Using Covert Means to Establish Cybercraft Command and Control

With the increase in speed and availability of computers, our nation\u27s computer and information systems are being attacked with increased sophistication. The Air Force Research Laboratory (AFRL) Information Directorate (RI) is researching a next generation network defense architecture, called Cybercraft, that provides automated and trusted cyber defense capabilities for AF network assets. This research we consider the issues to protect or obfuscate command and control aspects of Cybercraft. In particular, we present a methodology to hide aspects of Cybercraft platform initialization in context to formation of hierarchical, peer-to-peer groups that collectively form the Cybercraft network. Because malicious code networks (known as botnets) currently manifest many properties of obfuscating command and control sequencing, we evaluate and consider our proposed methodology in light of leading bot detection algorithms. This research subjects Bothunter to a series of tests to validate these claims. We use a leading bot detection utility, Bothunter, and an ARP validation tool, XArp, to build a case for the effectiveness of our approach. We present three scenarios that correlate to how we believe Cybercraft platforms integrate in the future and consider stealthiness in terms of these representative tools. Our research gives emphasis on measurable hiding related to the Cybercraft initialization sequence, and we show how common network protocols such as ARP, HTTP, and DNS may be modified to carry C2 commands while evading common detection methods found in current tools

Malicious uses of blockchains by malware: from the analysis to Smart-Zephyrus

Open Access funding provided thanks to the CRUE-CSIC agreement with Springer Nature. This work was supported by the Madrid Government (Comunidad de Madrid-Spain) under the multiannual agreement with UC3M (“fostering young doctor research”, DEPROFAKE-CM-UC3M) and in the context of the V PRICIT research and technological innovation regional program; by CAM by grant CYNAMON P2018/TCS-4566-CM, co-funded with ERDF; by 1208 Min. of Science and Innovation of Spain by grant ODIO PID2019-1209 111429RB-C21 (AEI/10.13039/50110 12100011033); and by Funding for APC: Universidad Carlos III de Madrid (Read & Publish Agreement CRUE-CSIC 2023)

