8,105 research outputs found

    Modeling of Advanced Threat Actors: Characterization, Categorization and Detection

    Thesis by compendium. Information and its related technologies are a critical asset to protect for people, organizations and even whole countries. Our dependency on information technologies increases every day, so their security is a key issue for our wellness. The benefits that information technologies provide are questionless, but their usage also presents risks that, linked to our growing dependency on technologies, we must mitigate. Advanced threat actors are mainly categorized in criminal gangs, with an economic goal, and countries, whose goal is to gain superiority in strategic affairs such as commercial or military ones. These actors exploit technologies, particularly cyberspace, to achieve their goals. This PhD Thesis significantly contributes to advanced threat actors' categorization and to the detection of their hostile activities. The analysis of their features is a must not only to know better these actors and their operations, but also to ease the deployment of countermeasures that increase our security. The detection of these operations is a mandatory first step to neutralize them, so to minimize their impact. Regarding characterization, this work delves into the analysis of advanced threat actors' tactics and techniques. This analysis is always required for an accurate detection of hostile activities in cyberspace, but in the particular case of advanced threat actors, from criminal gangs to nation-states, it is mandatory: their activities are stealthy, as their success in most cases relies on not being detected by the target. Regarding detection, this work identifies and justifies the key requirements to establish an accurate response capability to face advanced threat actors. In addition, this work defines the tactics to be deployed in Security Operations Centers to optimize their detection and response capabilities. It is important to highlight that these tactics, with a kill-chain arrangement, allow not only this optimization, but particularly a homogeneous and structured approach, common to all defensive centers. In my opinion, one of the main bases of my work must be the applicability of its results. For this reason, the analysis of threat actors' tactics and techniques is aligned with the main public framework for this analysis, MITRE ATT&CK. The results and proposals from this research can be directly included in this framework, improving the threat actors' characterization, as well as their cyberspace activities' one. In addition, the proposals to improve these activities' detection are directly applicable both in current Security Operations Centers and in common industry technologies. In this way, I consider that this work significantly improves current analysis and detection capabilities, and at the same time it improves hostile operations' neutralization. These capabilities increase global security for all kinds of organizations and, definitely, for our whole society.
    Villalón Huerta, A. (2023). Modeling of Advanced Threat Actors: Characterization, Categorization and Detection [Doctoral thesis]. Universitat Politècnica de València. https://doi.org/10.4995/Thesis/10251/193855

    CNA Tactics and Techniques: A Structure Proposal

    Destructive and control operations are today a major threat for cyber physical systems. These operations, known as Computer Network Attack (CNA), and usually linked to state-sponsored actors, are much less analyzed than Computer Network Exploitation activities (CNE), those related to intelligence gathering. While in CNE operations the main tactics and techniques are defined and well structured, in CNA there is a lack of such consensuated approaches. This situation hinders the modeling of threat actors, which prevents an accurate definition of control to identify and to neutralize malicious activities. In this paper, we propose the first global approach for CNA operations that can be used to map real-world activities. The proposal significantly reduces the amount of effort needed to identify, analyze, and neutralize advanced threat actors targeting cyber physical systems. It follows a logical structure that can be easy to expand and adapt.
    Villalón-Huerta, A.; Ripoll-Ripoll, I.; Marco-Gisbert, H. (2021). CNA Tactics and Techniques: A Structure Proposal. Journal of Sensor and Actuator Networks. 10(1):1-23. https://doi.org/10.3390/jsan10010014

    Foucault in Cyberspace: Surveillance, Sovereignty, and Hardwired Censors

    This is an essay about law in cyberspace. I focus on three interdependent phenomena: a set of political and legal assumptions that I call the jurisprudence of digital libertarianism, a separate but related set of beliefs about the state's supposed inability to regulate the Internet, and a preference for technological solutions to hard legal issues on-line. I make the familiar criticism that digital libertarianism is inadequate because of its blindness towards the effects of private power, and the less familiar claim that digital libertarianism is also surprisingly blind to the state's own power in cyberspace. In fact, I argue that the conceptual structure and jurisprudential assumptions of digital libertarianism lead its practitioners to ignore the ways in which the state can often use privatized enforcement and state-backed technologies to evade some of the supposed practical (and constitutional) restraints on the exercise of legal power over the Net. Finally, I argue that technological solutions which provide the keys to the first two phenomena are neither as neutral nor as benign as they are currently perceived to be. Some of my illustrations will come from the current Administration proposals for Internet copyright regulation, others from the Communications Decency Act and the cryptography debate. In the process, I make opportunistic and unsystematic use of the late Michel Foucault's work to criticise some of the jurisprudential orthodoxy of the Net

