fullrecord |
[{"key": "dc.contributor.advisor", "value": "Costin, Andrei", "language": "", "element": "contributor", "qualifier": "advisor", "schema": "dc"}, {"key": "dc.contributor.author", "value": "Myllyl\u00e4, Juuso", "language": "", "element": "contributor", "qualifier": "author", "schema": "dc"}, {"key": "dc.date.accessioned", "value": "2021-04-07T05:28:42Z", "language": null, "element": "date", "qualifier": "accessioned", "schema": "dc"}, {"key": "dc.date.available", "value": "2021-04-07T05:28:42Z", "language": null, "element": "date", "qualifier": "available", "schema": "dc"}, {"key": "dc.date.issued", "value": "2021", "language": "", "element": "date", "qualifier": "issued", "schema": "dc"}, {"key": "dc.identifier.uri", "value": "https://jyx.jyu.fi/handle/123456789/74965", "language": null, "element": "identifier", "qualifier": "uri", "schema": "dc"}, {"key": "dc.description.abstract", "value": "Kyberhy\u00f6kk\u00e4ysten havaitsemisesta on tullut entist\u00e4 vaikeampaa, nostaen onnistuneen tietomurron havaitsemisajan tyypillisesti yli puoleen vuoteen, jolloin keskim\u00e4\u00e4rin hy\u00f6kk\u00e4ys maksaa l\u00e4hes nelj\u00e4 miljoonaa dollaria kohteelle. Hy\u00f6kk\u00e4ykset ovat yh\u00e4 edistyneempi\u00e4 sek\u00e4 kohdennettuja, tehden huonosti valmistautuneista yrityksist\u00e4 otollisia kohteita hy\u00f6kk\u00e4\u00e4jille. Vaikka yrityksill\u00e4 usein on toimivat palomuurit sek\u00e4 haittaohjelmien torjuntaohjelmat, saattavat he yll\u00e4tty\u00e4 joutuessaan uhriksi esimerkiksi kiristyshaittaohjelmahy\u00f6kk\u00e4ykselle. T\u00e4m\u00e4 her\u00e4tt\u00e4\u00e4 kysymyksen, miten hy\u00f6kk\u00e4yst\u00e4 ei onnistuttu havaitsemaan ajoissa? T\u00e4m\u00e4n tutkimuksen tarkoituksena on selvitt\u00e4\u00e4 juurisyyt sille, mik\u00e4 aiheuttaa liian my\u00f6h\u00e4isen tai olemattoman hy\u00f6kk\u00e4ysten havaitsemisen. 
P\u00e4\u00e4tavoitteena on esitell\u00e4 puolustajille testiymp\u00e4rist\u00f6 riitt\u00e4vill\u00e4 lokitusk\u00e4yt\u00e4nn\u00f6ill\u00e4, jossa he voivat itse simuloida hy\u00f6kk\u00e4yksi\u00e4. Hy\u00f6kk\u00e4yssimulaatiosta saadut tulokset k\u00e4\u00e4nnet\u00e4\u00e4n t\u00e4m\u00e4n j\u00e4lkeen toiminnalliseksi havaitsemislogiikaksi uhkien havaitsemisviitekehyksen avulla. Viitekehys on suunniteltu ohjaamaan puolustajia nopean ja ketter\u00e4n prosessin l\u00e4pi kehitt\u00e4m\u00e4\u00e4n laajaa havaitsemislogiikkaa painottaen taktiikoita, tekniikoita sek\u00e4 k\u00e4yt\u00e4nt\u00f6j\u00e4. Tutkimuksen tulokset vastaavat esitettyihin tutkimusongelmiin yleisesti sek\u00e4 laajasti, jotta puolustajat oppivat sek\u00e4 ymm\u00e4rt\u00e4v\u00e4t perimm\u00e4isen ongelman uhkien havaitsemisessa.", "language": "fi", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.abstract", "value": "Cyber attacks have become harder to detect, causing the average detection time of a successful data breach to be over six months and typically costing the target organization nearly four million dollars. The attacks are becoming more sophisticated and targeted, leaving unprepared environments easy prey for the attackers. Organizations with working antivirus systems and firewalls may be surprised when they discover their network has been encrypted by a ransomware attacker. This raises a serious question: how did the attacks go undetected? The research conducted in this thesis aims to focus on the most common pitfalls regarding late or non-existent detection by defining the root cause behind the failed detections. The main goal is also to empower defenders to set up a test environment with sufficient logging policies and simulate attacks themselves. The attack simulations will then be turned into actionable detection logic, with the help of the detection logic framework. 