Cybersecurity applications of Blockchain technologies

With the increase in connectivity, the popularization of cloud services, and the rise of the Internet of Things (IoT), decentralized approaches for trust management are gaining momentum. Since blockchain technologies provide a distributed ledger, they are receiving massive attention from the research community in different application fields. However, this technology does not provide cybersecurity by itself. Thus, this thesis first aims to provide a comprehensive review of techniques and elements that have been proposed to achieve cybersecurity in blockchain-based systems. The analysis is intended to target area researchers, cybersecurity specialists and blockchain developers. We present a series of lessons learned as well. One of them is the rise of Ethereum as one of the most used technologies. Furthermore, some intrinsic characteristics of the blockchain, like permanent availability and immutability made it interesting for other ends, namely as covert channels and malicious purposes. On the one hand, the use of blockchains by malwares has not been characterized yet. Therefore, this thesis also analyzes the current state of the art in this area. One of the lessons learned is that covert communications have received little attention. On the other hand, although previous works have analyzed the feasibility of covert channels in a particular blockchain technology called Bitcoin, no previous work has explored the use of Ethereum to establish a covert channel considering all transaction fields and smart contracts. To foster further defence-oriented research, two novel mechanisms are presented on this thesis. First, Zephyrus takes advantage of all Ethereum fields and smartcontract bytecode. Second, Smart-Zephyrus is built to complement Zephyrus by leveraging smart contracts written in Solidity. We also assess the mechanisms feasibility and cost. Our experiments show that Zephyrus, in the best case, can embed 40 Kbits in 0.57 s. for US$1.64, and retrieve them in 2.8 s. Smart-Zephyrus, however, is able to hide a 4 Kb secret in 41 s. While being expensive (around US$ 1.82 per bit), the provided stealthiness might be worth the price for attackers. Furthermore, these two mechanisms can be combined to increase capacity and reduce costs.Debido al aumento de la conectividad, la popularización de los servicios en la nube y el auge del Internet de las cosas (IoT), los enfoques descentralizados para la gestión de la confianza están cobrando impulso. Dado que las tecnologías de cadena de bloques (blockchain) proporcionan un archivo distribuido, están recibiendo una atención masiva por parte de la comunidad investigadora en diferentes campos de aplicación. Sin embargo, esta tecnología no proporciona ciberseguridad por sí misma. Por lo tanto, esta tesis tiene como primer objetivo proporcionar una revisión exhaustiva de las técnicas y elementos que se han propuesto para lograr la ciberseguridad en los sistemas basados en blockchain. Este análisis está dirigido a investigadores del área, especialistas en ciberseguridad y desarrolladores de blockchain. A su vez, se presentan una serie de lecciones aprendidas, siendo una de ellas el auge de Ethereum como una de las tecnologías más utilizadas. Asimismo, algunas características intrínsecas de la blockchain, como la disponibilidad permanente y la inmutabilidad, la hacen interesante para otros fines, concretamente como canal encubierto y con fines maliciosos. Por una parte, aún no se ha caracterizado el uso de la blockchain por parte de malwares. Por ello, esta tesis también analiza el actual estado del arte en este ámbito. Una de las lecciones aprendidas al analizar los datos es que las comunicaciones encubiertas han recibido poca atención. Por otro lado, aunque trabajos anteriores han analizado la viabilidad de los canales encubiertos en una tecnología blockchain concreta llamada Bitcoin, ningún trabajo anterior ha explorado el uso de Ethereum para establecer un canal encubierto considerando todos los campos de transacción y contratos inteligentes. Con el objetivo de fomentar una mayor investigación orientada a la defensa, en esta tesis se presentan dos mecanismos novedosos. En primer lugar, Zephyrus aprovecha todos los campos de Ethereum y el bytecode de los contratos inteligentes. En segundo lugar, Smart-Zephyrus complementa Zephyrus aprovechando los contratos inteligentes escritos en Solidity. Se evalúa, también, la viabilidad y el coste de ambos mecanismos. Los resultados muestran que Zephyrus, en el mejor de los casos, puede ocultar 40 Kbits en 0,57 s. por 1,64 US$, y recuperarlos en 2,8 s. Smart-Zephyrus, por su parte, es capaz de ocultar un secreto de 4 Kb en 41 s. Si bien es cierto que es caro (alrededor de 1,82 dólares por bit), el sigilo proporcionado podría valer la pena para los atacantes. Además, estos dos mecanismos pueden combinarse para aumentar la capacidad y reducir los costesPrograma de Doctorado en Ciencia y Tecnología Informática por la Universidad Carlos III de MadridPresidente: José Manuel Estévez Tapiador.- Secretario: Jorge Blasco Alís.- Vocal: Luis Hernández Encina

Exploring the use of conversational agents to improve cyber situational awareness in the Internet of Things (IoT).

The Internet of Things (IoT) is an emerging paradigm, which aims to extend the power of the Internet beyond computers and smartphones to a vast and growing range of "things" - devices, processes and environments. The result is an interconnected world where humans and devices interact with each other, establishing a smart environment for the continuous exchange of information and services. Billions of everyday devices such as home appliances, surveillance cameras, wearables and doorbells, enriched with computational and networking capabilities, have already been connected to the Internet. However, as the IoT has grown, the demand for low-cost, easy-to-deploy devices has also increased, leading to the production of millions of insecure Internet-connected smart devices. Many of these devices can be easily exploited and leveraged to perform large-scale attacks on the Internet, such as the recently witnessed botnet attacks. Since these attacks often target consumer-level products, which commonly lack a screen or user interface, it can be difficult for users to identify signs of infection and be aware of devices that have been compromised. This thesis presents four studies which collectively explored how user awareness of threats in consumer IoT networks could be improved. Maintaining situational awareness of what is happening within a home network is challenging, not least because malicious activity often occurs in devices which are not easily monitored. This thesis evaluated the effectiveness of conversational agents to improve Cyber Situational Awareness. In doing so, it presented the first study to investigate their ability to help users improve their perception of smart device activity, comprehend this in the context of their home environment, and project this knowledge to determine if a threat had occurred or may occur in the future. The research demonstrated how a BLSTMRNN with word embedding could be used to extract semantic meaning from packets to perform deep packet inspection and detect IoT botnet activity. Specifically, how the models use of contextual information from both the past and future enabled better predictions to be made about the current state (packet) due to the sequential nature of the network traffic. In addition, a cross-sectional study examined users' awareness and perception of threats and found that, although users value security and privacy, they found it difficult to identify threats and infected devices. Finally, novel cross-sectional and longitudinal studies evaluated the use of conversational agents, and demonstrated them to be an effective and efficient method of improving Cyber Situational Awareness. In particular, this was shown to be true when using a multi-modal approach and combining aural, verbal and visual modalities

Early and often: Can real-time intervention by trusted authorities help stop a tsunami of disinformation?

