11

Containment Strategy Formalism in a Probabilistic Threat Modelling Framework / Formalisering av inneslutningstrategier i ett ramverk för probabilistisk hotmodellering

Fahlander, Per January 2021 (has links)
Background - Foreseeing, mitigating and preventing cyber-attacks is more important than ever before. Advances in the field of probabilistic threat modelling can help organisations understand their own resilience profile against cyber-attacks. Previous research has proposed MAL, a meta language for capturing the attack logic of a considered domain and running attack simulations in a depicted model of the defender's system. While this modality is already somewhat established, less is known about how to proactively model containment protocols for when an incident has already occurred. Purpose - By proposing a formalism for how to describe and reason about containment in a MAL-based system-specific model, this study aims to bridge the divide between probabilistic threat modelling and the containment phase of the incident response life-cycle. The main issues are how to formalise containment and how to reason about selecting the most beneficial strategy for a considered model. Method - The study first sets out to identify practical instances of incident containment in the literature. Then some of these incidents and their respective containment items are encoded with a novel methodology. A containment strategy selection algorithm is proposed that guides containment decisions by working with the encoded constructs and a system-specific model. Finally, the encoded items are verified and the algorithm validated through example scenarios. Result & Analysis - The verification tests showed that all implementations of encoded constructs yielded results according to expectation. Validity tests also indicated that the algorithm endorsed the correct solution to a significant extent. The null hypothesis, that the number of correctly predicted containment strategies could be explained strictly by coincidence, was rejected by two validity tests with respective p-values of 8.2 · 10^-12 and 2.9 · 10^-17, both < 0.05.
Conclusion - The study demonstrates a viable methodology for describing and reasoning about containment of incidents in a MAL-based framework. This was indicated by verification and validity testing that confirmed the correctness of the incident and containment action implementations as well as the propensity of the algorithm to favour containment strategies that align with human reasoning. / Background - Foreseeing, mitigating and preventing cyber-attacks is more important than ever before. Advances in the field of probabilistic threat modelling can help organisations understand their own resilience against cyber-attacks. Previous research has introduced MAL, a meta language for capturing attack logic within a considered domain and running attack simulations in a depicted model of the defender's system. While this modality is already fairly established, less is known about how to actively model containment protocols for occasions when an incident has already occurred. Purpose - By introducing a formalism for describing and reasoning about containment actions given a MAL-based system-specific model, this study hopes to link probabilistic threat modelling with the containment phase of the incident response life-cycle. The study addresses how containment actions can be formalised and how to reason about selecting the most beneficial strategy given a model. Method - The study first aims to identify practical examples of incident containment in the literature. Then some of these examples of incidents and containment actions are formalised with a new method. An algorithm for choosing among these containment actions is also introduced. Finally, the formalised incidents and containment actions are verified and the algorithm is validated. Result & Analysis - The verification tests showed that all implementations produced results that matched expectations.
Validity tests also showed that the algorithm chose the correct solution to a significant degree. The null hypothesis, i.e. that the number of correctly predicted containment strategies could be explained strictly by chance, was rejected by two validity tests with respective p-values of 8.2 · 10^-12 and 2.9 · 10^-17, both < 0.05. Conclusion - The study demonstrates a realistic method for describing and reasoning about containment of incidents in a MAL-based framework. The verification tests confirmed that the implementations of incidents and containment actions were correct. The validity tests also showed that the algorithm chose containment strategies that agree with human judgement to a significant extent.
12

IT security: Exploring the Benefits of Cloud Computing for Incident Response / IT-säkerhet: en utforskande studie av fördelarna med cloud computing för incident response

Öhman, Malin January 2023 (has links)
This study examines the potential of Cloud Computing in enhancing incident response in IT security. It explores how cloud computing features, such as rapid elasticity and on-demand self-service, can positively impact IT infrastructure decisions during incident response scenarios. Through interviews with IT security consultants, insights are gathered on the interplay between incident response and Cloud Computing. The research findings highlight the significant economic impact of security incidents, which emerges as a critical concern for organizations. Furthermore, the study reveals that the aftermath of an incident presents a unique opportunity to strengthen an organization's security posture, which aligns with the theory that security measures are often perceived as unnecessary until a breach occurs. This study demonstrates that leveraging cloud computing characteristics can yield several advantages for IT infrastructure decisions in incident response scenarios in terms of speed and efficiency, and that Cloud Computing offers the potential for improved visibility, ease of investigation, and inherent security measures. However, organizations need to address the challenge of acquiring the necessary expertise to securely utilize cloud resources. The time aspect emerges as a prominent benefit, as cloud resources can be rapidly provisioned compared to the lengthy process of acquiring and implementing hardware. Overall, cloud computing presents a viable option for rebuilding IT infrastructure after security incidents, particularly when functional backups are lacking.
13

