Discovering U.S. Government Threat Hunting Processes And Improvements

William Pierce Maxam III (15339184)

24 April 2023

<p><strong>INTRODUCTION:</strong> Cyber Threat Hunting (TH) is the activity of looking for potential</p> <p>compromises that other cyber defenses may have missed. These compromises cost organiza-</p> <p>tions an estimated $10M each and an effective Threat Hunt can reduce this cost. TH is a</p> <p>new discipline and processes have not yet been standardized. Most TH teams operate with</p> <p>no defined process. This is a problem as repeatable processes are important for a mature</p> <p>TH team.</p> <p><strong>OBJECTIVES:</strong> This thesis offers a Threat Hunt process as well as lessons learned</p> <p>derived from government TH practice.</p> <p><strong>METHODS:</strong> To achieve this I conducted 12 interviews, 1 hour in length, with govern-</p> <p>ment threat hunters. The transcripts of these interviews were analyzed with process and</p> <p>thematic coding. The coding was validated with a second reviewer.</p> <p><strong>RESULTS:</strong> I present a novel TH process depicting the process followed by government</p> <p>threat hunters. Common challenges and suggested solutions brought up by threat hunters</p> <p>were also enumerated and described. The most common problems were minimal automation</p> <p>and missing measures of TH expertise. Challenges with open questions were also identified.</p> <p>Open questions include: determining how to identify the best data to collect, how to create</p> <p>a specific but not rigid process and how to measure and compare the effectiveness of TH pro-</p> <p>cesses. Finally, subjects also provided features that indicate expertise to TH team members</p> <p>and recommendations on how to best integrate newer members into a TH team.</p> <p><strong>CONCLUSION:</strong> This thesis offers a first look at government TH processes. In the short</p> <p>term, the process recommendations provided in this thesis can be implemented and tested.</p> <p>In the long term, experiments in this sensitive context remain an open challenge.</p>

System and network security

Threat Hunting

Cyberspace Operations

A Meta-Learning based IDS

Zhenyu Wan (18431475)

26 April 2024

<p dir="ltr">As the demand for IoT devices continues to grow, our reliance on networks in daily life increases. Whether we are considering individual users or large multinational companies, networks have become an essential asset for people across various industries. However, this dependence on networks also exposes us to security vulnerabilities when traffic is not adequately filtered. A successful attack on the network could have severe consequences for its users. Therefore, the implementation of a network intrusion detection system (IDS) is crucial to safeguard the well-being of our modern society.</p><p dir="ltr">While AI-based IDS is a new force in the field of intrusion detection, it outperforms some traditional approaches. However, it is not without its flaws. The performance of ML-based IDS decreases when applied to a different dataset than the one it was trained on. This decrease in performance hinders the ML-based IDS's ability to be used in a production environment, as the data generated in a production environment also differs from the data that is used to train the IDS. This paper aims to devise an ML-based IDS that is generalizable to a different environment.</p>

System and network security

IDS

network classification

Information System Security

Yucel, Okan

01 January 2003

This thesis analyzes the physical, communicational, and organizational dimensions of information system security process by taking the four-layer approach, which is composed of the policy, model, architecture, and mechanisms into account. Within this scope, according to the results of the security analysis of information systems in METU Informatics Institute, the policy, model, architecture, and mechanisms necessary to prepare a new security process were proposed. As a subcomponent of this proposed security process, the network security of the IS100 course was partially established, and the generated results were evaluated.

A SYSTEMATIC FRAMEWORK FOR ANALYZING THE SECURITY AND PRIVACY OF WIRELESS COMMUNICATION PROTOCOL IMPLEMENTATIONS

Imtiaz Karim (14827771)

24 March 2023

<p> Wireless communication technologies, such as cellular ones, Bluetooth, and WiFi, are fundamental for today’s and tomorrow’s communication infrastructure. Networks based on those technologies are or will be increasingly deployed in many critical domains, such as critical infrastructures, smart cities, healthcare, and industrial environments. Protecting wireless networks against attacks and privacy breaches is thus critical. A fundamental step for the security and privacy of these networks is ensuring that their protocols are implemented as mandated by the standards. These protocols are however quite complex and unfortunately, the lack of secure-by-design approaches for these complex protocols often induces vulnerabilities in implementations with severe security and privacy repercussions. For these protocols, the standards are thousands of pages long, written in natural language, describe the high-level interaction of the protocol entities, and most often depend on human interpretation—which is open to misunderstanding and ambiguity. This inherently entails the question of whether these wireless protocols and their communication equipment implement the corresponding standards correctly or whether the implementations introduce vulnerabilities that can have severe consequences.</p>

