SOC Critical Path: A defensive Kill Chain model

[EN] Different kill chain models have been defined and analyzed to provide a common sequence of actions followed in offensive cyber operations. These models allow analysts to identify these operations and to understand how they are executed. However, there is a lack of an equivalent model from a defensive point of view: this is, there is no common sequence of actions for the detection of threats and their accurate response. This lack causes not only problems such as unstructured approaches and conceptual errors but, what is most important, inefficiency in the detection and response to threats, as defensive tactics are not well identified. For this reason, in this work we present a defensive kill chain approach where tactics for teams in charge of cyber defense activities are structured and arranged. We introduce the concept of SOC Critical Path (SCP), a novel kill chain model to detect and neutralize threats. SCP is a technology¿independent model that provides an arrangement of mandatory steps, in the form of tactics, to be executed by Computer Network Defense teams to detect hostile cyber operations. By adopting this novel model, these teams increase the performance and the effectiveness of their capabilities through a common framework that formalizes the steps to follow for the detection and neutralization of threats. In this way, our work can be used not only to identify detection and response gaps, but also to implement a continuous improvement cycle over time.Villalón-Huerta, A.; Marco-Gisbert, H.; Ripoll-Ripoll, I. (2022). SOC Critical Path: A defensive Kill Chain model. IEEE Access. 10:13570-13581. https://doi.org/10.1109/ACCESS.2022.314502913570135811

Cost-Benefit Analysis of a Hybrid Terrorist Attack on a Power Plant

Uurimustöö sihiks on võrrelda kahe erineva, ühtse eesmärgiga lähenemisviisi maksumust. Mõlema lähenemisviisi eesmärgiks on elektrijaama ohtu seadmine tegeliku kahju tekitamise teel (sh terve rajatise hävitamine või rajatise osade hävitamine, takistamaks pikaajalist energia tootmist, valikuliselt inimohvritega). Tuvastasime, et enamuses uurimustöödes ja meediaväljaannetes on peamine rõhuasetus üksnes elektrijaama häkkimisel, järeldades, et selline meetod ei saa kulukuse tõttu muutuda terroristide tavapäraseks tegutsemisviisiks (v.a juhtudel, kus antud tegevus on riigi poolt rahastatud). Tõime välja, et rünnaku füüsiline külg on sageli välja jäetud - seda nii rajatiste turvasüsteemide disainis kui ka ründevektorite analüüsis ja meie eluviisi ohustavate aspektide ennustamises. Meie peamiseks sõnumiks on analüüsida küber- ja füüsilisi osi kombineeritult - kaardistades võrgutopoloogiat ja analüüsides, kas kriitilistele osadele on lihtsam ligi pääseda füüsiliselt või võrguühenduse kaudu. Rünnakustsenaariumide modelleerimiseks kasutame ründepuudiagramme ja vaja minevate vahendite uurimiseks rakendame kulude ja tulude analüüsi (ainsaks erinevuseks on, et tulu on sama küber- ja hübriidstsenaariumide puhul). Meie peamiseks hüpoteesiks on, et hübriidne lähenemisviis - kombineerides küber- ja füüsilisi vahendeid elektrijaama ohtu seadmiseks - on odavam kui puhtalt küberrünnak.In our thesis we want to compare costs between two different approaches that have the same goal – compromise a power plant by creating a physical effect (whether destruction of the whole facility or some of its parts and by that disrupting the power supply operation for a long term, optionally causing human casualties). We saw that in most research papers and media publications main focus is on just hacking into the power plant stating that it is way too expensive to become a usual practice for terrorists, unless state funded. We point out that physical aspect is often omitted – both when designing security systems of a facil- ity and also when thinking about attack vectors and foreseeing threats to our way of living. Our main message is to think cyber and physical together – map logical topology to physi- cal and see if some critical parts are easier to access physically than via logical cyber hubs. For modelling attack scenarios we use attack tree diagrams and for analysing resources needed to achieve stated goal we use cost-benefit analysis (with the only difference – ben- efit is the same for both cyber and hybrid scenarios). Our main hypothesis states that hy- brid approach, combination of cyber and physical means to compromise the power plant, is cheaper than pure cyber

