Printer-friendly version


Currently sorted By last update ascending Sort chronologically: By last update change to descending | By creation date

Page:  1  2  3  4  5  6  7  8  (Next)
  ALL

Picture of Yee Wei Law

CCSDS publications naming convention

by Yee Wei Law - Wednesday, 11 January 2023, 2:51 PM
 

Publications from the Consultative Committee for Space Data Systems (CCSDS) can be found here.

Each publication has an identifier of the form MMM.MM-A-N, where

  • The alphabet A is “B” for blue book (recommended standard), “M” for magenta book (recommended practice), and “G” for green book (informational report).
  • The suffix N is the issue number.
Picture of Yee Wei Law

Homodyne vs heterodyne detection

by Yee Wei Law - Wednesday, 8 February 2023, 11:42 AM
 

Homodyne detection = method of detecting a weak frequency-modulated signal through mixing with a strong reference frequency-modulated signal (so-called local oscillator).

References

[ETS18] ETSI, Quantum Key Distribution (QKD); Vocabulary, Group Report ETSI GR QKD 007 v1.1.1, December 2018. Available at https://www.etsi.org/deliver/etsi_gr/QKD/001_099/007/01.01.01_60/gr_qkd007v010101p.pdf.
Picture of Yee Wei Law

Transport Layer Security

by Yee Wei Law - Sunday, 12 February 2023, 10:35 AM
 

TODO

Picture of Yee Wei Law

Intrusion detection systems: classifications

by Yee Wei Law - Monday, 27 February 2023, 12:02 PM
 
See attachment 👇.
PDF document SampleLearningJournalA.pdf
Picture of Yee Wei Law

MITRE D3FEND

by Yee Wei Law - Tuesday, 7 March 2023, 12:54 PM
 

MITRE D3FEND is a knowledge base — more precisely a knowledge graph — of cybersecurity countermeasures/techniques, created with the primary goal of helping standardise the vocabulary used to describe defensive cybersecurity functions/technologies.

  • It serves as a catalogue of defensive cybersecurity techniques and their relationships to offensive/adversarial techniques.

The D3FEND knowledge graph was designed to map MITRE ATT&CK techniques (or sub-techniques) through digital artefacts to defensive techniques; see Fig. 1.

  • Any digital trail left by an adversary, such as Internet search, software exploit and phishing email, is a digital artefact [KS21, Sec. IVE].
Fig. 1: Mapping done by the D3FEND knowledge graph [KS21, Figs. 7-8].

Operationally speaking, the D3FEND knowledge graph allows looking up of defence techniques against specific MITRE ATT&CK techniques.

Watch an overview of the D3FEND knowledge graph from MITRE on YouTube:

References

[KS21] P. E. Kaloroumakis and M. J. Smith, Toward a knowledge graph of cybersecurity countermeasures, The MITRE Corporation, 2021. Available at https://d3fend.mitre.org/resources/D3FEND.pdf.
Picture of Yee Wei Law

Systems Security Engineering

by Yee Wei Law - Tuesday, 7 March 2023, 3:21 PM
 

NIST provides guidelines on engineering trustworthy (see Definition 1) and cyber-resilient (see Definition 2) systems through NIST SP 800-160 volumes 1 and 2 [RWM22, RPG+21], to be used in conjunction with

  • ISO/IEC/IEEEE International Standard 15288:2015 [ISO15],
  • NIST SP 800-37 [Joi18] and
  • NIST SP 800-53 [Joi20].
Definition 1: Trustworthy [RWM22, p. 1]

Worthy of being trusted to fulfill whatever critical requirements may be needed for a particular component, subsystem, system, network, application, mission, enterprise or other entity.

Definition 2: Cyber-resilient [RPG+21, p. 1]

Able to anticipate, withstand, recover from, and adapt to adverse conditions, including stresses, attacks, and compromises on systems that use or are enabled by cyber resources.

📝 A cyber resource is an information resource which creates, stores, processes, manages, transmits, or disposes of information in electronic form and that can be accessed via a network or using networking methods; for example, a file or database.

A primary objective of NIST SP 800-160 volume 1 is to provide a basis for establishing a discipline for systems security engineering as part of systems engineering in terms of its principles, concepts, activities and tasks.

