Similar documents
20 similar documents found (search time: 31 ms)
1.

The very raison d'être of cyber threat intelligence (CTI) is to provide meaningful knowledge about cyber security threats. The exchange and collaborative generation of CTI through sharing platforms has proven to be an important aspect of its practical application. It follows that inaccurate, incomplete, or outdated threat intelligence is a major problem, as only high-quality CTI can help to detect and defend against cyber attacks. Additionally, while the amount of available CTI is increasing, there is no guarantee that its quality remains unaffected. Given the growing volume of available CTI, it is thus in the best interest of every stakeholder to be aware of the quality of a CTI artifact. This allows for informed decisions and permits detailed analyses. Our work makes a twofold contribution to the challenge of assessing threat intelligence quality. We first propose a series of relevant quality dimensions and configure metrics to assess the respective dimensions in the context of CTI. In a second step, we showcase the extension of an existing CTI analysis tool to make the quality assessment transparent to security analysts. Furthermore, analysts' subjective perceptions are, where necessary, included in the quality assessment concept.
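The abstract names quality dimensions and metrics without showing what a metric over a CTI artifact looks like. The following is an added example, not code from the paper or its tool: it scores indicator records along three dimensions (completeness of required fields, timeliness as an exponential decay with age, and representational consistency of the value against its declared type) and ranks them by a weighted aggregate. The dimension set, the weights, the 30-day half-life and the indicator records are assumptions chosen for illustration.

```python
"""Scoring CTI indicators along quality dimensions.

Added example, not code from the paper. Dimension names, weights, the
30-day half-life and the indicator records below are assumptions chosen
for illustration.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ("type", "value", "first_seen", "source", "confidence")

# Weights are an assumption: timeliness dominates because stale IOCs
# cause the most false positives in detection pipelines.
WEIGHTS = {"completeness": 0.3, "timeliness": 0.4, "consistency": 0.3}


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


# Syntactic validators per indicator type (only these three types are handled).
VALIDATORS = {
    "ipv4": _is_ipv4,
    "sha256": lambda v: re.fullmatch(r"[0-9a-f]{64}", v.lower()) is not None,
    "domain": lambda v: re.fullmatch(
        r"(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}", v.lower()) is not None,
}


def completeness(indicator):
    """Fraction of REQUIRED_FIELDS present with a non-empty value."""
    present = sum(1 for f in REQUIRED_FIELDS if indicator.get(f) not in (None, ""))
    return present / len(REQUIRED_FIELDS)


def timeliness(indicator, now, half_life=timedelta(days=30)):
    """Exponential decay with age: 1.0 when seen now, 0.5 after one half-life."""
    seen = indicator.get("last_seen") or indicator.get("first_seen")
    if seen is None:
        return 0.0
    age = max(now - seen, timedelta(0))
    return 0.5 ** (age / half_life)


def consistency(indicator):
    """1.0 if the value is syntactically valid for its declared type, else 0.0."""
    check = VALIDATORS.get(indicator.get("type"))
    if check is None or not indicator.get("value"):
        return 0.0
    return 1.0 if check(indicator["value"]) else 0.0


def quality(indicator, now):
    """Per-dimension scores plus a weighted aggregate in [0, 1]."""
    dims = {
        "completeness": completeness(indicator),
        "timeliness": timeliness(indicator, now),
        "consistency": consistency(indicator),
    }
    dims["score"] = sum(WEIGHTS[k] * dims[k] for k in WEIGHTS)
    return dims


def rank(indicators, now):
    """Indicators ordered from highest to lowest aggregate quality."""
    return sorted(indicators, key=lambda i: quality(i, now)["score"], reverse=True)


NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)

# Constructed sample artifacts (not real intelligence).
SAMPLE = [
    {"type": "ipv4", "value": "203.0.113.77", "first_seen": NOW - timedelta(days=1),
     "last_seen": NOW, "source": "feed-a", "confidence": 80},
    {"type": "sha256", "value": "deadbeef", "first_seen": NOW - timedelta(days=60),
     "source": "blog-post"},  # truncated hash, no confidence, two months old
    {"type": "domain", "value": "updates.badexample.net", "first_seen": NOW - timedelta(days=30),
     "source": "feed-b", "confidence": 60},
]

if __name__ == "__main__":
    for ind in rank(SAMPLE, NOW):
        print(ind["value"], quality(ind, NOW))
```

The truncated hash illustrates why syntactic consistency deserves its own dimension: a feed that ships it may be complete in every field and still useless to a detection engine. A subjective analyst rating, as the abstract suggests, would enter this scheme as one more weighted dimension.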


2.
ABSTRACT

Adversary threats to critical infrastructures have always existed during times of conflict, but threat scenarios now include peacetime attacks from anonymous computer hackers. Current events, including examples from Israel and Estonia, prove that a certain level of real-world disorder can be achieved from hostile data packets alone. The astonishing achievements of cyber crime and cyber espionage, to which law enforcement and counterintelligence have found little answer, hint that more serious cyber attacks on critical infrastructures are only a matter of time. Still, national security planners should address all threats with method and objectivity. As dependence on IT and the Internet grows, governments should make proportional investments in network security, incident response, technical training, and international collaboration.

3.
As the exposure of networks to cyber threats grows ever wider, developing new tools to improve cyber defense is a major challenge. The most important issue in cyber defense is the training of personnel skills, and cyber ranges serve this purpose: they provide virtual environments for training and adversarial competitions. This paper defines a customized network environment using the VDSL language and implements a framework that allows cyber range scenarios to be converted into Prism models. This enables quantitative analysis of training and competition results and continuous optimization of the framework.

4.

Smart grids (SG) draw the attention of cyber attackers due to their vulnerabilities, which are caused by the usage of heterogeneous communication technologies and their distributed nature. While preventing or detecting cyber attacks is a well-studied field of research, making SG more resilient against such threats is a challenging task. This paper provides a classification of the proposed cyber resilience methods against cyber attacks for SG. This classification includes a set of studies that propose cyber-resilient approaches to protect SG and related cyber-physical systems against unforeseen anomalies or deliberate attacks. Each study is briefly analyzed and is associated with the proper cyber resilience technique which is given by the National Institute of Standards and Technology in the Special Publication 800-160. These techniques are also linked to the different states of the typical resilience curve. Consequently, this paper highlights the most critical challenges for achieving cyber resilience, reveals significant cyber resilience aspects that have not been sufficiently considered yet and, finally, proposes scientific areas that should be further researched in order to enhance the cyber resilience of SG.


6.
Abstract

Performative hactivism is the use of the Internet to express extreme political dissent online. It differs from cyber harassment in that performative hactivism is politically motivated. We found that there are contagion and other social effects among hactivists and that hactivism exhibits feature patterns that define its practitioners as subcultures. To conduct our research, we created a provocative Website and blog and then promoted it on the Internet. Using sentiment analyses and logistic regression, we identified features associated with performative hactivism. We then studied the blog remarks and used Website analytics to gain a better understanding of the implications for business security. The results from this work should help business and information security researchers (especially in social engineering), as well as business practice managers, strategists, and security analysts, to predict the lifecycles and impacts of hactivism on their operations and assist them in the creation of interventions.

7.
ABSTRACT

Terrorist cyber attacks on Critical National Information Infrastructure are possible where motives, resources, and willingness to conduct operations against specific targets influence people to take such actions. However, there is no universally accepted definition of cyber terrorism, which seems to be a fundamental challenge in countering cyber terrorism threats. A schematic study was conducted to discover the various definitions of related terms used in this area. Although many policy makers and scholars have studied and defined the concept of cyber terrorism, some of the definitions are static and some are fragmented. Thus, this research explores the components that constitute cyber terrorism, supported by systematic validation and an appropriate evaluation mechanism for the proposed components. The paper argues that the nature of cyber terrorism should be formulated from six perspectives: motivation, target, tools of attack, domain, method of action, and impact. According to our observations, there are both similarities and differences in views regarding the proposed cyber terrorism conceptual framework.

8.
ABSTRACT

Among the many existing security threats, clickjacking attacks are among the least understood and one of the most common emerging security threats on the Web. A clickjacking attack lures users into clicking on objects transparently placed in malicious Web pages, which may lead to unwanted operations on legitimate Websites without the users' knowledge. In particular, victims can be tricked into clicking on objects from various Websites such as social networks (Facebook, Twitter), shopping (Amazon), and online banking. Therefore, clickjacking attacks need to be addressed to mitigate these unwanted consequences. To combat clickjacking attacks, it is necessary to understand how they occur in the real world, along with the comparative performance of the state-of-the-art solutions.

In this article, we discuss various basic and advanced clickjacking attacks. We then discuss a number of client, server, and proxy-level approaches that can be employed to combat clickjacking attacks. We also highlight the advantages and disadvantages along with attack type coverage information. The findings should enable security practitioners to be aware of the most recent developments in this area and choose the appropriate defense mechanism based on their needs.
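The server-level defenses the abstract refers to are, in practice, two response headers: the CSP3 `frame-ancestors` directive and the legacy `X-Frame-Options` header. The check below is an added example, not code from the article, of the kind of evaluation a scanner or a proxy performs on a captured response: given the headers and the origin of the top-level document, decide whether a standards-following browser would render the page in a frame. It encodes the precedence rule that matters most in reviews (`frame-ancestors`, when present, makes the browser ignore `X-Frame-Options` entirely) and the fact that a `Content-Security-Policy-Report-Only` header never blocks anything. Two simplifications are assumptions: only the top-level ancestor is checked, whereas browsers check every ancestor in the chain, and the deprecated `ALLOW-FROM` form is treated as if the header were absent. The header sets are constructed.

```python
"""Does a browser render page_url inside a frame whose top-level document is
top_url?  Added example (not the article's code) that applies the CSP3
frame-ancestors directive and the legacy X-Frame-Options header to a
captured response header set.  Simplifications that are assumptions here:
only the top-level ancestor is checked (browsers check every ancestor),
and the deprecated ALLOW-FROM form of X-Frame-Options is treated as absent.
"""
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) with the default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORT.get(scheme)


def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if absent.
    An empty source list matches nothing, i.e. behaves like 'none'."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]] or ["'none'"]
    return None


def source_matches(src, top, page):
    """Match one CSP source expression against the top-level origin."""
    scheme, host, port = top
    if src == "'none'":
        return False
    if src == "'self'":
        return top == page
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:     # scheme-source, e.g. "https:"
        return scheme == src[:-1]
    if "://" in src:                                # host-source with explicit scheme
        src_scheme, rest = src.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        rest = src
    host_pat, _, port_pat = rest.partition(":")
    if port_pat and port_pat != "*" and port_pat != str(port):
        return False
    if host_pat.startswith("*."):
        return host.endswith(host_pat[1:])          # *.example.com matches a.example.com
    return host == host_pat


def framing_allowed(headers, top_url, page_url):
    """True if the response for page_url may be framed by a document at top_url."""
    h = {k.lower(): v for k, v in headers.items()}
    top, page = origin(top_url), origin(page_url)
    # CSP frame-ancestors takes precedence; X-Frame-Options is ignored when it is present.
    # Content-Security-Policy-Report-Only never blocks, so it is deliberately not read.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        return any(source_matches(s, top, page) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return top == page
    return True


# Constructed responses (no real site): the first two are defended, the third is not.
CASES = {
    "legacy-only": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-partner": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
                    "X-Frame-Options": "DENY"},   # CSP wins, so DENY does not block the partner
    "undefended": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
}

if __name__ == "__main__":
    for name, hdrs in CASES.items():
        for top in ("https://bank.example", "https://app.partner.example", "https://evil.example"):
            print(f"{name:12} framed by {top:28} -> {framing_allowed(hdrs, top, 'https://bank.example/transfer')}")
```

A `frame-ancestors` policy delivered in a `<meta>` tag is ignored by browsers, so only the HTTP header counts; the same goes for client-side frame-busting scripts, which the article's client-level discussion covers and which a framing page can neutralise with the `sandbox` attribute. The header check above is therefore the one a practitioner should run first.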

9.
Indicators of compromise (IOCs), as behavioral characteristics of cyber threats, can be organized according to standards and deployed in security systems to defend against attacks. Blogs are an important source of cyber threat intelligence, and collecting IOCs from them promptly enables a rapid response to new security threats, but reading blogs and extracting IOCs manually is time-consuming and labor-intensive, so a method for automatically extracting IOCs from cyber security blogs is urgently needed. To this end, this paper proposes an automatic IOC extraction ... for cyber security blogs
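The abstract is cut off before it describes its method, so what follows is an added example of the problem rather than the paper's approach: a regex-based extractor that handles the defanging conventions blog authors use (`hxxp://`, `[.]`, `(dot)`, `[@]`), refangs the hits into machine-usable form, and applies the two filters that remove most of the noise from this kind of source (version numbers that look like IPv4 addresses, and RFC 1918 or loopback addresses that describe the victim rather than the attacker). The patterns, the small TLD allow-list, the noise networks and the sample post are constructed assumptions; a production extractor would use the public suffix list and `ipaddress`'s `is_global` check instead of the hard-coded lists.

```python
"""Extracting defanged IOCs from blog text.

Added example, not the paper's method. The patterns, the small TLD
allow-list, the noise filters and the sample post are constructed
assumptions; a production extractor would use the public suffix list and
ipaddress's is_global check instead of the hard-coded lists below.
"""
import ipaddress
import re

# Ways blog authors defang a dot so that readers do not click through.
DOT = r"(?:\.|\[\.\]|\(\.\)|\[dot\]|\(dot\))"

URL_RE = re.compile(r"\bh(?:xx|tt)ps?(?:://|\[:\]//|\[://\])[^\s\"'<>]+", re.I)
EMAIL_RE = re.compile(rf"\b[\w.+-]+(?:@|\[@\]|\[at\]|\(at\))(?:[\w-]+{DOT})+[a-z]{{2,}}\b", re.I)
HASH_RE = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
IPV4_RE = re.compile(rf"(?<![\w.])(?:\d{{1,3}}{DOT}){{3}}\d{{1,3}}(?![\w.])")
DOMAIN_RE = re.compile(rf"\b(?:[a-z0-9-]+{DOT})+[a-z]{{2,}}\b", re.I)

TLDS = {"com", "net", "org", "io", "ru", "top", "xyz", "info"}   # assumption: toy allow-list
NOISE_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]


def refang(s):
    """Undo the common defanging conventions so the IOC is machine-usable."""
    s = re.sub(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", ".", s, flags=re.I)
    s = re.sub(r"\[@\]|\[at\]|\(at\)", "@", s, flags=re.I)
    s = re.sub(r"\[:\]//|\[://\]", "://", s)
    s = re.sub(r"\bhxxp(s?)://", r"http\1://", s, flags=re.I)
    return s


def _take(pattern, text):
    """Collect matches and blank them out so later, looser patterns cannot re-match them."""
    found = []

    def blank(m):
        found.append(m.group(0))
        return " " * len(m.group(0))

    return found, pattern.sub(blank, text)


def extract_iocs(text):
    """Return {"url", "email", "hash", "ipv4", "domain"} -> set of refanged values."""
    out = {"url": set(), "email": set(), "hash": set(), "ipv4": set(), "domain": set()}
    urls, text = _take(URL_RE, text)
    out["url"] = {refang(u).rstrip(".,;)") for u in urls}
    emails, text = _take(EMAIL_RE, text)
    out["email"] = {refang(e).lower() for e in emails}
    hashes, text = _take(HASH_RE, text)
    out["hash"] = {h.lower() for h in hashes}
    for m in IPV4_RE.finditer(text):
        # "version 2.4.1.1" is the classic false positive for IPv4 patterns.
        before = text[max(0, m.start() - 12):m.start()].rstrip().lower()
        if before.endswith("version"):
            continue
        try:
            addr = ipaddress.IPv4Address(refang(m.group(0)))
        except ipaddress.AddressValueError:
            continue
        if any(addr in net for net in NOISE_NETS):
            continue      # RFC 1918 / loopback addresses describe the victim, not the attacker
        out["ipv4"].add(str(addr))
    _, text = _take(IPV4_RE, text)
    for m in DOMAIN_RE.finditer(text):
        d = refang(m.group(0)).lower()
        if d.rsplit(".", 1)[-1] in TLDS:
            out["domain"].add(d)
    return out


# Constructed blog excerpt; every address is from documentation ranges.
SAMPLE_POST = """
The dropper was hosted at hxxp://cdn-update[.]example-files[.]com/payload.bin and
beacons to 203[.]0[.]113[.]77 over TCP/443. A second stage is pulled from
files(.)badexample[.]net. The loader (md5 d41d8cd98f00b204e9800998ecf8427e)
contacts 10.0.0.5 on the victim LAN; operators mailed lures from
billing[@]badexample[.]net. The affected client version 2.4.1.1 was vulnerable.
"""

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_POST).items():
        print(kind, sorted(values))
```

The order of extraction matters: URLs are taken first and blanked, so the host inside the URL is not reported a second time as a bare domain, and e-mail addresses are taken before domains for the same reason. Any regex approach still needs the context-aware step the abstract alludes to, because a file name such as `update.com` or a sentence like "see 1.2.3.4 below" is indistinguishable from an indicator at the token level.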

10.
Defenses against existing botnets have achieved considerable success, but botnets keep evolving, particularly against the background of advancing tri-network convergence (telecommunications, broadcasting and Internet), which poses new challenges for defenders. It is therefore necessary to predict future botnets in order to respond to them in time. This paper proposes a multi-role P2P botnet model based on a redundancy mechanism (MRRbot). The model introduces hollow-shell bot terminals that can largely verify the software and hardware environment of a bot, increasing its credibility and targeting; it adopts an information redundancy mechanism and a serving-bot selection algorithm so that bots can reach serving bots in a balanced and efficient manner, improving the robustness and survivability of the command-and-control channel. The controllability, timeliness, and survivability of MRRbot are analyzed theoretically and evaluated experimentally, and its robustness is compared with previous work. The results show that MRRbot can distribute commands efficiently and resist defenses effectively, and is therefore more threatening. Possible defense strategies are discussed, and a defense architecture based on volunteer networks is proposed.

11.
Almost everyone recognizes the salience of cyberspace as a fact of daily life. Given its ubiquity, scale, and scope, cyberspace has become a fundamental feature of the world we live in and has created a new reality for almost everyone in the developed world and increasingly for people in the developing world. This paper seeks to provide an initial baseline for representing and tracking institutional responses to a rapidly changing international landscape, real as well as virtual. We shall argue that the current institutional landscape managing security issues in the cyber domain has developed in major ways, but that it is still "under construction." We also expect institutions for cyber security to support and reinforce the contributions of information technology to the development process. We begin with (a) highlights of international institutional theory and an empirical "census" of the institutions-in-place for cyber security, and then turn to (b) key imperatives of information technology-development linkages and the various cyber processes that enhance developmental processes, (c) major institutional responses to cyber threats and cyber crime as well as select international and national policy postures so critical for industrial countries and increasingly for developing states as well, and (d) the salience of new mechanisms designed specifically in response to cyber threats.

12.
ABSTRACT

With a simple model originating from mathematical biology, the dependencies for the number of infected computers are identified. The actions in the battle between cyber attack and cyber defense are linked to these dependencies. The article shows that using statistics directly to quantify the effect of security measures is difficult. The security effect is calculated for a periodic reset of all software and software compartments. Software diversity needs coordination above the level of individual organizations. Looking at the big picture, more countermeasures are proposed to improve security against malware in general.

13.
James Bone, EDPACS, 2016, 54(5):1-11
Cyber risk professionals face a formidable challenge in keeping pace with the asymmetric nature of today's advanced threats in cyber security. Spending on cyber security has skyrocketed, yet the threat continues to grow exponentially. This phenomenon is called the Cyber Paradox and describes what has become an entrenched battle for security professionals in defending against an increasingly sophisticated adversary that, to date, has adapted faster than the defensive measures meant to prevent loss of data or access to sensitive information. Conventional security defenses have proven less than effective, resulting in a virtual "Maginot's Line" of increased fortification by hardening the enterprise, yet leaving the organization more vulnerable with respect to its actual goal of defending against cyber threats ("Maginot's Line", n.d.). This article reviews the causes of these misperceptions in security defense and explores research in decision science, intelligence and security informatics, machine learning, and the role of simplicity in shaping a cognitive risk framework. The findings conclude that the human-machine interaction is the greatest threat in cyber space, yet very few, if any, security professionals are well versed in strategies to close this gap. The purpose of this article is to bring to light evolving new strategies with promising success and to reveal a few surprises in how simplicity is an under-appreciated strategy in cyber security. The complete text of "Cognitive Hack: The New Battleground in Cybersecurity … the Human Mind" is available here: https://www.crcpress.com/Cognitive-Hack-The-New-Battleground-in-Cybersecurity--the-Human-Mind/Bone/p/book/9781498749817

14.
Modern movement tracking technologies enable acquisition of high quality data about movements of the players and the ball in the course of a football match. However, there is a big difference between the raw data and the insights into team behaviors that analysts would like to gain. To enable such insights, it is necessary first to establish relationships between the concepts characterizing behaviors and what can be extracted from data. This task is challenging since the concepts are not strictly defined. We propose a computational approach to detecting and quantifying the relationships of pressure emerging during a game. Pressure is exerted by defending players upon the ball and the opponents. Pressing behavior of a team consists of multiple instances of pressure exerted by the team members. The extracted pressure relationships can be analyzed in detailed and summarized forms with the use of static and dynamic visualizations and interactive query tools. To support examination of team tactics in different situations, we have designed and implemented a novel interactive visual tool, "time mask". It enables selection of multiple disjoint time intervals in which given conditions are fulfilled. Thus, it is possible to select game situations according to ball possession, ball distance to the goal, time that has passed since the last ball possession change or remaining time before the next change, density of players' positions, or various other conditions. In response to a query, the analyst receives visual and statistical summaries of the set of selected situations and can thus perform joint analysis of these situations. We give examples of applying the proposed combination of computational, visual, and interactive techniques to real data from games in the German Bundesliga, where the teams actively used pressing in their defense tactics.

15.
ABSTRACT

This paper presents a novel simulation for estimating the impact of cyber attacks. Current approaches have adopted probabilistic risk analysis in order to estimate the impact of attacks, mostly on assets or business processes. More recent approaches involve vulnerability analysis on networks of systems and sensor input from third-party detection tools in order to identify attack paths. All these methods focus on one level at a time, defining impact in terms of confidentiality, integrity, and availability, and fail to place people and technology together in an organization's functional context. We propose an interdependency impact assessment approach, focusing on the responsibilities and the dependencies that flow through the supply chain and mapping them down into an agent-based socio-technical model. This method is useful for modeling consequences across all levels of organizational networks: business processes, business roles, and systems. We aim to perform chaining analysis on threat scenarios and impact assessment, providing situational awareness for cyber defense purposes. Although the model has various applications, our case study focuses specifically on critical information infrastructures, due to the criticality of the systems and the fact that the area still lacks security-focused research and relies heavily on reliability theory and failure rates.

16.
Red teaming is the process of studying a problem by anticipating adversary behaviors. When done in simulations, the behavior space is divided into two groups: one controlled by the red team, which represents the set of adversary behaviors or bad guys, while the other is controlled by the blue team, which represents the set of defenders or good guys. Through red teaming, analysts can learn about the future by forward prediction of scenarios. More recently, defense has been looking at evolutionary computation methods in red teaming. The fitness function in these systems is highly stochastic, where a single configuration can result in multiple different outcomes. Operational, tactical and strategic decisions can be made based on the findings of the evolutionary method in use. Therefore, there is an urgent need for understanding the nature of these problems and the role of the stochastic fitness to gain insight into the possible performance of different methods. This paper presents a first attempt at characterizing the search space difficulties in red teaming to shed light on the expected performance of the evolutionary method in stochastic environments.

17.
Hospitals are complex environments that rely on clinicians working together to provide appropriate care to patients. These clinical teams adapt their interactions to meet changing situational needs. Venous thromboembolism (VTE) prophylaxis is a complex process that occurs throughout a patient’s hospitalisation, presenting five stages with different levels of complexity: admission, interruption, re-initiation, initiation, and transfer. The objective of our study is to understand how the VTE prophylaxis team adapts as the complexity in the process changes; we do this by using social network analysis (SNA) measures. We interviewed 45 clinicians representing 9 different cases, creating 43 role networks. The role networks were analysed using SNA measures to understand team changes between low and high complexity stages. When comparing low and high complexity stages, we found two team adaptation mechanisms: (1) relative increase in the number of people, team activities, and interactions within the team, or (2) relative increase in discussion among the team, reflected by an increase in reciprocity.

 

Practitioner Summary: The reason for this study was to quantify team adaptation to complexity in a process using social network analysis (SNA). The VTE prophylaxis team adapted to complexity by two different mechanisms, by increasing the roles, activities, and interactions among the team or by increasing the two-way communication and discussion throughout the team. We demonstrated the ability for SNA to identify adaptation within a team.


18.
The rapid growth in the number of devices and their connectivity has enlarged the attack surface and made cyber systems more vulnerable. As attackers become increasingly sophisticated and resourceful, mere reliance on traditional cyber protection, such as intrusion detection, firewalls, and encryption, is insufficient to secure cyber systems. Cyber resilience provides a new security paradigm that complements inadequate protection with resilience mechanisms. A Cyber-Resilient Mechanism (CRM) adapts to known or zero-day threats and uncertainties in real time and strategically responds to them to maintain the critical functions of the cyber systems in the event of successful attacks. Feedback architectures play a pivotal role in enabling the online sensing, reasoning, and actuation process of the CRM. Reinforcement Learning (RL) is an important family of algorithms that epitomize the feedback architectures for cyber resilience. It allows the CRM to provide dynamic and sequential responses to attacks with limited or no prior knowledge of the environment and the attacker. In this work, we review the literature on RL for cyber resilience and discuss cyber-resilient defenses against three major types of vulnerabilities, i.e., posture-related, information-related, and human-related vulnerabilities. We introduce moving target defense, defensive cyber deception, and assistive human security technologies as three application domains of CRMs to elaborate on their designs. The RL algorithms also have vulnerabilities themselves. We explain the major vulnerabilities of RL and develop several attack models in which the attacker targets the information exchanged between the environment and the agent: the rewards, the state observations, and the action commands. We show that the attacker can trick the RL agent into learning a nefarious policy with minimal attacking effort.
The paper introduces several defense methods to secure RL-enabled systems against these attacks. However, there is still a lack of work that focuses on defensive mechanisms for RL-enabled systems. Last but not least, we discuss the future challenges of RL for cyber security and resilience and emerging applications of RL-based CRMs.

19.
This paper examines the behavioral patterns of fast-flux botnets for threat intelligence. The Threat Intelligence infrastructure, which we have specifically developed for fast-flux botnet detection and monitoring, enables this analysis. Cyber criminals and attackers use botnets to conduct a wide range of operations including spam campaigns, phishing scams, malware delivery, denial of service attacks, and click fraud. The most advanced botnet operators use fast-flux infrastructure and DNS record manipulation techniques to make their networks more stealthy, scalable, and resilient. Our analysis shows that such networks share common lifecycle characteristics, and form clusters based on size, growth and type of malicious behavior. We introduce a social network connectivity metric, and show that command-and-control and malware-delivery botnets have similar scores under this metric, as do spam and phishing botnets. We describe how a Guilt-by-Association approach and the connectivity metric can be used to predict membership in particular botnet families. Finally, we discuss the intelligence utility of fast-flux botnet behavior analysis as a cyber defense tool against advanced persistent threats.
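The abstract names three ingredients (lifecycle features of a fast-flux domain, a connectivity metric over shared infrastructure, and guilt-by-association labelling) without showing how they are computed from DNS observations. The block below is an added example, not the paper's system, that computes each of them over a constructed set of resolutions. The features are distinct A records, distinct /24 prefixes as a crude stand-in for hosting diversity (the paper's infrastructure presumably has ASN data; that is an assumption here), mean TTL, and churn between consecutive lookups; the connectivity metric is the degree of a domain in the graph whose edges join domains that resolved to a common IP; guilt-by-association is the malicious fraction of a domain's labelled neighbours. The thresholds, the observations and the ground-truth labels are all constructed, and the CDN entry is there to show why prefix diversity and churn, not TTL alone, separate flux networks from legitimate low-TTL services.

```python
"""Fast-flux features and guilt-by-association over shared IP infrastructure.

Added example, not the paper's system. The DNS observations, thresholds,
the /24 prefix used as a crude proxy for hosting diversity, and the labels
are constructed assumptions.
"""
from collections import defaultdict

# One entry per resolution: when it was made, the answer TTL and the A records.
# All addresses are from documentation ranges (constructed data).
OBSERVATIONS = {
    "flux-a.example": [
        {"ts": 0,   "ttl": 60, "ips": ["203.0.113.5", "198.51.100.9", "192.0.2.14", "203.0.113.77", "198.51.100.30"]},
        {"ts": 60,  "ttl": 60, "ips": ["203.0.113.5", "192.0.2.99", "198.51.100.30", "192.0.2.14", "203.0.113.120"]},
        {"ts": 120, "ttl": 60, "ips": ["198.51.100.9", "192.0.2.99", "203.0.113.120", "203.0.113.200", "198.51.100.61"]},
    ],
    "flux-b.example": [
        {"ts": 0,   "ttl": 120, "ips": ["203.0.113.77", "198.51.100.61", "192.0.2.99"]},
        {"ts": 300, "ttl": 120, "ips": ["203.0.113.200", "192.0.2.99", "198.51.100.9"]},
    ],
    "cdn.example": [   # low TTL and many records, but a single prefix and no churn
        {"ts": 0,  "ttl": 30, "ips": ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"]},
        {"ts": 60, "ttl": 30, "ips": ["203.0.113.10", "203.0.113.11", "203.0.113.12", "203.0.113.13", "203.0.113.14"]},
    ],
    "static.example": [
        {"ts": 0,    "ttl": 3600, "ips": ["192.0.2.1"]},
        {"ts": 3600, "ttl": 3600, "ips": ["192.0.2.1"]},
    ],
}
LABELS = {"flux-a.example": "malicious", "cdn.example": "benign"}   # ground truth we happen to know


def prefix24(ip):
    return ip.rsplit(".", 1)[0]


def flux_features(observations):
    """Lifecycle features of one domain: distinct IPs, distinct /24s, mean TTL,
    and churn = number of previously unseen IPs appearing between consecutive lookups."""
    ips, prefixes, ttls, churn, prev = set(), set(), [], 0, None
    for obs in sorted(observations, key=lambda o: o["ts"]):
        cur = set(obs["ips"])
        if prev is not None:
            churn += len(cur - prev)
        ips |= cur
        prefixes |= {prefix24(ip) for ip in cur}
        ttls.append(obs["ttl"])
        prev = cur
    return {"n_ips": len(ips), "n_prefixes": len(prefixes),
            "mean_ttl": sum(ttls) / len(ttls), "churn": churn}


def is_fast_flux(features, min_ips=5, max_ttl=300, min_prefixes=3):
    """Thresholds are assumptions; prefix diversity and churn are what separate
    flux networks from a CDN, which also answers with many low-TTL records."""
    return (features["n_ips"] >= min_ips and features["mean_ttl"] <= max_ttl
            and features["n_prefixes"] >= min_prefixes and features["churn"] > 0)


def shared_ip_graph(observations):
    """Domain -> set of other domains that resolved to at least one common IP."""
    owners = defaultdict(set)
    for domain, obs_list in observations.items():
        for obs in obs_list:
            for ip in obs["ips"]:
                owners[ip].add(domain)
    graph = {d: set() for d in observations}
    for doms in owners.values():
        for d in doms:
            graph[d] |= doms - {d}
    return graph


def connectivity(graph, domain):
    """Social-network style metric: how many other domains share infrastructure."""
    return len(graph[domain])


def guilt_by_association(graph, labels, domain):
    """Fraction of labelled neighbours that are malicious, or None if no labelled neighbour."""
    known = [labels[n] for n in graph[domain] if n in labels]
    if not known:
        return None
    return sum(1 for lab in known if lab == "malicious") / len(known)


if __name__ == "__main__":
    graph = shared_ip_graph(OBSERVATIONS)
    for domain, obs in OBSERVATIONS.items():
        f = flux_features(obs)
        print(domain, f, "fast-flux" if is_fast_flux(f) else "-", "degree", connectivity(graph, domain),
              "gba", guilt_by_association(graph, LABELS, domain))
```

Here `flux-b.example` is never labelled, but every one of its addresses was also served by `flux-a.example`, so guilt-by-association scores it 1.0; the CDN, which looks fluxy on TTL and record count alone, has no shared-infrastructure neighbours and is left unlabelled.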

20.

In this paper, we examine the factors that influence the success of false data injection (FDI) attacks in the context of both cyber and physical styles of reinforcement. Existing research considers the FDI attack only in the context of the ability to change a measurement in a static system. However, a successful attack first requires intrusion into a system, followed by construction of an attack vector that can bypass bad data detection to cause a consequence (such as overloading). Furthermore, the recent development of moving target defences (MTD) introduces dynamically changing system topology, which is beyond the capability of existing research to assess. To this end, we develop a full-service framework for FDI risk assessment. The framework considers both the costs of system intrusion, via a weighted graph assessment, in combination with a physical, line overload-based vulnerability assessment under the existence of MTD. We present our simulations on an IEEE 14-bus system with an overlaid RTU network to model the true risk of intrusion. The cyber model considers multiple methods of entry for the FDI attack, including meter intrusion, RTU intrusion and combined attacks. Post-intrusion, our physical reinforcement model analyses the level of topology divergence required to protect against a branch overload from an optimised attack vector. The combined cyber and physical index is used to represent the system vulnerability against FDI attacks.
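The two physical-layer claims in the abstract, that an attack vector can bypass bad data detection in a static system and that a topology change under MTD can expose it, have a compact demonstration. The following is an added example and not the paper's framework: DC state estimation on a constructed 3-bus system with five measurements, least-squares estimation, and the usual residual-norm bad data detector. The attacker who knows the measurement matrix H injects a = Hc, which shifts the estimated state by exactly c while leaving the residual untouched; after the operator perturbs one line reactance (the MTD), the same stale a is no longer in the column space of the new H and the residual crosses the alarm threshold. The reactances, measurement set, noise vector, threshold and the injected state error c are assumptions chosen to keep the arithmetic small; no numerical library is used so the block runs stand-alone.

```python
"""FDI attack against DC state estimation: stealthy under a static topology,
detected after a topology change (moving target defence).

Added example, not the paper's framework. The 3-bus system, reactances,
measurement set, noise vector and detection threshold are constructed
assumptions chosen to keep the arithmetic small.
"""

N_BUS = 3
REF = 0                       # bus 0 is the angle reference, so the state is theta_1, theta_2
LINES = [(0, 1, 0.10), (0, 2, 0.20), (1, 2, 0.25)]        # (from, to, reactance)
LINES_MTD = [(0, 1, 0.10), (0, 2, 0.20), (1, 2, 0.20)]    # operator perturbed line 1-2
X_TRUE = [-0.05, -0.08]
NOISE = [0.001, -0.002, 0.0015, -0.001, 0.002]              # fixed measurement noise (constructed)
TAU = 0.01                                                  # residual-norm alarm threshold
C = [0.05, 0.0]                                             # state error the attacker wants to inject


def transpose(A):
    return [list(col) for col in zip(*A)]


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def matmul(A, B):
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def solve(A, b):
    """Gaussian elimination with partial pivoting for a small dense system."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for k in range(n):
        p = max(range(k, n), key=lambda i: abs(M[i][k]))
        M[k], M[p] = M[p], M[k]
        for i in range(k + 1, n):
            f = M[i][k] / M[k][k]
            M[i] = [a - f * c for a, c in zip(M[i], M[k])]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        x[i] = (M[i][n] - sum(M[i][j] * x[j] for j in range(i + 1, n))) / M[i][i]
    return x


def flow_row(line):
    """Row of H for the DC flow on a line: P_ij = (theta_i - theta_j) / x_ij."""
    i, j, x = line
    row = [0.0] * N_BUS
    row[i] += 1.0 / x
    row[j] -= 1.0 / x
    return row


def build_h(lines):
    """Measurements: every line flow, then the injection at every non-reference bus."""
    rows = [flow_row(l) for l in lines]
    for k in range(N_BUS):
        if k == REF:
            continue
        inj = [0.0] * N_BUS
        for line in lines:
            if k in line[:2]:
                sign = 1.0 if line[0] == k else -1.0
                inj = [a + sign * b for a, b in zip(inj, flow_row(line))]
        rows.append(inj)
    return [r[:REF] + r[REF + 1:] for r in rows]      # drop the reference-bus column


def estimate(H, z):
    """Least squares with unit weights: x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_norm(H, z):
    """Bad data detection statistic ||z - H x_hat||."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, estimate(H, z)))]
    return sum(v * v for v in r) ** 0.5


def scenario(lines_now, lines_attacker_knows, c):
    """Attacker builds a = H_known c from the topology they observed; the grid
    actually runs lines_now. Returns (alarm raised, shift of the estimated state)."""
    H_now, H_known = build_h(lines_now), build_h(lines_attacker_knows)
    z = [v + e for v, e in zip(matvec(H_now, X_TRUE), NOISE)]
    z_attacked = [zi + ai for zi, ai in zip(z, matvec(H_known, c))]
    shift = [p - q for p, q in zip(estimate(H_now, z_attacked), estimate(H_now, z))]
    return residual_norm(H_now, z_attacked) > TAU, shift


if __name__ == "__main__":
    print("static topology :", scenario(LINES, LINES, C))        # no alarm, state shifted by C
    print("after MTD       :", scenario(LINES_MTD, LINES, C))    # stale a = Hc now triggers the alarm
```

The residual is unchanged by a = Hc because the detector only sees the component of z orthogonal to the column space of H, and Hc has none; this is why the abstract's "topology divergence" is the quantity that matters. The perturbation has to be large enough that the stale attack vector's out-of-column-space component exceeds the noise floor, and the attacker who can re-observe the new topology before injecting regains stealth, which is the dynamic the paper's intrusion-cost model is meant to capture.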



Copyright © 北京勤云科技发展有限公司 (Beijing Qinyun Technology Development Co., Ltd.)  京ICP备09084417号