Enhancing the Admissibility of Live Box Data Capture in Digital Forensics: Creation of the Live Box Computer Preservation Response (LBCPR) and Comparative Study Against Dead Box Data Acquisition

Emilia Mancilla (14202911) 05 December 2022 (has links)
There are several techniques and methods for capturing data during a Live Box response in computer forensics, but the key to these acquisitions is to keep the collected data admissible in a judicial court process. Different approaches during a Live Box examination will lead to data changes in the computer, due to the volatile nature of data stored in memory. The inevitable changes to volatile data are what cause the controversy when admitting digital evidence in court room proceedings.

The main goal of this dissertation was to create a process model, titled Live Box Computer Preservation Response (LBCPR), that would assist in ensuring the validity, reliability and accuracy of evidence in a court of law. This approach maximizes the admissibility of digital data derived from a Live Box response.

The LBCPR was created to meet legal and technical requirements in acquiring data from a live computer. With captured Live Box computer data, investigators can further add value to their investigation when processing and analyzing the captured data set, which would otherwise have been permanently unrecoverable upon powering down the machine. By collecting the volatile data prior to conducting Dead Box forensics, there is an increased amount of information that can be utilized to understand the state of the machine upon collection when combined with the stored data contents.

This study created a comparative analysis of data collection with the LBCPR method versus traditional Dead Box forensics techniques, further proving the expected results of Live Box techniques capturing volatile data. However, due to the structure of the LBCPR, there were enhanced capabilities for obtaining value from the randomization of memory dumps, because of the assistance of the collected logs in the process model. In addition, with the legal admissibility focus, techniques were incorporated to keep data admissible in a court of law.
14

Forenzní analýza malware / Forensic Malware Analysis

Král, Benjamin January 2018 (has links)
This master's thesis describes methodologies used in malware forensic analysis, including methods used in static and dynamic analysis. Based on those methods, a tool intended to be used by Computer Security Incident Response Teams (CSIRTs) is designed to allow fast analysis and decisions regarding malware samples in security incident investigations. The design of this tool is thoroughly described in the work, along with the tool's requirements on which the design is based. Based on the design, a ForensIRT tool is implemented and then used to analyze the Cridex malware sample to demonstrate its capabilities. Finally, the analysis results are compared to those of other comparable available malware forensics tools.
15

LEIA: The Live Evidence Information Aggregator : A Scalable Distributed Hypervisor‐based Peer‐2‐Peer Aggregator of Information for Cyber‐Law Enforcement I