System and network security

Communication protocols

4G

5G

Bluetooth Low Energy

Efficient Secure E-Voting and its Application In Cybersecurity Education

Nathan Robert Swearingen (12447549)

22 April 2022

<p>As the need for large elections increases and computer networking becomes more widely used, e-voting has become a major topic of interest in the field of cryptography. However, lack of cryptography knowledge among the general public is one obstacle to widespread deployment. In this paper, we present an e-voting scheme based on an existing scheme. Our scheme features an efficient location anonymization technique built on homomorphic encryption. This technique does not require any participation from the voter other than receiving and summing location shares. Moreover, our scheme is simplified and offers more protection against misbehaving parties. We also give an in-depth security analysis, present performance results, compare our scheme with existing schemes, and describe how our research can be used to enhance cybersecurity education.</p>

Other education not elsewhere classified

System and network security

e-voting

cybersecurity

education

Computer System Security

Education

Novel System Compartmentalization and Reverse Engineering Methods

Derrick P Mckee (12868367)

14 June 2022

<p>The need to secure software systems is more important than ever. However, while a lot of work exists to design and implement secure systems, a fundamental weakness remains. Instead of implementing software with least privilege policies, developers create monolithic systems that allow any instruction near universal memory access. This dissertation attempts to rectify this fundamental weakness to software design through three different contributions.</p> <p>First, I address the monolithic software design problem by proposing and evaluating a novel compartmentalization enforcement mechanism called Hardware-Assisted Kernel Compartmentalization (HAKC). HAKC is capable of enforcing an arbitrary compartmentalization policy using features of the ARMv9 ISA, without the need of any extra virtualization or trusted software layer. I then introduce a method of determining an optimal compartmentalization policy based on user performance and security constraints called FlexC, which is tested using HAKC as the enforcement mechanism. The end result is a hardened, com-partmentalized kernel, customized to a user’s needs, which enforces a least privilege policy that minimizes overhead. Finally, as an avenue for further compartmentalization policy generation, I introduce a novel program analysis framework called IOVec Function Identifier (IOVFI), which foregoes the use of language processing and model learning, but instead uses program state changes as a unique function fingerprint. I show that IOVFI is a more stable and accurate function identifier than the state-of-the-art, even in the presence of differing compilation environments, purposeful obfuscations, and even architecture changes.</p>

Software and application security

System and network security

Compartmentalization

Reverse engineering

Computer security

INTRUSION DETECTION SYSTEM FOR CONTROLLER AREA NETWORK

Vinayak Jayant Tanksale (13118805)

19 July 2022

<p>The rapid expansion of intra-vehicle networks has increased the number of threats to such networks. Most modern vehicles implement various physical and data-link layer technologies. Vehicles are becoming increasingly autonomous and connected. Controller Area Network (CAN) is a serial bus system that is used to connect sensors and controllers (Electronic Control Units – ECUs) within a vehicle. ECUs vary widely in processing power, storage, memory, and connectivity. The goal of this research is to design, implement, and test an efficient and effective intrusion detection system for intra-vehicle CANs. Such a system must be capable of detecting intrusions in almost real-time with minimal resources. The research proposes a specific type of recursive neural network called Long Short-Term Memory (LSTM) to detect anomalies. It also proposes a decision engine that will use LSTM-classified anomalies to detect intrusions by using multiple contextual parameters. We have conducted multiple experiments on the optimal choice of various LSTM hyperparameters. We have tested our classification algorithm and our decision engine using data from real automobiles. We will present the results of our experiments and analyze our findings. After detailed evaluation of our intrusion detection system, we believe that we have designed a vehicle security solution that meets all the outlined requirements and goals.</p>

System and network security

Controller Area Network

Intrusion detection

LSTM networks

RNN

Deep Learning Applications

Cybersecurity

LEVERAGING MULTIMODAL SENSING FOR ENHANCING THE SECURITY AND PRIVACY OF MOBILE SYSTEMS

Habiba Farrukh (13969653)

