Platform (XCP) using existing tools have evidential value. To determine this, the research is broken into three distinct areas: adding existing tools to a Cloud ecosystem, recovering artefacts from that system using those tools, and then determining the evidential value of the recovered artefacts. From these experiments, three key steps for adding existing tools to the Cloud were determined: the identification of the specific Cloud technology being used, identification of existing tools, and the building of a testbed. Stemming from this, three key components of artefact recovery are identified: the user, the audit log and the Virtual Machine (VM), along with two methodologies for artefact recovery in XCP. In terms of evidential value, this research proposes a set of criteria for the evaluation of digital evidence, stating that it should be authentic, accurate, reliable and complete. In conclusion, this research demonstrates the use of these criteria in the context of digital investigations in the Cloud and how each is met. This research shows that it is possible to recover artefacts of evidential value from XCP.

    Security Control and Remediation Activities in Enterprise Environment

    The aim of this thesis was to describe security management and the control mechanisms used in the corporate environment. The thesis provides a theoretical description of the standards used for application security, and then describes tools for gathering information about the corporate environment that can be used to uncover security vulnerabilities or to remediate them. It also describes the processes companies should follow to minimize the possibility of impact on production and to guarantee the lasting security of the environment. Checks of the results achieved when using new technologies, and their financial and time benefits, are also presented.

    The goal of this thesis is to describe the security control and remediation activities which are used in the corporate environment. The thesis deals with the theoretical insight into the standards used for application security, and describes tools used for gathering information about the enterprise environment, which might be used to reveal safety vulnerabilities or for their remediation. Processes which should be followed by companies to minimize the impact on production and to ensure the environment's safety are described as well. Also mentioned is the verification of the data gained by new technical approaches and their financial and time-related benefits.

    Systematic support for accountability in the cloud

    PhD thesis

    Cloud computing offers computational resources such as processing, networking, and storage to customers. Infrastructure as a Service (IaaS) consists of a cloud-based infrastructure that offers consumers raw computation resources such as storage and networking. These resources are billed using a pay-per-use cost model. However, IaaS is far from being a secure cloud infrastructure, as the seven main security threats defined by the Cloud Security Alliance (CSA) indicate. Use of logging systems can provide evidence to support accountability for an IaaS cloud, and accountability helps when mitigating known threats. However, previous accountability solutions based on logging systems have been provided without systematic approaches. These solutions are usually either for the cloud customer side or for the cloud provider side, not for both of them. Moreover, the solutions also lack descriptions of logging systems in the context of a design pattern of the systems' components. Such a design pattern facilitates analysis of logging systems in terms of their quality. Additionally, there are a number of benefits of this pattern: it promotes the reusability of the design and development of logging systems; designers can access the pattern more easily; it assists a designer in adopting design approaches which make a logging system reusable rather than approaches which do not concern reusability concepts; and it enhances the documentation and maintenance of existing logging systems. Thus, the aim of this thesis is to provide support for accountability in the cloud with systematic approaches to assist in mitigating the risks associated with real-world CSA threats, to benefit both customers and providers. We research the extent to which such logging systems help us to mitigate risks associated with the threats identified by the CSA.
    The thesis also presents a way of identifying the reference components of logging systems and how they may be arranged to satisfy logging requirements. 'Generic logging components' for logging systems are proposed. These components encompass all possible instantiations of logging solutions for IaaS cloud. The generic logging components can be used to map existing logging systems for the purposes of analysis of the systems' security. Based on the generic components, the thesis identifies design patterns in the context of logging in IaaS cloud. We believe that these identified patterns facilitate analysis of logging systems in terms of their quality. We also argue that these identified patterns could increase reusability of the design and development of logging systems; that designers should be able to access these patterns more easily; that the patterns could assist a designer in adopting design approaches which make a logging system reusable rather than approaches which do not concern reusability concepts; and that they can enhance the documentation and maintenance of existing logging systems. We identify a logging solution which is based on the generic logging components to mitigate the risks associated with CSA threat number one. An example of the threat is malicious activities, for example spamming, which are performed in consumers' virtual machines or VMs. We argue that the generic logging components we suggest could be used to perform a systematic analysis of logging systems in terms of security before deploying them in production systems. To assist in mitigating the risks associated with this threat to benefit both customers and providers, we investigate how CSA threat number one can affect the security of both consumers and providers. Then we propose logging solutions based on the generic logging components and the identified patterns. We systematically design and implement a prototype system of the proposed logging solutions in an IaaS to record the history of customers' files.
    This prototype system can also be modified in order to record VMs' process behaviour log files. This system can record the log files while having a smaller trusted computing base compared to previous work. Additionally, the system can be seen as a possible solution to the difficult problem of logging file and process activities in the IaaS. Thus, the proposed logging solutions can assist in mitigating the risks associated with the CSA threats to benefit both consumers and providers. This could promote systematic support for accountability in the cloud.