The framework is designed to guide defenders through a quick and agile process of creating broader detection logic with the emphasis on tactics, techniques and procedures of attacks. The results in this study approach the detection issues in a broad and general manner to help defenders understand the issue of threat detection, instead of providing readily implemented solutions.", "language": "en", "element": "description", "qualifier": "abstract", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Submitted by Paivi Vuorio (paelvuor@jyu.fi) on 2021-04-07T05:28:42Z\nNo. of bitstreams: 0", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.description.provenance", "value": "Made available in DSpace on 2021-04-07T05:28:42Z (GMT). No. of bitstreams: 0\n Previous issue date: 2021", "language": "en", "element": "description", "qualifier": "provenance", "schema": "dc"}, {"key": "dc.format.extent", "value": "84", "language": "", "element": "format", "qualifier": "extent", "schema": "dc"}, {"key": "dc.format.mimetype", "value": "application/pdf", "language": null, "element": "format", "qualifier": "mimetype", "schema": "dc"}, {"key": "dc.language.iso", "value": "eng", "language": null, "element": "language", "qualifier": "iso", "schema": "dc"}, {"key": "dc.rights", "value": "In Copyright", "language": "en", "element": "rights", "qualifier": null, "schema": "dc"}, {"key": "dc.subject.other", "value": "threat detection", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "cyber defense", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "attack simulation", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "SIEM", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", 
"value": "blue team", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.subject.other", "value": "Active Directory", "language": "", "element": "subject", "qualifier": "other", "schema": "dc"}, {"key": "dc.title", "value": "Detecting cyber attacks in time : combining attack simulation with detection logic", "language": "", "element": "title", "qualifier": null, "schema": "dc"}, {"key": "dc.type", "value": "master thesis", "language": null, "element": "type", "qualifier": null, "schema": "dc"}, {"key": "dc.identifier.urn", "value": "URN:NBN:fi:jyu-202104072287", "language": "", "element": "identifier", "qualifier": "urn", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Pro gradu -tutkielma", "language": "fi", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.type.ontasot", "value": "Master\u2019s thesis", "language": "en", "element": "type", "qualifier": "ontasot", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Informaatioteknologian tiedekunta", "language": "fi", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.faculty", "value": "Faculty of Information Technology", "language": "en", "element": "contributor", "qualifier": "faculty", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Informaatioteknologia", "language": "fi", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.department", "value": "Information Technology", "language": "en", "element": "contributor", "qualifier": "department", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "Jyv\u00e4skyl\u00e4n yliopisto", "language": "fi", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.contributor.organization", "value": "University of Jyv\u00e4skyl\u00e4", "language": "en", "element": "contributor", "qualifier": "organization", "schema": "dc"}, {"key": "dc.subject.discipline", "value": 
"Tietotekniikka", "language": "fi", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "dc.subject.discipline", "value": "Mathematical Information Technology", "language": "en", "element": "subject", "qualifier": "discipline", "schema": "dc"}, {"key": "yvv.contractresearch.funding", "value": "0", "language": "", "element": "contractresearch", "qualifier": "funding", "schema": "yvv"}, {"key": "dc.type.coar", "value": "http://purl.org/coar/resource_type/c_bdcc", "language": null, "element": "type", "qualifier": "coar", "schema": "dc"}, {"key": "dc.rights.accesslevel", "value": "openAccess", "language": null, "element": "rights", "qualifier": "accesslevel", "schema": "dc"}, {"key": "dc.type.publication", "value": "masterThesis", "language": null, "element": "type", "qualifier": "publication", "schema": "dc"}, {"key": "dc.subject.oppiainekoodi", "value": "602", "language": "", "element": "subject", "qualifier": "oppiainekoodi", "schema": "dc"}, {"key": "dc.subject.yso", "value": "simulointi", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "kyberturvallisuus", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "verkkohy\u00f6kk\u00e4ykset", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "simulation", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "cyber security", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.subject.yso", "value": "cyber attacks", "language": null, "element": "subject", "qualifier": "yso", "schema": "dc"}, {"key": "dc.format.content", "value": "fulltext", "language": null, "element": "format", "qualifier": "content", "schema": "dc"}, {"key": "dc.rights.url", "value": "https://rightsstatements.org/page/InC/1.0/", "language": null, 
"element": "rights", "qualifier": "url", "schema": "dc"}, {"key": "dc.type.okm", "value": "G2", "language": null, "element": "type", "qualifier": "okm", "schema": "dc"}]
|