The economics of ransomware attacks on integrated supply chain networks
A. Cartwright, E. Cartwright
Digital Threats: Research and Practice, published 2023-02-10. DOI: https://doi.org/10.1145/3579647
We explore the economics of ransomware on production supply chains. Integrated supply chains result in a mutual dependence between firms that can be exploited by cyber-criminals. For instance, we show that by targeting one firm in the network the criminals can potentially hold multiple firms to ransom. Overlapping security systems may also allow the criminals to strike at weak points in the network. For instance, it may be optimal for the attacker to target a supplier in order to ransom a large producer at the heart of the production network. We introduce a game-theoretic model of an attack on a supply chain and solve for two types of Nash equilibria. We then study a hub and spoke example before providing simulation results for a general case. We find that the total ransom the criminals can demand is increasing in the average path length of the network. Thus, the ransom is lowest for a hub and spoke network and highest for a line network. Mitigation strategies are discussed.

An Analysis of Adversary-Centric Security Testing within Information and Operational Technology Environments
Alex Staves, Antonios Gouglidis, D. Hutchison
Digital Threats: Research and Practice, published 2023-02-09. DOI: https://doi.org/10.1145/3569958
Assurance techniques such as adversary-centric security testing are an essential part of the risk assessment process for improving risk mitigation and response capabilities against cyber attacks. While the use of these techniques, including vulnerability assessments, penetration tests, and red team engagements, is well established within Information Technology (IT) environments, there are challenges to conducting these within Operational Technology (OT) environments, often due to the critical nature of the OT system. In this article, we provide an analysis of the technical differences between IT and OT from an asset management perspective. This analysis provides a base for identifying how these differences affect the phases of adversary-centric security tests within industrial environments. We then evaluate these findings by using adversary-centric security testing techniques on an industrial control system testbed. Results from this work demonstrate that while legacy OT is highly susceptible to disruption during adversary-centric security testing, modern OT that uses better hardware and more optimised software is significantly more resilient to tools and techniques used for security testing. Clear requirements can, therefore, be identified for ensuring appropriate adversary-centric security testing within OT environments by quantifying the risks that the tools and techniques used during such engagements present to the operational process.

Ransomware as a Predator: Modelling the Systemic Risk to Prey
Louise Axon, Arnau Erola, Ioannis Agrafiotis, G. Uuganbayar, M. Goldsmith, S. Creese
Digital Threats: Research and Practice, published 2023-01-18. DOI: https://doi.org/10.1145/3579648
The accelerated pace with which companies, governments and institutions embrace digital transformation is creating opportunities for economic prosperity, but also increases the threat landscape. Recent orchestrated cyber-attacks have revealed the unpredictability of the harm they can cause in our society, rendering the creation of new models that capture systemic risk more critical than ever. In this paper, we model the behaviour of one of the most prominent cyber-attacks: ransomware, in particular ransomware that propagates between organisations via the Internet. We draw concepts from epidemiological models of viral propagation to reason about policies that can reduce the systemic cyber-risk to the community. To achieve this, we present a compartment-based epidemiological model of predator-prey interactions, and run simulations to validate the importance of defensive controls that reduce the propagation of ransomware. Our model suggests that with specific defensive controls in place, other response policies may also become more effective. A prey policy to not pay the ransom may improve the ability of the victim population to recover, while information-sharing may reduce the number of organisations compromised, if certain conditions on the speed of threat-intelligence sharing practices are met. These results indicate the validity of the approach, which we believe could be extended to explore the impacts of a broad range of attacker and defender behaviours and characteristics of the digital environment on systemic risk.