  • Systems engineering is a transdisciplinary and integrative approach to enabling the successful realisation, use, and retirement of engineered systems [RWM22, Sec. 2.2].
  • Systems security engineering is meant to provide complementary engineering capabilities that extend the concept of trustworthiness to deliver trustworthy systems [RWM22, p. 2].
  • Without going into details, Fig. 1 captures the workflow in the prescribed Systems Security Engineering Framework [RWM22, Sec. 4].
Fig. 1: The Systems Security Engineering Framework provides guidenlines on how to define the problem and how to develop a solution to achieve trustworthiness [RWM22, Fig. 10]. See [RWM22, Sec. 4] for details.

A primary objective of NIST SP 800-160 volume 2 is to provide guidance on how to apply cyber resilience concepts, constructs and engineering practices to systems security engineering and risk management for systems (e.g., enterprise IT, industrial control systems, Internet of Things) and organisations.

References

[ISO15] ISO, IEC and IEEE, ISO/IEC/IEEE International Standard 15288: Systems and software engineering – System life cycle processes, 2015. https://doi.org/10.1109/IEEESTD.2015.7106435.
[Joi18] Joint Task Force, Risk management framework for information systems and organizations: A system life cycle approach for security and privacy, NIST Special Publication 800-37 Revision 2, December 2018. https://doi.org/10.6028/NIST.SP.800-37r2.
[Joi20] Joint Task Force, Security and privacy controls for information systems and organizations, NIST Special Publication 800-53 Revision 5, September 2020. https://doi.org/10.6028/NIST.SP.800-53r5.
[RPG+21] R. Ross, V. Pillitteri, R. Graubart, D. Bodeau, and R. McQuaid, Developing cyberresilient systems: A systems security engineering approach, NIST Special Publication 800-160 Volume 2 Revision 1, December 2021. https://doi.org/10.6028/NIST.SP.800-160v2r1.
[RWM22] R. Ross, M. Winstead, and M. McEvilley, Engineering trustworthy secure systems, NIST Special Publication 800-160v1r1, November 2022. https://doi.org/10.6028/NIST.SP.800-160v1r1.
Picture of Yee Wei Law

NIST Cybersecurity Framework

by Yee Wei Law - Wednesday, 8 March 2023, 10:52 AM
 

The National Institute of Standards and Technology (NIST) has an essential role in identifying and developing cybersecurity risk frameworks for voluntary use by owners and operators of critical infrastructure (see Definition 1) [NIS18, Executive Summary].

Definition 1: Critical infrastructure [NIS18, Sec. 1.0]

Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

One such framework is the Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework for short), for which NIST is maintaining an official website.

As of writing, the latest version of the NIST Cybersecurity Framework is 1.1 [NIS18].

The Cybersecurity Framework provides a common language for understanding, managing and expressing cybersecurity risks to internal and external stakeholders [NIS18, Sec. 2.0].

The Cybersecurity Framework has three parts: 1️⃣ Framework Core, 2️⃣ Implementation Tiers, and 3️⃣ Framework Profiles.

Framework Core

This is a set of cybersecurity activities, desired outcomes and applicable references (industry standards, guidelines and practices) that are common across critical infrastructure sectors [NIS18, Sec. 1.1].

The Framework Core consists of five concurrent and continuous Functions that provide a high-level strategic view of the lifecycle of an organisation’s management of cybersecurity risks:

  1. Identify: Develop an organisational understanding to manage cybersecurity risks to systems, people, assets, data and capabilities [NIS18, p. 7].

    Applicable activities include [MMQT21]:

    • identifying critical enterprise processes and assets;
    • documenting information flows (how information is collected, stored, updated and used);
    • maintaining hardware and software inventories;
    • establishing cybersecurity policies specifying roles, responsibilities and procedures in integration with enterprise risk considerations;
    • identifying and assessing vulnerabilities and threats;
    • identifying, prioritising, executing and tracking risk responses.

  2. Protect: Develop and implement appropriate safeguards to ensure delivery of critical services [NIS18, p. 7].

    Applicable activities include [MMQT21]:

    • managing access to assets and information;
    • safeguarding sensitive data, including applying authenticated encryption and deleting data that are no longer needed;
    • making regular backups and storing backups offline;
    • deploying firewalls and other security products, with configuration management, to protect devices;
    • keeping device firmware and software updated, while regularly scanning for vulnerabilities;
    • training and regularly retraining users to maintain cybersecurity hygiene.

  3. Detect: Develop and implement appropriate activities to identify the occurrence of a cybersecurity event [NIS18, p. 7].

    Applicable activities include [MMQT21]:

    • developing, testing and updating processes and procedures for detecting unauthorised entities and actions in the cyber and physical environments;
    • maintaining logs and monitoring them for anomalies, including unexpected changes to systems or accounts, illegitimate communication channels and data flows.

