1,854 research outputs found


    The need for advanced cyber security measures and strategies is attributed to the modern sophistication of cyber-attacks and the intense media attention that follows attacks and breaches. In May 2014, a congressional report suggested that Americans used approximately 500 million Internet-capable devices at home, including, but not limited to, smartphones, tablets, and other Internet-connected devices, which run various unimpeded applications. Owing to this high level of connectivity, the home environment is not immune to the cyber-attack paradigm; rather, the home has become one of the markets most influenced by the Internet of Things, with extensive attack surfaces, attack vectors, and unanswered security concerns. The aim of the present research was therefore to investigate behavioral heuristics of the Internet of Things by adopting an exploratory multiple case study approach. A controlled Internet of Things ecosystem was constructed, consisting of real-life data observed during a typical life cycle of initial configuration and average use. The information obtained during the course of this study involved the systematic acquisition and analysis of Smart Home ecosystem link-layer protocol data units (PDUs). The methodology involved a recursive multiple case study evaluation of the Smart Home ecosystem data-link layer PDUs and aligned the case studies to the existing Intrusion Kill Chain design model. The proposed solution emerging from the case studies builds the appropriate data collection template while concurrently developing a Security as a Service (SECaaS) capability to evaluate the collected results.

    SOC Critical Path: A defensive Kill Chain model

    Different kill chain models have been defined and analyzed to provide a common sequence of actions followed in offensive cyber operations. These models allow analysts to identify these operations and to understand how they are executed. However, there is no equivalent model from a defensive point of view: that is, there is no common sequence of actions for the detection of threats and the accurate response to them. This gap causes not only problems such as unstructured approaches and conceptual errors but, most importantly, inefficiency in the detection of and response to threats, as defensive tactics are not well identified. For this reason, in this work we present a defensive kill chain approach in which the tactics for teams in charge of cyber defense activities are structured and arranged. We introduce the concept of SOC Critical Path (SCP), a novel kill chain model to detect and neutralize threats. SCP is a technology-independent model that provides an arrangement of mandatory steps, in the form of tactics, to be executed by Computer Network Defense teams to detect hostile cyber operations. By adopting this model, these teams increase the performance and effectiveness of their capabilities through a common framework that formalizes the steps to follow for the detection and neutralization of threats. In this way, our work can be used not only to identify detection and response gaps, but also to implement a continuous improvement cycle over time.
    Villalón-Huerta, A.; Marco-Gisbert, H.; Ripoll-Ripoll, I. (2022). SOC Critical Path: A defensive Kill Chain model. IEEE Access. 10:13570-13581. https://doi.org/10.1109/ACCESS.2022.3145029

    Modeling of Advanced Threat Actors: Characterization, Categorization and Detection

    Thesis by compendium. Information and its related technologies are a critical asset to protect for people, organizations and even whole countries. Our dependency on information technologies increases every day, so their security is a key issue for our well-being. The benefits that information technologies provide are unquestionable, but their usage also presents risks that, linked to our growing dependency on technologies, we must mitigate. Advanced threat actors are mainly categorized into criminal gangs, with an economic goal, and countries, whose goal is to gain superiority in strategic affairs such as commercial or military ones. These actors exploit technologies, particularly cyberspace, to achieve their goals. This PhD thesis contributes significantly to the characterization of advanced threat actors and to the detection of their hostile activities. The analysis of their features is a must, not only to know these actors and their operations better, but also to ease the deployment of countermeasures that increase our security. The detection of these operations is a mandatory first step to neutralize them, and so to minimize their impact. 
Regarding characterization, this work delves into the analysis of advanced threat actors' tactics and techniques. This analysis is always required for an accurate detection of hostile activities in cyberspace, but in the particular case of advanced threat actors, from criminal gangs to nation-states, it is mandatory: their activities are stealthy, as their success in most cases relies on not being detected by the target. Regarding detection, this work identifies and justifies the key requirements to establish an accurate response capability to face advanced threat actors. In addition, this work defines the tactics to be deployed in Security Operations Centers to optimize their detection and response capabilities. It is important to highlight that these tactics, with a kill-chain arrangement, allow not only this optimization, but particularly a homogeneous and structured approach, common to all defensive centers. In my opinion, one of the main bases of my work must be the applicability of its results. For this reason, the analysis of threat actors' tactics and techniques is aligned with the main public framework for this analysis, MITRE ATT&CK. The results and proposals from this research can be directly included in this framework, improving the characterization of threat actors as well as of their cyberspace activities. In addition, the proposals to improve the detection of these activities are directly applicable both in current Security Operations Centers and in common industry technologies. In this way, I consider that this work significantly improves current analysis and detection capabilities, and at the same time it improves the neutralization of hostile operations. These capabilities increase global security for all kinds of organizations and, definitely, for our whole society.
    Villalón Huerta, A. (2023). Modeling of Advanced Threat Actors: Characterization, Categorization and Detection [Doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/193855

