Assessment of cyber threats discovered by OSINT

Tese de mestrado, Segurança Informática, Universidade de Lisboa, Faculdade de Ciências, 2022Despite the high maturity levels of CTI (Cyber Threat Intelligence) tools, techniques, procedures and frameworks, there are still gaps that must be considered and addressed. More than 50% of the world’s population is now online and growing, as the COVID-19 pandemic is pushing the large-scale adoption of technology in the most diverse areas. This context, aligned to the emerging technologies (e.g.: Cloud-computing, IoT, 5G) is enabling, allowing, and amplifying more complex and faster cyber-attacks. “Security-by design” is not yet the main principle, as products need to be quickly deployed into the market, delivering vulnerable targets into the Internet ecosystem. It is estimated that cy bercrime inflict damages of 6 billion USD in 2021, growing 15% per year, positioning it as the world’ third-largest economy, reaching 10.5 billion USD in 2025 [1]. Cyberattacks on critical infrastructures was considered the fifth top risk in 2020, as structural industries and sectors are juicy targets. On the other hand, the likelihood of detection and prosecu tion is estimated to be 0.05% in the USA [2]. To fight this threat and reduce the risk, it is essential that CTI parties join forces to improve coordination and cooperation, to reduce the time between the generation of CTI and its dissemination and achieve the balance between CTI in-time-dissemination and high-quality CTI. The quality of CTI is a huge barrier: most of the platforms ingest data from paid feeds and OSINT sources, gathering, filtering, analyzing, and aggregating, usually with little or no data-quality assessment. This increases the pressure on cyber-security analysts, who deal with plenty of generated alerts. IoCs (Indicator of Compromise) must go through an assessment process and be scored, so CTI consumers can decide and suit the measures accordingly. According to ENISA 2020 CTI survey [3], only 4% of CTI users can implement processes to measure CTI efficiency. This dissertation presents an overview of the existing CTI methodologies and technologies, proposing one solution to be adopted and integrated in CTI tools to assess, qualify, score and advise cyber-security analysts

Security Analysis of System Behaviour - From "Security by Design" to "Security at Runtime" -

The Internet today provides the environment for novel applications and processes which may evolve way beyond pre-planned scope and purpose. Security analysis is growing in complexity with the increase in functionality, connectivity, and dynamics of current electronic business processes. Technical processes within critical infrastructures also have to cope with these developments. To tackle the complexity of the security analysis, the application of models is becoming standard practice. However, model-based support for security analysis is not only needed in pre-operational phases but also during process execution, in order to provide situational security awareness at runtime. This cumulative thesis provides three major contributions to modelling methodology. Firstly, this thesis provides an approach for model-based analysis and verification of security and safety properties in order to support fault prevention and fault removal in system design or redesign. Furthermore, some construction principles for the design of well-behaved scalable systems are given. The second topic is the analysis of the exposition of vulnerabilities in the software components of networked systems to exploitation by internal or external threats. This kind of fault forecasting allows the security assessment of alternative system configurations and security policies. Validation and deployment of security policies that minimise the attack surface can now improve fault tolerance and mitigate the impact of successful attacks. Thirdly, the approach is extended to runtime applicability. An observing system monitors an event stream from the observed system with the aim to detect faults - deviations from the specified behaviour or security compliance violations - at runtime. Furthermore, knowledge about the expected behaviour given by an operational model is used to predict faults in the near future. Building on this, a holistic security management strategy is proposed. The architecture of the observing system is described and the applicability of model-based security analysis at runtime is demonstrated utilising processes from several industrial scenarios. The results of this cumulative thesis are provided by 19 selected peer-reviewed papers