OSTINATO: Cross-host Attack Correlation Through Attack Activity Similarity Detection
Modern attacks against enterprises often have multiple targets inside the
enterprise network. Due to the large size of these networks and increasingly
stealthy attacks, attacker activities spanning multiple hosts are extremely
difficult to correlate during a threat-hunting effort. In this paper, we
present a method for an efficient cross-host attack correlation across multiple
hosts. Unlike previous works, our approach does not require lateral movement
detection techniques or host-level modifications. Instead, our approach relies
on an observation that attackers have a few strategic mission objectives on
every host that they infiltrate, and there exist only a handful of techniques
for achieving those objectives. The central idea behind our approach involves
comparing (OS agnostic) activities on different hosts and correlating the hosts
that display the use of similar tactics, techniques, and procedures. We
implement our approach in a tool called Ostinato and successfully evaluate it
in threat hunting scenarios involving DARPA-led red team engagements spanning
500 hosts and in another multi-host attack scenario. Ostinato successfully
detected 21 additional compromised hosts, which the underlying host-based
detection system overlooked in activities spanning multiple days of the attack
campaign. Additionally, Ostinato successfully reduced alarms generated from the
underlying detection system by more than 90%, thus helping to mitigate the
threat alert fatigue problem.
Comment: 21 pages, 5 figures
Between Worlds: Securing Mixed JavaScript/ActionScript Multi-Party Web Content
Mixed Flash and JavaScript content has become increasingly prevalent; its purveyance of dynamic features unique to each platform has popularized it for myriad Web development projects. Although Flash and JavaScript security has been examined extensively, the security of untrusted content that combines both has received considerably less attention. This article considers this fusion in detail, outlining several practical scenarios that threaten the security of Web applications. The severity of these attacks warrants the development of new techniques that address the security of Flash-JavaScript content considered as a whole, in contrast to prior solutions that have examined Flash or JavaScript security individually. Toward this end, the article presents FlashJaX, a cross-platform solution that enforces fine-grained, history-based policies that span both Flash and JavaScript. Using in-lined reference monitoring, FlashJaX safely embeds untrusted JavaScript and Flash content in Web pages without modifying browser clients or using special plug-ins. The architecture of FlashJaX, its design and implementation, and a detailed security analysis are exposited. Experiments with advertisements from popular ad networks demonstrate that FlashJaX is transparent to policy-compliant advertisement content, yet blocks many common attack vectors that exploit the fusion of these Web platforms.
Leveraging Static Analysis Tools for Improving Usability of Memory Error Sanitization Compilers
Memory errors such as buffer overruns are notorious security vulnerabilities. There has been considerable interest in having a compiler ensure the safety of compiled code either through static verification or through instrumented runtime checks. While certifying compilation has shown much promise, it has not been practical, leaving code instrumentation as the next best strategy for compilation. We term such compilers Memory Error Sanitization Compilers (MESCs). MESCs are available as part of the GCC, LLVM and MSVC suites. Due to practical limitations, MESCs typically apply instrumentation indiscriminately to every memory access, and are consequently prohibitively expensive and practical only for small code bases. This work proposes a methodology that applies state-of-the-art static analysis techniques to eliminate unnecessary runtime checks, resulting in more efficient and scalable defenses. The methodology was implemented on LLVM's SAFECode, Integer Overflow, and Address Sanitizer passes, using static analysis from Frama-C and CodeSurfer. The benchmarks demonstrate an improvement in runtime performance that makes incorporation of runtime checks a viable option for defenses.
Electronic sculpting of ligand-GPCR subtype selectivity: the case of angiotensin II
GPCR subtypes possess distinct functional and pharmacological profiles, and thus development of subtype-selective ligands has immense therapeutic potential. This is especially the case for the angiotensin receptor subtypes AT1R and AT2R, where a functional negative control has been described and AT2R activation highlighted as an important cancer drug target. We describe a strategy to fine-tune ligand selectivity for the AT2R/AT1R subtypes through electronic control of ligand aromatic-prolyl interactions. Through this strategy an AT2R high affinity (K_i = 3 nM) agonist analogue that exerted 18,000-fold higher selectivity for AT2R versus AT1R was obtained. We show that this compound is a negative regulator of AT1R signaling since it is able to inhibit MCF-7 breast carcinoma cellular proliferation in the low nanomolar range.