Introduction to the Special Issue on the Lifecycle of IoT (In)security
Paul Shomo, Sebastián Echeverría, J. Sowell
Digital Threats: Research and Practice, published 2022-12-31. DOI: https://doi.org/10.1145/3569901
The editors of Digital Threats Research and Practice (DTRAP) are excited to bring readers this special issue on Internet of Things (IoT) security. Here, a diverse mixture of cybersecurity academics and industry practitioners have authored articles spanning vulnerabilities in encryption protocols, MAC-layer spoofing protection, shared IoT responsibility models, and industry issues around multimodal deployments. IoT security can be an alarming problem, as devices are often deeply embedded in our hospitals, vehicles, and infrastructure. IoT security is unique in that device manufacturers typically experience heavy downward cost-per-unit pressures, keeping the cybersecurity functionality in hardware and firmware scaled down as well. Heterogeneous networks, hardware often leased in the cloud, and hyper-connected environments spanning multiple parties make cybersecurity a team sport. Today, shared responsibility models are a hot topic. The cloud industry has evolved well-defined security responsibilities between infrastructure providers, like Amazon, and tenant companies leasing infrastructure to deploy technologies within. Unfortunately, shared responsibility models around IoT ecosystems have been lacking. It is fitting that our first article, “Emerging Cybersecurity Capability Gaps in the Industrial Internet of Things: Overview and Research Agenda,” tackles the problem of a shared responsibility model in IoT. It presents an assessment of capability gaps based on a series of workshops with 100 expert participants. It presents comprehensive needs against the NIST framework and includes research that models the division of cybersecurity responsibility across the IoT device, network, and cloud-resident data, impacting the full lifecycle. MAC-layer spoofing is a serious problem in wireless systems, and scaled-down IoT devices often lack any prevention and detection capabilities. “Randomized Moving Target Approach for MAC-layer Spoofing Detection and Prevention in IoT Systems” details a novel system combining signal-level device fingerprinting with the principles of Randomized Moving Target Defense (RMTD).

Introduction to the Special Issue on Vulnerabilities
F. Massacci, Nick Nikiforakis, Ivan Pashchenko, A. Sabetta, Victoria Wang
Digital Threats: Research and Practice, published 2022-12-31. DOI: https://doi.org/10.1145/3580605
Vulnerabilities are a fundamental aspect of the field of Digital Threats. How we discover, manage, and reduce the impact of vulnerabilities is as important as the vulnerabilities themselves. In this special issue, we have five articles. We cover topics from “Analyzing the Direct and Transitive Impact of Vulnerabilities onto Different Artifact Repositories” to “Are We Skillful or Just Lucky? Interpreting the Possible Histories of Vulnerability Disclosure.” We want to know what to expect in vulnerabilities; the article entitled “Vulnerability Forecasting: Theory and Practice” looks at the future of what to expect. On the other hand, Smart Cities may have vulnerabilities as well; thus, the article entitled “Vulnerability Exposure Driven Intelligence in Smart, Circular Cities” examines those possibilities. Finally, can vulnerabilities help us defend our networks? The article entitled “Strategies for Practical Hybrid Attack Graph Generation and Analysis” considers this strategy. We hope you learn from these articles and that the topics they cover can help you manage your own vulnerabilities. Vulnerability disclosure, transitive impacts, forecasting, and attack graph generation are all current issues that need more exposure. Being prepared for the future in smart cities is important as well.

Efficient Malware Analysis Using Metric Embeddings
Ethan M. Rudd, David B. Krisiloff, Scott E. Coull, Daniel Olszewski, Edward Raff, James Holt
Digital Threats: Research and Practice, published 2022-12-05. DOI: https://doi.org/10.1145/3615669
Real-world malware analysis consists of a complex pipeline of classifiers and data analysis, from detection to classification of capabilities to retrieval of unique training samples from user systems. In this paper, we aim to reduce the complexity of these pipelines through the use of low-dimensional metric embeddings of Windows PE files, which can be used in a variety of downstream applications, including malware detection, family classification, and malware attribute tagging. Specifically, we enrich labeling of malicious and benign PE files with computationally expensive, disassembly-based malicious capabilities information. Using this enhanced labeling, we derive several different types of efficient metric embeddings utilizing an embedding neural network trained via contrastive loss, Spearman rank correlation, and combinations thereof. Our evaluation examines performance on a variety of transfer tasks performed on the EMBER and SOREL datasets, demonstrating that low-dimensional, computationally efficient metric embeddings maintain performance with little decay. This offers the potential to quickly retrain for a variety of transfer tasks at significantly reduced overhead and complexity. We conclude with an examination of practical considerations for the use of our proposed embedding approach, such as robustness to adversarial evasion and introduction of task-specific auxiliary objectives to improve performance on mission-critical tasks.