26 July 2023

<p>Mobile systems, such as smartphones, wearables (e.g., smartwatches, AR/VR headsets),<br> and IoT devices, have come a long way from being just a method of communication to<br> sophisticated sensing devices that monitor and control several aspects of our lives. These<br> devices have enabled several useful applications in a wide range of domains ranging from<br> healthcare and finance to energy and agriculture industries. While such advancement has<br> enabled applications in several aspects of human life, it has also made these devices an<br> interesting target for adversaries.<br> In this dissertation, I specifically focus on how the various sensors on mobile devices can<br> be exploited by adversaries to violate users’ privacy and present methods to use sensors<br> to improve the security of these devices. My thesis posits that multi-modal sensing can be<br> leveraged to enhance the security and privacy of mobile systems.<br> In this, first, I describe my work that demonstrates that human interaction with mobile de-<br> vices and their accessories (e.g., stylus pencils) generates identifiable patterns in permissionless<br> mobile sensors’ data, which reveal sensitive information about users. Specifically, I developed<br> S3 to show how embedded magnets in stylus pencils impact the mobile magnetometer sensor<br> and can be exploited to infer a users incredibly private handwriting. Then, I designed LocIn<br> to infer a users indoor semantic location from 3D spatial data collected by mixed reality<br> devices through LiDAR and depth sensors. These works highlight new privacy issues due to<br> advanced sensors on emerging commodity devices.<br> Second, I present my work that characterizes the threats against smartphone authentication<br> and IoT device pairing and proposes usable and secure methods to protect against these threats.<br> I developed two systems, FaceRevelio and IoTCupid, to enable reliable and secure user and<br> device authentication, respectively, to protect users’ private information (e.g., contacts,<br> messages, credit card details) on commodity mobile and allow secure communication between<br> IoT devices. These works enable usable authentication on diverse mobile and IoT devices<br> and eliminate the dependency on sophisticated hardware for user-friendly authentication.</p>

Data and information privacy

System and network security

Mobile computing

Multimodal sensing

Mobile Security & Privacy

APEX-ICS: Automated Protocol Exploration And Fuzzing For Closed Source ICS Protocols

Parvin Kumar (15354694)

28 April 2023

<p>A closed-source ICS communication is a fundamental component of supervisory software and PLCs operating critical infrastructure or configuring devices. As this is a vital communication, a compromised protocol can allow attackers to take over the entire critical infrastructure network and maliciously manipulate field device values. Thus, it is crucial to conduct security assessments of these closed-source protocol communications before deploy?ing them in a production environment to ensure the safety of critical infrastructure. However, Fuzzing closed-source communication without understanding the protocol structure or state is ineffective, making testing such closed-source communications a challenging task. </p> <p><br></p> <p>This research study introduces the APEX-ICS framework, which consists of two significant components: Automatic closed-source ICS protocol reverse-engineering and stateful black-box fuzzing. The former aims to reverse-engineer the protocol communication, which is critical to effectively performing the fuzzing technique. The latter component leverages the generated grammar to detect vulnerabilities in communication between supervisory software and PLCs. The framework prototype was implemented using the Codesys v3.0 closed-source protocol communication to conduct reverse engineering and fuzzing and successfully identified 4 previously unknown vulnerabilities, which were found to impact more than 400 manufacturer’s devices. </p>

Hardware security

Software and application security

System and network security

Fuzzng

reverse engineering concept

Codesys

ICS

APEX-ICS: Automated Protocol Exploration and Fuzzing For Closed-Source ICS Protocols

Parvin Kumar (15354694)

28 April 2023

<p> A closed-source ICS communication is a fundamental component of supervisory software and PLCs operating critical infrastructure or configuring devices. As this is a vital communication, a compromised protocol can allow attackers to take over the entire critical infrastructure network and maliciously manipulate field device values. Thus, it is crucial to conduct security assessments of these closed-source protocol communications before deploying them in a production environment to ensure the safety of critical infrastructure. However, Fuzzing closed-source communication without understanding the protocol structure or state is ineffective, making testing such closed-source communications a challenging task.</p> <p><br> This research study introduces the APEX-ICS framework, which consists of two significant components: Automatic closed-source ICS protocol reverse-engineering and stateful black-box fuzzing. The former aims to reverse-engineer the protocol communication, which is critical to effectively performing the fuzzing technique. The latter component leverages the generated grammar to detect vulnerabilities in communication between supervisory software and PLCs. The framework prototype was implemented using the Codesys v3.0 closed-source protocol communication to conduct reverse engineering and fuzzing and successfully identified 4 previously unknown vulnerabilities, which were found to impact more than 400 manufacturer’s devices. </p>

Hardware security

Software and application security

System and network security

Fuzzing

Reverse Engineering

ICS