Current Trends in Small Unmanned Aircraft Systems: Implications for U.S. Special Operations Forces

This paper assesses current trends in small unmanned aircraft systems (sUAS) technology and its applications to the Special Operations Forces (SOF) community. Of critical concern to SOF is that commercial-off-the-shelf (COTS) sUAS technologies are relatively inexpensive, improving at a dramatic rate, and widely available throughout the world. Insurgents, terrorists, violent extremist organizations (VEOs) and other nefarious actors have used COTS sUAS to conduct offensive attacks as well as to develop battlefield situation awareness; these technological improvements combined with their widespread availability will require enhanced and rapidly adaptive counter-sUAS measures in the future. To understand the most current trends in the unmanned aircraft systems (UAS) technology and their applicability to SOF, this paper analyzes the definition and classification of sUAS, their major applications, and characteristics. In the military context, UAS are principally used for intelligence, surveillance, and reconnaissance (ISR), border security, counterinsurgency, attack and strike, target identification and designation, communications relay, electronic attack, remote sensing, and aerial mapping. As technology improves, smaller versions of sUAS will be used by both friendly operators and maligned actors (insurgents, terrorists, VEOs, nation states) as force multipliers for military operations. As armed forces around the world continue to invest in research and development of sUAS technologies, there will be tremendous potential to revolutionize warfare, particularly in context of special operations. Consequently, the use of sUAS technology by SOF is likely to escalate over the next decade, as is the likelihood of sUAS countermeasures due to the availability of the technology within nefarious organizations

INTEGRATION OF INTELLIGENCE TECHNIQUES ON THE EXECUTION OF PENETRATION TESTS (iPENTEST)

Penetration Tests (Pentests) identify potential vulnerabilities in the security of computer systems via security assessment. However, it should also benefit from widely recognized methodologies and recommendations within this field, as the Penetration Testing Execution Standard (PTES). The objective of this research is to explore PTES, particularly the three initial phases: 1. Pre-Engagement Interactions; 2. Intelligence Gathering; 3. Threat Modeling; and ultimately to apply Intelligence techniques to the Threat Modeling phase. To achieve this, we will use open-source and/or commercial tools to structure a process to clarify how the results were reached using the research inductive methodology. The following steps were implemented: i) critical review of the “Penetration Testing Execution Standard (PTES)”; ii) critical review of Intelligence Production Process; iii) specification and classification of contexts in which Intelligence could be applied; iv) definition of a methodology to apply Intelligence Techniques to the specified contexts; v) application and evaluation of the proposed methodology to real case study as proof of concept. This research has the ambition to develop a model grounded on Intelligence techniques to be applied on PTES Threat Modeling phase

Data-driven framework and experimental validation for security monitoring of networked systems

Cyber attacks have become more prevalent in the last few years, and several attacks have made headlines worldwide. It has become a lucrative business for cybercriminals who are motivated by financial gains. Other motives include political, social and espionage. Organisations are spending a vast amount of money from their IT budget to secure their critical assets from such attacks, but attackers still find ways to compromise these assets. According to a recent data breach report from IBM, the cost of a data breach is estimated to be around $4.24 million, and on average, it takes 287 days to detect and contain such breaches. Cyber attacks are continuing to increase, and no organisation is immune to such attacks, as demonstrated recently by the cyber attack on FireEye, a leading global cybersecurity firm. This thesis aims to develop a data-driven framework for the security monitoring of networked systems. In this framework, models for detecting cyberattack stages, predicting cyber attacks using time series forecasting and the IoC model were developed to detect attacks that the security monitoring tools may have missed. In the cyberattack stage detection, the Cyber Kill Chain was leveraged and then mapped the detection modules to the various stages of the APT lifecycle. In the cyber prediction model, time series based feature forecasting was utilised to predict attacks to help system administrators take preventative measures. The Indicator of Compromise (IoC) model used host-based features to help detect IoCs more accurately. The main framework utilises network, host and IoC features. In these three models, the prediction accuracy of 91.1% and 98.8% was achieved for the APT and IoC models, while the time series forecasting model produced a reasonable low mean absolute error (MAE) and root mean square error (RMSE) score. The author also contributed to another paper on effective feature selection methods using deep feature abstraction in the form of unsupervised auto-encoders to extract more features. Wrapper-based feature selection techniques were then utilised using Support Vector Machine (SVM), Naive Bayes and Decision tree to select the highest-ranking features. Artificial Neural Networks (ANN) classifier was then used to distinguish impersonation from normal traffic. The contribution of the author to this paper was on the feature selection methods. This model achieved an overall accuracy of 99.5%. It is anticipated that these models will allow decision-makers and systems administrators to take proactive approaches to secure their systems and reduce data breaches

