Cyber Operations, Defence, and Forensics
Security Operations Centers: A Holistic View on Problems and Solutions (2022-01-04)
Since Security Operations Centers (SOCs) were first implemented, they have strived to protect the organization and constituency they serve from all manner of Information Technology (IT) security threats. As SOCs have evolved over time to become as effective and efficient at this as possible, they have struggled with changes and upgrades to their foundational elements of people, processes, and technology in pursuit of this mission. While most relevant literature focuses on one challenge a SOC faces, or one aspect of one problem, the authors of this paper performed a literature review to identify and discuss the top current and future challenges that SOCs face in addition to the top current and future solutions to these problems.
Lantern to the Underworld - Following User Actions Using Bing URL Parameters When Child Exploitation Terms Are Suggested by the Search Engine (2022-01-04)
During a 2016 criminal investigation overseen by the authors, a discovery was made that the Bing search engine was suggesting search terms known to be associated with child exploitation materials. This was in response to a non-contraband search by a subject, leading to increasingly explicit suggestions. This information led to the discovery that, with a user’s browser history files, the specific actions taken by a user could be isolated and tracked using Bing’s own unique URL parameters. While the suggestion of contraband terms by the Bing search engine has since ceased, there has been little to no research conducted on analyzing a user’s browser activity in order to determine their specific actions behind the keyboard through the use of these unique URL parameters. The purpose of this paper is to document Bing’s URL parameters related to image searches (specifically the FORM parameter) in order to detail how a user’s actions during searching may be determined by an analyst. The authors also provide a new tool for creating a timeline of Bing image search events when an analyst possesses a user’s browser history files.
HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon (2022-01-04)
Advanced Persistent Threat (APT) actors are increasingly utilizing Living-off-the-Land (LotL) cyber attack techniques to avoid detection. LotL techniques abuse legitimate functionality to perform malicious cyber activities. A common LotL attack technique that is currently very difficult to detect and prevent is malicious process injection, MITRE ATT&CK Process Injection ID: T1055. We report on the initial results for HESPIDS: A Hierarchical and Extensible System for Process Injection Detection using Sysmon. We developed a hierarchical graph-based detection approach for accurate and automated detection of five process injection techniques in Windows clients. These techniques include four of the 11 T1055 sub-techniques (DLL Injection, PE Injection, APC Injection, Process Hollowing) and one T1056 sub-technique, API Hooking (T1056.004). Our novel detection approach exhibits, within the limitations of our small testing environment, very high sensitivity and specificity. HESPIDS demonstrates a promising avenue for the development of automated detection of advanced cybersecurity threats.