Towards a theoretical framework for an active cyber situational awareness model
Active offensive cyber situational awareness: theory and practice
This thesis was submitted for the degree of Doctor of Philosophy and awarded by Brunel University. There is an increasing gap between the progress of technological systems and the successful exploitation of these systems through cyber-attack. Whilst the mechanism and scope of cyberspace is progressing with each passing day, risk factors and the ability to process the required amount of data from cyberspace efficiently are proving to be major obstacles to achieving desired outcomes from cyber operations. This, coupled with the dramatic increase in the numbers of cyber attackers, who are constantly producing new ways of attacking and paralysing cyber systems for political or financial gain, is a critical issue for countries that have linked their major infrastructures with Internet applications. The defensive methods currently applied to counter these evolving attacks are no longer sufficient, due to their preventive and reactive nature. This research has developed a new Active Situational Awareness theoretical model for Active Defence that aims to enhance the agility and quality of cyber situational awareness in organisations in order to counter cyber attacks. Situational Awareness (SA) is a crucial component in every organisation. It helps in the assessment of an immediate situation in relation to the environment. Current SA models adopt a reactive attitude, which responds to events and works in a passive manner to any progressing enemy cyber attack. This creates a defensive mind-set and consequently influences the operator to process and utilise knowledge only within the concept of attack prevention. Thus, one can assume that operators will only gather certain knowledge after the occurrence of an attack, instead of actively searching for new intelligence to create new knowledge about the cyber attack before it takes place.
This research study introduces a new approach that incorporates an Active Defence posture; namely, a ‘winning attitude’ that conforms to the military stratagems of Sun Tzu, where operators always engage attackers directly in order to create new knowledge in an agile manner by deploying active intelligence-gathering techniques to inform active defence postures in cyberspace. This also allows the system being protected to remain one step ahead of the attackers to ultimately defeat them and thwart any costly attacks. To back these statements, this study issued a survey to 200 cyber defence and security experts in order to collect data on their opinions concerning the current state of Active SA. Structural Equation Modelling (SEM) was then employed to analyse the data gathered from the survey. The results of the analysis revealed significant importance of Active Offensive Intelligence gathering in enhancing Cyber SA. The SEM showed there is a significant impact on SA Agility and Quality from Active Intelligence gathering activities.
Further to this, the SEM results informed the design of the serious gaming environments utilised in this research to verify the SEM causality model. Also, the SEM informed the design of a SA assessment metric, where a behavioural anchor rating scale was used along with ground truth to measure participant SA performance. The results of this experiment revealed that there was a 2 times better enhancement in cyber situational awareness among those who did utilise active measures compared with participants who did not, which means almost double, and this shows the importance of offensive intelligence gathering in enhancing cyber SA and speeding up defender decision making and the OODA loop. This research provided for the first time a novel theory for active cyber SA that is aligned with military doctrine. Also, a novel assessment framework and approaches for evaluating and quantifying cyber SA performance were developed in this research study. Finally, a serious gaming environment was developed for this research and used to evaluate the active SA theory, which has an impact on training, techniques and practice. Deception utilisation by Active groups revealed the importance of having deception capabilities as part of active tools that help operators to understand attackers’ intent and motive, and give operators more time to control the impact of cyber attacks. However, incorrect utilisation of deception capabilities during the experiment led operators to lose control over cyber attacks. Active defence is required for future cyber security. However, this trend towards the militarisation of cyberspace demands new or updated laws and regulations at an international level. Active intelligence methods define the principal capability at the core of the new active situational awareness model in order to deliver enhanced agility and quality in cyber SA. Abu Dhabi Police General Head Quarter
Crime scripting: A systematic review
The file attached to this record is the author's final peer reviewed version. More than two decades after the publication of Cornish’s seminal work about the script-theoretic approach to crime analysis, this article examines how the concept has been applied in our community. The study provides evidence confirming that the approach is increasingly popular; and takes stock of crime scripting practices through a systematic review of over one hundred scripts published between 1994 and 2018. The results offer the first comprehensive picture of this approach, and highlight new directions for those interested in using data from cyber-systems and the Internet of Things to develop effective situational crime prevention measures
Analysis of a South African cyber-security awareness campaign for schools using interdisciplinary communications frameworks
To provide structure to cyber awareness and educational initiatives in South Africa, Kortjan and Von Solms (2014) developed a five-layer cyber-security awareness and education framework. The purpose of the dissertation is to determine how the framework layers can be refined through the integration of communication theory, with the intention to contribute towards the practical implications of the framework. The study is approached qualitatively and uses a case study for argumentation to illustrate how the existing framework can be further developed. Drawing on several comprehensive campaign planning models, the dissertation illustrates that not all important campaign planning elements are currently included in the existing framework. Proposed changes in the preparation layer include incorporating a situational and target audience analysis, determining resources allocated for the campaign, and formulating a communication strategy. Proposed changes in the delivery layer of the framework are concerned with the implementation, monitoring and adjustment, as well as reporting of campaign successes and challenges. The dissertation builds on, and adds to, the growing literature on the development of campaigns for cyber-security awareness and education aimed at children
The Cybercrime Triangle
Information technology can increase the convergence of three dimensions of the crime triangle due to the spatial and temporal confluence in the virtual world. In other words, its advancement can lead to facilitating criminals with more chances to commit a crime against suitable targets living in different real-world time zones without temporal and spatial orders. However, within this mechanism, cybercrime can be discouraged “…if the cyber-adversary is handled, the target/victim is guarded, or the place is effectively managed” (Wilcox & Cullen, 2018, p. 134). In fact, Madensen and Eck (2013) assert that only one effective controller is enough to prevent a crime. Given this condition of the crime triangle, it must be noted that each of these components (the offender, the target, and the place) or controllers (i.e., handler, guardian, and manager) can play a pivotal role in reducing cybercrime.
