National Critical Infrastructure, Cyberthreats, Attack Strategies, Mitigations

profiletestnik2
EmergingThreatsandCountermeasuresWeek6Lecture-CollectionandCorrelation.pptx

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

1

Reference

Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.

Introduction

Welcome to our sixth week together covering the protection of our national infrastructure. This week we’ll be

examining collection and correlation of cyberthreat intelligence for applying data to the defense of your local

network and across the national critical infrastructure.

Assigned Reading

Textbook Chapters 8 and 9 covering discretion as a mechanism of protecting

the digital infrastructure of our national cybersecurity infrastructure.

Discussion

Pick a popular strain of malware currently affecting the digital community.

Try to select a unique bit of malware that your peers haven’t covered yet.

Tell how the malware originated, what it does, who is responsible for creating and distributing it, and how to recover from it.

Explain any special elements of it that make it interesting or particularly effective.

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

2

Learning Outcomes

This week we will be learning about how to utilize discretion the protection of our local networks and the overall

national critical infrastructure. We will also look at how we can use passive protections to decrease the likelihood

of vulnerability discovery. The less that you look like a target and the less attention you draw to yourself

decreases the likelihood of an intentional attack.

Collection and Correlation

What is collection and how does it apply to the national critical infrastructure?

What is correlation and how does it apply to the national CI?

Describe malware and the categories of attack associated with it.

Describe state-sponsored malware.

Distinguish state-sponsored malware from cybercrime.

Explain malware prevention mechanisms.

What is reverse engineering and how does it work?

Reference

Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

3

Research Paper

Next week you will have a requirement to create a research paper as a final term project. You will be required to

select one case study from the textbook, research the topic, and report on the case.

Content

The structure of your paper should be about seven to eight pages, not including

the title, abstract, and reference pages. That’s seven to eight pages of content.

Your submission must be in full APA 7th Edition format.

Title page (no Running Head):

Abstract

Body (7-8 pages)

Introduction

Case Study with appropriate citation

Discussion

Conclusion

Proper Section Headers

References (at least four)

Correct grammar, spelling, form, and format.

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

4

Collection

“The principle of collection involves automated gathering of system-related information about national

infrastructure to enable security analysis.” (Amoroso, 2012)

Local versus National

International third-party providers like PacketViperTM have sensors deployed around the

world that monitor malicious traffic and report back to governments and businesses.

Locally, you can install packet traffic monitors like Wireshark (below) and logging tools

(right) to collect system-related information.

Reference

Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.

https://www.packetviper.com

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

5

Correlation

“The principle of correlation involves a specific type of analysis that can be performed on factors related to national

infrastructure protection. The goal of correlation is to identify whether security-related indicators might emerge

from the analysis.” (Amoroso, 2012)

Local versus National

Huge volumes of data are collected every data at the local level and must

be analyzed. This volume makes manual analysis impossible. There are

tools available in both open-

source and commercial

products that will facilitate this

analysis. At the national level,

refined data is sent to the cyber

threat intelligence groups we’ve

already discussed for wider

dissemination in forms such as

Yara rules as seen to the left.

Reference

Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.

https://github.com/Yara-Rules/rules

https://www.tenable.com/

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

6

Malware

Noun – Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.

Origin: 1990s blend of ‘malicious’ and ‘software’. (Oxford Dictionary)

Impact

How has malware directly affected you? As an individual, you

have probably had your personal identifiable information (PII)

stolen and perhaps even been the victim of identity theft. As

a cybersecurity professional, you’ve probably had several

occasions where you’ve had to clean up a computer or a

network that has been infected. As an employee of a business

or even student you may have been kept from working on a

project or missed a deadline due to malware infection. Malware

affects everyone and there seems to be no escape from it.

Reference

Sikorski, M. and Horig, A. (2012). Practical malware analysis: A hands-on guide to dissecting malicious software.

San Francisco, CA: No Starch Press. ISBN: 978-1593272906.

https://honigconte.com/

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

7

State-Sponsored Malware

“It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against

both physical and cyber threats” (PPD-21, 2013).

