National Critical Infrastructure, Cyberthreats, Attack Strategies, Mitigations
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
1
Reference
Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.
Introduction
Welcome to our sixth week together covering the protection of our national infrastructure. This week we’ll be
examining collection and correlation of cyberthreat intelligence for applying data to the defense of your local
network and across the national critical infrastructure.
Assigned Reading
Textbook Chapters 8 and 9 covering discretion as a mechanism of protecting
the digital infrastructure of our national cybersecurity infrastructure.
Discussion
Pick a popular strain of malware currently affecting the digital community.
Try to select a unique bit of malware that your peers haven’t covered yet.
Tell how the malware originated, what it does, who is responsible for creating and distributing it, and how to recover from it.
Explain any special elements of it that make it interesting or particularly effective.
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
2
Learning Outcomes
This week we will be learning about how to utilize discretion the protection of our local networks and the overall
national critical infrastructure. We will also look at how we can use passive protections to decrease the likelihood
of vulnerability discovery. The less that you look like a target and the less attention you draw to yourself
decreases the likelihood of an intentional attack.
Collection and Correlation
What is collection and how does it apply to the national critical infrastructure?
What is correlation and how does it apply to the national CI?
Describe malware and the categories of attack associated with it.
Describe state-sponsored malware.
Distinguish state-sponsored malware from cybercrime.
Explain malware prevention mechanisms.
What is reverse engineering and how does it work?
Reference
Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
3
Research Paper
Next week you will have a requirement to create a research paper as a final term project. You will be required to
select one case study from the textbook, research the topic, and report on the case.
Content
The structure of your paper should be about seven to eight pages, not including
the title, abstract, and reference pages. That’s seven to eight pages of content.
Your submission must be in full APA 7th Edition format.
Title page (no Running Head):
Abstract
Body (7-8 pages)
Introduction
Case Study with appropriate citation
Discussion
Conclusion
Proper Section Headers
References (at least four)
Correct grammar, spelling, form, and format.
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
4
Collection
“The principle of collection involves automated gathering of system-related information about national
infrastructure to enable security analysis.” (Amoroso, 2012)
Local versus National
International third-party providers like PacketViperTM have sensors deployed around the
world that monitor malicious traffic and report back to governments and businesses.
Locally, you can install packet traffic monitors like Wireshark (below) and logging tools
(right) to collect system-related information.
Reference
Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.
https://www.packetviper.com
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
5
Correlation
“The principle of correlation involves a specific type of analysis that can be performed on factors related to national
infrastructure protection. The goal of correlation is to identify whether security-related indicators might emerge
from the analysis.” (Amoroso, 2012)
Local versus National
Huge volumes of data are collected every data at the local level and must
be analyzed. This volume makes manual analysis impossible. There are
tools available in both open-
source and commercial
products that will facilitate this
analysis. At the national level,
refined data is sent to the cyber
threat intelligence groups we’ve
already discussed for wider
dissemination in forms such as
Yara rules as seen to the left.
Reference
Amoroso, E. (2012). Cyber attacks: Protecting national infrastructure, 1st Ed. Butterworth-Heinemann.
https://github.com/Yara-Rules/rules
https://www.tenable.com/
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
6
Malware
Noun – Software that is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
Origin: 1990s blend of ‘malicious’ and ‘software’. (Oxford Dictionary)
Impact
How has malware directly affected you? As an individual, you
have probably had your personal identifiable information (PII)
stolen and perhaps even been the victim of identity theft. As
a cybersecurity professional, you’ve probably had several
occasions where you’ve had to clean up a computer or a
network that has been infected. As an employee of a business
or even student you may have been kept from working on a
project or missed a deadline due to malware infection. Malware
affects everyone and there seems to be no escape from it.
Reference
Sikorski, M. and Horig, A. (2012). Practical malware analysis: A hands-on guide to dissecting malicious software.
San Francisco, CA: No Starch Press. ISBN: 978-1593272906.
https://honigconte.com/
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
7
State-Sponsored Malware
“It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against
both physical and cyber threats” (PPD-21, 2013).
