Automating Visibility into User Behaviour Vulnerabilities to Malware Attack

Presented at VB2016, Oct. 5, 2016, 2 p.m. (30 minutes)

An integrated, holistic approach to assessing the vulnerability of organizations to malware attacks requires measurement and correlation of three aspects: (1) vulnerability of protected IT infrastructure and processes to attack (e.g. penetration testing); (2) global prevalence and local incidence of malicious threats specifically relevant to the target organization (e.g. threat intelligence); and (3) vulnerability of authorized users to malicious manipulation such as social engineering (e.g. user behaviour analytics). While advanced tools are available for all three of these aspects, the affordability and practicality of high-quality continuous vulnerability assessment for smaller organizations is lowest for the third aspect: effective user behaviour analytics. This problem is particularly severe for protecting unstructured user data and ad hoc unregulated user practices.

The problem is mitigated through both more actionable measures of user behaviour risk and more focused automated user behaviour monitoring. This paper provides a detailed view of the development of automatic measurements of user behaviour related to the interactions required by threats, especially APTs. The user behaviour measurements are based on passive and active information gathering from the network and from the endpoint workstations used by the users. Passive measurements observe the users' usual activities, while the active option makes it possible to measure the users' reactions in generated situations. The methodology also includes a complex algorithm for information analytics, the so-called automatic user profilization. Privacy issues are also considered and discussed.

This paper presents new practical methods by which available results from (1) automated penetration testing and (2) threat intelligence feeds can be correlated with user behaviour monitoring to provide more actionable and focused visibility into user behaviour vulnerabilities.


Presenters:

  • Kálmán Hadarics - Secudit
    Kálmán Hadarics graduated from the University of Veszprém as a master of information technology engineering. He has been working as an assistant professor at the University of Dunaújváros, Institute of Informatics, since 2000. His primary research and academic interests are the Linux operating system, network operating systems, and different programming and scripting languages. He has been investigating the behaviour of malicious code and how it is perceived since 2008. He has been a Ph.D. student at the National University of Public Service since 2013. His Ph.D. theme is "Analysing risks of programmed threats". He regularly participates in research projects and in the development of teaching materials in the Institute of Informatics.
  • Eszter Oroszi - Secudit
    Eszter Oroszi currently works as a senior information security expert at MVM Hungarian Electricity Ltd, prior to which she worked as an information security consultant at several consultancy companies. She was a lecturer at the National University of Public Service, where she is now a Ph.D. student researching the security awareness of the human factor. She has been concerned with information security since 2008. Eszter's favourite topics in information security are social engineering and security awareness; her main activities are measuring and improving the security awareness level of users. She has given many presentations about the vulnerability of the human factor, as a regular presenter at the Ethical Hacking conference and other Hungarian information security events.
  • Anthony Arrott - Secudit
    Anthony Arrott received his education in physics, physiology and biomedical engineering at McGill University and MIT, after which he founded Payload Systems, a scientific instrumentation company that flew the first commercial space experiments aboard the Soviet space station Mir. At Arthur D. Little, Anthony Arrott performed numerous technology due diligence studies for financial institutions investing in satellite and wireless systems in Italy, Israel, Egypt and Japan. Since 2004, Anthony Arrott has worked in the cybersecurity software industry. At Trend Micro, he managed external benchmark testing that provided independent measures of the protection commercial security software products provide to customers. In 2007 he led the project team for Trend Micro HijackThis v2.0, enhancing the popular malware diagnostic tool originally developed by Merijn Bellekom. Currently, he provides measurement and analysis of automated security software products as Director of Security Analytics at CheckVir.
  • Ferenc Leitold - Secudit
    Ferenc Leitold graduated from the Technical University of Budapest in 1991. He also received his Ph.D. from the Technical University of Budapest, in 1997, on the subject of computer viruses. Currently he teaches computer security and computer networks at the University of Dunaújváros, Hungary. His research interest is managing protection against computer threats: mathematical models of computer viruses and automatic methods for analysing computer threats. Within the Checkvir project (www.checkvir.com) of Veszprog Ltd. he works on testing different types of protection. Since 2015 he has led the R&D team of Secudit Ltd, which works on enterprise vulnerability measurement.