Advanced Security: 2020-2021
The Advanced Security course is designed to bring students towards the research boundaries in computer security, covering contemporary topics in depth. It is split into two related modules, each an area of interest to members of the Computer Security research theme. This year the modules will be:
Weeks 1–4 [11 lectures]: Threat Detection, 10 lectures Sadie Creese plus 1 lecture from Professor Rebecca Williams (law)
Attacks on computer systems and how to detect them.
Weeks 5–8 [11 lectures]: Situational Awareness and Information Defence, 11 lectures, Jassim Happa
Using modern tools to obtain an understanding of how adversaries attack systems and common defence tactics.
To attain a deeper understanding of certain contemporary topics in computer security, bridging the gap to research and linking theory to common practice.
This term the learning outcomes are expected to be:
- To develop an understanding of the breadth of malicious threats faced and techniques used to attack computer systems.
- To understand the basic components and approach of threat detection systems, and their limitations.
- To develop a working knowledge of network-based threat detection tools.
- To be understand the role of situational awareness in detecting threat, the methods that can facilitate it and how situational awareness overall contributes to cyber-defence including its interface with core capablities such as incident response, deception and offensive security.
- To understand how a wider range of threats malicious and non-malicious (e.g. accidents, wear and tear or unplanned events) can be incorporated into such situational awareness.
- To develop a working knowledge of how situational awareness can be created using cybersecurity visualisation techniques.
For both modules, the Computer Security course (or its equivalent) is advised.
The practicals will require programming in Python or C, but only a very basic understanding of the languages will be required.
Attack Detection (weeks 1–4; 2 classes, plus practicals)
- The range of threats we face, and how we understand them in the context of the risk they pose to our security.
- The kinds of attack vector used, and models for understanding attacks, and the vulnerabilities exploited when conducting them.
- The general ways in which we conduct threat detection in systems today, the components used and how they fit into a wider security architecture.
- We will consider in detail intrusion detection as well as insider threat detection, the use of signatures and rules, as well as anomaly detection.
- We will introduce situational awareness, and the research challenge of analysing and predicting the propagation of attacks and resulting risk across our systems.
Situational Awareness and Information Defence (weeks 5–8; 2 classes, plus practicals)
- We will consider situational awareness in detail, in so far as it relates to cyber-attacks.
- In-depth examination of misuse and anomaly detection in use and how these facilitate situational awareness. Practices and challenges in implementing and benchmarking cyber defences (pentesting, threat detection).
- Cybersecurity visualization: basic concepts, visual analytics and visual abstraction.
- dependency modelling for predicting attack propagation: dealing with across the infrastructure and also relating to business processes. Cybersecurity vs Resilience. Cyber defences: cyber threat intelligence, incident response, deception and threat modelling.
- Real world applications of cybersecurity and use cases: Challenges in insider threat vs external intrusions specific defences. Cyber physical systems. Privacy. Current approaches advantages and limitations.
Threat Detection. Nature of malign threats. Organisational risk context. Attack vectors. Models for understanding attacks. Vulnerabilties. Threat detection systems. Security architectures. Intrusion detection. Insider threat detection. Signatures and rules and anomaly detection. Organisational context
The Computer Misuse Act and ethical considerations.
Situational Awareness. Cybersecurity Visualization. Dependency Modelling. Threat Modelling. SOCs. CSIRTs. Cyber Defences. Insider Threat Detection. Intrusion Detection Systems. Deception. Remaining challenges in social contexts.
Examination: both part C undergraduate and MSc students will be examined by take-home assignment over the Easter vacation. Students must answer questions on both modules.
MITRE Adversarial Tactics, Techniques & Common Knowledge:ATT&CK, https://attack.mitre.org for resources.
MITRE Common Attack Pattern enumeration and classification CAPEC, https://capec.mitre.org.
Understanding cyber-attacks by Hodges and Creese, in Cyber Warfare published by Routledge 2015.
AVOIDIT: A cyber attack taxonomy, by Simmons et al, in proceedings of the 9th Annual Symposium on Information Assurance ASIA'14.
Security Engineering by Ross Anderson - esp. Chapter 21 “Network Attack and Defense” http://www.cl.cam.ac.uk/~rja14/Papers/SEv2-c21.pdf
APT1, Exposing One of Chinas Espionage Units, by Mandiant, https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
Framework for Improving Critical Infrastructure Cybersecurity, NIST 2014, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf
A cyber attack modeling and impact assessment framework, by I. Kotenko and A. Chechulin, in proceedings of the 5th International Conference on Cyber Conflict (CyCon) 2013, NATO CCD COE Publications.
