8 research outputs found

    DECEPTION BASED TECHNIQUES AGAINST RANSOMWARES: A SYSTEMATIC REVIEW

    Ransomware is the most prevalent emerging business risk nowadays. It seriously affects business continuity and operations. According to Deloitte Cyber Security Landscape 2022, up to 4000 ransomware attacks occur daily, while the average number of days an organization takes to identify a breach is 191. Sophisticated cyber-attacks such as ransomware typically must go through multiple consecutive phases (initial foothold, network propagation, and action on objectives) before accomplishing their final objective. This study analyzed decoy-based solutions as an approach (detection, prevention, or mitigation) to overcome ransomware. A systematic literature review was conducted, whose results show that deception-based techniques have given effective and significant performance against ransomware with minimal resources. It is also identified that, contrary to general belief, deception techniques mainly involved in passive approaches (i.e., prevention, detection) possess other active capabilities such as ransomware traceback and obstruction (thwarting), file decryption, and decryption key recovery. Based on the literature review, several evaluation methods are also analyzed to measure the effectiveness of these deception-based techniques during the implementation process.

    Ransomware and Malware Sandboxing

    The threat of ransomware that encrypts data on a device and asks for payment to decrypt the data affects individual users, businesses, and vital systems including healthcare. This threat has become increasingly prevalent in the past few years. To understand ransomware through malware analysis, care must be taken to sandbox the ransomware in an environment that allows for a detailed and comprehensive analysis while also preventing it from being able to spread further. Modern malware often takes measures to detect whether it has been placed into an analysis environment in order to prevent examination. In this work, several notable pieces of ransomware were placed into sandbox environments to discover how they might obfuscate themselves to evade analysis and to determine the ways in which they propagate. The goal of the work is to identify and understand how these obfuscation and propagation techniques function in a sandbox, so that mitigation methods can be developed.

    Think twice before you click! : exploring the role of human factors in cybersecurity and privacy within healthcare organizations

    The urgent need to protect sensitive patient data and preserve the integrity of healthcare services has propelled the exploration of cybersecurity and privacy within healthcare organizations [1]. Recognizing that advanced technology and robust security measures alone are insufficient [2], our research focuses on the often-overlooked human element that significantly influences the efficacy of these safeguards. Our motivation stems from the realization that individual behaviors, decision-making processes, and organizational culture can be both the weakest link and the most potent tool in achieving a secure environment. Understanding these human dimensions is paramount, as even the most sophisticated protocols can be undone by a single lapse in judgment. This research explores the impact of human behavior on cybersecurity and privacy within healthcare organizations and presents a new methodological approach for measuring and raising awareness among healthcare employees. Understanding the human influence in cybersecurity and privacy is critical for mitigating risks and strengthening overall security posture. Moreover, the thesis aims to place emphasis on the human aspects, focusing on the often-overlooked factors that can shape the effectiveness of cybersecurity and privacy measures within healthcare organizations. We have highlighted factors such as employee awareness, knowledge, and behavior that play a pivotal role in preventing security incidents and data breaches [1]. By focusing on how social engineering attacks exploit human vulnerabilities, we underline the necessity of addressing these human-influenced aspects. The existing literature highlights the crucial role that human factors and awareness training play in strengthening cyber resilience, especially within the healthcare sector [1].
    Developing well-customized training programs, along with fostering a robust organizational culture, is vital for encouraging a secure and protected digital healthcare setting [3]. Building on the recognized significance of human influence in cybersecurity within healthcare organizations, a systematic literature review became indispensable. The existing body of research might not have fully captured all the ways in which human factors, such as psychology, behavior, and organizational culture, intertwine with technological aspects. A systematic literature review served as a robust foundation to collate, analyze, and synthesize existing knowledge, and to identify gaps where further research was needed. In complement to our systematic literature review and investigation of human factors, our research introduced a new methodological approach through a concept study based on an exploratory survey [4]. Recognizing the need to uncover intricate human behavior and psychology in the context of cybersecurity, we designed this survey to probe the multifaceted dimensions of cybersecurity awareness. The exploratory nature of the survey allowed us to explore cognitive, emotional, and behavioral aspects, capturing information that is often overlooked in conventional analyses. By employing this tailored survey, we were able to collect insights that provided a more textured understanding of how individuals within healthcare organizations perceive and engage with cybersecurity measures.