    The future of Cybersecurity in Italy: Strategic focus area

    This volume has been created as a continuation of the previous one, with the aim of outlining a set of focus areas and actions that the Italian Nation research community considers essential. The book touches many aspects of cyber security, ranging from the definition of the infrastructure and controls needed to organize cyberdefence to the actions and technologies to be developed to be better protected, from the identification of the main technologies to be defended to the proposal of a set of horizontal actions for training, awareness raising, and risk management

    Hacker, influencer, counter-culture spy: cyberspace actors’ models of misinformation and counter-operations

    As misinformation continues to spread on social media, its residents have begun to fight back, independent of any platform. This organic resistance to the diffusion of misinformation is a clearly observable phenomenon with roots in Anonymous’ distributed campaigns from the 2010s outwards. Hacker and information security communities are acting in defense of some of their favorite spaces, most notably, Twitter. Security researchers of all stripes use it for sharing indicators of compromise but, as the diffusion of misinformation becomes more problematic it becomes more difficult to find signals in the noise. These actors’ response to the issues at hand is polarizing, some convinced that political (counter) argumentation is a perpetual nuisance while others passionately attack the roots of misinformation, wherever they perceive it. In this study, researchers interview twenty-three cyberspace actors, highly active on Twitter & Discord, to better understand their mental models of misinformation, how they conceptualize counter operations and their thoughts on the efficacy of the tactics, tools and procedures involved therein

    Enhancing Cyberspace Monitoring in the United States Aviation Industry: A Multi-Layered Approach for Addressing Emerging Threats

    This research project examined the cyberspace domain in the United States (U.S.) aviation industry from many different angles. The research involved learning about the U.S. aviation cyberspace environment, the landscape of cyber threats, new technologies like 5G and smart airports, cybersecurity frameworks and best practices, and the use of aviation cyberspace monitoring capabilities. The research looked at how vulnerable the aviation industry is from cyber-attacks, analyzed the possible effects of cyber-attacks on the industry, and suggests ways to improve the industry's cybersecurity posture. The project's main goal was to protect against possible cyber-attacks and make sure that the aviation industry is safe and secure

    Learning from Kaupapa Māori: Issues and techniques for engagement

    This article argues for recognition of the value and relevance of Indigenous knowledges about principles and practices of engagement to theory-building and praxis in public relations. Specifically, in this article, the Kaupapa Māori body of knowledge and practice that has developed around Indigenous/non-Indigenous engagement in Aotearoa is identified as a valid source of insight for the analogous situation of organisation-public engagement where power imbalance is inherent

    Countering Expansion and Organization of Terrorism in Cyberspace

    Terrorists use cyberspace and social media technology to create fear and spread violent ideologies, which pose a significant threat to public security. Researchers have documented the importance of the application of law and regulation in dealing with the criminal activities perpetrated through the aid of computers in cyberspace. Using routine activity theory, this study assessed the effectiveness of technological approaches to mitigating the expansion and organization of terrorism in cyberspace. The study aligned with the purpose area analysis objective of classifying and assessing potential terrorist threats to preempt and mitigate the attacks. Data collection included document content analysis of the open-source documents, government threat assessments, legislation, policy papers, and peer-reviewed academic literature and semistructured interviews with fifteen security experts in Nigeria. Yin's recommended analysis process of iterative and repetitive review of materials was applied to the documents analysis, including interviews of key public and private sector individuals to identify key themes on Nigeria's current effort to secure the nation's cyberspace. The key findings were that the new generation of terrorists who are more technological savvy are growing, cybersecurity technologies are effective and quicker tools, and bilateral/multilateral cooperation is essential to combat the expansion of terrorism in cyberspace. The implementation of recommendations from this study will improve the security in cyberspace, thereby contributing to positive social change. The data provided may be useful to stakeholders responsible for national security, counterterrorism, law enforcement on the choice of cybersecurity technologies to confront terrorist expansion, and organization in cyberspace