  4. Respond: Develop and implement appropriate activities to take action regarding a detected cybersecurity incident [NIS18, p. 8].

    Applicable activities include [MMQT21]:

    • making, testing and updating response plans, including legal reporting requirements, to ensure each personnel is aware of their responsibilities;
    • coordinating response plans and updates with all key internal and external stakeholders.

  5. Recover: Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired by a cybersecurity incident [NIS18, p. 8].

    Applicable activities include [MMQT21]:

    • making, testing and updating recovery plans;
    • coordinating recovery plans and updates with all key internal and external stakeholders, paying attention to what, how and when information is shared;
    • managing public relations and company reputation.

Each Function comprises Categories, and each Category comprises Subcategories, and for each Subcategory, Informative References are provided [NIS18, Sec. 2.1].

  • A Category is a cybersecurity outcome closely tied to programmatic needs and particular activities.
  • A Subcategory is an outcome of technical and/or management activities for supporting achievement of the outcomes in each Category.
  • An Informative Reference is a specific part of a standard, guideline and practice common among critical infrastructure sectors that illustrates a method to achieve the outcomes associated with each Subcategory.

Fig. 1 shows Categories, and the Subcategories under the Category “Business Environment”, and furthermore the Informative References for each of these Subcategories.

Fig. 1: Functions, Categories, sample Subcategories and sample Informative References. Details about these Informative References can be found in [NIS18, p. 44].
Implementation Tiers

The four tiers in Table 1 provide context on how an organisation views cybersecurity risks and the processes in place to manage those risks [NIS18, p. 8].

Table 1: Implementation tiers [NIS18, pp. 9-11].
Tier Risk management process Integrated risk management program External participation
1, Partial Not formalised, ad hoc and reactive.

Limited cybersecurity awareness.

Risk management is irregular and case-by-case.

 Organisation does not engage with other entities, and lacks awareness of cyber supply chain risks.
2, Risk-informed

Formalised but not organisation-wide.

Prioritisation of cybersecurity objectives and activities is directly informed by organisational risks, business requirements, or the threat environment.

Cybersecurity awareness exists at the organisational level, but risk management is not organisation-wide.

Irregular risk assessment of assets.

Organisation receives information from other entities and generates some of its own, but may not share information with others.

Organisation is aware of cyber supply chain risks, but does not respond formally to the risks.
3, Repeatable Formalised and regularly updated based on the application of risk management processes to changes in business requirements and the threat landscape.

Risk management is organisation-wide.

Organisation accurately and consistently monitors cybersecurity risks of assets.

Organisation responds effectively and consistently to changes in risks.

Cybersecurity is considered through all lines of operation.

Organisation receives information from other entities and share its original information with others.

Organisation is aware of cyber supply chain risks, and usually responds formally to the risks.
4, Adaptive

Formalised and adaptable to experience and forecast.

Continuously improved leveraging advanced cybersecurity technologies and practices, to respond to evolving, sophisticated threats in a timely and effective manner.

Risk management is organisation-wide.

Decision making is grounded in clear understanding of the relationship between cybersecurity risks and financial risks / organisational objectives.

Risk management is integral to organisational culture and is supported by continuous awareness of activities on systems and networks.

Organisation receives, generates and reviews prioritised information to inform continuous risk assessment.

Organisation uses real-time information to respond formally and consistently to cyber supply chain risks.

Implementation tiers do not represent maturity levels; they are meant to support organisational decision making about how to manage cybersecurity risks.

Framework Profiles

A Framework Profile (“Profile”) is a representation of the outcomes that a particular system or organisation has selected from the Framework Categories and Subcategories [NIS18, Appendix B].

A Profile specifies the alignment of the Functions, Categories, and Subcategories with the business requirements, risk tolerance, and resources of an organisation [NIS18, Sec. 2.3].

A Profile enables organisations to establish a roadmap for reducing cybersecurity risks, that 1️⃣ is well aligned with organisational and sector goals, 2️⃣ considers legal/regulatory requirements and industry best practices, and 3️⃣ reflects risk management priorities [NIS18, Sec. 2.3].

For example,

  • The NIST Interagency Report 8401 [LSB22] specifies a Profile for securing satellite ground segments.
  • A Profile for securing hybrid satellite networks is currently under development.
  • More examples of Profiles can be found here.

