The Diamond Model of Intrusion Analysis

In the world of cyber security, effectively processing data and turning it into actionable intelligence is crucial. While the Cyber Kill Chain® and the MITRE ATT&CK Framework are the commonly used methodologies, a perhaps less well-known alternative is the Diamond Model of Intrusion Analysis. Developed in 2013 by Sergio Caltagirone, Andrew Pendergast, and Christopher Betz, the model is an indispensable resource for cyber security professionals. It offers a simple yet powerful way to analyze and document intrusion events.

The Diamond Model is composed of four core features: adversary, infrastructure, capability, and victim. The adversary is the individual, group, or organization that uses a capability against a victim to achieve its goals. Capability covers the tools, techniques, and methods the adversary uses (a malware family, a phishing kit, a stolen credential), while infrastructure is the physical or logical communication structure through which a capability is delivered or controlled, such as IP addresses, domain names, and email accounts. The victim can be an individual, an organization, or a specific asset such as a target email address or host. Every event is also described by meta-features such as timestamp, kill chain phase, result, direction, methodology, and resources; these support the model's higher-level constructs, linking events that share features into activity threads and grouping similar threads into activity groups. The model is also intended to bring measurement, testability, and repeatability to analysis, giving it a more scientific footing.

The model's unassuming shape hides its main strength: analytic pivoting. Any one known feature of an event (a C2 domain, a sample hash, a victim host) becomes the starting point for discovering the others, and events that share features can be chained together. That matters because a threat actor is in a perpetual state of flux, continuously rotating infrastructure and modifying capabilities; a purely victim-centred or infrastructure-centred view loses track of them, while linked events do not. When combined with the Cyber Kill Chain® and other frameworks, the Diamond Model contributes to a more complete analytic picture: the kill chain orders an intrusion's phases, and the diamond records who did what to whom through which infrastructure at each phase. This supports a deeper understanding of threats and stronger incident response, enabling a more proactive defense posture.
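As an added example (not code from the model's authors or from the original post), the following Python sketch stores events with the four core features plus two meta-features, pivots on a single known feature, and grows one event into an activity thread. Every event, host name, domain, address and the cluster name "cluster-A" are constructed for illustration.

```python
# Added example: a minimal Diamond Model event store with analytic pivoting.
# Illustrative code written for this post, not the model authors' code; every
# event, name, domain and address below is constructed sample data.
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: str       # core feature; "unknown" until attribution is made
    capability: str      # core feature: tool, malware family or technique
    infrastructure: str  # core feature: domain, IP or other resource used
    victim: str          # core feature: person, organisation or asset
    phase: str           # meta-feature: kill chain phase of the event
    timestamp: str       # meta-feature: ISO 8601 time of observation


CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")

# Constructed sample events: one intrusion seen in two phases (E1, E2), an
# older event elsewhere that shares a capability (E3), and an unrelated
# phishing event (E4). Domains/addresses use documentation names and ranges.
EVENTS = [
    DiamondEvent("E1", "unknown", "macro dropper", "update-cdn.example",
                 "finance-laptop-07", "delivery", "2024-03-01T08:00:00"),
    DiamondEvent("E2", "unknown", "HTTPS beacon", "update-cdn.example",
                 "finance-laptop-07", "command-and-control", "2024-03-01T08:01:00"),
    DiamondEvent("E3", "cluster-A", "HTTPS beacon", "203.0.113.10",
                 "hr-fileserver", "command-and-control", "2024-02-10T14:30:00"),
    DiamondEvent("E4", "unknown", "credential phish", "login-portal.example",
                 "student-12", "delivery", "2024-03-02T09:15:00"),
]


def pivot(events, feature, value):
    """Analytic pivot: every event sharing one known core-feature value."""
    if feature not in CORE_FEATURES:
        raise ValueError(f"not a core feature: {feature}")
    return [e for e in events if getattr(e, feature) == value]


def activity_thread(events, start):
    """Link events transitively through any shared, non-placeholder core
    feature (breadth-first) and return them in time order. This is how one
    observed feature (a domain, a sample) grows into a thread of related
    events even after the adversary has changed infrastructure."""
    seen = {start.event_id}
    queue = deque([start])
    thread = []
    while queue:
        current = queue.popleft()
        thread.append(current)
        for feature in CORE_FEATURES:
            value = getattr(current, feature)
            if value == "unknown":      # a placeholder must never be a pivot key
                continue
            for other in pivot(events, feature, value):
                if other.event_id not in seen:
                    seen.add(other.event_id)
                    queue.append(other)
    return sorted(thread, key=lambda e: e.timestamp)


def attribution_hypotheses(thread):
    """Adversary names already attached to events in the thread. Treat the
    result as a hypothesis to test, not a conclusion: a shared capability
    (commodity tooling) is weaker evidence than shared infrastructure."""
    return sorted({e.adversary for e in thread if e.adversary != "unknown"})
```

Starting from E1 (the dropper), the thread reaches E2 through the shared domain and then E3 through the shared beacon capability, while the unrelated phishing event E4 stays outside. The "unknown" guard matters: without it, every unattributed event would be linked to every other through a placeholder value.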

An example of using the Diamond Model in practice is found here.

Essential Skills for Effective Threat Hunting

In today’s cyber security landscape, where cyber threats continue to evolve in sophistication, organizations must adopt proactive approaches to safeguard their networks and sensitive data. Threat hunting, a human-driven and iterative process, has emerged as a crucial aspect of cyber security. This article aims to highlight the essential skill set required to become a successful threat hunter.

Threat hunting tends to operate under the assumption that adversaries have already breached an organization’s defenses and are hiding within the corporate network. Unlike traditional security measures that tend to rely solely on automated detection tools and known indicators of compromise (IoCs), threat hunting leverages human analytical capabilities to identify subtle signs of intrusion that automated systems may miss.

A successful threat hunter requires a diverse skill set to navigate the complexities of modern cyber threats effectively. Here are some essential skills for aspiring threat hunters:

  • Cyber threat intelligence. Understanding cyber threat intelligence is foundational for any threat hunter. It involves gathering, analyzing, and interpreting information about potential threats and threat actors. This knowledge provides valuable insights into advanced persistent threats (APTs), various malware types, and the motivations driving threat actors.
  • Cyber security frameworks. Familiarity with frameworks like the Cyber Kill Chain and ATT&CK is invaluable for threat hunters. The Cyber Kill Chain outlines the stages of a cyber attack, from initial reconnaissance to the exfiltration of data, helping hunters identify and disrupt attack vectors. ATT&CK provides a comprehensive knowledge base of adversary tactics and techniques, aiding in the understanding of attackers’ behavior and their methods.
  • Network architecture and forensics. A strong grasp of network architecture and forensic investigation is crucial for analyzing network activity, identifying anomalous behavior, and tracing the root cause of security incidents. Additionally, threat hunters must be comfortable working with extensive log data and extracting meaningful insights from it.
  • Coding and scripting. Proficiency in coding and scripting languages, such as Python, PowerShell, or Bash, can be highly beneficial for threat hunters. These skills allow them to automate repetitive tasks, conduct custom analysis, and develop tools to aid in their investigations.
  • Data science. Threat hunting often involves dealing with vast amounts of data. Data science skills enable hunters to develop algorithms, create statistical models, and perform behavioral analysis, significantly enhancing their ability to detect and respond to threats effectively.
  • Organizational systems. Each organization operates differently, and threat hunters need to be well-versed in their organization’s systems, tools, and incident response procedures. This knowledge allows them to discern deviations from normal activity, leading to quicker response times and more accurate threat assessments.
  • Collaboration and communication. Threat hunters often work in teams and collaborate with other cybersecurity professionals. Strong communication skills are essential for sharing findings, coordinating responses, and effectively conveying complex technical information to non-technical stakeholders.
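To make the coding, data-science and organizational-knowledge skills above concrete, here is an added example of a small hypothesis-driven hunt (not code from the original post). The hypothesis is that a compromised host beacons to its command-and-control server at a near-fixed interval, which shows up in web-proxy logs as unusually regular connections to one destination. The log lines, hosts and domains are constructed sample data, and the thresholds are assumptions to be tuned per environment.

```python
# Added example: hunting for beaconing in proxy logs. Not code from the
# original post; the log lines below are constructed, and the log format
# (timestamp src_ip dst_host bytes) is an assumption for the example.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

SAMPLE_LOG = """\
2024-03-01T08:00:00 10.0.0.5 update-cdn.example 512
2024-03-01T08:01:00 10.0.0.5 update-cdn.example 498
2024-03-01T08:02:01 10.0.0.5 update-cdn.example 530
2024-03-01T08:03:00 10.0.0.5 update-cdn.example 505
2024-03-01T08:04:00 10.0.0.5 update-cdn.example 511
2024-03-01T08:05:01 10.0.0.5 update-cdn.example 520
2024-03-01T08:00:13 10.0.0.7 www.example.org 10240
2024-03-01T08:00:45 10.0.0.7 www.example.org 20480
2024-03-01T08:05:09 10.0.0.7 www.example.org 4096
2024-03-01T08:31:52 10.0.0.7 www.example.org 8192
2024-03-01T08:32:00 10.0.0.7 www.example.org 300
2024-03-01T08:55:10 10.0.0.7 www.example.org 7000
"""

# Known legitimate pollers (assumed allow-list): the "organizational systems"
# knowledge that keeps the hunt from chasing the patch server or NTP.
KNOWN_POLLERS = {"wsus.corp.example", "ntp.corp.example"}


def parse_log(text):
    """Group connections by (source, destination); values are (time, bytes)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, size = line.split()
        conns[(src, dst)].append((datetime.fromisoformat(ts), int(size)))
    return conns


def beacon_candidates(conns, min_conns=5, max_cv=0.1):
    """Flag pairs whose inter-arrival gaps are suspiciously regular.

    cv = stdev / mean of the gaps. Human browsing is bursty (high cv); a
    sleep-based implant with little jitter is not (low cv). Both thresholds
    are assumptions to tune against a baseline of the environment."""
    findings = []
    for (src, dst), rows in conns.items():
        if dst in KNOWN_POLLERS or len(rows) < min_conns:
            continue
        times = sorted(t for t, _ in rows)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "count": len(rows),
                "interval_s": round(avg, 1), "cv": round(cv, 3),
                "avg_bytes": round(mean(s for _, s in rows)),
            })
    return findings


def hunt(text):
    """Run the whole hypothesis over raw log text."""
    return beacon_candidates(parse_log(text))


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f)
```

On the sample data only 10.0.0.5 is flagged: its six connections are 60 seconds apart with a coefficient of variation near 0.01, whereas the browsing host's gaps range from seconds to half an hour. A real hunt would iterate from here: drop destinations that prove benign into the allow-list, look at the flagged host's process tree, and pivot on the destination to find other hosts talking to it.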

Threat hunting is not a one-size-fits-all activity but a hypothesis-driven, data-driven, and iterative process tailored to an organization's unique risk profile. Cultivating a skilled team and a proactive culture strengthens defenses against evolving threats. Staying informed, collaborating, and making good use of tooling improves the odds of securing an organization against advanced adversaries.

Securing the University: My Information Security Awareness Session

As technology continues to advance, so do the risks and threats associated with it. To protect ourselves and our institutions, it is crucial to remain informed and updated with the latest security trends and best practices. This was the main focus of my recent 45-minute security awareness session with the university technical staff.

In addition to discussing fundamental security measures, I also covered the latest threat actors and threats in the cyber security landscape affecting universities and public institutions. This included state-sponsored actors, cybercriminals, hacker-for-hire groups, and hacktivists. I emphasized the potential consequences of a cyber attack, which can be severe and damaging, such as financial losses, reputational harm, and legal liability.

One alarming statistic I shared was that according to estimates from Statista’s Cybersecurity Outlook, the global cost of cybercrime is expected to surge in the next five years, rising from $8.44 trillion in 2022 to $23.84 trillion by 2027. This underscores the importance of taking proactive steps to mitigate potential risks.

While technical measures are essential, we also discussed the human element of security, including social engineering tactics like phishing emails or pretexting phone calls. Information security starts and ends with all of us, and it is crucial that everyone takes responsibility for protecting sensitive information and assets.

Here is a redacted version of the presentation. Additionally, I recently co-authored an article titled “Human Factors for Cybersecurity Awareness in a Remote Work Environment”, which delves into relevant and relatable cyber security aspects for remote employees.

The Importance of Combining Research and Teaching

As the world progresses, so too does the need for innovative research to support it. In many ways, research and teaching go hand-in-hand, with each feeding off the other to produce a well-rounded system of knowledge. In the field of cybersecurity, for example, teaching is essential to ensure that a new generation of workers is equipped with the skills they need to protect our online world. But research is also critical to staying ahead of the curve and developing new ways to combat the ever-evolving threats that target our digital lives.

The benefits of combining research and teaching are numerous. By keeping up with the latest advances in their field, teachers can ensure that their students are receiving the most up-to-date and relevant information. This helps to prepare students for the real world, where they will be expected to apply their knowledge to solve problems. Meanwhile, researchers can use their findings to inform their teaching, ensuring that the latest discoveries are passed on to the next generation.

But it is not just about staying up-to-date; research can also help to improve the quality of teaching. By constantly testing and refining their methods, researchers can develop more effective ways of imparting knowledge. This benefits not only the students who receive this improved teaching but also society as a whole, as a better-educated workforce is better equipped to meet the challenges of the 21st century.

It is clear, then, that research and teaching are two sides of the same coin. By working together, they can create a virtuous circle that benefits everyone involved.

IoT Security: A Guest Lecture at Malmö University

Today, I delivered a guest lecture in a Master’s course at Malmö University. The lecture that I gave was on the topic of IoT Security. In my lecture, I talked about the IoT, the importance of IoT security, and the different ways that IoT devices can be attacked and secured. I also discussed the challenges that the IoT poses to security and how we can address them.

After the lecture, I had an interesting discussion with some of the students about the topic of IoT security in which we especially talked about the importance of keeping our devices updated.

Overall, it was a good experience, and I am glad that I was able to share my knowledge with the students. I am always happy to help out and answer any questions that the students may have.

A Great Resource to Help you Learn about Cybersecurity

I find the collection of resources from GoVanguard to be quite helpful for anyone interested in a career in cyber security, whether it be in academia or industry.

Specifically, the GoVanguard InfoSec Encyclopedia is an excellent resource for beginners and experienced professionals alike. It contains a wealth of information on various aspects of information security and is constantly being updated with new and improved content. If you are looking to get into the field of information security, or simply want to learn more about it, the GoVanguard InfoSec Encyclopedia may be a great place to start.

Here is a look at their resource list:

This repository also covers “OSINT Tools Used” and “Exploitation Enumeration and Data Recovery Tools” in addition to the aforementioned resources.

Popular smart home brands may be allowing the police to conduct warrantless home surveillance

The security cameras in our smart homes from well-known smart home brands like Amazon and Google might not just be watching over our pets. According to an article in The Verge, they can also aid law enforcement in their investigations of crimes, but only if we do not mind the police viewing our footage without a warrant.

That implies that the police can access our private information without first presenting proof that an emergency situation exists. Police will probably only make use of this access for lawful objectives, such as preventing crime or attempting to locate a missing person in need of assistance. However, it does raise some issues regarding what may transpire when this technology becomes even more widely used and available.

What if, for instance, this access is used to locate and detain activists or protesters who have broken no law? For now, citizens can only exercise caution when shopping, be aware that a smart device may record personal information, and, where the vendor offers it, enable end-to-end encryption, which keeps the vendor from decrypting (and therefore from handing over) stored footage, usually at the cost of some cloud features.

If you have any questions about how to secure your smart home, do not hesitate to contact me.

The Ultimate OSINT Collection

For threat agents, reconnaissance (scouting) and gathering intelligence are vital. The aim is to get as much information about a potential target as possible. With that information, they can exploit weaknesses in a system or an individual to gain access. One type of data that is often overlooked by victims and hackers alike is publicly available data. The collection and analysis of data acquired from open sources (overt and publicly available sources) is known as open-source intelligence (OSINT). Examples of OSINT sources are social media, forums, news, blogs, public data and reports, and other publicly available materials.

Red or blue, OSINT can help threat agents and researchers alike discover exposure they may be unaware of. It allows them to create attack scenarios for red teams or hypotheses for threat hunting. Most cybersecurity initiatives, in my opinion, should include OSINT, a service that is often overlooked. A fantastic one-stop shop for the best OSINT content is compiled by @hatless1der and is available at the website: https://start.me/p/DPYPMz/the-ultimate-osint-collection.

Investigative tools/resources collection from Hatless1der OSINT collection.

Please remember to get in touch if you want to learn more about cyber security research and OSINT.

Where are we today with IoT Security Standards?

IoT security standards are necessary because the IoT is fundamentally insecure. It is hard to predict whether a given IoT device will be compromised and, if it is, what data will be exposed. There must be defined security criteria for this technology to evolve responsibly without introducing new problems. Here is a quick rundown of some of the most recent security standards.

In the United States, the IoT Cybersecurity Improvement Act of 2020 was signed into law in December 2020. It is the first federal IoT law in the US: it directs NIST to publish minimum security requirements for IoT devices and bars federal agencies from procuring devices that do not meet them.

In Europe, ETSI published the consumer IoT security standard ETSI EN 303 645 (V2.1.1) in June 2020. Its purpose is to encourage better security practices and security-by-design in the creation of new connected consumer products; its first provisions are no universal default passwords, a means to manage vulnerability reports, and keeping software updated.

In the United Kingdom, the Department for Digital, Culture, Media and Sport (DCMS) announced new measures, also in June 2020, to protect users of internet-connected household devices from cyberattacks. They implemented a product assurance scheme that requires certified IoT devices to bear an assurance label or kitemark indicating that they have completed independent testing or a thorough and accredited self-assessment process.

When it comes to the IoT, one of the most crucial considerations is security. As the IoT grows more intertwined in people’s lives, security standards are required to keep it safe from hostile attacks and prying eyes. There is so much that can be done to improve IoT security, and this is an opportunity for bright minds to get together and influence the IoT’s future.

Finally please remember that you are welcome to contact me and suggest themes for future posts.

My FOSAD experience and Ph.D. security courses

Going back to the summer of 2016, I had the opportunity to attend a summer school on information security. It was the International School on Foundations of Security Analysis and Design (FOSAD) held in the University Residential Center of Bertinoro, Italy. FOSAD is one of the best Ph.D. summer schools I have ever attended.

There were various outstanding and demanding presentations on a wide range of topics, including mathematical models, analysis tools, and Internet security, as well as formal verification of security protocol implementations, practical system security, and others. We also covered information security from a practical perspective.

Aside from education, we also enjoyed the Italian countryside, breathtaking views, exquisite food, and some local wine. I had the opportunity to meet and mingle with exceptional students from all around the world, as well as professors from renowned universities. This also helped me in the expansion of my academic network.

If you are a Ph.D. student or simply you want to delve deeper into the intricate world of information security, I recommend attending FOSAD, preferably in person. It is a challenging summer school, but it is one of the best schools I have ever attended.

Here is a group photo from that event.

FOSAD 2016 group photo (adapted from http://www.sti.uniurb.it)

More details about FOSAD can be found on their website: https://sites.google.com/uniurb.it/fosad

Finally, if you want to learn more about security-related Ph.D. courses organized in Sweden, I highly recommend that you visit the website: https://swits.hotell.kau.se/Courses/SWITS-PhD-courses-in-IT-security.htm

Also, please feel free to drop me an email or a tweet in case you want to know more about Ph.D. courses in general.