    Towards non-intrusive software introspection and beyond

    Continuous verification and security analysis of software systems are of paramount importance to many organizations. The state of the art for such operations implements agent-based approaches to inspect the provisioned software stack for security and compliance issues. However, this approach, which runs agents on the systems being analyzed, is vulnerable to some attacks, can incur substantial performance impact, and can introduce significant complexity. In this paper, we present the design and prototype implementation of a general-purpose approach for Non-intrusive Software Introspection (NSI). By adhering to NSI, organizations hosting in the cloud can also control the software introspection workflow with reduced trust in the provider. Experimental analysis of real-world applications demonstrates that NSI presents a lightweight and scalable approach, and has a negligible impact on the performance of applications running on the instance being introspected.

    Accepted manuscript.

    External servers security

    Romero Barrero, D. (2010). External servers security. http://hdl.handle.net/10251/9111.

    Delegated archive.

    Security challenges with virtualization

    Master's thesis, Information Security, Universidade de Lisboa, Faculdade de Ciências, 2009

    Virtualization is a buzzword in the world of information technology. With the promise of curbing the constant growth of IT infrastructure inside a data center, combined with other important aspects such as availability and scalability, virtualization technologies have been gaining popularity, not only among IT professionals but also among administrators and directors. However, the increasing adoption of this technology exposes systems to new security concerns that are usually neglected. This thesis presents the state of the art of the currently most used server virtualization solutions, together with a literature study of the various security problems of virtualization technologies. These problems are not product-specific and are addressed in the scope of virtualization technologies in general. Nevertheless, this thesis also carries out a vulnerability analysis of two of the best-known virtualization solutions: VMware ESX and Xen. Finally, some solutions for improving the security of online banking and e-commerce access using virtualization are described.

    Virtualization is a buzzword in the IT world. With the promise of reducing the ever-growing infrastructure inside data centers, allied to other important concerns such as availability and scalability, virtualization technology has been gaining popularity not only with IT professionals but also among administrators and directors. The increasingly rising rate of adoption of this technology has exposed these systems to new security concerns which in recent history have been ignored or simply overlooked.
    This thesis presents an in-depth state-of-the-art look at the currently most used server virtualization solutions, as well as a literature study on various security issues found within this virtualization technology. These issues apply to all the current virtualization technologies available, without focusing on a specific solution. However, we do a vulnerability analysis of two of the best-known virtualization solutions: VMware ESX and Xen. Finally, we describe some solutions on how to improve the security of online banking and e-commerce using virtualization.