Threat-based Simulation of Data Exfiltration Towards Mitigating Multiple Ransomware Extortions
M. Mundt, Harald Baier
Digital Threats: Research and Practice, published 2022-10-29. DOI: https://doi.org/10.1145/3568993
Network-based attacks and their mitigation are of increasing importance in our ever-connected world. Often network-based attacks address valuable data, which the attacker either encrypts to extort ransom or steals to make money reselling, or both. After the infamous WannaCry and NotPetya ransomware attacks in 2017, companies stepped up their cyber defenses. More emphasis was placed on backup and recovery processes so that even when files were destroyed, organizations had copies for quick recovery. However, cyber criminals have also adapted their methods. Instead of simply encrypting files, double extortion ransomware now exfiltrates the data first, before encrypting it. As a consequence, the early detection and prevention of data exfiltration is one of today’s major challenges for institutions connected to the Internet. If attempts at illegal data exfiltration are successfully detected, the attacked institution should address a probable subsequent encryption attack step, too. In particular, valuable business assets must be checked for unauthorized access and need to be protected. However, due to the bulk of network traffic and persistent data, automation is a key requirement to successfully defend against contemporary threats. The main goal of this article is to present a concept and its initial evaluation to achieve automation of data exfiltration mitigation in a targeted manner. Our concept consists of two main steps. Based on recognized international approaches used in Cyber Threat Intelligence (CTI), an automatic procedure on the basis of the MITRE ATT&CK framework for deriving current threats with respect to data exfiltration is presented first. In the spirit of the DTRAP forum, a practical approach is chosen in addition to the theory in this manner. Our evaluation reveals that we are able to automatically identify the most relevant recent risks of unauthorized data exfiltration. In our second step we present the design of a simulation gear based on the attacks extracted from the MITRE ATT&CK framework. The aim is to simulate the greatest threats before they actually occur in the operational environment. The strict focus on the threats of data exfiltration characterizes our solution and makes our approach an ideal addition to existing solutions. We provide an evaluation of this initial simulation concept and its underlying technology for the implementation to show that we are on the right track.

Personality Types and Ransomware Victimisation
Yagiz Yilmaz, Orçun Çetin, C. Grigore, B. Arief, J. Hernandez-Castro
Digital Threats: Research and Practice, published 2022-10-26. DOI: https://doi.org/10.1145/3568994
Ransomware remains one of the most prevalent cyberthreats to individuals and businesses alike. Psychological techniques are often employed by attackers when infecting victims’ devices with ransomware, in an attempt to increase the likelihood of the victims paying the ransom demand. At the same time, cybersecurity researchers are continually putting in effort to find new ways to prevent ransomware infections and victimisation from happening. Since employees and contractors are often considered to be the most frequent and well-known attack vectors, it makes sense to focus on them. Identifying factors to predict the most vulnerable population to cyberattacks can be useful in preventing or mitigating the impact of ransomware attacks. Additionally, understanding victims’ psychological traits can help us devise better solutions to recover from the attack more effectively, while at the same time, encouraging victims not to pay the ransom demand to cybercriminals. In this paper, we investigated the relationship between personality types and ransomware victimisation, in order to understand whether people with certain personality types would be more prone to becoming a ransomware victim or not. We also studied the behavioural and psychological effects of becoming a ransomware victim, in an attempt to see whether such an experience can be used to reinforce positive cybersecurity behaviours in the future. We carried out a survey involving 880 participants, recruited through the Prolific online survey platform. First, these participants were asked to answer a set of standard questions to determine their personality type, using the Big-Five personality trait indicators. They were then asked to answer several follow-up questions regarding victimisation, as well as their feelings and views post-victimisation. We found that 9.55% (n=84) of the participants had been a victim of ransomware. Out of these, 2.38% (n=2) were found to have paid the ransom. We found no compelling evidence to suggest that personality traits would influence ransomware victimisation. In other words, there are no discernible differences regarding potential ransomware victimisation based on people’s personality types alone. Therefore, we should not blame victims for falling prey – in particular, we should not apportion the blame to their personality type. These findings can be used to improve positive cybersecurity behaviours, for example, by encouraging victims to invest more in cybersecurity products and tools. Additionally, our results showed that the aftermath of a ransomware attack could be quite devastating and hard to deal with for many victims. Finally, our research shows that properly dealing with ransomware is a complex socio-technical challenge that requires both technical and psychological support.