Undermining an Anomaly-Based Intrusion Detection System Using Common Exploits, by Kymie M. C. Tan, Kvein S. Killourhy, Roy A. Maxion, in Proceedings of RAID 2002, LNCS 2516.
Understanding Insider Threat: A Framework for Characterising Attacks, by Jason R. C. Nurse, Oliver Buckley, Philip A. Legg, Michael Goldsmith and Sadie Creese, in Proceedings of the IEEE Security and Privacy Workshops 2014. http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6957307
Automated Insider Threat Detection System Using User and Role-Based Profile Assessment, by Philip A. Legg, Oliver Buckley, Michael Goldsmith and Sadie Creese, in IEEE Systems Journal, Vol 11, Issue 2 June 2017.
Intrusion detection system: a comprehensive review, by Hung-Jen Liao, Chun-Hung Richard Lin, Ying-Chih Lin and Kuang-Yuan Tung, in Journal of Network and Computer Applications Vol 36 Issue 1 2013.
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, by Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Lockheed Martin Corporation.
Attack Trees, Bruce Schneier, SANS Network Security 1999, http://tnlandforms.us/cs594-cns96/attacktrees.pdf.
Foundations of Attack-Defense Trees, by Barbara Kordy, Sjouke Mauw, Sasa Radomirovic and Patrick Schweitzer, in Proceedings of FAST2010, LNCS 6561.
Managing the Risks of Cyber-Physical Systems, by C. Warren Axelrod, 2013 IEEE. https://pdfs.semanticscholar.org/5ed2/822de8f87dd862c81cae2ceea8036186ab15.pdf
An Formalised Approach to Designing Signification Systems for Network-Security Monitoring, by Louise Axon, Jason R. C. Nurse, Michael Goldsmith and Sadie Creese, in International Journal on Advances in Security 2017.
Attacker-Parametrised Attack Graphs, by Alastair Janse van Rensburg, Jason R. C. Nurse and Michael Goldsmith, in 10th International conference on Emerging Security Information, Systems and Technologies 2016.
Intrusion detection: a brief history and overview, by R. A. Kemmerer and G. Vigna, in Computer Vol 35, Issue 4 2002.
An Overview of IP FLow-Based Intrusion Detection by Anna Sperotto, Gregor Schaffrath, Ramin Sadre, Cristian Morariu, Aiko Pras and Burchard Stiller, in IEEE Communications Surveys and Tutorials Vol 12, Issue 3 2010.
An Intrusion-Detection Model, by D. Denning, in IEEE Transactions on Software Engineering Vol SE-13, Issue 2 1987.
Anomaly-based network intrusion detection: Techniques, systems and challenges, by P. Garcia-Teodoro, J. Diaz-Verdejo, G. Macib-Fernandez and E. Vazquez in Computers and Security Vol 28, Issues 1-2 2009.
Books worth a read:
Enterprise Cybersecurity - How to Build a Successful Cyberdefense Program Against Advanced Threats, by Scott E. Donaldson, Stanley G. Siegel, Chris K. Williams and Abdul Aslam, 2015.
Network Security Metrics, by Lingyu Wang, Sushi Jajodia and Anoop Singhal, 2017.
Blue Team Field Manual, by Alan J White and Ben Clark, 2017.
Blue Team Handbook: Incident Response Edition, by Don Murdoch 2014.
Inside Network Perimeter Security, by Stephen Northcutt, Lenny Zeltser, Scott Winters, Karen Kent and Ronald W. Ritchey, 2005.
Hacking the Human - Social Engineering Techniques and Security Countermeasures, by Ian Mann, 2010.
Cyber Situational Awareness - Issues and Research, by S. Jajodia, P. Liu, V. Swarup and C. Wang 2010.
Threat Modelling: Designing for Security, by Adam Shostack 2014.
Managing the Insider Threat, by Nick Catrantzos, 2012.
Information Warfare and Security, by D. Denning, 1999.
Network Security Assessment, by Chris McNab, 2017.
The Tao of Network Security Monitoring: Beyond Intrusion Detection, by Richard Bejtlich 2004.