    Configuration Management of Distributed Systems over Unreliable and Hostile Networks

    Economic incentives of large criminal profits and the threat of legal consequences have pushed criminals to continuously improve their malware, especially command and control channels. This thesis applied concepts from successful malware command and control to explore the survivability and resilience of benign configuration management systems. This work expands on existing stage models of the malware life cycle to contribute a new model for identifying malware concepts applicable to benign configuration management. The Hidden Master architecture is a contribution to master-agent network communication. In the Hidden Master architecture, communication between master and agent is asynchronous and can operate through intermediate nodes. This protects the master secret key, which gives full control of all computers participating in configuration management. Multiple improvements to idempotent configuration were proposed, including the definition of the minimal base resource dependency model, simplified resource revalidation and the use of an imperative general-purpose language for defining idempotent configuration. Following the constructive research approach, the improvements to configuration management were designed into two prototypes. This allowed validation in laboratory testing, in two case studies and in expert interviews. In laboratory testing, the Hidden Master prototype was more resilient than leading configuration management tools in high-load and low-memory conditions, and against packet loss and corruption. Only the research prototype was adaptable to a network without a stable topology, due to the asynchronous nature of the Hidden Master architecture. The main case study used the research prototype in a complex environment to deploy a multi-room, authenticated audiovisual system for a client of an organization deploying the configuration.
    The case studies indicated that an imperative general-purpose language can be used for idempotent configuration in real life, for defining new configurations in unexpected situations using the base resources and abstracting those using standard language features, and that such a system seems easy to learn. Potential business benefits were identified and evaluated using individual semi-structured expert interviews. Respondents agreed that the models and the Hidden Master architecture could reduce costs and risks, improve developer productivity and allow faster time-to-market. Protection of master secret keys and the reduced need for incident response were seen as key drivers for improved security. Low-cost geographic scaling and leveraging the file-serving capabilities of commodity servers were seen to improve scaling and resiliency. Respondents identified jurisdictional legal limitations on encryption and requirements for cloud operator auditing as factors potentially limiting the full use of some concepts.

    Augmenting Zero Trust Architecture to endpoints using Distributed Ledger Technologies and Blockchain

    With the increasing adoption of cloud computing and remote working, traditional perimeter-based security models are no longer sufficient to protect organizations' digital assets. The need for a more robust security framework led to the emergence of Zero Trust Architecture (ZTA), which challenges the notion of inherent trust and emphasizes the importance of verifying endpoints, users, and applications. However, within ZTA, the already authenticated and authorized communication channel on an endpoint poses a critical vulnerability, making it the Achilles' heel of the architecture [1]. Once compromised, even with valid credentials and authorized access, an endpoint can become a gateway for attackers to move laterally and access sensitive resources. Addressing the vulnerability of endpoints within ZTA is crucial to bolstering overall security. By mitigating the risks associated with compromised endpoints, organizations can prevent unauthorized access, privilege escalation, and potential data breaches. Traditional security measures, such as firewalls, antivirus technologies, and Intrusion Detection and Prevention Systems (IDS/IPS), have become less effective in the face of evolving threats and complex network infrastructures. Perimeter-based security models are gradually being replaced by ZTA, which focuses on identity-based perimeters and continuous verification. To enhance endpoint security within ZTA, this research introduces the Blockchain-enabled Intrusion Detection and Prevention System (BIDPS). By integrating blockchain technology, the BIDPS aims to detect and prevent attacker techniques at an early stage, before lateral movement occurs. Furthermore, the BIDPS shifts trust from compromised endpoints to the immutable and transparent nature of the blockchain, creating an explicit system of trust. Through a systematic design and development methodology, a prototype of the BIDPS was created.
    Extensive testing against various Advanced Persistent Threat (APT) attacks demonstrated the system's high success rate in defending against such attacks. Additionally, novel strategies and performance-enhancing mechanisms were implemented to improve the effectiveness and efficiency of the BIDPS [2]. The BIDPS was evaluated through a combination of observational analysis and A/B testing methodologies. The evaluation confirmed the BIDPS's effectiveness in detecting and preventing malicious activities, as well as its improved performance compared to traditional security measures. The research outcomes validate the viability of the BIDPS as a solution to enhance endpoint security within ZTA. In conclusion, the integration of blockchain technology into ZTA, as exemplified by the BIDPS, offers a promising approach to mitigate the vulnerability of endpoints and reinforce the security of modern IT environments.