    RAISING THE CYBER GUARD: ANALYZING THE COST AND USE OF THE NATIONAL GUARD IN LOCAL MUNICIPAL AND STATE CYBER DEFENSE

    Cybersecurity is a national priority for the Homeland Security enterprise. Yet, despite its prioritization at the federal level, municipal and state governments have struggled to incorporate the National Guard in cyber incident response. Cyber incidents strain municipalities and states, which have spent significant resources to mitigate cyber threats. The glaring gap in the National Guard’s role in municipal and state cyber incident response raises two key questions as to why the National Guard isn’t more readily used: “Is it cost prohibitive to use National Guard assets when compared to private entities?” and “Is there an underlying sociological disconnect regarding the National Guard’s role in cyber disasters when compared to physical disasters?” Both questions, and the National Guard’s role more broadly, have been largely underexamined by Homeland Security professionals and academia and require additional examination. This dissertation seeks to answer both questions via a sequential mixed-method approach. First, using a quantitative analysis method examining case studies, this study seeks to determine whether it is less expensive for municipal and state governments to use the National Guard instead of private sector assistance for cyber incident response. Sequentially, if it is less expensive, this dissertation utilizes a survey-based questionnaire distributed to associations of National Guard and emergency response personnel to answer whether there are underlying sociological misperceptions that contribute to the National Guard’s underutilization for cyber disasters when compared to its role in traditional disaster response. This study achieved complementary results, with quantitative testing affirming the initial hypothesis regarding the National Guard’s cost effectiveness versus private sector entities in the case studies examined.
    This led to qualitative studies using surveys to examine possible misperceptions of the National Guard’s role in cyber incident response for municipal and state level operations. Surveys revealed both a lack of understanding of, and a disconnect between, the National Guard’s role in cyber incident response when compared to its normal role in physical disasters. This research creates opportunity and future growth for Homeland Security professionals to prioritize the understanding and growing role of the National Guard for public and private enterprise at the municipal and state level of cyber incident response.

    Authentication and Data Protection under Strong Adversarial Model

    We are interested in addressing a series of existing and plausible threats to cybersecurity where the adversary possesses unconventional attack capabilities. Such unconventionality includes, in our exploration but not limited to, crowd-sourcing, physical/juridical coercion, substantial (but bounded) computational resources, malicious insiders, etc. Our studies show that unconventional adversaries can be counteracted with a special anchor of trust and/or a paradigm shift on a case-specific basis. Complementing cryptography, hardware security primitives are the last defense in the face of co-located (physical) and privileged (software) adversaries, hence serving as the special trust anchor. Examples of hardware primitives are architecture-shipped features (e.g., with CPU or chipsets), security chips or tokens, and certain features on peripheral/storage devices. We also propose changes of paradigm in conjunction with hardware primitives, such as containing attacks instead of counteracting them, pretended compliance, and immunization instead of detection/prevention. In this thesis, we demonstrate how our philosophy is applied to cope with several exemplary scenarios of unconventional threats, and elaborate on the prototype systems we have implemented. Specifically, Gracewipe is designed for stealthy and verifiable secure deletion of on-disk user secrets under coercion; Hypnoguard protects in-RAM data when a computer is in sleep (ACPI S3) against various memory/guessing attacks; Uvauth mitigates large-scale human-assisted guessing attacks by receiving all login attempts in an indistinguishable manner, i.e., correct credentials in a legitimate session and incorrect ones in a plausible fake session; Inuksuk is proposed to protect user files against ransomware or other unauthorized tampering. It augments the hardware access control on self-encrypting drives with trusted execution to achieve data immunization.
    We have also extended the Gracewipe scenario to a network-based enterprise environment, aiming to address slightly different threats, e.g., malicious insiders. We believe the high-level methodology of these research topics can contribute to advancing security research under strong adversarial assumptions, and to the promotion of software-hardware orchestration in protecting execution integrity therein.

    Factors Affecting Perceptions of Cybersecurity Readiness Among Workgroup IT Managers

