729 research outputs found
Tracking Cyber Adversaries with Adaptive Indicators of Compromise
A forensics investigation after a breach often uncovers network and host
indicators of compromise (IOCs) that can be deployed to sensors to allow early
detection of the adversary in the future. Over time, the adversary will change
tactics, techniques, and procedures (TTPs), which will also change the data
generated. If the IOCs are not kept up-to-date with the adversary's new TTPs,
the adversary will no longer be detected once all of the IOCs become invalid.
Tracking the Known (TTK) is the problem of keeping IOCs, in this case regular
expressions (regexes), up-to-date with a dynamic adversary. Our framework
solves the TTK problem in an automated, cyclic fashion to bracket a previously
discovered adversary. This tracking is accomplished through a data-driven
approach of self-adapting a given model based on its own detection
capabilities.
In our initial experiments, we found that the true positive rate (TPR) of the
adaptive solution degrades much less significantly over time than the naive
solution, suggesting that self-updating the model allows the continued
detection of positives (i.e., adversaries). The cost for this performance is in
the false positive rate (FPR), which increases over time for the adaptive
solution, but remains constant for the naive solution. However, the difference
in overall detection performance, as measured by the area under the curve
(AUC), between the two methods is negligible. This result suggests that
self-updating the model over time should be done in practice to continue to
detect known, evolving adversaries.Comment: This was presented at the 4th Annual Conf. on Computational Science &
Computational Intelligence (CSCI'17) held Dec 14-16, 2017 in Las Vegas,
Nevada, US
Tracking Cyber Adversaries with Adaptive Indicators of Compromise
A forensics investigation after a breach often uncovers network and host
indicators of compromise (IOCs) that can be deployed to sensors to allow early
detection of the adversary in the future. Over time, the adversary will change
tactics, techniques, and procedures (TTPs), which will also change the data
generated. If the IOCs are not kept up-to-date with the adversary's new TTPs,
the adversary will no longer be detected once all of the IOCs become invalid.
Tracking the Known (TTK) is the problem of keeping IOCs, in this case regular
expressions (regexes), up-to-date with a dynamic adversary. Our framework
solves the TTK problem in an automated, cyclic fashion to bracket a previously
discovered adversary. This tracking is accomplished through a data-driven
approach of self-adapting a given model based on its own detection
capabilities.
In our initial experiments, we found that the true positive rate (TPR) of the
adaptive solution degrades much less significantly over time than the naive
solution, suggesting that self-updating the model allows the continued
detection of positives (i.e., adversaries). The cost for this performance is in
the false positive rate (FPR), which increases over time for the adaptive
solution, but remains constant for the naive solution. However, the difference
in overall detection performance, as measured by the area under the curve
(AUC), between the two methods is negligible. This result suggests that
self-updating the model over time should be done in practice to continue to
detect known, evolving adversaries.Comment: This was presented at the 4th Annual Conf. on Computational Science &
Computational Intelligence (CSCI'17) held Dec 14-16, 2017 in Las Vegas,
Nevada, US
Adaptive Traffic Fingerprinting for Darknet Threat Intelligence
Darknet technology such as Tor has been used by various threat actors for
organising illegal activities and data exfiltration. As such, there is a case
for organisations to block such traffic, or to try and identify when it is used
and for what purposes. However, anonymity in cyberspace has always been a
domain of conflicting interests. While it gives enough power to nefarious
actors to masquerade their illegal activities, it is also the cornerstone to
facilitate freedom of speech and privacy. We present a proof of concept for a
novel algorithm that could form the fundamental pillar of a darknet-capable
Cyber Threat Intelligence platform. The solution can reduce anonymity of users
of Tor, and considers the existing visibility of network traffic before
optionally initiating targeted or widespread BGP interception. In combination
with server HTTP response manipulation, the algorithm attempts to reduce the
candidate data set to eliminate client-side traffic that is most unlikely to be
responsible for server-side connections of interest. Our test results show that
MITM manipulated server responses lead to expected changes received by the Tor
client. Using simulation data generated by shadow, we show that the detection
scheme is effective with false positive rate of 0.001, while sensitivity
detecting non-targets was 0.016+-0.127. Our algorithm could assist
collaborating organisations willing to share their threat intelligence or
cooperate during investigations.Comment: 26 page
Cyber security research frameworks for coevolutionary network defense
Cyber security is increasingly a challenge for organizations everywhere. Defense systems that require less expert knowledge and can adapt quickly to threats are strongly needed to combat the rise of cyber attacks. Computational intelligence techniques can be used to rapidly explore potential solutions while searching in a way that is unaffected by human bias.
Several architectures have been created for developing and testing systems used in network security, but most are meant to provide a platform for running cyber security experiments as opposed to automating experiment processes. In the first paper, we propose a framework termed Distributed Cyber Security Automation Framework for Experiments (DCAFE) that enables experiment automation and control in a distributed environment.
Predictive analysis of adversaries is another thorny issue in cyber security. Game theory can be used to mathematically analyze adversary models, but its scalability limitations restrict its use. Computational game theory allows us to scale classical game theory to larger, more complex systems. In the second paper, we propose a framework termed Coevolutionary Agent-based Network Defense Lightweight Event System (CANDLES) that can coevolve attacker and defender agent strategies and capabilities and evaluate potential solutions with a custom network defense simulation.