Threat Modelling and Analysis of Web Application Attacks

There has been a rapid growth in the use of the Internet over the years with billions of businesses using it as a means of communication. The World Wide Web has served as the major tool for disseminating information which has resulted into the development of an architecture used in information sharing between remotely connected clients. A web application is a computer program that operates on web technologies and browsers to carry out assignments over the Internet. In designing a secured web application, it is essential to assess and model the viable threats. Threat Modelling is a process used to improve on the application security by pointing out threats and vulnerabilities, outlining mitigation measures to prevent or eliminate the effect of threats in a system. With the constant increase in the number of attacks on web applications, it has become essential to constantly improve on the existing threat models to increase the level of security posture of web applications for proactiveness and strategic goals in operational and application security. In this thesis, three different threat models; STRIDE, Kill Chain and Attack Tree were simulated and analyzed for SQL injection and Cross Site Scripting attacks using the Microsoft SDL threat modelling tool, Trike modelling tool and SeaMonster modelling tool respectively. This study would be useful for future research in developing a new and more efficient threat model based on the existing ones, it would also help organizations determine which of the models used in this research is best suited for the business’ security framework. The objective of this thesis is to analyze the three commonly used models, examining the strengths and weaknesses discovered during the simulation and compare the performances

Analisis Insider Threat pada Sistem Keamanan Rumah Cerdas Menggunakan Malicious Traffic Monitoring

Ancaman serangan siber semakin banyak dan kompleks, berdasarkan catatan Badan Siber dan Sandi Negara (BSSN) bahwa di Indonesia pada tahun 2022 terdapat anomali trafik atau malicious traffic ratusan juta. Berdasarkan sumber ancaman maka dapat serangan siber dapat dikategorikan serangan siber yang bersumber dari internal (insider threat) dan serangan siber yang bersumber dari luar (outsider threat). Saat ini serangan siber tidak hanya dari luar atau outsider karena serangan siber dapat bersumber dari perangkat yang digunakan atau kebiasaan pengguna dalam mengakses internet. Untuk mendeteksi ancaman serangan siber pada ekosistem rumah cerdas menggunakan penelitian ini mengadopsi metode Network Development Life Cycle (NDLC). Berdasarkan hasil analisis pada ekosistem rumah memungkinkan diterapkan teknik port mirroring pada router. Sehingga pada perancangan mengggunakan Miktorik dan MalTrail sebagai sensor deteksi malicious traffic untuk mengetahui aktivitas anomali. Hasil dari penelitian ini menunjukan bahwa ancaman serangan siber yang bersumber dari internal dapat disebabkan dari kebiasaan pengguna dalam mengakses internet. Sedangkan perangkat cerdas yang terpasang dalam penelitian ini tidak ditemukan adanya malicious traffic atau aktivitas anomali. Maka penelitian ini masih perlu dilakukan improvisasi menggunakan teknik network packet capture

Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability

[ES] La presente tesis doctoral realiza un análisis en detalle de los elementos de decisión necesarios para mejorar la comprensión de la situación en ciberdefensa con especial énfasis en la percepción y comprensión del analista de un centro de operaciones de ciberseguridad (SOC). Se proponen dos arquitecturas diferentes basadas en el análisis forense de flujos de datos (NF3). La primera arquitectura emplea técnicas de Ensemble Machine Learning mientras que la segunda es una variante de Machine Learning de mayor complejidad algorítmica (lambda-NF3) que ofrece un marco de defensa de mayor robustez frente a ataques adversarios. Ambas propuestas buscan automatizar de forma efectiva la detección de malware y su posterior gestión de incidentes mostrando unos resultados satisfactorios en aproximar lo que se ha denominado un SOC de próxima generación y de computación cognitiva (NGC2SOC). La supervisión y monitorización de eventos para la protección de las redes informáticas de una organización debe ir acompañada de técnicas de visualización. En este caso, la tesis aborda la generación de representaciones tridimensionales basadas en métricas orientadas a la misión y procedimientos que usan un sistema experto basado en lógica difusa. Precisamente, el estado del arte muestra serias deficiencias a la hora de implementar soluciones de ciberdefensa que reflejen la relevancia de la misión, los recursos y cometidos de una organización para una decisión mejor informada. El trabajo de investigación proporciona finalmente dos áreas claves para mejorar la toma de decisiones en ciberdefensa: un marco sólido y completo de verificación y validación para evaluar parámetros de soluciones y la elaboración de un conjunto de datos sintéticos que referencian unívocamente las fases de un ciberataque con los estándares Cyber Kill Chain y MITRE ATT & CK.[CA] La present tesi doctoral realitza una anàlisi detalladament dels elements de decisió necessaris per a millorar la comprensió de la situació en ciberdefensa amb especial èmfasi en la percepció i comprensió de l'analista d'un centre d'operacions de ciberseguretat (SOC). Es proposen dues arquitectures diferents basades en l'anàlisi forense de fluxos de dades (NF3). La primera arquitectura empra tècniques de Ensemble Machine Learning mentre que la segona és una variant de Machine Learning de major complexitat algorítmica (lambda-NF3) que ofereix un marc de defensa de major robustesa enfront d'atacs adversaris. Totes dues propostes busquen automatitzar de manera efectiva la detecció de malware i la seua posterior gestió d'incidents mostrant uns resultats satisfactoris a aproximar el que s'ha denominat un SOC de pròxima generació i de computació cognitiva (NGC2SOC). La supervisió i monitoratge d'esdeveniments per a la protecció de les xarxes informàtiques d'una organització ha d'anar acompanyada de tècniques de visualització. En aquest cas, la tesi aborda la generació de representacions tridimensionals basades en mètriques orientades a la missió i procediments que usen un sistema expert basat en lògica difusa. Precisament, l'estat de l'art mostra serioses deficiències a l'hora d'implementar solucions de ciberdefensa que reflectisquen la rellevància de la missió, els recursos i comeses d'una organització per a una decisió més ben informada. El treball de recerca proporciona finalment dues àrees claus per a millorar la presa de decisions en ciberdefensa: un marc sòlid i complet de verificació i validació per a avaluar paràmetres de solucions i l'elaboració d'un conjunt de dades sintètiques que referencien unívocament les fases d'un ciberatac amb els estàndards Cyber Kill Chain i MITRE ATT & CK.[EN] This doctoral thesis performs a detailed analysis of the decision elements necessary to improve the cyber defence situation awareness with a special emphasis on the perception and understanding of the analyst of a cybersecurity operations center (SOC). Two different architectures based on the network flow forensics of data streams (NF3) are proposed. The first architecture uses Ensemble Machine Learning techniques while the second is a variant of Machine Learning with greater algorithmic complexity (lambda-NF3) that offers a more robust defense framework against adversarial attacks. Both proposals seek to effectively automate the detection of malware and its subsequent incident management, showing satisfactory results in approximating what has been called a next generation cognitive computing SOC (NGC2SOC). The supervision and monitoring of events for the protection of an organisation's computer networks must be accompanied by visualisation techniques. In this case, the thesis addresses the representation of three-dimensional pictures based on mission oriented metrics and procedures that use an expert system based on fuzzy logic. Precisely, the state-of-the-art evidences serious deficiencies when it comes to implementing cyber defence solutions that consider the relevance of the mission, resources and tasks of an organisation for a better-informed decision. The research work finally provides two key areas to improve decision-making in cyber defence: a solid and complete verification and validation framework to evaluate solution parameters and the development of a synthetic dataset that univocally references the phases of a cyber-attack with the Cyber Kill Chain and MITRE ATT & CK standards.Llopis Sánchez, S. (2023). Decision Support Elements and Enabling Techniques to Achieve a Cyber Defence Situational Awareness Capability [Tesis doctoral]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/19424

A Bayesian-Network-Based Framework for Risk Analysis and Decision Making in Cybersecurity