Local versus National

Countries have a vested interest in developing and

protecting their critical infrastructures. Some countries

attempt to enhance their capabilities by stealing from

others. Some countries want to harm competition from

foreign countries. And still others want to prepare for

kinetic warfare by practicing attacks against foreign

critical infrastructure.

References

Gertz, B. (September 28, 2016). China cyber espionage continues. The Washington Time. Retrieved 7/23/2018 from

https://www.washingtontimes.com/news/2016/sep/28/china-cyber-espionage-continues/.

 

Kaspersky, E. (February 25, 2015). The most sophisticated cyber espionage campaign ever – but who’s behind it? Forbes. Retrieved 7/20/2018 from

https://www.forbes.com/sites/eugenekaspersky/2015/02/25/the-most-sophisticated-cyber-espionage-campaign-ever-but-whos-behind-it/#2155f9eefa0a.

 

Yan, S. (March 24, 2016). Chinese man admits to cyberspying on Boeing and other US firms. CNN. Retrieved 7/23/2016) from

https://money.cnn.com/2016/03/24/technology/china-cyber-espionage-military/index.html.

PPD-21. (February 12, 2013). Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience. Retrieved 7/20/2018 from https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.

https://www.fbi.gov

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

8

Cybercrime

Criminal activity (such as fraud, theft, or distribution of child pornography) committed using a computer especially

to illegally access, transmit, or manipulate data. (https://www.merriam-webster.com/)

Local versus National

Theft of digital content, encryption ransomware, DDoS ransom attacks,

corporate espionage, identity theft, business email compromise, phishing

attacks, and the list goes on. There are also digital components of traditional

criminal activity that can be attributed as cybercrime. Organized criminal

organizations from all over the world are now involved making this a multi-

billion-dollar international criminal business. Coordinating the response to

these attacks requires interdiction at the national and international level.

Critical infrastructure systems are especially vulnerable to system shut-down

attacks as they can’t afford to be non-operational for any duration of time.

References

NJCCIC. (2018). Ransomware. New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Retrieved 7/22/2018 from https://www.cyber.nj.gov/threat-profiles/ransomware-variants/.

 

US v. Sazonov. (2017). United States v. Sazonov, Docket 1:17-mj-02798. United States District Court for the Southern District of New York. Retrieve 7/23/2018 from http://tsi.brooklaw.edu/cases/united-states-v-sazonov.

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

9

Experimenting and Prevention

Where do hacker go for their training, support, and services?

They go to the dark web. Several research programs have found

that more content is there than on the surface web.

Signature versus Behavioral

The anti-malware systems that you’re used are called signature

based. That’s because once malware is identified, it is sent to

a lab for analysis and a hash value is created. That hash is sent

to anti-malware systems on servers and desktops for comparison

to incoming files to quarantine matches. Behavior based anti-

malware continuously watches the activity of programs, services,

and processes for aberrant behavior like unexpected encryption

occurring on files. Suspecting ransomware, the anti-malware

will shut down the offending process until a human can intervene

and determine if was a legitimate execution.

cdn.images.dailystar.co.uk/

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

10

Reverse Engineering

It’s not like you see in the movies. It’s also not for the faint-hearted. Still, it’s something you should know about.

Reference

Google. (2018). Retrieved 7/20/2018 from http://www.virustotal.com.

Windbg screenshot

Ollydbg screenshot

ITS 834 Emerging Threats & Countermeasures

Week 6 – Collection and Correlation

Dr. Brian Toevs ([email protected])

11

Conclusion

This week you were asked to read Chapters 8 and 9 of our textbook. In addition to the lecture you have just followed,

you should have met the learning objectives expected of you this week. You will now be evaluated on the

retention of this material through your Discussion posts and weekly Quiz.

Lessons Learned

What is collection and how does it apply to the national critical infrastructure?

What is correlation and how does it apply to the national CI?

Describe malware and the categories of attack associated with it.

Describe state-sponsored malware.

Distinguish state-sponsored malware from cybercrime.

Explain malware prevention mechanisms.

What is reverse engineering and how does it work?

Next Week

Read Chapter 10 of your textbook about Awareness. You will have a Discussion thread to post and a quiz on the material presented in the textbook.