
Containment Strategy Formalism in a Probabilistic Threat Modelling Framework / Formalisering av inneslutningstrategier i ett ramverk för probabilistisk hotmodellering

Fahlander, Per. January 2021.
Background - Foreseeing, mitigating and preventing cyber-attacks is more important than ever before. Advances in the field of probabilistic threat modelling can help organisations understand their own resilience profile against cyber-attacks. Previous research has proposed MAL, a meta language for capturing the attack logic of a considered domain and running attack simulations in a depicted model of the defender's system. While this modality is already somewhat established, less is known about how to proactively model containment protocols for when an incident has already occurred. Purpose - By proposing a formalism for how to describe and reason about containment in a MAL-based system-specific model, this study aims to bridge the divide between probabilistic threat modelling and the containment phase of the incident response life-cycle. The main issues are how to formalise containment and how to reason about selecting the most beneficial strategy for a considered model. Method - The study first sets out to identify practical instances of incident containment in the literature. Some of these incidents and their respective containment items are then encoded with a novel methodology. A containment strategy selection algorithm is proposed that guides containment decisions by working with the encoded constructs and a system-specific model. Finally, the encoded items are verified and the algorithm validated through example scenarios. Result & Analysis - The verification tests showed that all implementations of encoded constructs yielded results according to expectation. Validity tests also indicated that the algorithm endorsed the correct solution to a significant extent. The null hypothesis, that the number of correctly predicted containment strategies could be explained strictly by coincidence, was rejected by two validity tests with p-values of 8.2 × 10^-12 and 2.9 × 10^-17 respectively, both < 0.05.
Conclusion - The study demonstrates a viable methodology for describing and reasoning about containment of incidents in a MAL-based framework. This was indicated by verification and validity testing that confirmed the correctness of the incident and containment action implementations, as well as the propensity of the algorithm to favour containment strategies that align with human reasoning.
/ Background - Foreseeing, mitigating and preventing cyber-attacks is more important than ever before. Advances in the field of probabilistic threat modelling can help organisations understand their own resilience against cyber-attacks. Previous research has introduced MAL, a meta language for capturing the attack logic of a considered domain and running attack simulations in a depicted model of the defender's system. While this modality is already fairly established, less is known about how to actively model containment protocols for occasions when an incident has already occurred. Purpose - By introducing a formalism for describing and reasoning about containment actions given a MAL-based system-specific model, this study hopes to link probabilistic threat modelling with the containment phase of the incident-handling life-cycle. The study addresses how containment actions can be formalised and how one can reason about choosing the most beneficial strategy given a model. Method - The study first aims to identify practical examples of incident containment in the literature. Some of these examples of incidents and containment actions are then formalised with a new method. An algorithm for choosing among these containment actions is also introduced. Finally, the formalised incidents and containment actions are verified and the algorithm validated. Results & Analysis - The verification tests showed that all implementations produced results that matched expectations.
Validity tests also showed that the algorithm chose the correct solution to a significant degree. The null hypothesis, i.e. that the number of correctly predicted containment strategies could be explained strictly by chance, was rejected by two validity tests with p-values of 8.2 × 10^-12 and 2.9 × 10^-17 respectively, both < 0.05. Conclusion - The study demonstrates a realistic method for describing and reasoning about containment of incidents in a MAL-based framework. The verification tests confirmed that the implementations of incidents and containment actions were correct. The validity tests also showed that the algorithm chose containment strategies that agree with human judgement to a significant extent.
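The selection step the abstract describes, reduced to a toy so the mechanics are visible. This is an added illustration and not the thesis's algorithm or its MAL encoding: it assumes a hypothetical system-specific model (attack steps with OR/AND semantics, a per-edge success probability, an impact value on the steps that represent assets, and a constructed phishing-to-exfiltration path) and hypothetical containment actions that each neutralise some steps at an operational cost. Given the steps already known to be compromised, every combination of up to two actions is scored by residual expected loss plus cost, and the lowest score is the recommended strategy.

```python
"""Toy containment-strategy selection over a small probabilistic attack graph.
Added example; the model, actions and numbers are constructed, not from the thesis."""
from dataclasses import dataclass, field
from itertools import combinations
import math


@dataclass
class Step:
    kind: str = "or"                                # "or": any parent suffices; "and": all parents needed
    parents: dict = field(default_factory=dict)     # parent step -> success probability of that edge
    impact: float = 0.0                             # loss if the attacker reaches this step (0 = no asset)


# Constructed system-specific model (hypothetical). Steps with no parents are attacker entry points.
MODEL = {
    "phish_user":            Step(),
    "workstation_access":    Step(parents={"phish_user": 0.6}),
    "dump_creds":            Step(parents={"workstation_access": 0.5}),
    "lateral_to_fileserver": Step("and", parents={"dump_creds": 0.8, "workstation_access": 1.0}, impact=0.6),
    "exfiltrate":            Step(parents={"lateral_to_fileserver": 0.7, "workstation_access": 0.1}, impact=1.0),
}

# Constructed containment actions: the steps each one neutralises, and its cost in the same units as impact.
ACTIONS = {
    "isolate_workstation": ({"workstation_access"}, 0.30),
    "rotate_credentials":  ({"dump_creds"}, 0.10),
    "block_egress":        ({"exfiltrate"}, 0.05),
}


def reach_probabilities(model, compromised, disabled):
    """Probability that the attacker reaches each step, given steps already
    compromised (P=1) and steps neutralised by containment (P=0). The graph is assumed acyclic."""
    probs = {}

    def p(step):
        if step in probs:
            return probs[step]
        if step in disabled:
            val = 0.0
        elif step in compromised:
            val = 1.0
        elif not model[step].parents:
            val = 1.0                                   # entry step: attacker assumed to attempt it
        else:
            terms = [p(parent) * edge for parent, edge in model[step].parents.items()]
            if model[step].kind == "and":
                val = math.prod(terms)                  # every parent path must succeed
            else:
                val = 1.0 - math.prod(1.0 - t for t in terms)   # at least one parent path succeeds
        probs[step] = val
        return val

    for step in model:
        p(step)
    return probs


def expected_loss(model, probs):
    return sum(probs[s] * model[s].impact for s in model)


def rank_strategies(model, actions, compromised, max_actions=2):
    """Score every combination of up to max_actions containment actions by
    residual expected loss plus containment cost; lower is better. The empty
    combination is the 'do nothing' baseline."""
    scored = []
    names = sorted(actions)
    for k in range(max_actions + 1):
        for combo in combinations(names, k):
            disabled = set().union(*(actions[a][0] for a in combo))
            cost = sum(actions[a][1] for a in combo)
            loss = expected_loss(model, reach_probabilities(model, compromised, disabled))
            scored.append((round(loss + cost, 6), combo))
    return sorted(scored)


if __name__ == "__main__":
    # Incident: the workstation is known to be compromised; which containment to apply?
    for score, combo in rank_strategies(MODEL, ACTIONS, compromised={"workstation_access"}):
        print(f"{score:.3f}  {' + '.join(combo) or '(no containment)'}")
```

With the constructed numbers, doing nothing leaves an expected loss of 0.592, isolating the workstation removes all risk but at the highest cost, and the cheapest adequate strategy is rotating credentials plus blocking egress. The ranking is the point: the same model answers "what should we do first?" rather than only "how exposed are we?".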

IT security: Exploring the Benefits of Cloud Computing for Incident Response / IT-säkerhet: en utforskande studie av fördelarna med cloud computing för incident response

Öhman, Malin. January 2023.
This study examines the potential of cloud computing to enhance incident response in IT security. It explores how cloud computing features, such as rapid elasticity and on-demand self-service, can positively affect IT infrastructure decisions during incident response scenarios. Through interviews with IT security consultants, insights are gathered on the interplay between incident response and cloud computing. The research findings highlight the significant economic impact of security incidents, which emerges as a critical concern for organizations. Furthermore, the study reveals that the aftermath of an incident presents a unique opportunity to strengthen an organization's security posture, which aligns with the theory that security measures are often perceived as unnecessary until a breach occurs. This study demonstrates that leveraging cloud computing characteristics can yield several advantages for IT infrastructure decisions in incident response scenarios in terms of speed and efficiency, and that cloud computing offers the potential for improved visibility, ease of investigation, and inherent security measures. However, organizations need to address the challenge of acquiring the expertise necessary to use cloud resources securely. The time aspect emerges as a prominent benefit, as cloud resources can be provisioned rapidly compared with the lengthy process of acquiring and implementing hardware. Overall, cloud computing presents a viable option for rebuilding IT infrastructure after security incidents, particularly when functional backups are lacking.

Enhancing the Admissibility of Live Box Data Capture in Digital Forensics: Creation of the Live Box Computer Preservation Response (LBCPR) and Comparative Study Against Dead Box Data Acquisition

Mancilla, Emilia. 05 December 2022.
There are several techniques and methods for capturing data during a Live Box response in computer forensics, but the key to these acquisitions is keeping the collected data admissible in a judicial court process. Different approaches during a Live Box examination will lead to data changes on the computer, owing to the volatile nature of data stored in memory. These inevitable changes to volatile data are what cause the controversy when admitting digital evidence in courtroom proceedings.

The main goal of this dissertation was to create a process model, titled Live Box Computer Preservation Response (LBCPR), that assists in ensuring the validity, reliability and accuracy of evidence in a court of law. This approach maximizes the admissibility of digital data derived from a Live Box response.

The LBCPR was created to meet legal and technical requirements for acquiring data from a live computer. With captured Live Box computer data, investigators can add value to their investigation when processing and analyzing a captured data set that would otherwise have been permanently unrecoverable once the machine was powered down. By collecting the volatile data prior to conducting Dead Box forensics, there is more information that can be used to understand the state of the machine at the time of collection when combined with the stored data contents.

This study created a comparative analysis of data collection with the LBCPR method versus traditional Dead Box forensics techniques, further confirming the expected result that Live Box techniques capture volatile data. Because of the structure of the LBCPR, there was an enhanced capability to obtain value from memory dumps despite their randomization, owing to the logs collected in the process model. In addition, with the focus on legal admissibility, techniques for keeping data admissible in a court of law were incorporated.
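One concrete form the "collected logs" can take so that a Live Box acquisition remains defensible: an added example, not the LBCPR itself or any tool the dissertation describes. Each artifact is hashed as it is captured, in order of volatility, and every log entry carries the hash of the previous entry, so that a removed, reordered or edited entry is detectable later; a verifier re-hashes both the artifacts and the log. The artifact names, case identifier and captured bytes are constructed placeholders.

```python
"""Hash-chained acquisition log for volatile (Live Box) evidence.
Added example; artifact names, case data and byte contents are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Collection order follows the order of volatility: most transient first.
ORDER_OF_VOLATILITY = ["memory", "network_state", "process_list", "logged_in_users"]
GENESIS = "0" * 64   # prev_entry value of the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash of the entry's content, excluding the stored entry_hash field itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True).encode())


def build_custody_log(artifacts, case_id, examiner, clock=None):
    """artifacts: artifact name -> bytes captured from the live machine.
    Returns a list of log entries; each carries the hash of the previous entry,
    so removing, reordering or editing an entry breaks the chain."""
    clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
    log, prev = [], GENESIS
    present = [name for name in ORDER_OF_VOLATILITY if name in artifacts]
    for seq, name in enumerate(present):
        entry = {
            "seq": seq,
            "case": case_id,
            "examiner": examiner,
            "artifact": name,
            "size": len(artifacts[name]),
            "sha256": sha256_hex(artifacts[name]),
            "collected_at": clock(),
            "prev_entry": prev,
        }
        entry["entry_hash"] = _entry_hash(entry)
        log.append(entry)
        prev = entry["entry_hash"]
    return log


def verify_custody_log(log, artifacts):
    """Re-check the chain and the artifacts. Returns a list of problems; empty means intact."""
    problems, prev = [], GENESIS
    for entry in log:
        name = entry["artifact"]
        if entry["prev_entry"] != prev:
            problems.append(f"{name}: chain broken before this entry")
        recomputed = _entry_hash(entry)
        if recomputed != entry["entry_hash"]:
            problems.append(f"{name}: log entry altered")
        data = artifacts.get(name)
        if data is None:
            problems.append(f"{name}: artifact missing")
        elif sha256_hex(data) != entry["sha256"]:
            problems.append(f"{name}: artifact hash mismatch")
        prev = recomputed          # chain on the recomputed hash so an edit propagates forward
    return problems


if __name__ == "__main__":
    # Constructed captures standing in for a memory image, netstat output and a process list.
    captured = {
        "process_list": b"PID 4 System\nPID 812 svchost.exe\n",
        "memory": b"\x00" * 32,
        "network_state": b"TCP 10.0.0.5:49213 -> 203.0.113.7:443 ESTABLISHED\n",
    }
    chain = build_custody_log(captured, "CASE-0001", "examiner-1")
    print(json.dumps(chain, indent=2))
    print("problems:", verify_custody_log(chain, captured))
```

The chain does not by itself prove who did the collection; it proves that the record presented in court is the record written at acquisition time, which is the property the admissibility argument needs. Pair it with a signed or externally timestamped copy of the final entry hash if the log itself could be altered before presentation.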

Forenzní analýza malware / Forensic Malware Analysis

Král, Benjamin. January 2018.
This master's thesis describes the methodologies used in malware forensic analysis, including the methods used in static and dynamic analysis. Based on those methods, a tool intended for use by Computer Security Incident Response Teams (CSIRTs) is designed to allow fast analysis of, and decisions about, malware samples in security incident investigations. The design of this tool is described thoroughly in the work, along with the requirements on which the design is based. From the design, the ForensIRT tool is implemented and then used to analyze a Cridex malware sample to demonstrate its capabilities. Finally, the analysis results are compared with those of other comparable available malware forensics tools.

LEIA: The Live Evidence Information Aggregator : A Scalable Distributed Hypervisor‐based Peer‐2‐Peer Aggregator of Information for Cyber‐Law Enforcement I

Homem, Irvin. January 2013.
The Internet in its most basic form is a complex information sharing organism. There are billions of interconnected elements with varying capabilities that work together supporting numerous activities (services) through this information sharing. In recent times, these elements have become portable, mobile, highly computationally capable and more than ever intertwined with human controllers and their activities. They are also rapidly being embedded into other everyday objects and sharing more and more information in order to facilitate automation, signalling that the rise of the Internet of Things is imminent. In every human society there are always miscreants who prefer to drive against the common good and engage in illicit activity. It is no different within the society interconnected by the Internet (the Internet Society). Law enforcement in every society attempts to curb the perpetrators of such activities. However, it is immensely difficult when the Internet is the playing field. The amount of information that investigators must sift through is incredibly massive and the prosecution timelines stated by law are prohibitively narrow. The main solution to this Big Data problem is seen to be the automation of the digital investigation process. This encompasses the entire process: from the detection of malevolent activity, through seizure/collection of evidence and analysis of the evidentiary data collected, to the presentation of valid postulates. This paper focuses mainly on the automation of the evidence capture process in an Internet of Things environment. However, in order to achieve this comprehensively, the adjacent procedures of detecting malevolent activity and analysing the collected evidentiary data are also touched upon. To this effect we propose the Live Evidence Information Aggregator (LEIA) architecture, which aims to be a comprehensive automated digital investigation tool.
LEIA is in essence a collaborative framework that hinges upon interactivity and the sharing of resources and information among participating devices in order to achieve the necessary efficiency in data collection in the event of a security incident. It makes use of a variety of technologies to achieve its goals: crowdsourcing among devices to achieve more accurate malicious event detection; hypervisors with built-in intrusion detection capabilities to facilitate efficient data capture; peer-to-peer networks to facilitate rapid transfer of evidentiary data to a centralised data store; cloud storage to hold massive amounts of data; and the Resource Description Framework from Semantic Web technologies to make the data storage formats interoperable among heterogeneous devices. Within the description of the LEIA architecture, a peer-to-peer protocol based on the BitTorrent protocol is proposed, corresponding data storage and transfer formats are developed, and network security protocols are also taken into consideration. In order to demonstrate the LEIA architecture developed in this study, a small-scale prototype with limited capabilities has been built and tested. The prototype functionality focuses only on the secure, remote acquisition of the hard disk of an embedded Linux device over the Internet and its subsequent storage on a cloud infrastructure. The successful implementation of this prototype shows that the architecture is feasible and that automating the evidence seizure process makes the otherwise arduous process easy and quick to perform.

A new model for worm detection and response : development and evaluation of a new model based on knowledge discovery and data mining techniques to detect and respond to worm infection by integrating incident response, security metrics and apoptosis

Mohd Saudi, Madihah. January 2011.
Worms have been improved and a range of sophisticated techniques have been integrated into them, which make the detection and response processes much harder and longer than in the past. Therefore, in this thesis, a STAKCERT (Starter Kit for Computer Emergency Response Team) model is built to detect worm attacks in order to respond to worms more efficiently. The novelty and strengths of the STAKCERT model lie in the method implemented, which consists of the STAKCERT KDD processes and the development of the STAKCERT worm classification, the STAKCERT relational model and the STAKCERT worm apoptosis algorithm. The new concept introduced in this model, named apoptosis, is borrowed from the human immune system and mapped onto a security perspective. Furthermore, the encouraging results achieved by this research are validated by applying security metrics to assign the weight and severity values that trigger the apoptosis. In order to optimise the performance, the standard operating procedures (SOP) for worm incident response, which involve static and dynamic analyses, the knowledge discovery in databases (KDD) techniques used in modelling the STAKCERT model, and the data mining algorithms were used. This STAKCERT model has produced encouraging results and outperformed comparable existing work on worm detection. It produces an overall accuracy rate of 98.75%, with a false positive rate of 0.2% and a false negative rate of 1.45%. Worm response achieved an accuracy rate of 98.08%, which other researchers can later use as a comparison with their own work. / Ministry of Higher Education, Malaysia and Universiti Sains Islam Malaysia (USIM)

A 3-Dimensional UAS Forensic Intelligence-Led Taxonomy (U-FIT)

Salamh, Fahad. 22 July 2021.
Although many counter-drone systems such as drone jammers and anti-drone guns have been deployed, drone incidents are still increasing. These incidents are categorized as a deviant act, a criminal act, a terrorist act, or an unintentional act (i.e. system failure). Examples of reported drone incidents are not limited to property damage, but include personal injuries, airport disruption, drug transportation, and terrorist activities. Researchers have so far examined drone incidents only from a technological perspective. The variance in drone architectures poses many challenges to current investigation practices, including several operational approaches such as custom communication links. Therefore, there is limited research that studies the inter-component mapping in unmanned aircraft system (UAS) investigation incorporating three critical investigative domains: behavioral analysis, forensic intelligence (FORINT), and unmanned aerial vehicle (UAV) forensic investigation. The UAS forensic intelligence-led taxonomy (U-FIT) aims to classify the technical, behavioral, and intelligence characteristics of four UAS deviant actions: flying a drone too high, flying a drone close to government buildings, flying a drone over an airfield, and being involved in a drone collision. The behavioral and threat profiles also include one criminal act (UAV contraband smuggling). The UAV forensic investigation dimension concentrates on investigative techniques, including technical challenges, whereas the behavioral dimension investigates behavioral characteristics, distinguishing between UAS deviant and illegal behaviors. Moreover, the U-FIT taxonomy in this study builds on existing knowledge of current UAS forensic practices to identify patterns that aid in generalizing a UAS forensic intelligence taxonomy.
The results of these dimensions supported the proposed UAS forensic intelligence-led taxonomy by clarifying the personality traits predicted for deviant actions and for drone smugglers. The score obtained in this study was effective in distinguishing individuals based on certain personality traits. These novel, highly distinguishing features in the behavioral personality of drone users may be of particular importance not only in the field of behavioral psychology but also in law enforcement and intelligence.

Skydd och incidentrespons inom IT-säkerhet : En studie kring utvecklingen av ransomware / Protection and incident response within IT-security: A study about the development of ransomware

Ericson, Christoffer; Derek, Nick. January 2023.
Cybersecurity is a constantly growing threat to organisations, driven by an ever more digitalised society, although there are signs that organisations' awareness of cyberattacks and cybersecurity is increasing. Cyberattacks can have consequences that halt an organisation's operations. This forms the basis for this work: to see how defensive capability has developed. In the worst case, a cyberattack brings consequences that can jeopardise an organisation's ability to survive. With the new threat of ransomware, where the threat actor encrypts the victim's files and then demands a ransom, the consequences have become far more severe. Ransomware methods are developed further by the threat actors, which can lead to more than just economic consequences for the organisation. Against ransomware, broadly the same protective measures apply as against all forms of cyberattack, but there are some especially important aspects that are highlighted in this work, for example implementing backups, adequate data protection and good patch management (i.e. a protocol for remediating vulnerabilities in software). The work compiles an industry consensus on how organisations should work against cyberattacks, specifically ransomware attacks. This was done through a literature study and a qualitative interview study, which were then analysed and discussed. The interview study was conducted at organisations judged suitable because they work with cybersecurity daily. One of the recommendations is to have a good backup routine, in which backups are created, distributed and tested. The work also highlights how good patch management should be implemented. Finally, a new method is presented, Ransomware 3.0, in which threat actors steal an organisation's IT environment, erase it locally at the organisation and then sell it back; this method, used by the threat actors, has so far been unknown, and further research should be undertaken.
/ Cybersecurity is a constantly growing threat to organisations due to the increasing digitalisation of society, although there are signs that awareness at organisations has increased regarding cyberattacks and cybersecurity. Cyberattacks can create consequences that restrain an organisation's operations. This creates the foundation for this study: to see how defence capabilities have developed. A cyberattack can, in the worst case, threaten an organisation's ability to survive. With regard to the new threat, ransomware, where the threat actor encrypts the victim's files and demands a ransom, the consequences can be fatal. The new methods associated with ransomware, where the threat actor also exfiltrates the victim's files, strongly affect the organisation's ability to operate. This can lead to economic consequences as well as damage to stakeholder relations. Most protective measures apply to ransomware; however, there are some especially important aspects that are presented in this paper, such as implementation of backups, sufficient data protection and good patch management (a protocol for patching vulnerabilities in software). In this paper, an industry consensus on how organisations should work against cyberattacks, especially ransomware, is compiled. This was performed through a literature study and a qualitative interview study. Both studies have been analysed and discussed. The interview study was carried out by interviewing appropriate organisations that work with cybersecurity daily. One of the recommendations is to have a good backup protocol, which implies creating, distributing and testing these backups. This paper also presents how good patch management should be implemented.
Finally, this paper presents a new method, Ransomware 3.0, in which the threat actor steals an organisation's IT environment and then destroys the local copy at the organisation in order to sell it back. This method is used by threat actors but is still not widely known, and further research has to be conducted.
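The "test" step of the backup recommendation above, as an added example rather than any procedure from the thesis or its interviewees: a manifest of file hashes is written when the backup is taken, and a restore is checked against it. A file that has changed is classified as legitimately modified or, when its content has near-maximal byte entropy, as suspected ransomware-encrypted, so that a backup taken after the encryption started is caught before it is trusted. The directory layout, file contents and the 7.5-bit entropy threshold are constructed assumptions.

```python
"""Backup test-restore check with a hash manifest and an entropy flag for encrypted content.
Added example; the sample tree, file contents and threshold are constructed."""
import hashlib
import math
import os
from collections import Counter


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; plaintext documents sit well below 6, ciphertext and
    compressed data approach 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Relative path (with '/' separators) -> size and sha256 for every file under root.
    Write this out alongside the backup when it is created."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"size": os.path.getsize(full), "sha256": sha256_file(full)}
    return manifest


def verify_restore(manifest, restored_root, entropy_threshold=7.5):
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(restored_root)
    report = {"missing": [], "modified": [], "suspected_encrypted": [], "extra": []}
    for rel, expected in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        if current[rel]["sha256"] != expected["sha256"]:
            with open(os.path.join(restored_root, *rel.split("/")), "rb") as f:
                sample = f.read(65536)          # entropy of the first 64 KiB is enough to classify
            if shannon_entropy(sample) >= entropy_threshold:
                report["suspected_encrypted"].append(rel)
            else:
                report["modified"].append(rel)
    report["extra"] = sorted(set(current) - set(manifest))
    report["ok"] = not (report["missing"] or report["modified"] or report["suspected_encrypted"])
    return report


def demo_restore_check():
    """Constructed scenario: a small tree is backed up (manifest taken), then the restore
    comes back with one file encrypted, one file legitimately edited and one file missing."""
    import shutil
    import tempfile
    base = tempfile.mkdtemp()
    src, restored = os.path.join(base, "src"), os.path.join(base, "restored")
    os.makedirs(os.path.join(src, "finance"))
    files = {
        "finance/ledger.csv": b"date,amount\n2023-01-02,120.00\n" * 50,
        "notes.txt": b"quarterly planning notes\n" * 20,
        "readme.md": b"# Shared drive\n",
    }
    for rel, data in files.items():
        with open(os.path.join(src, *rel.split("/")), "wb") as f:
            f.write(data)
    manifest = build_manifest(src)
    shutil.copytree(src, restored)
    with open(os.path.join(restored, "finance", "ledger.csv"), "wb") as f:
        f.write(bytes(range(256)) * 16)         # uniform bytes stand in for ransomware-encrypted content
    with open(os.path.join(restored, "notes.txt"), "ab") as f:
        f.write(b"edited after backup\n")       # legitimate low-entropy change
    os.remove(os.path.join(restored, "readme.md"))
    report = verify_restore(manifest, restored)
    shutil.rmtree(base)
    return report


if __name__ == "__main__":
    print(demo_restore_check())
```

A manifest that lives only next to the backup it describes can be encrypted along with it; keep a copy on the offline or immutable tier of the distribution scheme the abstract recommends, and run the check on a schedule rather than only after an incident.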

Towards a Transdisciplinary Cyber Forensics Geo-Contextualization Framework

Mirza, Mohammad Meraj. 04 August 2023.
Technological advances have a profound impact on people and the world in which they live. People use a wide range of smart devices, such as Internet of Things (IoT) devices, smartphones, and wearables, on a regular basis, all of which store and use location data. With this explosion of technology, these devices have been playing an essential role in digital forensics and crime investigations. Digital forensic professionals have become better able to acquire and assess various types of data, including locations; therefore, location data has become essential for responders, practitioners, and digital investigators dealing with digital forensic cases that rely heavily on digital devices that collect data about their users. When performing any digital/cyber forensic investigation it is very beneficial, and often critical, to answer the six W questions (who, what, when, where, why, and how) using location data recovered from digital devices, such as where the suspect was at the time of the crime or the deviant act. This could help convict a suspect or help prove their innocence. However, many digital forensic standards, guidelines, and tools, and even the National Institute of Standards and Technology (NIST) Cyber Security Personnel Framework (NICE), lack full coverage of what location data can be, how to use such data effectively, and how to perform spatial analysis. Although current digital forensic frameworks recognize the importance of location data, only a limited number of data sources (e.g., GPS) are considered sources of location in these frameworks. Moreover, most digital forensic frameworks and tools have yet to introduce geo-contextualization techniques and spatial analysis into the digital forensic process, which may aid digital forensic investigations and provide more information for decision-making.
As a result, significant gaps in the digital forensics community are still caused by a lack of understanding of how to properly curate geodata. Therefore, this research was conducted to develop a transdisciplinary framework that deals with the limitations of previous work and explores opportunities to handle geodata recovered from digital evidence, by improving the way geodata is maintained and getting the best value from it, using an iPhone case study. The findings of this study demonstrated the potential value of geodata in digital forensic investigations when using the created transdisciplinary framework. Moreover, the findings discuss the implications for digital spatial analytical techniques and multi-intelligence domains, including location intelligence and open-source intelligence, that aid investigators and generate an exceptional understanding of device users' spatial, temporal, and spatial-temporal patterns.
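One spatial-temporal technique of the kind the abstract refers to, shown as an added example that is not part of the thesis or its framework: stay-point detection over a timestamped location track. Consecutive fixes that remain within a distance threshold of an anchor fix for at least a minimum dwell time are collapsed into one "stay" with its arrival time, departure time and centroid, which is the first thing an investigator wants from a recovered track (where the device dwelt, and when) rather than the raw fix list. The track below is constructed, not recovered from any device, and the 200 m / 20 minute thresholds are assumptions to tune per data source.

```python
"""Stay-point detection over a timestamped location track.
Added example; SAMPLE_TRACK is constructed and the thresholds are assumptions."""
from datetime import datetime
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def stay_points(records, max_dist_m=200.0, min_minutes=20.0):
    """records: iterable of (ISO-8601 timestamp, lat, lon), in any order.
    Returns stays in time order. A stay is a run of fixes all within max_dist_m
    of the run's first fix whose first-to-last span is at least min_minutes."""
    pts = sorted((datetime.fromisoformat(ts), lat, lon) for ts, lat, lon in records)
    stays, i, n = [], 0, len(pts)
    while i < n:
        j = i + 1
        while j < n and haversine_m(pts[i][1], pts[i][2], pts[j][1], pts[j][2]) <= max_dist_m:
            j += 1
        group = pts[i:j]                       # fixes near the anchor fix i
        dwell = (group[-1][0] - group[0][0]).total_seconds() / 60
        if dwell >= min_minutes:
            stays.append({
                "arrive": group[0][0].isoformat(),
                "leave": group[-1][0].isoformat(),
                "minutes": round(dwell, 1),
                "lat": round(sum(p[1] for p in group) / len(group), 5),
                "lon": round(sum(p[2] for p in group) / len(group), 5),
                "samples": len(group),
            })
            i = j                              # resume after the stay
        else:
            i += 1                             # moving fix: try the next anchor
    return stays


# Constructed track: 30 minutes at one place, a short journey, an hour at a second place, then moving again.
SAMPLE_TRACK = [
    ("2023-08-04T07:15:00", 59.32940, 18.06880),
    ("2023-08-04T07:00:00", 59.32930, 18.06860),
    ("2023-08-04T07:30:00", 59.32925, 18.06850),
    ("2023-08-04T07:40:00", 59.34000, 18.06000),
    ("2023-08-04T07:50:00", 59.35000, 18.05000),
    ("2023-08-04T08:00:00", 59.36000, 18.04000),
    ("2023-08-04T08:30:00", 59.36010, 18.04010),
    ("2023-08-04T09:00:00", 59.35990, 18.03990),
    ("2023-08-04T09:10:00", 59.37000, 18.03000),
]

if __name__ == "__main__":
    for stay in stay_points(SAMPLE_TRACK):
        print(f"{stay['arrive']} to {stay['leave']} ({stay['minutes']} min, "
              f"{stay['samples']} fixes) at {stay['lat']}, {stay['lon']}")
```

Real device data needs two extra steps before this: normalising timestamps to one zone (iOS stores most location artefacts as UTC offsets from the Apple epoch) and carrying each fix's accuracy radius so a single poor fix does not split a genuine stay.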