The third paper is a continuation of the CANDLES project in which we rewrote key parts of the framework. Attackers and defenders have been redesigned to evolve pure strategy, and a new network security simulation is devised which specifies network architecture and adds a temporal aspect. We also add a hill climber algorithm to evaluate the search space and justify the use of a coevolutionary algorithm --Abstract, page iv
Deceptive security based on authentication profiling
Passwords are broken. Multi-factor Authentication overcomes password insecurities, but its potentials are often not realised. This article presents InSight, a system to actively identify perpetrators by deceitful adaptation of the accessible system resources using Multi-factor Authentication profiles. This approach improves authentication reliability and attributes users by computing trust scores against profiles. Based on this score, certain functionality is locked, unlocked, buffered, or redirected to a deceptive honeypot, which is used for attribution. The novelty of this approach is twofold; a profile-based multi-factor authentication approach that is combined with a gradient, deceptive honeypot
Towards Reconstructing Multi-Step Cyber Attacks in Modern Cloud Environments with Tripwires
Rapidly-changing cloud environments that consist of heavily interconnected
components are difficult to secure. Existing solutions often try to correlate
many weak indicators to identify and reconstruct multi-step cyber attacks. The
lack of a true, causal link between most of these indicators still leaves
administrators with a lot of false-positives to browse through. We argue that
cyber deception can improve the precision of attack detection systems, if used
in a structured, and automatic way, i.e., in the form of so-called tripwires
that ultimately span an attack graph, which assists attack reconstruction
algorithms. This paper proposes an idea for a framework that combines cyber
deception, automatic tripwire injection and attack graphs, which eventually
enables us to reconstruct multi-step cyber attacks in modern cloud
environments.Comment: To be published in European Interdisciplinary Cybersecurity
Conference (EICC 2020
Cyber Threat Intelligence Model: An Evaluation of Taxonomies, Sharing Standards, and Ontologies within Cyber Threat Intelligence
Cyber threat intelligence is the provision of evidence-based knowledge about
existing or emerging threats. Benefits of threat intelligence include increased
situational awareness and efficiency in security operations and improved
prevention, detection, and response capabilities. To process, analyze, and
correlate vast amounts of threat information and derive highly contextual
intelligence that can be shared and consumed in meaningful times requires
utilizing machine-understandable knowledge representation formats that embed
the industry-required expressivity and are unambiguous. To a large extend, this
is achieved by technologies like ontologies, interoperability schemas, and
taxonomies. This research evaluates existing cyber-threat-intelligence-relevant
ontologies, sharing standards, and taxonomies for the purpose of measuring
their high-level conceptual expressivity with regards to the who, what, why,
where, when, and how elements of an adversarial attack in addition to courses
of action and technical indicators. The results confirmed that little emphasis
has been given to developing a comprehensive cyber threat intelligence ontology
with existing efforts not being thoroughly designed, non-interoperable and
ambiguous, and lacking semantic reasoning capability
Wide spectrum attribution: Using deception for attribution intelligence in cyber attacks
Modern cyber attacks have evolved considerably. The skill level required to conduct
a cyber attack is low. Computing power is cheap, targets are diverse and plentiful.
Point-and-click crimeware kits are widely circulated in the underground economy, while
source code for sophisticated malware such as Stuxnet is available for all to download
and repurpose. Despite decades of research into defensive techniques, such as firewalls,
intrusion detection systems, anti-virus, code auditing, etc, the quantity of successful
cyber attacks continues to increase, as does the number of vulnerabilities identified.
Measures to identify perpetrators, known as attribution, have existed for as long as there
have been cyber attacks. The most actively researched technical attribution techniques
involve the marking and logging of network packets. These techniques are performed
by network devices along the packet journey, which most often requires modification of
existing router hardware and/or software, or the inclusion of additional devices. These
modifications require wide-scale infrastructure changes that are not only complex and
costly, but invoke legal, ethical and governance issues. The usefulness of these techniques
is also often questioned, as attack actors use multiple stepping stones, often innocent
systems that have been compromised, to mask the true source. As such, this thesis
identifies that no publicly known previous work has been deployed on a wide-scale basis
in the Internet infrastructure.
This research investigates the use of an often overlooked tool for attribution: cyber de-
ception. The main contribution of this work is a significant advancement in the field of
deception and honeypots as technical attribution techniques. Specifically, the design and
implementation of two novel honeypot approaches; i) Deception Inside Credential Engine
(DICE), that uses policy and honeytokens to identify adversaries returning from different
origins and ii) Adaptive Honeynet Framework (AHFW), an introspection and adaptive
honeynet framework that uses actor-dependent triggers to modify the honeynet envi-
ronment, to engage the adversary, increasing the quantity and diversity of interactions.
The two approaches are based on a systematic review of the technical attribution litera-
ture that was used to derive a set of requirements for honeypots as technical attribution
techniques. Both approaches lead the way for further research in this field
Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study
Sharing Threat Intelligence is now one of the biggest trends in cyber security industry. Today, no one can deny the necessity for information sharing to fight the cyber battle. The massive production of raw and redundant data coupled with the increasingly innovative attack vectors of the perpetrators demands an ecosystem to scrutinize the information, detect and react to take a defensive stance. Having enough sources for threat intelligence or having too many security tools are the least of our problems. The main challenge lies in threat knowledge management, interoperability between different security tools and then converting these filtered data into actionable items across multiple devices. Large datasets may help filtering the massive information gathering, open standards may somewhat facilitate the interoperability issues, and machine learning may partly aid the learning of malicious traits and features of attack, but how do we coordinate the actionable responses across devices, networks, and other ecosystems to be proactive rather than reactive? This paper presents a study of current threat intelligence landscape (Tactic), information sources, basic Indicators of Compromise (IOCs) (Technique) and STIX and TAXII standard as open source frameworks (Procedure) to augment Cyber Threat Intelligence (CTI) sharing
- …