
    ENDPOINT DEFENSE AS CODE (EDAC): CONFIGURABLE CONTEXTUAL ANALYSIS OF PROCESS BEHAVIORS FROM KERNEL/USER EVENT TRACING

    The current industry standard to detect cyber threat activity on endpoints (workstations, servers, etc.) centers around the use of endpoint defense software. The software products marketed are Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), and eXtended Detection and Response (XDR) solutions. These solutions are typically deployed onto endpoints across enterprises and monitor various aspects of each operating system for malicious activity. Current generations of these three solutions have similar underlying software architectures, user workflows, and detection capabilities. These solutions also have a number of issues that inadvertently allow advanced cyber threat actors to succeed in their operations, such as lack of resilience to intentional evasions against critical software components, lack of resilience against user configuration errors, low detection rates of atomic techniques, low configurability for process-level behaviors, and semantically inappropriate alert messages. As proven in prior research and research that the author is conducting concurrently alongside this research, these issues can be capitalized on by knowledgeable and observant attackers to enable their technique chains to succeed undetected. Through years of professional experience deploying, testing, and evaluating various commercial endpoint solutions in various system architectures (commercial enterprise systems, government systems, disconnected/air-gapped systems, etc.), the author has learned that many commercial endpoint defense technologies are designed to make decisions for the operators on what activity is benign and what activity is malicious, without giving operators the ability to change this decision making. Vendors of these solutions add to this by illustrating a measure of trust in the solution's efficacy by releasing their detection statistics of known Indicators of Compromise (IOCs). These IOCs may or may not be used by attackers in the future as new attack techniques are developed. This creates a detection gap between known techniques that can be detected, and actual techniques that are being executed. In addition to this, the author has observed in organizations across many industries a level of indiscriminate trust in commercial endpoint solutions. Many organizations fully trust endpoint solutions to be the sole defense mechanism on an endpoint without fully testing the solution for resiliency or detection gaps. All of these facts and circumstances create gaps, inconsistencies, and avenues for highly observant cyber attackers to maneuver in and out of systems undetected. This document illustrates all of the research that has been completed as part of this dissertation to solve the identified issues with current-generation endpoint defense solutions. The overarching approach to solving the identified problems was to use the Design Science Research (DSR) methodology to develop a software artifact that is sufficiently different and more impactful than existing solutions, and test the designed artifact against real-world attack technique stimulus to prove its validity and usefulness within real-world system architectures. The developed artifact gives operators the flexibility to define attack technique behaviors of interest through a custom developed configuration syntax and utilizes Event Tracing for Windows (ETW) telemetry emanating from the Windows operating system in a unique way to detect the defined attack behaviors. Validation experiments on the developed artifact proved that the artifact, along with the user-defined configuration file, successfully detected 36/48 of the chosen atomic attack technique stimuli. The results represent a significantly broad coverage of detection that current-generation endpoint solutions fail to accomplish, thereby illustrating the need to incorporate the developed artifact into real-world environments to combat cyber-attack activity.

    A Single P-loop Glutamate Point Mutation to either Lysine or Arginine Switches the Cation–Anion Selectivity of the CNGA2 Channel

    Cyclic nucleotide-gated (CNG) channels play a critical role in olfactory and visual transduction. Site-directed mutagenesis and inside-out patch-clamp recordings were used to investigate ion permeation and selectivity in two mutant homomeric rat olfactory CNGA2 channels expressed in HEK293 cells. A single point mutation of the negatively charged pore loop (P-loop) glutamate (E342) to either a positively charged lysine or arginine resulted in functional channels, which consistently responded to cGMP, although the currents were generally extremely small. The concentration–response curve of the lysine mutant channel was very similar to that of wild-type (WT) channels, suggesting no major structural alteration to the mutant channels. Reversal potential measurements, during cytoplasmic NaCl dilutions, showed that the lysine and the arginine mutations switched the selectivity of the channel from cations (PCl/PNa = 0.07 [WT]) to anions (PCl/PNa = 14 [Lys] or 10 [Arg]). Relative anion permeability sequences for the two mutant channels, measured with bi-ionic substitutions, were NO3− > I− > Br− > Cl− > F− > acetate−, the same as those obtained for anion-selective GABA and glycine channels. The mutant channels also seem to have an extremely small single-channel conductance, measured using noise analysis, of about 1–2 pS, compared to a WT value of about 29 pS. The results showed that it is predominantly the charge of the E342 residue in the P-loop, rather than the pore helix dipoles, which controls the cation–anion selectivity of this channel. However, the outward rectification displayed by both mutant channels in symmetrical NaCl solutions suggests that the negative ends of the pore helix dipoles may play a role in reducing the outward movement of Cl− ions through these anion-selective channels. These results have potential implications for the determinants of anion–cation selectivity in the large family of P-loop–containing channels.