PhD ThesesMany approaches have been proposed to define, measure and manage cybersecurity risk. A common theme underpinning Cybersecurity Risk Assessment (CRA) involves modelling relationships between risk factors and the use of statistical and probabilistic inference to calculate risk. This thesis focuses on the use of Bayesian Networks (BNs) for this dual purpose. The application of BNs to CRA was a nontrivial task while with the computational efficiency and flexibility of BN algorithms has improved such that they can now be widely applied to solve a variety of CRA problems. One such advance is in Hybrid Bayesian Networks (HBNs) to support inference in models containing discrete and continuous variables. HBNs are now routinely used for prediction and diagnostic inference tasks and have been extended, in the form of Influence Diagrams (IDs), to support decision making tasks. This thesis proposes an HBN based CRA framework for comprehensive cybersecurity causal risk analysis and probabilistic calculation. We introduce causal risk analysis into cybersecurity problems and use a kill chain model to illustrate how causal analysis can guide the cybersecurity risk modelling. The proposed framework is flexible and extensible in a way that it can incorporate other CRA models built using BNs. We illustrate this by showing how the framework can incorporate risk analysis models of both organizational and technical perspectives. For organizational risk analysis, where the focus is on defending information assets/systems of organizations in an economically efficient way, the thesis shows how BNs can be used for modelling causal/probabilistic relationship between involved variables and conducting risk assessment. For technical risk analysis, which is motived by the perspective of cybersecurity analysts, it argues that IDs can be used to model the game between the defender and the attacker in a cybersecurity problem, calculate risks and support designing optimal cyber defenses dynamically

Computational intelligence-enabled cybersecurity for the Internet of Things

The computational intelligence (CI) based technologies play key roles in campaigning cybersecurity challenges in complex systems such as the Internet of Things (IoT), cyber-physical-systems (CPS), etc. The current IoT is facing increasingly security issues, such as vulnerabilities of IoT systems, malware detection, data security concerns, personal and public physical safety risk, privacy issues, data storage management following the exponential growth of IoT devices. This work aims at investigating the applicability of computational intelligence techniques in cybersecurity for IoT, including CI-enabled cybersecurity and privacy solutions, cyber defense technologies, intrusion detection techniques, and data security in IoT. This paper also attempts to provide new research directions and trends for the increasingly IoT security issues using computational intelligence technologies

Cyber Security of Critical Infrastructures

Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As Critical National Infrastructures are becoming more vulnerable to cyber-attacks, their protection becomes a significant issue for organizations as well as nations. The risks to continued operations, from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes, are considered highly significant, given the demonstrable impact of such circumstances. Due to the rapid increase of sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cybersecurity of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioural aspects is essential to handle cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In this book, both research and practical aspects of cyber security considerations in critical infrastructures are presented. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry have contributed 13 chapters. The issues that are discussed and analysed include cybersecurity training, maturity assessment frameworks, malware analysis techniques, ransomware attacks, security solutions for industrial control systems, and privacy preservation methods

Advanced persistent threats detection based on deep learning approach.

Advanced Persistent Threats (APTs) have been a major challenge in securing both Information Technology (IT) and Operational Technology (OT) systems. APT is a sophisticated attack that masquerade their actions to navigates around defenses, breach networks, often, over multiple network hosts and evades detection. It also uses "low-and-slow" approach over a long period of time. Resource availability, integrity, and confidentiality of the operational cyber-physical systems (CPS) state and control is highly impacted by the safety and security measures in place. A framework multi-stage detection approach termed "APTDASAC" to detect different tactics, techniques, and procedures (TTPs) used during various APT steps is proposed. Implementation was carried out in three stages: (i) Data input and probing layer - this involves data gathering and preprocessing, (ii) Data analysis layer; applies the core process of "APTDASAC" to learn the behaviour of attack steps from the sequence data, correlate and link the related output and, (iii) Decision layer; the ensemble probability approach is utilized to integrate the output and make attack prediction. The framework was validated with three different datasets and three case studies. The proposed approach achieved a significant attacks detection capability of 86.36% with loss as 0.32%, demonstrating that attack detection techniques applied that performed well in one domain may not yield the same good result in another domain. This suggests that robustness and resilience of operational systems state to withstand attack and maintain system performance are regulated by the safety and security measures in place, which is specific to the system in question