    Cyber kill chain

    The article is devoted to the study of the Cyber Kill Chain (CKC) model. It discusses the terminology of the CKC model and its history. The stages of the model and their features are also presented, and a detailed analysis of each stage is made. Based on the study, a model diagram was created for simplified understanding.

    Experimental analysis of intrusion detection systems using machine learning algorithms and artificial neural networks

    Since the invention of the internet for military and academic research purposes, it has evolved to meet the demands of an increasing number of users whose scope extends beyond the military and academia. As the scope of the network expanded, maintaining its security became a matter of increasing importance. With various users and interconnections of more diversified networks, the internet needs to be maintained as securely as possible for the transmission of sensitive information to be one hundred per cent safe; several anomalies may intrude on private networks. Several research works have been released around network security, and this research seeks to add to the existing body of knowledge by expounding on these attacks, proffering efficient measures to detect network intrusions, and introducing an ensemble classifier: a combination of 3 different machine learning algorithms. The ensemble classifier is used for detecting remote to local (R2L) attacks, which showed the lowest level of accuracy when the network dataset was tested using single machine learning models, whereas the ensemble classifier gives an overall efficiency of 99.8%.

    A Comprehensive Cybersecurity Defense Framework for Large Organizations

    There is a growing need to understand and identify overarching organizational requirements for cybersecurity defense in large organizations. Applying proper cybersecurity defense will ensure that the right capabilities are fielded at the right locations to safeguard critical assets while minimizing duplication of effort and taking advantage of efficiencies. Exercising cybersecurity defense without an understanding of comprehensive foundational requirements instills an ad hoc and, in many cases, conservative approach to network security. Organizations must be synchronized across federal and civil agencies to achieve adequate cybersecurity defense. Understanding what constitutes comprehensive cybersecurity defense will ensure organizations are better protected and more efficient. This work, conducted as design science research, developed a model for understanding comprehensive cybersecurity defense, addressing the lack of standard requirements in large organizations. A systematic literature review and content analysis were conducted to form seven criteria statements for understanding comprehensive cybersecurity defense. The seven criteria statements were then validated by a panel of expert cyber defenders using the Delphi consensus process. Based on the approved criteria, the team of cyber defenders facilitated the development of a Comprehensive Cybersecurity Defense Framework prototype for understanding cybersecurity defense. Through the Delphi process, the team of cyber defense experts ensured the framework matched the seven criteria statements. An additional and separate panel of stakeholders conducted the Delphi consensus process to ensure a non-biased evaluation of the framework. The comprehensive cybersecurity defense framework was developed from the data collected from two distinct and separate Delphi panels. 
The framework maps risk management, behavioral, and defense-in-depth frameworks to cyber defense roles to offer a comprehensive approach to cyber defense in large companies, agencies, or organizations. By defining the cyber defense tasks, what those tasks are trying to achieve, and where best to accomplish those tasks on the network, a comprehensive approach is reached.

    Improving the Relevance of Cyber Incident Notification for Mission Assurance

    Military organizations have embedded Information and Communication Technology (ICT) into their core mission processes as a means to increase operational efficiency, improve decision-making quality, and shorten the kill chain. This dependence can place the mission at risk when the loss, corruption, or degradation of the confidentiality, integrity, and/or availability of a critical information resource occurs. Since the accuracy, conciseness, and timeliness of the information used in decision-making processes dramatically affect the quality of command decisions, and hence the operational mission outcome, the recognition, quantification, and documentation of critical mission-to-information resource dependencies is essential for the organization to gain a true appreciation of its operational risk. This research identifies existing decision support systems and evaluates their capabilities as a means of capturing, maintaining and communicating mission-to-information resource dependency information in a timely and relevant manner to assure mission operations. This thesis answers the following research question: Which decision support technology is the best candidate for use in a cyber incident notification system to overcome the limitations identified in the existing United States Air Force cyber incident notification process?

