ABSTRACT
Offensive cyber security assessment methods such as red teaming and penetration testing have grown in parallel with evolving threats to evaluate traditional and diverging attack surfaces. This paper provides a taxonomy of offensive security assessments conducted by ethical hackers, categorized by their initial evaluation perspectives. Included in this taxonomy are the traditional assessment perspectives, which initiate analysis and attack simulation against networks either externally, from within a DMZ, or internally. A novel paradigm of critical perspective as an initial point for offensive security evaluation processes is also presented. This initialization from a critical perspective bolsters the holistic capabilities of offensive cyber security assessment by providing a new offensive security assessment option intended to begin evaluation at the last line of defense between malicious actors and the crown jewels of an organization, and then, from that perspective, to assess outwards from the deepest levels of trust and security. This method will be shown to improve the ability to mitigate the impact of threats regardless of whether they originate from within or without an organization. As such, the assessment initialization at a critical perspective provides a new approach to offensive security assessment different from what has traditionally been practiced by red teams and penetration testers.