Homem, Irvin January 2013 (has links)
The Internet in its most basic form is a complex information sharing organism. There are billions of interconnected elements with varying capabilities that work together supporting numerous activities (services) through this information sharing. In recent times, these elements have become portable, mobile, highly computationally capable and more than ever intertwined with human controllers and their activities. They are also rapidly being embedded into other everyday objects and sharing more and more information in order to facilitate automation, signaling that the rise of the Internet of Things is imminent. In every human society there are always miscreants who prefer to drive against the common good and engage in illicit activity. It is no different within the society interconnected by the Internet (The Internet Society). Law enforcement in every society attempts to curb perpetrators of such activities. However, it is immensely difficult when the Internet is the playing field. The amount of information that investigators must sift through is incredibly massive and prosecution timelines stated by law are prohibitively narrow. The main solution towards this Big Data problem is seen to be the automation of the Digital Investigation process. This encompasses the entire process: From the detection of malevolent activity, seizure/collection of evidence, analysis of the evidentiary data collected and finally to the presentation of valid postulates. This paper focuses mainly on the automation of the evidence capture process in an Internet of Things environment. However, in order to comprehensively achieve this, the subsequent and consequent procedures of detection of malevolent activity and analysis of the evidentiary data collected, respectively, are also touched upon. To this effect we propose the Live Evidence Information Aggregator (LEIA) architecture that aims to be a comprehensive automated digital investigation tool. 
LEIA is in essence a collaborative framework that hinges upon interactivity and sharing of resources and information among participating devices in order to achieve the necessary efficiency in data collection in the event of a security incident. It makes use of a variety of technologies to achieve its goals. This is seen in the use of crowdsourcing among devices in order to achieve more accurate malicious event detection; hypervisors with inbuilt intrusion detection capabilities to facilitate efficient data capture; peer-to-peer networks to facilitate rapid transfer of evidentiary data to a centralized data store; cloud storage to facilitate storage of massive amounts of data; and the Resource Description Framework from Semantic Web technologies to facilitate the interoperability of data storage formats among the heterogeneous devices. Within the description of the LEIA architecture, a peer-to-peer protocol based on the BitTorrent protocol is proposed, corresponding data storage and transfer formats are developed, and network security protocols are also taken into consideration. In order to demonstrate the LEIA architecture developed in this study, a small-scale prototype with limited capabilities has been built and tested. The prototype functionality focuses only on the secure, remote acquisition of the hard disk of an embedded Linux device over the Internet and its subsequent storage on a cloud infrastructure. The successful implementation of this prototype goes to show that the architecture is feasible and that the automation of the evidence seizure process makes the otherwise arduous process easy and quick to perform.
16

Critical competencies required by cybersecurity leaders in small fintech companies

Hassan, Syed Muhammad Waqar Ul January 2024 (has links)
Small fintech companies face significant cybersecurity challenges that require specialized leadership competencies. This study identifies the critical competencies needed by cybersecurity leaders in small Fintech companies, guided by the ISO 27021:2017 standard. Utilizing a mixed-methods approach, the research includes semi-structured interviews and surveys with participants from eleven Fintech companies in Pakistan. Key findings highlight the importance of strategic leadership, particularly in aligning cybersecurity strategies with business objectives, ensuring regulatory compliance, and managing resources effectively. Incident response management is also crucial, emphasizing the need for developing and implementing response playbooks, leading teams effectively, and conducting thorough root cause analyses. Technological proficiency, including familiarity with emerging cybersecurity technologies and strong encryption standards, is essential for maintaining robust defenses. The study concludes with recommendations for training and development programs aimed at enhancing the competencies of cybersecurity leaders in the fintech sector, thereby improving the overall security posture and resilience of small fintech companies.
17

The challenges and opportunities in incident response for companies

Vassiliadis, Terry, Hedström, Jenny January 2024 (has links)
This study presents challenges and opportunities in Incident Response as a part of Digital Forensic Readiness. For this study, the authors adopted a qualitative approach to identify and analyse challenges and opportunities for companies in Incident Response, specifically from the perspective of cybersecurity consultants in the Swedish market. Semi-structured interviews were conducted to collect data, and thematic coding was performed to analyse the data from interviews. Identifying and analysing these challenges and opportunities can provide valuable insights for cybersecurity practitioners, policymakers, and the academic community. The result of this study is that companies face challenges regarding Incident Response due to a lack of processes and in-house knowledge. The challenges may vary depending on the size of the company. Opportunities for companies with a successful Incident Response capability showed higher trust from customers, vendors, and partners, as well as brand trust due to the competitive nature of IT. Some of the important key factors contributing to successful Incident Response capability were well-established processes and staff training.
18

A new model for worm detection and response : development and evaluation of a new model based on knowledge discovery and data mining techniques to detect and respond to worm infection by integrating incident response, security metrics and apoptosis

