    Command & Control: Understanding, Denying and Detecting - A review of malware C2 techniques, detection and defences

    In this survey, we first briefly review the current state of cyber attacks, highlighting significant recent changes in how and why such attacks are performed. We then investigate the mechanics of malware command and control (C2) establishment: we provide a comprehensive review of the techniques used by attackers to set up such a channel and to hide its presence from the attacked parties and the security tools they use. We then switch to the defensive side of the problem and review approaches that have been proposed for the detection and disruption of C2 channels. We also map such techniques to widely adopted security controls, emphasizing gaps or limitations (and success stories) in current best practices. Comment: Work commissioned by CPNI, available at c2report.org. 38 pages. Listing abstract compressed from version appearing in report.

    Mitigating security breaches through insurance: Logit and Probit models for quantifying e-risk

    The common e-threats deterring ecommerce are identity theft, hacking, virus attack, graffiti, phishing, Denial of Service (DoS), sabotage by disgruntled employees, loss of laptops, financial fraud and telecom-driven fraud. These discourage users from online transactions. Organizations spend millions of dollars to implement the latest perimeter and core security technologies, to deter malicious attackers and to ensure confidentiality, integrity and availability of data. Yet security breaches are common. They result in loss of opportunity cost, market capitalization and brand equity for organizations. We propose e-risk insurance as a strategy to supplement the security technologies and to mitigate these financial losses. In this paper, we propose two generalized linear models (GLM), namely Logit and Probit, for quantification of the probability of an e-threat, using CSI/FBI data. We also compute the expected loss amount for organizations using a collective risk model. Based on it, we ascertain the net premium to be accrued to the insurance companies.

    An Overview of Economic Approaches to Information Security Management

    The increasing concerns of clients, particularly in online commerce, plus the impact of legislation on information security, have compelled companies to put more resources into information security. As a result, senior managers in many organizations are now expressing a much greater interest in information security. However, the largest body of research related to preventing breaches is technical, focusing on such issues as encryption and access control. In contrast, research related to the economic aspects of information security is small but rapidly growing. The goal of this technical note is twofold: i) to provide the reader with a structured overview of the economic approaches to information security and ii) to identify potential research directions.

    A Probabilistic Framework for Security Scenarios with Dependent Actions

    This work addresses the growing need of performing meaningful probabilistic analysis of security. We propose a framework that integrates the graphical security modeling technique of attack–defense trees with probabilistic information expressed in terms of Bayesian networks. This allows us to perform probabilistic evaluation of attack–defense scenarios involving dependent actions. To improve the efficiency of our computations, we make use of inference algorithms from Bayesian networks and encoding techniques from constraint reasoning. We discuss the algebraic theory underlying our framework and point out several generalizations which are possible thanks to the use of semiring theory

    ICT aspects of power systems and their security

    This report provides a detailed description of four complex attack scenarios whose final goal is to damage the Electric Power Transmission System. The details about the protocols used, vulnerabilities, devices etc. have, for obvious reasons, been hidden, and the ones presented are to be understood as mere (even if realistic) simplified versions of possible power systems. JRC.DG.G.6 - Security technology assessment