Development and Validation of a Proof-of-Concept Prototype for Analytics-based Malicious Cybersecurity Insider Threat in a Real-Time Identification System

Insider threat has continued to be one of the most difficult cybersecurity threat vectors detectable by contemporary technologies. Most organizations apply standard technology-based practices to detect unusual network activity. While there have been significant advances in intrusion detection systems (IDS) as well as security incident and event management solutions (SIEM), these technologies fail to take into consideration the human aspects of personality and emotion in computer use and network activity, since insider threats are human-initiated. External influencers impact how an end-user interacts with both colleagues and organizational resources. Taking into consideration external influencers, such as personality, changes in organizational polices and structure, along with unusual technical activity analysis, would be an improvement over contemporary detection tools used for identifying at-risk employees. This would allow upper management or other organizational units to intervene before a malicious cybersecurity insider threat event occurs, or mitigate it quickly, once initiated. The main goal of this research study was to design, develop, and validate a proof-of-concept prototype for a malicious cybersecurity insider threat alerting system that will assist in the rapid detection and prediction of human-centric precursors to malicious cybersecurity insider threat activity. Disgruntled employees or end-users wishing to cause harm to the organization may do so by abusing the trust given to them in their access to available network and organizational resources. Reports on malicious insider threat actions indicated that insider threat attacks make up roughly 23% of all cybercrime incidents, resulting in $2.9 trillion in employee fraud losses globally. The damage and negative impact that insider threats cause was reported to be higher than that of outsider or other types of cybercrime incidents. Consequently, this study utilized weighted indicators to measure and correlate simulated user activity to possible precursors to malicious cybersecurity insider threat attacks. This study consisted of a mixed method approach utilizing an expert panel, developmental research, and quantitative data analysis using the developed tool on simulated data set. To assure validity and reliability of the indicators, a panel of subject matter experts (SMEs) reviewed the indicators and indicator categorizations that were collected from prior literature following the Delphi technique. The SMEs’ responses were incorporated into the development of a proof-of-concept prototype. Once the proof-of-concept prototype was completed and fully tested, an empirical simulation research study was conducted utilizing simulated user activity within a 16-month time frame. The results of the empirical simulation study were analyzed and presented. Recommendations resulting from the study also be provided