InviSeal: A Stealthy Dynamic Analysis Framework for Android Systems
Authors: Saurabh Kumar, Debadatta Mishra, Biswabandan Panda, S. Shukla
DOI: https://doi.org/10.1145/3567599
Digital Threats: Research and Practice, published 2022-10-12

Abstract: With the wide adoption of open-source Android in mobile devices by different device vendors, sophisticated malware is developed to exploit security vulnerabilities. As comprehensive security analysis on physical devices is impractical and costly, emulator-driven security analysis has gained popularity in recent times. Existing dynamic analysis frameworks suffer from two major issues: (i) they do not provide foolproof anti-emulation-detection measures even for fingerprint-based attacks, and (ii) they lack efficient cross-layer profiling capabilities. In this work, we present InviSeal, a comprehensive and scalable dynamic analysis framework that includes low-overhead cross-layer profiling techniques and detailed anti-emulation-detection measures along with the basic emulation features. While providing an emulator-based comprehensive analysis platform, InviSeal strives to remain behind the scenes to avoid emulation detection. We empirically demonstrate that the proposed OS-layer profiling utility used to achieve cross-layer profiling is ∼1.26× faster than existing strace-based approaches. Overall, on average, InviSeal incurs ∼1.04× profiling overhead in terms of the number of operations performed by the various workloads of the CaffeineMark-3.0 benchmark, which is better than contemporary techniques. Furthermore, we measure the anti-emulation-detection strategies of InviSeal against fingerprint-based emulation-detection attacks. Experimental results show that the emulation-detection attacks carried out by the malware samples do not identify InviSeal as an emulated platform.
AMiner: A Modular Log Data Analysis Pipeline for Anomaly-based Intrusion Detection
Authors: Max Landauer, Markus Wurzenberger, Florian Skopik, Wolfgang Hotwagner, Georg Höld
DOI: https://doi.org/10.1145/3567675
Digital Threats: Research and Practice, published 2022-10-10

Abstract: Cyber attacks are omnipresent and their rapid detection is crucial for system security. Signature-based intrusion detection monitors systems for attack indicators and plays an important role in recognizing and preventing such attacks. Unfortunately, it is unable to detect new attack vectors and may be evaded by attack variants. As a solution, anomaly detection employs techniques from machine learning to detect suspicious log events without relying on predefined signatures. While visibility of attacks in network traffic is limited due to encryption of network packets, system log data is available in raw format and thus allows fine-granular analysis. However, system log processing is difficult as it involves different formats and heterogeneous events. To ease log-based anomaly detection, we present the AMiner, an open-source tool in the AECID toolbox that enables fast log parsing, analysis, and alerting. In this article, we outline the AMiner’s modular architecture and demonstrate its applicability in three use cases.