A tsunami of disinformation is washing over the world, with social media helping it to spread quickly and widely. The purveyors of disinformation use it to press their agenda by adding untruths where previously there were none, fabricating stories, reporting them out of context, or doctoring images to promote their message. In the past, disinformation has been a prelude to and run concurrently with other attacks, including cyber and conventional warfare, and when officials reacted to disinformation, they successfully slowed its flow but did not entirely stop it, and may not have “won” cyber or conventional battles. Researchers say even multiple corrections don’t fully stop disinformation, and sowing skepticism by forewarning of a probable disinformation campaign is the most successful way of staunching the flow. Tools have been developed to help detect disinformation rapidly but officials often don’t have a plan to track, correct or refute it

Security and Trust in Safety Critical Infrastructures

Critical infrastructures such as road vehicles and railways are undergoing a major change, which increases the dependency of their operation and control on Information Technology (IT) and makes them more vulnerable to malicious intent. New complex communication infrastructures emerge using the increased connectivity of these safety-critical systems to enable efficient management of operational processes, service provisioning, and information exchange for various (third-party) actors. Railway Command and Control Systems (CCSs) turn with the introduction of digital interlocking into an “Internet of Railway Things”, where safety-critical railway signaling components are deployed on common-purpose platforms and connected via standard IP-based networks. Similarly, the mass adoption of Electric Vehicles (EVs) and the need to supply their batteries with energy for charging has given rise to a Vehicle-to-Grid (V2G) infrastructure, which connects vehicles to power grids and multiple service providers to coordinate charging and discharging processes and maintain grid stability under varying power demands. The Plug-and-Charge feature brought in by the V2G communication standard ISO 15118 allows an EV to access charging and value-added services, negotiate charging schedules, and support the grid as a distributed energy resource in a largely automated way, by leveraging identity credentials installed in the vehicle for authentication and payment. The fast deployment of this advanced functionality is driven by economical and political decisions including the EU Green Deal for climate neutrality. Due to the complex requirements and long standardization and development cycles, the standards and regulations, which play the key role in operating and protecting critical infrastructures, are under pressure to enable the timely and cost-effective adoption. In this thesis, we investigate security and safety of future V2G and railway command and control systems with respect to secure communication, platform assurance as well as safety and security co-engineering. One of the major goals in this context is the continuous collaboration and establishment of the proposed security solutions in upcoming domain-specific standards, thus ensuring their practical applicability and prompt implementation in real-world products. We first analyze the security of V2G communication protocols and requirements for secure service provisioning via charging connections. We propose a new Plug-and-Patch protocol that enables secure update of EVs as a value-added service integrated into the V2G charging loop. Since EVs can also participate in energy trading by storing and feeding previously stored energy to grid, home, or other vehicles, we then investigate fraud detection methods that can be employed to identify manipulations and misbehaving users. In order to provide a strong security foundation for V2G communications, we propose and analyze three security architectures employing a hardware trust anchor to enable trust establishment in V2G communications. We integrate these architectures into standard V2G protocols for load management, e-mobility services and value-added services in the V2G infrastructure, and evaluate the associated performance and security trade-offs. The final aspect of this work is safety and security co-engineering, i.e., integration of safety and security processes vital for the adequate protection of connected safety-critical systems. We consider two application scenarios, Electric Vehicle Charging System (EVCS) and Object Controller (OC) in railway CCS, and investigate how security methods like trusted computing can be applied to provide both required safety and security properties. In the case of EVCS, we bind the trust boundary for safety functionality (certified configuration) to the trust boundary in the security domain and design a new security architecture that enforces safety properties via security assertions. For the railway use case, we focus on ensuring non-interference (separation) between these two domains and develop a security architecture that allows secure co-existence of applications with different criticality on the same hardware platform. The proposed solutions have been presented to the committee ISO/TC 22/SC 31/JWG 1 that develops the ISO 15118 standard series and to the DKE working group “Informationssicherheit für Elektromobilität” responsible for the respective application guidelines. Our security extension has been integrated in the newest edition ISO 15118-20 released in April 2022. Several manufacturers have already started concept validation for their future products using our results. In this way, the presented analyses and techniques are fundamental contributions in improving the state of security for e-mobility and railway applications, and the overall resilience of safety-critical infrastructures to malicious attacks