Cyber-Physical Threat Intelligence for Critical Infrastructures Security

Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

Cyber-Physical Threat Intelligence for Critical Infrastructures Security

Modern critical infrastructures can be considered as large scale Cyber Physical Systems (CPS). Therefore, when designing, implementing, and operating systems for Critical Infrastructure Protection (CIP), the boundaries between physical security and cybersecurity are blurred. Emerging systems for Critical Infrastructures Security and Protection must therefore consider integrated approaches that emphasize the interplay between cybersecurity and physical security techniques. Hence, there is a need for a new type of integrated security intelligence i.e., Cyber-Physical Threat Intelligence (CPTI). This book presents novel solutions for integrated Cyber-Physical Threat Intelligence for infrastructures in various sectors, such as Industrial Sites and Plants, Air Transport, Gas, Healthcare, and Finance. The solutions rely on novel methods and technologies, such as integrated modelling for cyber-physical systems, novel reliance indicators, and data driven approaches including BigData analytics and Artificial Intelligence (AI). Some of the presented approaches are sector agnostic i.e., applicable to different sectors with a fair customization effort. Nevertheless, the book presents also peculiar challenges of specific sectors and how they can be addressed. The presented solutions consider the European policy context for Security, Cyber security, and Critical Infrastructure protection, as laid out by the European Commission (EC) to support its Member States to protect and ensure the resilience of their critical infrastructures. Most of the co-authors and contributors are from European Research and Technology Organizations, as well as from European Critical Infrastructure Operators. Hence, the presented solutions respect the European approach to CIP, as reflected in the pillars of the European policy framework. The latter includes for example the Directive on security of network and information systems (NIS Directive), the Directive on protecting European Critical Infrastructures, the General Data Protection Regulation (GDPR), and the Cybersecurity Act Regulation. The sector specific solutions that are described in the book have been developed and validated in the scope of several European Commission (EC) co-funded projects on Critical Infrastructure Protection (CIP), which focus on the listed sectors. Overall, the book illustrates a rich set of systems, technologies, and applications that critical infrastructure operators could consult to shape their future strategies. It also provides a catalogue of CPTI case studies in different sectors, which could be useful for security consultants and practitioners as well

Development of a Cybersecurity Skills Index: A Scenarios-Based, Hands-On Measure of Non-IT Professionals\u27 Cybersecurity Skills

Completing activities online are a part of everyday life, both professionally and personally. But, conducting daily operations, interacting, and sharing information on the Internet does not come without its risks as well as a potential for harm. Substantial financial and information losses for individuals, organizations, and governments are reported regularly due to vulnerabilities as well as breaches caused by insiders. Although advances in Information Technology (IT) have been significant over the past several decades when it comes to protection of corporate information systems (IS), human errors and social engineering appear to prevail in circumventing such IT protections. While most employees may have the best of intentions, without cybersecurity skills they represent the weakest link in an organization’s IS security. Skills are defined as the combination of knowledge, experience, and ability to do something well. Cybersecurity skills correspond to the skills surrounding the hardware and software required to execute IS security to mitigate cyber-attacks. The main goal of this research study was to develop a scenarios-based, hands-on measure of non-IT professionals’ cybersecurity skills. As opposed to IT professionals, end-users are one of the weakest links in the cybersecurity chain, due to their limited cybersecurity skills. Historically, non-IT professionals (i.e., office assistants, managers, executives) have access to sensitive data and represent 72% to 95% of cybersecurity threats to organizations. This study addressed the problem of threats to organizational IS due to vulnerabilities and breaches caused by employees. Current measures of cybersecurity skills of non-IT professionals are based on self-reported surveys and were found inaccurate. Prior IS and medical research found participants view scenarios as nonintrusive and unintimidating. Therefore, this research study utilized scenarios with observable hands-on tasks to measure and quantify cybersecurity skills of non-IT professionals. This study included developmental research with a sequential-exploratory approach to combine qualitative and quantitative data collection. To ensure validity and reliability of the Cybersecurity Skills Index (CSI), a panel of 18 subject matter experts (SMEs) reviewed the CSI following the Delphi expert methodology. The SMEs’ responses were incorporated into the development of an iPad application (app) prototype (MyCyberSkills™). Following the iPad app prototype development, eight SMEs provided feedback on the scenarios, tasks, and scoring of the app using the Delphi technique. Furthermore, pilot testing of the app was conducted by manually collecting and scoring the hands-on task performance of a group of 21 non-IT professionals. The manually collected data were compared to the app computed results to ensure reliability and validity. All revisions were incorporated into the prototype prior to the start of the empirical research phase. Once the iPad app prototype was completed and fully tested, the quantitative research phase used the prototype to collect data and document the results of the measure. Participants from multiple public organizations were asked to complete the scenarios-based, hands-on tasks as presented in the prototype. Following the pre-analysis data screening, this study used a combination of descriptive statistics and one-way analysis of variance (ANOVA) to address the research questions. Results from 188 participants indicate that educational level and experience using technology appear to be significant demographic variables when it comes to the level of cybersecurity skills demonstrated by non-IT professionals. Moreover, job function, hours accessing the Internet, or primary online activity did not appear to be significant variables when it comes to the level of cybersecurity skills of this population. This research validated that the CSI benchmarking index could be used to assess an individual’s cybersecurity skills level. As organizations continue to rely on the Internet for conducting their daily operations, understanding an employee’s cybersecurity skills level is critical to securing an organization’s IS. Moreover, the CSI operationalized into the MyCyberSkills™ iPad app prototype can be used to assess an organization’s employee’s demonstrated skills on cybersecurity tasks. Furthermore, assessing the cybersecurity skills levels of employees could provide an organization insight into what is needed to further mitigate threats due to vulnerabilities and breaches caused by employees. Discussions and implications for future research are provided