Watch a more detailed explanation of the Cybersecurity Framework presented at RSA Conference 2018:

References

[LSB22] S. Lightman, T. Suloway, and J. Brule, Satellite ground segment: Applying the cybersecurity framework to satellite command and control, NIST IR 8401, December 2022. https://doi.org/10.6028/NIST.IR.8401.
[MMQT21] A. Mahn, J. Marron, S. Quinn, and D. Topper, Getting Started with the NIST Cybersecurity Framework: A Quick Start Guide, NIST Special Publication 1271, August 2021. https://doi.org/10.6028/NIST.SP.1271.
[MMBM22] J. McCarthy, D. Mamula, J. Brule, and K. Meldorf, Cybersecurity Framework Profile for Hybrid Satellite Networks (HSN): Final Annotated Outline, NIST Cybersecurity White Paper, NIST CSWP 27, November 2022. https://doi.org/10.6028/NIST.CSWP.27.
[NIS18] NIST, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, April 2018. Available at https://www.nist.gov/cyberframework/framework.
Picture of Yee Wei Law

Universally composable security

by Yee Wei Law - Monday, 13 March 2023, 1:19 PM
 

First proposed by Canetti [Can01], the paradigm of universally composable security guarantees security even when a secure protocol is composed with an arbitrary set of protocols, or more generally when the protocol is used as a component of an arbitrary system.

  • It guarantees security even when an unbounded number of protocol instances are executed concurrently in an adversarially controlled manner.
  • It is an essential property for maintaining security of cryptographic protocols in complex and unpredictable environments such as the Internet.

References

[Can01] R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in Proceedings 42nd IEEE Symposium on Foundations of Computer Science, 2001, pp. 136–145. https://doi.org/10.1109/SFCS.2001.959888.
Picture of Yee Wei Law

Cyber Kill Chain

by Yee Wei Law - Wednesday, 15 March 2023, 9:24 AM
 

The Cyber Kill Chain® framework/model was developed by Lockheed Martin as part of their Intelligence Driven Defense® model for identification and prevention of cyber intrusions.

The model identifies what an adversary must complete in order to achieve its objectives.

The seven steps of the Cyber Kill Chain sheds light on an adversary’s tactics, techniques and procedures (TTP):

Watch a quick overview of the Cyber Kill Chain on LinkedIn Learning:

Overview of the cyber kill chain from Ethical Hacking with JavaScript by Emmanuel Henri

Example 1: Modelling Stuxnet with the Cyber Kill Chain

Stuxnet (W32.Stuxnet in Symantec’s naming scheme) was discovered in 2010, with some components being used as early as November 2008 [FMC11].

Stuxnet is a large and complex piece of malware that targets industrial control systems, leveraging multiple zero-day exploits, an advanced Windows rootkit, complex process injection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface [FMC11].

Watch a brief discussion of modelling Stuxnet with the Cyber Kill Chain:

Stuxnet and the kill chain from Practical Cybersecurity for IT Professionals by Malcolm Shore

⚠ Contrary to what the video above claims, Stuxnet does have a command and control routine/interface [FMC11].

References

[FMC11] N. Falliere, L. O. Murchu, and E. Chien, W32.Stuxnet Dossier, Symantec Security Response, February 2011, version 1.4. Available at http://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2014/11/20082206/w32_stuxnet_dossier.pdf.
Picture of Yee Wei Law

MITRE Engage

by Yee Wei Law - Wednesday, 15 March 2023, 9:52 AM
 

MITRE Engage (previously MITRE Shield) is a framework for planning and discussing adversary engagement operations.

  • It is meant to empower defenders to engage their adversaries and achieve their cybersecurity goals.

Cyber defense has traditionally focussed on applying defence-in-depth to deny adversaries’ access to an organisation’s critical cyber assets.

Increasingly, actively engaging adversaries proves to be more effective defence [MIT22b].

  • For example, making adversaries doubt the value of any data/information they stole drives down the value of their operations and up their operating cost.

The foundation of adversary engagement, within the context of strategic planning and analysis, is cyber denial and cyber deception [MIT22b]:

  • Cyber denial is the ability to prevent or otherwise impair adversaries’ ability to conduct their operations.
  • Cyber deception intentionally reveals deceptive facts and fictions to mislead the adversary, while concealing critical facts and fictions to prevent the adversary from making correct estimations or taking appropriate actions.

While MITRE Engage has not been around for long, the practice of cyber deception has a long history; honeypots for example can be traced back to the 1990s [Spi04, Ch. 3].