To date, scholars and professionals have analyzed the phenomenon of cybercrime and developed cybercrime prevention strategies relying predominantly on cybercrime victimization (suitable targets) but have yet to utilize the broader framework of the crime triangle commonly used in the analysis and prevention of crime. More specifically, the dimensions of cybercrime offenders, places, or controllers have been absent in prior scientific research and in guiding the establishment and examination of cybercrime prevention strategies. Given this gap, much remains to be known as to how these conceptual entities operate in the virtual realm and whether they share similarities with what we know about other crimes in the physical world. Thus, the purpose of this study is to extend the application of the “Crime Triangle,” a derivative of Routine Activity Theory, to crime events in the digital realm to provide scholars, practitioners, and policy makers a more complete lens to improve understanding and prevention of cybercrime incidents. In other words, this dissertation will endeavor to devise a comprehensive framework for our society to use to form cybersecurity policies to implement a secure and stable digital environment that supports continued economic growth as well as national security.
The findings of this study suggest that both criminological and technical perspectives are crucial in comprehending cybercrime incidents. This dissertation attempts to independently explore these three components in order to portray the characteristics of cybercriminals, cybercrime victims, and place management. Specifically, this study first explores the characteristics of cybercriminals via a criminal profiling method primarily using court criminal record documents (indictments/complaints) provided by the FIU law library website. Second, the associations between cybercrime victims, digital capable guardianship, perceived risks of cybercrime, and online activity are examined using Eurobarometer survey data. Third, the associations between place management activities and cybercrime prevention are examined using “Phishing Campaign” and “Cybersecurity Awareness Training Program” data derived from FIU’s Division of Information Technology
Scenarios for the development of smart grids in the UK: literature review
Smart grids are expected to play a central role in any transition to a low-carbon energy future, and much research is currently underway on practically every area of smart grids. However, it is evident that even basic aspects such as theoretical and operational definitions, are yet to be agreed upon and be clearly defined. Some aspects (efficient management of supply, including intermittent supply, two-way communication between the producer and user of electricity, use of IT technology to respond to and manage demand, and ensuring safe and secure electricity distribution) are more commonly accepted than others (such as smart meters) in defining what comprises a smart grid.
It is clear that smart grid developments enjoy political and financial support both at UK and EU levels, and from the majority of related industries. The reasons for this vary and include the hope that smart grids will facilitate the achievement of carbon reduction targets, create new employment opportunities, and reduce costs relevant to energy generation (fewer power stations) and distribution (fewer losses and better stability). However, smart grid development depends on additional factors, beyond the energy industry. These relate to issues of public acceptability of relevant technologies and associated risks (e.g. data safety, privacy, cyber security), pricing, competition, and regulation; implying the involvement of a wide range of players such as the industry, regulators and consumers.
The above constitute a complex set of variables and actors, and interactions between them. In order to best explore ways of possible deployment of smart grids, the use of scenarios is most adequate, as they can incorporate several parameters and variables into a coherent storyline. Scenarios have been previously used in the context of smart grids, but have traditionally focused on factors such as economic growth or policy evolution. Important additional socio-technical aspects of smart grids emerge from the literature review in this report and therefore need to be incorporated in our scenarios. These can be grouped into four (interlinked) main categories: supply side aspects, demand side aspects, policy and regulation, and technical aspects.