Local versus National
Countries have a vested interest in developing and
protecting their critical infrastructures. Some countries
attempt to enhance their capabilities by stealing from
others. Some countries want to harm competition from
foreign countries. And still others want to prepare for
kinetic warfare by practicing attacks against foreign
critical infrastructure.
References
Gertz, B. (September 28, 2016). China cyber espionage continues. The Washington Time. Retrieved 7/23/2018 from
https://www.washingtontimes.com/news/2016/sep/28/china-cyber-espionage-continues/.
Kaspersky, E. (February 25, 2015). The most sophisticated cyber espionage campaign ever – but who’s behind it? Forbes. Retrieved 7/20/2018 from
https://www.forbes.com/sites/eugenekaspersky/2015/02/25/the-most-sophisticated-cyber-espionage-campaign-ever-but-whos-behind-it/#2155f9eefa0a.
Yan, S. (March 24, 2016). Chinese man admits to cyberspying on Boeing and other US firms. CNN. Retrieved 7/23/2016) from
https://money.cnn.com/2016/03/24/technology/china-cyber-espionage-military/index.html.
PPD-21. (February 12, 2013). Presidential Policy Directive 21 – Critical Infrastructure Security and Resilience. Retrieved 7/20/2018 from https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil.
https://www.fbi.gov
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
8
Cybercrime
Criminal activity (such as fraud, theft, or distribution of child pornography) committed using a computer especially
to illegally access, transmit, or manipulate data. (https://www.merriam-webster.com/)
Local versus National
Theft of digital content, encryption ransomware, DDoS ransom attacks,
corporate espionage, identity theft, business email compromise, phishing
attacks, and the list goes on. There are also digital components of traditional
criminal activity that can be attributed as cybercrime. Organized criminal
organizations from all over the world are now involved making this a multi-
billion-dollar international criminal business. Coordinating the response to
these attacks requires interdiction at the national and international level.
Critical infrastructure systems are especially vulnerable to system shut-down
attacks as they can’t afford to be non-operational for any duration of time.
References
NJCCIC. (2018). Ransomware. New Jersey Cybersecurity and Communications Integration Cell (NJCCIC). Retrieved 7/22/2018 from https://www.cyber.nj.gov/threat-profiles/ransomware-variants/.
US v. Sazonov. (2017). United States v. Sazonov, Docket 1:17-mj-02798. United States District Court for the Southern District of New York. Retrieve 7/23/2018 from http://tsi.brooklaw.edu/cases/united-states-v-sazonov.
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
9
Experimenting and Prevention
Where do hacker go for their training, support, and services?
They go to the dark web. Several research programs have found
that more content is there than on the surface web.
Signature versus Behavioral
The anti-malware systems that you’re used are called signature
based. That’s because once malware is identified, it is sent to
a lab for analysis and a hash value is created. That hash is sent
to anti-malware systems on servers and desktops for comparison
to incoming files to quarantine matches. Behavior based anti-
malware continuously watches the activity of programs, services,
and processes for aberrant behavior like unexpected encryption
occurring on files. Suspecting ransomware, the anti-malware
will shut down the offending process until a human can intervene
and determine if was a legitimate execution.
cdn.images.dailystar.co.uk/
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
10
Reverse Engineering
It’s not like you see in the movies. It’s also not for the faint-hearted. Still, it’s something you should know about.
Reference
Google. (2018). Retrieved 7/20/2018 from http://www.virustotal.com.
Windbg screenshot
Ollydbg screenshot
ITS 834 Emerging Threats & Countermeasures
Week 6 – Collection and Correlation
Dr. Brian Toevs ([email protected])
11
Conclusion
This week you were asked to read Chapters 8 and 9 of our textbook. In addition to the lecture you have just followed,
you should have met the learning objectives expected of you this week. You will now be evaluated on the
retention of this material through your Discussion posts and weekly Quiz.
Lessons Learned
What is collection and how does it apply to the national critical infrastructure?
What is correlation and how does it apply to the national CI?
Describe malware and the categories of attack associated with it.
Describe state-sponsored malware.
Distinguish state-sponsored malware from cybercrime.
Explain malware prevention mechanisms.
What is reverse engineering and how does it work?
Next Week
Read Chapter 10 of your textbook about Awareness. You will have a Discussion thread to post and a quiz on the material presented in the textbook.