    Minimally Invasive Mitral Valve Surgery I: Patient Selection, Evaluation, and Planning.

    Widespread adoption of minimally invasive mitral valve repair and replacement may be fostered by practice consensus and standardization. This expert opinion, first of a 3-part series, outlines current best practices in patient evaluation and selection for minimally invasive mitral valve procedures, and discusses preoperative planning for cannulation and myocardial protection.

    The dependence of galaxy group star formation rates and metallicities on large scale environment

    We construct a sample of 75,863 star forming galaxies with robust metallicity and star formation rate measurements from the Sloan Digital Sky Survey Data Release 7 (SDSS DR7), from which we select a clean sample of compact group (CG) galaxies. The CGs are defined to be close configurations of at least 4 galaxies that are otherwise apparently isolated. Our selection results in a sample of 112 spectroscopically identified compact group galaxies, which can be further divided into groups that are either embedded within a larger structure, such as a cluster or large group, or truly isolated systems. The compact groups then serve as a probe into the influence of large scale environment on a galaxy's evolution, while keeping the local density fixed at high values. We find that the star formation rates (SFRs) of star forming galaxies in compact groups are significantly different between isolated and embedded systems. Galaxies in isolated systems show significantly enhanced SFR, relative to a control sample matched in mass and redshift, a trend not seen in the embedded systems. Galaxies in isolated systems exhibit a median SFR enhancement at fixed stellar mass of +0.07 \pm 0.03 dex. These dependences on large scale environment are small in magnitude relative to the apparent influence of local scale effects found in previous studies, but the significance of the difference in SFRs between our two samples constrains the effect of large scale environment to be non-zero. We find no significant change in the gas-phase interstellar metallicity for either the isolated or embedded compact group sample relative to their controls. However, simulated samples that include artificial offsets indicate that we are only sensitive to metallicity changes of log O/H > 0.13 dex (at 99% confidence), which is considerably larger than the typical metallicity differences seen in previous environmental studies. Comment: Accepted for publication in MNRAS. 16 pages, 9 figures.

    Reduced blood flow through intrapulmonary arteriovenous anastomoses at rest and during exercise in lowlanders during acclimatization to high altitude

    Blood flow through intrapulmonary arteriovenous anastomoses (QIPAVA) is elevated during exercise at sea level (SL) and at rest in acute normobaric hypoxia. Following high altitude (HA) acclimatization, resting QIPAVA is similar to SL, but it is unknown if this is true during exercise at HA. We reasoned that exercise at HA (5,050 m) would exacerbate QIPAVA due to heightened pulmonary arterial pressure. Using a supine cycle ergometer, seven healthy adults free from intracardiac shunts underwent an incremental exercise test at SL (25, 50, 75% of SL VO2peak) and at HA (25, 50% of SL VO2peak). Echocardiography was used to determine cardiac output (Q) and pulmonary artery systolic pressure (PASP), and agitated saline contrast was used to determine QIPAVA (bubble score; 0-5). The principal findings were: (1) Q was similar at SL-rest (3.9 +/- 0.47 l min-1) compared with HA-rest (4.5 +/- 0.49 l min-1; P = 0.382), but increased from rest during both SL and HA exercise (P < 0.001); (2) PASP increased from SL-rest (19.2 +/- 0.7 mmHg) to HA-rest (33.7 +/- 2.8 mmHg; P = 0.001) and, compared with SL, PASP was further elevated during HA exercise (P = 0.003); (3) QIPAVA was increased from SL-rest (0) to HA-rest (median = 1; P = 0.04) and increased from resting values during SL exercise (P < 0.05), but was unchanged during HA exercise (P = 0.91), despite significant increases in Q and PASP. Theoretical modeling of microbubble dissolution suggests that the lack of QIPAVA in response to exercise at HA is unlikely caused by saline contrast instability.

    Mode of action of DNA-competitive small molecule inhibitors of tyrosyl DNA phosphodiesterase 2

    TDP2 is a 5'-tyrosyl DNA phosphodiesterase important for the repair of DNA adducts generated by non-productive (abortive) activity of topoisomerase II. TDP2 facilitates therapeutic resistance to topoisomerase poisons, which are widely used in the treatment of a range of cancer types. Consequently, TDP2 is an interesting target for the development of small molecule inhibitors that could restore sensitivity to topoisomerase-directed therapies. Previous studies identified a class of deazaflavin-based molecules that showed inhibitory activity against TDP2 at therapeutically useful concentrations, but their mode of action was uncertain. We have confirmed that the deazaflavin series inhibits TDP2 enzyme activity in a fluorescence-based assay, suitable for HTS screening. We have gone on to determine crystal structures of these compounds bound to a 'humanised' form of murine TDP2. The structures reveal their novel mode of action as competitive ligands for the binding site of an incoming DNA substrate, and point the way to generating novel and potent inhibitors of TDP2.