Socialbots and the Challenges of Cyberspace Awareness
As security communities brace for the emerging social automation based threats, we examine the mechanisms of developing situation awareness in cyberspace and the governance issues that socialbots bring into this existing paradigm of cyber situation awareness. We point out that an organisation's situation awareness in cyberspace is a phenomenon fundamentally distinct from the original conception of situation awareness, requiring continuous data exchange and knowledge management where the standard implementation mechanisms require significant policy attention in light of threats like malicious social automation. We conceptualise Cyberspace Awareness as a socio-technical phenomenon with Syntactic, Semantic, and Operatic dimensions - each subject to a number of stressors which are exacerbated under social automation based threats. The paper contributes to the ideas of situational awareness in cyberspace, and characterises the challenges therein around tackling the increasingly social and often pervasive, automation in cyber threat environments
Tabletop Exercise For Cybersecurity Educational Training; Theoretical Grounding And Development
Education and training aspects are vital components of national cybersecurity strategies, to shape, strengthen and test decision makers' preparedness for both current and possible future cyber challenges. In cyber defence and security, crisis management skills are crucial in decision making, in order to respond adequately to incidents in which private or public well-being and safety are threatened. The aim of this master's thesis is to propose improvements to the possible and known weaknesses of the educational components of cybersecurity strategies, discussing awareness-training models with a significant impact on participants, with a focus on personnel with strategic decision-making capacity who could take part in a cyber incident. The work supports the use of simulation-based scenarios and concentrates on the design of tabletop exercises. This work shows how a tabletop exercise can be an effective way to shape, improve and test awareness, understanding and preparation for making strategic decisions in cyber incidents. The thesis is based on a disciplinary and conceptual integration of learning theories with gamification-based motivators and management theories. Scenario-based training offers a safe and flexible environment in which the participant is placed in a critical situation while retaining a realistic overview of the characteristics of a cyber crisis and of possible threats. The simulation presents possible challenges, demanding crisis management skills and an appropriate response. Tabletop exercises allow andragogical benefits and educational objectives to be realised through an innovative and engaging method. The results of this training model are measured using Bloom's revised taxonomy of educational objectives, taking into account elements of experiential learning and situated cognition. The OODA loop offers a considered decision-making process that also suits the dynamics of this proposal.
In addition, the work contributes an original modular guide that trainers and lecturers can use to carry out a tabletop exercise in cybersecurity. Experience of and participation in national and international tabletop exercises gave empirical support to the theoretical integration and informed the development of the modular guide. The work is qualitative. The thesis contributes to the relevant academic dialogue with its theoretical foundations, and also in practical terms, as it offers tools for conducting a simulation-based tabletop exercise.
Education and training aspects are vital components of national cybersecurity strategies, to shape, enhance and test the decision maker’s level of preparedness before current and future challenges that can arise from a cyber incident. Decision-making processes in cyber defense and security require crucial crisis management competences capable of generating a comprehensive response where safety, well-being and other public and private assets could be put at stake. The purpose of this thesis is to suggest the improvement of potential and perceived weaknesses on the educational components of cyber security strategies, discussing awareness-training models with significant impact on the participants, focusing on strategic decision-making level personnel that could partake of cyber related incidents. The work supports the use of simulation-based scenarios, and concentrates on the design of Tabletop exercises. This thesis shows when a tabletop exercise could be an effective mechanism to shape, enhance and test the awareness, understanding and preparation for strategic decision makers in cyber related incidents. The thesis draws from a disciplinary integration of learning, human computer interaction, and management theories. A scenario-based training provides a safe and flexible environment where the participant is placed into a critical situation while maintaining a realistic insight into the characteristics of cyber crisis and the threats and attacks that may take place.
The simulation represents possible challenges, demanding crisis management capacity and an appropriate response. Tabletop exercises permit andragogical benefits and educational purposes to be realized through an innovative and engaging method. Considering elements from experiential learning and situated cognition, the learning outcomes of this training model will be measured using Bloom’s revised taxonomy of educational objectives. The OODA Loop will suggest a thoughtful decision making process that also fits well the dynamic of the current proposal. Additionally, the thesis will contribute with an original modular guide that trainers and educators can use for the implementation of a Tabletop exercise on cyber security. National and international level tabletop exercises experience and participation provided empirical support to the theoretical contribution on theory integration, and informed the modular guide development. The work is qualitative and therefore seeks to observe, interpret and understand, by using documental analysis, and observation methods. The work contributes to the relevant academic dialog on its theoretical grounds and also in practical terms, by providing tools readily applicable to the creation of simulation-based tabletop exercises