Mohd Saudi, Madihah January 2011 (has links)
Worms have been improved and a range of sophisticated techniques have been integrated, which make the detection and response processes much harder and longer than in the past. Therefore, in this thesis, a STAKCERT (Starter Kit for Computer Emergency Response Team) model is built to detect worm attacks in order to respond to worms more efficiently. The novelty and the strengths of the STAKCERT model lie in the method implemented, which consists of STAKCERT KDD processes and the development of the STAKCERT worm classification, STAKCERT relational model and STAKCERT worm apoptosis algorithm. The new concept introduced in this model, named apoptosis, is borrowed from the human immune system and has been mapped to a security perspective. Furthermore, the encouraging results achieved by this research are validated by applying security metrics for assigning the weight and severity values that trigger the apoptosis. In order to optimise the performance result, the standard operating procedures (SOP) for worm incident response, which involve static and dynamic analyses, the knowledge discovery (KDD) techniques used in modelling the STAKCERT model, and the data mining algorithms were used. This STAKCERT model has produced encouraging results and outperformed comparable existing work for worm detection. It produces an overall accuracy rate of 98.75%, with a 0.2% false positive rate and a 1.45% false negative rate. Worm response has resulted in an accuracy rate of 98.08%, which can later be used by other researchers as a comparison with their work in future.
19

A 3-DIMENSIONAL UAS FORENSIC INTELLIGENCE-LED TAXONOMY (U-FIT)

Fahad Salamh (11023221) 22 July 2021 (has links)
Although many counter-drone systems such as drone jammers and anti-drone guns have been implemented, drone incidents are still increasing. These incidents are categorized as a deviant act, a criminal act, a terrorist act, or an unintentional act (aka system failure). Examples of reported drone incidents are not limited to property damage, but include personal injuries, airport disruption, drug transportation, and terrorist activities. Researchers have examined drone incidents only from a technological perspective. The variance in drone architectures poses many challenges to current investigation practices, including several operation approaches such as custom communication links. Therefore, there is a limited research background available that aims to study the intercomponent mapping in unmanned aircraft system (UAS) investigation incorporating three critical investigative domains: behavioral analysis, forensic intelligence (FORINT), and unmanned aerial vehicle (UAV) forensic investigation. The UAS forensic intelligence-led taxonomy (U-FIT) aims to classify the technical, behavioral, and intelligence characteristics of four UAS deviant actions, including individuals who flew a drone too high, flew a drone close to government buildings, flew a drone over an airfield, and were involved in a drone collision. The behavioral and threat profiles will include one criminal act (i.e., UAV contraband smugglers). The UAV forensic investigation dimension concentrates on investigative techniques including technical challenges, whereas the behavioral dimension investigates the behavioral characteristics, distinguishing among UAS deviants and illegal behaviors. Moreover, the U-FIT taxonomy in this study builds on the existing knowledge of current UAS forensic practices to identify patterns that aid in generalizing a UAS forensic intelligence taxonomy.
The results of these dimensions supported the proposed UAS forensic intelligence-led taxonomy by demystifying the predicted personality traits to deviant actions and drone smugglers. The score obtained in this study was effective in distinguishing individuals based on certain personality traits. These novel, highly distinguishing features in the behavioral personality of drone users may be of particular importance not only in the field of behavioral psychology but also in law enforcement and intelligence.
20

A new model for worm detection and response. Development and evaluation of a new model based on knowledge discovery and data mining techniques to detect and respond to worm infection by integrating incident response, security metrics and apoptosis.

Mohd Saudi, Madihah January 2011 (has links)
Worms have been improved and a range of sophisticated techniques have been integrated, which make the detection and response processes much harder and longer than in the past. Therefore, in this thesis, a STAKCERT (Starter Kit for Computer Emergency Response Team) model is built to detect worm attacks in order to respond to worms more efficiently. The novelty and the strengths of the STAKCERT model lie in the method implemented, which consists of STAKCERT KDD processes and the development of the STAKCERT worm classification, STAKCERT relational model and STAKCERT worm apoptosis algorithm. The new concept introduced in this model, named apoptosis, is borrowed from the human immune system and has been mapped to a security perspective. Furthermore, the encouraging results achieved by this research are validated by applying security metrics for assigning the weight and severity values that trigger the apoptosis. In order to optimise the performance result, the standard operating procedures (SOP) for worm incident response, which involve static and dynamic analyses, the knowledge discovery (KDD) techniques used in modelling the STAKCERT model, and the data mining algorithms were used. This STAKCERT model has produced encouraging results and outperformed comparable existing work for worm detection. It produces an overall accuracy rate of 98.75%, with a 0.2% false positive rate and a 1.45% false negative rate. Worm response has resulted in an accuracy rate of 98.08%, which can later be used by other researchers as a comparison with their work in future. / Ministry of Higher Education, Malaysia and Universiti Sains Islam Malaysia (USIM)