-
Current Challenges of Cyber Threat and Vulnerability Identification Using Public Enumerations
Authors:
Lukáš Sadlek,
Pavel Čeleda,
Daniel Tovarňák
Abstract:
Identification of cyber threats is one of the essential tasks for security teams. Currently, cyber threats can be identified using knowledge organized into various formats, enumerations, and knowledge bases. This paper studies the current challenges of identifying vulnerabilities and threats in cyberspace using enumerations and data about assets. Although enumerations are used in practice, we poin…
▽ More
Identification of cyber threats is one of the essential tasks for security teams. Currently, cyber threats can be identified using knowledge organized into various formats, enumerations, and knowledge bases. This paper studies the current challenges of identifying vulnerabilities and threats in cyberspace using enumerations and data about assets. Although enumerations are used in practice, we point out several issues that still decrease the quality of vulnerability and threat identification. Since vulnerability identification methods are based on network monitoring and agents, the issues are related to the asset discovery, the precision of vulnerability discovery, and the amount of data. On the other hand, threat identification utilizes graph-based, nature-language, machine-learning, and ontological approaches. The current trend is to propose methods that utilize tactics, techniques, and procedures instead of low-level indicators of compromise to make cyber threat identification more mature. Cooperation between standards from threat, vulnerability, and asset management is also an unresolved issue confirmed by analyzing relationships between public enumerations and knowledge bases. Last, we studied the usability of techniques from the MITRE ATT&CK knowledge base for threat modeling using network monitoring to capture data. Although network traffic is not the most used data source, it allows the modeling of almost all tactics from the MITRE ATT&CK.
△ Less
Submitted 29 June, 2022;
originally announced June 2022.
-
HTTPS Event-Flow Correlation: Improving Situational Awareness in Encrypted Web Traffic
Authors:
Stanislav Špaček,
Petr Velan,
Pavel Čeleda,
Daniel Tovarňák
Abstract:
Achieving situational awareness is a challenging process in current HTTPS-dominant web traffic. In this paper, we propose a new approach to encrypted web traffic monitoring. First, we design a method for correlating host-based and network monitoring data based on their common features and a correlation time-window. Then we analyze the correlation results in detail to identify configurations of web…
▽ More
Achieving situational awareness is a challenging process in current HTTPS-dominant web traffic. In this paper, we propose a new approach to encrypted web traffic monitoring. First, we design a method for correlating host-based and network monitoring data based on their common features and a correlation time-window. Then we analyze the correlation results in detail to identify configurations of web servers and monitoring infrastructure that negatively affect the correlation. We describe these properties and possible data preprocessing techniques to minimize their impact on correlation performance. Furthermore, to test the correlation method's behavior in different web server setups and for recent encryption protocols, we modify it by adapting the correlation features to TLS 1.3 and QUIC. Finally, we evaluate the correlation method on a dataset collected from a campus network. The results show that while the correlation requires monitoring of custom event and flow features, it remains feasible even when using encryption protocols designed for the near future.
△ Less
Submitted 22 June, 2022;
originally announced June 2022.
-
Identification of Attack Paths Using Kill Chain and Attack Graphs
Authors:
Lukáš Sadlek,
Pavel Čeleda,
Daniel Tovarňák
Abstract:
The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs. Ki…
▽ More
The ever-evolving capabilities of cyber attackers force security administrators to focus on the early identification of emerging threats. Targeted cyber attacks usually consist of several phases, from initial reconnaissance of the network environment to final impact on objectives. This paper investigates the identification of multi-step cyber threat scenarios using kill chain and attack graphs. Kill chain and attack graphs are threat modeling concepts that enable determining weak security defense points. We propose a novel kill chain attack graph that merges kill chain and attack graphs together. This approach determines possible chains of attacker's actions and their materialization within the protected network. The graph generation uses a categorization of threats according to violated security properties. The graph allows determining the kill chain phase the administrator should focus on and applicable countermeasures to mitigate possible cyber threats. We implemented the proposed approach for a predefined range of cyber threats, especially vulnerability exploitation and network threats. The approach was validated on a real-world use case. Publicly available implementation contains a proof-of-concept kill chain attack graph generator.