    The last decade has seen a dramatic increase in the number, frequency, and scope of cyberattacks, both in the United States and abroad. This upward trend necessitates that a significant aspect of any organization’s information systems strategy involves having a strong cybersecurity profile. Inherent in such a posture is the need to have IT managers who are experts in their field and who are willing and able to employ best practices and educate their users. Furthermore, IT managers need to have awareness of the technology landscape in and around their organizations. After many years of cybersecurity research, large corporations have come to implicitly understand these factors and, as such, have invested heavily in both technology and specialized personnel with the express aim of increasing their cybersecurity capabilities. However, large institutions comprise smaller organizational units, which are not always adequately considered when examining the cybersecurity profile of the organization. This oversight is particularly true of colleges and universities, where IT managers who are not affiliated with the institution’s central IT department employ their own information security strategies. Such strategies may or may not represent a threat to the institution’s overall level of cybersecurity readiness. Therefore, this research examines the responses of workgroup IT managers who are employed at the school or department level at institutions of higher learning within the United States to determine their perceptions of their cybersecurity readiness. The conceptual model that is developed in this study is referred to as the Practice and Awareness Cybersecurity Readiness Model (PACRM). It examines the relationships between an IT manager’s perceived readiness to detect, prevent, and recover from a cyberattack, and four base factors.
    The factors studied are the manager’s previous level of experience in cybersecurity, the extent of the manager’s use of best practices, the manager’s awareness of the network infrastructure in and around the organizational unit, and the degree to which the manager’s supported user community is educated on topics related to information security. First, a survey instrument is proposed and validated. Then, a Confirmatory Factor Analysis (CFA) is conducted to examine the relationships between the observed variables and the underlying theoretical constructs. Finally, the model is tested using path analysis. The validated instrument will have obvious implications for both cybersecurity researchers and managers. Not only will it be available to other researchers, it will also provide a metric by which practitioners can gauge their perceptions of their cybersecurity readiness. In addition, if the underlying model is found to have been correctly specified, it will provide a theoretical foundation on which to base future research that is not dependent on threats and deterrents but rather on raising the self-efficacy of the human resource.

    The effect of cyberattacks on European financial institutions: an event study approach

    Cyber risk has been a widely debated issue in recent years. The financial world could prove particularly vulnerable when it comes to cyberattacks, given the high level of interconnection between all of the sector’s players. This paper uses the event study methodology to assess the reaction of 15 European financial institutions’ share prices to direct cyberattacks. The same methodology is used for testing the reaction of a sample of 22 financial institutions, based in the Eurozone, to a series of systemic cyberattacks with potential worldwide repercussions. Our research represents an original contribution to the literature in two ways. Firstly, to the best of our knowledge, no authors have previously applied the event study methodology to a sample of shares pertaining exclusively to financial institutions, even less so to financial institutions exclusively based in the Eurozone. Secondly, to the best of our knowledge, no existing research has applied our subdivision between direct and systemic cybersecurity events in a single study. Overall, our study provides empirical evidence on the effect of 14 direct and 3 systemic cyberattacks. These attacks were announced by newspapers between October 2014 and August 2023. This represents an opportunity to update the results of the older event study cybersecurity literature, as well as an opportunity to test the results of more recent studies. The results can also be useful in the interpretation and anticipation of current and future European legislation on cybersecurity. In the case of direct cyberattacks, which explicitly target banks, insurance companies or electronic money institutions, we find that stock prices exhibit negative and significant cumulative abnormal returns. Furthermore, these negative effects become more relevant when considering larger event windows after the attack date.
    We also divide, in accordance with other studies, direct events between ones that compromise the confidentiality of information and ones that do not. Interestingly, we find that attacks that do not reveal confidential information have a significant negative effect on their targets. Conversely, cyberattacks that do reveal confidential information held by financial institutions do not have a significant effect on stock prices. Regarding the three systemic events, we find contrasting but interesting results. The breach of a major US bank has an overall negative and significant effect on European companies, in particular the ones based in Italy and Spain. On the other hand, when SolarWinds was discovered to be the vector of a cyberattack on the US Government, no such negative effect was observed. Lastly, in the case of the WannaCry ransomware epidemic, we find empirical evidence of negative abnormal returns only for companies based in Germany and Spain.

    Ransomware's Early Mitigation Mechanisms

    Ransomware remains a modern trend. Attackers are still using cryptovirology to force victims to pay. Notable attacks have been spreading since 2012, starting with Reveton's ransomware attack to the more recent 2017 WannaCry, Petya and Bad Rabbit cyberattacks. Ransomware as a Service (RaaS) can lure criminals into developing tools to perform an attack without previous knowledge of the cryptosystem itself. We present in this paper a graph-based ransomware countermeasure to detect malicious threads. It is a new mechanism that doesn't rely on metrics previously used in the literature to detect ransomware, such as Shannon's entropy or system calls. An accurate detection is achieved by our solution: the per-thread file system traversal is sufficient to highlight the malicious behaviors. To the best of our knowledge, no previous study has been conducted in this area. The ransomware collection used in our experiments contains more than 700 active examples of ransomware, which were analyzed in our bare metal sandbox environment.