    Cyber Operator Competencies: The Role of Cognitive Competencies in Cyber Operator Practice and Education

    PhD Dissertations in Child and Youth Participation and Competence Development (BUK): 17. Articles 2, 3 and 4 have been removed from the digital thesis due to lack of permission from the publishers. These can be viewed in the relevant journals/books, and in the printed thesis.
    The theme of this thesis is the role of cognitive competencies in cyber operator practice and education. Cyber operator practice is a new field of research whose importance and attention are growing rapidly. Research has accumulated a solid amount of knowledge about the technical skills required by a cyber operator. However, less is known about the cognitive competencies that support cyber operator proficiency. In order to gain insight into the cognitive demands on cyber operators, the cognitions of young cyber officers (1) attending the Norwegian Defence Cyber Academy have been studied. The findings contribute to the development of theory and evidence-based knowledge needed to develop educational guidelines for the cyber operator workforce. This dissertation proposes, and takes steps towards validating, a conceptual framework, The Hybrid Space, that describes the cognitive work environment of military cyber operators. The Hybrid Space conceptual framework is introduced in the first article of this thesis and is used in all parts of the study. Methodological contributions include a method and software to collect quantitative data on cyber operators' cognitive focus and to assess cognitive agility. Cognitive agility is proposed as a competence and as a measure of cyber operator performance. Empirical data collected during a cyber defence exercise supports our theoretical assumption and helps to further develop The Hybrid Space conceptual framework. Findings indicate that knowledge and understanding of cyberspace as a domain of operations, and of the cognitive competencies supporting cyber operator proficiency, are limited. 
Cognitive agility is proposed as a cognitive competency and is associated with higher levels of self-regulation. These findings suggest that cognitive competencies can indeed support cyber operator performance. This thesis therefore contributes to cyber operator practice and education by suggesting that education and training would benefit from including the development of cognitive competencies alongside the technical education and training needed to become a cyber operator. In this way, this thesis adds new insight and perspective to the novel area of cyber operator practice. The results provide the first indications that cyber operator performance can be supported by the development of cognitive competencies during education.
    (1) Cyber officer and cyber operator are used interchangeably throughout the articles and this extended abstract. The reason is that the students undergo the same education, but the position they later obtain determines their career path and the accompanying title. The use of the terms is maturing in both military and civilian sectors. As of now, neither finite guidelines nor agreed-upon norms exist that guide the use of the titles.
    Summary (Norwegian abstract, translated). The theme of this doctoral thesis is the role of cognitive competencies in cyber operator practice and education. Cyber operator practice is a new field of research that has received great attention in recent years. Research in the area has produced knowledge about which technical knowledge and skills a cyber operator must have. Less is known about the cognitive competencies a cyber operator needs in order to practise effectively. To gain better insight into the cognitive demands placed on cyber operators, I have studied young cyber officers in education at Forsvarets Ingeniørhøgskole (FIH) (2). This thesis contributes knowledge and an empirical basis for developing research-based education for the cyber operators of the future. 
The thesis proposes, and begins the validation of, a conceptual framework, The Hybrid Space, which describes the cognitive demands that military cyber operators must deal with in the exercise of their work. The framework is introduced in the first article of this thesis and is used as the conceptual foundation for the rest of the thesis. The thesis also presents a method and a software tool that can be used to collect quantitative data on cyber operators' cognitive focus. This tool can also be used to examine how cyber operators display cognitive flexibility over time while they carry out a cyber operation. Cognitive flexibility is proposed as a performance measure for cyber operators. Empirical data gathered during a cyber defence exercise confirm our theoretical hypotheses and contribute to the further development of the conceptual framework. The main findings indicate that knowledge of and understanding of cyberspace as a domain of operations, and of the role of cognitive competencies in the cyber operator's execution of cyber operations, are limited. This thesis argues that the ability to manoeuvre cognitively and flexibly in the operational environment, defined as 'cognitive agility', is an important cognitive competency for cyber operators, and one that can be predicted by examining the capacity for self-regulation. These findings indicate that cognitive competencies can help support cyber operators' performance. The thesis contributes to cyber operator practice and education by showing that the development of cyber operator competence should include the development of cognitive competencies in addition to the development of technical knowledge and skills. With these findings, this thesis contributes new insight and perspective on cyber operator practice and education.
    (2) Forsvarets Ingeniørhøgskole (FIH) changed its name in 2018 to Cyberingeniørskolen (CIS) and was at the same time placed under Forsvarets Høgskole (FHS).