△ Less
Submitted 21 June, 2022;
originally announced June 2022.
-
Toolset for Collecting Shell Commands and Its Application in Hands-on Cybersecurity Training
Authors:
Valdemar Švábenský,
Jan Vykopal,
Daniel Tovarňák,
Pavel Čeleda
Abstract:
When learning cybersecurity, operating systems, or networking, students perform practical tasks using a broad range of command-line tools. Collecting and analyzing data about the command usage can reveal valuable insights into how students progress and where they make mistakes. However, few learning environments support recording and inspecting command-line inputs, and setting up an efficient infr…
▽ More
When learning cybersecurity, operating systems, or networking, students perform practical tasks using a broad range of command-line tools. Collecting and analyzing data about the command usage can reveal valuable insights into how students progress and where they make mistakes. However, few learning environments support recording and inspecting command-line inputs, and setting up an efficient infrastructure for this purpose is challenging. To aid engineering and computing educators, we share the design and implementation of an open-source toolset for logging commands that students execute on Linux machines. Compared to basic solutions, such as shell history files, the toolset's added value is threefold. 1) Its configuration is automated so that it can be easily used in classes on different topics. 2) It collects metadata about the command execution, such as a timestamp, hostname, and IP address. 3) Data are instantly forwarded to central storage in a unified, semi-structured format. This enables automated processing, both in real-time and post hoc, to enhance the instructors' understanding of student actions. The toolset works independently of the teaching content, the training network's topology, or the number of students working in parallel. We demonstrated the toolset's value in two learning environments at four training sessions. Over two semesters, 50 students played educational cybersecurity games using a Linux command-line interface. Each training session lasted approximately two hours, during which we recorded 4439 shell commands. The semi-automated data analysis revealed solution patterns, used tools, and misconceptions of students. Our insights from creating the toolset and applying it in teaching practice are relevant for instructors, researchers, and developers of learning environments. We provide the software and data resulting from this work so that others can use them.
△ Less
Submitted 21 December, 2021;
originally announced December 2021.
-
Scalable Learning Environments for Teaching Cybersecurity Hands-on
Authors:
Jan Vykopal,
Pavel Čeleda,
Pavel Seda,
Valdemar Švábenský,
Daniel Tovarňák
Abstract:
This Innovative Practice full paper describes a technical innovation for scalable teaching of cybersecurity hands-on classes using interactive learning environments. Hands-on experience significantly improves the practical skills of learners. However, the preparation and delivery of hands-on classes usually do not scale. Teaching even small groups of students requires a substantial effort to prepa…
▽ More
This Innovative Practice full paper describes a technical innovation for scalable teaching of cybersecurity hands-on classes using interactive learning environments. Hands-on experience significantly improves the practical skills of learners. However, the preparation and delivery of hands-on classes usually do not scale. Teaching even small groups of students requires a substantial effort to prepare the class environment and practical assignments. Further issues are associated with teaching large classes, providing feedback, and analyzing learning gains. We present our research effort and practical experience in designing and using learning environments that scale up hands-on cybersecurity classes. The environments support virtual networks with full-fledged operating systems and devices that emulate real-world systems.
(...)
Using the presented environments KYPO Cyber Range Platform and Cyber Sandbox Creator, we delivered the classes on-site or remotely for various target groups of learners (K-12, university students, and professional learners). The learners value the realistic nature of the environments that enable exercising theoretical concepts and tools. The instructors value time-efficiency when preparing and deploying the hands-on activities. Engineering and computing educators can freely use our software, which we have released under an open-source license. We also provide detailed documentation and exemplary hands-on training to help other educators adopt our teaching innovations and enable sharing of reusable components within the community.
△ Less
Submitted 5 January, 2022; v1 submitted 19 October, 2021;
originally announced October 2021.