MITRE Engage prescribes the 10-Step Process, which was adapted from the process of deception in [RW13, Ch. 19], in Fig. 1:

Fig. 1: The 3-phase 10-Step Process of MITRE Engage [MIT22b, p. 7].

Prepare phase:

  1. Define the operational objective, e.g., expose adversaries, or affect an adversary’s ability to operate, or elicit intelligence on an adversary’s TTPs.
  2. Construct an engagement narrative (i.e., story to deceive the adversary) that supports this objective.
  3. This narrative informs the design of the engagement environment (e.g., a network) and all operational activities.
  4. Gather all relevant stakeholders to define the acceptable level of operational risk.
  5. Construct clear Rules of Engagement (RoE) to serve as guardrails for operational activities.
  6. Put sufficient monitoring and analysis capabilities in place to ensure activities remain within set bounds.

Operate phase:

  1. Implement and deploy designed activities.
  2. Explore these activities more in the Operationalise the Methodologies section below.

Understand phase:

  1. Turn operational outputs into actionable intelligence to assess whether the operational objective is met.
  2. Capture lessons learned and refine future engagements.
Example 1: The Tularosa Study

A starting point to practising cyber deception is to combine deception tools (e.g., honeypots and decoy content) with traditional defences (e.g., application programming interface monitoring, backup and recovery) [Heb22].

Contrary to intuition, cyber deception is more effective when adversaries know it is in place, because its presence exerts psychological impact on the adversaries [Heb22].

Supporting evidence is available from the 2018 Tularosa Study [FWSR+18]; watch presentation below:

Operationalise the Methodologies

The foundation of an adversary engagement strategy is the Engage Matrix:

Fig. 2: The MITRE Engage Matrix. Click on image 👆 to navigate to https://engage.mitre.org/matrix/.

The Matrix serves a shared reference that bridges the gap between defenders and decision makers when discussing and planning denial, deception, and adversary engagement activities.

The Matrix allows us to apply the theoretical 10-Step Process (see Fig. 1) to an actual operation.

The top row identifies the goals: Prepare and Understand, as well as the objectives: Expose, Affect and Elicit.

  • The Prepare and Understand Goals focus on the inputs and outputs of an operation.
  • While the Matrix is linear like the 10-Step Process, it should be viewed as cyclical.

The second row identifies the approaches, which let us make progress towards our selected goal.

The remainder of the Matrix identifies the activities.

  • The same activities often appear under one or more approach or goal/objective, e.g., Lures under ExposeDetect, AffectDirect and AffectDisrupt, because activities can be adapted to fit multiple use cases.
  • An adversary’s action may expose an unintended weakness of the adversary.
  • We can look at each MITRE ATT&CK® technique to examine the weaknesses revealed and identify engagement activities to exploit these weaknesses.
  • Fig. 3 shows an example of mapping a MITRE ATT&CK technique to an engagement activity.
Fig. 3: Mapping ATT&CK technique Remote System Discovery (T1018) to an engagement activity. Options include Software Manipulation (EAC0014), Lures (EAC0005), Network Manipulation (EAC0016), Network Diversity (EAC0007) and Pocket Litter (EAC0011).

References

[FWSR+18] K. Ferguson-Walter, T. Shade, A. Rogers, M. Trumbo, K. Nauer, K. Divis, A. Jones, A. Combs, and R. Abbott, The Tularosa Study: An Experimental Design and Implementation to Quantify the Effectiveness of Cyber Deception, Tech. Report SAND2018-5870C, Sandia National Lab, 2018. Available at https://www.osti.gov/servlets/purl/1524844.
[Heb22] C. Hebert, Trust Me, I’m a Liar, IEEE Security & Privacy 20 no. 6 (2022), 79–82. https://doi.org/10.1109/MSEC.2022.3202625.
[MIT22b] MITRE Engage, A Starter Kit in Adversary Engagement, 2022, version 1.0. Available at https://engage.mitre.org/wp-content/uploads/2022/04/StarterKit-v1.0-1.pdf.
[RW13] H. Rothstein and B. Whaley, Art and Science of Military Deception, Artech House, 2013. Available at https://app.knovel.com/hotlink/toc/id:kpASMD0003/art-science-military/art-science-military.
[Spi04] L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley Professional, 2004. Available at https://learning.oreilly.com/library/view/honeypots-tracking-hackers/0321108957/.

Page:  1  2  3  4  5  6  7  8  (Next)
  ALL