Cyber Threats and NATO 2030: Horizon Scanning and Analysis

The book includes 13 chapters that look ahead to how NATO can best address the cyber threats, as well as opportunities and challenges from emerging and disruptive technologies in the cyber domain over the next decade. The present volume addresses these conceptual and practical requirements and contributes constructively to the NATO 2030 discussions. The book is arranged in five short parts...All the chapters in this book have undergone double-blind peer review by at least two external experts.https://scholarworks.wm.edu/asbook/1038/thumbnail.jp

The entangled cyberspace: an integrated approach for predicting cyber-attacks

This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University LondonSignificant studies in cyber defence analysis have predominantly revolved around a single linear analysis of information from a single source of evidence (The Network). These studies were limited in their ability to understand the dynamics of entanglements related to cyber-incidents. This research integrates evidence beyond the network in an attempt to understand and predict phases of the kill-chain across the information space. This research provides a multi-dimensional phased analysis of the traditional kill-chain model using structural vector autoregressive models. In the ‘Entangled Cyberspace Framework’, each phase of the kill-chain corresponds to a single dimension of the information space based on time observations of certain events. Events are represented as time signals, where each phase is characterised by multiple time signals representing multiple events on that phase. Multiple time signals are analysed using structural models for multiple time series analysis (Vector Auto-Regressive models). At each phase of the kill-chain, we perform a lagged co-integration analysis of events across the information space. This nature of analysis detects hidden entanglements that characterise events in the kill-chain beyond the network. The measured prediction accuracy and error measured at each stage of the experiment represents the usefulness of selected events in characterising the defined stage of the kill-chain. The entangled cyberspace, in theory, is the fusion of three conceptual foundations: a) A multi-dimensional characterisation of cyberspace, b) A sequential phased model for perpetrating cyber-attacks and c) A structural model for integrating and simultaneously analysing multiple sources of evidence. It starts with the characterisation of the information space into different dimensions of interest. The framework goes further to identify evidence sources across these characterised dimensions and integrates them in the analytical context under consideration (e.g. Malware Injection). The concrete findings show that our approach and analytical methodology are capable of detecting entanglements when applied to a set of entangled activities across the information space. The findings also prove that activities beyond the network have significant effects on the nature of the unfolding cyber-attack vector. The predictive features of events across the kill-chain were also presented in this research as opinion and emotion drivers on the social dimension, packet data details and social and cultural events on the economic layer. Finally, co-integration detected between events across and within dimensions of the information space proves the existence of both inter-dimensional and intra-dimensional entanglements that affect the nature of events unfolding during the kill-chain (from the adversary’s point of view). The novelty of this research rests in the ability to hop across the information space for detecting evidential clues of activities that are related-to cyber-incidents. This research also expands the standard multi-dimensional information space to include SPEC factors as indicators of cyber-incidents. This research improves the current information security management model, specifically in the monitoring, analysis and detection phases. This research provides a methodology that accommodates a robust evidence base for understanding the attack surface. Practically, this research provides a basis for creating applications and tools for protecting critical national infrastructure by integrating data from social platforms, real-world political, cultural and economic events and the cyber-physical