Pattern Recognition and Applications Lab
University of Cagliari, Italy
Department of Electrical and Electronic Engineering
http://pralab.diee.unica.it

Cybersecurity: History and Current Threats
Spring Semester 2019-2020

The Evolution of Communication

Communications

Human generations & communications (D. De Kerckhove)

Packet switching for communication
• 1965: the first wide-area computer network experiment. Lawrence Roberts and Thomas Merrill connected the TX-2 at MIT Lincoln Lab to the Q-32 at SDC in California over a dial-up telephone line; the experiment showed that circuit switching was inadequate for computer traffic and motivated packet switching.
• How packet switching works:
– the message is first coded into a binary string
– the string is subdivided into chunks of (at most) equal size
– each chunk gets a header carrying the sender and recipient addresses and the sequence information needed for reassembly; header plus chunk is a packet
– each packet is routed independently to the final destination through different computers and networks
– packets may reach the destination out of order, or not at all
– the message is reconstructed at the destination from the sequence numbers

In the beginning it was the ARPANET
• 1969: the U.S. Defense Department's Advanced Research Projects Agency (ARPA) funded ARPANET, the packet-switched network from which the Internet developed
• '70s
– some U.S. and UK universities and research centres connect to the ARPANET
– definition of the protocols (including TCP/IP)
– email service
– first commercial packet-switching services

The growth of the Internet
• '80s
– universities around the world create their national networks and connect them with one another
• '90s
– first dial-up Internet services for the public
– birth of the WWW; HTML for creating web sites
• 2000s
– dot-com bubble
– on-line social networks

Summing up…
• The Internet was first designed
– as a private network for defence purposes
– as a network for sharing knowledge among researchers
• The Internet enabled digital communication: text, audio, pictures, movies over the same channel
• The Internet was NOT designed
– for ordinary communications among persons
– for the communication of citizens with banks, the health sector, the government, etc.
• Consequence: the core protocols assumed cooperating, trusted parties; security had to be added later, on top

Security and Computers

The Value of Things

Cyber Crime
• High gain/cost ratio
• Goods and risks are transformed into intangible assets
• Low material costs
• Life is rarely at risk
• Cyber crime is not perceived as a crime

The '80s…
"Wargames", 1983 - https://youtu.be/U2_h-EFlztY

Nowadays…

Computer risks underestimated ("Wargames", 1983)

History of Computer Attacks

Funny names…
• 1947
A moth stuck in a relay was found in the Harvard Mark II computer while Grace Hopper's team was working on it, and was taped into the log book as the "first actual case of bug being found": debugging.
• 1964 – 1970
A toy whistle that was, at the time, packaged in boxes of Cap'n Crunch cereal was discovered to emit a tone at precisely 2600 Hz, the same frequency used by AT&T long lines to signal that a trunk line was idle and available to route a new call.
Experimenting with this whistle led to blue boxes: electronic devices capable of reproducing the other in-band signalling tones used by AT&T.
AT&T monitored calls from payphones to detect phreakers, those who made free long-distance calls by generating the signalling tones with blue boxes. The lesson outlived the phone network: when control signals travel in the same channel as data, data can be interpreted as instructions, the same ambiguity behind injection attacks today.

Virus and Worm – the early days
• 1979
The first worm programs were developed at Xerox PARC; the goal was a tool to make better use of idle networked computers, not an attack
• 1983
The term "computer virus" is used for the first time (Fred Cohen's experiments)
• 1986
Brain, the first virus for MS-DOS PCs (a boot-sector virus). The developers included their contact information so that infected users could contact them for the removal…

Offensive Viruses and Worms
• 1987
Alameda, Cascade, Jerusalem, Lehigh and Miami viruses
• 1988
Robert Morris's worm spread through the ARPANET and disabled about 6,000 computers; Morris was sentenced to probation, community service and a $10,050 fine, the first conviction under the U.S. Computer Fraud and Abuse Act
• 1990
The first polymorphic ("mutant") virus, which rewrites its own code at each infection to defeat signature matching
• 1995
The first macro virus (Concept), exploiting the macro feature in MS Word

Coordinated attacks
• 1998
Solar Sunrise: two Californian teenagers, guided by an Israeli hacker, broke into some 500 computers (private, military, government) through a coordinated attack on a known, unpatched vulnerability
• 2000
Amazon, Yahoo, and eBay were taken offline by flooding (distributed denial of service) traffic from compromised machines, among them computers at UCSB
• 2001
The Code Red worm caused an estimated $2 billion in losses by infecting Windows NT and Windows 2000 machines running the IIS web server
• 2016
A DDoS attack against Dyn, a DNS provider, made a large part of Internet sites unreachable for users on the US East Coast: taking out the name resolution of a shared provider denies every service behind it

Evolution of attacker’s motivations
(Source: Marco Morana. Figure: threat severity rising over the years 1995-2015, with four generations of threat actors and the landmark cases on the timeline.)

• Threat actors: occasional intruders
Motives: testing and probing systems and channels, computer disruptions, hacking
Attacks: exploiting absence of security controls, sniffing data traffic

• Threat actors: script kiddies
Motives: notoriety and fame, world-wide notoriety by spreading viruses and worms, computer disruptions, profit from botnet spamming
Attacks: viruses, worms, DoS, buffer overflow exploits, spamming, sniffing network traffic, phishing emails with viruses

• Threat actors: fraudsters, cyber-gangs
Motives: identity theft, online and credit/debit card fraud
Attacks: SQLi, sniffing wireless traffic, session hijacking, phishing, vishing, drive-by download, account take-over, MitM (man in the middle), MitB (man in the browser), counterfeiting, banking malware, Trojans

• Threat actors: hacktivists, cyber criminals, state-sponsored spies, cyber-warfare actors, fraudsters
Motives: political, stealing company secrets, fraud, reputation damage
Attacks: DDoS, APTs, account take-over, MitM, MitB, session hijacking

Landmark cases on the timeline: Tim Lloyd, Omega Engineering (1996); Vladimir Levin, Citibank (1998); Onel de Guzman, ILoveYou virus (2000); Albert Gonzalez, TJ Maxx (2007); Israel-Palestine DDoS (2012); Rinat Shabayev, BlackPOS (2013)

Economic motivations
(figures)

Threat Actors and Their Motives
(Figure: actors and motives, from the Verizon 2019 Data Breach Investigations Report)

Computer Security

The CIA Triad
Figure 1.1 Essential Network and Computer Security Requirements: data and services protected by Confidentiality, Integrity and Availability (the CIA triad), plus Authenticity and Accountability

Hardware
• Availability
– damage, theft
– power outages
• Confidentiality and Integrity
– access to memory and register contents (e.g., by an attacker with physical access or through a compromised peripheral)
– trust in the implementation: a flaw or backdoor in the hardware undermines every software control built on top of it

Levels of Impact (FIPS 199)
• Low: the loss could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals
• Moderate: the loss could be expected to have a serious adverse effect
• High: the loss could be expected to have a severe or catastrophic adverse effect
The level is assessed separately for the loss of confidentiality, integrity and availability of each asset.

Architecture of a Computer System from a Security Perspective

Threat Model
• Any action performed by a computer system can be modelled as an information flow from a source to a sink (destination)
• Computer attacks aim at altering this information flow
• Four main categories of attacks can be defined (Figure 15.2, Security Threats): starting from (a) the normal flow from information source to information destination, an attacker can cause (b) interruption, (c) interception, (d) modification or (e) fabrication

1. Interruption
• An asset is destroyed or made unusable
– hardware damage
– interruption of communication lines
– exhaustion of all the available resources
– disabling of core services
• This kind of attack is called Denial of Service (DoS), as it threatens availability

2. Interception
• An unauthorised third party gains access to the information flow (e.g., eavesdropping on a network link, copying files)
• This attack is a threat to confidentiality; being passive, it leaves the flow itself untouched and is hard to detect

3. Modification
• An unauthorised third party
– intercepts the information flow, typically by spoofing the identity of the destination (an attack in its own right)
– sends a modified flow on to the destination
• This attack is a threat to confidentiality and integrity

4. Fabrication
• An unauthorised third party injects information flows of its own by spoofing the identity of the source
• This attack is a threat to integrity (and authenticity): the destination accepts data that never came from the legitimate source
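The four attack classes above, run against a protected channel, as an added example that is not part of the slides: the source tags each message with an HMAC over a sequence number and the payload, and the destination checks the tag. The shared key, the messages and the attacker's replacement payload are constructed for the demo. It shows what the slides state: modification and fabrication are integrity attacks, so an integrity check catches them; interception is a confidentiality attack that no integrity check can see (encryption is the countermeasure); interruption is detected only as absence. It goes one step beyond the slides by also showing a replay, a fabrication that reuses a genuine message, which the sequence number catches.

```python
"""Added example, not from the slides: the four attacks on an information
flow (interruption, interception, modification, fabrication) run against a
channel protected by HMAC-SHA256.  Key, messages and attacker payload are
constructed for the demo."""
import hashlib
import hmac
import json
import secrets

KEY = b"pre-shared key between source and destination"  # assumption: agreed out of band


def send(seq, payload, key=KEY):
    """Source: tag (seq, payload) so the destination can verify integrity and origin."""
    body = json.dumps({"seq": seq, "payload": payload}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def receive(msg, expected_seq, key=KEY):
    """Destination: 'ok', or the reason the message is rejected."""
    if msg is None:
        return "interrupted"            # nothing arrived for this sequence number
    expected = hmac.new(key, msg["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return "bad-mac"                # body changed, or tag made without the key
    if json.loads(msg["body"])["seq"] != expected_seq:
        return "replayed-or-reordered"  # genuine message, wrong position in the flow
    return "ok"


# --- the attacker sits between source and destination and has no key ---
def interruption(msg):
    return None                         # the message is dropped


def interception(msg):
    leaked = json.loads(msg["body"])["payload"]   # attacker reads the plaintext...
    return msg, leaked                            # ...and forwards the message untouched


def modification(msg):
    body = json.loads(msg["body"])
    body["payload"] = "PAY 1000 TO MALLORY"
    return {"body": json.dumps(body, sort_keys=True).encode(), "tag": msg["tag"]}


def fabrication(seq):
    # the attacker makes up a message and tags it with a key of its own choosing
    return send(seq, "PAY 1000 TO MALLORY", key=secrets.token_bytes(32))


def run_demo():
    """Returns the destination's verdict for the normal flow and for each attack."""
    m = send(1, "PAY 10 TO BOB")
    forwarded, leaked = interception(m)
    return {
        "normal": receive(m, 1),
        "interruption": receive(interruption(m), 1),
        "interception": receive(forwarded, 1),   # passes: an integrity check cannot see a read
        "leaked": leaked,                         # ...which is why confidentiality needs encryption
        "modification": receive(modification(m), 1),
        "fabrication": receive(fabrication(2), 2),
        "replay": receive(m, 2),                  # old genuine message re-sent later
    }


if __name__ == "__main__":
    for attack, verdict in run_demo().items():
        print(f"{attack:13s} -> {verdict}")
```

The MAC alone gives integrity and authenticity of origin; the sequence number adds freshness; neither gives confidentiality, which is the point of keeping interception as a separate category.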

Summary: what the attacks on each asset class look like

Hardware
– Availability: equipment is stolen or disabled, thus denying service
Software
– Availability: programs are deleted, denying access to users
– Confidentiality: an unauthorised copy of software is made
– Integrity/Authenticity: a working program is modified, either to cause it to fail during execution or to cause it to do some unintended task
Data
– Availability: files are deleted, denying access to users
– Confidentiality: an unauthorised read of data is performed; an analysis of statistical data reveals underlying data
– Integrity/Authenticity: existing files are modified or new files are fabricated
Communication lines
– Availability: messages are destroyed or deleted; communication lines or networks are rendered unavailable
– Confidentiality: messages are read; the traffic pattern of messages is observed
– Integrity/Authenticity: messages are modified, delayed, reordered, or duplicated; false messages are fabricated

Threat consequences (RFC 2828, Internet Security Glossary; superseded by RFC 4949, which keeps these definitions)

Unauthorized Disclosure: an entity gains access to data for which the entity is not authorized. Threat actions (attacks):
– Exposure: sensitive data are directly released to an unauthorized entity
– Interception: an unauthorized entity directly accesses sensitive data traveling between authorized sources and destinations
– Inference: an unauthorized entity indirectly accesses sensitive data (but not necessarily the data contained in the communication) by reasoning from characteristics or byproducts of communications
– Intrusion: an unauthorized entity gains access to sensitive data by circumventing a system's security protections

Deception: an authorized entity receives false data and believes it to be true. Threat actions:
– Masquerade: an unauthorized entity gains access to a system or performs a malicious act by posing as an authorized entity
– Falsification: false data deceive an authorized entity
– Repudiation: an entity deceives another by falsely denying responsibility for an act

Disruption: the correct operation of system services and functions is interrupted or prevented. Threat actions:
– Incapacitation: prevents or interrupts system operation by disabling a system component
– Corruption: undesirably alters system operation by adversely modifying system functions or data
– Obstruction: interrupts delivery of system services by hindering system operation

Usurpation: control of system services or functions by an unauthorized entity. Threat actions:
– Misappropriation: an entity assumes unauthorized logical or physical control of a system resource
– Misuse: causes a system component to perform a function or service that is detrimental to system security

Vulnerabilities

Definitions
• Vulnerability
– any flaw in the system that can be leveraged to perform attacks against availability, confidentiality and integrity
• e.g., lack of access controls, unchecked buffer bounds in C, etc.
• Threat
– the potential for a threat source to successfully exploit a particular information system vulnerability (ENISA)
• Attack
– any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself [by exploiting system vulnerabilities] (CNSS)
• In short: a threat is a possibility, an attack is its realisation, and a vulnerability is what makes it possible

Finding Threats
• Any computer program or protocol may contain weaknesses
– originating from the programming language (e.g., no bounds checking)
– causing unexpected outputs from unexpected inputs
– that allow the arbitrary modification of the program's control flow
• Maliciousness depends on the context
– input values, API usage, etc. cannot be considered malicious per se; maliciousness is related to the context and to the consequences
– ambiguity and misinterpretation may occur when data and instructions are passed from one component to another
• Detecting weaknesses is a very difficult task
– deep knowledge of languages and protocols
– multiple information sources (network traffic, application logs, system calls, etc.)
– static or dynamic analysis

Sources of vulnerabilities
(Figure: a chain of components, each passing "Data and Instructions" to the next; vulnerabilities arise from ambiguities in the interpretation and processing of byte flows at each hand-over)
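The "data becomes instructions" ambiguity of the figure above, as an added example that is not part of the slides: a query built by string concatenation beside its parameterised form, run against an in-memory SQLite table. The table, its rows and the attacker's input are constructed; sqlite3 stands in for any SQL backend, and the same hand-over problem appears wherever one component serialises data into another component's language (shell commands, HTML, LDAP filters).

```python
"""Added example, not from the slides: the same lookup written so that the
caller's bytes are spliced into the SQL instruction stream, and written so
that they travel as data.  Table, rows and attacker input are constructed."""
import sqlite3

ATTACKER_INPUT = "x' OR '1'='1"   # constructed: closes the literal, appends a tautology


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


def lookup_vulnerable(conn, name):
    # The SQL parser receives one byte string and cannot tell where the data
    # ends and the instruction resumes: the caller's quote mark closes the literal.
    query = f"SELECT name, secret FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_hardened(conn, name):
    # The instruction is fixed at compile time; the value is bound afterwards
    # and is never re-parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT name, secret FROM users WHERE name = ?", (name,)).fetchall()


def demo():
    """Runs both lookups with a normal name and with the attacker's input."""
    conn = make_db()
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_attack": lookup_vulnerable(conn, ATTACKER_INPUT),   # every row
        "hardened_normal": lookup_hardened(conn, "alice"),
        "hardened_attack": lookup_hardened(conn, ATTACKER_INPUT),       # no such user
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case:18s} -> {rows}")
```

The vulnerable query becomes `SELECT ... WHERE name = 'x' OR '1'='1'`, true for every row; the parameterised one looks for a user literally named `x' OR '1'='1` and finds none. Escaping the input is not the fix; keeping data and instructions on separate paths is.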

Example: Obfuscation, a program that builds a program that builds a program…
D. Ugarte, D. Maiorca, F. Cara, G. Giacinto. PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware, DIMVA 2019
• Obfuscation: modifications to binary files or source code that do not alter the semantics but make them hard to understand for human analysts and for machines
• The core activity of the resulting program is not evident, as it is hidden behind layers of manipulation functions (string concatenation, encoding, reversing, character-code tables) that only produce the real code at run time
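The layered construction described on the two slides above, as an added example that is neither from the slides nor from PowerDrive: three reversible string transformations are stacked so that each layer is a program whose only job is to rebuild and execute the previous one, and a static de-obfuscator peels them by recognising the shape of each wrapper. The inner command, the layer order and the wrapper shapes are constructed; the example is in Python rather than PowerShell, but the mechanism is the same.

```python
"""Added example, not from the slides and not PowerDrive's code: a program
that builds a program that builds a program, from three reversible string
transformations, and a static de-obfuscator that peels the layers without
executing anything.  Inner command, layer order and wrapper shapes are constructed."""
import ast
import base64
import re

INNER = "print('beacon to 198.51.100.7')"   # constructed, benign stand-in for the real payload


# Each layer wraps the current code in a new program that rebuilds it and exec()s it.
def layer_base64(code):
    encoded = base64.b64encode(code.encode()).decode()
    return f"exec(__import__('base64').b64decode('{encoded}').decode())"


def layer_charcodes(code):
    codes = ",".join(str(ord(ch)) for ch in code)
    return f"exec(''.join(chr(c) for c in [{codes}]))"


def layer_reverse(code):
    return f"exec({code[::-1]!r}[::-1])"


LAYERS = [layer_base64, layer_charcodes, layer_reverse, layer_base64]   # applied innermost first


def obfuscate(code, layers=LAYERS):
    for layer in layers:
        code = layer(code)
    return code


# De-obfuscation: recognise each wrapper by its shape and undo it.  Nothing is
# executed, so this is safe on a real sample; the flip side is that a wrapper
# with no pattern here (or one whose output depends on run-time state) stops
# the peeling, which is the limit of purely static analysis.
PEELERS = [
    ("base64",
     re.compile(r"^exec\(__import__\('base64'\)\.b64decode\('([A-Za-z0-9+/=]+)'\)\.decode\(\)\)$"),
     lambda m: base64.b64decode(m.group(1)).decode()),
    ("charcodes",
     re.compile(r"^exec\(''\.join\(chr\(c\) for c in \[([0-9,]+)\]\)\)$"),
     lambda m: "".join(chr(int(c)) for c in m.group(1).split(","))),
    ("reverse",
     re.compile(r"^exec\((.*)\[::-1\]\)$", re.S),
     lambda m: ast.literal_eval(m.group(1))[::-1]),
]


def deobfuscate(code, max_layers=32):
    """Returns (core code, names of the layers peeled, outermost first)."""
    peeled = []
    for _ in range(max_layers):
        for name, pattern, undo in PEELERS:
            m = pattern.match(code)
            if m:
                peeled.append(name)
                code = undo(m)
                break
        else:
            return code, peeled          # no known wrapper left: this is the core
    raise ValueError("too many layers; refusing to continue")


if __name__ == "__main__":
    blob = obfuscate(INNER)
    print(f"obfuscated ({len(blob)} bytes): {blob[:60]}...")
    core, layers = deobfuscate(blob)
    print("layers:", " -> ".join(layers))
    print("core  :", core)
```

Note that a signature on the inner command is useless against the outer blob, which is pure base64: the detector either peels, as above, or instruments execution and catches the code when the last layer hands it to the interpreter.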

Vulnerabilities exploited in 2015
(Figure from DBIR – Verizon 2016)

CVE – Common Vulnerabilities and Exposures
http://cve.mitre.org - https://nvd.nist.gov
Each publicly known vulnerability gets one identifier (CVE-YYYY-NNNN…), so that vendors, scanners and advisories all refer to the same flaw

Exploiting vulnerabilities

Critical vulnerabilities
https://nvd.nist.gov/vuln-metrics/visualizations/cvss-severity-distribution-over-time
Severity according to the CVSS (Common Vulnerability Scoring System): the base score (0 to 10) combines how reachable a flaw is (attack vector, attack complexity, privileges and user interaction required) with its impact on confidentiality, integrity and availability

Examples
• Search information on CVE-2020-0601
– technical description
– severity
– exploits
– available patches
• Search information on CVE-2019-8197
– technical description
– severity
– exploits
– available patches

The search engine for exposed devices

Defense in Depth and Attack Surface
Figure 1.4 Defense in Depth and Attack Surface: security risk as a function of the size of the attack surface (small to large) and of the depth of layering (deep to shallow). A small surface with deep layering gives low risk; a large surface with shallow layering gives high risk; the other two combinations give medium risk.
An attack surface consists of the reachable and exploitable vulnerabilities in a system; defense in depth places several independent controls in the attacker's path so that no single failure is enough to reach the asset.

Threats

ENISA Threat taxonomy
https://www.enisa.europa.eu/topics/threat-risk-management/threats-and-trends/enisa-threat-landscape/threat-taxonomy/view

Threat Landscape 2018
https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2018

Why Malware is the No. 1 Threat

Cyber Threat Intelligence

Cyber Kill Chain
Released by Lockheed Martin in 2011.
The model breaks an intrusion into seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, actions on objectives.
The rationale is that by understanding each of these stages, defenders can better identify and stop attackers at each of the respective stages: breaking the chain at any one stage stops the intrusion.
Since 2011, various versions of the "Cyber Kill Chain" have been released.

Attack Libraries
• Allow listing concrete threats, categorised according to the kill chain taxonomy
– CAPEC (MITRE): Common Attack Pattern Enumeration and Classification, v3.1 (April 2019, 519 attack patterns)
– ATT&CK (MITRE): knowledge base of adversary tactics and techniques based on real-world observations
– OWASP Cheat Sheet Series: a concise collection of high-value information on specific web application security topics

Advanced Persistent Threats (APT)
• Persistence
– threat actors want to keep access to their victims' networks even after (partial) discovery and clean-up
• Persistence is achieved by ensuring that the malware loads every time a machine reboots
– registering the malware to run as a service
– modifying auto-start entries (e.g., the Run registry keys, scheduled tasks, the Startup folder)
– creating files in specific locations to trick legitimate programs into loading them (e.g., DLL search-order hijacking)
• Defensive check: a baseline of auto-start entries and installed services, diffed regularly, surfaces most of these

Lateral Movement
• The threat actor moves laterally from the initially infected machine to neighbouring hosts
– to perform reconnaissance activities
– to increase the number of compromised machines
• Lateral movement often occurs without the use of malware
– e.g., abusing operating system services and legitimate administration tools with stolen credentials ("living off the land")
– detection of newly compromised systems is therefore more difficult: nothing malicious need be written to disk
– detection requires correlating the logs of multiple hosts (logons, remote service creation, remote process execution)
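The two detections a defender would run for the behaviours on the APT persistence slide and the lateral movement slide above, as an added example that is not part of the slides: one rule flags persistence (an autostart Run-key write, a service installed from an untrusted path), the other flags lateral movement by correlating network logons across hosts, which no single host's log can show. The log lines are constructed for the demo in a simplified `time|host|channel|event_id|fields…` format; the event IDs are the real Windows Security 4624 (logon), Sysmon 13 (registry value set) and System 7045 (service installed), while the trusted-path list, the thresholds and the account names are assumptions.

```python
"""Added example, not from the slides: persistence and lateral-movement
detections over constructed multi-host log lines.  Event IDs are the real
Windows/Sysmon ones; paths, thresholds and sample data are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample.  Fields after event_id:
#   Security 4624 : logon type, account, source IP
#   Sysmon 13     : registry key written, value written
#   System 7045   : service name, image path
SAMPLE_LOG = r"""
2020-03-02T09:00:05Z|WS01|Security|4624|2|CORP\jdoe|-
2020-03-02T09:01:10Z|WS01|Sysmon|13|HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater|C:\Users\jdoe\AppData\Roaming\svchost.exe
2020-03-02T09:03:00Z|FS01|Security|4624|3|CORP\jdoe|10.0.0.15
2020-03-02T09:04:20Z|DB01|Security|4624|3|CORP\jdoe|10.0.0.15
2020-03-02T09:06:40Z|WS07|Security|4624|3|CORP\jdoe|10.0.0.15
2020-03-02T09:07:00Z|DB01|System|7045|UpdaterSvc|C:\Users\Public\update.exe
2020-03-02T09:30:00Z|FS01|Security|4624|3|CORP\backupsvc|10.0.0.9
2020-03-02T11:15:00Z|FS02|Security|4624|3|CORP\backupsvc|10.0.0.9
2020-03-02T12:00:00Z|WS03|System|7045|WinDefend|C:\Program Files\Windows Defender\MsMpEng.exe
"""

TRUSTED_PREFIXES = ("C:\\Windows\\", "C:\\Program Files")   # assumption: where services normally live


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        time, host, channel, event_id, *fields = line.split("|")
        events.append({"time": datetime.strptime(time, "%Y-%m-%dT%H:%M:%SZ"),
                       "host": host, "channel": channel, "id": int(event_id), "fields": fields})
    return events


def detect_persistence(events):
    """Autostart entries and services installed outside the trusted locations."""
    alerts = []
    for e in events:
        if e["channel"] == "Sysmon" and e["id"] == 13 and "\\CurrentVersion\\Run" in e["fields"][0]:
            alerts.append(("autostart-run-key", e["host"], e["fields"][1]))
        elif e["channel"] == "System" and e["id"] == 7045 and not e["fields"][1].startswith(TRUSTED_PREFIXES):
            alerts.append(("service-from-untrusted-path", e["host"], e["fields"][1]))
    return alerts


def detect_lateral_movement(events, min_hosts=3, window_minutes=10):
    """One account logging on over the network (type 3) to >= min_hosts distinct hosts within the window."""
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for e in events:
        if e["channel"] == "Security" and e["id"] == 4624 and e["fields"][0] == "3":
            by_account[e["fields"][1]].append(e)
    alerts = []
    for account, logons in by_account.items():
        logons.sort(key=lambda e: e["time"])
        for i, first in enumerate(logons):
            hosts = {e["host"] for e in logons[i:] if e["time"] - first["time"] <= window}
            if len(hosts) >= min_hosts:
                alerts.append((account, first["time"].isoformat(), sorted(hosts)))
                break                      # one alert per account is enough
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for a in detect_persistence(evs):
        print("PERSISTENCE ", a)
    for a in detect_lateral_movement(evs):
        print("LATERAL     ", a)
```

The lateral rule only works because the logons from all hosts are collected in one place; on any single host the pattern is one ordinary network logon. In production, machine and backup accounts need an allow list or the rule drowns in noise, and the persistence rule should be paired with a baseline diff rather than a path allow list alone.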

Phishing

Phishing Attack Statistics
(two figures)

Ransomware
(two figures)

Ransomware
• Downloaded from malicious links (and attachments)
• Two main families
– "Lock screen" ransomware: blocks the desktop; the idea is to scare the victim into paying up
– Crypto-ransomware: once it finds its way onto the machine it encrypts all or most of the data on the drive, selected by file type, with a key only the attacker holds
• The attacker demands a ransom, usually a few hundred dollars at the time of these slides, to be paid in Bitcoin in return for the decryption key
• Paying does not guarantee the key; tested, offline backups are the practical defence

Ransomware

Page 74

Cybersecurity Strategy

Page 75

Strategy

Security Policy
Formal statement of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources

Security Implementation
Involves four complementary courses of action:
• Prevention
• Detection
• Response
• Recovery

Assurance
Encompassing both system design and system implementation, assurance is an attribute of an information system that provides grounds for having confidence that the system operates such that the system’s security policy is enforced

Evaluation
• Process of examining a computer product or system with respect to certain criteria
• Involves testing and may also involve formal analytic or mathematical techniques

Page 76

Prevention
• Physical protection of hardware assets
  – physical access control
    • guards, passcodes, biometrics, video surveillance, etc.
  – disaster protection (flooding, fire, etc.)
  – cooling
• Logical access control mechanisms
  – least privilege: only the minimum necessary rights should be assigned to a subject that requests access to a resource, and they should be in effect for the shortest duration necessary
  – Firewalls: block all the traffic flows that are not allowed
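Added example (not from the slides) modelling the two Prevention points above: a firewall that denies every flow not explicitly allowed, and access rights that lapse after the shortest necessary duration. The rule format, addresses and timestamps are constructed for the demonstration.

```python
"""Default-deny firewall with time-bounded allow rules (added example).

Models the Prevention slide: every flow not explicitly allowed is dropped,
and a grant is in effect only for the shortest duration necessary.
Rule fields, addresses and timestamps are constructed for this demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AllowRule:
    src_net: str                        # e.g. "10.0.0.0/8"
    dst_port: int
    proto: str                          # "tcp" or "udp"
    expires_at: Optional[float] = None  # epoch seconds; None = permanent

    def matches(self, src_ip: str, dst_port: int, proto: str, now: float) -> bool:
        if self.expires_at is not None and now >= self.expires_at:
            return False                # grant has lapsed: least privilege in time
        return (ip_address(src_ip) in ip_network(self.src_net)
                and dst_port == self.dst_port
                and proto == self.proto)


class DefaultDenyFirewall:
    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, src_ip: str, dst_port: int, proto: str, now: float) -> str:
        """Return "allow" only if some unexpired rule matches; otherwise "deny"."""
        for rule in self.rules:
            if rule.matches(src_ip, dst_port, proto.lower(), now):
                return "allow"
        return "deny"                   # default deny: not on the allow list


# Constructed policy: permanent HTTPS from the LAN, SSH only for a one-hour window.
MAINTENANCE_END = 1_700_003_600
POLICY = DefaultDenyFirewall([
    AllowRule("10.0.0.0/8", 443, "tcp"),
    AllowRule("10.0.5.0/24", 22, "tcp", expires_at=MAINTENANCE_END),
])

if __name__ == "__main__":
    during, after = 1_700_000_000, 1_700_007_200
    print(POLICY.decide("10.0.5.7", 22, "tcp", during))       # allow
    print(POLICY.decide("10.0.5.7", 22, "tcp", after))        # deny: window closed
    print(POLICY.decide("203.0.113.9", 443, "tcp", during))   # deny: not on the list
    print(POLICY.decide("10.1.2.3", 3389, "tcp", during))     # deny: no rule for RDP
```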

Page 77

Prevention
• Identity management
  – access management
  – authorization management
  – user event behaviour analysis
• Data protection
  – Backup and Redundancy
  – Cryptography
• Software
  – Security updates and patches
  – Trusted sources
  – certified software (http://www.commoncriteriaportal.org)

Page 78

Detection
• Endpoint defence tools
  – Anti-malware products for the detection of viruses, worms, trojans, spyware, etc.
  – installed on any endpoint device
• Intrusion Detection Systems
  – Detect malicious activities by analysing traffic flows
  – Deployed at the perimeter of the protected network
• Security Information and Event Management (SIEM) systems
  – log analysis
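The following added example (not from the slides) ties the Ransomware slide's description of crypto-ransomware rewriting most documents on disk by file type to the SIEM log analysis listed here: it flags a process that modifies many user documents within a short window. The log format, process names and events are constructed for the demonstration.

```python
"""Flagging crypto-ransomware behaviour in endpoint file-event logs (added example).

The Ransomware slide describes malware that rewrites most documents on disk by
file type; a SIEM rule over endpoint write events can surface that burst.
Log format, process names and events below are constructed for this demo."""
from collections import defaultdict

# Constructed log lines: "<epoch> <pid> <process> <action> <path>"
SAMPLE_LOG = """\
1700000000 412 explorer.exe WRITE C:\\Users\\ann\\Documents\\notes.docx
1700000001 912 svchost.exe WRITE C:\\Windows\\Temp\\cache.bin
1700000010 1337 updater.exe WRITE C:\\Users\\ann\\Documents\\report.docx.locked
1700000011 1337 updater.exe WRITE C:\\Users\\ann\\Documents\\budget.xlsx.locked
1700000012 1337 updater.exe WRITE C:\\Users\\ann\\Pictures\\holiday.jpg.locked
1700000013 1337 updater.exe WRITE C:\\Users\\ann\\Documents\\thesis.pdf.locked
1700000014 1337 updater.exe WRITE C:\\Users\\ann\\Desktop\\todo.txt.locked
1700000015 1337 updater.exe WRITE C:\\Users\\ann\\Desktop\\README_DECRYPT.txt
1700000300 412 explorer.exe WRITE C:\\Users\\ann\\Documents\\notes.docx
"""

DOC_TYPES = (".docx", ".xlsx", ".pdf", ".jpg", ".txt")   # file types the malware targets

def is_user_document(path: str) -> bool:
    """True if the file name carries a targeted document type anywhere,
    so a renamed 'report.docx.locked' still counts."""
    name = path.rsplit("\\", 1)[-1].lower()
    return any(ext in name for ext in DOC_TYPES)

def parse(line: str):
    ts, pid, proc, action, path = line.split(" ", 4)
    return int(ts), int(pid), proc, action, path

def detect_mass_rewrite(log_text: str, window: int = 60, threshold: int = 5) -> dict:
    """Return {pid: distinct_files} for every process that WRITEs at least
    `threshold` distinct user documents within any `window` seconds."""
    writes = defaultdict(list)                 # pid -> [(ts, path), ...]
    for line in log_text.splitlines():
        ts, pid, _proc, action, path = parse(line)
        if action == "WRITE" and is_user_document(path):
            writes[pid].append((ts, path))
    alerts = {}
    for pid, events in writes.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide a window from each event
            paths = {p for t, p in events[i:] if t - start <= window}
            if len(paths) >= threshold:
                alerts[pid] = len(paths)
                break
    return alerts
```

A normal user's scattered edits (pid 412 above) never reach the threshold, while the burst of rewrites by pid 1337 does.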

Page 79

Awareness
• We all have multiple identities – one real identity and multiple virtual identities
• Virtual identities
  – a projection of a real identity (persons, companies, government) that exhibits just a portion of the real identity
    • images, places, relations, official documents, etc.
  – …but also identities loosely or not at all related to real identities
    • they just exist in the virtual world

Page 80

Is this the Era of Feudal Security?
https://www.schneier.com/blog/archives/2012/12/feudal_sec.html
• In the Personal Computer era, each person was responsible for their own security
  – backups
  – antivirus
• Are we in a new feudal era where our service providers must provide for our security?
  – A few vendors are becoming our feudal lords
    • for the security of software
    • for the security of the data that we save on their servers

Page 81

Designing for security

Page 82

Why is computer security a big issue?
• Software complexity
  – difficult to fully identify all the threats at design time and at test time
• Networking produces a very complex system
  – difficulty in understanding the effect of all the possible interactions
• New software, and new versions, are released at a fast pace
• Large volume of vulnerabilities discovered daily
  – still many companies do not implement Software Development Lifecycles with security checks

Page 83

Challenges

Page 84

Consumerization
• New technologies are delivered directly to the mass market
  – individuals use new technologies in advance with respect to the company they work for
• Short time-to-market does not allow
  – understanding all the risks related to the new product
  – updating the security assessment
• BYOD (Bring Your Own Device)
  – what happens to the corporate network if the employee is allowed to attach her own device?
  – how can the security be assessed?

Page 85

The Personal Devices Environment

Figure: an always-on personal device holding location, instant messages, pictures, videos, social sharing, cloud storage, contacts, financial data, music, personal preferences, digital wallets, calendar, travels, and access to the company’s network.

Page 86

Personal devices & Networked objects: Threats & Opportunities
• What is the meaning of “Privacy” in our society?
• We leave a lot of traces related to our daily life
  – and smartphones are powerful personal sensors!
• New criminal organizations take advantage of this wealth of data, and of the smart devices in our pockets…
• …but data and smart devices also help LEA (law enforcement agency) investigations
  – on cybercrime
  – on traditional criminal activities
Digital Forensics

Page 87

Internet of (every)Things

CSA (Cloud Security Alliance) 2015

Page 88

Internet of Things
• Bruce Schneier prefers to move the focus to computers with things attached to them
  – Your modern refrigerator is a computer that keeps things cold.
  – Your oven, similarly, is a computer that makes things hot.
  – An ATM is a computer with money inside.
  – Your car is no longer a mechanical device with some computers inside: it's a computer with four wheels and an engine. Actually, it's a distributed system of over 100 computers with four wheels and an engine.


http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

Page 89

Internet of Things


IEEE Spectrum 2015

Page 90

IoT


The Mirai botnet was made up of millions of infected IoT devices

On Sept 13, 2016 the website “KrebsOnSecurity” was under DDoS attack from the Mirai botnet

On Oct 21, 2016 the DNS provider “Dyn” was taken down for a few hours by a DDoS attack from the Mirai botnet

Symantec – ISTR2016

Page 91

Connected dolls

Page 92

Cloud Pets

Page 93

Sources of difficulties in Cybersecurity

Page 94

Truisms on Computer Security
1. On the Internet, attack is easier than defense
  – The interconnection of millions of devices makes the Internet a very complex system.
  – More complexity means more people involved, more parts, more interactions, more mistakes in the design and development process.
  – A complex system means a large attack surface.
  – The defender has to secure the entire attack surface. The attacker just has to find one vulnerability. It's simply not a fair battle.

2. Most software is poorly written and insecure

3. Connecting everything to each other via the Internet will expose new vulnerabilities

4. Everybody has to stop the best attackers in the world

5. Laws inhibit security research

http://nymag.com/selectall/2017/01/the-internet-of-things-dangerous-future-bruce-schneier.html

Bruce Schneier

Page 95

Unfalsifiability of Security Claims

A theory which is not refutable by any conceivable event is non-scientific. Irrefutability is not a virtue of a theory (as people often think) but a vice.

K. Popper, Conjectures and Refutations, 1959

• There is an inherent asymmetry in computer security: things can be declared insecure by observation, but not the reverse.
  – There is no observation that allows us to declare an arbitrary system or technique secure.
  – While the claim that countermeasures are sufficient is always subject to correction, the claim that they are necessary is not.
• When justifications are unfalsifiable, deciding the relative importance of defensive measures reduces to a subjective comparison of assumptions.
  – Relying on such claims is the source of two problems
    • once we go wrong we stay wrong and errors accumulate
    • and we have no systematic way to rank or prioritize measures.


Cormac Herley, Microsoft Research, Redmond, WA, USA