DOI: 10.1145/3190645.3190673
research-article

Improving offensive cyber security assessments using varied and novel initialization perspectives

Published: 29 March 2018

Abstract

    Offensive cyber security assessment methods such as red teaming and penetration testing have grown in parallel with evolving threats to evaluate traditional and diverging attack surfaces. This paper provides a taxonomy of offensive security assessments conducted by ethical hackers, categorized by their initial evaluation perspectives. Included in this taxonomy are the traditional assessment perspectives, which initiate analysis and attack simulation against networks externally, from within a DMZ, or internally. A novel paradigm of critical perspective as an initial point for offensive security evaluation processes is also presented. Initialization from a critical perspective bolsters the holistic capabilities of offensive cyber security assessment by providing a new offensive security assessment option intended to begin evaluation at the last line of defense between malicious actors and the crown jewels of an organization, and then to assess outwards from the deepest levels of trust and security. This method will be shown to improve the ability to mitigate the impact of threats regardless of whether they originate from within or without an organization. As such, assessment initialization at a critical perspective provides a new approach to offensive security assessment, different from what has traditionally been practiced by red teams and penetration testers.

    Cited By

    • (2022) A Systematic Study on Network Attacks and Intrusion Detection System. Machine Intelligence and Data Science Applications, pp. 195-210. DOI: 10.1007/978-981-19-2347-0_16. Online publication date: 2-Aug-2022
    • (2021) Design and Development of Hybrid Algorithms to Improve Cyber Security and Provide Securing Data Using Image Steganography With Internet of Things. Multidisciplinary Approach to Modern Digital Steganography, pp. 326-338. DOI: 10.4018/978-1-7998-7160-6.ch015. Online publication date: 2021

      Published In

      ACMSE '18: Proceedings of the 2018 ACM Southeast Conference
      March 2018
      246 pages
      ISBN:9781450356961
      DOI:10.1145/3190645
      Conference Chair: Ka-Wing Wong
      Program Chair: Chi Shen
      Publications Chair: Dana Brown
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. cyber security
      2. penetration test
      3. red team
      4. risk
      5. security assessment

      Qualifiers

      • Research-article

      Conference

      ACM SE '18
      Sponsor:
      ACM SE '18: Southeast Conference
      March 29 - 31, 2018
      Kentucky, Richmond

      Acceptance Rates

      ACMSE '18 Paper Acceptance Rate 34 of 41 submissions, 83%;
      Overall Acceptance Rate 502 of 1,023 submissions, 49%

      Article Metrics

      • Downloads (Last 12 months): 15
      • Downloads (Last 6 weeks): 2
      Reflects downloads up to 12 Aug 2024
